This is an archive of the discontinued LLVM Phabricator instance.

Differential D62440

[analyzer] NFC: Change evalCall() to provide a CallEvent.
ClosedPublic

Authored by NoQ on May 24 2019, 7:45 PM.

Details

Reviewers
dcoughlin
xazax.hun
a_sidorin
rnkovacs
mikhail.ramalho
Szelethus
baloghadamsoftware
Charusso
Commits
rG44820630dfa4: [analyzer] NFC: Change evalCall() to provide a CallEvent.
rC363893: [analyzer] NFC: Change evalCall() to provide a CallEvent.
rL363893: [analyzer] NFC: Change evalCall() to provide a CallEvent.
Summary

This is mostly motivated by me being annoyed that in C many functions are implemented as builtins and everybody keeps forgetting about it while writing checkers, leading to checkers not working at all except on LIT tests, which is fairly hard to notice. For that reason i'd like to put a bit more effort into the CallDescription interface, so that to de-duplicate as much code as possible so that nobody needed to remember things.

This is also a necessary step if we want to evalCall() calls that don't correspond to any CallExpr, such as automatic destructor calls.

This patch does varied amount of refactoring in different checkers while updating them after the API breakage. For instance, ChrootChecker is completely converted to CallDescriptions, but CStringChecker is waiting for a few more updates to the CallDescription interface before it can be converted.

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.May 24 2019, 7:45 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 24 2019, 7:45 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 2 others. · View Herald Transcript
NoQ edited the summary of this revision. (Show Details)May 24 2019, 7:48 PM
NoQ edited the summary of this revision. (Show Details)
a_sidorin accepted this revision.May 26 2019, 11:11 AM
a_sidorin added inline comments.
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
372 ↗(On Diff #201380)

Should we create helpers similar to getDecl() and getOriginExpr (getFunctionDecl/getCallExpr)?

This revision is now accepted and ready to land.May 26 2019, 11:11 AM
NoQ marked an inline comment as done.May 28 2019, 4:31 PM
NoQ added inline comments.
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
372 ↗(On Diff #201380)

Generally it sounds like a good idea, but in the context of this patch it's only useful when i don't want to refactor the code to avoid needing such getters in the first place. Once the CallDescription interface is good enough, all such getters will turn into hard casts without null checks. But these two checkers implement their own custom call description facility, so they need this sort of dancing.

NoQ added a child revision: D62557: [analyzer] Modernize CStringChecker to use CallDescriptions..May 28 2019, 4:49 PM
Szelethus accepted this revision.Jun 3 2019, 11:08 AM

LGTM!

Closed by commit rL363893: [analyzer] NFC: Change evalCall() to provide a CallEvent. (authored by NoQ). · Explain WhyJun 19 2019, 4:30 PM
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. · View Herald TranscriptJun 19 2019, 4:30 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
StaticAnalyzer/
Core/
5 lines
2 lines
lib/
StaticAnalyzer/
Checkers/
31 lines
7 lines
57 lines
9 lines
RetainCountChecker/
2 lines
11 lines
24 lines
10 lines
11 lines
Core/
14 lines

Diff 205701

cfe/trunk/include/clang/StaticAnalyzer/Core/Checker.h

Show First 20 LinesShow All 468 Lines▼ Show 20 Linespublic:
static void _register(CHECKER *checker, CheckerManager &mgr) { static void _register(CHECKER *checker, CheckerManager &mgr) {
mgr._registerForEvalAssume( mgr._registerForEvalAssume(
CheckerManager::EvalAssumeFunc(checker, _evalAssume<CHECKER>)); CheckerManager::EvalAssumeFunc(checker, _evalAssume<CHECKER>));
} }
}; };
class Call { class Call {
template <typename CHECKER> template <typename CHECKER>
static bool _evalCall(void *checker, const CallExpr *CE, CheckerContext &C) { static bool _evalCall(void *checker, const CallEvent &Call,
return ((const CHECKER *)checker)->evalCall(CE, C); CheckerContext &C) {
return ((const CHECKER *)checker)->evalCall(Call, C);
} }
public: public:
template <typename CHECKER> template <typename CHECKER>
static void _register(CHECKER *checker, CheckerManager &mgr) { static void _register(CHECKER *checker, CheckerManager &mgr) {
mgr._registerForEvalCall( mgr._registerForEvalCall(
CheckerManager::EvalCallFunc(checker, _evalCall<CHECKER>)); CheckerManager::EvalCallFunc(checker, _evalCall<CHECKER>));
} }
▲ Show 20 LinesShow All 95 LinesShow Last 20 Lines

