This is an archive of the discontinued LLVM Phabricator instance.

Differential D65889

[analyzer] CastValueChecker: Model castAs(), getAs()
ClosedPublic

Authored by Charusso on Aug 7 2019, 8:56 AM.

Details

Reviewers
NoQ
Commits
rGcf229d575226: [analyzer] CastValueChecker: Model castAs(), getAs()
rC368383: [analyzer] CastValueChecker: Model castAs(), getAs()
rL368383: [analyzer] CastValueChecker: Model castAs(), getAs()
Summary

Thanks to Kristóf Umann for the great idea!

Diff Detail

Repository
rL LLVM

Event Timeline

Charusso created this revision.Aug 7 2019, 8:56 AM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 6 others. · View Herald TranscriptAug 7 2019, 8:56 AM
Charusso marked 4 inline comments as done.Aug 7 2019, 9:01 AM

This is a little-bit WIP as the symbol conjuring is very naive.

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
111 ↗(On Diff #213919)

That is a very lame way to conjure a symbol, but with a cool wrapper I believe this would be okay. Do we have a better way to create a non-null symbol?

clang/lib/StaticAnalyzer/Core/CallEvent.cpp
718 ↗(On Diff #213919)

This is the only necessary addition to make it usable.

clang/test/Analysis/cast-value.cpp
113 ↗(On Diff #213919)

I am not sure what is going on here,

131 ↗(On Diff #213919)

and here.

193 ↗(On Diff #213919)

Known-value printing fails, but at least it is working well.

Charusso mentioned this in D64374: [analyzer] CastValueChecker: Model casts.Aug 7 2019, 9:06 AM
NoQ added inline comments.Aug 7 2019, 10:39 AM
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
111 ↗(On Diff #213919)

This creates a concrete 1 rather than a symbol. That's the right behavior for isa, but it's not the right behavior for getAs. In case of getAs we need to return our this.

Charusso added inline comments.Aug 7 2019, 10:47 AM
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
111 ↗(On Diff #213919)

Could you explain what is this, please? At this case we are working with a CXXMemberCallExpr. Do you mean its getImplicitObjectArgument()?

NoQ added inline comments.Aug 7 2019, 10:48 AM
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
111 ↗(On Diff #213919)

Yeah, its value.

Charusso updated this revision to Diff 213952.Aug 7 2019, 11:07 AM
Charusso marked 5 inline comments as done.
  • Remove symbol-conjuring.
  • Add a forgotten test case.
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
111 ↗(On Diff #213919)

Hm, I have not understand why it is not working as I definitely wanted to use this. I believe I had forgotten an early-return at a wrong place. Thanks!

Szelethus added a comment.Aug 7 2019, 11:45 AM

Cheers! :)

NoQ added inline comments.Aug 7 2019, 1:53 PM
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
51 ↗(On Diff #213952)

I'd rather have only one map from call descriptions to (callback, kind) pairs. This should make the evalCall code much more readable.

215 ↗(On Diff #213952)

Use Call.getResultType() instead.

And please add a test with references, as getResultType behaves more correctly for references:

C &c = ...;
D &d = dyn_cast<D>(c);
223 ↗(On Diff #213952)

*Call.parameters()[0]->getType(). It should also help with references.

231 ↗(On Diff #213952)
const auto *InstanceCall = dyn_cast<CXXInstanceCall>(&Call);
...
DV = InstanceCall->getCXXThisVal();
clang/lib/StaticAnalyzer/Core/CallEvent.cpp
718 ↗(On Diff #213952)

I don't think you need this anymore.

clang/test/Analysis/cast-value.cpp
186 ↗(On Diff #213952)

To think: this note isn't very useful because hard casts aren't really supposed to fail anyway.

Charusso updated this revision to Diff 214037.Aug 7 2019, 5:14 PM
Charusso marked 9 inline comments as done.
  • Make it usable with references.
  • Test references.
  • Better messages on simple cast<>.
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
51 ↗(On Diff #213952)

The problem with that I really want to use something like that:

auto &&[Check, Kind, MoreData] = *Lookup;

but I cannot. Until that time it equally non-readable and difficult to scale sadly. For now it is fine, but that C++17 feature would be more awesome.

