This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
include/clang/
-
clang/
-
AST/
-
ASTTypeTraits.h
-
ASTMatchers/
1/8
ASTMatchers.h
-
ASTMatchersInternal.h
-
StaticAnalyzer/Checkers/
-
Checkers/
1
Checkers.td
-
lib/
-
AST/
-
ASTTypeTraits.cpp
-
ASTMatchers/
-
ASTMatchFinder.cpp
-
ASTMatchersInternal.cpp
-
StaticAnalyzer/Checkers/
-
Checkers/
-
CMakeLists.txt
-
WebKit/
-
ASTUtils.h
-
ASTUtils.cpp
-
DiagOutputUtils.h
4
NoUncountedMembersChecker.cpp
-
PtrTypesSemantics.h
-
PtrTypesSemantics.cpp
-
RefCntblBaseVirtualDtorChecker.cpp
-
test/Analysis/Checkers/WebKit/
-
Analysis/
-
Checkers/
-
WebKit/
-
mock-types.h
-
ref-cntbl-base-virtual-dtor-templates.cpp
-
ref-cntbl-base-virtual-dtor.cpp
-
uncounted-members.cpp
-
unittests/ASTMatchers/
-
ASTMatchers/
-
ASTMatchersNodeTest.cpp

Differential D78165

[WIP][Analyzer] Rewrite WebKit checkers to use ASTMatchers
AbandonedPublic

Authored by jkorous on Apr 14 2020, 3:56 PM.

Download Raw Diff

Details

Reviewers

NoQ
vsavchenko

Diff Detail

Event Timeline

jkorous created this revision.Apr 14 2020, 3:56 PM

Herald added subscribers: ASDenysPetrov, martong, Charusso and 10 others. · View Herald TranscriptApr 14 2020, 3:56 PM

Hi Artem,

I rewrote the first two WebKit checkers: https://reviews.llvm.org/D77177 & https://reviews.llvm.org/D77178

It took me way more time than I expected and at this point I don't think that using matchers here is a net benefit.
Unless you tell me I'm holding it wrong or you and/or other analyzer folks feel strongly about this I'd rather use visitors :-(

The specific reasons why I'd prefer visitors are:

Debug-ability. Especially false negatives (i. e. things that I'd like the matcher to match but it doesn't) are just so much harder to debug with matchers. I usually ended up just bisecting the matcher and iteratively recompiling and rerunning tests. I assume this largely predicts how maintenance of the checkers will be.
(I might be just ignorant about this.) Less expressive power with currently implemented matchers. I have couple issues I haven't been able to solve:
- How to write a matcher that is filtering on parent AST nodes and matching children nodes without having to traverse the AST in children-to-parents direction. Example: for any function that has parameters of type pointer to ref-countable type that is called with "unsafe" arguments I'd like to match ALL the arguments so I can produce warnings.
  
  IIUC the matcher needs to start from arguments (Expr), traverse up to the CallExpr and potentially down again to find callee and parameter types. While the traversal matcher for the parent-to-children direction are mostly implemented (e. g. forEachArgumentWithParam), I don't see any that would have semantics specific enough so I could use it here (hasParent won't help much).
  
  Also - running the matcher on every Expr sounds more expensive then just running a visitor callback on CallExpr-s.
- Some of the checks are basically matching "an arbitrary sequence of AST nodes from a given set followed by a specific kind of node". Again, maybe I just missed this but I don't know how to express this with matchers.
- Implementation of some of the checkers is a simple DAG rather than a tree in the sense that for certain branches the logic is identical. IIUC checkers are always trees. I could probably just use variables and place them to relevant nodes in the tree to avoid duplicating the logic but it still doesn't feel very natural. I would prefer to not mix matchers and visitors within WebKit checkers - not only because I would like to avoid having duplicate implementations of semantic model of WebKit smart pointers.
While I personally like declarative style I am not fully convinced that matchers are more readable than just a simple visitor callback implementation esp. within clang codebase context.
The macros and variadic templates in matchers implementation lead to pretty terrible compiler error messages.

All in all the only clear benefits of replacing visitors with matchers I see are:

having less code (although with the matcher callback boilerplate not that much less)
side-effect of new matchers being available for other people

IMO that's less than the costs.

jkorous retitled this revision from [WIP][Analyzer] Rewrite WebKit checks to use ASTMatchers to [WIP][Analyzer] Rewrite WebKit checkers to use ASTMatchers.Apr 14 2020, 5:07 PM

+Valeriy, our new guy who already knows a lot about matchers :)

Hmm, can we have code side-by-side, i.e. a patch that changes from a visitor-based implementation to a matcher-based implementation? It'll be much easier to reason about readability changes this way.

Debug-ability. Especially false negatives (i. e. things that I'd like the matcher to match but it doesn't) are just so much harder to debug with matchers. I usually ended up just bisecting the matcher and iteratively recompiling and rerunning tests. I assume this largely predicts how maintenance of the checkers will be.
(...)
The macros and variadic templates in matchers implementation lead to pretty terrible compiler error messages.

This was my early experience as well but this quickly gets better as you gather more intuition.

I could probably just use variables and place them to relevant nodes in the tree to avoid duplicating the logic but it still doesn't feel very natural.

This is the natural, intended way of doing things. Put common sub-matchers into variables and re-use them when they otherwise get duplicated. Putting matcher into a variable also has a perk of being able to give the matcher a descriptive name, making it easier to read the code that uses it. I also don't think there's any unreasonable performance cost associated with it.

There's a separate story where you want the matched sub-trees to actually be the same node, as opposed to merely matching the same matcher; you can achieve it with equalsBoundNode().

How to write a matcher that is filtering on parent AST nodes and matching children nodes without having to traverse the AST in children-to-parents direction. Example: for any function that has parameters of type pointer to ref-countable type that is called with "unsafe" arguments I'd like to match ALL the arguments so I can produce warnings.

Hmm, i don't understand what the problem is, i.e. what prevents you from starting with callExpr(...) and putting all the checks inside it in a top-down manner?

Some of the checks are basically matching "an arbitrary sequence of AST nodes from a given set followed by a specific kind of node". Again, maybe I just missed this but I don't know how to express this with matchers.

You mean something like IgnoreImpCasts() but ignore something else instead? There's probably no out-of-the-box solution indeed, might need a custom matcher a-la ignoreImpCasts().

While I personally like declarative style I am not fully convinced that matchers are more readable than just a simple visitor callback implementation esp. within clang codebase context.

Another good thing about matchers is that because matchers are less omnipotent, it's immediately obvious by looking at the code whether it does something normal or does something weird. Most of the time it's immediately clear how the tree is traversed. Having arbitrary C++ in any visitor callback gives me a lot of reader anxiety :)

clang/lib/StaticAnalyzer/Checkers/WebKit/NoUncountedMembersChecker.cpp
46	A lot of these `allOf()` can be omitted because they're implied when you stuff multiple matchers into one matcher.

Hi Jan,

Debug-ability. Especially false negatives (i. e. things that I'd like the matcher to match but it doesn't) are just so much harder to debug with matchers. I usually ended up just bisecting the matcher and iteratively recompiling and rerunning tests. I assume this largely predicts how maintenance of the checkers will be.

If you are not debugging your own new matchers (or you know that the problem is not there), there is a good utility tool called clang-query. I think you might save plenty of time recompiling your code by simply trying matchers there first.

I'm with Artem (@NoQ) on writing ASTMatchers instead of Visitors.

clang/include/clang/ASTMatchers/ASTMatchers.h
2846	There is some sort of naming convention for matchers like this: `hasAny*`, so I suggest `hasAnyBase` here.
2849	I don't really see why that should be done in the `Finder`. The whole matcher can look simply like this: // Forward declarations don't have bases and we'll crash if we ask for those. if (!Node.isThisDeclarationADefinition()) return false; return matchesFirstInRange(InnerMatcher, Node.bases_begin(), Node.bases_end(), Finder, Builder); NOTE: when dealing with lists of things we should be particularly careful with the `Builder` and bindings from the inner matcher. So it's good to use `matchesFirstInRange` that takes care of this problem for you.
2855	Here you already _declared_ `Node` as `CXXBaseSpecifier`. There is no need to cast (and especially `dyn_cast`) in the matcher's body. The same applies to other matchers.
2856	Because this matcher already accepts only `CXXBaseSpecifier`s, it is a bit of a naming overkill to go with `isPublicBase` instead of `isPublic`. The only problem here is that `isPublic` already exists. For this reason, I suggest a very opinionated solution: make `isPublic` polymorphic: inline AccessSpecifier getAccessSpecifier(const Decl &D) { return D.getAccess(); } inline AccessSpecifier getAccessSpecifier(const CXXBaseSpecifier &Base) { return Base.getAccessSpecifier(); } /// Matches public C++ declarations. /// /// Given /// \code /// class C { /// public: int a; /// protected: int b; /// private: int c; /// }; /// \endcode /// fieldDecl(isPublic()) /// matches 'int a;' /// /// TODO: document the base specifier part AST_POLYMORPHIC_MATCHER(isPublic, AST_POLYMORPHIC_SUPPORTED_TYPES(Decl, CXXBaseSpecifier)) { return getAccessSpecifier(Node) == AS_public; } Artem (@NoQ ), what do you think about this merge?
2894	This matcher seems unnecessary :( It does casts (it is similar to having casts in a `Visitor`), and it has repetition. Probably you can implement this using other matchers. I'll look into it and try to think of a better solution.
clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
1523	Looks like this checker got lost in the process :(
clang/lib/StaticAnalyzer/Checkers/WebKit/NoUncountedMembersChecker.cpp
43	`CXXRecordDecl` is either `class`, `struct` or `union`. So this part can be easily reimplemented as `unless(isUnion())`
46	+1
63	I would also extract a part that checks that class has one of those special methods. So it looks something like this: DeclarationMatcher ClassWithRefOrDerefMethodsMatcher = cxxRecordDecl( unless(isUnion()), hasMethod(cxxMethodDecl(anyOf(hasName("ref"), hasName("deref")), isPublic()))); DeclarationMatcher RefCountableClassMatcher = cxxRecordDecl(anyOf( ClassWithRefOrDerefMethodsMatcher, hasABaseSpec(cxxBaseSpecifier( isPublicBase(), hasType(ClassWithRefOrDerefMethodsMatcher)))));

vsavchenko added inline comments.Apr 17 2020, 7:53 AM

clang/include/clang/ASTMatchers/ASTMatchers.h
2894	I think it's also important to note that this matcher seems not to be generic enough to be included in the main matchers library. I suggest you to include the following function directly into your checker's file: TypeMatcher typeOfRecord(DeclarationMatcher InnerMatcher) { TypeMatcher RecordTypeMatcher = recordType(hasDeclaration(InnerMatcher)); return anyOf(RecordTypeMatcher, substTemplateTypeParmType( hasReplacementType(RecordTypeMatcher))); } It works just as good, takes less place and resolves the issue with duplication.

