Index: lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
===================================================================
--- lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
+++ lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp
@@ -1,292 +1,262 @@ -//=======- VirtualCallChecker.cpp --------------------------------*- C++ -*-==// -// -// The LLVM Compiler Infrastructure -// -// This file is distributed under the University of Illinois Open Source -// License. See LICENSE.TXT for details. -// -//===----------------------------------------------------------------------===// -// -// This file defines a checker that checks virtual function calls during -// construction or destruction of C++ objects. -// -//===----------------------------------------------------------------------===// - #include "ClangSACheckers.h" #include "clang/AST/DeclCXX.h" -#include "clang/AST/StmtVisitor.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" +#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/Checker.h" -#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" -#include "llvm/ADT/SmallString.h" -#include "llvm/Support/SaveAndRestore.h" -#include "llvm/Support/raw_ostream.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" using namespace clang; using namespace ento; namespace { +class VirtualCallChecker: public Checker { + mutable std::unique_ptr BT_CT; + mutable std::unique_ptr BT_DT; + +public: + void checkPreCall(const CallEvent &Call, CheckerContext &C) const; + void checkPostCall(const CallEvent &Call, CheckerContext &C) const; -class WalkAST : public StmtVisitor { - const CheckerBase *Checker; - BugReporter &BR; - AnalysisDeclContext *AC; - - /// The root constructor or destructor whose callees are being analyzed. - const CXXMethodDecl *RootMethod = nullptr; - - /// Whether the checker should walk into bodies of called functions. - /// Controlled by the "Interprocedural" analyzer-config option. 
- bool IsInterprocedural = false; - - /// Whether the checker should only warn for calls to pure virtual functions - /// (which is undefined behavior) or for all virtual functions (which may - /// may result in unexpected behavior). - bool ReportPureOnly = false; - - typedef const CallExpr * WorkListUnit; - typedef SmallVector DFSWorkList; - - /// A vector representing the worklist which has a chain of CallExprs. - DFSWorkList WList; - - // PreVisited : A CallExpr to this FunctionDecl is in the worklist, but the - // body has not been visited yet. - // PostVisited : A CallExpr to this FunctionDecl is in the worklist, and the - // body has been visited. - enum Kind { NotVisited, - PreVisited, /**< A CallExpr to this FunctionDecl is in the - worklist, but the body has not yet been - visited. */ - PostVisited /**< A CallExpr to this FunctionDecl is in the - worklist, and the body has been visited. */ +private: + bool isVirtualCall(const CallExpr *CE) const; + Optional getThisSVal(const StackFrameContext *SFC,const ProgramStateRef State) const; + class VirtualBugVisitor : public BugReporterVisitorImpl { + private: + const unsigned Flag; + bool Found; + public: + VirtualBugVisitor(const unsigned Flag) : Flag(Flag), Found(false) {} + void Profile(llvm::FoldingSetNodeID &ID) const override{ + static int x = 0; + ID.AddPointer(&x); + ID.AddPointer(&Flag); + } + std::shared_ptr VisitNode(const ExplodedNode *N, + const ExplodedNode *PrevN, + BugReporterContext &BRC, + BugReport &BR) override; }; +}; +} - /// A DenseMap that records visited states of FunctionDecls. - llvm::DenseMap VisitedFunctions; +//GDM (generic data map) to store two integers in the program state. +//One integer for constructors, one integer for destructors. 
+REGISTER_TRAIT_WITH_PROGRAMSTATE(ConstructorFlag, unsigned) +REGISTER_TRAIT_WITH_PROGRAMSTATE(DestructorFlag, unsigned) +REGISTER_TRAIT_WITH_PROGRAMSTATE(ObjectFlag, unsigned) + +std::shared_ptr +VirtualCallChecker::VirtualBugVisitor::VisitNode(const ExplodedNode *N, + const ExplodedNode *PrevN, + BugReporterContext &BRC, + BugReport &BR) { + // We need the last ctor/dtor which call the virtual function + // The visitor walks the ExplodedGraph backwards. + if (Found) + return nullptr; + + ProgramStateRef state = N->getState(); + const unsigned ctorflag = state->get(); + const unsigned dtorflag = state->get(); + const LocationContext* LCtx = N->getLocationContext(); + const CXXConstructorDecl *CD = + dyn_cast(LCtx->getDecl()); + const CXXDestructorDecl *DD = + dyn_cast(LCtx->getDecl()); + if((!CD && !DD) || (ctorflag!=Flag && dtorflag!=Flag)) return nullptr; + + const Stmt *S = PathDiagnosticLocation::getStmt(N); + if (!S) + return nullptr; + Found = true; + + std::string DeclName; + std::string InfoText; + if(CD) { + DeclName = CD->getNameAsString(); + InfoText = "Called from this constrctor " + DeclName; + } + else { + DeclName = DD->getNameAsString(); + InfoText = "called from this destructor " + DeclName; + } - /// The CallExpr whose body is currently being visited. This is used for - /// generating bug reports. This is null while visiting the body of a - /// constructor or destructor. - const CallExpr *visitingCallExpr; + // Generate the extra diagnostic. 
+ PathDiagnosticLocation Pos(S, BRC.getSourceManager(), + N->getLocationContext()); + return std::make_shared(Pos, InfoText, true); +} -public: - WalkAST(const CheckerBase *checker, BugReporter &br, AnalysisDeclContext *ac, - const CXXMethodDecl *rootMethod, bool isInterprocedural, - bool reportPureOnly) - : Checker(checker), BR(br), AC(ac), RootMethod(rootMethod), - IsInterprocedural(isInterprocedural), ReportPureOnly(reportPureOnly), - visitingCallExpr(nullptr) { - // Walking should always start from either a constructor or a destructor. - assert(isa(rootMethod) || - isa(rootMethod)); - } +void VirtualCallChecker::checkPreCall(const CallEvent &Call, + CheckerContext &C) const { - bool hasWork() const { return !WList.empty(); } + const Decl *D = dyn_cast_or_null(Call.getDecl()); + if (!D) + return; - /// This method adds a CallExpr to the worklist and marks the callee as - /// being PreVisited. - void Enqueue(WorkListUnit WLUnit) { - const FunctionDecl *FD = WLUnit->getDirectCallee(); - if (!FD || !FD->getBody()) - return; - Kind &K = VisitedFunctions[FD]; - if (K != NotVisited) - return; - K = PreVisited; - WList.push_back(WLUnit); + ProgramStateRef state = C.getState(); + const unsigned ctorflag = state->get(); + const unsigned dtorflag = state->get(); + const CallExpr *CE = dyn_cast_or_null(Call.getOriginExpr()); + const LocationContext *LCtx = C.getLocationContext(); + const StackFrameContext *SFC = LCtx->getCurrentStackFrame(); + Optional ThisSVal = getThisSVal(SFC,state); + + // Enter a constructor, increase the corresponding integer + if (dyn_cast(D)) { + unsigned constructorflag = state->get(); + state = state->set(++constructorflag); + C.addTransition(state); + return; } - /// This method returns an item from the worklist without removing it. 
- WorkListUnit Dequeue() { - assert(!WList.empty()); - return WList.back(); + // Enter a Destructor, increase the corresponding integer + if (dyn_cast(D)) { + unsigned destructorflag = state->get(); + state = state->set(++destructorflag); + C.addTransition(state); + return; } - void Execute() { - while (hasWork()) { - WorkListUnit WLUnit = Dequeue(); - const FunctionDecl *FD = WLUnit->getDirectCallee(); - assert(FD && FD->getBody()); - - if (VisitedFunctions[FD] == PreVisited) { - // If the callee is PreVisited, walk its body. - // Visit the body. - SaveAndRestore SaveCall(visitingCallExpr, WLUnit); - Visit(FD->getBody()); - - // Mark the function as being PostVisited to indicate we have - // scanned the body. - VisitedFunctions[FD] = PostVisited; - continue; + if (const MemberExpr *CME = dyn_cast(CE->getCallee())) { + // If the member access is fully qualified (i.e., X::F), then treat + // this as a non-virtual call and do not warn. + if (Expr *base = CME->getBase()->IgnoreImpCasts()) { + if (!isa(base)) { + SVal CEV = state->getSVal(base, LCtx); + if(CEV != ThisSVal){ + unsigned objectflag = state->get(); + state = state->set(++objectflag); + C.addTransition(state); + } } + } + } - // Otherwise, the callee is PostVisited. - // Remove it from the worklist. - assert(VisitedFunctions[FD] == PostVisited); - WList.pop_back(); + // First Check if a virtual method is called, then check the + // GDM of constructor and destructor. + if (isVirtualCall(CE) && ctorflag > 0 && state->get() == 0) { + if (!BT_CT) { + BT_CT.reset(new BugType(this, "Call to virtual function during construction", + "not pure")); } + ExplodedNode *N = C.generateNonFatalErrorNode(); + auto Reporter = llvm::make_unique(*BT_CT, BT_CT->getName(), N); + Reporter->addVisitor(llvm::make_unique(ctorflag)); + C.emitReport(std::move(Reporter)); + return; } - // Stmt visitor methods. 
- void VisitCallExpr(CallExpr *CE); - void VisitCXXMemberCallExpr(CallExpr *CE); - void VisitStmt(Stmt *S) { VisitChildren(S); } - void VisitChildren(Stmt *S); + if (isVirtualCall(CE) && dtorflag > 0 && state->get() == 0) { + if (!BT_DT) { + BT_DT.reset(new BugType(this, "Call to virtual function during destruction", + "not pure")); + } + ExplodedNode *N = C.generateNonFatalErrorNode(); + auto Reporter = llvm::make_unique(*BT_DT, BT_DT->getName(), N); + Reporter->addVisitor(llvm::make_unique(dtorflag)); + C.emitReport(std::move(Reporter)); + return; + } +} - void ReportVirtualCall(const CallExpr *CE, bool isPure); +// The PostCall callback, when leave a constructor or a destructor, +// decrease the corresponding integer +void VirtualCallChecker::checkPostCall(const CallEvent &Call, + CheckerContext &C) const { -}; -} // end anonymous namespace + const Decl *D = dyn_cast_or_null(Call.getDecl()); + if (!D) + return; -//===----------------------------------------------------------------------===// -// AST walking. 
-//===----------------------------------------------------------------------===// - -void WalkAST::VisitChildren(Stmt *S) { - for (Stmt *Child : S->children()) - if (Child) - Visit(Child); -} + ProgramStateRef state = C.getState(); + const CallExpr *CE = dyn_cast_or_null(Call.getOriginExpr()); + const LocationContext *LCtx = C.getLocationContext(); + const StackFrameContext *SFC = LCtx->getCurrentStackFrame(); + Optional ThisSVal = getThisSVal(SFC,state); + + if (dyn_cast(D)) { + unsigned constructorflag = state->get(); + state = state->set(--constructorflag); + C.addTransition(state); + return; + } + + if (dyn_cast(D)) { + unsigned destructorflag = state->get(); + state = state->set(--destructorflag); + C.addTransition(state); + return; + } -void WalkAST::VisitCallExpr(CallExpr *CE) { - VisitChildren(CE); - if (IsInterprocedural) - Enqueue(CE); + if (const MemberExpr *CME = dyn_cast(CE->getCallee())) { + if (Expr *base = CME->getBase()->IgnoreImpCasts()) { + if (!isa(base)) { + SVal CEV = state->getSVal(base, LCtx); + if(CEV != ThisSVal){ + unsigned objectflag = state->get(); + state = state->set(--objectflag); + C.addTransition(state); + } + } + } + } } -void WalkAST::VisitCXXMemberCallExpr(CallExpr *CE) { - VisitChildren(CE); +// The function to check if a virtual function is called +bool VirtualCallChecker::isVirtualCall(const CallExpr *CE) const { bool callIsNonVirtual = false; - // Several situations to elide for checking. - if (MemberExpr *CME = dyn_cast(CE->getCallee())) { + if (const MemberExpr *CME = dyn_cast(CE->getCallee())) { // If the member access is fully qualified (i.e., X::F), then treat // this as a non-virtual call and do not warn. if (CME->getQualifier()) callIsNonVirtual = true; if (Expr *base = CME->getBase()->IgnoreImpCasts()) { - // Elide analyzing the call entirely if the base pointer is not 'this'. 
- if (!isa(base)) - return; +/* if (!isa(base)) + return false;*/ - // If the most derived class is marked final, we know that now subclass - // can override this member. + // The most derived class is marked final. if (base->getBestDynamicClassType()->hasAttr()) callIsNonVirtual = true; } } - // Get the callee. const CXXMethodDecl *MD = dyn_cast_or_null(CE->getDirectCallee()); if (MD && MD->isVirtual() && !callIsNonVirtual && !MD->hasAttr() && !MD->getParent()->hasAttr()) - ReportVirtualCall(CE, MD->isPure()); - - if (IsInterprocedural) - Enqueue(CE); + return true; + return false; } -void WalkAST::ReportVirtualCall(const CallExpr *CE, bool isPure) { - if (ReportPureOnly && !isPure) - return; - - SmallString<100> buf; - llvm::raw_svector_ostream os(buf); - - // FIXME: The interprocedural diagnostic experience here is not good. - // Ultimately this checker should be re-written to be path sensitive. - // For now, only diagnose intraprocedurally, by default. - if (IsInterprocedural) { - os << "Call Path : "; - // Name of current visiting CallExpr. - os << *CE->getDirectCallee(); - - // Name of the CallExpr whose body is current being walked. - if (visitingCallExpr) - os << " <-- " << *visitingCallExpr->getDirectCallee(); - // Names of FunctionDecls in worklist with state PostVisited. 
- for (SmallVectorImpl::iterator I = WList.end(), - E = WList.begin(); I != E; --I) { - const FunctionDecl *FD = (*(I-1))->getDirectCallee(); - assert(FD); - if (VisitedFunctions[FD] == PostVisited) - os << " <-- " << *FD; - } - - os << "\n"; +Optional +VirtualCallChecker::getThisSVal(const StackFrameContext *SFC,const ProgramStateRef state) const { + if (SFC->inTopFrame()) { + const FunctionDecl *FD = SFC->getDecl()->getAsFunction(); + if (!FD) + return None; + const CXXMethodDecl *MD = dyn_cast_or_null(FD->getParent()); + if (!MD) + return None; + Loc ThisLoc = state->getStateManager().getSValBuilder().getCXXThis(MD, SFC); + return state->getSVal(ThisLoc); + } else { + const Stmt *S = SFC->getCallSite(); + if (!S) + return None; + if (const CXXMemberCallExpr *MCE = dyn_cast_or_null(S)) + return state->getSVal(MCE->getImplicitObjectArgument(), SFC->getParent()); + else if (const CXXConstructExpr *CCE = dyn_cast_or_null(S)) + return state->getSVal(CCE, SFC->getParent()); + return None; } - - PathDiagnosticLocation CELoc = - PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); - SourceRange R = CE->getCallee()->getSourceRange(); - - os << "Call to "; - if (isPure) - os << "pure "; - - os << "virtual function during "; - - if (isa(RootMethod)) - os << "construction "; - else - os << "destruction "; - - if (isPure) - os << "has undefined behavior"; - else - os << "will not dispatch to derived class"; - - BR.EmitBasicReport(AC->getDecl(), Checker, - "Call to virtual function during construction or " - "destruction", - "C++ Object Lifecycle", os.str(), CELoc, R); -} - -//===----------------------------------------------------------------------===// -// VirtualCallChecker -//===----------------------------------------------------------------------===// - -namespace { -class VirtualCallChecker : public Checker > { -public: - DefaultBool isInterprocedural; - DefaultBool isPureOnly; - - void checkASTDecl(const CXXRecordDecl *RD, AnalysisManager& mgr, - 
BugReporter &BR) const { - AnalysisDeclContext *ADC = mgr.getAnalysisDeclContext(RD); - - // Check the constructors. - for (const auto *I : RD->ctors()) { - if (!I->isCopyOrMoveConstructor()) - if (Stmt *Body = I->getBody()) { - WalkAST walker(this, BR, ADC, I, isInterprocedural, isPureOnly); - walker.Visit(Body); - walker.Execute(); - } - } - - // Check the destructor. - if (CXXDestructorDecl *DD = RD->getDestructor()) - if (Stmt *Body = DD->getBody()) { - WalkAST walker(this, BR, ADC, DD, isInterprocedural, isPureOnly); - walker.Visit(Body); - walker.Execute(); - } - } -}; } void ento::registerVirtualCallChecker(CheckerManager &mgr) { - VirtualCallChecker *checker = mgr.registerChecker(); - checker->isInterprocedural = - mgr.getAnalyzerOptions().getBooleanOption("Interprocedural", false, - checker); - - checker->isPureOnly = - mgr.getAnalyzerOptions().getBooleanOption("PureOnly", false, - checker); + mgr.registerChecker(); } Index: test/Analysis/virtualcall.cpp =================================================================== --- test/Analysis/virtualcall.cpp +++ test/Analysis/virtualcall.cpp 
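Review bot: `CE` can be null after `dyn_cast_or_null(Call.getOriginExpr())` in both checkPreCall and checkPostCall, yet every CallEvent that is not a constructor or destructor reaches `CE->getCallee()` unguarded — an origin expression that is not a CallExpr (an allocator call whose origin is a CXXNewExpr, for example) would dereference a null pointer; add `if (!CE) return;` right after the cast in both callbacks. `generateNonFatalErrorNode()` can also return nullptr when the node already exists or is a sink, so both warning branches need `if (!N) return;` before constructing the BugReport. In getThisSVal the top-frame path does `dyn_cast_or_null(FD->getParent())` into `MD`, but the parent of a method is its class, not a CXXMethodDecl, so this looks like it always yields None for a ctor/dtor analyzed as the entry function — presumably `dyn_cast<CXXMethodDecl>(FD)` was intended; together with the counters only being bumped on inlined calls this suggests top-level constructors are never diagnosed, which is worth a comment next to the REGISTER_TRAIT_WITH_PROGRAMSTATE lines. Minor: "Called from this constrctor" has a typo and differs in capitalisation from the destructor text, and the second BugType argument is a category, so "not pure" should be the previous "C++ Object Lifecycle"; the old pure-vs-non-pure distinction (UB vs. silent non-dispatch) is also lost from the message.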
@@ -1,15 +1,3 @@ -// RUN: %clang_analyze_cc1 -analyzer-checker=optin.cplusplus.VirtualCall -analyzer-store region -verify -std=c++11 %s -// RUN: %clang_analyze_cc1 -analyzer-checker=optin.cplusplus.VirtualCall -analyzer-store region -analyzer-config optin.cplusplus.VirtualCall:Interprocedural=true -DINTERPROCEDURAL=1 -verify -std=c++11 %s -// RUN: %clang_analyze_cc1 -analyzer-checker=optin.cplusplus.VirtualCall -analyzer-store region -analyzer-config optin.cplusplus.VirtualCall:PureOnly=true -DPUREONLY=1 -verify -std=c++11 %s - -/* When INTERPROCEDURAL is set, we expect diagnostics in all functions reachable - from a constructor or destructor. If it is not set, we expect diagnostics - only in the constructor or destructor. - - When PUREONLY is set, we expect diagnostics only for calls to pure virtual - functions not to non-pure virtual functions. -*/ - class A { public: A(); @@ -17,13 +5,11 @@ ~A() {}; - virtual int foo() = 0; // from Sema: expected-note {{'foo' declared here}} - virtual void bar() = 0; + virtual int foo()=0; // from Sema: expected-note {{'foo' declared here}} + virtual void bar()=0; void f() { foo(); -#if INTERPROCEDURAL - // expected-warning-re@-2 {{{{^}}Call Path : foo <-- fCall to pure virtual function during construction has undefined behavior}} -#endif + // expected-warning:Call to virtual function during construction } }; 
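Review bot: All three `// RUN:` lines are deleted and nothing replaces them, so lit has no command to execute for this test and will report it as having no RUN line. Since the Interprocedural and PureOnly options are gone, keep a single `// RUN: %clang_analyze_cc1 -analyzer-checker=optin.cplusplus.VirtualCall -analyzer-store region -verify -std=c++11 %s`. Dropping the explanatory comment about INTERPROCEDURAL/PUREONLY is fine once the options no longer exist. The `class A` that starts at the end of this hunk continues into the next one.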
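Review bot: The new directive `// expected-warning:Call to virtual function during construction` is placed on the line after `foo();` and uses a colon where -verify expects the message in `{{...}}`, so the verifier would fail to parse it and, even if it did, would attach the expectation to the comment's line rather than the call's. The removed lines show the working form (`expected-warning-re@-N {{...}}`); either put the directive on the call line, `foo(); // expected-warning {{Call to virtual function during construction}}`, or keep the `@-1` offset. The same pattern is repeated in every later hunk of this file, so fix it once and mirror it. The class body around `B()` and `bar()` extends beyond this hunk.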
@@ -31,22 +17,13 @@ public: B() { foo(); -#if !PUREONLY -#if INTERPROCEDURAL - // expected-warning-re@-3 {{{{^}}Call Path : fooCall to virtual function during construction will not dispatch to derived class}} -#else - // expected-warning-re@-5 {{{{^}}Call to virtual function during construction will not dispatch to derived class}} -#endif -#endif - + // expected-warning:Call to virtual function during construction } ~B(); virtual int foo(); virtual void bar() { foo(); } -#if INTERPROCEDURAL - // expected-warning-re@-2 {{{{^}}Call Path : foo <-- barCall to virtual function during destruction will not dispatch to derived class}} -#endif + // expected-warning:Call to virtual function during destruction }; A::A() { @@ -55,25 +32,14 @@ A::A(int i) { foo(); // From Sema: expected-warning {{call to pure virtual member function 'foo' has undefined behavior}} -#if INTERPROCEDURAL - // expected-warning-re@-2 {{{{^}}Call Path : fooCall to pure virtual function during construction has undefined behavior}} -#else - // expected-warning-re@-4 {{{{^}}Call to pure virtual function during construction has undefined behavior}} -#endif + // expected-warning:Call to virtual function during construction } B::~B() { this->B::foo(); // no-warning this->B::bar(); this->foo(); -#if !PUREONLY -#if INTERPROCEDURAL - // expected-warning-re@-3 {{{{^}}Call Path : fooCall to virtual function during destruction will not dispatch to derived class}} -#else - // expected-warning-re@-5 {{{{^}}Call to virtual function during destruction will not dispatch to derived class}} -#endif -#endif - + // expected-warning:Call to virtual function during destruction } class C : public B { 
@@ -87,13 +53,7 @@ C::C() { f(foo()); -#if !PUREONLY -#if INTERPROCEDURAL - // expected-warning-re@-3 {{{{^}}Call Path : fooCall to virtual function during construction will not dispatch to derived class}} -#else - // expected-warning-re@-5 {{{{^}}Call to virtual function during construction will not dispatch to derived class}} -#endif -#endif + // expected-warning:Call to virtual function during construction } class D : public B { @@ -115,7 +75,6 @@ int foo() override; }; -// Regression test: don't crash when there's no direct callee. class F { public: F() { @@ -125,17 +84,65 @@ void foo(); }; -int main() { - A *a; - B *b; - C *c; - D *d; - E *e; - F *f; -} +class G { +public: + virtual void bar(); + void foo() { + bar(); + // no warning + } +}; -#include "virtualcall.h" +class H{ +public: + H() : initState(0) { init(); } + int initState; + virtual void f() const; + void init() { + if (initState) + f(); + // no warning + } -#define AS_SYSTEM -#include "virtualcall.h" -#undef AS_SYSTEM + H(int i) { + G g; + g.foo(); + g.bar(); + // no warning + f(); + // expected-warning:Call to virtual function during construction + H& h = *this; + h.f(); + // expected-warning:Call to virtual function during construction + } +}; + +class X { +public: + X() { + g(); + // expected-warning:Call to virtual function during construction + } + X(int i) { + if (i > 0) { + X x(i-1); + x.g(); + // no warning + } + g(); + // expected-warning:Call to virtual function during construction + } + virtual void g(); +}; + +int main() { + + B b; + C c; + D d; + E e; + F f; + G g; + H h; + X x; +}
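Review bot: `main()` constructs `H h;` and `X x;` only, so the `H(int i)` and `X(int i)` bodies — which carry four of the new `expected-warning` lines (the `f()`, `h.f()`, and both `g()` calls) — are never entered from main. Adding a driver at all suggests the rewritten checker only fires when the ctor is analyzed as an inlined callee rather than as a top-level entry point; if that is the case those expectations can never be satisfied, and the hunk should add `H h2(1); X x2(2);` to main (or drop the `i` constructors from the test). The `X(int)` recursion `X x(i-1); x.g(); // no warning` also exercises the checker's other-object tracking, which is worth a one-line comment explaining what it is meant to prove. The hunk starts inside `F()`'s body, whose opening lines are outside this hunk.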