This is an archive of the discontinued LLVM Phabricator instance.

Differential D69540

[analyzer] DynamicSize: Remove 'getExtent()' from regions
ClosedPublic

Authored by Charusso on Oct 28 2019, 5:43 PM.

Details

Reviewers
NoQ
Commits
rG601687bf731a: [analyzer] DynamicSize: Remove 'getExtent()' from regions
Summary

This patch introduces a placeholder for representing the dynamic size of
regions. It also moves the getExtent() method of SubRegions to the
MemRegionManager as getStaticSize().

Diff Detail

Event Timeline

Charusso created this revision.Oct 28 2019, 5:43 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 7 others. · View Herald TranscriptOct 28 2019, 5:43 PM
Charusso marked 3 inline comments as done.Oct 28 2019, 5:51 PM
Charusso added inline comments.
clang/lib/StaticAnalyzer/Core/RegionStore.cpp
880

That is why the static size information needs to be obtainable by a manager, which seems like a design problem from the very beginning.

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
158

That is the breaking test's code, which is super wonky. I cannot understand what is the rational behind this concept.

clang/test/Analysis/weak-functions.c
10

I have literally copy-pasted the implementation of getExtent(), so I could not figured out why this test has been changed.

NoQ added inline comments.Oct 29 2019, 4:45 PM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
1253–1255

This looks like a layering violation to me. It's not super important, but i'd rather not have MemRegion depend on SValBuilder.

Can we have getStaticSize() be a method on SValBuilder instead? Or simply a standalone static function in DynamicSize.cpp? 'Cause ideally it shouldn't be called directly.

clang/lib/StaticAnalyzer/Checkers/BuiltinFunctionChecker.cpp
95–99

As the next obvious step for the next patch, i suggest replacing evalEQ() with some sort of setDynamicSize() here.

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
1074

And here.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1413

And here.

1547

And here.

clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp
176

And here.

clang/lib/StaticAnalyzer/Core/DynamicSize.cpp
29–30

For now the map is always empty, right? Maybe we should remove the map until we actually add a setter.

clang/lib/StaticAnalyzer/Core/MemRegion.cpp
692–693

This code doesn't make much sense; it'll return a pointer size, which has nothing to do with the size of the region.

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
158

Your new code would return a concrete integer here:

case MemRegion::FunctionCodeRegionKind: {
  QualType Ty = cast<TypedRegion>(SR)->getDesugaredLocationType(Ctx);
  return getTypeSize(Ty, Ctx, SVB);
}

Previously it was a symbol.

That said, the original code looks like a super gross hack: they used an extent symbol not because they actually needed an extent, but because they didn't have a better symbol to use :/ I guess you should just keep the extent symbol for now :/

Charusso updated this revision to Diff 227006.Oct 29 2019, 6:12 PM
Charusso marked 12 inline comments as done.
  • Fix.
  • Added a FIXME about the missing symbol of BlockDataRegion, BlockCodeRegion and FunctionCodeRegion.
Charusso added a comment.Oct 29 2019, 6:12 PM

Thanks for the review! I am not sure why but after your review I always see the most appropriate design immediately.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
1253–1255

Hm, in my game-dev world every manager knows about every manager, so I felt that it needs to work. I like the idea behind the directness and hiding the implementation, but I believe the MemRegionManager should manage its stuff. Also we are lucky, because the SValBuilder is available everywhere with a tiny stress on the API.

clang/lib/StaticAnalyzer/Checkers/BuiltinFunctionChecker.cpp
95–99

Okay, good idea, thanks! I want to eliminate getSizeInElements as well.

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
158

I see, that was really missing, whoops. Thanks!

NoQ added inline comments.Oct 29 2019, 6:20 PM
clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
158

Let's keep the hack here, not move it to the region manager. I.e., please create SymbolExtent here directly and then separately keep creating it in getStaticSize(). I.e., don't reuse the code when it isn't supposed to behave identically, even if right now it accidentally does behave identically.

Charusso updated this revision to Diff 227013.Oct 29 2019, 6:29 PM
Charusso marked 2 inline comments as done.
  • Unpack the issue-solving about code regions.
clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
158

Ah, yes, it makes sense. In my mind they are connecting even in fixing them.

Charusso added a child revision: D69599: [analyzer] DynamicSize: Remove 'getSizeInElements()' from store.Oct 29 2019, 6:43 PM
NoQ accepted this revision.Nov 1 2019, 3:09 PM

Fantastic, let's land this!

This revision is now accepted and ready to land.Nov 1 2019, 3:09 PM
Charusso added a comment.Nov 1 2019, 3:36 PM

Thanks!

Closed by commit rG601687bf731a: [analyzer] DynamicSize: Remove 'getExtent()' from regions (authored by Charusso). · Explain WhyJan 30 2020, 7:08 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
30 lines
72 lines
5 lines
lib/
StaticAnalyzer/
Checkers/
20 lines
13 lines
21 lines
13 lines
6 lines
MPI-Checker/
4 lines
20 lines
12 lines
Core/
2 lines
1 line
36 lines
133 lines
5 lines
2 lines
2 lines
test/
Analysis/
12 lines

Diff 226795

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h

  • This file was added.
//===- DynamicSize.h - Dynamic size related APIs ----------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines APIs that track and query dynamic size information.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
namespace clang {
namespace ento {
/// Get the stored dynamic size for the region \p MR.
DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR);
} // namespace ento
} // namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h