In D78165#1988174, @NoQ wrote:

+Valeriy, our new guy who already knows a lot about matchers :)

Hmm, can we have code side-by-side, i.e. a patch that changes from a visitor-based implementation to a matcher-based implementation? It'll be much easier to reason about readability changes this way.

Please compare
shouldSkipDecl () and visitCXXRecordDecl() in https://reviews.llvm.org/D77177#change-V7KFc7wNp5n3
against
checkASTDecl in https://reviews.llvm.org/D78165#change-V7KFc7wNp5n3 plus implementation in ASTMatchers.h https://reviews.llvm.org/D78165#change-zIDgIjrTgBsu

There's a separate story where you want the matched sub-trees to actually be the same node, as opposed to merely matching the same matcher; you can achieve it with equalsBoundNode().

Hopefully I'll never need this but good to know it exists!

How to write a matcher that is filtering on parent AST nodes and matching children nodes without having to traverse the AST in children-to-parents direction. Example: for any function that has parameters of type pointer to ref-countable type that is called with "unsafe" arguments I'd like to match ALL the arguments so I can produce warnings.

Hmm, i don't understand what the problem is, i.e. what prevents you from starting with callExpr(...) and putting all the checks inside it in a top-down manner?

Nvm - I figured it out. With forEach/ forEachArgumentWithParam I get a match for each of the matching child nodes.

Some of the checks are basically matching "an arbitrary sequence of AST nodes from a given set followed by a specific kind of node". Again, maybe I just missed this but I don't know how to express this with matchers.

You mean something like IgnoreImpCasts() but ignore something else instead? There's probably no out-of-the-box solution indeed, might need a custom matcher a-la ignoreImpCasts().

Pretty much. I definitely can take the current implementation and hide it behind matcher interface but I don't think it helps anything and just makes the debuggability/maintenance worse.

All in all, I am still missing a convincing argument for why to use matchers. Given that the conversion from visitors would take nontrivial extra time which I should be able to justify spending on this and since based on this experiment I find the debugging/maintenance of matchers requires more effort I'd go with visitors.

Now, if you told me that there's say a long-term effort of migration all the checkers to visitors I'd accept that but that's not the case, right?

In D78165#1988583, @vsavchenko wrote:

Hi Jan,

Hi Valeriy!

Debug-ability. Especially false negatives (i. e. things that I'd like the matcher to match but it doesn't) are just so much harder to debug with matchers. I usually ended up just bisecting the matcher and iteratively recompiling and rerunning tests. I assume this largely predicts how maintenance of the checkers will be.

If you are not debugging your own new matchers (or you know that the problem is not there), there is a good utility tool called clang-query. I think you might save plenty of time recompiling your code by simply trying matchers there first.

Thank you for the advice but unfortunately I was mostly debugging my matchers :(

I'm with Artem (@NoQ) on writing ASTMatchers instead of Visitors.

jkorous marked an inline comment as done.Apr 20 2020, 12:41 PM

jkorous added inline comments.

clang/include/clang/ASTMatchers/ASTMatchers.h
2849	Would this actually go through bases transitively?

vsavchenko added inline comments.Apr 21 2020, 2:25 AM

clang/include/clang/ASTMatchers/ASTMatchers.h
2849	You are right, it won't. In this case, I guess, it would be good to add a couple of tests covering transitive traversal of base classes. I think it should be reflected in the name of the matcher (and if we have a transitive version, we should have a regular version as well). Additionally, I still don't see why that should be a part of `MatchFinder`.

In D78165#1993008, @jkorous wrote:

All in all, I am still missing a convincing argument for why to use matchers. Given that the conversion from visitors would take nontrivial extra time which I should be able to justify spending on this and since based on this experiment I find the debugging/maintenance of matchers requires more effort I'd go with visitors.

Now, if you told me that there's say a long-term effort of migration all the checkers to visitors I'd accept that but that's not the case, right?

That's definitely not the case. We're definitely not forcing anybody to use ASTMatchers (especially given that they're not omnipotent), especially when it means rewriting large amounts of code. Even regardless of whether matchers are good or bad, if you don't feel like rewriting your checkers with matchers, I still want them in. I hoped your experience with matchers to be immediately inspiring but if it's not the case then let's proceed with your original code instead.

In D78165#1993008, @jkorous wrote:

Please compare
shouldSkipDecl () and visitCXXRecordDecl() in https://reviews.llvm.org/D77177#change-V7KFc7wNp5n3
against
checkASTDecl in https://reviews.llvm.org/D78165#change-V7KFc7wNp5n3 plus implementation in ASTMatchers.h https://reviews.llvm.org/D78165#change-zIDgIjrTgBsu

That said, i love the converted code. It's not only more compact but much easier to understand, which excites me as a believer in "code is read more often than it's written". The idea behind the code is immediately obvious and all the gory details are isolated and hidden. I still feel like encouraging the use of matchers for code that's, well, not written yet.

In D78165#1996396, @NoQ wrote:

That's definitely not the case. We're definitely not forcing anybody to use ASTMatchers (especially given that they're not omnipotent), especially when it means rewriting large amounts of code. Even regardless of whether matchers are good or bad, if you don't feel like rewriting your checkers with matchers, I still want them in. I hoped your experience with matchers to be immediately inspiring but if it's not the case then let's proceed with your original code instead.

Ok, I'll do that. Thanks a bunch for this review - I appreciate it!

In D78165#1993008, @jkorous wrote:

Please compare
shouldSkipDecl () and visitCXXRecordDecl() in https://reviews.llvm.org/D77177#change-V7KFc7wNp5n3
against
checkASTDecl in https://reviews.llvm.org/D78165#change-V7KFc7wNp5n3 plus implementation in ASTMatchers.h https://reviews.llvm.org/D78165#change-zIDgIjrTgBsu

That said, i love the converted code. It's not only more compact but much easier to understand, which excites me as a believer in "code is read more often than it's written". The idea behind the code is immediately obvious and all the gory details are isolated and hidden. I still feel like encouraging the use of matchers for code that's, well, not written yet.

This is actually pretty funny as yet again I totally agree with someone on the high level principles but then we get to different conclusions :)
I'm very glad I had this opportunity to try out the matchers! And since I was hearing almost universal praise of the matchers which sadly didn't match my own experience (pun intended) I've spent a fair amount of time thinking about why is that.
Part of it is just contextual - that for matchers I'd have to implement functionality for which clang AST already has existing counterparts so it's not really a fair comparison. But I also feel that matchers kind of sweep the complexity under the carpet and present superficial idea of simplicity. This is great for cursory reading of the code but adds extra complexity when someone needs to understand the code on a debugging level. In my experience a structurally simple code with respect to limits of commonly used tools (debugger, grep, ...) is easier to maintain than a code that has a simple textual representation.

Since I've already done the work I'll polish the couple generic matchers from this patch and will land them separately.

jkorous abandoned this revision.Apr 22 2020, 3:46 PM

Revision Contents

Path

Size

clang/

include/

clang/

AST/

ASTTypeTraits.h

7 lines

ASTMatchers/

ASTMatchers.h

80 lines

ASTMatchersInternal.h

10 lines

StaticAnalyzer/

Checkers/

Checkers.td

23 lines

lib/

AST/

ASTTypeTraits.cpp

1 line

ASTMatchers/

ASTMatchFinder.cpp

28 lines

ASTMatchersInternal.cpp

2 lines

StaticAnalyzer/

Checkers/

CMakeLists.txt

4 lines

WebKit/

ASTUtils.h

70 lines

ASTUtils.cpp

91 lines

DiagOutputUtils.h

28 lines

NoUncountedMembersChecker.cpp

173 lines

PtrTypesSemantics.h

59 lines

PtrTypesSemantics.cpp

172 lines

RefCntblBaseVirtualDtorChecker.cpp

129 lines

test/

Analysis/

Checkers/

WebKit/

mock-types.h

48 lines

ref-cntbl-base-virtual-dtor-templates.cpp

30 lines

ref-cntbl-base-virtual-dtor.cpp

53 lines

uncounted-members.cpp

43 lines

unittests/

ASTMatchers/

ASTMatchersNodeTest.cpp

8 lines

Diff 257544

clang/include/clang/AST/ASTTypeTraits.h

Show All 10 Lines
// a type safe way.		// a type safe way.
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