231 ↗(On Diff #213952)

Hm, not bad. Thanks!

clang/test/Analysis/cast-value.cpp
186 ↗(On Diff #213952)

I believe it is better than the generic Assuming... piece.

Charusso updated this revision to Diff 214038.Aug 7 2019, 5:15 PM
  • Fix a comment.
Charusso updated this revision to Diff 214041.Aug 7 2019, 5:27 PM
  • May it is better to also check for getAsCXXRecordDecl() for obtaining a class.
Charusso updated this revision to Diff 214186.Aug 8 2019, 11:52 AM
  • The call as getAsCXXRecordDecl() sometimes run into an assertion failure, so we need to avoid it:
clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:333:
ExprEngine::createTemporaryRegionIfNeeded():
Assertion `!InitValWithAdjustments.getAs<Loc>() || Loc::isLocType(Result->getType()) || Result->getType()->isMemberPointerType()' failed.
NoQ added a comment.Aug 8 2019, 12:58 PM

Looking good now! I still recommend eventually adding tests with casts of references.

In D65889#1620128, @Charusso wrote:
  • May it is better to also check for getAsCXXRecordDecl() for obtaining a class.
In D65889#1621587, @Charusso wrote:
  • The call as getAsCXXRecordDecl() sometimes run into an assertion failure, so we need to avoid it

Well, yeah, i was just about to say "good thing that you don't do this because we really don't want to get into business of modeling return-by-value getAs calls such as SVal::getAs".

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
220 ↗(On Diff #214186)

What's the point of making this a raw pointer? (no pun intended)

26 ↗(On Diff #214038)

Please explain "Checking" and "Sugar". Checking what? Sugar... you mean syntactic sugar? For what?

51 ↗(On Diff #213952)

I think it turned out pretty pretty (no pun intended).

NoQ added inline comments.Aug 8 2019, 1:08 PM
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
94 ↗(On Diff #214186)

IsDynamicCast.

98 ↗(On Diff #214186)

More suggestions for the :-branch: "Hard cast" (a bit too jargon-y), "Safe cast", "Checked cast".

clang/test/Analysis/cast-value.cpp
156–167 ↗(On Diff #214186)

Mmm, wait a sec. That's a false positive. cast<> doesn't accept null pointers. We have cast_or_null for this.

Charusso updated this revision to Diff 214234.Aug 8 2019, 2:29 PM
Charusso marked 7 inline comments as done.
  • Added a test case for casting *to* a reference.
  • Better naming.
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
94 ↗(On Diff #214186)

It is not dyn_cast but simple cast. Because we have decided to use Checked for that cast, I believe IsCheckedCast the one.

98 ↗(On Diff #214186)

Well, let us pick Checked then as that is the proper definition for cast(), but that other sugar-based castAs() definition makes me mad.

220 ↗(On Diff #214186)

I just wanted to make it usable as it being used since the first review as (*Check) and emphasize it is not a given function-call but a pointer to one. If you think as a nude Check() it is fine, then I have no idea which is better and it is fine for me as well.

26 ↗(On Diff #214038)

I have no idea what devs mean by those names:

  • Checking kind:

The cast<> operator is a “checked cast” operation.
The dyn_cast<> operator is a “checking cast” operation.

from http://llvm.org/docs/ProgrammersManual.html#the-isa-cast-and-dyn-cast-templates

  • Sugar kind:

Member-template castAs<specific type>. Look through sugar for the underlying instance of <specific type>.
Member-template getAs<specific type>'. Look through sugar for an instance of <specific type>.

from https://clang.llvm.org/doxygen/classclang_1_1Type.html#a436b8b08ae7f2404b4712d37986194ce
and https://clang.llvm.org/doxygen/classclang_1_1Type.html#adae68e1f4c85ede2d36da45fbefc48a2

  • isa() would be Instance kind:

The isa<> operator works exactly like the Java “instanceof” operator.

from http://llvm.org/docs/ProgrammersManual.html#the-isa-cast-and-dyn-cast-templates

If you could imagine better names, please let me know. I have tried to use the definitions.

clang/test/Analysis/cast-value.cpp
156–167 ↗(On Diff #214186)

This Assuming pointer value is null note is very random. I believe it is not made by me and my code is fine, so I have printed a graph:

graph-print-dark.svg98 KBDownload

Do you see any problem?