Show First 20 LinesShow All 50 Lines▼ Show 20 Lines
namespace ento { namespace ento {
class CodeTextRegion; class CodeTextRegion;
class MemRegion; class MemRegion;
class MemRegionManager; class MemRegionManager;
class MemSpaceRegion; class MemSpaceRegion;
class SValBuilder; class SValBuilder;
class SymbolicRegion; class SymbolicRegion;
class SymbolManager;
class VarRegion; class VarRegion;
/// Represent a region's offset within the top level base region. /// Represent a region's offset within the top level base region.
class RegionOffset { class RegionOffset {
/// The base region. /// The base region.
const MemRegion *R = nullptr; const MemRegion *R = nullptr;
/// The bit offset within the base region. Can be negative. /// The bit offset within the base region. Can be negative.
Show All 40 Linesprotected:
MemRegion(Kind k) : kind(k) {} MemRegion(Kind k) : kind(k) {}
virtual ~MemRegion(); virtual ~MemRegion();
public: public:
ASTContext &getContext() const; ASTContext &getContext() const;
virtual void Profile(llvm::FoldingSetNodeID& ID) const = 0; virtual void Profile(llvm::FoldingSetNodeID& ID) const = 0;
virtual MemRegionManager* getMemRegionManager() const = 0; virtual MemRegionManager &getMemRegionManager() const = 0;
const MemSpaceRegion *getMemorySpace() const; const MemSpaceRegion *getMemorySpace() const;
const MemRegion *getBaseRegion() const; const MemRegion *getBaseRegion() const;
/// Recursively retrieve the region of the most derived class instance of /// Recursively retrieve the region of the most derived class instance of
/// regions of C++ base class instances. /// regions of C++ base class instances.
const MemRegion *getMostDerivedObjectRegion() const; const MemRegion *getMostDerivedObjectRegion() const;
▲ Show 20 LinesShow All 69 Lines▼ Show 20 Linespublic:
/// \returns source range for declaration retrieved from memory region /// \returns source range for declaration retrieved from memory region
SourceRange sourceRange() const; SourceRange sourceRange() const;
}; };
/// MemSpaceRegion - A memory region that represents a "memory space"; /// MemSpaceRegion - A memory region that represents a "memory space";
/// for example, the set of global variables, the stack frame, etc. /// for example, the set of global variables, the stack frame, etc.
class MemSpaceRegion : public MemRegion { class MemSpaceRegion : public MemRegion {
protected: protected:
MemRegionManager *Mgr; MemRegionManager &Mgr;
MemSpaceRegion(MemRegionManager *mgr, Kind k) : MemRegion(k), Mgr(mgr) { MemSpaceRegion(MemRegionManager &mgr, Kind k) : MemRegion(k), Mgr(mgr) {
assert(classof(this)); assert(classof(this));
assert(mgr);
} }
MemRegionManager* getMemRegionManager() const override { return Mgr; } MemRegionManager &getMemRegionManager() const override { return Mgr; }
public: public:
bool isBoundable() const override { return false; } bool isBoundable() const override { return false; }
void Profile(llvm::FoldingSetNodeID &ID) const override; void Profile(llvm::FoldingSetNodeID &ID) const override;
static bool classof(const MemRegion *R) { static bool classof(const MemRegion *R) {
Kind k = R->getKind(); Kind k = R->getKind();
return k >= BEGIN_MEMSPACES && k <= END_MEMSPACES; return k >= BEGIN_MEMSPACES && k <= END_MEMSPACES;
} }
}; };
/// CodeSpaceRegion - The memory space that holds the executable code of /// CodeSpaceRegion - The memory space that holds the executable code of
/// functions and blocks. /// functions and blocks.
class CodeSpaceRegion : public MemSpaceRegion { class CodeSpaceRegion : public MemSpaceRegion {
friend class MemRegionManager; friend class MemRegionManager;
CodeSpaceRegion(MemRegionManager *mgr) CodeSpaceRegion(MemRegionManager &mgr)
: MemSpaceRegion(mgr, CodeSpaceRegionKind) {} : MemSpaceRegion(mgr, CodeSpaceRegionKind) {}
public: public:
void dumpToStream(raw_ostream &os) const override; void dumpToStream(raw_ostream &os) const override;
static bool classof(const MemRegion *R) { static bool classof(const MemRegion *R) {
return R->getKind() == CodeSpaceRegionKind; return R->getKind() == CodeSpaceRegionKind;
} }
}; };
class GlobalsSpaceRegion : public MemSpaceRegion { class GlobalsSpaceRegion : public MemSpaceRegion {
virtual void anchor(); virtual void anchor();
protected: protected:
GlobalsSpaceRegion(MemRegionManager *mgr, Kind k) : MemSpaceRegion(mgr, k) { GlobalsSpaceRegion(MemRegionManager &mgr, Kind k) : MemSpaceRegion(mgr, k) {
assert(classof(this)); assert(classof(this));
} }
public: public:
static bool classof(const MemRegion *R) { static bool classof(const MemRegion *R) {
Kind k = R->getKind(); Kind k = R->getKind();
return k >= BEGIN_GLOBAL_MEMSPACES && k <= END_GLOBAL_MEMSPACES; return k >= BEGIN_GLOBAL_MEMSPACES && k <= END_GLOBAL_MEMSPACES;
} }
}; };
/// The region of the static variables within the current CodeTextRegion /// The region of the static variables within the current CodeTextRegion
/// scope. /// scope.
/// ///
/// Currently, only the static locals are placed there, so we know that these /// Currently, only the static locals are placed there, so we know that these
/// variables do not get invalidated by calls to other functions. /// variables do not get invalidated by calls to other functions.
class StaticGlobalSpaceRegion : public GlobalsSpaceRegion { class StaticGlobalSpaceRegion : public GlobalsSpaceRegion {
friend class MemRegionManager; friend class MemRegionManager;
const CodeTextRegion *CR; const CodeTextRegion *CR;
StaticGlobalSpaceRegion(MemRegionManager *mgr, const CodeTextRegion *cr) StaticGlobalSpaceRegion(MemRegionManager &mgr, const CodeTextRegion *cr)
: GlobalsSpaceRegion(mgr, StaticGlobalSpaceRegionKind), CR(cr) { : GlobalsSpaceRegion(mgr, StaticGlobalSpaceRegionKind), CR(cr) {
assert(cr); assert(cr);
} }
public: public:
void Profile(llvm::FoldingSetNodeID &ID) const override; void Profile(llvm::FoldingSetNodeID &ID) const override;
void dumpToStream(raw_ostream &os) const override; void dumpToStream(raw_ostream &os) const override;
Show All 10 Lines
/// This class is further split into subclasses for efficient implementation of /// This class is further split into subclasses for efficient implementation of
/// invalidating a set of related global values as is done in /// invalidating a set of related global values as is done in
/// RegionStoreManager::invalidateRegions (instead of finding all the dependent /// RegionStoreManager::invalidateRegions (instead of finding all the dependent
/// globals, we invalidate the whole parent region). /// globals, we invalidate the whole parent region).
class NonStaticGlobalSpaceRegion : public GlobalsSpaceRegion { class NonStaticGlobalSpaceRegion : public GlobalsSpaceRegion {
void anchor() override; void anchor() override;
protected: protected:
NonStaticGlobalSpaceRegion(MemRegionManager *mgr, Kind k) NonStaticGlobalSpaceRegion(MemRegionManager &mgr, Kind k)
: GlobalsSpaceRegion(mgr, k) { : GlobalsSpaceRegion(mgr, k) {
assert(classof(this)); assert(classof(this));
} }
public: public:
static bool classof(const MemRegion *R) { static bool classof(const MemRegion *R) {
Kind k = R->getKind(); Kind k = R->getKind();
return k >= BEGIN_NON_STATIC_GLOBAL_MEMSPACES && return k >= BEGIN_NON_STATIC_GLOBAL_MEMSPACES &&
k <= END_NON_STATIC_GLOBAL_MEMSPACES; k <= END_NON_STATIC_GLOBAL_MEMSPACES;
} }
}; };
/// The region containing globals which are defined in system/external /// The region containing globals which are defined in system/external
/// headers and are considered modifiable by system calls (ex: errno). /// headers and are considered modifiable by system calls (ex: errno).
class GlobalSystemSpaceRegion : public NonStaticGlobalSpaceRegion { class GlobalSystemSpaceRegion : public NonStaticGlobalSpaceRegion {
friend class MemRegionManager; friend class MemRegionManager;
GlobalSystemSpaceRegion(MemRegionManager *mgr) GlobalSystemSpaceRegion(MemRegionManager &mgr)
: NonStaticGlobalSpaceRegion(mgr, GlobalSystemSpaceRegionKind) {} : NonStaticGlobalSpaceRegion(mgr, GlobalSystemSpaceRegionKind) {}
public: public:
void dumpToStream(raw_ostream &os) const override; void dumpToStream(raw_ostream &os) const override;
static bool classof(const MemRegion *R) { static bool classof(const MemRegion *R) {
return R->getKind() == GlobalSystemSpaceRegionKind; return R->getKind() == GlobalSystemSpaceRegionKind;
} }
}; };
/// The region containing globals which are considered not to be modified /// The region containing globals which are considered not to be modified
/// or point to data which could be modified as a result of a function call /// or point to data which could be modified as a result of a function call
/// (system or internal). Ex: Const global scalars would be modeled as part of /// (system or internal). Ex: Const global scalars would be modeled as part of
/// this region. This region also includes most system globals since they have /// this region. This region also includes most system globals since they have
/// low chance of being modified. /// low chance of being modified.
class GlobalImmutableSpaceRegion : public NonStaticGlobalSpaceRegion { class GlobalImmutableSpaceRegion : public NonStaticGlobalSpaceRegion {
friend class MemRegionManager; friend class MemRegionManager;
GlobalImmutableSpaceRegion(MemRegionManager *mgr) GlobalImmutableSpaceRegion(MemRegionManager &mgr)
: NonStaticGlobalSpaceRegion(mgr, GlobalImmutableSpaceRegionKind) {} : NonStaticGlobalSpaceRegion(mgr, GlobalImmutableSpaceRegionKind) {}
public: public:
void dumpToStream(raw_ostream &os) const override; void dumpToStream(raw_ostream &os) const override;
static bool classof(const MemRegion *R) { static bool classof(const MemRegion *R) {
return R->getKind() == GlobalImmutableSpaceRegionKind; return R->getKind() == GlobalImmutableSpaceRegionKind;
} }
}; };
/// The region containing globals which can be modified by calls to /// The region containing globals which can be modified by calls to
/// "internally" defined functions - (for now just) functions other then system /// "internally" defined functions - (for now just) functions other then system
/// calls. /// calls.
class GlobalInternalSpaceRegion : public NonStaticGlobalSpaceRegion { class GlobalInternalSpaceRegion : public NonStaticGlobalSpaceRegion {
friend class MemRegionManager; friend class MemRegionManager;
GlobalInternalSpaceRegion(MemRegionManager *mgr) GlobalInternalSpaceRegion(MemRegionManager &mgr)
: NonStaticGlobalSpaceRegion(mgr, GlobalInternalSpaceRegionKind) {} : NonStaticGlobalSpaceRegion(mgr, GlobalInternalSpaceRegionKind) {}
public: public:
void dumpToStream(raw_ostream &os) const override; void dumpToStream(raw_ostream &os) const override;
static bool classof(const MemRegion *R) { static bool classof(const MemRegion *R) {
return R->getKind() == GlobalInternalSpaceRegionKind; return R->getKind() == GlobalInternalSpaceRegionKind;
} }
}; };
class HeapSpaceRegion : public MemSpaceRegion { class HeapSpaceRegion : public MemSpaceRegion {
friend class MemRegionManager; friend class MemRegionManager;
HeapSpaceRegion(MemRegionManager *mgr) HeapSpaceRegion(MemRegionManager &mgr)
: MemSpaceRegion(mgr, HeapSpaceRegionKind) {} : MemSpaceRegion(mgr, HeapSpaceRegionKind) {}
public: public:
void dumpToStream(raw_ostream &os) const override; void dumpToStream(raw_ostream &os) const override;
static bool classof(const MemRegion *R) { static bool classof(const MemRegion *R) {
return R->getKind() == HeapSpaceRegionKind; return R->getKind() == HeapSpaceRegionKind;
} }
}; };
class UnknownSpaceRegion : public MemSpaceRegion { class UnknownSpaceRegion : public MemSpaceRegion {
friend class MemRegionManager; friend class MemRegionManager;
UnknownSpaceRegion(MemRegionManager *mgr) UnknownSpaceRegion(MemRegionManager &mgr)
: MemSpaceRegion(mgr, UnknownSpaceRegionKind) {} : MemSpaceRegion(mgr, UnknownSpaceRegionKind) {}
public: public:
void dumpToStream(raw_ostream &os) const override; void dumpToStream(raw_ostream &os) const override;
static bool classof(const MemRegion *R) { static bool classof(const MemRegion *R) {
return R->getKind() == UnknownSpaceRegionKind; return R->getKind() == UnknownSpaceRegionKind;
} }
}; };
class StackSpaceRegion : public MemSpaceRegion { class StackSpaceRegion : public MemSpaceRegion {
virtual void anchor(); virtual void anchor();
const StackFrameContext *SFC; const StackFrameContext *SFC;
protected: protected:
StackSpaceRegion(MemRegionManager *mgr, Kind k, const StackFrameContext *sfc) StackSpaceRegion(MemRegionManager &mgr, Kind k, const StackFrameContext *sfc)
: MemSpaceRegion(mgr, k), SFC(sfc) { : MemSpaceRegion(mgr, k), SFC(sfc) {
assert(classof(this)); assert(classof(this));
assert(sfc); assert(sfc);
} }
public: public:
const StackFrameContext *getStackFrame() const { return SFC; } const StackFrameContext *getStackFrame() const { return SFC; }
void Profile(llvm::FoldingSetNodeID &ID) const override; void Profile(llvm::FoldingSetNodeID &ID) const override;
static bool classof(const MemRegion *R) { static bool classof(const MemRegion *R) {
Kind k = R->getKind(); Kind k = R->getKind();
return k >= BEGIN_STACK_MEMSPACES && k <= END_STACK_MEMSPACES; return k >= BEGIN_STACK_MEMSPACES && k <= END_STACK_MEMSPACES;
} }
}; };
class StackLocalsSpaceRegion : public StackSpaceRegion { class StackLocalsSpaceRegion : public StackSpaceRegion {
friend class MemRegionManager; friend class MemRegionManager;
StackLocalsSpaceRegion(MemRegionManager *mgr, const StackFrameContext *sfc) StackLocalsSpaceRegion(MemRegionManager &mgr, const StackFrameContext *sfc)
: StackSpaceRegion(mgr, StackLocalsSpaceRegionKind, sfc) {} : StackSpaceRegion(mgr, StackLocalsSpaceRegionKind, sfc) {}
public: public:
void dumpToStream(raw_ostream &os) const override; void dumpToStream(raw_ostream &os) const override;
static bool classof(const MemRegion *R) { static bool classof(const MemRegion *R) {
return R->getKind() == StackLocalsSpaceRegionKind; return R->getKind() == StackLocalsSpaceRegionKind;
} }
}; };
class StackArgumentsSpaceRegion : public StackSpaceRegion { class StackArgumentsSpaceRegion : public StackSpaceRegion {
private: private:
friend class MemRegionManager; friend class MemRegionManager;
StackArgumentsSpaceRegion(MemRegionManager *mgr, const StackFrameContext *sfc) StackArgumentsSpaceRegion(MemRegionManager &mgr, const StackFrameContext *sfc)
: StackSpaceRegion(mgr, StackArgumentsSpaceRegionKind, sfc) {} : StackSpaceRegion(mgr, StackArgumentsSpaceRegionKind, sfc) {}
public: public:
void dumpToStream(raw_ostream &os) const override; void dumpToStream(raw_ostream &os) const override;
static bool classof(const MemRegion *R) { static bool classof(const MemRegion *R) {
return R->getKind() == StackArgumentsSpaceRegionKind; return R->getKind() == StackArgumentsSpaceRegionKind;
} }
Show All 12 Lines SubRegion(const MemRegion *sReg, Kind k) : MemRegion(k), superRegion(sReg) {
assert(sReg); assert(sReg);
} }
public: public:
const MemRegion* getSuperRegion() const { const MemRegion* getSuperRegion() const {
return superRegion; return superRegion;
} }
/// getExtent - Returns the size of the region in bytes. MemRegionManager &getMemRegionManager() const override;
virtual DefinedOrUnknownSVal getExtent(SValBuilder &svalBuilder) const {
return UnknownVal();
}
MemRegionManager* getMemRegionManager() const override;
bool isSubRegionOf(const MemRegion* R) const override; bool isSubRegionOf(const MemRegion* R) const override;
static bool classof(const MemRegion* R) { static bool classof(const MemRegion* R) {
return R->getKind() > END_MEMSPACES; return R->getKind() > END_MEMSPACES;
} }
}; };
Show All 20 Linesclass AllocaRegion : public SubRegion {
static void ProfileRegion(llvm::FoldingSetNodeID& ID, const Expr *Ex, static void ProfileRegion(llvm::FoldingSetNodeID& ID, const Expr *Ex,
unsigned Cnt, const MemRegion *superRegion); unsigned Cnt, const MemRegion *superRegion);
public: public:
const Expr *getExpr() const { return Ex; } const Expr *getExpr() const { return Ex; }
bool isBoundable() const override { return true; } bool isBoundable() const override { return true; }
DefinedOrUnknownSVal getExtent(SValBuilder &svalBuilder) const override;
void Profile(llvm::FoldingSetNodeID& ID) const override; void Profile(llvm::FoldingSetNodeID& ID) const override;
void dumpToStream(raw_ostream &os) const override; void dumpToStream(raw_ostream &os) const override;
static bool classof(const MemRegion* R) { static bool classof(const MemRegion* R) {
return R->getKind() == AllocaRegionKind; return R->getKind() == AllocaRegionKind;
} }
}; };
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Lines QualType getLocationType() const override {
return ctx.getPointerType(getValueType()); return ctx.getPointerType(getValueType());
} }
QualType getDesugaredValueType(ASTContext &Context) const { QualType getDesugaredValueType(ASTContext &Context) const {
QualType T = getValueType(); QualType T = getValueType();
return T.getTypePtrOrNull() ? T.getDesugaredType(Context) : T; return T.getTypePtrOrNull() ? T.getDesugaredType(Context) : T;
} }
DefinedOrUnknownSVal getExtent(SValBuilder &svalBuilder) const override;
static bool classof(const MemRegion* R) { static bool classof(const MemRegion* R) {
unsigned k = R->getKind(); unsigned k = R->getKind();
return k >= BEGIN_TYPED_VALUE_REGIONS && k <= END_TYPED_VALUE_REGIONS; return k >= BEGIN_TYPED_VALUE_REGIONS && k <= END_TYPED_VALUE_REGIONS;
} }
}; };
class CodeTextRegion : public TypedRegion { class CodeTextRegion : public TypedRegion {
void anchor() override; void anchor() override;
▲ Show 20 LinesShow All 212 Lines▼ Show 20 Lines SymbolicRegion(const SymbolRef s, const MemSpaceRegion *sreg)
assert(isa<UnknownSpaceRegion>(sreg) || isa<HeapSpaceRegion>(sreg)); assert(isa<UnknownSpaceRegion>(sreg) || isa<HeapSpaceRegion>(sreg));
} }
public: public:
SymbolRef getSymbol() const { return sym; } SymbolRef getSymbol() const { return sym; }
bool isBoundable() const override { return true; } bool isBoundable() const override { return true; }
DefinedOrUnknownSVal getExtent(SValBuilder &svalBuilder) const override;
void Profile(llvm::FoldingSetNodeID& ID) const override; void Profile(llvm::FoldingSetNodeID& ID) const override;
static void ProfileRegion(llvm::FoldingSetNodeID& ID, static void ProfileRegion(llvm::FoldingSetNodeID& ID,
SymbolRef sym, SymbolRef sym,
const MemRegion* superRegion); const MemRegion* superRegion);
void dumpToStream(raw_ostream &os) const override; void dumpToStream(raw_ostream &os) const override;
Show All 17 Lines static void ProfileRegion(llvm::FoldingSetNodeID &ID,
const StringLiteral *Str, const StringLiteral *Str,
const MemRegion *superRegion); const MemRegion *superRegion);
public: public:
const StringLiteral *getStringLiteral() const { return Str; } const StringLiteral *getStringLiteral() const { return Str; }
QualType getValueType() const override { return Str->getType(); } QualType getValueType() const override { return Str->getType(); }
DefinedOrUnknownSVal getExtent(SValBuilder &svalBuilder) const override;
bool isBoundable() const override { return false; } bool isBoundable() const override { return false; }
void Profile(llvm::FoldingSetNodeID& ID) const override { void Profile(llvm::FoldingSetNodeID& ID) const override {
ProfileRegion(ID, Str, superRegion); ProfileRegion(ID, Str, superRegion);
} }
void dumpToStream(raw_ostream &os) const override; void dumpToStream(raw_ostream &os) const override;
▲ Show 20 LinesShow All 186 Lines▼ Show 20 Lines
public: public:
const FieldDecl *getDecl() const { return cast<FieldDecl>(D); } const FieldDecl *getDecl() const { return cast<FieldDecl>(D); }
QualType getValueType() const override { QualType getValueType() const override {
// FIXME: We can cache this if needed. // FIXME: We can cache this if needed.
return getDecl()->getType(); return getDecl()->getType();
} }
DefinedOrUnknownSVal getExtent(SValBuilder &svalBuilder) const override;
void dumpToStream(raw_ostream &os) const override; void dumpToStream(raw_ostream &os) const override;
bool canPrintPretty() const override; bool canPrintPretty() const override;
void printPretty(raw_ostream &os) const override; void printPretty(raw_ostream &os) const override;
bool canPrintPrettyAsExpr() const override; bool canPrintPrettyAsExpr() const override;
void printPrettyAsExpr(raw_ostream &os) const override; void printPrettyAsExpr(raw_ostream &os) const override;
static bool classof(const MemRegion* R) { static bool classof(const MemRegion* R) {
▲ Show 20 LinesShow All 203 Lines▼ Show 20 Linesconst RegionTy* MemRegion::castAs() const {
return cast<RegionTy>(this); return cast<RegionTy>(this);
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// MemRegionManager - Factory object for creating regions. // MemRegionManager - Factory object for creating regions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
class MemRegionManager { class MemRegionManager {
ASTContext &C; ASTContext &Ctx;
llvm::BumpPtrAllocator& A; llvm::BumpPtrAllocator& A;
SValBuilder &SVB;
SymbolManager &SymMgr;
llvm::FoldingSet<MemRegion> Regions; llvm::FoldingSet<MemRegion> Regions;
GlobalInternalSpaceRegion *InternalGlobals = nullptr; GlobalInternalSpaceRegion *InternalGlobals = nullptr;
GlobalSystemSpaceRegion *SystemGlobals = nullptr; GlobalSystemSpaceRegion *SystemGlobals = nullptr;
GlobalImmutableSpaceRegion *ImmutableGlobals = nullptr; GlobalImmutableSpaceRegion *ImmutableGlobals = nullptr;
llvm::DenseMap<const StackFrameContext *, StackLocalsSpaceRegion *> llvm::DenseMap<const StackFrameContext *, StackLocalsSpaceRegion *>
StackLocalsSpaceRegions; StackLocalsSpaceRegions;
llvm::DenseMap<const StackFrameContext *, StackArgumentsSpaceRegion *> llvm::DenseMap<const StackFrameContext *, StackArgumentsSpaceRegion *>
StackArgumentsSpaceRegions; StackArgumentsSpaceRegions;
llvm::DenseMap<const CodeTextRegion *, StaticGlobalSpaceRegion *> llvm::DenseMap<const CodeTextRegion *, StaticGlobalSpaceRegion *>
StaticsGlobalSpaceRegions; StaticsGlobalSpaceRegions;
HeapSpaceRegion *heap = nullptr; HeapSpaceRegion *heap = nullptr;
UnknownSpaceRegion *unknown = nullptr; UnknownSpaceRegion *unknown = nullptr;
CodeSpaceRegion *code = nullptr; CodeSpaceRegion *code = nullptr;
public: public:
MemRegionManager(ASTContext &c, llvm::BumpPtrAllocator &a) : C(c), A(a) {} MemRegionManager(ASTContext &c, llvm::BumpPtrAllocator &a, SValBuilder &SVB,
SymbolManager &SymMgr)
: Ctx(c), A(a), SVB(SVB), SymMgr(SymMgr) {}
NoQUnsubmitted
Done
ReplyInline Actions