#ifndef LLVM_CLANG_AST_ASTTYPETRAITS_H		#ifndef LLVM_CLANG_AST_ASTTYPETRAITS_H
#define LLVM_CLANG_AST_ASTTYPETRAITS_H		#define LLVM_CLANG_AST_ASTTYPETRAITS_H

#include "clang/AST/ASTFwd.h"		#include "clang/AST/ASTFwd.h"
		#include "clang/AST/DeclCXX.h"
#include "clang/AST/NestedNameSpecifier.h"		#include "clang/AST/NestedNameSpecifier.h"
#include "clang/AST/TemplateBase.h"		#include "clang/AST/TemplateBase.h"
#include "clang/AST/TypeLoc.h"		#include "clang/AST/TypeLoc.h"
#include "clang/Basic/LLVM.h"		#include "clang/Basic/LLVM.h"
#include "llvm/ADT/DenseMapInfo.h"		#include "llvm/ADT/DenseMapInfo.h"
#include "llvm/Support/AlignOf.h"		#include "llvm/Support/AlignOf.h"

namespace llvm {		namespace llvm {
▲ Show 20 Lines • Show All 104 Lines • ▼ Show 20 Lines	private:
enum NodeKindId {		enum NodeKindId {
NKI_None,		NKI_None,
NKI_TemplateArgument,		NKI_TemplateArgument,
NKI_TemplateName,		NKI_TemplateName,
NKI_NestedNameSpecifierLoc,		NKI_NestedNameSpecifierLoc,
NKI_QualType,		NKI_QualType,
NKI_TypeLoc,		NKI_TypeLoc,
NKI_LastKindWithoutPointerIdentity = NKI_TypeLoc,		NKI_LastKindWithoutPointerIdentity = NKI_TypeLoc,
		NKI_CXXBaseSpecifier,
NKI_CXXCtorInitializer,		NKI_CXXCtorInitializer,
NKI_NestedNameSpecifier,		NKI_NestedNameSpecifier,
NKI_Decl,		NKI_Decl,
#define DECL(DERIVED, BASE) NKI_##DERIVED##Decl,		#define DECL(DERIVED, BASE) NKI_##DERIVED##Decl,
#include "clang/AST/DeclNodes.inc"		#include "clang/AST/DeclNodes.inc"
NKI_Stmt,		NKI_Stmt,
#define STMT(DERIVED, BASE) NKI_##DERIVED,		#define STMT(DERIVED, BASE) NKI_##DERIVED,
#include "clang/AST/StmtNodes.inc"		#include "clang/AST/StmtNodes.inc"
▲ Show 20 Lines • Show All 46 Lines • ▼ Show 20 Lines
KIND_TO_KIND_ID(NestedNameSpecifier)		KIND_TO_KIND_ID(NestedNameSpecifier)
KIND_TO_KIND_ID(NestedNameSpecifierLoc)		KIND_TO_KIND_ID(NestedNameSpecifierLoc)
KIND_TO_KIND_ID(QualType)		KIND_TO_KIND_ID(QualType)
KIND_TO_KIND_ID(TypeLoc)		KIND_TO_KIND_ID(TypeLoc)
KIND_TO_KIND_ID(Decl)		KIND_TO_KIND_ID(Decl)
KIND_TO_KIND_ID(Stmt)		KIND_TO_KIND_ID(Stmt)
KIND_TO_KIND_ID(Type)		KIND_TO_KIND_ID(Type)
KIND_TO_KIND_ID(OMPClause)		KIND_TO_KIND_ID(OMPClause)
		KIND_TO_KIND_ID(CXXBaseSpecifier)
#define DECL(DERIVED, BASE) KIND_TO_KIND_ID(DERIVED##Decl)		#define DECL(DERIVED, BASE) KIND_TO_KIND_ID(DERIVED##Decl)
#include "clang/AST/DeclNodes.inc"		#include "clang/AST/DeclNodes.inc"
#define STMT(DERIVED, BASE) KIND_TO_KIND_ID(DERIVED)		#define STMT(DERIVED, BASE) KIND_TO_KIND_ID(DERIVED)
#include "clang/AST/StmtNodes.inc"		#include "clang/AST/StmtNodes.inc"
#define TYPE(DERIVED, BASE) KIND_TO_KIND_ID(DERIVED##Type)		#define TYPE(DERIVED, BASE) KIND_TO_KIND_ID(DERIVED##Type)
#include "clang/AST/TypeNodes.inc"		#include "clang/AST/TypeNodes.inc"
#define OPENMP_CLAUSE(TextualSpelling, Class) KIND_TO_KIND_ID(Class)		#define OPENMP_CLAUSE(TextualSpelling, Class) KIND_TO_KIND_ID(Class)
#include "clang/Basic/OpenMPKinds.def"		#include "clang/Basic/OpenMPKinds.def"
▲ Show 20 Lines • Show All 296 Lines • ▼ Show 20 Lines
template <>		template <>
struct DynTypedNode::BaseConverter<QualType,		struct DynTypedNode::BaseConverter<QualType,
void> : public ValueConverter<QualType> {};		void> : public ValueConverter<QualType> {};

template <>		template <>
struct DynTypedNode::BaseConverter<		struct DynTypedNode::BaseConverter<
TypeLoc, void> : public ValueConverter<TypeLoc> {};		TypeLoc, void> : public ValueConverter<TypeLoc> {};

		template <>
		struct DynTypedNode::BaseConverter<
		CXXBaseSpecifier, void> : public PtrConverter<CXXBaseSpecifier> {};

// The only operation we allow on unsupported types is \c get.		// The only operation we allow on unsupported types is \c get.
// This allows to conveniently use \c DynTypedNode when having an arbitrary		// This allows to conveniently use \c DynTypedNode when having an arbitrary
// AST node that is not supported, but prevents misuse - a user cannot create		// AST node that is not supported, but prevents misuse - a user cannot create
// a DynTypedNode from arbitrary types.		// a DynTypedNode from arbitrary types.
template <typename T, typename EnablerT> struct DynTypedNode::BaseConverter {		template <typename T, typename EnablerT> struct DynTypedNode::BaseConverter {
static const T *get(ASTNodeKind NodeKind, const char Storage[]) {		static const T *get(ASTNodeKind NodeKind, const char Storage[]) {
return NULL;		return NULL;
}		}
Show All 29 Lines

clang/include/clang/ASTMatchers/ASTMatchers.h

Show First 20 Lines • Show All 542 Lines • ▼ Show 20 Lines
/// \code		/// \code
/// template <typename T, int N> struct C {};		/// template <typename T, int N> struct C {};
/// \endcode		/// \endcode
/// templateTypeParmDecl()		/// templateTypeParmDecl()
/// matches 'T', but not 'N'.		/// matches 'T', but not 'N'.
extern const internal::VariadicDynCastAllOfMatcher<Decl, TemplateTypeParmDecl>		extern const internal::VariadicDynCastAllOfMatcher<Decl, TemplateTypeParmDecl>
templateTypeParmDecl;		templateTypeParmDecl;

		/// Matches C++ base specifier.
		//TODO
		extern const internal::VariadicAllOfMatcher<CXXBaseSpecifier>
		cxxBaseSpecifier;

/// Matches public C++ declarations.		/// Matches public C++ declarations.
///		///
/// Given		/// Given
/// \code		/// \code
/// class C {		/// class C {
/// public: int a;		/// public: int a;
/// protected: int b;		/// protected: int b;
/// private: int c;		/// private: int c;
▲ Show 20 Lines • Show All 2,271 Lines • ▼ Show 20 Lines	AST_POLYMORPHIC_MATCHER_P_OVERLOAD(

if (const auto *RD = dyn_cast<CXXRecordDecl>(&Node))		if (const auto *RD = dyn_cast<CXXRecordDecl>(&Node))
return Matcher<CXXRecordDecl>(M).matches(*RD, Finder, Builder);		return Matcher<CXXRecordDecl>(M).matches(*RD, Finder, Builder);

const auto *InterfaceDecl = cast<ObjCInterfaceDecl>(&Node);		const auto *InterfaceDecl = cast<ObjCInterfaceDecl>(&Node);
return Matcher<ObjCInterfaceDecl>(M).matches(*InterfaceDecl, Finder, Builder);		return Matcher<ObjCInterfaceDecl>(M).matches(*InterfaceDecl, Finder, Builder);
}		}

		// TODO later implement isDerivedFrom by this
		AST_MATCHER_P(
		CXXRecordDecl,
		hasABaseSpec,
		vsavchenkoUnsubmitted Not Done Reply Inline Actions There is some sort of naming convention for matchers like this: `hasAny`, so I suggest `hasAnyBase` here. vsavchenko:* There is some sort of naming convention for matchers like this: `hasAny*`, so I suggest…
		internal::Matcher<CXXBaseSpecifier>, InnerMatcher) {
		if (const auto *RD = dyn_cast<CXXRecordDecl>(&Node))
		return Finder->hasABaseSpec(RD, InnerMatcher, Builder);
		vsavchenkoUnsubmitted Not Done Reply Inline Actions I don't really see why that should be done in the `Finder`. The whole matcher can look simply like this: // Forward declarations don't have bases and we'll crash if we ask for those. if (!Node.isThisDeclarationADefinition()) return false; return matchesFirstInRange(InnerMatcher, Node.bases_begin(), Node.bases_end(), Finder, Builder); NOTE: when dealing with lists of things we should be particularly careful with the `Builder` and bindings from the inner matcher. So it's good to use `matchesFirstInRange` that takes care of this problem for you. vsavchenko: I don't really see why that should be done in the `Finder`. The whole matcher can look simply…
		jkorousAuthorUnsubmitted Done Reply Inline Actions Would this actually go through bases transitively? jkorous: Would this actually go through bases transitively?
		vsavchenkoUnsubmitted Not Done Reply Inline Actions You are right, it won't. In this case, I guess, it would be good to add a couple of tests covering transitive traversal of base classes. I think it should be reflected in the name of the matcher (and if we have a transitive version, we should have a regular version as well). Additionally, I still don't see why that should be a part of `MatchFinder`. vsavchenko: You are right, it won't. In this case, I guess, it would be good to add a couple of tests…
		return false;
		}