NoQ accepted this revision.Aug 8 2019, 6:31 PM

Aha, ok!

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
26 ↗(On Diff #214038)

{ Function, Method }?

clang/test/Analysis/cast-value.cpp
156–167 ↗(On Diff #214186)

Whoops, sorry, i didn't notice the !. Seems fine.

Yeah, the note is broken. I have another interesting reproducer for a problem with the same note: https://bugs.llvm.org/show_bug.cgi?id=42938

This revision is now accepted and ready to land.Aug 8 2019, 6:31 PM
Charusso updated this revision to Diff 214277.Aug 8 2019, 7:02 PM
Charusso marked 6 inline comments as done.
  • Better naming.
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
26 ↗(On Diff #214038)

These are cool identifiers, thanks!

clang/test/Analysis/cast-value.cpp
156–167 ↗(On Diff #214186)

I will leave that not "Done" as FIXME: Broken notes.

Charusso added a parent revision: D64374: [analyzer] CastValueChecker: Model casts.Aug 8 2019, 7:04 PM

Thanks you for the review!

Closed by commit rL368383: [analyzer] CastValueChecker: Model castAs(), getAs() (authored by Charusso). · Explain WhyAug 8 2019, 7:25 PM
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. · View Herald TranscriptAug 8 2019, 7:25 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Charusso added a child revision: D66267: [analyzer] TrackConstraintBRVisitor: Do not track unknown values.Aug 14 2019, 5:48 PM

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Checkers/
252 lines
test/
Analysis/
120 lines