cfe/trunk/include/clang/StaticAnalyzer/Core/CheckerManager.h

Show First 20 LinesShow All 484 Lines▼ Show 20 Lines using CheckPointerEscapeFunc =
const InvalidatedSymbols &Escaped, const InvalidatedSymbols &Escaped,
const CallEvent *Call, PointerEscapeKind Kind, const CallEvent *Call, PointerEscapeKind Kind,
RegionAndSymbolInvalidationTraits *ITraits)>; RegionAndSymbolInvalidationTraits *ITraits)>;
using EvalAssumeFunc = using EvalAssumeFunc =
CheckerFn<ProgramStateRef (ProgramStateRef, const SVal &cond, CheckerFn<ProgramStateRef (ProgramStateRef, const SVal &cond,
bool assumption)>; bool assumption)>;
using EvalCallFunc = CheckerFn<bool (const CallExpr *, CheckerContext &)>; using EvalCallFunc = CheckerFn<bool (const CallEvent &, CheckerContext &)>;
using CheckEndOfTranslationUnit = using CheckEndOfTranslationUnit =
CheckerFn<void (const TranslationUnitDecl *, AnalysisManager &, CheckerFn<void (const TranslationUnitDecl *, AnalysisManager &,
BugReporter &)>; BugReporter &)>;
using HandlesStmtFunc = bool (*)(const Stmt *D); using HandlesStmtFunc = bool (*)(const Stmt *D);
void _registerForPreStmt(CheckStmtFunc checkfn, void _registerForPreStmt(CheckStmtFunc checkfn,
▲ Show 20 LinesShow All 166 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/BuiltinFunctionChecker.cpp