		// TODO doc
		AST_MATCHER(
		CXXBaseSpecifier,
		vsavchenkoUnsubmitted Not Done Reply Inline Actions Here you already _declared_ `Node` as `CXXBaseSpecifier`. There is no need to cast (and especially `dyn_cast`) in the matcher's body. The same applies to other matchers. vsavchenko: Here you already _declared_ `Node` as `CXXBaseSpecifier`. There is no need to cast (and…
		isPublicBase
		vsavchenkoUnsubmitted Not Done Reply Inline Actions Because this matcher already accepts only `CXXBaseSpecifier`s, it is a bit of a naming overkill to go with `isPublicBase` instead of `isPublic`. The only problem here is that `isPublic` already exists. For this reason, I suggest a very opinionated solution: make `isPublic` polymorphic: inline AccessSpecifier getAccessSpecifier(const Decl &D) { return D.getAccess(); } inline AccessSpecifier getAccessSpecifier(const CXXBaseSpecifier &Base) { return Base.getAccessSpecifier(); } /// Matches public C++ declarations. /// /// Given /// \code /// class C { /// public: int a; /// protected: int b; /// private: int c; /// }; /// \endcode /// fieldDecl(isPublic()) /// matches 'int a;' /// /// TODO: document the base specifier part AST_POLYMORPHIC_MATCHER(isPublic, AST_POLYMORPHIC_SUPPORTED_TYPES(Decl, CXXBaseSpecifier)) { return getAccessSpecifier(Node) == AS_public; } Artem (@NoQ ), what do you think about this merge? vsavchenko: Because this matcher already accepts only `CXXBaseSpecifier`s, it is a bit of a naming overkill…
		) {
		if (const auto *BS = dyn_cast<CXXBaseSpecifier>(&Node))
		return BS->getAccessSpecifier() == AS_public;
		return false;
		}

		// TODO doc
		AST_MATCHER(
		CXXBaseSpecifier,
		isPrivateBase
		) {
		if (const auto *BS = dyn_cast<CXXBaseSpecifier>(&Node))
		return BS->getAccessSpecifier() == AS_private;
		return false;
		}

		// TODO doc
		AST_MATCHER(
		CXXBaseSpecifier,
		isProtectedBase
		) {
		if (const auto *BS = dyn_cast<CXXBaseSpecifier>(&Node))
		return BS->getAccessSpecifier() == AS_protected;
		return false;
		}

		// TODO doc
		AST_MATCHER(
		CXXBaseSpecifier,
		isVirtualBase
		) {
		if (const auto *BS = dyn_cast<CXXBaseSpecifier>(&Node))
		return BS->isVirtual();
		return false;
		}

		// TODO doc
		AST_MATCHER_P(Type, typeOfRecord, internal::Matcher<RecordDecl>, InnerMatcher) {
		vsavchenkoUnsubmitted Not Done Reply Inline Actions This matcher seems unnecessary :( It does casts (it is similar to having casts in a `Visitor`), and it has repetition. Probably you can implement this using other matchers. I'll look into it and try to think of a better solution. vsavchenko: This matcher seems unnecessary :( It does casts (it is similar to having casts in a `Visitor`)…
		vsavchenkoUnsubmitted Not Done Reply Inline Actions I think it's also important to note that this matcher seems not to be generic enough to be included in the main matchers library. I suggest you to include the following function directly into your checker's file: TypeMatcher typeOfRecord(DeclarationMatcher InnerMatcher) { TypeMatcher RecordTypeMatcher = recordType(hasDeclaration(InnerMatcher)); return anyOf(RecordTypeMatcher, substTemplateTypeParmType( hasReplacementType(RecordTypeMatcher))); } It works just as good, takes less place and resolves the issue with duplication. vsavchenko: I think it's also important to note that this matcher seems not to be generic enough to be…
		if (!Node.isRecordType())
		return false;

		if (const auto* RT = dyn_cast<RecordType>(&Node)) {
		if (const auto *RD = RT->getDecl())
		return InnerMatcher.matches(*RD, Finder, Builder);
		} else if (const auto* STTPT = dyn_cast<SubstTemplateTypeParmType>(&Node)) {
		if (auto* SubstituttedType = STTPT->getReplacementType().getTypePtrOrNull()) {
		// FIXME: refactor - this is copy-pasted branch from above
		if (!SubstituttedType->isRecordType())
		return false;

		if (const auto* RT = dyn_cast<RecordType>(SubstituttedType)) {
		if (const auto *RD = RT->getDecl())
		return InnerMatcher.matches(*RD, Finder, Builder);
		}
		}
		}
		return false;
		}

/// Similar to \c isDerivedFrom(), but also matches classes that directly		/// Similar to \c isDerivedFrom(), but also matches classes that directly
/// match \c Base.		/// match \c Base.
AST_POLYMORPHIC_MATCHER_P_OVERLOAD(		AST_POLYMORPHIC_MATCHER_P_OVERLOAD(
isSameOrDerivedFrom,		isSameOrDerivedFrom,
AST_POLYMORPHIC_SUPPORTED_TYPES(CXXRecordDecl, ObjCInterfaceDecl),		AST_POLYMORPHIC_SUPPORTED_TYPES(CXXRecordDecl, ObjCInterfaceDecl),
internal::Matcher<NamedDecl>, Base, 0) {		internal::Matcher<NamedDecl>, Base, 0) {
const auto M = anyOf(Base, isDerivedFrom(Base));		const auto M = anyOf(Base, isDerivedFrom(Base));

▲ Show 20 Lines • Show All 616 Lines • ▼ Show 20 Lines
/// \code		/// \code
/// class X {};		/// class X {};
/// void y(X &x) { x; X z; }		/// void y(X &x) { x; X z; }
/// class Y { friend class X; };		/// class Y { friend class X; };
/// \endcode		/// \endcode
///		///
/// Usable as: Matcher<Expr>, Matcher<ValueDecl>		/// Usable as: Matcher<Expr>, Matcher<ValueDecl>
AST_POLYMORPHIC_MATCHER_P_OVERLOAD(		AST_POLYMORPHIC_MATCHER_P_OVERLOAD(
hasType, AST_POLYMORPHIC_SUPPORTED_TYPES(Expr, FriendDecl, ValueDecl),		hasType, AST_POLYMORPHIC_SUPPORTED_TYPES(Expr, FriendDecl, ValueDecl, CXXBaseSpecifier),
internal::Matcher<Decl>, InnerMatcher, 1) {		internal::Matcher<Decl>, InnerMatcher, 1) {
QualType QT = internal::getUnderlyingType(Node);		QualType QT = internal::getUnderlyingType(Node);
if (!QT.isNull())		if (!QT.isNull())
return qualType(hasDeclaration(InnerMatcher)).matches(QT, Finder, Builder);		return qualType(hasDeclaration(InnerMatcher)).matches(QT, Finder, Builder);
return false;		return false;
}		}

/// Matches if the type location of the declarator decl's type matches		/// Matches if the type location of the declarator decl's type matches
▲ Show 20 Lines • Show All 3,656 Lines • Show Last 20 Lines

clang/include/clang/ASTMatchers/ASTMatchersInternal.h

Show First 20 Lines • Show All 124 Lines • ▼ Show 20 Lines
inline QualType getUnderlyingType(const TypedefNameDecl &Node) {		inline QualType getUnderlyingType(const TypedefNameDecl &Node) {
return Node.getUnderlyingType();		return Node.getUnderlyingType();
}		}
inline QualType getUnderlyingType(const FriendDecl &Node) {		inline QualType getUnderlyingType(const FriendDecl &Node) {
if (const TypeSourceInfo *TSI = Node.getFriendType())		if (const TypeSourceInfo *TSI = Node.getFriendType())
return TSI->getType();		return TSI->getType();
return QualType();		return QualType();
}		}
		inline QualType getUnderlyingType(const CXXBaseSpecifier &Node) {
		return Node.getType();
		}

/// Unifies obtaining the FunctionProtoType pointer from both		/// Unifies obtaining the FunctionProtoType pointer from both
/// FunctionProtoType and FunctionDecl nodes..		/// FunctionProtoType and FunctionDecl nodes..
inline const FunctionProtoType *		inline const FunctionProtoType *
getFunctionProtoType(const FunctionProtoType &Node) {		getFunctionProtoType(const FunctionProtoType &Node) {
return &Node;		return &Node;
}		}

▲ Show 20 Lines • Show All 836 Lines • ▼ Show 20 Lines	public:
/// from a base type matching \c base.		/// from a base type matching \c base.
///		///
/// A class is not considered to be derived from itself.		/// A class is not considered to be derived from itself.
virtual bool classIsDerivedFrom(const CXXRecordDecl *Declaration,		virtual bool classIsDerivedFrom(const CXXRecordDecl *Declaration,
const Matcher<NamedDecl> &Base,		const Matcher<NamedDecl> &Base,
BoundNodesTreeBuilder *Builder,		BoundNodesTreeBuilder *Builder,
bool Directly) = 0;		bool Directly) = 0;

		/// Returns true if \p Declaration has a base specifier matching \p BaseSpec.
		///
		/// A class is not considered to be derived from itself.
		virtual bool hasABaseSpec(const CXXRecordDecl *ClassDecl,
		const Matcher<CXXBaseSpecifier> &BaseSpecMatcher,
		BoundNodesTreeBuilder *Builder) = 0;

