Index: lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp =================================================================== --- lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp +++ lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp @@ -14,279 +14,247 @@ #include "ClangSACheckers.h" #include "clang/AST/DeclCXX.h" -#include "clang/AST/StmtVisitor.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" +#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/Checker.h" -#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" -#include "llvm/ADT/SmallString.h" -#include "llvm/Support/SaveAndRestore.h" -#include "llvm/Support/raw_ostream.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" using namespace clang; using namespace ento; namespace { -class WalkAST : public StmtVisitor { - const CheckerBase *Checker; - BugReporter &BR; - AnalysisDeclContext *AC; - - /// The root constructor or destructor whose callees are being analyzed. - const CXXMethodDecl *RootMethod = nullptr; - - /// Whether the checker should walk into bodies of called functions. - /// Controlled by the "Interprocedural" analyzer-config option. - bool IsInterprocedural = false; - - /// Whether the checker should only warn for calls to pure virtual functions - /// (which is undefined behavior) or for all virtual functions (which may - /// may result in unexpected behavior). - bool ReportPureOnly = false; - - typedef const CallExpr * WorkListUnit; - typedef SmallVector DFSWorkList; - - /// A vector representing the worklist which has a chain of CallExprs. - DFSWorkList WList; - - // PreVisited : A CallExpr to this FunctionDecl is in the worklist, but the - // body has not been visited yet. - // PostVisited : A CallExpr to this FunctionDecl is in the worklist, and the - // body has been visited. - enum Kind { NotVisited, - PreVisited, /**< A CallExpr to this FunctionDecl is in the - worklist, but the body has not yet been - visited. */ - PostVisited /**< A CallExpr to this FunctionDecl is in the - worklist, and the body has been visited. */ - }; - - /// A DenseMap that records visited states of FunctionDecls. - llvm::DenseMap VisitedFunctions; - - /// The CallExpr whose body is currently being visited. This is used for - /// generating bug reports. This is null while visiting the body of a - /// constructor or destructor. - const CallExpr *visitingCallExpr; +class VirtualCallChecker + : public Checker { + mutable std::unique_ptr BT; public: - WalkAST(const CheckerBase *checker, BugReporter &br, AnalysisDeclContext *ac, - const CXXMethodDecl *rootMethod, bool isInterprocedural, - bool reportPureOnly) - : Checker(checker), BR(br), AC(ac), RootMethod(rootMethod), - IsInterprocedural(isInterprocedural), ReportPureOnly(reportPureOnly), - visitingCallExpr(nullptr) { - // Walking should always start from either a constructor or a destructor. - assert(isa(rootMethod) || - isa(rootMethod)); - } - - bool hasWork() const { return !WList.empty(); } - - /// This method adds a CallExpr to the worklist and marks the callee as - /// being PreVisited. - void Enqueue(WorkListUnit WLUnit) { - const FunctionDecl *FD = WLUnit->getDirectCallee(); - if (!FD || !FD->getBody()) - return; - Kind &K = VisitedFunctions[FD]; - if (K != NotVisited) - return; - K = PreVisited; - WList.push_back(WLUnit); - } - - /// This method returns an item from the worklist without removing it. - WorkListUnit Dequeue() { - assert(!WList.empty()); - return WList.back(); - } + // The flag to determine if pure virtual functions should be issued only. + DefaultBool IsPureOnly; - void Execute() { - while (hasWork()) { - WorkListUnit WLUnit = Dequeue(); - const FunctionDecl *FD = WLUnit->getDirectCallee(); - assert(FD && FD->getBody()); - - if (VisitedFunctions[FD] == PreVisited) { - // If the callee is PreVisited, walk its body. - // Visit the body. - SaveAndRestore SaveCall(visitingCallExpr, WLUnit); - Visit(FD->getBody()); - - // Mark the function as being PostVisited to indicate we have - // scanned the body. - VisitedFunctions[FD] = PostVisited; - continue; - } - - // Otherwise, the