//=== BuiltinFunctionChecker.cpp --------------------------------*- C++ -*-===// //=== BuiltinFunctionChecker.cpp --------------------------------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This checker evaluates clang builtin functions. // This checker evaluates clang builtin functions.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/Basic/Builtins.h" #include "clang/Basic/Builtins.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class BuiltinFunctionChecker : public Checker<eval::Call> { class BuiltinFunctionChecker : public Checker<eval::Call> {
public: public:
bool evalCall(const CallExpr *CE, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
}; };
} }
bool BuiltinFunctionChecker::evalCall(const CallExpr *CE, bool BuiltinFunctionChecker::evalCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
const FunctionDecl *FD = C.getCalleeDecl(CE); const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
const LocationContext *LCtx = C.getLocationContext();
if (!FD) if (!FD)
return false; return false;
const LocationContext *LCtx = C.getLocationContext();
const Expr *CE = Call.getOriginExpr();
switch (FD->getBuiltinID()) { switch (FD->getBuiltinID()) {
default: default:
return false; return false;
case Builtin::BI__builtin_assume: { case Builtin::BI__builtin_assume: {
assert (CE->arg_begin() != CE->arg_end()); assert (Call.getNumArgs() > 0);
SVal ArgSVal = C.getSVal(CE->getArg(0)); SVal Arg = Call.getArgSVal(0);
if (ArgSVal.isUndef()) if (Arg.isUndef())
return true; // Return true to model purity. return true; // Return true to model purity.
state = state->assume(ArgSVal.castAs<DefinedOrUnknownSVal>(), true); state = state->assume(Arg.castAs<DefinedOrUnknownSVal>(), true);
// FIXME: do we want to warn here? Not right now. The most reports might // FIXME: do we want to warn here? Not right now. The most reports might
// come from infeasible paths, thus being false positives. // come from infeasible paths, thus being false positives.
if (!state) { if (!state) {
C.generateSink(C.getState(), C.getPredecessor()); C.generateSink(C.getState(), C.getPredecessor());
return true; return true;
} }
C.addTransition(state); C.addTransition(state);
return true; return true;
} }
case Builtin::BI__builtin_unpredictable: case Builtin::BI__builtin_unpredictable:
case Builtin::BI__builtin_expect: case Builtin::BI__builtin_expect:
case Builtin::BI__builtin_assume_aligned: case Builtin::BI__builtin_assume_aligned:
case Builtin::BI__builtin_addressof: { case Builtin::BI__builtin_addressof: {
// For __builtin_unpredictable, __builtin_expect, and // For __builtin_unpredictable, __builtin_expect, and
// __builtin_assume_aligned, just return the value of the subexpression. // __builtin_assume_aligned, just return the value of the subexpression.
// __builtin_addressof is going from a reference to a pointer, but those // __builtin_addressof is going from a reference to a pointer, but those
// are represented the same way in the analyzer. // are represented the same way in the analyzer.
assert (CE->arg_begin() != CE->arg_end()); assert (Call.getNumArgs() > 0);
SVal X = C.getSVal(*(CE->arg_begin())); SVal Arg = Call.getArgSVal(0);
C.addTransition(state->BindExpr(CE, LCtx, X)); C.addTransition(state->BindExpr(CE, LCtx, Arg));
return true; return true;
} }
case Builtin::BI__builtin_alloca_with_align: case Builtin::BI__builtin_alloca_with_align:
case Builtin::BI__builtin_alloca: { case Builtin::BI__builtin_alloca: {
// FIXME: Refactor into StoreManager itself? // FIXME: Refactor into StoreManager itself?
MemRegionManager& RM = C.getStoreManager().getRegionManager(); MemRegionManager& RM = C.getStoreManager().getRegionManager();
const AllocaRegion* R = const AllocaRegion* R =
RM.getAllocaRegion(CE, C.blockCount(), C.getLocationContext()); RM.getAllocaRegion(CE, C.blockCount(), C.getLocationContext());
// Set the extent of the region in bytes. This enables us to use the // Set the extent of the region in bytes. This enables us to use the
// SVal of the argument directly. If we save the extent in bits, we // SVal of the argument directly. If we save the extent in bits, we
// cannot represent values like symbol*8. // cannot represent values like symbol*8.
auto Size = C.getSVal(*(CE->arg_begin())).castAs<DefinedOrUnknownSVal>(); auto Size = Call.getArgSVal(0);
if (Size.isUndef())
return true; // Return true to model purity.
SValBuilder& svalBuilder = C.getSValBuilder(); SValBuilder& svalBuilder = C.getSValBuilder();
DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder);
DefinedOrUnknownSVal extentMatchesSizeArg = DefinedOrUnknownSVal extentMatchesSizeArg =
svalBuilder.evalEQ(state, Extent, Size); svalBuilder.evalEQ(state, Extent, Size.castAs<DefinedOrUnknownSVal>());
state = state->assume(extentMatchesSizeArg, true); state = state->assume(extentMatchesSizeArg, true);
assert(state && "The region should not have any previous constraints"); assert(state && "The region should not have any previous constraints");
C.addTransition(state->BindExpr(CE, LCtx, loc::MemRegionVal(R))); C.addTransition(state->BindExpr(CE, LCtx, loc::MemRegionVal(R)));
return true; return true;
} }
case Builtin::BI__builtin_dynamic_object_size: case Builtin::BI__builtin_dynamic_object_size:
Show All 36 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Show All 11 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "InterCheckerAPI.h" #include "InterCheckerAPI.h"
#include "clang/Basic/CharInfo.h" #include "clang/Basic/CharInfo.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
Show All 24 Lines struct CStringChecksFilter {
CheckName CheckNameCStringBufferOverlap; CheckName CheckNameCStringBufferOverlap;
CheckName CheckNameCStringNotNullTerm; CheckName CheckNameCStringNotNullTerm;
}; };
CStringChecksFilter Filter; CStringChecksFilter Filter;
static void *getTag() { static int tag; return &tag; } static void *getTag() { static int tag; return &tag; }
bool evalCall(const CallExpr *CE, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const; void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const; void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
ProgramStateRef ProgramStateRef
checkRegionChanges(ProgramStateRef state, checkRegionChanges(ProgramStateRef state,
const InvalidatedSymbols *, const InvalidatedSymbols *,
ArrayRef<const MemRegion *> ExplicitRegions, ArrayRef<const MemRegion *> ExplicitRegions,
▲ Show 20 LinesShow All 2,260 Lines▼ Show 20 Lines else if (C.isCLibraryFunction(FDecl, "bcmp"))
return &CStringChecker::evalMemcmp; return &CStringChecker::evalMemcmp;
else if (C.isCLibraryFunction(FDecl, "bzero") || else if (C.isCLibraryFunction(FDecl, "bzero") ||
C.isCLibraryFunction(FDecl, "explicit_bzero")) C.isCLibraryFunction(FDecl, "explicit_bzero"))
return &CStringChecker::evalBzero; return &CStringChecker::evalBzero;
return nullptr; return nullptr;
} }
bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { bool CStringChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
FnCheck evalFunction = identifyCall(CE, C); FnCheck evalFunction = identifyCall(CE, C);
// If the callee isn't a string function, let another checker handle it. // If the callee isn't a string function, let another checker handle it.
if (!evalFunction) if (!evalFunction)
return false; return false;
// Check and evaluate the call. // Check and evaluate the call.
(this->*evalFunction)(C, CE); (this->*evalFunction)(C, CE);
▲ Show 20 LinesShow All 158 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ChrootChecker.cpp