/// Returns true if the given Objective-C class is directly or indirectly		/// Returns true if the given Objective-C class is directly or indirectly
/// derived from a base class matching \c base.		/// derived from a base class matching \c base.
///		///
/// A class is not considered to be derived from itself.		/// A class is not considered to be derived from itself.
virtual bool objcClassIsDerivedFrom(const ObjCInterfaceDecl *Declaration,		virtual bool objcClassIsDerivedFrom(const ObjCInterfaceDecl *Declaration,
const Matcher<NamedDecl> &Base,		const Matcher<NamedDecl> &Base,
BoundNodesTreeBuilder *Builder,		BoundNodesTreeBuilder *Builder,
bool Directly) = 0;		bool Directly) = 0;
▲ Show 20 Lines • Show All 924 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

	Show First 20 Lines • Show All 108 Lines • ▼ Show 20 Lines

	def CloneDetectionAlpha : Package<"clone">, ParentPackage<Alpha>;			def CloneDetectionAlpha : Package<"clone">, ParentPackage<Alpha>;

	def NonDeterminismAlpha : Package<"nondeterminism">, ParentPackage<Alpha>;			def NonDeterminismAlpha : Package<"nondeterminism">, ParentPackage<Alpha>;

	def Fuchsia : Package<"fuchsia">;			def Fuchsia : Package<"fuchsia">;
	def FuchsiaAlpha : Package<"fuchsia">, ParentPackage<Alpha>;			def FuchsiaAlpha : Package<"fuchsia">, ParentPackage<Alpha>;

				def WebKit : Package<"webkit">;
				def WebKitAlpha : Package<"webkit">, ParentPackage<Alpha>;

	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//
	// Core Checkers.			// Core Checkers.
	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//

	let ParentPackage = Core in {			let ParentPackage = Core in {

	def DereferenceChecker : Checker<"NullDereference">,			def DereferenceChecker : Checker<"NullDereference">,
	HelpText<"Check for dereferences of null pointers">,			HelpText<"Check for dereferences of null pointers">,
	▲ Show 20 Lines • Show All 1,371 Lines • ▼ Show 20 Lines

	def FuchsiaLockChecker : Checker<"Lock">,			def FuchsiaLockChecker : Checker<"Lock">,
	HelpText<"Check for the correct usage of locking APIs.">,			HelpText<"Check for the correct usage of locking APIs.">,
	Dependencies<[PthreadLockBase]>,			Dependencies<[PthreadLockBase]>,
	Documentation<HasDocumentation>;			Documentation<HasDocumentation>;

	} // end fuchsia			} // end fuchsia

				//===----------------------------------------------------------------------===//
				// WebKit checkers.
				//===----------------------------------------------------------------------===//

				let ParentPackage = WebKitAlpha in {

				// TODO documentation?

				def WebKitRefCntblBaseVirtualDtorChecker : Checker<"WebKitRefCntblBaseVirtualDtor">,
				HelpText<"Check for any ref-countable base class having virtual destructor.">,
				Documentation<HasDocumentation>;

				def WebKitNoUncountedMemberChecker : Checker<"WebKitNoUncountedMemberChecker">,
				HelpText<"Check for no uncounted member variables.">,
				Documentation<HasDocumentation>;

				def WebKitUncountedCallArgsChecker : Checker<"WebKitUncountedCallArgsChecker">,
				vsavchenkoUnsubmitted Not Done Reply Inline Actions Looks like this checker got lost in the process :( vsavchenko: Looks like this checker got lost in the process :(
				HelpText<"Check uncounted call arguments.">,
				Documentation<HasDocumentation>;
				} // end webkit

clang/lib/AST/ASTTypeTraits.cpp

	Show All 21 Lines

	const ASTNodeKind::KindInfo ASTNodeKind::AllKindInfo[] = {			const ASTNodeKind::KindInfo ASTNodeKind::AllKindInfo[] = {
	{ NKI_None, "<None>" },			{ NKI_None, "<None>" },
	{ NKI_None, "TemplateArgument" },			{ NKI_None, "TemplateArgument" },
	{ NKI_None, "TemplateName" },			{ NKI_None, "TemplateName" },
	{ NKI_None, "NestedNameSpecifierLoc" },			{ NKI_None, "NestedNameSpecifierLoc" },
	{ NKI_None, "QualType" },			{ NKI_None, "QualType" },
	{ NKI_None, "TypeLoc" },			{ NKI_None, "TypeLoc" },
				{ NKI_None, "CXXBaseSpecifier" },
	{ NKI_None, "CXXCtorInitializer" },			{ NKI_None, "CXXCtorInitializer" },
	{ NKI_None, "NestedNameSpecifier" },			{ NKI_None, "NestedNameSpecifier" },
	{ NKI_None, "Decl" },			{ NKI_None, "Decl" },
	#define DECL(DERIVED, BASE) { NKI_##BASE, #DERIVED "Decl" },			#define DECL(DERIVED, BASE) { NKI_##BASE, #DERIVED "Decl" },
	#include "clang/AST/DeclNodes.inc"			#include "clang/AST/DeclNodes.inc"
	{ NKI_None, "Stmt" },			{ NKI_None, "Stmt" },
	#define STMT(DERIVED, BASE) { NKI_##BASE, #DERIVED },			#define STMT(DERIVED, BASE) { NKI_##BASE, #DERIVED },
	#include "clang/AST/StmtNodes.inc"			#include "clang/AST/StmtNodes.inc"
	▲ Show 20 Lines • Show All 142 Lines • Show Last 20 Lines

clang/lib/ASTMatchers/ASTMatchFinder.cpp

Show All 12 Lines
// calling the Matches(...) method of each matcher we are running on each		// calling the Matches(...) method of each matcher we are running on each
// AST node. The matcher can recurse via the ASTMatchFinder interface.		// AST node. The matcher can recurse via the ASTMatchFinder interface.
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

#include "clang/ASTMatchers/ASTMatchFinder.h"		#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/AST/ASTConsumer.h"		#include "clang/AST/ASTConsumer.h"
#include "clang/AST/ASTContext.h"		#include "clang/AST/ASTContext.h"
		#include "clang/AST/CXXInheritance.h"
#include "clang/AST/RecursiveASTVisitor.h"		#include "clang/AST/RecursiveASTVisitor.h"
#include "llvm/ADT/DenseMap.h"		#include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/StringMap.h"		#include "llvm/ADT/StringMap.h"
#include "llvm/Support/Timer.h"		#include "llvm/Support/Timer.h"
#include <deque>		#include <deque>
#include <memory>		#include <memory>
#include <set>		#include <set>

▲ Show 20 Lines • Show All 461 Lines • ▼ Show 20 Lines	bool classIsDerivedFrom(const CXXRecordDecl *Declaration,
BoundNodesTreeBuilder *Builder,		BoundNodesTreeBuilder *Builder,
bool Directly) override;		bool Directly) override;

bool objcClassIsDerivedFrom(const ObjCInterfaceDecl *Declaration,		bool objcClassIsDerivedFrom(const ObjCInterfaceDecl *Declaration,
const Matcher<NamedDecl> &Base,		const Matcher<NamedDecl> &Base,
BoundNodesTreeBuilder *Builder,		BoundNodesTreeBuilder *Builder,
bool Directly) override;		bool Directly) override;

		bool hasABaseSpec(const CXXRecordDecl *ClassDecl,
		const Matcher<CXXBaseSpecifier> &BaseSpecMatcher,
		BoundNodesTreeBuilder *Builder) override;

// Implements ASTMatchFinder::matchesChildOf.		// Implements ASTMatchFinder::matchesChildOf.
bool matchesChildOf(const DynTypedNode &Node, ASTContext &Ctx,		bool matchesChildOf(const DynTypedNode &Node, ASTContext &Ctx,
const DynTypedMatcher &Matcher,		const DynTypedMatcher &Matcher,
BoundNodesTreeBuilder *Builder, TraversalKind Traversal,		BoundNodesTreeBuilder *Builder, TraversalKind Traversal,
BindKind Bind) override {		BindKind Bind) override {
if (ResultCache.size() > MaxMemoizationEntries)		if (ResultCache.size() > MaxMemoizationEntries)
ResultCache.clear();		ResultCache.clear();
return memoizedMatchesRecursively(Node, Ctx, Matcher, Builder, 1, Traversal,		return memoizedMatchesRecursively(Node, Ctx, Matcher, Builder, 1, Traversal,
▲ Show 20 Lines • Show All 420 Lines • ▼ Show 20 Lines	if (Base.matches(*ClassDecl, this, &Result)) {
return true;		return true;
}		}
if (!Directly && classIsDerivedFrom(ClassDecl, Base, Builder, Directly))		if (!Directly && classIsDerivedFrom(ClassDecl, Base, Builder, Directly))
return true;		return true;
}		}
return false;		return false;
}		}

		bool MatchASTVisitor::hasABaseSpec(const CXXRecordDecl *ClassDecl,
		const Matcher<CXXBaseSpecifier> &BaseSpecMatcher,
		BoundNodesTreeBuilder *Builder) {
		if (!ClassDecl->hasDefinition())
		return false;

		CXXBasePaths Paths;
		// FIXME: Every time someone casts away const specifier a kitten dies.
		Paths.setOrigin(const_cast<CXXRecordDecl *>(ClassDecl));

		const auto basePredicate = [this, Builder, &BaseSpecMatcher](const CXXBaseSpecifier *BaseSpec, CXXBasePath &IgnoredParam) {
		BoundNodesTreeBuilder Result(*Builder);
		if (BaseSpecMatcher.matches(*BaseSpec, this, &Result)) {
		*Builder = std::move(Result);
		return true;
		}
		return false;
		};

		return ClassDecl->lookupInBases(basePredicate, Paths,
		/LookupInDependent =/true);
		}