This looks like a layering violation to me. It's not super important, but i'd rather not have MemRegion depend on SValBuilder.

Can we have getStaticSize() be a method on SValBuilder instead? Or simply a standalone static function in DynamicSize.cpp? 'Cause ideally it shouldn't be called directly.

NoQ: This looks like a layering violation to me. It's not super important, but i'd rather not have…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Hm, in my game-dev world every manager knows about every manager, so I felt that it needs to work. I like the idea behind the directness and hiding the implementation, but I believe the MemRegionManager should manage its stuff. Also we are lucky, because the SValBuilder is available everywhere with a tiny stress on the API.

Charusso: Hm, in my game-dev world every manager knows about every manager, so I felt that it needs to…
~MemRegionManager(); ~MemRegionManager();
ASTContext &getContext() { return C; } ASTContext &getContext() { return Ctx; }
llvm::BumpPtrAllocator &getAllocator() { return A; } llvm::BumpPtrAllocator &getAllocator() { return A; }
SValBuilder &getSValBuilder() { return SVB; }
SymbolManager &getSymbolManager() { return SymMgr; }
/// \returns The static size in bytes of the region \p MR.
/// \note The region \p MR must be a 'SubRegion'.
DefinedOrUnknownSVal getStaticSize(const MemRegion *MR) const;
/// getStackLocalsRegion - Retrieve the memory region associated with the /// getStackLocalsRegion - Retrieve the memory region associated with the
/// specified stack frame. /// specified stack frame.
const StackLocalsSpaceRegion * const StackLocalsSpaceRegion *
getStackLocalsRegion(const StackFrameContext *STC); getStackLocalsRegion(const StackFrameContext *STC);
/// getStackArgumentsRegion - Retrieve the memory region associated with /// getStackArgumentsRegion - Retrieve the memory region associated with
/// function/method arguments of the specified stack frame. /// function/method arguments of the specified stack frame.
const StackArgumentsSpaceRegion * const StackArgumentsSpaceRegion *
▲ Show 20 LinesShow All 149 Lines▼ Show 20 Linesprivate:
const REG* LazyAllocate(REG*& region, ARG a); const REG* LazyAllocate(REG*& region, ARG a);
}; };
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Out-of-line member definitions. // Out-of-line member definitions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
inline ASTContext &MemRegion::getContext() const { inline ASTContext &MemRegion::getContext() const {
return getMemRegionManager()->getContext(); return getMemRegionManager().getContext();
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Means for storing region/symbol handling traits. // Means for storing region/symbol handling traits.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
/// Information about invalidation for a particular region/symbol. /// Information about invalidation for a particular region/symbol.
class RegionAndSymbolInvalidationTraits { class RegionAndSymbolInvalidationTraits {
▲ Show 20 LinesShow All 49 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h

Show First 20 LinesShow All 78 Lines▼ Show 20 Linespublic:
// FIXME: Make these protected again once RegionStoreManager correctly // FIXME: Make these protected again once RegionStoreManager correctly
// handles loads from different bound value types. // handles loads from different bound value types.
virtual SVal dispatchCast(SVal val, QualType castTy) = 0; virtual SVal dispatchCast(SVal val, QualType castTy) = 0;
public: public:
SValBuilder(llvm::BumpPtrAllocator &alloc, ASTContext &context, SValBuilder(llvm::BumpPtrAllocator &alloc, ASTContext &context,
ProgramStateManager &stateMgr) ProgramStateManager &stateMgr)
: Context(context), BasicVals(context, alloc), : Context(context), BasicVals(context, alloc),
SymMgr(context, BasicVals, alloc), MemMgr(context, alloc), SymMgr(context, BasicVals, alloc),
StateMgr(stateMgr), ArrayIndexTy(context.LongLongTy), MemMgr(context, alloc, *this, SymMgr), StateMgr(stateMgr),
ArrayIndexTy(context.LongLongTy),
ArrayIndexWidth(context.getTypeSize(ArrayIndexTy)) {} ArrayIndexWidth(context.getTypeSize(ArrayIndexTy)) {}
virtual ~SValBuilder() = default; virtual ~SValBuilder() = default;
bool haveSameType(const SymExpr *Sym1, const SymExpr *Sym2) { bool haveSameType(const SymExpr *Sym1, const SymExpr *Sym2) {
return haveSameType(Sym1->getType(), Sym2->getType()); return haveSameType(Sym1->getType(), Sym2->getType());
} }
▲ Show 20 LinesShow All 299 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp

//== ArrayBoundCheckerV2.cpp ------------------------------------*- C++ -*--==// //== ArrayBoundCheckerV2.cpp ------------------------------------*- C++ -*--==//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines ArrayBoundCheckerV2, which is a path-sensitive check // This file defines ArrayBoundCheckerV2, which is a path-sensitive check
// which looks for an out-of-bound array element access. // which looks for an out-of-bound array element access.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "Taint.h" #include "Taint.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/AST/CharUnits.h" #include "clang/AST/CharUnits.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" #include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace taint; using namespace taint;
▲ Show 20 LinesShow All 140 Lines▼ Show 20 Lines if (Optional<NonLoc> NV = extentBegin.getAs<NonLoc>()) {
} }
// Otherwise, assume the constraint of the lower bound. // Otherwise, assume the constraint of the lower bound.
assert(state_withinLowerBound); assert(state_withinLowerBound);
state = state_withinLowerBound; state = state_withinLowerBound;
} }
do { do {
// CHECK UPPER BOUND: Is byteOffset >= extent(baseRegion)? If so, // CHECK UPPER BOUND: Is byteOffset >= size(baseRegion)? If so,
// we are doing a load/store after the last valid offset. // we are doing a load/store after the last valid offset.
DefinedOrUnknownSVal extentVal = const MemRegion *MR = rawOffset.getRegion();
rawOffset.getRegion()->getExtent(svalBuilder); DefinedOrUnknownSVal Size = getDynamicSize(state, MR);
if (!extentVal.getAs<NonLoc>()) if (!Size.getAs<NonLoc>())
break; break;
if (extentVal.getAs<nonloc::ConcreteInt>()) { if (Size.getAs<nonloc::ConcreteInt>()) {
std::pair<NonLoc, nonloc::ConcreteInt> simplifiedOffsets = std::pair<NonLoc, nonloc::ConcreteInt> simplifiedOffsets =
getSimplifiedOffsets(rawOffset.getByteOffset(), getSimplifiedOffsets(rawOffset.getByteOffset(),
extentVal.castAs<nonloc::ConcreteInt>(), Size.castAs<nonloc::ConcreteInt>(), svalBuilder);
svalBuilder);
rawOffsetVal = simplifiedOffsets.first; rawOffsetVal = simplifiedOffsets.first;
extentVal = simplifiedOffsets.second; Size = simplifiedOffsets.second;
} }
SVal upperbound = svalBuilder.evalBinOpNN(state, BO_GE, rawOffsetVal, SVal upperbound = svalBuilder.evalBinOpNN(state, BO_GE, rawOffsetVal,
extentVal.castAs<NonLoc>(), Size.castAs<NonLoc>(),
svalBuilder.getConditionType()); svalBuilder.getConditionType());
Optional<NonLoc> upperboundToCheck = upperbound.getAs<NonLoc>(); Optional<NonLoc> upperboundToCheck = upperbound.getAs<NonLoc>();
if (!upperboundToCheck) if (!upperboundToCheck)
break; break;
ProgramStateRef state_exceedsUpperBound, state_withinUpperBound; ProgramStateRef state_exceedsUpperBound, state_withinUpperBound;
std::tie(state_exceedsUpperBound, state_withinUpperBound) = std::tie(state_exceedsUpperBound, state_withinUpperBound) =
▲ Show 20 LinesShow All 158 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/BuiltinFunctionChecker.cpp

//=== BuiltinFunctionChecker.cpp --------------------------------*- C++ -*-===// //=== BuiltinFunctionChecker.cpp --------------------------------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This checker evaluates clang builtin functions. // This checker evaluates clang builtin functions.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/Basic/Builtins.h" #include "clang/Basic/Builtins.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class BuiltinFunctionChecker : public Checker<eval::Call> { class BuiltinFunctionChecker : public Checker<eval::Call> {
public: public:
▲ Show 20 LinesShow All 58 Lines▼ Show 20 Lines case Builtin::BI__builtin_alloca: {
// Set the extent of the region in bytes. This enables us to use the // Set the extent of the region in bytes. This enables us to use the
// SVal of the argument directly. If we save the extent in bits, we // SVal of the argument directly. If we save the extent in bits, we
// cannot represent values like symbol*8. // cannot represent values like symbol*8.
auto Size = Call.getArgSVal(0); auto Size = Call.getArgSVal(0);
if (Size.isUndef()) if (Size.isUndef())
return true; // Return true to model purity. return true; // Return true to model purity.
SValBuilder& svalBuilder = C.getSValBuilder(); SValBuilder& svalBuilder = C.getSValBuilder();
DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder);
DefinedOrUnknownSVal extentMatchesSizeArg = DefinedOrUnknownSVal DynSize = getDynamicSize(state, R);
svalBuilder.evalEQ(state, Extent, Size.castAs<DefinedOrUnknownSVal>());
state = state->assume(extentMatchesSizeArg, true); DefinedOrUnknownSVal DynSizeMatchesSizeArg =
svalBuilder.evalEQ(state, DynSize, Size.castAs<DefinedOrUnknownSVal>());
state = state->assume(DynSizeMatchesSizeArg, true);
NoQUnsubmitted
Done
ReplyInline Actions

As the next obvious step for the next patch, i suggest replacing evalEQ() with some sort of setDynamicSize() here.

NoQ: As the next obvious step for the next patch, i suggest replacing `evalEQ()` with some sort of…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Okay, good idea, thanks! I want to eliminate getSizeInElements as well.

Charusso: Okay, good idea, thanks! I want to eliminate `getSizeInElements` as well.
assert(state && "The region should not have any previous constraints"); assert(state && "The region should not have any previous constraints");
C.addTransition(state->BindExpr(CE, LCtx, loc::MemRegionVal(R))); C.addTransition(state->BindExpr(CE, LCtx, loc::MemRegionVal(R)));
return true; return true;
} }
case Builtin::BI__builtin_dynamic_object_size: case Builtin::BI__builtin_dynamic_object_size:
case Builtin::BI__builtin_object_size: case Builtin::BI__builtin_object_size:
Show All 35 Lines

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

//= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-// //= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This defines CStringChecker, which is an assortment of checks on calls // This defines CStringChecker, which is an assortment of checks on calls
// to functions in <string.h>. // to functions in <string.h>.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "InterCheckerAPI.h" #include "InterCheckerAPI.h"
#include "clang/Basic/CharInfo.h" #include "clang/Basic/CharInfo.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
▲ Show 20 LinesShow All 294 Lines▼ Show 20 LinesProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
if (!ER) if (!ER)
return state; return state;
if (ER->getValueType() != C.getASTContext().CharTy) if (ER->getValueType() != C.getASTContext().CharTy)
return state; return state;
// Get the size of the array. // Get the size of the array.
const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion()); const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
SValBuilder &svalBuilder = C.getSValBuilder(); DefinedOrUnknownSVal Size = getDynamicSize(state, superReg);
SVal Extent =
svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
DefinedOrUnknownSVal Size = Extent.castAs<DefinedOrUnknownSVal>();
// Get the index of the accessed element. // Get the index of the accessed element.
DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true); ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false); ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
if (StOutBound && !StInBound) { if (StOutBound && !StInBound) {
// These checks are either enabled by the CString out-of-bounds checker // These checks are either enabled by the CString out-of-bounds checker
▲ Show 20 LinesShow All 588 Lines▼ Show 20 Linesbool CStringChecker::IsFirstBufInBound(CheckerContext &C,
// FIXME: Does this crash when a non-standard definition // FIXME: Does this crash when a non-standard definition
// of a library function is encountered? // of a library function is encountered?
assert(ER->getValueType() == C.getASTContext().CharTy && assert(ER->getValueType() == C.getASTContext().CharTy &&
"IsFirstBufInBound should only be called with char* ElementRegions"); "IsFirstBufInBound should only be called with char* ElementRegions");
// Get the size of the array. // Get the size of the array.
const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion()); const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
SVal Extent = DefinedOrUnknownSVal SizeDV = getDynamicSize(state, superReg);
svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
DefinedOrUnknownSVal ExtentSize = Extent.castAs<DefinedOrUnknownSVal>();
// Get the index of the accessed element. // Get the index of the accessed element.
DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
ProgramStateRef StInBound = state->assumeInBound(Idx, ExtentSize, true); ProgramStateRef StInBound = state->assumeInBound(Idx, SizeDV, true);
return static_cast<bool>(StInBound); return static_cast<bool>(StInBound);
} }
ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C, ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
ProgramStateRef state, ProgramStateRef state,
const Expr *E, SVal V, const Expr *E, SVal V,
bool IsSourceBuffer, bool IsSourceBuffer,
▲ Show 20 LinesShow All 109 Lines▼ Show 20 Linesbool CStringChecker::memsetAux(const Expr *DstBuffer, SVal CharVal,
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
ASTContext &Ctx = C.getASTContext(); ASTContext &Ctx = C.getASTContext();
// void *memset(void *dest, int ch, size_t count); // void *memset(void *dest, int ch, size_t count);
// For now we can only handle the case of offset is 0 and concrete char value. // For now we can only handle the case of offset is 0 and concrete char value.
if (Offset.isValid() && !Offset.hasSymbolicOffset() && if (Offset.isValid() && !Offset.hasSymbolicOffset() &&
Offset.getOffset() == 0) { Offset.getOffset() == 0) {
// Get the base region's extent. // Get the base region's size.
auto *SubReg = cast<SubRegion>(BR); DefinedOrUnknownSVal SizeDV = getDynamicSize(State, BR);
DefinedOrUnknownSVal Extent = SubReg->getExtent(svalBuilder);
ProgramStateRef StateWholeReg, StateNotWholeReg; ProgramStateRef StateWholeReg, StateNotWholeReg;
std::tie(StateWholeReg, StateNotWholeReg) = std::tie(StateWholeReg, StateNotWholeReg) =
State->assume(svalBuilder.evalEQ(State, Extent, *SizeNL)); State->assume(svalBuilder.evalEQ(State, SizeDV, *SizeNL));
NoQUnsubmitted
Done
ReplyInline Actions

And here.