Diff 214284

cfe/trunk/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp

Show All 10 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "llvm/ADT/Optional.h" #include "llvm/ADT/Optional.h"
#include <utility>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class CastValueChecker : public Checker<eval::Call> { class CastValueChecker : public Checker<eval::Call> {
enum class CastKind { Function, Method };
using CastCheck = using CastCheck =
std::function<void(const CastValueChecker *, const CallExpr *, std::function<void(const CastValueChecker *, const CallExpr *,
DefinedOrUnknownSVal, CheckerContext &)>; DefinedOrUnknownSVal, CheckerContext &)>;
using CheckKindPair = std::pair<CastCheck, CastKind>;
public: public:
// We have three cases to evaluate a cast: // We have five cases to evaluate a cast:
// 1) The parameter is non-null, the return value is non-null // 1) The parameter is non-null, the return value is non-null
// 2) The parameter is non-null, the return value is null // 2) The parameter is non-null, the return value is null
// 3) The parameter is null, the return value is null // 3) The parameter is null, the return value is null
//
// cast: 1; dyn_cast: 1, 2; cast_or_null: 1, 3; dyn_cast_or_null: 1, 2, 3. // cast: 1; dyn_cast: 1, 2; cast_or_null: 1, 3; dyn_cast_or_null: 1, 2, 3.
//
// 4) castAs: has no parameter, the return value is non-null.
// 5) getAs: has no parameter, the return value is null or non-null.
bool evalCall(const CallEvent &Call, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
private: private:
// These are known in the LLVM project. // These are known in the LLVM project. The pairs are in the following form:
const CallDescriptionMap<CastCheck> CDM = { // {{{namespace, call}, argument-count}, {callback, kind}}
{{{"llvm", "cast"}, 1}, &CastValueChecker::evalCast}, const CallDescriptionMap<CheckKindPair> CDM = {
{{{"llvm", "dyn_cast"}, 1}, &CastValueChecker::evalDynCast}, {{{"llvm", "cast"}, 1},
{{{"llvm", "cast_or_null"}, 1}, &CastValueChecker::evalCastOrNull}, {&CastValueChecker::evalCast, CastKind::Function}},
{{{"llvm", "dyn_cast"}, 1},
{&CastValueChecker::evalDynCast, CastKind::Function}},
{{{"llvm", "cast_or_null"}, 1},
{&CastValueChecker::evalCastOrNull, CastKind::Function}},
{{{"llvm", "dyn_cast_or_null"}, 1}, {{{"llvm", "dyn_cast_or_null"}, 1},
&CastValueChecker::evalDynCastOrNull}}; {&CastValueChecker::evalDynCastOrNull, CastKind::Function}},
{{{"clang", "castAs"}, 0},
{&CastValueChecker::evalCastAs, CastKind::Method}},
{{{"clang", "getAs"}, 0},
{&CastValueChecker::evalGetAs, CastKind::Method}}};
void evalCast(const CallExpr *CE, DefinedOrUnknownSVal ParamDV, void evalCast(const CallExpr *CE, DefinedOrUnknownSVal DV,
CheckerContext &C) const; CheckerContext &C) const;
void evalDynCast(const CallExpr *CE, DefinedOrUnknownSVal ParamDV, void evalDynCast(const CallExpr *CE, DefinedOrUnknownSVal DV,
CheckerContext &C) const; CheckerContext &C) const;
void evalCastOrNull(const CallExpr *CE, DefinedOrUnknownSVal ParamDV, void evalCastOrNull(const CallExpr *CE, DefinedOrUnknownSVal DV,
CheckerContext &C) const; CheckerContext &C) const;
void evalDynCastOrNull(const CallExpr *CE, DefinedOrUnknownSVal ParamDV, void evalDynCastOrNull(const CallExpr *CE, DefinedOrUnknownSVal DV,
CheckerContext &C) const;
void evalCastAs(const CallExpr *CE, DefinedOrUnknownSVal DV,
CheckerContext &C) const;
void evalGetAs(const CallExpr *CE, DefinedOrUnknownSVal DV,
CheckerContext &C) const; CheckerContext &C) const;
}; };
} // namespace } // namespace
static std::string getCastName(const Expr *Cast) { static std::string getCastName(const Expr *Cast) {
return Cast->getType()->getPointeeCXXRecordDecl()->getNameAsString(); QualType Ty = Cast->getType();
if (const CXXRecordDecl *RD = Ty->getAsCXXRecordDecl())
return RD->getNameAsString();
return Ty->getPointeeCXXRecordDecl()->getNameAsString();
} }
static void evalNonNullParamNonNullReturn(const CallExpr *CE, static const NoteTag *getCastTag(bool IsNullReturn, const CallExpr *CE,
DefinedOrUnknownSVal ParamDV, CheckerContext &C,
CheckerContext &C) { bool IsCheckedCast = false) {
ProgramStateRef State = C.getState()->assume(ParamDV, true); Optional<std::string> CastFromName = (CE->getNumArgs() > 0)