// Returns true if the given Objective-C class is directly or indirectly		// Returns true if the given Objective-C class is directly or indirectly
// derived from a matching base class. A class is not considered to be derived		// derived from a matching base class. A class is not considered to be derived
// from itself.		// from itself.
bool MatchASTVisitor::objcClassIsDerivedFrom(		bool MatchASTVisitor::objcClassIsDerivedFrom(
const ObjCInterfaceDecl *Declaration, const Matcher<NamedDecl> &Base,		const ObjCInterfaceDecl *Declaration, const Matcher<NamedDecl> &Base,
BoundNodesTreeBuilder *Builder, bool Directly) {		BoundNodesTreeBuilder *Builder, bool Directly) {
// Check if any of the superclasses of the class match.		// Check if any of the superclasses of the class match.
for (const ObjCInterfaceDecl *ClassDecl = Declaration->getSuperClass();		for (const ObjCInterfaceDecl *ClassDecl = Declaration->getSuperClass();
▲ Show 20 Lines • Show All 214 Lines • Show Last 20 Lines

clang/lib/ASTMatchers/ASTMatchersInternal.cpp

Show First 20 Lines • Show All 661 Lines • ▼ Show 20 Lines	const internal::VariadicDynCastAllOfMatcher<Decl, AccessSpecDecl>
accessSpecDecl;		accessSpecDecl;
const internal::VariadicAllOfMatcher<CXXCtorInitializer> cxxCtorInitializer;		const internal::VariadicAllOfMatcher<CXXCtorInitializer> cxxCtorInitializer;
const internal::VariadicAllOfMatcher<TemplateArgument> templateArgument;		const internal::VariadicAllOfMatcher<TemplateArgument> templateArgument;
const internal::VariadicAllOfMatcher<TemplateName> templateName;		const internal::VariadicAllOfMatcher<TemplateName> templateName;
const internal::VariadicDynCastAllOfMatcher<Decl, NonTypeTemplateParmDecl>		const internal::VariadicDynCastAllOfMatcher<Decl, NonTypeTemplateParmDecl>
nonTypeTemplateParmDecl;		nonTypeTemplateParmDecl;
const internal::VariadicDynCastAllOfMatcher<Decl, TemplateTypeParmDecl>		const internal::VariadicDynCastAllOfMatcher<Decl, TemplateTypeParmDecl>
templateTypeParmDecl;		templateTypeParmDecl;
		const internal::VariadicAllOfMatcher<CXXBaseSpecifier>
		cxxBaseSpecifier;
const internal::VariadicAllOfMatcher<QualType> qualType;		const internal::VariadicAllOfMatcher<QualType> qualType;
const internal::VariadicAllOfMatcher<Type> type;		const internal::VariadicAllOfMatcher<Type> type;
const internal::VariadicAllOfMatcher<TypeLoc> typeLoc;		const internal::VariadicAllOfMatcher<TypeLoc> typeLoc;
const internal::VariadicDynCastAllOfMatcher<Stmt, UnaryExprOrTypeTraitExpr>		const internal::VariadicDynCastAllOfMatcher<Stmt, UnaryExprOrTypeTraitExpr>
unaryExprOrTypeTraitExpr;		unaryExprOrTypeTraitExpr;
const internal::VariadicDynCastAllOfMatcher<Decl, ValueDecl> valueDecl;		const internal::VariadicDynCastAllOfMatcher<Decl, ValueDecl> valueDecl;
const internal::VariadicDynCastAllOfMatcher<Decl, CXXConstructorDecl>		const internal::VariadicDynCastAllOfMatcher<Decl, CXXConstructorDecl>
cxxConstructorDecl;		cxxConstructorDecl;
▲ Show 20 Lines • Show All 273 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

Show First 20 Lines • Show All 114 Lines • ▼ Show 20 Lines	add_clang_library(clangStaticAnalyzerCheckers
UninitializedObject/UninitializedObjectChecker.cpp		UninitializedObject/UninitializedObjectChecker.cpp
UninitializedObject/UninitializedPointee.cpp		UninitializedObject/UninitializedPointee.cpp
UnixAPIChecker.cpp		UnixAPIChecker.cpp
UnreachableCodeChecker.cpp		UnreachableCodeChecker.cpp
VforkChecker.cpp		VforkChecker.cpp
VLASizeChecker.cpp		VLASizeChecker.cpp
ValistChecker.cpp		ValistChecker.cpp
VirtualCallChecker.cpp		VirtualCallChecker.cpp
		WebKit/ASTUtils.cpp
		WebKit/NoUncountedMembersChecker.cpp
		WebKit/PtrTypesSemantics.cpp
		WebKit/RefCntblBaseVirtualDtorChecker.cpp

LINK_LIBS		LINK_LIBS
clangAST		clangAST
clangASTMatchers		clangASTMatchers
clangAnalysis		clangAnalysis
clangBasic		clangBasic
clangLex		clangLex
clangStaticAnalyzerCore		clangStaticAnalyzerCore
)		)

clang/lib/StaticAnalyzer/Checkers/WebKit/ASTUtils.h

This file was added.

				//=======- ASTUtis.h ---------------------------------------------- C++ --==//
				//
				// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
				// See https://llvm.org/LICENSE.txt for license information.
				// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
				//
				//===----------------------------------------------------------------------===//

				#ifndef LLVM_CLANG_ANALYZER_WEBKIT_ASTUTILS_H
				#define LLVM_CLANG_ANALYZER_WEBKIT_ASTUTILS_H

				#include "clang/AST/Decl.h"
				#include "llvm/ADT/APInt.h"
				#include "llvm/Support/Casting.h"

				#include <string>
				#include <utility>

				namespace clang {
				class CXXRecordDecl;
				class CXXBaseSpecifier;
				class FunctionDecl;
				class CXXMethodDecl;
				class Expr;

				/// If passed expression is of type uncounted pointer/reference we try to find
				/// the origin of this pointer. Example: Origin can be a local variable, nullptr
				/// constant or this-pointer.
				///
				/// Certain subexpression nodes represent transformations that don't affect
				/// where the memory address originates from. We try to traverse such
				/// subexpressions to get to the relevant child nodes. Whenever we encounter a
				/// subexpression that either can't be ignored, we don't model its semantics or
				/// that has multiple children we stop.
				///
				/// \p E is an expression of uncounted pointer/reference type.
				/// If \p StopAtFirstRefCountedObj is true and we encounter a subexpression that
				/// represents ref-counted object during the traversal we return relevant
				/// sub-expression and true.
				///
				/// \returns subexpression that we traversed to and if \p
				/// StopAtFirstRefCountedObj is true we also return whether we stopped early.
				std::pair<const clang::Expr *, bool>
				tryToFindPtrOrigin(const clang::Expr *E, bool StopAtFirstRefCountedObj);

				/// For \p E referring to a ref-countable/-counted pointer/reference we return
				/// whether it's a safe call argument. Examples: function parameter or
				/// this-pointer. The logic relies on the set of recursive rules we enforce for
				/// WebKit codebase.
				///
				/// \returns Whether \p E is a safe call arugment.
				bool isASafeCallArg(const clang::Expr *E);

				/// \returns name of AST node or empty string.
				template <typename T> std::string safeGetName(const T *ASTNode) {
				const auto *const ND = llvm::dyn_cast_or_null<clang::NamedDecl>(ASTNode);
				if (!ND)
				return "";

				// In case F is for example "operator\|" the getName() method below would
				// assert.
				if (!ND->getDeclName().isIdentifier())
				return "";

				return ND->getName().str();
				}

				} // namespace clang

				#endif

clang/lib/StaticAnalyzer/Checkers/WebKit/ASTUtils.cpp

This file was added.

				//=======- ASTUtils.cpp ------------------------------------------- C++ --==//
				//
				// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
				// See https://llvm.org/LICENSE.txt for license information.
				// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
				//
				//===----------------------------------------------------------------------===//

				#include "ASTUtils.h"
				#include "PtrTypesSemantics.h"
				#include "clang/AST/CXXInheritance.h"
				#include "clang/AST/Decl.h"
				#include "clang/AST/DeclCXX.h"
				#include "clang/AST/ExprCXX.h"

				using llvm::Optional;
				namespace clang {

				std::pair<const Expr *, bool>
				tryToFindPtrOrigin(const Expr *E, bool StopAtFirstRefCountedObj) {
				while (E) {
				if (auto *cast = dyn_cast<CastExpr>(E)) {
				if (StopAtFirstRefCountedObj) {
				if (auto *ConversionFunc =
				dyn_cast_or_null<FunctionDecl>(cast->getConversionFunction())) {
				if (isCtorOfRefCounted(ConversionFunc))
				return {E, true};
				}
				}
				E = cast->getSubExpr();
				continue;
				}
				if (auto *call = dyn_cast<CallExpr>(E)) {
				if (auto *memberCall = dyn_cast<CXXMemberCallExpr>(call)) {
				if (isGetterOfRefCounted(memberCall->getMethodDecl())) {
				E = memberCall->getImplicitObjectArgument();
				if (StopAtFirstRefCountedObj) {
				return {E, true};
				}
				continue;
				}
				}

				if (auto *operatorCall = dyn_cast<CXXOperatorCallExpr>(E)) {
				if (operatorCall->getNumArgs() == 1) {
				E = operatorCall->getArg(0);
				continue;
				}
				}

				if (auto *callee = call->getDirectCallee()) {
				if (isCtorOfRefCounted(callee)) {
				if (StopAtFirstRefCountedObj)
				return {E, true};

				E = call->getArg(0);
				continue;
				}

				if (isPtrConversion(callee)) {
				E = call->getArg(0);
				continue;
				}
				}
				}
				if (auto *unaryOp = dyn_cast<UnaryOperator>(E)) {
				// FIXME: Currently accepts ANY unary operator. Is it OK?
				E = unaryOp->getSubExpr();
				continue;
				}

				break;
				}
				// Some other expression.
				return {E, false};
				}

				bool isASafeCallArg(const Expr *E) {
				assert(E);
				if (auto *Ref = dyn_cast<DeclRefExpr>(E)) {
				if (auto *D = dyn_cast_or_null<VarDecl>(Ref->getFoundDecl())) {
				if (isa<ParmVarDecl>(D) \|\| D->isLocalVarDecl())
				return true;
				}
				}

				// TODO: checker for method calls on non-refcounted objects
				return isa<CXXThisExpr>(E);
				}

				} // namespace clang

clang/lib/StaticAnalyzer/Checkers/WebKit/DiagOutputUtils.h

This file was added.