NoQ: And here.
// With the semantic of 'memset()', we should convert the CharVal to // With the semantic of 'memset()', we should convert the CharVal to
// unsigned char. // unsigned char.
CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy); CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy);
ProgramStateRef StateNullChar, StateNonNullChar; ProgramStateRef StateNullChar, StateNonNullChar;
std::tie(StateNullChar, StateNonNullChar) = std::tie(StateNullChar, StateNonNullChar) =
assumeZero(C, State, CharVal, Ctx.UnsignedCharTy); assumeZero(C, State, CharVal, Ctx.UnsignedCharTy);
▲ Show 20 LinesShow All 1,333 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CastSizeChecker.cpp

//=== CastSizeChecker.cpp ---------------------------------------*- C++ -*-===// //=== CastSizeChecker.cpp ---------------------------------------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// CastSizeChecker checks when casting a malloc'ed symbolic region to type T, // CastSizeChecker checks when casting a malloc'ed symbolic region to type T,
// whether the size of the symbolic region is a multiple of the size of T. // whether the size of the symbolic region is a multiple of the size of T.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/AST/CharUnits.h" #include "clang/AST/CharUnits.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class CastSizeChecker : public Checker< check::PreStmt<CastExpr> > { class CastSizeChecker : public Checker< check::PreStmt<CastExpr> > {
mutable std::unique_ptr<BuiltinBug> BT; mutable std::unique_ptr<BuiltinBug> BT;
▲ Show 20 LinesShow All 77 Lines▼ Show 20 Linesvoid CastSizeChecker::checkPreStmt(const CastExpr *CE,CheckerContext &C) const {
if (!R) if (!R)
return; return;
const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R); const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R);
if (!SR) if (!SR)
return; return;
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
SVal extent = SR->getExtent(svalBuilder);
const llvm::APSInt *extentInt = svalBuilder.getKnownValue(state, extent); DefinedOrUnknownSVal Size = getDynamicSize(state, SR);
if (!extentInt) const llvm::APSInt *SizeInt = svalBuilder.getKnownValue(state, Size);
if (!SizeInt)
return; return;
CharUnits regionSize = CharUnits::fromQuantity(extentInt->getSExtValue()); CharUnits regionSize = CharUnits::fromQuantity(SizeInt->getZExtValue());
CharUnits typeSize = C.getASTContext().getTypeSizeInChars(ToPointeeTy); CharUnits typeSize = C.getASTContext().getTypeSizeInChars(ToPointeeTy);
// Ignore void, and a few other un-sizeable types. // Ignore void, and a few other un-sizeable types.
if (typeSize.isZero()) if (typeSize.isZero())
return; return;
if (regionSize % typeSize == 0) if (regionSize % typeSize == 0)
return; return;
Show All 27 Lines

clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp

//==- ExprInspectionChecker.cpp - Used for regression tests ------*- C++ -*-==// //==- ExprInspectionChecker.cpp - Used for regression tests ------*- C++ -*-==//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Checkers/SValExplainer.h" #include "clang/StaticAnalyzer/Checkers/SValExplainer.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/IssueHash.h" #include "clang/StaticAnalyzer/Core/IssueHash.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "llvm/ADT/StringSwitch.h" #include "llvm/ADT/StringSwitch.h"
#include "llvm/Support/ScopedPrinter.h" #include "llvm/Support/ScopedPrinter.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class ExprInspectionChecker : public Checker<eval::Call, check::DeadSymbols, class ExprInspectionChecker : public Checker<eval::Call, check::DeadSymbols,
▲ Show 20 LinesShow All 205 Lines▼ Show 20 Linesvoid ExprInspectionChecker::analyzerGetExtent(const CallExpr *CE,
auto MR = dyn_cast_or_null<SubRegion>(C.getSVal(CE->getArg(0)).getAsRegion()); auto MR = dyn_cast_or_null<SubRegion>(C.getSVal(CE->getArg(0)).getAsRegion());
if (!MR) { if (!MR) {
reportBug("Obtaining extent of a non-region", C); reportBug("Obtaining extent of a non-region", C);
return; return;
} }
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
State = State->BindExpr(CE, C.getLocationContext(), DefinedOrUnknownSVal Size = getDynamicSize(State, MR);
MR->getExtent(C.getSValBuilder()));
State = State->BindExpr(CE, C.getLocationContext(), Size);
C.addTransition(State); C.addTransition(State);
} }
void ExprInspectionChecker::analyzerPrintState(const CallExpr *CE, void ExprInspectionChecker::analyzerPrintState(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
C.getState()->dump(); C.getState()->dump();
} }
▲ Show 20 LinesShow All 173 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/MPI-Checker/MPIChecker.cpp

Show First 20 LinesShow All 140 Lines▼ Show 20 Lines if (FuncClassifier->isMPI_Wait(CE.getCalleeIdentifier())) {
return (const MemRegion *)nullptr; return (const MemRegion *)nullptr;
} }
} }
void MPIChecker::allRegionsUsedByWait( void MPIChecker::allRegionsUsedByWait(
llvm::SmallVector<const MemRegion *, 2> &ReqRegions, llvm::SmallVector<const MemRegion *, 2> &ReqRegions,
const MemRegion *const MR, const CallEvent &CE, CheckerContext &Ctx) const { const MemRegion *const MR, const CallEvent &CE, CheckerContext &Ctx) const {
MemRegionManager *const RegionManager = MR->getMemRegionManager(); MemRegionManager &RegionManager = MR->getMemRegionManager();
if (FuncClassifier->isMPI_Waitall(CE.getCalleeIdentifier())) { if (FuncClassifier->isMPI_Waitall(CE.getCalleeIdentifier())) {
const SubRegion *SuperRegion{nullptr}; const SubRegion *SuperRegion{nullptr};
if (const ElementRegion *const ER = MR->getAs<ElementRegion>()) { if (const ElementRegion *const ER = MR->getAs<ElementRegion>()) {
SuperRegion = cast<SubRegion>(ER->getSuperRegion()); SuperRegion = cast<SubRegion>(ER->getSuperRegion());
} }
// A single request is passed to MPI_Waitall. // A single request is passed to MPI_Waitall.
if (!SuperRegion) { if (!SuperRegion) {
ReqRegions.push_back(MR); ReqRegions.push_back(MR);
return; return;
} }
const auto &Size = Ctx.getStoreManager().getSizeInElements( const auto &Size = Ctx.getStoreManager().getSizeInElements(
Ctx.getState(), SuperRegion, Ctx.getState(), SuperRegion,
CE.getArgExpr(1)->getType()->getPointeeType()); CE.getArgExpr(1)->getType()->getPointeeType());
const llvm::APSInt &ArrSize = Size.getAs<nonloc::ConcreteInt>()->getValue(); const llvm::APSInt &ArrSize = Size.getAs<nonloc::ConcreteInt>()->getValue();
for (size_t i = 0; i < ArrSize; ++i) { for (size_t i = 0; i < ArrSize; ++i) {
const NonLoc Idx = Ctx.getSValBuilder().makeArrayIndex(i); const NonLoc Idx = Ctx.getSValBuilder().makeArrayIndex(i);
const ElementRegion *const ER = RegionManager->getElementRegion( const ElementRegion *const ER = RegionManager.getElementRegion(
CE.getArgExpr(1)->getType()->getPointeeType(), Idx, SuperRegion, CE.getArgExpr(1)->getType()->getPointeeType(), Idx, SuperRegion,
Ctx.getASTContext()); Ctx.getASTContext());
ReqRegions.push_back(ER->getAs<MemRegion>()); ReqRegions.push_back(ER->getAs<MemRegion>());
} }
} else if (FuncClassifier->isMPI_Wait(CE.getCalleeIdentifier())) { } else if (FuncClassifier->isMPI_Wait(CE.getCalleeIdentifier())) {
ReqRegions.push_back(MR); ReqRegions.push_back(MR);
} }
Show All 14 Lines

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 51 Lines▼ Show 20 Lines
#include "clang/Basic/TargetInfo.h" #include "clang/Basic/TargetInfo.h"
#include "clang/Lex/Lexer.h" #include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/ADT/StringExtras.h" #include "llvm/ADT/StringExtras.h"
#include "AllocationState.h" #include "AllocationState.h"
#include <climits> #include <climits>
▲ Show 20 LinesShow All 1,329 Lines▼ Show 20 LinesProgramStateRef MallocChecker::addExtentSize(CheckerContext &C,
} }
// Set the region's extent equal to the Size in Bytes. // Set the region's extent equal to the Size in Bytes.
QualType ElementType = NE->getAllocatedType(); QualType ElementType = NE->getAllocatedType();
ASTContext &AstContext = C.getASTContext(); ASTContext &AstContext = C.getASTContext();
CharUnits TypeSize = AstContext.getTypeSizeInChars(ElementType); CharUnits TypeSize = AstContext.getTypeSizeInChars(ElementType);
if (ElementCount.getAs<NonLoc>()) { if (ElementCount.getAs<NonLoc>()) {
DefinedOrUnknownSVal Extent = Region->getExtent(svalBuilder); DefinedOrUnknownSVal DynSize = getDynamicSize(State, Region);
// size in Bytes = ElementCount*TypeSize // size in Bytes = ElementCount*TypeSize
SVal SizeInBytes = svalBuilder.evalBinOpNN( SVal SizeInBytes = svalBuilder.evalBinOpNN(
State, BO_Mul, ElementCount.castAs<NonLoc>(), State, BO_Mul, ElementCount.castAs<NonLoc>(),
svalBuilder.makeArrayIndex(TypeSize.getQuantity()), svalBuilder.makeArrayIndex(TypeSize.getQuantity()),
svalBuilder.getArrayIndexType()); svalBuilder.getArrayIndexType());
DefinedOrUnknownSVal extentMatchesSize = svalBuilder.evalEQ( DefinedOrUnknownSVal DynSizeMatchesSize = svalBuilder.evalEQ(
NoQUnsubmitted
Done
ReplyInline Actions

And here.

NoQ: And here.
State, Extent, SizeInBytes.castAs<DefinedOrUnknownSVal>()); State, DynSize, SizeInBytes.castAs<DefinedOrUnknownSVal>());
State = State->assume(extentMatchesSize, true); State = State->assume(DynSizeMatchesSize, true);
} }
return State; return State;
} }
void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE,
CheckerContext &C) const { CheckerContext &C) const {
if (!ChecksEnabled[CK_NewDeleteChecker]) if (!ChecksEnabled[CK_NewDeleteChecker])
▲ Show 20 LinesShow All 112 Lines▼ Show 20 LinesProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
// Set the region's extent equal to the Size parameter. // Set the region's extent equal to the Size parameter.
const SymbolicRegion *R = const SymbolicRegion *R =
dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion());
if (!R) if (!R)
return nullptr; return nullptr;
if (Optional<DefinedOrUnknownSVal> DefinedSize = if (Optional<DefinedOrUnknownSVal> DefinedSize =
Size.getAs<DefinedOrUnknownSVal>()) { Size.getAs<DefinedOrUnknownSVal>()) {
SValBuilder &svalBuilder = C.getSValBuilder(); DefinedOrUnknownSVal DynSize = getDynamicSize(State, R);
DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder);
DefinedOrUnknownSVal extentMatchesSize = DefinedOrUnknownSVal DynSizeMatchesSize =
svalBuilder.evalEQ(State, Extent, *DefinedSize); svalBuilder.evalEQ(State, DynSize, *DefinedSize);
NoQUnsubmitted
Done
ReplyInline Actions

And here.