if (!State) ? getCastName(CE->getArg(0))
return; : Optional<std::string>();
State = State->BindExpr(CE, C.getLocationContext(), ParamDV, false);
std::string CastFromName = getCastName(CE->getArg(0));
std::string CastToName = getCastName(CE); std::string CastToName = getCastName(CE);
const NoteTag *CastTag = C.getNoteTag( return C.getNoteTag(
[CastFromName, CastToName](BugReport &) -> std::string { [CastFromName, CastToName, IsNullReturn,
IsCheckedCast](BugReport &) -> std::string {
SmallString<128> Msg; SmallString<128> Msg;
llvm::raw_svector_ostream Out(Msg); llvm::raw_svector_ostream Out(Msg);
Out << "Assuming dynamic cast from '" << CastFromName << "' to '" Out << (!IsCheckedCast ? "Assuming dynamic cast " : "Checked cast ");
<< CastToName << "' succeeds"; if (CastFromName)
Out << "from '" << *CastFromName << "' ";
Out << "to '" << CastToName << "' "
<< (!IsNullReturn ? "succeeds" : "fails");
return Out.str(); return Out.str();
}, },
/*IsPrunable=*/true); /*IsPrunable=*/true);
C.addTransition(State, CastTag);
} }
static void evalNonNullParamNullReturn(const CallExpr *CE, static ProgramStateRef getState(bool IsNullReturn,
DefinedOrUnknownSVal ParamDV, DefinedOrUnknownSVal ReturnDV,
const CallExpr *CE, ProgramStateRef State,
CheckerContext &C) { CheckerContext &C) {
ProgramStateRef State = C.getState()->assume(ParamDV, true); return State->BindExpr(
if (!State) CE, C.getLocationContext(),
return; IsNullReturn ? C.getSValBuilder().makeNull() : ReturnDV, false);
}
State = State->BindExpr(CE, C.getLocationContext(),
C.getSValBuilder().makeNull(), false);
std::string CastFromName = getCastName(CE->getArg(0));
std::string CastToName = getCastName(CE);
const NoteTag *CastTag = C.getNoteTag(
[CastFromName, CastToName](BugReport &) -> std::string {
SmallString<128> Msg;
llvm::raw_svector_ostream Out(Msg);
Out << "Assuming dynamic cast from '" << CastFromName << "' to '" //===----------------------------------------------------------------------===//
<< CastToName << "' fails"; // Evaluating cast, dyn_cast, cast_or_null, dyn_cast_or_null.
return Out.str(); //===----------------------------------------------------------------------===//
},
/*IsPrunable=*/true);
C.addTransition(State, CastTag); static void evalNonNullParamNonNullReturn(const CallExpr *CE,
DefinedOrUnknownSVal DV,
CheckerContext &C,
bool IsCheckedCast = false) {
bool IsNullReturn = false;
if (ProgramStateRef State = C.getState()->assume(DV, true))
C.addTransition(getState(IsNullReturn, DV, CE, State, C),
getCastTag(IsNullReturn, CE, C, IsCheckedCast));
} }
static void evalNullParamNullReturn(const CallExpr *CE, static void evalNonNullParamNullReturn(const CallExpr *CE,
DefinedOrUnknownSVal ParamDV, DefinedOrUnknownSVal DV,
CheckerContext &C) { CheckerContext &C) {
ProgramStateRef State = C.getState()->assume(ParamDV, false); bool IsNullReturn = true;
if (!State) if (ProgramStateRef State = C.getState()->assume(DV, true))
return; C.addTransition(getState(IsNullReturn, DV, CE, State, C),
getCastTag(IsNullReturn, CE, C));
State = State->BindExpr(CE, C.getLocationContext(), }
C.getSValBuilder().makeNull(), false);
const NoteTag *CastTag = static void evalNullParamNullReturn(const CallExpr *CE, DefinedOrUnknownSVal DV,
CheckerContext &C) {
if (ProgramStateRef State = C.getState()->assume(DV, false))
C.addTransition(getState(/*IsNullReturn=*/true, DV, CE, State, C),
C.getNoteTag("Assuming null pointer is passed into cast", C.getNoteTag("Assuming null pointer is passed into cast",
/*IsPrunable=*/true); /*IsPrunable=*/true));
C.addTransition(State, CastTag);
} }
void CastValueChecker::evalCast(const CallExpr *CE, void CastValueChecker::evalCast(const CallExpr *CE, DefinedOrUnknownSVal DV,
DefinedOrUnknownSVal ParamDV,
CheckerContext &C) const { CheckerContext &C) const {
evalNonNullParamNonNullReturn(CE, ParamDV, C); evalNonNullParamNonNullReturn(CE, DV, C, /*IsCheckedCast=*/true);
} }
void CastValueChecker::evalDynCast(const CallExpr *CE, void CastValueChecker::evalDynCast(const CallExpr *CE, DefinedOrUnknownSVal DV,
DefinedOrUnknownSVal ParamDV,
CheckerContext &C) const { CheckerContext &C) const {
evalNonNullParamNonNullReturn(CE, ParamDV, C); evalNonNullParamNonNullReturn(CE, DV, C);