				//=======- DiagOutputUtils.h -------------------------------------- C++ --==//
				//
				// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
				// See https://llvm.org/LICENSE.txt for license information.
				// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
				//
				//===----------------------------------------------------------------------===//

				#ifndef LLVM_CLANG_ANALYZER_WEBKIT_DIAGPRINTUTILS_H
				#define LLVM_CLANG_ANALYZER_WEBKIT_DIAGPRINTUTILS_H

				#include "clang/AST/Decl.h"
				#include "llvm/Support/raw_ostream.h"

				namespace clang {

				template <typename NamedDeclDerivedT>
				void printQuotedQualifiedName(llvm::raw_ostream &Os,
				const NamedDeclDerivedT &D) {
				Os << "'";
				D->getNameForDiagnostic(Os, D->getASTContext().getPrintingPolicy(),
				/Qualified=/true);
				Os << "'";
				}

				} // namespace clang

				#endif

clang/lib/StaticAnalyzer/Checkers/WebKit/NoUncountedMembersChecker.cpp

This file was added.

				//=======- NoUncountedMembersChecker.cpp -------------------------- C++ --==//
				//
				// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
				// See https://llvm.org/LICENSE.txt for license information.
				// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
				//
				//===----------------------------------------------------------------------===//

				#include "ASTUtils.h"
				#include "DiagOutputUtils.h"
				#include "PtrTypesSemantics.h"
				#include "clang/AST/CXXInheritance.h"
				#include "clang/AST/Decl.h"
				#include "clang/AST/DeclCXX.h"
				#include "clang/ASTMatchers/ASTMatchers.h"
				#include "clang/ASTMatchers/ASTMatchFinder.h"
				#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
				#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
				#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
				#include "clang/StaticAnalyzer/Core/Checker.h"
				#include "llvm/ADT/DenseSet.h"

				using namespace clang;
				using namespace ento;
				using namespace ast_matchers;

				namespace {

				class NoUncountedMemberChecker
				: public Checker<check::ASTDecl<TranslationUnitDecl>> {
				private:
				// lazily created bug instance
				mutable std::unique_ptr<BugType> Bug;
				mutable BugReporter *BR;

				public:
				void checkASTDecl(const TranslationUnitDecl *TUD, AnalysisManager &MGR,
				BugReporter &BRArg) const {
				BR = &BRArg;

				DeclarationMatcher RefCountableClassMatcher =
				cxxRecordDecl(
				anyOf( isClass(), isStruct() ),
				vsavchenkoUnsubmitted Not Done Reply Inline Actions `CXXRecordDecl` is either `class`, `struct` or `union`. So this part can be easily reimplemented as `unless(isUnion())` vsavchenko: `CXXRecordDecl` is either `class`, `struct` or `union`. So this part can be easily…
				anyOf(
				allOf(
				hasMethod(allOf(hasName("ref"), isPublic())),
				NoQUnsubmitted Not Done Reply Inline Actions A lot of these `allOf()` can be omitted because they're implied when you stuff multiple matchers into one matcher. NoQ: A lot of these `allOf()` can be omitted because they're implied when you stuff multiple…
				vsavchenkoUnsubmitted Not Done Reply Inline Actions +1 vsavchenko: +1
				hasMethod(allOf(hasName("deref"), isPublic()))
				),
				hasABaseSpec(
				cxxBaseSpecifier(
				allOf(
				isPublicBase(),
				hasType(
				cxxRecordDecl(
				hasMethod(allOf(hasName("ref"), isPublic())),
				hasMethod(allOf(hasName("deref"), isPublic()))
				)
				)
				)
				)
				)
				)
				);
				vsavchenkoUnsubmitted Not Done Reply Inline Actions I would also extract a part that checks that class has one of those special methods. So it looks something like this: DeclarationMatcher ClassWithRefOrDerefMethodsMatcher = cxxRecordDecl( unless(isUnion()), hasMethod(cxxMethodDecl(anyOf(hasName("ref"), hasName("deref")), isPublic()))); DeclarationMatcher RefCountableClassMatcher = cxxRecordDecl(anyOf( ClassWithRefOrDerefMethodsMatcher, hasABaseSpec(cxxBaseSpecifier( isPublicBase(), hasType(ClassWithRefOrDerefMethodsMatcher))))); vsavchenko: I would also extract a part that checks that class has one of those special methods. So it…

				DeclarationMatcher RefCountedClassMatcher =
				cxxRecordDecl(
				anyOf( isClass(), isStruct() ),
				anyOf(
				hasName("RefPtr"),
				hasName("Ref")
				)
				);

				DeclarationMatcher UncountedClassMatcher =
				cxxRecordDecl(
				RefCountableClassMatcher,
				unless(RefCountedClassMatcher)
				);

				TypeMatcher RawPtrToUncounted =
				type(
				anyOf(
				pointerType(),
				referenceType()
				),
				pointee(
				typeOfRecord(
				cxxRecordDecl(
				UncountedClassMatcher
				).bind("UncountedCXXRecord")
				)
				)
				);

				DeclarationMatcher OffendingFieldMatcher =
				fieldDecl(
				hasType(RawPtrToUncounted),
				hasParent(
				cxxRecordDecl(
				anyOf( isClass(), isStruct() ),
				isDefinition(),
				unless(anyOf(
				RefCountedClassMatcher,
				isImplicit(),
				isLambda(),
				isExpansionInSystemHeader()
				))
				).bind("ProblematicClass")
				)
				).bind("ProblematicField");

				MatchFinder F;

				class Callback : public MatchFinder::MatchCallback {
				public:
				const NoUncountedMemberChecker &Checker;
				Callback(const NoUncountedMemberChecker &Checker)
				: Checker(Checker) {}
				virtual void run(const MatchFinder::MatchResult &Result) {
				auto Field = Result.Nodes.getNodeAs<FieldDecl>("ProblematicField");
				const Type* FieldT = Field->getType().getTypePtr();
				Checker.reportBug(
				Field,
				FieldT,
				Result.Nodes.getNodeAs<CXXRecordDecl>("UncountedCXXRecord"),
				Result.Nodes.getNodeAs<CXXRecordDecl>("ProblematicClass")
				);
				}
				};
				Callback CB(*this);

				F.addMatcher(OffendingFieldMatcher, &CB);
				F.matchAST(TUD->getASTContext());
				}

				void reportBug(const FieldDecl Member, const Type MemberType,
				const CXXRecordDecl *MemberCXXRD,
				const RecordDecl *ClassCXXRD) const {
				assert(Member);
				assert(MemberType);
				assert(MemberCXXRD);

				if (!Bug)
				Bug = std::make_unique<BugType>(this, "Uncounted member variable",
				"WebKit");

				SmallString<100> Buf;
				llvm::raw_svector_ostream Os(Buf);

				Os << "Member variable ";
				printQuotedQualifiedName(Os, Member);

				Os << " is a "
				<< (isa<PointerType>(MemberType) ? "raw pointer" : "reference")
				<< " to ref-countable type ";
				printQuotedQualifiedName(Os, MemberCXXRD);

				PathDiagnosticLocation BSLoc(Member->getSourceRange().getBegin(),
				BR->getSourceManager());
				auto Report = std::make_unique<BasicBugReport>(*Bug, Os.str(), BSLoc);
				Report->addRange(Member->getSourceRange());
				BR->emitReport(std::move(Report));
				}
				};
				} // namespace

				void ento::registerWebKitNoUncountedMemberChecker(CheckerManager &Mgr) {
				Mgr.registerChecker<NoUncountedMemberChecker>();
				}

				bool ento::shouldRegisterWebKitNoUncountedMemberChecker(const LangOptions &LO) {
				return true;
				}

clang/lib/StaticAnalyzer/Checkers/WebKit/PtrTypesSemantics.h

This file was added.

				//=======- PtrTypesSemantics.cpp ---------------------------------- C++ --==//
				//
				// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
				// See https://llvm.org/LICENSE.txt for license information.
				// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
				//
				//===----------------------------------------------------------------------===//

				#ifndef LLVM_CLANG_ANALYZER_WEBKIT_PTRTYPESEMANTICS_H
				#define LLVM_CLANG_ANALYZER_WEBKIT_PTRTYPESEMANTICS_H

				namespace clang {
				class CXXBaseSpecifier;
				class CXXMethodDecl;
				class CXXRecordDecl;
				class Expr;
				class FunctionDecl;
				class Type;

				// Ref-countability of a type is implicitly defined by Ref<T> and RefPtr<T>
				// implementation. It can be modeled as: type T having public methods ref() and
				// deref()

				// In WebKit there are two ref-counted templated smart pointers: RefPtr<T> and
				// Ref<T>.