NoQ: And here.
State = State->assume(extentMatchesSize, true); State = State->assume(DynSizeMatchesSize, true);
assert(State); assert(State);
} }
return MallocUpdateRefState(C, CE, State, Family); return MallocUpdateRefState(C, CE, State, Family);
} }
static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E, static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E,
ProgramStateRef State, ProgramStateRef State,
▲ Show 20 LinesShow All 1,871 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp

//=== VLASizeChecker.cpp - Undefined dereference checker --------*- C++ -*-===// //=== VLASizeChecker.cpp - Undefined dereference checker --------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This defines VLASizeChecker, a builtin check in ExprEngine that // This defines VLASizeChecker, a builtin check in ExprEngine that
// performs checks for declaration of VLA of undefined or zero size. // performs checks for declaration of VLA of undefined or zero size.
// In addition, VLASizeChecker is responsible for defining the extent // In addition, VLASizeChecker is responsible for defining the extent
// of the MemRegion that represents a VLA. // of the MemRegion that represents a VLA.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "Taint.h" #include "Taint.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/AST/CharUnits.h" #include "clang/AST/CharUnits.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace taint; using namespace taint;
▲ Show 20 LinesShow All 129 Lines▼ Show 20 Linesvoid VLASizeChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
// Get the element size. // Get the element size.
CharUnits EleSize = Ctx.getTypeSizeInChars(VLA->getElementType()); CharUnits EleSize = Ctx.getTypeSizeInChars(VLA->getElementType());
SVal EleSizeVal = svalBuilder.makeIntVal(EleSize.getQuantity(), SizeTy); SVal EleSizeVal = svalBuilder.makeIntVal(EleSize.getQuantity(), SizeTy);
// Multiply the array length by the element size. // Multiply the array length by the element size.
SVal ArraySizeVal = svalBuilder.evalBinOpNN( SVal ArraySizeVal = svalBuilder.evalBinOpNN(
state, BO_Mul, ArrayLength, EleSizeVal.castAs<NonLoc>(), SizeTy); state, BO_Mul, ArrayLength, EleSizeVal.castAs<NonLoc>(), SizeTy);
// Finally, assume that the array's extent matches the given size. // Finally, assume that the array's size matches the given size.
const LocationContext *LC = C.getLocationContext(); const LocationContext *LC = C.getLocationContext();
DefinedOrUnknownSVal Extent = DefinedOrUnknownSVal DynSize =
state->getRegion(VD, LC)->getExtent(svalBuilder); getDynamicSize(state, state->getRegion(VD, LC));
DefinedOrUnknownSVal ArraySize = ArraySizeVal.castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal ArraySize = ArraySizeVal.castAs<DefinedOrUnknownSVal>();
DefinedOrUnknownSVal sizeIsKnown = DefinedOrUnknownSVal sizeIsKnown =
svalBuilder.evalEQ(state, Extent, ArraySize); svalBuilder.evalEQ(state, DynSize, ArraySize);
NoQUnsubmitted
Done
ReplyInline Actions

And here.

NoQ: And here.
state = state->assume(sizeIsKnown, true); state = state->assume(sizeIsKnown, true);
// Assume should not fail at this point. // Assume should not fail at this point.
assert(state); assert(state);
// Remember our assumptions! // Remember our assumptions!
C.addTransition(state); C.addTransition(state);
} }
void ento::registerVLASizeChecker(CheckerManager &mgr) { void ento::registerVLASizeChecker(CheckerManager &mgr) {
mgr.registerChecker<VLASizeChecker>(); mgr.registerChecker<VLASizeChecker>();
} }
bool ento::shouldRegisterVLASizeChecker(const LangOptions &LO) { bool ento::shouldRegisterVLASizeChecker(const LangOptions &LO) {
return true; return true;
} }

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 352 Lines▼ Show 20 Linesclass NoStoreFuncVisitor final : public BugReporterVisitor {
/// stack frames along the path which write into the region of interest. /// stack frames along the path which write into the region of interest.
llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingRegion; llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingRegion;
llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingCalculated; llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingCalculated;
using RegionVector = SmallVector<const MemRegion *, 5>; using RegionVector = SmallVector<const MemRegion *, 5>;
public: public:
NoStoreFuncVisitor(const SubRegion *R, bugreporter::TrackingKind TKind) NoStoreFuncVisitor(const SubRegion *R, bugreporter::TrackingKind TKind)
: RegionOfInterest(R), MmrMgr(*R->getMemRegionManager()), : RegionOfInterest(R), MmrMgr(R->getMemRegionManager()),
SM(MmrMgr.getContext().getSourceManager()), SM(MmrMgr.getContext().getSourceManager()),
PP(MmrMgr.getContext().getPrintingPolicy()), TKind(TKind) {} PP(MmrMgr.getContext().getPrintingPolicy()), TKind(TKind) {}
void Profile(llvm::FoldingSetNodeID &ID) const override { void Profile(llvm::FoldingSetNodeID &ID) const override {
static int Tag = 0; static int Tag = 0;
ID.AddPointer(&Tag); ID.AddPointer(&Tag);
ID.AddPointer(RegionOfInterest); ID.AddPointer(RegionOfInterest);
} }
▲ Show 20 LinesShow All 2,539 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/CMakeLists.txt

Show All 10 Linesadd_clang_library(clangStaticAnalyzerCore
CallEvent.cpp CallEvent.cpp
Checker.cpp Checker.cpp
CheckerContext.cpp CheckerContext.cpp
CheckerHelpers.cpp CheckerHelpers.cpp
CheckerManager.cpp CheckerManager.cpp
CommonBugCategories.cpp CommonBugCategories.cpp
ConstraintManager.cpp ConstraintManager.cpp
CoreEngine.cpp CoreEngine.cpp
DynamicSize.cpp
DynamicType.cpp DynamicType.cpp
Environment.cpp Environment.cpp
ExplodedGraph.cpp ExplodedGraph.cpp
ExprEngine.cpp ExprEngine.cpp
ExprEngineC.cpp ExprEngineC.cpp
ExprEngineCXX.cpp ExprEngineCXX.cpp
ExprEngineCallAndReturn.cpp ExprEngineCallAndReturn.cpp
ExprEngineObjC.cpp ExprEngineObjC.cpp
Show All 33 Lines

clang/lib/StaticAnalyzer/Core/DynamicSize.cpp

  • This file was added.
//===- DynamicSize.cpp - Dynamic size related APIs --------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines APIs that track and query dynamic size information.
//
//===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
REGISTER_MAP_WITH_PROGRAMSTATE(DynamicSizeMap, const clang::ento::MemRegion *,
clang::ento::DefinedOrUnknownSVal)
namespace clang {
namespace ento {
DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State,
const MemRegion *MR) {
if (const DefinedOrUnknownSVal *Size = State->get<DynamicSizeMap>(MR))
return *Size;
NoQUnsubmitted
Done
ReplyInline Actions

For now the map is always empty, right? Maybe we should remove the map until we actually add a setter.

NoQ: For now the map is always empty, right? Maybe we should remove the map until we actually add a…
return MR->getMemRegionManager().getStaticSize(MR);
}
} // namespace ento
} // namespace clang

clang/lib/StaticAnalyzer/Core/MemRegion.cpp

Show First 20 LinesShow All 136 Lines▼ Show 20 Lines do {
if (const auto *sr = dyn_cast<SubRegion>(r)) if (const auto *sr = dyn_cast<SubRegion>(r))
r = sr->getSuperRegion(); r = sr->getSuperRegion();
else else
break; break;
} while (r != nullptr); } while (r != nullptr);
return false; return false;
} }
MemRegionManager* SubRegion::getMemRegionManager() const { MemRegionManager &SubRegion::getMemRegionManager() const {
const SubRegion* r = this; const SubRegion* r = this;
do { do {
const MemRegion *superRegion = r->getSuperRegion(); const MemRegion *superRegion = r->getSuperRegion();
if (const auto *sr = dyn_cast<SubRegion>(superRegion)) { if (const auto *sr = dyn_cast<SubRegion>(superRegion)) {
r = sr; r = sr;
continue; continue;
} }
return superRegion->getMemRegionManager(); return superRegion->getMemRegionManager();
} while (true); } while (true);
} }
const StackFrameContext *VarRegion::getStackFrame() const { const StackFrameContext *VarRegion::getStackFrame() const {
const auto *SSR = dyn_cast<StackSpaceRegion>(getMemorySpace()); const auto *SSR = dyn_cast<StackSpaceRegion>(getMemorySpace());
return SSR ? SSR->getStackFrame() : nullptr; return SSR ? SSR->getStackFrame() : nullptr;
} }
//===----------------------------------------------------------------------===//
// Region extents.
//===----------------------------------------------------------------------===//
DefinedOrUnknownSVal TypedValueRegion::getExtent(SValBuilder &svalBuilder) const {
ASTContext &Ctx = svalBuilder.getContext();
QualType T = getDesugaredValueType(Ctx);
if (isa<VariableArrayType>(T))
return nonloc::SymbolVal(svalBuilder.getSymbolManager().getExtentSymbol(this));
if (T->isIncompleteType())
return UnknownVal();
CharUnits size = Ctx.getTypeSizeInChars(T);
QualType sizeTy = svalBuilder.getArrayIndexType();
return svalBuilder.makeIntVal(size.getQuantity(), sizeTy);
}
DefinedOrUnknownSVal FieldRegion::getExtent(SValBuilder &svalBuilder) const {
// Force callers to deal with bitfields explicitly.
if (getDecl()->isBitField())
return UnknownVal();
DefinedOrUnknownSVal Extent = DeclRegion::getExtent(svalBuilder);
// A zero-length array at the end of a struct often stands for dynamically-
// allocated extra memory.
if (Extent.isZeroConstant()) {
QualType T = getDesugaredValueType(svalBuilder.getContext());
if (isa<ConstantArrayType>(T))
return UnknownVal();
}
return Extent;
}
DefinedOrUnknownSVal AllocaRegion::getExtent(SValBuilder &svalBuilder) const {
return nonloc::SymbolVal(svalBuilder.getSymbolManager().getExtentSymbol(this));
}
DefinedOrUnknownSVal SymbolicRegion::getExtent(SValBuilder &svalBuilder) const {
return nonloc::SymbolVal(svalBuilder.getSymbolManager().getExtentSymbol(this));
}
DefinedOrUnknownSVal StringRegion::getExtent(SValBuilder &svalBuilder) const {
return svalBuilder.makeIntVal(getStringLiteral()->getByteLength()+1,
svalBuilder.getArrayIndexType());
}
ObjCIvarRegion::ObjCIvarRegion(const ObjCIvarDecl *ivd, const SubRegion *sReg) ObjCIvarRegion::ObjCIvarRegion(const ObjCIvarDecl *ivd, const SubRegion *sReg)
: DeclRegion(ivd, sReg, ObjCIvarRegionKind) {} : DeclRegion(ivd, sReg, ObjCIvarRegionKind) {}
const ObjCIvarDecl *ObjCIvarRegion::getDecl() const { const ObjCIvarDecl *ObjCIvarRegion::getDecl() const {
return cast<ObjCIvarDecl>(D); return cast<ObjCIvarDecl>(D);
} }
QualType ObjCIvarRegion::getValueType() const { QualType ObjCIvarRegion::getValueType() const {
▲ Show 20 LinesShow All 492 Lines▼ Show 20 LinesSourceRange MemRegion::sourceRange() const {
else else
return {}; return {};
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// MemRegionManager methods. // MemRegionManager methods.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static DefinedOrUnknownSVal getTypeSize(QualType Ty, ASTContext &Ctx,
SValBuilder &SVB) {
CharUnits Size = Ctx.getTypeSizeInChars(Ty);
QualType SizeTy = SVB.getArrayIndexType();
return SVB.makeIntVal(Size.getQuantity(), SizeTy);
}
DefinedOrUnknownSVal
MemRegionManager::getStaticSize(const MemRegion *MR) const {
const auto *SR = cast<SubRegion>(MR);
switch (SR->getKind()) {
case MemRegion::AllocaRegionKind:
case MemRegion::SymbolicRegionKind:
return nonloc::SymbolVal(SymMgr.getExtentSymbol(SR));
case MemRegion::StringRegionKind:
return SVB.makeIntVal(
cast<StringRegion>(SR)->getStringLiteral()->getByteLength() + 1,
SVB.getArrayIndexType());
case MemRegion::BlockDataRegionKind:
case MemRegion::BlockCodeRegionKind:
case MemRegion::FunctionCodeRegionKind: {
QualType Ty = cast<TypedRegion>(SR)->getDesugaredLocationType(Ctx);
return getTypeSize(Ty, Ctx, SVB);
NoQUnsubmitted
Done
ReplyInline Actions

This code doesn't make much sense; it'll return a pointer size, which has nothing to do with the size of the region.