callee is PostVisited. - // Remove it from the worklist. - assert(VisitedFunctions[FD] == PostVisited); - WList.pop_back(); + void checkBeginFunction(CheckerContext &C) const; + void checkEndFunction(CheckerContext &C) const; + void checkPreCall(const CallEvent &Call, CheckerContext &C) const; + void ChangeMaps(bool IsBeginFunction, CheckerContext &C) const; + void ReportBug(const char *Msg, bool PureError, const MemRegion *Reg, + CheckerContext &C) const; + +private: + class VirtualBugVisitor : public BugReporterVisitorImpl { + private: + const MemRegion *ObjectRegion; + bool Found; + + public: + VirtualBugVisitor(const MemRegion *R) : ObjectRegion(R), Found(false) {} + + void Profile(llvm::FoldingSetNodeID &ID) const override { + static int X = 0; + ID.AddPointer(&X); + ID.AddPointer(ObjectRegion); } - } - - // Stmt visitor methods. - void VisitCallExpr(CallExpr *CE); - void VisitCXXMemberCallExpr(CallExpr *CE); - void VisitStmt(Stmt *S) { VisitChildren(S); } - void VisitChildren(Stmt *S); - - void ReportVirtualCall(const CallExpr *CE, bool isPure); + std::shared_ptr VisitNode(const ExplodedNode *N, + const ExplodedNode *PrevN, + BugReporterContext &BRC, + BugReport &BR) override; + }; }; -} // end anonymous namespace - -//===----------------------------------------------------------------------===// -// AST walking. -//===----------------------------------------------------------------------===// - -void WalkAST::VisitChildren(Stmt *S) { - for (Stmt *Child : S->children()) - if (Child) - Visit(Child); } -void WalkAST::VisitCallExpr(CallExpr *CE) { - VisitChildren(CE); - if (IsInterprocedural) - Enqueue(CE); +// GDM (generic data map) to the memregion of this for the ctor and dtor. +REGISTER_MAP_WITH_PROGRAMSTATE(CtorMap, const MemRegion *, bool) +REGISTER_MAP_WITH_PROGRAMSTATE(DtorMap, const MemRegion *, bool) + +std::shared_ptr +VirtualCallChecker::VirtualBugVisitor::VisitNode(const ExplodedNode *N, + const ExplodedNode *PrevN, + BugReporterContext &BRC, + BugReport &BR) { + // We need the last ctor/dtor which call the virtual function. + // The visitor walks the ExplodedGraph backwards. + if (Found) + return nullptr; + + ProgramStateRef State = N->getState(); + const LocationContext *LCtx = N->getLocationContext(); + ProgramStateManager &PSM = State->getStateManager(); + auto &SVB = PSM.getSValBuilder(); + const CXXConstructorDecl *CD = + dyn_cast_or_null(LCtx->getDecl()); + const CXXDestructorDecl *DD = + dyn_cast_or_null(LCtx->getDecl()); + + if (!CD && !DD) + return nullptr; + const auto *MD = dyn_cast(LCtx->getDecl()); + auto ThiSVal = + State->getSVal(SVB.getCXXThis(MD, LCtx->getCurrentStackFrame())); + const MemRegion *Reg = ThiSVal.getAsRegion(); + if (Reg != ObjectRegion) + return nullptr; + + const Stmt *S = PathDiagnosticLocation::getStmt(N); + if (!S) + return nullptr; + Found = true; + + std::string DeclName; + std::string InfoText; + if (CD) { + DeclName = CD->getNameAsString(); + InfoText = "Called from this constrctor '" + DeclName + "'"; + } else { + DeclName = DD->getNameAsString(); + InfoText = "Called from this destrctor '" + DeclName + "'"; + } + + // Generate the extra diagnostic. + PathDiagnosticLocation Pos(S, BRC.getSourceManager(), + N->getLocationContext()); + return std::make_shared(Pos, InfoText, true); } -void WalkAST::VisitCXXMemberCallExpr(CallExpr *CE) { - VisitChildren(CE); - bool callIsNonVirtual = false; - - // Several situations to elide for checking. - if (MemberExpr *CME = dyn_cast(CE->getCallee())) { - // If the member access is fully qualified (i.e., X::F), then treat - // this as a non-virtual call and do not warn. +// The function to check if a callexpr is a virtual function. +static bool IsVirtualCall(const CallExpr *CE) { + bool CallIsNonVirtual = false; + + if (const MemberExpr *CME = dyn_cast(CE->getCallee())) { + // The member access is fully qualified (i.e., X::F). + // Treat this as a non-virtual call and do not warn. if (CME->getQualifier()) - callIsNonVirtual = true; + CallIsNonVirtual = true; - if (Expr *base = CME->getBase()->IgnoreImpCasts()) { - // Elide analyzing the call entirely if the base pointer is not 'this'. - if (!isa(base)) - return; - - // If the most derived class is marked final, we know that now subclass - // can override this member. - if (base->getBestDynamicClassType()->hasAttr()) - callIsNonVirtual = true; + if (const Expr *Base = CME->getBase()->IgnoreImpCasts()) { + // The most derived class is marked final. + if (Base->getBestDynamicClassType()->hasAttr()) + CallIsNonVirtual = true; } } - // Get the callee. const CXXMethodDecl *MD = dyn_cast_or_null(CE->getDirectCallee()); - if (MD && MD->isVirtual() && !callIsNonVirtual && !MD->hasAttr() && + if (MD && MD->isVirtual() && !CallIsNonVirtual && !MD->hasAttr() && !MD->getParent()->hasAttr()) - ReportVirtualCall(CE, MD->isPure()); + return true; + return false; +} - if (IsInterprocedural) - Enqueue(CE); +// The BeginFunction callback when enter a constructor or a destructor. +void VirtualCallChecker::checkBeginFunction(CheckerContext &C) const { + ChangeMaps(true, C); } -void WalkAST::ReportVirtualCall(const CallExpr *CE, bool isPure) { - if (ReportPureOnly && !isPure) +// The EndFunction callback when leave a constructor or a destructor. +void VirtualCallChecker::checkEndFunction(CheckerContext &C) const { + ChangeMaps(false, C); +} + +void VirtualCallChecker::checkPreCall(const CallEvent &Call, + CheckerContext &C) const { + const auto MC = dyn_cast(&Call); + if (!MC) return; - SmallString<100> buf; - llvm::raw_svector_ostream os(buf); + const CXXMethodDecl *MD = dyn_cast(Call.getDecl()); + ProgramStateRef State = C.getState(); + const CallExpr *CE = dyn_cast_or_null(Call.getOriginExpr()); + const MemRegion *Reg = MC->getCXXThisVal().getAsRegion(); - // FIXME: The interprocedural diagnostic experience here is not good. - // Ultimately this checker should be re-written to be path sensitive. - // For now, only diagnose intraprocedurally, by default. - if (IsInterprocedural) { - os << "Call Path : "; - // Name of current visiting CallExpr. - os << *CE->getDirectCallee(); - - // Name of the CallExpr whose body is current being walked. - if (visitingCallExpr) - os << " <-- " << *visitingCallExpr->getDirectCallee(); - // Names of FunctionDecls in worklist with state PostVisited. - for (SmallVectorImpl::iterator I = WList.end(), - E = WList.begin(); I != E; --I) { - const FunctionDecl *FD = (*(I-1))->getDirectCallee(); - assert(FD); - if (VisitedFunctions[FD] == PostVisited) - os << " <-- " << *FD; - } + if (IsPureOnly && !MD->isPure()) + return; + if (!IsVirtualCall(CE)) + return; - os << "\n"; + // Check if a virtual method is called. + // The GDM of constructor and destructor should be true. + if (State->get(Reg)) { + if (IsPureOnly && MD->isPure()) { + const char *Msg = "Call to pure function during construction"; + ReportBug(Msg, true, Reg, C); + } else { + const char *Msg = "Call to virtual function during construction"; + ReportBug(Msg, false, Reg, C); + } } - PathDiagnosticLocation CELoc = - PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); - SourceRange R = CE->getCallee()->getSourceRange(); - - os << "Call to "; - if (isPure) - os << "pure "; - - os << "virtual function during "; - - if (isa(RootMethod)) - os << "construction "; - else - os << "destruction "; - - if (isPure) - os << "has undefined behavior"; - else - os << "will not dispatch to derived class"; - - BR.EmitBasicReport(AC->getDecl(), Checker, - "Call to virtual function during construction or " - "destruction", - "C++ Object Lifecycle", os.str(), CELoc, R); + if (State->get(Reg)) { + if (IsPureOnly && MD->isPure()) { + const char *Msg = "Call to pure function during destruction"; + ReportBug(Msg, true, Reg, C); + } else { + const char *Msg = "Call to virtual function during destruction"; + ReportBug(Msg, false, Reg, C); + } + } } -//===----------------------------------------------------------------------===// -// VirtualCallChecker -//===----------------------------------------------------------------------===// +void VirtualCallChecker::ChangeMaps(bool