Index: clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp =================================================================== --- clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp +++ clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp @@ -16,168 +16,238 @@ #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "llvm/ADT/Optional.h" +#include <utility> using namespace clang; using namespace ento; namespace { class CastValueChecker : public Checker<eval::Call> { + enum class CastKind { Checking, Sugar }; + using CastCheck = std::function<void(const CastValueChecker *, const CallExpr *, DefinedOrUnknownSVal, CheckerContext &)>; + using CheckKindPair = std::pair<CastCheck, CastKind>; + public: - // We have three cases to evaluate a cast: + // We have five cases to evaluate a cast: // 1) The parameter is non-null, the return value is non-null // 2) The parameter is non-null, the return value is null // 3) The parameter is null, the return value is null - // // cast: 1; dyn_cast: 1, 2; cast_or_null: 1, 3; dyn_cast_or_null: 1, 2, 3. + // + // 4) castAs: has no parameter, the return value is non-null. + // 5) getAs: has no parameter, the return value is null or non-null. bool evalCall(const CallEvent &Call, CheckerContext &C) const; private: - // These are known in the LLVM project. - const CallDescriptionMap<CastCheck> CDM = { - {{{"llvm", "cast"}, 1}, &CastValueChecker::evalCast}, - {{{"llvm", "dyn_cast"}, 1}, &CastValueChecker::evalDynCast}, - {{{"llvm", "cast_or_null"}, 1}, &CastValueChecker::evalCastOrNull}, + // These are known in the LLVM project. The pairs are in the following form: + // {{{namespace, call}, argument-count}, {callback, kind}} + const CallDescriptionMap<CheckKindPair> CDM = { + {{{"llvm", "cast"}, 1}, + {&CastValueChecker::evalCast, CastKind::Checking}}, + {{{"llvm", "dyn_cast"}, 1}, + {&CastValueChecker::evalDynCast, CastKind::Checking}}, + {{{"llvm", "cast_or_null"}, 1}, + {&CastValueChecker::evalCastOrNull, CastKind::Checking}}, {{{"llvm", "dyn_cast_or_null"}, 1}, - &CastValueChecker::evalDynCastOrNull}}; + {&CastValueChecker::evalDynCastOrNull, CastKind::Checking}}, + {{{"clang", "castAs"}, 0}, + {&CastValueChecker::evalCastAs, CastKind::Sugar}}, + {{{"clang", "getAs"}, 0}, + {&CastValueChecker::evalGetAs, CastKind::Sugar}}}; - void evalCast(const CallExpr *CE, DefinedOrUnknownSVal ParamDV, + void evalCast(const CallExpr *CE, DefinedOrUnknownSVal DV, CheckerContext &C) const; - void evalDynCast(const CallExpr *CE, DefinedOrUnknownSVal ParamDV, + void evalDynCast(const CallExpr *CE, DefinedOrUnknownSVal DV, CheckerContext &C) const; - void evalCastOrNull(const CallExpr *CE, DefinedOrUnknownSVal ParamDV, + void evalCastOrNull(const CallExpr *CE, DefinedOrUnknownSVal DV, CheckerContext &C) const; - void evalDynCastOrNull(const CallExpr *CE, DefinedOrUnknownSVal ParamDV, + void evalDynCastOrNull(const CallExpr *CE, DefinedOrUnknownSVal DV, CheckerContext &C) const; + void evalCastAs(const CallExpr *CE, DefinedOrUnknownSVal DV, + CheckerContext &C) const; + void evalGetAs(const CallExpr *CE, DefinedOrUnknownSVal DV, + CheckerContext &C) const; }; } // namespace static std::string getCastName(const Expr *Cast) { - return Cast->getType()->getPointeeCXXRecordDecl()->getNameAsString(); -} - -static