evalNonNullParamNullReturn(CE, ParamDV, C); evalNonNullParamNullReturn(CE, DV, C);
} }
void CastValueChecker::evalCastOrNull(const CallExpr *CE, void CastValueChecker::evalCastOrNull(const CallExpr *CE,
DefinedOrUnknownSVal ParamDV, DefinedOrUnknownSVal DV,
CheckerContext &C) const { CheckerContext &C) const {
evalNonNullParamNonNullReturn(CE, ParamDV, C); evalNonNullParamNonNullReturn(CE, DV, C);
evalNullParamNullReturn(CE, ParamDV, C); evalNullParamNullReturn(CE, DV, C);
} }
void CastValueChecker::evalDynCastOrNull(const CallExpr *CE, void CastValueChecker::evalDynCastOrNull(const CallExpr *CE,
DefinedOrUnknownSVal ParamDV, DefinedOrUnknownSVal DV,
CheckerContext &C) const { CheckerContext &C) const {
evalNonNullParamNonNullReturn(CE, ParamDV, C); evalNonNullParamNonNullReturn(CE, DV, C);
evalNonNullParamNullReturn(CE, ParamDV, C); evalNonNullParamNullReturn(CE, DV, C);
evalNullParamNullReturn(CE, ParamDV, C); evalNullParamNullReturn(CE, DV, C);
}
//===----------------------------------------------------------------------===//
// Evaluating castAs, getAs.
//===----------------------------------------------------------------------===//
static void evalZeroParamNonNullReturn(const CallExpr *CE,
DefinedOrUnknownSVal DV,
CheckerContext &C,
bool IsCheckedCast = false) {
bool IsNullReturn = false;
if (ProgramStateRef State = C.getState()->assume(DV, true))
C.addTransition(getState(IsNullReturn, DV, CE, C.getState(), C),
getCastTag(IsNullReturn, CE, C, IsCheckedCast));
}
static void evalZeroParamNullReturn(const CallExpr *CE, DefinedOrUnknownSVal DV,
CheckerContext &C) {
bool IsNullReturn = true;
if (ProgramStateRef State = C.getState()->assume(DV, true))
C.addTransition(getState(IsNullReturn, DV, CE, C.getState(), C),
getCastTag(IsNullReturn, CE, C));
}
void CastValueChecker::evalCastAs(const CallExpr *CE, DefinedOrUnknownSVal DV,
CheckerContext &C) const {
evalZeroParamNonNullReturn(CE, DV, C, /*IsCheckedCast=*/true);
}
void CastValueChecker::evalGetAs(const CallExpr *CE, DefinedOrUnknownSVal DV,
CheckerContext &C) const {
evalZeroParamNonNullReturn(CE, DV, C);
evalZeroParamNullReturn(CE, DV, C);
} }
bool CastValueChecker::evalCall(const CallEvent &Call, bool CastValueChecker::evalCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
const CastCheck *Check = CDM.lookup(Call); const auto *Lookup = CDM.lookup(Call);
if (!Check) if (!Lookup)
return false; return false;
// If we cannot obtain the call's class we cannot be sure how to model it.
QualType ResultTy = Call.getResultType();
if (!ResultTy->getPointeeCXXRecordDecl())
return false;
const CastCheck &Check = Lookup->first;
CastKind Kind = Lookup->second;
const auto *CE = cast<CallExpr>(Call.getOriginExpr()); const auto *CE = cast<CallExpr>(Call.getOriginExpr());
if (!CE) Optional<DefinedOrUnknownSVal> DV;
switch (Kind) {
case CastKind::Function: {
// If we cannot obtain the arg's class we cannot be sure how to model it.
QualType ArgTy = Call.parameters()[0]->getType();
if (!ArgTy->getAsCXXRecordDecl() && !ArgTy->getPointeeCXXRecordDecl())
return false; return false;
// If we cannot obtain both of the classes we cannot be sure how to model it. DV = Call.getArgSVal(0).getAs<DefinedOrUnknownSVal>();
if (!CE->getType()->getPointeeCXXRecordDecl() || break;
!CE->getArg(0)->getType()->getPointeeCXXRecordDecl()) }
case CastKind::Method:
// If we cannot obtain the 'InstanceCall' we cannot be sure how to model it.
const auto *InstanceCall = dyn_cast<CXXInstanceCall>(&Call);
if (!InstanceCall)
return false; return false;
SVal ParamV = Call.getArgSVal(0); DV = InstanceCall->getCXXThisVal().getAs<DefinedOrUnknownSVal>();
auto ParamDV = ParamV.getAs<DefinedOrUnknownSVal>(); break;
if (!ParamDV) }
if (!DV)
return false; return false;
(*Check)(this, CE, *ParamDV, C); Check(this, CE, *DV, C);
return true; return true;
} }
void ento::registerCastValueChecker(CheckerManager &Mgr) { void ento::registerCastValueChecker(CheckerManager &Mgr) {
Mgr.registerChecker<CastValueChecker>(); Mgr.registerChecker<CastValueChecker>();
} }
bool ento::shouldRegisterCastValueChecker(const LangOptions &LO) { bool ento::shouldRegisterCastValueChecker(const LangOptions &LO) {
return true; return true;
} }