//===-- ChrootChecker.cpp - chroot usage checks ---------------------------===// //===-- ChrootChecker.cpp - chroot usage checks ---------------------------===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines chroot checker, which checks improper use of chroot. // This file defines chroot checker, which checks improper use of chroot.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
// enum value that represent the jail state // enum value that represent the jail state
enum Kind { NO_CHROOT, ROOT_CHANGED, JAIL_ENTERED }; enum Kind { NO_CHROOT, ROOT_CHANGED, JAIL_ENTERED };
bool isRootChanged(intptr_t k) { return k == ROOT_CHANGED; } bool isRootChanged(intptr_t k) { return k == ROOT_CHANGED; }
//bool isJailEntered(intptr_t k) { return k == JAIL_ENTERED; } //bool isJailEntered(intptr_t k) { return k == JAIL_ENTERED; }
// This checker checks improper use of chroot. // This checker checks improper use of chroot.
// The state transition: // The state transition:
// NO_CHROOT ---chroot(path)--> ROOT_CHANGED ---chdir(/) --> JAIL_ENTERED // NO_CHROOT ---chroot(path)--> ROOT_CHANGED ---chdir(/) --> JAIL_ENTERED
// | | // | |
// ROOT_CHANGED<--chdir(..)-- JAIL_ENTERED<--chdir(..)-- // ROOT_CHANGED<--chdir(..)-- JAIL_ENTERED<--chdir(..)--
// | | // | |
// bug<--foo()-- JAIL_ENTERED<--foo()-- // bug<--foo()-- JAIL_ENTERED<--foo()--
class ChrootChecker : public Checker<eval::Call, check::PreStmt<CallExpr> > { class ChrootChecker : public Checker<eval::Call, check::PreCall> {
mutable IdentifierInfo *II_chroot, *II_chdir;
// This bug refers to possibly break out of a chroot() jail. // This bug refers to possibly break out of a chroot() jail.
mutable std::unique_ptr<BuiltinBug> BT_BreakJail; mutable std::unique_ptr<BuiltinBug> BT_BreakJail;
const CallDescription Chroot{"chroot", 1}, Chdir{"chdir", 1};
public: public:
ChrootChecker() : II_chroot(nullptr), II_chdir(nullptr) {} ChrootChecker() {}
static void *getTag() { static void *getTag() {
static int x; static int x;
return &x; return &x;
} }
bool evalCall(const CallExpr *CE, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
void checkPreStmt(const CallExpr *CE, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
private: private:
void Chroot(CheckerContext &C, const CallExpr *CE) const; void evalChroot(const CallEvent &Call, CheckerContext &C) const;
void Chdir(CheckerContext &C, const CallExpr *CE) const; void evalChdir(const CallEvent &Call, CheckerContext &C) const;
}; };
} // end anonymous namespace } // end anonymous namespace
bool ChrootChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { bool ChrootChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
const FunctionDecl *FD = C.getCalleeDecl(CE); if (Call.isCalled(Chroot)) {
if (!FD) evalChroot(Call, C);
return false;
ASTContext &Ctx = C.getASTContext();
if (!II_chroot)
II_chroot = &Ctx.Idents.get("chroot");
if (!II_chdir)
II_chdir = &Ctx.Idents.get("chdir");
if (FD->getIdentifier() == II_chroot) {
Chroot(C, CE);
return true; return true;
} }
if (FD->getIdentifier() == II_chdir) { if (Call.isCalled(Chdir)) {
Chdir(C, CE); evalChdir(Call, C);
return true; return true;
} }
return false; return false;
} }
void ChrootChecker::Chroot(CheckerContext &C, const CallExpr *CE) const { void ChrootChecker::evalChroot(const CallEvent &Call, CheckerContext &C) const {
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
ProgramStateManager &Mgr = state->getStateManager(); ProgramStateManager &Mgr = state->getStateManager();
// Once encouter a chroot(), set the enum value ROOT_CHANGED directly in // Once encouter a chroot(), set the enum value ROOT_CHANGED directly in
// the GDM. // the GDM.
state = Mgr.addGDM(state, ChrootChecker::getTag(), (void*) ROOT_CHANGED); state = Mgr.addGDM(state, ChrootChecker::getTag(), (void*) ROOT_CHANGED);
C.addTransition(state); C.addTransition(state);
} }
void ChrootChecker::Chdir(CheckerContext &C, const CallExpr *CE) const { void ChrootChecker::evalChdir(const CallEvent &Call, CheckerContext &C) const {
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
ProgramStateManager &Mgr = state->getStateManager(); ProgramStateManager &Mgr = state->getStateManager();
// If there are no jail state in the GDM, just return. // If there are no jail state in the GDM, just return.
const void *k = state->FindGDM(ChrootChecker::getTag()); const void *k = state->FindGDM(ChrootChecker::getTag());
if (!k) if (!k)
return; return;
// After chdir("/"), enter the jail, set the enum value JAIL_ENTERED. // After chdir("/"), enter the jail, set the enum value JAIL_ENTERED.
const Expr *ArgExpr = CE->getArg(0); const Expr *ArgExpr = Call.getArgExpr(0);
SVal ArgVal = C.getSVal(ArgExpr); SVal ArgVal = C.getSVal(ArgExpr);
if (const MemRegion *R = ArgVal.getAsRegion()) { if (const MemRegion *R = ArgVal.getAsRegion()) {
R = R->StripCasts(); R = R->StripCasts();
if (const StringRegion* StrRegion= dyn_cast<StringRegion>(R)) { if (const StringRegion* StrRegion= dyn_cast<StringRegion>(R)) {
const StringLiteral* Str = StrRegion->getStringLiteral(); const StringLiteral* Str = StrRegion->getStringLiteral();
if (Str->getString() == "/") if (Str->getString() == "/")
state = Mgr.addGDM(state, ChrootChecker::getTag(), state = Mgr.addGDM(state, ChrootChecker::getTag(),
(void*) JAIL_ENTERED); (void*) JAIL_ENTERED);
} }
} }
C.addTransition(state); C.addTransition(state);
} }
// Check the jail state before any function call except chroot and chdir(). // Check the jail state before any function call except chroot and chdir().
void ChrootChecker::checkPreStmt(const CallExpr *CE, CheckerContext &C) const { void ChrootChecker::checkPreCall(const CallEvent &Call,
const FunctionDecl *FD = C.getCalleeDecl(CE); CheckerContext &C) const {
if (!FD)
return;
ASTContext &Ctx = C.getASTContext();
if (!II_chroot)
II_chroot = &Ctx.Idents.get("chroot");
if (!II_chdir)
II_chdir = &Ctx.Idents.get("chdir");
// Ignore chroot and chdir. // Ignore chroot and chdir.
if (FD->getIdentifier() == II_chroot || FD->getIdentifier() == II_chdir) if (Call.isCalled(Chroot) || Call.isCalled(Chdir))
return; return;
// If jail state is ROOT_CHANGED, generate BugReport. // If jail state is ROOT_CHANGED, generate BugReport.
void *const* k = C.getState()->FindGDM(ChrootChecker::getTag()); void *const* k = C.getState()->FindGDM(ChrootChecker::getTag());
if (k) if (k)
if (isRootChanged((intptr_t) *k)) if (isRootChanged((intptr_t) *k))
if (ExplodedNode *N = C.generateNonFatalErrorNode()) { if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
if (!BT_BreakJail) if (!BT_BreakJail)
Show All 15 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp

//==- ExprInspectionChecker.cpp - Used for regression tests ------*- C++ -*-==// //==- ExprInspectionChecker.cpp - Used for regression tests ------*- C++ -*-==//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Checkers/SValExplainer.h" #include "clang/StaticAnalyzer/Checkers/SValExplainer.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/IssueHash.h" #include "clang/StaticAnalyzer/Core/IssueHash.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "llvm/ADT/StringSwitch.h" #include "llvm/ADT/StringSwitch.h"
#include "llvm/Support/ScopedPrinter.h" #include "llvm/Support/ScopedPrinter.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
Show All 26 Linesclass ExprInspectionChecker : public Checker<eval::Call, check::DeadSymbols,
typedef void (ExprInspectionChecker::*FnCheck)(const CallExpr *, typedef void (ExprInspectionChecker::*FnCheck)(const CallExpr *,
CheckerContext &C) const; CheckerContext &C) const;
ExplodedNode *reportBug(llvm::StringRef Msg, CheckerContext &C) const; ExplodedNode *reportBug(llvm::StringRef Msg, CheckerContext &C) const;
ExplodedNode *reportBug(llvm::StringRef Msg, BugReporter &BR, ExplodedNode *reportBug(llvm::StringRef Msg, BugReporter &BR,
ExplodedNode *N) const; ExplodedNode *N) const;
public: public:
bool evalCall(const CallExpr *CE, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
void checkEndAnalysis(ExplodedGraph &G, BugReporter &BR, void checkEndAnalysis(ExplodedGraph &G, BugReporter &BR,
ExprEngine &Eng) const; ExprEngine &Eng) const;
}; };
} }
REGISTER_SET_WITH_PROGRAMSTATE(MarkedSymbols, SymbolRef) REGISTER_SET_WITH_PROGRAMSTATE(MarkedSymbols, SymbolRef)
REGISTER_MAP_WITH_PROGRAMSTATE(DenotedSymbols, SymbolRef, const StringLiteral *) REGISTER_MAP_WITH_PROGRAMSTATE(DenotedSymbols, SymbolRef, const StringLiteral *)
bool ExprInspectionChecker::evalCall(const CallExpr *CE, bool ExprInspectionChecker::evalCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE)
return false;
// These checks should have no effect on the surrounding environment // These checks should have no effect on the surrounding environment
// (globals should not be invalidated, etc), hence the use of evalCall. // (globals should not be invalidated, etc), hence the use of evalCall.
FnCheck Handler = llvm::StringSwitch<FnCheck>(C.getCalleeName(CE)) FnCheck Handler = llvm::StringSwitch<FnCheck>(C.getCalleeName(CE))
.Case("clang_analyzer_eval", &ExprInspectionChecker::analyzerEval) .Case("clang_analyzer_eval", &ExprInspectionChecker::analyzerEval)
.Case("clang_analyzer_checkInlined", .Case("clang_analyzer_checkInlined",
&ExprInspectionChecker::analyzerCheckInlined) &ExprInspectionChecker::analyzerCheckInlined)
.Case("clang_analyzer_crash", &ExprInspectionChecker::analyzerCrash) .Case("clang_analyzer_crash", &ExprInspectionChecker::analyzerCrash)
.Case("clang_analyzer_warnIfReached", .Case("clang_analyzer_warnIfReached",
▲ Show 20 LinesShow All 339 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.h