void evalNonNullParamNonNullReturn(const CallExpr *CE, - DefinedOrUnknownSVal ParamDV, - CheckerContext &C) { - ProgramStateRef State = C.getState()->assume(ParamDV, true); - if (!State) - return; + QualType Ty = Cast->getType(); + if (const CXXRecordDecl *RD = Ty->getAsCXXRecordDecl()) + return RD->getNameAsString(); - State = State->BindExpr(CE, C.getLocationContext(), ParamDV, false); + return Ty->getPointeeCXXRecordDecl()->getNameAsString(); +} - std::string CastFromName = getCastName(CE->getArg(0)); +static const NoteTag *getCastTag(bool IsNullReturn, const CallExpr *CE, + CheckerContext &C, + bool IsCheckedCast = false) { + Optional<std::string> CastFromName = (CE->getNumArgs() > 0) + ? getCastName(CE->getArg(0)) + : Optional<std::string>(); std::string CastToName = getCastName(CE); - const NoteTag *CastTag = C.getNoteTag( - [CastFromName, CastToName](BugReport &) -> std::string { + return C.getNoteTag( + [CastFromName, CastToName, IsNullReturn, + IsCheckedCast](BugReport &) -> std::string { SmallString<128> Msg; llvm::raw_svector_ostream Out(Msg); - Out << "Assuming dynamic cast from '" << CastFromName << "' to '" - << CastToName << "' succeeds"; - return Out.str(); - }, - /*IsPrunable=*/true); + Out << (!IsCheckedCast ? "Assuming dynamic cast " : "Checked cast "); + if (CastFromName) + Out << "from '" << *CastFromName << "' "; - C.addTransition(State, CastTag); -} + Out << "to '" << CastToName << "' " + << (!IsNullReturn ? "succeeds" : "fails"); -static void evalNonNullParamNullReturn(const CallExpr *CE, - DefinedOrUnknownSVal ParamDV, - CheckerContext &C) { - ProgramStateRef State = C.getState()->assume(ParamDV, true); - if (!State) - return; - - State = State->BindExpr(CE, C.getLocationContext(), - C.getSValBuilder().makeNull(), false); - - std::string CastFromName = getCastName(CE->getArg(0)); - std::string CastToName = getCastName(CE); - - const NoteTag *CastTag = C.getNoteTag( - [CastFromName, CastToName](BugReport &) -> std::string { - SmallString<128> Msg; - llvm::raw_svector_ostream Out(Msg); - - Out << "Assuming dynamic cast from '" << CastFromName << "' to '" - << CastToName << "' fails"; return Out.str(); }, /*IsPrunable=*/true); +} - C.addTransition(State, CastTag); +static ProgramStateRef getState(bool IsNullReturn, + DefinedOrUnknownSVal ReturnDV, + const CallExpr *CE, ProgramStateRef State, + CheckerContext &C) { + return State->BindExpr( + CE, C.getLocationContext(), + IsNullReturn ? C.getSValBuilder().makeNull() : ReturnDV, false); } -static void evalNullParamNullReturn(const CallExpr *CE, - DefinedOrUnknownSVal ParamDV, - CheckerContext &C) { - ProgramStateRef State = C.getState()->assume(ParamDV, false); - if (!State) - return; +//===----------------------------------------------------------------------===// +// Evaluating cast, dyn_cast, cast_or_null, dyn_cast_or_null. +//===----------------------------------------------------------------------===// - State = State->BindExpr(CE, C.getLocationContext(), - C.getSValBuilder().makeNull(), false); +static void evalNonNullParamNonNullReturn(const CallExpr *CE, + DefinedOrUnknownSVal DV, + CheckerContext &C, + bool IsCheckedCast = false) { + bool IsNullReturn = false; + if (ProgramStateRef State = C.getState()->assume(DV, true)) + C.addTransition(getState(IsNullReturn, DV, CE, State, C), + getCastTag(IsNullReturn, CE, C, IsCheckedCast)); +} - const NoteTag *CastTag = - C.getNoteTag("Assuming null pointer is passed into cast", - /*IsPrunable=*/true); +static void evalNonNullParamNullReturn(const CallExpr *CE, + DefinedOrUnknownSVal DV, + CheckerContext &C) { + bool IsNullReturn = true; + if (ProgramStateRef State = C.getState()->assume(DV, true)) + C.addTransition(getState(IsNullReturn, DV, CE, State, C), + getCastTag(IsNullReturn, CE, C)); +} - C.addTransition(State, CastTag); +static void evalNullParamNullReturn(const CallExpr *CE, DefinedOrUnknownSVal DV, + CheckerContext &C) { + if (ProgramStateRef State = C.getState()->assume(DV, false)) + C.addTransition(getState(/*IsNullReturn=*/true, DV, CE, State, C), + C.getNoteTag("Assuming null pointer is passed into cast", + /*IsPrunable=*/true)); } -void CastValueChecker::evalCast(const CallExpr *CE, - DefinedOrUnknownSVal ParamDV, +void CastValueChecker::evalCast(const CallExpr *CE, DefinedOrUnknownSVal DV, CheckerContext &C) const { - evalNonNullParamNonNullReturn(CE, ParamDV, C); + evalNonNullParamNonNullReturn(CE, DV, C, /*IsCheckedCast=*/true); } -void CastValueChecker::evalDynCast(const CallExpr *CE, - DefinedOrUnknownSVal ParamDV, +void CastValueChecker::evalDynCast(const CallExpr *CE, DefinedOrUnknownSVal DV, CheckerContext &C) const { - evalNonNullParamNonNullReturn(CE, ParamDV, C); - evalNonNullParamNullReturn(CE, ParamDV, C); + evalNonNullParamNonNullReturn(CE, DV, C); + evalNonNullParamNullReturn(CE, DV, C); } void CastValueChecker::evalCastOrNull(const CallExpr *CE, - DefinedOrUnknownSVal ParamDV, + DefinedOrUnknownSVal DV, CheckerContext &C) const { - evalNonNullParamNonNullReturn(CE, ParamDV, C); - evalNullParamNullReturn(CE, ParamDV, C); + evalNonNullParamNonNullReturn(CE, DV, C); + evalNullParamNullReturn(CE, DV, C); } void CastValueChecker::evalDynCastOrNull(const CallExpr *CE, - DefinedOrUnknownSVal ParamDV, + DefinedOrUnknownSVal DV, CheckerContext &C) const { - evalNonNullParamNonNullReturn(CE, ParamDV, C); - evalNonNullParamNullReturn(CE, ParamDV, C); - evalNullParamNullReturn(CE, ParamDV, C); + evalNonNullParamNonNullReturn(CE, DV, C); + evalNonNullParamNullReturn(CE, DV, C); + evalNullParamNullReturn(CE, DV, C); +} + +//===----------------------------------------------------------------------===// +// Evaluating castAs, getAs. +//===----------------------------------------------------------------------===// + +static void evalZeroParamNonNullReturn(const CallExpr *CE, + DefinedOrUnknownSVal DV, + CheckerContext &C, + bool IsCheckedCast = false) { + bool IsNullReturn = false; + if (ProgramStateRef State = C.getState()->assume(DV, true)) + C.addTransition(getState(IsNullReturn, DV, CE, C.getState(), C), + getCastTag(IsNullReturn, CE, C, IsCheckedCast)); +} + +static void evalZeroParamNullReturn(const CallExpr *CE, DefinedOrUnknownSVal DV, + CheckerContext &C) { + bool IsNullReturn = true; + if (ProgramStateRef State = C.getState()->assume(DV, true)) + C.addTransition(getState(IsNullReturn, DV, CE, C.getState(), C), + getCastTag(IsNullReturn, CE, C)); +} + +void CastValueChecker::evalCastAs(const CallExpr *CE, DefinedOrUnknownSVal DV, + CheckerContext &C) const { + evalZeroParamNonNullReturn(CE, DV, C, /*IsCheckedCast=*/true); +} + +void