cfe/trunk/test/Analysis/cast-value.cpp

// RUN: %clang_analyze_cc1 \ // RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection\ // RUN: -analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection\
// RUN: -verify=logic %s // RUN: -verify=logic %s
// RUN: %clang_analyze_cc1 \ // RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,apiModeling.llvm.CastValue \ // RUN: -analyzer-checker=core,apiModeling.llvm.CastValue \
// RUN: -analyzer-output=text -verify %s // RUN: -analyzer-output=text -verify %s
void clang_analyzer_numTimesReached(); void clang_analyzer_numTimesReached();
void clang_analyzer_warnIfReached(); void clang_analyzer_warnIfReached();
void clang_analyzer_eval(bool); void clang_analyzer_eval(bool);
namespace llvm { namespace llvm {
template <class X, class Y> template <class X, class Y>
const X *cast(Y Value); const X *cast(Y Value);
template <class X, class Y> template <class X, class Y>
const X *dyn_cast(Y Value); const X *dyn_cast(Y *Value);
template <class X, class Y>
const X &dyn_cast(Y &Value);
template <class X, class Y> template <class X, class Y>
const X *cast_or_null(Y Value); const X *cast_or_null(Y Value);
template <class X, class Y> template <class X, class Y>
const X *dyn_cast_or_null(Y Value); const X *dyn_cast_or_null(Y *Value);
template <class X, class Y>
const X *dyn_cast_or_null(Y &Value);
} // namespace llvm } // namespace llvm
using namespace llvm; namespace clang {
struct Shape {
class Shape {}; template <typename T>
const T *castAs() const;
template <typename T>
const T *getAs() const;
};
class Triangle : public Shape {}; class Triangle : public Shape {};
class Circle : public Shape {}; class Circle : public Shape {};
} // namespace clang
using namespace llvm;
using namespace clang;
namespace test_cast { namespace test_cast {
void evalLogic(const Shape *S) { void evalLogic(const Shape *S) {
const Circle *C = cast<Circle>(S); const Circle *C = cast<Circle>(S);
clang_analyzer_numTimesReached(); // logic-warning {{1}} clang_analyzer_numTimesReached(); // logic-warning {{1}}
if (S && C) if (S && C)
clang_analyzer_eval(C == S); // logic-warning {{TRUE}} clang_analyzer_eval(C == S); // logic-warning {{TRUE}}
▲ Show 20 LinesShow All 47 Lines▼ Show 20 Lines if (S && C)
clang_analyzer_eval(C == S); // logic-warning {{TRUE}} clang_analyzer_eval(C == S); // logic-warning {{TRUE}}
if (S && !C) if (S && !C)
clang_analyzer_warnIfReached(); // logic-warning {{REACHABLE}} clang_analyzer_warnIfReached(); // logic-warning {{REACHABLE}}
if (!S) if (!S)
clang_analyzer_eval(!C); // logic-warning {{TRUE}} clang_analyzer_eval(!C); // logic-warning {{TRUE}}
} }
} // namespace test_dyn_cast_or_null
void evalNonNullParamNonNullReturn(const Shape *S) { namespace test_cast_as {
void evalLogic(const Shape *S) {
const Circle *C = S->castAs<Circle>();
clang_analyzer_numTimesReached(); // logic-warning {{1}}
if (S && C)
clang_analyzer_eval(C == S);
// logic-warning@-1 {{TRUE}}
if (S && !C)
clang_analyzer_warnIfReached(); // no-warning
if (!S)
clang_analyzer_warnIfReached(); // no-warning
}
} // namespace test_cast_as
namespace test_get_as {
void evalLogic(const Shape *S) {
const Circle *C = S->getAs<Circle>();
clang_analyzer_numTimesReached(); // logic-warning {{2}}
if (S && C)
clang_analyzer_eval(C == S);
// logic-warning@-1 {{TRUE}}
if (S && !C)
clang_analyzer_warnIfReached(); // logic-warning {{REACHABLE}}
if (!S)
clang_analyzer_warnIfReached(); // no-warning
}
} // namespace test_get_as
namespace test_notes {
void evalReferences(const Shape &S) {
const auto &C = dyn_cast<Circle>(S);
// expected-note@-1 {{Assuming dynamic cast from 'Shape' to 'Circle' fails}}
// expected-note@-2 {{Dereference of null pointer}}
// expected-warning@-3 {{Dereference of null pointer}}
// logic-warning@-4 {{Dereference of null pointer}}