NoQ: This code doesn't make much sense; it'll return a pointer size, which has nothing to do with…
}
case MemRegion::CompoundLiteralRegionKind:
case MemRegion::CXXBaseObjectRegionKind:
case MemRegion::CXXDerivedObjectRegionKind:
case MemRegion::CXXTempObjectRegionKind:
case MemRegion::CXXThisRegionKind:
case MemRegion::ObjCIvarRegionKind:
case MemRegion::VarRegionKind:
case MemRegion::ElementRegionKind:
case MemRegion::ObjCStringRegionKind: {
QualType Ty = cast<TypedValueRegion>(SR)->getDesugaredValueType(Ctx);
if (isa<VariableArrayType>(Ty))
return nonloc::SymbolVal(SymMgr.getExtentSymbol(SR));
if (Ty->isIncompleteType())
return UnknownVal();
return getTypeSize(Ty, Ctx, SVB);
}
case MemRegion::FieldRegionKind: {
// Force callers to deal with bitfields explicitly.
if (cast<FieldRegion>(SR)->getDecl()->isBitField())
return UnknownVal();
QualType Ty = cast<TypedValueRegion>(SR)->getDesugaredValueType(Ctx);
DefinedOrUnknownSVal Size = getTypeSize(Ty, Ctx, SVB);
// A zero-length array at the end of a struct often stands for dynamically
// allocated extra memory.
if (Size.isZeroConstant()) {
if (isa<ConstantArrayType>(Ty))
return UnknownVal();
}
return Size;
}
default:
llvm_unreachable("Unhandled region");
}
}
template <typename REG> template <typename REG>
const REG *MemRegionManager::LazyAllocate(REG*& region) { const REG *MemRegionManager::LazyAllocate(REG*& region) {
if (!region) { if (!region) {
region = A.Allocate<REG>(); region = A.Allocate<REG>();
new (region) REG(this); new (region) REG(*this);
} }
return region; return region;
} }
template <typename REG, typename ARG> template <typename REG, typename ARG>
const REG *MemRegionManager::LazyAllocate(REG*& region, ARG a) { const REG *MemRegionManager::LazyAllocate(REG*& region, ARG a) {
if (!region) { if (!region) {
region = A.Allocate<REG>(); region = A.Allocate<REG>();
new (region) REG(this, a); new (region) REG(this, a);
} }
return region; return region;
} }
const StackLocalsSpaceRegion* const StackLocalsSpaceRegion*
MemRegionManager::getStackLocalsRegion(const StackFrameContext *STC) { MemRegionManager::getStackLocalsRegion(const StackFrameContext *STC) {
assert(STC); assert(STC);
StackLocalsSpaceRegion *&R = StackLocalsSpaceRegions[STC]; StackLocalsSpaceRegion *&R = StackLocalsSpaceRegions[STC];
if (R) if (R)
return R; return R;
R = A.Allocate<StackLocalsSpaceRegion>(); R = A.Allocate<StackLocalsSpaceRegion>();
new (R) StackLocalsSpaceRegion(this, STC); new (R) StackLocalsSpaceRegion(*this, STC);
return R; return R;
} }
const StackArgumentsSpaceRegion * const StackArgumentsSpaceRegion *
MemRegionManager::getStackArgumentsRegion(const StackFrameContext *STC) { MemRegionManager::getStackArgumentsRegion(const StackFrameContext *STC) {
assert(STC); assert(STC);
StackArgumentsSpaceRegion *&R = StackArgumentsSpaceRegions[STC]; StackArgumentsSpaceRegion *&R = StackArgumentsSpaceRegions[STC];
if (R) if (R)
return R; return R;
R = A.Allocate<StackArgumentsSpaceRegion>(); R = A.Allocate<StackArgumentsSpaceRegion>();
new (R) StackArgumentsSpaceRegion(this, STC); new (R) StackArgumentsSpaceRegion(*this, STC);
return R; return R;
} }
const GlobalsSpaceRegion const GlobalsSpaceRegion
*MemRegionManager::getGlobalsRegion(MemRegion::Kind K, *MemRegionManager::getGlobalsRegion(MemRegion::Kind K,
const CodeTextRegion *CR) { const CodeTextRegion *CR) {
if (!CR) { if (!CR) {
if (K == MemRegion::GlobalSystemSpaceRegionKind) if (K == MemRegion::GlobalSystemSpaceRegionKind)
return LazyAllocate(SystemGlobals); return LazyAllocate(SystemGlobals);
if (K == MemRegion::GlobalImmutableSpaceRegionKind) if (K == MemRegion::GlobalImmutableSpaceRegionKind)
return LazyAllocate(ImmutableGlobals); return LazyAllocate(ImmutableGlobals);
assert(K == MemRegion::GlobalInternalSpaceRegionKind); assert(K == MemRegion::GlobalInternalSpaceRegionKind);
return LazyAllocate(InternalGlobals); return LazyAllocate(InternalGlobals);
} }
assert(K == MemRegion::StaticGlobalSpaceRegionKind); assert(K == MemRegion::StaticGlobalSpaceRegionKind);
StaticGlobalSpaceRegion *&R = StaticsGlobalSpaceRegions[CR]; StaticGlobalSpaceRegion *&R = StaticsGlobalSpaceRegions[CR];
if (R) if (R)
return R; return R;
R = A.Allocate<StaticGlobalSpaceRegion>(); R = A.Allocate<StaticGlobalSpaceRegion>();
new (R) StaticGlobalSpaceRegion(this, CR); new (R) StaticGlobalSpaceRegion(*this, CR);
return R; return R;
} }
const HeapSpaceRegion *MemRegionManager::getHeapRegion() { const HeapSpaceRegion *MemRegionManager::getHeapRegion() {
return LazyAllocate(heap); return LazyAllocate(heap);
} }
const UnknownSpaceRegion *MemRegionManager::getUnknownRegion() { const UnknownSpaceRegion *MemRegionManager::getUnknownRegion() {
▲ Show 20 LinesShow All 52 Lines▼ Show 20 Lines
const VarRegion* MemRegionManager::getVarRegion(const VarDecl *D, const VarRegion* MemRegionManager::getVarRegion(const VarDecl *D,
const LocationContext *LC) { const LocationContext *LC) {
D = D->getCanonicalDecl(); D = D->getCanonicalDecl();
const MemRegion *sReg = nullptr; const MemRegion *sReg = nullptr;
if (D->hasGlobalStorage() && !D->isStaticLocal()) { if (D->hasGlobalStorage() && !D->isStaticLocal()) {
// First handle the globals defined in system headers. // First handle the globals defined in system headers.
if (C.getSourceManager().isInSystemHeader(D->getLocation())) { if (Ctx.getSourceManager().isInSystemHeader(D->getLocation())) {
// Whitelist the system globals which often DO GET modified, assume the // Whitelist the system globals which often DO GET modified, assume the
// rest are immutable. // rest are immutable.
if (D->getName().find("errno") != StringRef::npos) if (D->getName().find("errno") != StringRef::npos)
sReg = getGlobalsRegion(MemRegion::GlobalSystemSpaceRegionKind); sReg = getGlobalsRegion(MemRegion::GlobalSystemSpaceRegionKind);
else else
sReg = getGlobalsRegion(MemRegion::GlobalImmutableSpaceRegionKind); sReg = getGlobalsRegion(MemRegion::GlobalImmutableSpaceRegionKind);
// Treat other globals as GlobalInternal unless they are constants. // Treat other globals as GlobalInternal unless they are constants.
▲ Show 20 LinesShow All 47 Lines▼ Show 20 Lines if (!STC) {
T = TSI->getType(); T = TSI->getType();
if (T.isNull()) if (T.isNull())
T = getContext().VoidTy; T = getContext().VoidTy;
if (!T->getAs<FunctionType>()) if (!T->getAs<FunctionType>())
T = getContext().getFunctionNoProtoType(T); T = getContext().getFunctionNoProtoType(T);
T = getContext().getBlockPointerType(T); T = getContext().getBlockPointerType(T);
const BlockCodeRegion *BTR = const BlockCodeRegion *BTR =
getBlockCodeRegion(BD, C.getCanonicalType(T), getBlockCodeRegion(BD, Ctx.getCanonicalType(T),
STC->getAnalysisDeclContext()); STC->getAnalysisDeclContext());
sReg = getGlobalsRegion(MemRegion::StaticGlobalSpaceRegionKind, sReg = getGlobalsRegion(MemRegion::StaticGlobalSpaceRegionKind,
BTR); BTR);
} }
else { else {
sReg = getGlobalsRegion(); sReg = getGlobalsRegion();
} }
} }
▲ Show 20 LinesShow All 545 Lines▼ Show 20 Lines
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// BlockDataRegion // BlockDataRegion
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
std::pair<const VarRegion *, const VarRegion *> std::pair<const VarRegion *, const VarRegion *>
BlockDataRegion::getCaptureRegions(const VarDecl *VD) { BlockDataRegion::getCaptureRegions(const VarDecl *VD) {
MemRegionManager &MemMgr = *getMemRegionManager(); MemRegionManager &MemMgr = getMemRegionManager();
const VarRegion *VR = nullptr; const VarRegion *VR = nullptr;
const VarRegion *OriginalVR = nullptr; const VarRegion *OriginalVR = nullptr;
if (!VD->hasAttr<BlocksAttr>() && VD->hasLocalStorage()) { if (!VD->hasAttr<BlocksAttr>() && VD->hasLocalStorage()) {
VR = MemMgr.getVarRegion(VD, this); VR = MemMgr.getVarRegion(VD, this);
OriginalVR = MemMgr.getVarRegion(VD, LC); OriginalVR = MemMgr.getVarRegion(VD, LC);
} }
else { else {
Show All 18 Linesvoid BlockDataRegion::LazyInitializeReferencedVars() {
auto NumBlockVars = auto NumBlockVars =
std::distance(ReferencedBlockVars.begin(), ReferencedBlockVars.end()); std::distance(ReferencedBlockVars.begin(), ReferencedBlockVars.end());
if (NumBlockVars == 0) { if (NumBlockVars == 0) {
ReferencedVars = (void*) 0x1; ReferencedVars = (void*) 0x1;
return; return;
} }
MemRegionManager &MemMgr = *getMemRegionManager(); MemRegionManager &MemMgr = getMemRegionManager();
llvm::BumpPtrAllocator &A = MemMgr.getAllocator(); llvm::BumpPtrAllocator &A = MemMgr.getAllocator();
BumpVectorContext BC(A); BumpVectorContext BC(A);
using VarVec = BumpVector<const MemRegion *>; using VarVec = BumpVector<const MemRegion *>;
auto *BV = A.Allocate<VarVec>(); auto *BV = A.Allocate<VarVec>();
new (BV) VarVec(BC, NumBlockVars); new (BV) VarVec(BC, NumBlockVars);
auto *BVOriginal = A.Allocate<VarVec>(); auto *BVOriginal = A.Allocate<VarVec>();
▲ Show 20 LinesShow All 99 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/RegionStore.cpp