Show First 20 LinesShow All 304 Lines▼ Show 20 Linespublic:
void checkSummary(const RetainSummary &Summ, const CallEvent &Call, void checkSummary(const RetainSummary &Summ, const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
void processSummaryOfInlined(const RetainSummary &Summ, void processSummaryOfInlined(const RetainSummary &Summ,
const CallEvent &Call, const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
bool evalCall(const CallExpr *CE, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
bool Assumption) const; bool Assumption) const;
ProgramStateRef ProgramStateRef
checkRegionChanges(ProgramStateRef state, checkRegionChanges(ProgramStateRef state,
const InvalidatedSymbols *invalidated, const InvalidatedSymbols *invalidated,
ArrayRef<const MemRegion *> ExplicitRegions, ArrayRef<const MemRegion *> ExplicitRegions,
▲ Show 20 LinesShow All 77 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp

Show First 20 LinesShow All 880 Lines▼ Show 20 Linesvoid RetainCountChecker::processNonLeakError(ProgramStateRef St,
report->addRange(ErrorRange); report->addRange(ErrorRange);
C.emitReport(std::move(report)); C.emitReport(std::move(report));
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Handle the return values of retain-count-related functions. // Handle the return values of retain-count-related functions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
bool RetainCountChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { bool RetainCountChecker::evalCall(const CallEvent &Call,
CheckerContext &C) const {
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
const FunctionDecl *FD = C.getCalleeDecl(CE); const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
if (!FD) if (!FD)
return false; return false;
const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE)
return false;
RetainSummaryManager &SmrMgr = getSummaryManager(C); RetainSummaryManager &SmrMgr = getSummaryManager(C);
QualType ResultTy = CE->getCallReturnType(C.getASTContext()); QualType ResultTy = Call.getResultType();
// See if the function has 'rc_ownership_trusted_implementation' // See if the function has 'rc_ownership_trusted_implementation'
// annotate attribute. If it does, we will not inline it. // annotate attribute. If it does, we will not inline it.
bool hasTrustedImplementationAnnotation = false; bool hasTrustedImplementationAnnotation = false;
const LocationContext *LCtx = C.getLocationContext(); const LocationContext *LCtx = C.getLocationContext();
using BehaviorSummary = RetainSummaryManager::BehaviorSummary; using BehaviorSummary = RetainSummaryManager::BehaviorSummary;
▲ Show 20 LinesShow All 611 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp

Show All 20 Lines
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class SmartPtrModeling : public Checker<eval::Call> { class SmartPtrModeling : public Checker<eval::Call> {
bool isNullAfterMoveMethod(const CXXInstanceCall *Call) const; bool isNullAfterMoveMethod(const CallEvent &Call) const;
public: public:
bool evalCall(const CallExpr *CE, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
}; };
} // end of anonymous namespace } // end of anonymous namespace
bool SmartPtrModeling::isNullAfterMoveMethod( bool SmartPtrModeling::isNullAfterMoveMethod(const CallEvent &Call) const {
const CXXInstanceCall *Call) const {
// TODO: Update CallDescription to support anonymous calls? // TODO: Update CallDescription to support anonymous calls?
// TODO: Handle other methods, such as .get() or .release(). // TODO: Handle other methods, such as .get() or .release().
// But once we do, we'd need a visitor to explain null dereferences // But once we do, we'd need a visitor to explain null dereferences
// that are found via such modeling. // that are found via such modeling.
const auto *CD = dyn_cast_or_null<CXXConversionDecl>(Call->getDecl()); const auto *CD = dyn_cast_or_null<CXXConversionDecl>(Call.getDecl());
return CD && CD->getConversionType()->isBooleanType(); return CD && CD->getConversionType()->isBooleanType();
} }
bool SmartPtrModeling::evalCall(const CallExpr *CE, CheckerContext &C) const { bool SmartPtrModeling::evalCall(const CallEvent &Call,
CallEventRef<> CallRef = C.getStateManager().getCallEventManager().getCall( CheckerContext &C) const {
CE, C.getState(), C.getLocationContext()); if (!isNullAfterMoveMethod(Call))
const auto *Call = dyn_cast_or_null<CXXInstanceCall>(CallRef);
if (!Call || !isNullAfterMoveMethod(Call))
return false; return false;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const MemRegion *ThisR = Call->getCXXThisVal().getAsRegion(); const MemRegion *ThisR =
cast<CXXInstanceCall>(&Call)->getCXXThisVal().getAsRegion();
if (!move::isMovedFrom(State, ThisR)) { if (!move::isMovedFrom(State, ThisR)) {
// TODO: Model this case as well. At least, avoid invalidation of globals. // TODO: Model this case as well. At least, avoid invalidation of globals.
return false; return false;
} }
// TODO: Add a note to bug reports describing this decision. // TODO: Add a note to bug reports describing this decision.
C.addTransition( C.addTransition(
State->BindExpr(CE, C.getLocationContext(), State->BindExpr(Call.getOriginExpr(), C.getLocationContext(),
C.getSValBuilder().makeZeroVal(CE->getType()))); C.getSValBuilder().makeZeroVal(Call.getResultType())));
return true; return true;
} }
void ento::registerSmartPtrModeling(CheckerManager &Mgr) { void ento::registerSmartPtrModeling(CheckerManager &Mgr) {
Mgr.registerChecker<SmartPtrModeling>(); Mgr.registerChecker<SmartPtrModeling>();
} }
bool ento::shouldRegisterSmartPtrModeling(const LangOptions &LO) { bool ento::shouldRegisterSmartPtrModeling(const LangOptions &LO) {
return LO.CPlusPlus; return LO.CPlusPlus;
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 LinesShow All 218 Lines▼ Show 20 Lines return ArgNo == Ret ? CE->getType().getCanonicalType()
: CE->getArg(ArgNo)->getType().getCanonicalType(); : CE->getArg(ArgNo)->getType().getCanonicalType();
} }
static SVal getArgSVal(const CallEvent &Call, ArgNoTy ArgNo) { static SVal getArgSVal(const CallEvent &Call, ArgNoTy ArgNo) {
return ArgNo == Ret ? Call.getReturnValue() : Call.getArgSVal(ArgNo); return ArgNo == Ret ? Call.getReturnValue() : Call.getArgSVal(ArgNo);
} }
public: public:
void checkPostCall(const CallEvent &Call, CheckerContext &C) const; void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
bool evalCall(const CallExpr *CE, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
private: private:
Optional<FunctionSummaryTy> findFunctionSummary(const FunctionDecl *FD, Optional<FunctionSummaryTy> findFunctionSummary(const FunctionDecl *FD,
const CallExpr *CE, const CallExpr *CE,
CheckerContext &C) const; CheckerContext &C) const;
void initFunctionSummaries(BasicValueFactory &BVF) const; void initFunctionSummaries(BasicValueFactory &BVF) const;
}; };
▲ Show 20 LinesShow All 126 Lines▼ Show 20 Lines for (const auto &VR: VRS) {
break; break;
} }
if (NewState && NewState != State) if (NewState && NewState != State)
C.addTransition(NewState); C.addTransition(NewState);
} }
} }
bool StdLibraryFunctionsChecker::evalCall(const CallExpr *CE, bool StdLibraryFunctionsChecker::evalCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(CE->getCalleeDecl()); const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
if (!FD) if (!FD)
return false; return false;
const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE)
return false;
Optional<FunctionSummaryTy> FoundSummary = findFunctionSummary(FD, CE, C); Optional<FunctionSummaryTy> FoundSummary = findFunctionSummary(FD, CE, C);
if (!FoundSummary) if (!FoundSummary)
return false; return false;
const FunctionSummaryTy &Summary = *FoundSummary; const FunctionSummaryTy &Summary = *FoundSummary;
switch (Summary.InvalidationKind) { switch (Summary.InvalidationKind) {
case EvalCallAsPure: { case EvalCallAsPure: {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
▲ Show 20 LinesShow All 678 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/StreamChecker.cpp