IsBeginFunction, + CheckerContext &C) const { + const auto *LCtx = C.getLocationContext(); + const auto *MD = dyn_cast(LCtx->getDecl()); + if (!MD) + return; -namespace { -class VirtualCallChecker : public Checker > { -public: - DefaultBool isInterprocedural; - DefaultBool isPureOnly; + ProgramStateRef State = C.getState(); + auto &SVB = C.getSValBuilder(); + + // Enter a constructor, set the corresponding memregion be true. + if (isa(MD)) { + auto ThiSVal = + State->getSVal(SVB.getCXXThis(MD, LCtx->getCurrentStackFrame())); + const MemRegion *Reg = ThiSVal.getAsRegion(); + if (IsBeginFunction) { + State = State->set(Reg, true); + } else { + State = State->remove(Reg); + } + C.addTransition(State); + return; + } - void checkASTDecl(const CXXRecordDecl *RD, AnalysisManager& mgr, - BugReporter &BR) const { - AnalysisDeclContext *ADC = mgr.getAnalysisDeclContext(RD); - - // Check the constructors. - for (const auto *I : RD->ctors()) { - if (!I->isCopyOrMoveConstructor()) - if (Stmt *Body = I->getBody()) { - WalkAST walker(this, BR, ADC, I, isInterprocedural, isPureOnly); - walker.Visit(Body); - walker.Execute(); - } + // Enter a Destructor, set the corresponding memregion be true. + if (isa(MD)) { + auto ThiSVal = + State->getSVal(SVB.getCXXThis(MD, LCtx->getCurrentStackFrame())); + const MemRegion *Reg = ThiSVal.getAsRegion(); + if (IsBeginFunction) { + State = State->set(Reg, true); + } else { + State = State->remove(Reg); } + C.addTransition(State); + return; + } +} - // Check the destructor. - if (CXXDestructorDecl *DD = RD->getDestructor()) - if (Stmt *Body = DD->getBody()) { - WalkAST walker(this, BR, ADC, DD, isInterprocedural, isPureOnly); - walker.Visit(Body); - walker.Execute(); - } +void VirtualCallChecker::ReportBug(const char *Msg, bool PureError, + const MemRegion *Reg, + CheckerContext &C) const { + ExplodedNode *N; + if (PureError) { + N = C.generateErrorNode(); + } else { + N = C.generateNonFatalErrorNode(); } -}; + if (!N) + return; + if (!BT) + BT.reset(new BugType(this, "Virtual Call", "Path-Sensitive")); + + auto Reporter = llvm::make_unique(*BT, Msg, N); + Reporter->addVisitor(llvm::make_unique(Reg)); + C.emitReport(std::move(Reporter)); + return; } void ento::registerVirtualCallChecker(CheckerManager &mgr) { VirtualCallChecker *checker = mgr.registerChecker(); - checker->isInterprocedural = - mgr.getAnalyzerOptions().getBooleanOption("Interprocedural", false, - checker); - - checker->isPureOnly = - mgr.getAnalyzerOptions().getBooleanOption("PureOnly", false, - checker); + + checker->IsPureOnly = + mgr.getAnalyzerOptions().getBooleanOption("PureOnly", false, checker); } + Index: test/Analysis/virtualcall.cpp =================================================================== --- test/Analysis/virtualcall.cpp +++ test/Analysis/virtualcall.cpp @@ -1,29 +1,18 @@ // RUN: %clang_analyze_cc1 -analyzer-checker=optin.cplusplus.VirtualCall -analyzer-store region -verify -std=c++11 %s -// RUN: %clang_analyze_cc1 -analyzer-checker=optin.cplusplus.VirtualCall -analyzer-store region -analyzer-config optin.cplusplus.VirtualCall:Interprocedural=true -DINTERPROCEDURAL=1 -verify -std=c++11 %s -// RUN: %clang_analyze_cc1 -analyzer-checker=optin.cplusplus.VirtualCall -analyzer-store region -analyzer-config optin.cplusplus.VirtualCall:PureOnly=true -DPUREONLY=1 -verify -std=c++11 %s -/* When INTERPROCEDURAL is set, we expect diagnostics in all functions reachable - from a constructor or destructor. If it is not set, we expect diagnostics - only in the constructor or destructor. - - When PUREONLY is set, we expect diagnostics only for calls to pure virtual - functions not to non-pure virtual functions. -*/ +// RUN: %clang_analyze_cc1 -analyzer-checker=optin.cplusplus.VirtualCall -analyzer-store region -analyzer-config optin.cplusplus.VirtualCall:PureOnly=true -DPUREONLY=1 -verify -std=c++11 %s class A { public: A(); - A(int i); ~A() {}; - virtual int foo() = 0; // from Sema: expected-note {{'foo' declared here}} - virtual void bar() = 0; + virtual int foo()=0; + virtual void bar()=0; void