Show All 17 Lines
#include "clang/AST/CharUnits.h" #include "clang/AST/CharUnits.h"
#include "clang/ASTMatchers/ASTMatchFinder.h" #include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/Analysis/Analyses/LiveVariables.h" #include "clang/Analysis/Analyses/LiveVariables.h"
#include "clang/Analysis/AnalysisDeclContext.h" #include "clang/Analysis/AnalysisDeclContext.h"
#include "clang/Basic/JsonSupport.h" #include "clang/Basic/JsonSupport.h"
#include "clang/Basic/TargetInfo.h" #include "clang/Basic/TargetInfo.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SubEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SubEngine.h"
#include "llvm/ADT/ImmutableMap.h" #include "llvm/ADT/ImmutableMap.h"
#include "llvm/ADT/Optional.h" #include "llvm/ADT/Optional.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
#include <utility> #include <utility>
▲ Show 20 LinesShow All 837 Lines▼ Show 20 LinescollectSubRegionBindings(SmallVectorImpl<BindingPair> &Bindings,
if (TopKey.hasSymbolicOffset()) { if (TopKey.hasSymbolicOffset()) {
getSymbolicOffsetFields(TopKey, FieldsInSymbolicSubregions); getSymbolicOffsetFields(TopKey, FieldsInSymbolicSubregions);
Top = TopKey.getConcreteOffsetRegion(); Top = TopKey.getConcreteOffsetRegion();
TopKey = BindingKey::Make(Top, BindingKey::Default); TopKey = BindingKey::Make(Top, BindingKey::Default);
} }
// Find the length (in bits) of the region being invalidated. // Find the length (in bits) of the region being invalidated.
uint64_t Length = UINT64_MAX; uint64_t Length = UINT64_MAX;
SVal Extent = Top->getExtent(SVB); SVal Extent = Top->getMemRegionManager().getStaticSize(Top);
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

That is why the static size information needs to be obtainable by a manager, which seems like a design problem from the very beginning.

Charusso: That is why the static size information needs to be obtainable by a manager, which seems like a…
if (Optional<nonloc::ConcreteInt> ExtentCI = if (Optional<nonloc::ConcreteInt> ExtentCI =
Extent.getAs<nonloc::ConcreteInt>()) { Extent.getAs<nonloc::ConcreteInt>()) {
const llvm::APSInt &ExtentInt = ExtentCI->getValue(); const llvm::APSInt &ExtentInt = ExtentCI->getValue();
assert(ExtentInt.isNonNegative() || ExtentInt.isUnsigned()); assert(ExtentInt.isNonNegative() || ExtentInt.isUnsigned());
// Extents are in bytes but region offsets are in bits. Be careful! // Extents are in bytes but region offsets are in bits. Be careful!
Length = ExtentInt.getLimitedValue() * SVB.getContext().getCharWidth(); Length = ExtentInt.getLimitedValue() * SVB.getContext().getCharWidth();
} else if (const FieldRegion *FR = dyn_cast<FieldRegion>(Top)) { } else if (const FieldRegion *FR = dyn_cast<FieldRegion>(Top)) {
if (FR->getDecl()->isBitField()) if (FR->getDecl()->isBitField())
▲ Show 20 LinesShow All 501 Lines▼ Show 20 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Extents for regions. // Extents for regions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
DefinedOrUnknownSVal DefinedOrUnknownSVal
RegionStoreManager::getSizeInElements(ProgramStateRef state, RegionStoreManager::getSizeInElements(ProgramStateRef state,
const MemRegion *R, const MemRegion *R,
QualType EleTy) { QualType EleTy) {
SVal Size = cast<SubRegion>(R)->getExtent(svalBuilder); DefinedOrUnknownSVal Size = getDynamicSize(state, R);
const llvm::APSInt *SizeInt = svalBuilder.getKnownValue(state, Size); const llvm::APSInt *SizeInt = svalBuilder.getKnownValue(state, Size);
if (!SizeInt) if (!SizeInt)
return UnknownVal(); return UnknownVal();
CharUnits RegionSize = CharUnits::fromQuantity(SizeInt->getSExtValue()); CharUnits RegionSize = CharUnits::fromQuantity(SizeInt->getSExtValue());
if (Ctx.getAsVariableArrayType(EleTy)) { if (Ctx.getAsVariableArrayType(EleTy)) {
// FIXME: We need to track extra state to properly record the size // FIXME: We need to track extra state to properly record the size
▲ Show 20 LinesShow All 1,284 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp

Show First 20 LinesShow All 149 Lines▼ Show 20 Lines switch (val.getSubKind()) {
case loc::MemRegionValKind: { case loc::MemRegionValKind: {
const MemRegion *R = val.castAs<loc::MemRegionVal>().getRegion(); const MemRegion *R = val.castAs<loc::MemRegionVal>().getRegion();
if (const FunctionCodeRegion *FTR = dyn_cast<FunctionCodeRegion>(R)) if (const FunctionCodeRegion *FTR = dyn_cast<FunctionCodeRegion>(R))
if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FTR->getDecl())) if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FTR->getDecl()))
if (FD->isWeak()) if (FD->isWeak())
// FIXME: Currently we are using an extent symbol here, // FIXME: Currently we are using an extent symbol here,
// because there are no generic region address metadata // because there are no generic region address metadata
// symbols to use, only content metadata. // symbols to use, only content metadata.
return nonloc::SymbolVal(SymMgr.getExtentSymbol(FTR)); return FTR->getMemRegionManager().getStaticSize(FTR);
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

That is the breaking test's code, which is super wonky. I cannot understand what is the rational behind this concept.

Charusso: That is the breaking test's code, which is super wonky. I cannot understand what is the…
NoQUnsubmitted
Done
ReplyInline Actions

Your new code would return a concrete integer here:

case MemRegion::FunctionCodeRegionKind: {
  QualType Ty = cast<TypedRegion>(SR)->getDesugaredLocationType(Ctx);
  return getTypeSize(Ty, Ctx, SVB);
}

Previously it was a symbol.

That said, the original code looks like a super gross hack: they used an extent symbol not because they actually needed an extent, but because they didn't have a better symbol to use :/ I guess you should just keep the extent symbol for now :/

NoQ: Your new code would return a concrete integer here: ```lang=c++ case MemRegion…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

I see, that was really missing, whoops. Thanks!

Charusso: I see, that was really missing, whoops. Thanks!
NoQUnsubmitted
Done
ReplyInline Actions

Let's keep the hack here, not move it to the region manager. I.e., please create SymbolExtent here directly and then separately keep creating it in getStaticSize(). I.e., don't reuse the code when it isn't supposed to behave identically, even if right now it accidentally does behave identically.

NoQ: Let's keep the hack here, not move it to the region manager. I.e., please create `SymbolExtent`…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Ah, yes, it makes sense. In my mind they are connecting even in fixing them.

Charusso: Ah, yes, it makes sense. In my mind they are connecting even in fixing them.
if (const SymbolicRegion *SymR = R->getSymbolicBase()) if (const SymbolicRegion *SymR = R->getSymbolicBase())
return makeNonLoc(SymR->getSymbol(), BO_NE, return makeNonLoc(SymR->getSymbol(), BO_NE,
BasicVals.getZeroWithPtrWidth(), castTy); BasicVals.getZeroWithPtrWidth(), castTy);
// FALL-THROUGH // FALL-THROUGH
LLVM_FALLTHROUGH; LLVM_FALLTHROUGH;
} }
▲ Show 20 LinesShow All 1,184 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/SymbolManager.cpp

Show First 20 LinesShow All 323 Lines▼ Show 20 LinesQualType SymbolConjured::getType() const {
return T; return T;
} }
QualType SymbolDerived::getType() const { QualType SymbolDerived::getType() const {
return R->getValueType(); return R->getValueType();
} }
QualType SymbolExtent::getType() const { QualType SymbolExtent::getType() const {
ASTContext &Ctx = R->getMemRegionManager()->getContext(); ASTContext &Ctx = R->getMemRegionManager().getContext();
return Ctx.getSizeType(); return Ctx.getSizeType();
} }
QualType SymbolMetadata::getType() const { QualType SymbolMetadata::getType() const {
return T; return T;
} }
QualType SymbolRegionValue::getType() const { QualType SymbolRegionValue::getType() const {
▲ Show 20 LinesShow All 230 LinesShow Last 20 Lines

clang/test/Analysis/weak-functions.c

// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core,debug.ExprInspection,unix.Malloc,unix.cstring,alpha.unix.cstring,unix.API,osx.API,osx.cocoa.RetainCount -Wno-null-dereference -Wno-tautological-compare -analyzer-store=region -fblocks -verify -analyzer-config eagerly-assume=false %s // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core,debug.ExprInspection,unix.Malloc,unix.cstring,alpha.unix.cstring,unix.API,osx.API,osx.cocoa.RetainCount -Wno-null-dereference -Wno-tautological-compare -analyzer-store=region -fblocks -verify -analyzer-config eagerly-assume=false %s
#define NULL 0 #define NULL 0
void clang_analyzer_eval(int); void clang_analyzer_eval(int);
void myFunc(); void myFunc();
void myWeakFunc() __attribute__((weak_import)); void myWeakFunc() __attribute__((weak_import));
void testWeakFuncIsNull() void testWeakFuncIsNull()
{ {
clang_analyzer_eval(myFunc == NULL); // expected-warning{{FALSE}} clang_analyzer_eval(myFunc == NULL); // expected-warning{{FALSE}}
clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{UNKNOWN}} clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{FALSE}}
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

I have literally copy-pasted the implementation of getExtent(), so I could not figured out why this test has been changed.

Charusso: I have literally copy-pasted the implementation of `getExtent()`, so I could not figured out…
if (myWeakFunc == NULL) { if (myWeakFunc == NULL) {
clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{TRUE}} clang_analyzer_eval(myWeakFunc == NULL); // no-warning
} else { } else {
clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{FALSE}} clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{FALSE}}
} }
} }
void testWeakFuncIsNot() void testWeakFuncIsNot()
{ {
clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{UNKNOWN}} clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{FALSE}}
if (!myWeakFunc) { if (!myWeakFunc) {
clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{TRUE}} clang_analyzer_eval(myWeakFunc == NULL); // no-warning
} else { } else {
clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{FALSE}} clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{FALSE}}
} }
} }
void testWeakFuncIsTrue() void testWeakFuncIsTrue()
{ {
clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{UNKNOWN}} clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{FALSE}}
if (myWeakFunc) { if (myWeakFunc) {
clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{FALSE}} clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{FALSE}}
} else { } else {
clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{TRUE}} clang_analyzer_eval(myWeakFunc == NULL); // no-warning
} }
} }
//===----------------------------------------------------------------------=== //===----------------------------------------------------------------------===
// func.c // func.c
//===----------------------------------------------------------------------=== //===----------------------------------------------------------------------===
void f(void) __attribute__((weak_import)); void f(void) __attribute__((weak_import));
void g(void (*fp)(void)) __attribute__((weak_import)); void g(void (*fp)(void)) __attribute__((weak_import));
▲ Show 20 LinesShow All 75 LinesShow Last 20 Lines