CastValueChecker::evalGetAs(const CallExpr *CE, DefinedOrUnknownSVal DV, + CheckerContext &C) const { + evalZeroParamNonNullReturn(CE, DV, C); + evalZeroParamNullReturn(CE, DV, C); } bool CastValueChecker::evalCall(const CallEvent &Call, CheckerContext &C) const { - const CastCheck *Check = CDM.lookup(Call); - if (!Check) + const auto *Lookup = CDM.lookup(Call); + if (!Lookup) return false; - const auto *CE = cast<CallExpr>(Call.getOriginExpr()); - if (!CE) + // If we cannot obtain the call's class we cannot be sure how to model it. + QualType ResultTy = Call.getResultType(); + if (!ResultTy->getPointeeCXXRecordDecl()) return false; - // If we cannot obtain both of the classes we cannot be sure how to model it. - if (!CE->getType()->getPointeeCXXRecordDecl() || - !CE->getArg(0)->getType()->getPointeeCXXRecordDecl()) - return false; + const CastCheck &Check = Lookup->first; + CastKind Kind = Lookup->second; - SVal ParamV = Call.getArgSVal(0); - auto ParamDV = ParamV.getAs<DefinedOrUnknownSVal>(); - if (!ParamDV) + const auto *CE = cast<CallExpr>(Call.getOriginExpr()); + Optional<DefinedOrUnknownSVal> DV; + + switch (Kind) { + case CastKind::Checking: { + // If we cannot obtain the arg's class we cannot be sure how to model it. + QualType ArgTy = Call.parameters()[0]->getType(); + if (!ArgTy->getAsCXXRecordDecl() && !ArgTy->getPointeeCXXRecordDecl()) + return false; + + DV = Call.getArgSVal(0).getAs<DefinedOrUnknownSVal>(); + break; + } + case CastKind::Sugar: + // If we cannot obtain the 'InstanceCall' we cannot be sure how to model it. + const auto *InstanceCall = dyn_cast<CXXInstanceCall>(&Call); + if (!InstanceCall) + return false; + + DV = InstanceCall->getCXXThisVal().getAs<DefinedOrUnknownSVal>(); + break; + } + + if (!DV) return false; - (*Check)(this, CE, *ParamDV, C); + Check(this, CE, *DV, C); return true; } Index: clang/test/Analysis/cast-value.cpp =================================================================== --- clang/test/Analysis/cast-value.cpp +++ clang/test/Analysis/cast-value.cpp @@ -14,20 +14,33 @@ const X *cast(Y Value); template <class X, class Y> -const X *dyn_cast(Y Value); +const X *dyn_cast(Y *Value); +template <class X, class Y> +const X &dyn_cast(Y &Value); template <class X, class Y> const X *cast_or_null(Y Value); template <class X, class Y> -const X *dyn_cast_or_null(Y Value); +const X *dyn_cast_or_null(Y *Value); +template <class X, class Y> +const X *dyn_cast_or_null(Y &Value); } // namespace llvm -using namespace llvm; +namespace clang { +struct Shape { + template <typename T> + const T *castAs() const; -class Shape {}; + template <typename T> + const T *getAs() const; +}; class Triangle : public Shape {}; class Circle : public Shape {}; +} // namespace clang + +using namespace llvm; +using namespace clang; namespace test_cast { void evalLogic(const Shape *S) { @@ -91,8 +104,52 @@ if (!S) clang_analyzer_eval(!C); // logic-warning {{TRUE}} } +} // namespace test_dyn_cast_or_null -void evalNonNullParamNonNullReturn(const Shape *S) { +namespace test_cast_as { +void evalLogic(const Shape *S) { + const Circle *C = S->castAs<Circle>(); + clang_analyzer_numTimesReached(); // logic-warning {{1}} + + if (S && C) + clang_analyzer_eval(C == S); + // logic-warning@-1 {{TRUE}} + + if (S && !C) + clang_analyzer_warnIfReached(); // no-warning + + if (!S) + clang_analyzer_warnIfReached(); // no-warning +} +} // namespace test_cast_as + +namespace test_get_as { +void evalLogic(const Shape *S) { + const Circle *C = S->getAs<Circle>(); + clang_analyzer_numTimesReached(); // logic-warning {{2}} + + if (S && C) + clang_analyzer_eval(C == S); + // logic-warning@-1 {{TRUE}} + + if (S && !C) + clang_analyzer_warnIfReached(); // logic-warning {{REACHABLE}} + + if (!S) + clang_analyzer_warnIfReached(); // no-warning +} +} // namespace test_get_as + +namespace test_notes { +void evalReferences(const Shape &S) { + const auto &C = dyn_cast<Circle>(S); + // expected-note@-1 {{Assuming dynamic cast from 'Shape' to 'Circle' fails}} + // expected-note@-2 {{Dereference of null pointer}} + // expected-warning@-3 {{Dereference of null pointer}} + // logic-warning@-4 {{Dereference of null pointer}} +} + +void evalNonNullParamNonNullReturnReference(const Shape &S) { const auto *C = dyn_cast_or_null<Circle>(S); // expected-note@-1 {{Assuming dynamic cast from 'Shape' to 'Circle' succeeds}} // expected-note@-2 {{Assuming pointer value is null}} @@ -105,6 +162,19 @@ // logic-warning@-4 {{Division by zero}} } +void evalNonNullParamNonNullReturn(const Shape *S) { + const auto *C = cast<Circle>(S); + // expected-note@-1 {{Checked cast from 'Shape' to 'Circle' succeeds}} + // expected-note@-2 {{Assuming pointer value is null}} + // expected-note@-3 {{'C' initialized here}} + + (void)(1 / !(bool)C); + // expected-note@-1 {{'C' is non-null}} + // expected-note@-2 {{Division by zero}} + // expected-warning@-3 {{Division by zero}} + // logic-warning@-4 {{Division by zero}} +} + void evalNonNullParamNullReturn(const Shape *S) { const auto *C = dyn_cast_or_null<Circle>(S); // expected-note@-1 {{Assuming dynamic cast from 'Shape' to 'Circle' fails}} @@ -134,4 +204,40 @@ // expected-warning@-2 {{Division by zero}} // logic-warning@-3 {{Division by zero}} } -} // namespace test_dyn_cast_or_null + +void evalZeroParamNonNullReturnPointer(const Shape *S) { + const auto *C = S->castAs<Circle>(); + // expected-note@-1 {{Assuming pointer value is null}} + // expected-note@-2 {{Checked cast to 'Circle' succeeds}} + // expected-note@-3 {{'C' initialized here}} + + (void)(1 / !(bool)C); + // expected-note@-1 {{'C' is non-null}} + // expected-note@-2 {{Division by zero}} + // expected-warning@-3 {{Division by zero}} + // logic-warning@-4 {{Division by zero}} +} + +void evalZeroParamNonNullReturn(const Shape &S) { + const auto *C = S.castAs<Circle>(); + // expected-note@-1 {{Checked cast to 'Circle' succeeds}} + // expected-note@-2 {{'C' initialized here}} + + (void)(1 / !(bool)C); + // expected-note@-1 {{'C' is non-null}} + // expected-note@-2 {{Division by zero}} + // expected-warning@-3 {{Division by zero}} + // logic-warning@-4 {{Division by zero}} +} + +void evalZeroParamNullReturn(const Shape &S) { + const auto *C = S.getAs<Circle>(); + // expected-note@-1 {{Assuming dynamic cast to 'Circle' fails}} + // expected-note@-2 {{'C' initialized to a null pointer value}} + + (void)(1 / (bool)C); + // expected-note@-1 {{Division by zero}} + // expected-warning@-2 {{Division by zero}} + // logic-warning@-3 {{Division by zero}} +} +} // namespace test_notes