f() { foo(); -#if INTERPROCEDURAL - // expected-warning-re@-2 {{{{^}}Call Path : foo <-- fCall to pure virtual function during construction has undefined behavior}} -#endif + // expected-warning:Call to virtual function during construction } }; @@ -31,49 +20,24 @@ public: B() { foo(); -#if !PUREONLY -#if INTERPROCEDURAL - // expected-warning-re@-3 {{{{^}}Call Path : fooCall to virtual function during construction will not dispatch to derived class}} -#else - // expected-warning-re@-5 {{{{^}}Call to virtual function during construction will not dispatch to derived class}} -#endif -#endif - + // expected-warning:Call to virtual function during construction } ~B(); virtual int foo(); virtual void bar() { foo(); } -#if INTERPROCEDURAL - // expected-warning-re@-2 {{{{^}}Call Path : foo <-- barCall to virtual function during destruction will not dispatch to derived class}} -#endif + // expected-warning:Call to virtual function during destruction }; A::A() { f(); } -A::A(int i) { - foo(); // From Sema: expected-warning {{call to pure virtual member function 'foo' has undefined behavior}} -#if INTERPROCEDURAL - // expected-warning-re@-2 {{{{^}}Call Path : fooCall to pure virtual function during construction has undefined behavior}} -#else - // expected-warning-re@-4 {{{{^}}Call to pure virtual function during construction has undefined behavior}} -#endif -} - B::~B() { this->B::foo(); // no-warning this->B::bar(); this->foo(); -#if !PUREONLY -#if INTERPROCEDURAL - // expected-warning-re@-3 {{{{^}}Call Path : fooCall to virtual function during destruction will not dispatch to derived class}} -#else - // expected-warning-re@-5 {{{{^}}Call to virtual function during destruction will not dispatch to derived class}} -#endif -#endif - + // expected-warning:Call to virtual function during destruction } class C : public B { @@ -87,13 +51,7 @@ C::C() { f(foo()); -#if !PUREONLY -#if INTERPROCEDURAL - // expected-warning-re@-3 {{{{^}}Call Path : fooCall to virtual function during construction will not dispatch to derived class}} -#else - // expected-warning-re@-5 {{{{^}}Call to virtual function during construction will not dispatch to derived class}} -#endif -#endif + // expected-warning:Call to virtual function during construction } class D : public B { @@ -103,7 +61,8 @@ } ~D() { bar(); } int foo() final; - void bar() final { foo(); } // no-warning + void bar() final { foo(); } + // no-warning }; class E final : public B { @@ -115,7 +74,6 @@ int foo() override; }; -// Regression test: don't crash when there's no direct callee. class F { public: F() { @@ -125,17 +83,100 @@ void foo(); }; -int main() { - A *a; - B *b; - C *c; - D *d; - E *e; - F *f; +class G { +public: + G() {} + virtual void bar(); + void foo() { + bar(); + // no warning + } +}; + +class H{ +public: + H() : initState(0) { init(); } + int initState; + virtual void f() const; + void init() { + if (initState) + f(); + // no warning + } + + H(int i) { + G g; + g.foo(); + g.bar(); + // no warning + f(); + // expected-warning:Call to virtual function during construction + H& h = *this; + h.f(); + // expected-warning:Call to virtual function during construction + } +}; + +class X { +public: + X() { + g(); + // expected-warning:Call to virtual function during construction + } + X(int i) { + if (i > 0) { + X x(i-1); + x.g(); + // no warning + } + g(); + // expected-warning:Call to virtual function during construction + } + virtual void g(); +}; + +class M; +class N { +public: + virtual void virtualMethod(); + void callFooOfM(M*); +}; +class M { +public: + M() { + N n; + n.virtualMethod(); + // no warning + n.callFooOfM(this); + } + virtual void foo(); +}; +void N::callFooOfM(M* m) { + m->foo(); + // expected-warning:Call to virtual function during construction } -#include "virtualcall.h" +class Y { +public: + virtual void foobar(); + Y() { + F f1; + foobar(); + } +}; -#define AS_SYSTEM -#include "virtualcall.h" -#undef AS_SYSTEM +int main() { + B b; + C c; + D d; + E e; + F f; + G g; + H h; + H h1(1); + X x; + X x1(1); + M m; + Y *y = new Y; + delete y; +}