}
void evalNonNullParamNonNullReturnReference(const Shape &S) {
const auto *C = dyn_cast_or_null<Circle>(S); const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming dynamic cast from 'Shape' to 'Circle' succeeds}} // expected-note@-1 {{Assuming dynamic cast from 'Shape' to 'Circle' succeeds}}
// expected-note@-2 {{Assuming pointer value is null}} // expected-note@-2 {{Assuming pointer value is null}}
// expected-note@-3 {{'C' initialized here}} // expected-note@-3 {{'C' initialized here}}
(void)(1 / !(bool)C); (void)(1 / !(bool)C);
// expected-note@-1 {{'C' is non-null}} // expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}} // expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}} // expected-warning@-3 {{Division by zero}}
// logic-warning@-4 {{Division by zero}} // logic-warning@-4 {{Division by zero}}
} }
void evalNonNullParamNonNullReturn(const Shape *S) {
const auto *C = cast<Circle>(S);
// expected-note@-1 {{Checked cast from 'Shape' to 'Circle' succeeds}}
// expected-note@-2 {{Assuming pointer value is null}}
// expected-note@-3 {{'C' initialized here}}
(void)(1 / !(bool)C);
// expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}
// logic-warning@-4 {{Division by zero}}
}
void evalNonNullParamNullReturn(const Shape *S) { void evalNonNullParamNullReturn(const Shape *S) {
const auto *C = dyn_cast_or_null<Circle>(S); const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming dynamic cast from 'Shape' to 'Circle' fails}} // expected-note@-1 {{Assuming dynamic cast from 'Shape' to 'Circle' fails}}
// expected-note@-2 {{Assuming pointer value is null}} // expected-note@-2 {{Assuming pointer value is null}}
if (const auto *T = dyn_cast_or_null<Triangle>(S)) { if (const auto *T = dyn_cast_or_null<Triangle>(S)) {
// expected-note@-1 {{Assuming dynamic cast from 'Shape' to 'Triangle' succeeds}} // expected-note@-1 {{Assuming dynamic cast from 'Shape' to 'Triangle' succeeds}}
// expected-note@-2 {{'T' initialized here}} // expected-note@-2 {{'T' initialized here}}
Show All 13 Linesvoid evalNullParamNullReturn(const Shape *S) {
// expected-note@-1 {{Assuming null pointer is passed into cast}} // expected-note@-1 {{Assuming null pointer is passed into cast}}
// expected-note@-2 {{'C' initialized to a null pointer value}} // expected-note@-2 {{'C' initialized to a null pointer value}}
(void)(1 / (bool)C); (void)(1 / (bool)C);
// expected-note@-1 {{Division by zero}} // expected-note@-1 {{Division by zero}}
// expected-warning@-2 {{Division by zero}} // expected-warning@-2 {{Division by zero}}
// logic-warning@-3 {{Division by zero}} // logic-warning@-3 {{Division by zero}}
} }
} // namespace test_dyn_cast_or_null
void evalZeroParamNonNullReturnPointer(const Shape *S) {
const auto *C = S->castAs<Circle>();
// expected-note@-1 {{Assuming pointer value is null}}
// expected-note@-2 {{Checked cast to 'Circle' succeeds}}
// expected-note@-3 {{'C' initialized here}}
(void)(1 / !(bool)C);
// expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}
// logic-warning@-4 {{Division by zero}}
}
void evalZeroParamNonNullReturn(const Shape &S) {
const auto *C = S.castAs<Circle>();
// expected-note@-1 {{Checked cast to 'Circle' succeeds}}
// expected-note@-2 {{'C' initialized here}}
(void)(1 / !(bool)C);
// expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}
// logic-warning@-4 {{Division by zero}}
}
void evalZeroParamNullReturn(const Shape &S) {
const auto *C = S.getAs<Circle>();
// expected-note@-1 {{Assuming dynamic cast to 'Circle' fails}}
// expected-note@-2 {{'C' initialized to a null pointer value}}
(void)(1 / (bool)C);
// expected-note@-1 {{Division by zero}}
// expected-warning@-2 {{Division by zero}}
// logic-warning@-3 {{Division by zero}}
}
} // namespace test_notes