//===-- StreamChecker.cpp -----------------------------------------*- C++ -*--// //===-- StreamChecker.cpp -----------------------------------------*- C++ -*--//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines checkers that model and check stream handling functions. // This file defines checkers that model and check stream handling functions.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
▲ Show 20 LinesShow All 41 Lines▼ Show 20 Lines
public: public:
StreamChecker() StreamChecker()
: II_fopen(nullptr), II_tmpfile(nullptr), II_fclose(nullptr), : II_fopen(nullptr), II_tmpfile(nullptr), II_fclose(nullptr),
II_fread(nullptr), II_fwrite(nullptr), II_fseek(nullptr), II_fread(nullptr), II_fwrite(nullptr), II_fseek(nullptr),
II_ftell(nullptr), II_rewind(nullptr), II_fgetpos(nullptr), II_ftell(nullptr), II_rewind(nullptr), II_fgetpos(nullptr),
II_fsetpos(nullptr), II_clearerr(nullptr), II_feof(nullptr), II_fsetpos(nullptr), II_clearerr(nullptr), II_feof(nullptr),
II_ferror(nullptr), II_fileno(nullptr) {} II_ferror(nullptr), II_fileno(nullptr) {}
bool evalCall(const CallExpr *CE, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
private: private:
void Fopen(CheckerContext &C, const CallExpr *CE) const; void Fopen(CheckerContext &C, const CallExpr *CE) const;
void Tmpfile(CheckerContext &C, const CallExpr *CE) const; void Tmpfile(CheckerContext &C, const CallExpr *CE) const;
void Fclose(CheckerContext &C, const CallExpr *CE) const; void Fclose(CheckerContext &C, const CallExpr *CE) const;
void Fread(CheckerContext &C, const CallExpr *CE) const; void Fread(CheckerContext &C, const CallExpr *CE) const;
void Fwrite(CheckerContext &C, const CallExpr *CE) const; void Fwrite(CheckerContext &C, const CallExpr *CE) const;
Show All 15 Lines ProgramStateRef CheckDoubleClose(const CallExpr *CE, ProgramStateRef state,
CheckerContext &C) const; CheckerContext &C) const;
}; };
} // end anonymous namespace } // end anonymous namespace
REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState) REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState)
bool StreamChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { bool StreamChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
const FunctionDecl *FD = C.getCalleeDecl(CE); const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
if (!FD || FD->getKind() != Decl::Function) if (!FD || FD->getKind() != Decl::Function)
return false; return false;
const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE)
return false;
ASTContext &Ctx = C.getASTContext(); ASTContext &Ctx = C.getASTContext();
if (!II_fopen) if (!II_fopen)
II_fopen = &Ctx.Idents.get("fopen"); II_fopen = &Ctx.Idents.get("fopen");
if (!II_tmpfile) if (!II_tmpfile)
II_tmpfile = &Ctx.Idents.get("tmpfile"); II_tmpfile = &Ctx.Idents.get("tmpfile");
if (!II_fclose) if (!II_fclose)
II_fclose = &Ctx.Idents.get("fclose"); II_fclose = &Ctx.Idents.get("fclose");
if (!II_fread) if (!II_fread)
▲ Show 20 LinesShow All 296 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/CheckerManager.cpp

Show First 20 LinesShow All 645 Lines▼ Show 20 Lines
} }
/// Run checkers for evaluating a call. /// Run checkers for evaluating a call.
/// Only one checker will evaluate the call. /// Only one checker will evaluate the call.
void CheckerManager::runCheckersForEvalCall(ExplodedNodeSet &Dst, void CheckerManager::runCheckersForEvalCall(ExplodedNodeSet &Dst,
const ExplodedNodeSet &Src, const ExplodedNodeSet &Src,
const CallEvent &Call, const CallEvent &Call,
ExprEngine &Eng) { ExprEngine &Eng) {
const CallExpr *CE = cast<CallExpr>(Call.getOriginExpr());
for (const auto Pred : Src) { for (const auto Pred : Src) {
bool anyEvaluated = false; bool anyEvaluated = false;
ExplodedNodeSet checkDst; ExplodedNodeSet checkDst;
NodeBuilder B(Pred, checkDst, Eng.getBuilderContext()); NodeBuilder B(Pred, checkDst, Eng.getBuilderContext());
// Check if any of the EvalCall callbacks can evaluate the call. // Check if any of the EvalCall callbacks can evaluate the call.
for (const auto EvalCallChecker : EvalCallCheckers) { for (const auto EvalCallChecker : EvalCallCheckers) {
ProgramPoint::Kind K = ProgramPoint::PostStmtKind; // TODO: Support the situation when the call doesn't correspond
const ProgramPoint &L = // to any Expr.
ProgramPoint::getProgramPoint(CE, K, Pred->getLocationContext(), ProgramPoint L = ProgramPoint::getProgramPoint(
cast<CallExpr>(Call.getOriginExpr()),
ProgramPoint::PostStmtKind,
Pred->getLocationContext(),
EvalCallChecker.Checker); EvalCallChecker.Checker);
bool evaluated = false; bool evaluated = false;
{ // CheckerContext generates transitions(populates checkDest) on { // CheckerContext generates transitions(populates checkDest) on
// destruction, so introduce the scope to make sure it gets properly // destruction, so introduce the scope to make sure it gets properly
// populated. // populated.
CheckerContext C(B, Eng, Pred, L); CheckerContext C(B, Eng, Pred, L);
evaluated = EvalCallChecker(CE, C); evaluated = EvalCallChecker(Call, C);
} }
assert(!(evaluated && anyEvaluated) assert(!(evaluated && anyEvaluated)
&& "There are more than one checkers evaluating the call"); && "There are more than one checkers evaluating the call");
if (evaluated) { if (evaluated) {
anyEvaluated = true; anyEvaluated = true;
Dst.insert(checkDst); Dst.insert(checkDst);
#ifdef NDEBUG #ifdef NDEBUG
break; // on release don't check that no other checker also evals. break; // on release don't check that no other checker also evals.
▲ Show 20 LinesShow All 227 LinesShow Last 20 Lines