				/// \returns CXXRecordDecl of the base if the type is ref-countable, nullptr if
				/// not.
				const clang::CXXRecordDecl isRefCountable(const clang::CXXBaseSpecifier Base);

				/// \returns true if \p Class is ref-countable, false if not.
				/// Asserts that \p Class IS a definition.
				bool isRefCountable(const clang::CXXRecordDecl *Class);

				/// \returns true if \p Class is ref-counted, false if not.
				bool isRefCounted(const clang::CXXRecordDecl *Class);

				/// \returns true if \p Class is ref-countable AND not ref-counted, false if
				/// not. Asserts that \p Class IS a definition.
				bool isUncounted(const clang::CXXRecordDecl *Class);

				/// \returns true if \p T is either a raw pointer or reference to an uncounted
				/// class, false if not.
				bool isUncountedPtr(const clang::Type *T);

				/// \returns true if \p F creates ref-countable object from uncounted parameter,
				/// false if not.
				bool isCtorOfRefCounted(const clang::FunctionDecl *F);

				/// \returns true if \p M is getter of a ref-counted class, false if not.
				bool isGetterOfRefCounted(const clang::CXXMethodDecl *Method);

				/// \returns true if \p F is a conversion between ref-countable or ref-counted
				/// pointer types.
				bool isPtrConversion(const FunctionDecl *F);

				} // namespace clang

				#endif

clang/lib/StaticAnalyzer/Checkers/WebKit/PtrTypesSemantics.cpp

This file was added.

				//=======- PtrTypesSemantics.cpp ---------------------------------- C++ --==//
				//
				// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
				// See https://llvm.org/LICENSE.txt for license information.
				// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
				//
				//===----------------------------------------------------------------------===//

				#include "PtrTypesSemantics.h"
				#include "ASTUtils.h"
				#include "clang/AST/CXXInheritance.h"
				#include "clang/AST/Decl.h"
				#include "clang/AST/DeclCXX.h"
				#include "clang/AST/ExprCXX.h"

				using llvm::Optional;
				using namespace clang;

				namespace {

				bool hasPublicRefAndDeref(const CXXRecordDecl *R) {
				assert(R);

				bool hasRef = false;
				bool hasDeref = false;
				for (const CXXMethodDecl *MD : R->methods()) {
				const auto MethodName = safeGetName(MD);

				if (MethodName == "ref" && MD->getAccess() == AS_public) {
				if (hasDeref)
				return true;
				hasRef = true;
				} else if (MethodName == "deref" && MD->getAccess() == AS_public) {
				if (hasRef)
				return true;
				hasDeref = true;
				}
				}
				return false;
				}

				} // namespace

				namespace clang {

				const CXXRecordDecl isRefCountable(const CXXBaseSpecifier Base) {
				assert(Base);

				const Type *T = Base->getType().getTypePtrOrNull();
				if (!T)
				return nullptr;

				const CXXRecordDecl *R = T->getAsCXXRecordDecl();
				if (!R)
				return nullptr;

				return hasPublicRefAndDeref(R) ? R : nullptr;
				};

				bool isRefCountable(const CXXRecordDecl *R) {
				assert(R);

				R = R->getDefinition();
				assert(R);

				if (hasPublicRefAndDeref(R))
				return true;

				CXXBasePaths Paths;
				Paths.setOrigin(const_cast<CXXRecordDecl *>(R));

				const auto isRefCountableBase = [](const CXXBaseSpecifier *Base,
				CXXBasePath &) {
				return clang::isRefCountable(Base);
				};

				return R->lookupInBases(isRefCountableBase, Paths,
				/LookupInDependent =/true);
				}

				bool isCtorOfRefCounted(const clang::FunctionDecl *F) {
				assert(F);
				const auto &FunctionName = safeGetName(F);

				return FunctionName == "Ref" \|\| FunctionName == "makeRef"

				\|\| FunctionName == "RefPtr" \|\| FunctionName == "makeRefPtr"

				\|\| FunctionName == "UniqueRef" \|\| FunctionName == "makeUniqueRef" \|\|
				FunctionName == "makeUniqueRefWithoutFastMallocCheck"

				\|\| FunctionName == "String" \|\| FunctionName == "AtomString" \|\|
				FunctionName == "UniqueString"
				// FIXME: Implement as attribute.
				\|\| FunctionName == "Identifier";
				}

				bool isUncounted(const CXXRecordDecl *Class) {
				// Keep isRefCounted first as it's cheaper.
				return !isRefCounted(Class) && isRefCountable(Class);
				}

				bool isUncountedPtr(const Type *T) {
				assert(T);

				if (T->isPointerType() \|\| T->isReferenceType()) {
				if (auto *CXXRD = T->getPointeeCXXRecordDecl()) {
				return isUncounted(CXXRD);
				}
				}
				return false;
				}

				bool isGetterOfRefCounted(const CXXMethodDecl *M) {
				assert(M);

				if (auto *calleeMethodDecl = dyn_cast<CXXMethodDecl>(M)) {
				const CXXRecordDecl *calleeMethodsClass = M->getParent();
				auto className = safeGetName(calleeMethodsClass);
				auto methodName = safeGetName(M);

				if (((className == "Ref" \|\| className == "RefPtr") &&
				methodName == "get") \|\|
				((className == "String" \|\| className == "AtomString" \|\|
				className == "AtomStringImpl" \|\| className == "UniqueString" \|\|
				className == "UniqueStringImpl" \|\| className == "Identifier") &&
				methodName == "impl"))
				return true;

				// Ref<T> -> T conversion
				// FIXME: Currently allowing any Ref<T> -> whatever cast.
				if (className == "Ref" \|\| className == "RefPtr") {
				if (auto *maybeRefToRawOperator = dyn_cast<CXXConversionDecl>(M)) {
				if (auto *targetConversionType =
				maybeRefToRawOperator->getConversionType().getTypePtrOrNull()) {
				if (isUncountedPtr(targetConversionType)) {
				return true;
				}
				}
				}
				}
				}
				return false;
				}

				bool isRefCounted(const CXXRecordDecl *R) {
				assert(R);
				if (auto *TmplR = R->getTemplateInstantiationPattern()) {
				// FIXME: String/AtomString/UniqueString
				const auto &ClassName = safeGetName(TmplR);
				return ClassName == "RefPtr" \|\| ClassName == "Ref";
				}
				return false;
				}

				bool isPtrConversion(const FunctionDecl *F) {
				assert(F);
				if (isCtorOfRefCounted(F))
				return true;

				// FIXME: check # of params == 1
				const auto FunctionName = safeGetName(F);
				if (FunctionName == "getPtr" \|\| FunctionName == "WeakPtr" \|\|
				FunctionName == "makeWeakPtr"

				\|\| FunctionName == "downcast" \|\| FunctionName == "bitwise_cast")
				return true;

				return false;
				}

				} // namespace clang

clang/lib/StaticAnalyzer/Checkers/WebKit/RefCntblBaseVirtualDtorChecker.cpp

This file was added.

				//=======- RefCntblBaseVirtualDtor.cpp ---------------------------- C++ --==//
				//
				// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
				// See https://llvm.org/LICENSE.txt for license information.
				// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
				//
				//===----------------------------------------------------------------------===//

				#include "DiagOutputUtils.h"
				#include "PtrTypesSemantics.h"
				#include "clang/AST/CXXInheritance.h"
				#include "clang/AST/DeclCXX.h"
				#include "clang/ASTMatchers/ASTMatchers.h"
				#include "clang/ASTMatchers/ASTMatchFinder.h"
				#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
				#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
				#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
				#include "clang/StaticAnalyzer/Core/Checker.h"

				using namespace clang;
				using namespace ento;
				using namespace ast_matchers;

				namespace {

				class RefCntblBaseVirtualDtorChecker
				: public Checker<check::ASTDecl<TranslationUnitDecl>> {
				private:
				BugType Bug;
				mutable BugReporter *BR;

				public:

				RefCntblBaseVirtualDtorChecker()
				: Bug(this, "Ref-countable base class doesn't have virtual d-tor",
				"WebKit")
				{ }

				void checkASTDecl(const TranslationUnitDecl *TUD, AnalysisManager &MGR,
				BugReporter &BRArg) const {
				BR = &BRArg;

				DeclarationMatcher OffendingClassDefMatcher =
				cxxRecordDecl(
				anyOf( isClass(), isStruct() ),
				hasABaseSpec(
				cxxBaseSpecifier(
				allOf(
				isPublicBase(),
				hasType(
				cxxRecordDecl(
				hasMethod(allOf(hasName("ref"), isPublic())),
				hasMethod(allOf(hasName("deref"), isPublic())),
				hasMethod(
				allOf(
				cxxDestructorDecl(),
				unless(isVirtual())
				)
				)
				).bind("ProblematicBaseClass")
				)
				)
				).bind("ProblematicBaseSpecifier")
				),
				isDefinition(),
				unless(anyOf(
				isImplicit(),
				isLambda(),
				isExpansionInSystemHeader()
				))
				).bind("ProblematicDerivedClass");

				MatchFinder F;

				class Callback : public MatchFinder::MatchCallback {
				public:
				const RefCntblBaseVirtualDtorChecker &Checker;
				Callback(const RefCntblBaseVirtualDtorChecker &Checker)
				: Checker(Checker) {}
				virtual void run(const MatchFinder::MatchResult &Result) {
				Checker.reportBug(
				Result.Nodes.getNodeAs<CXXRecordDecl>("ProblematicDerivedClass"),
				Result.Nodes.getNodeAs<CXXBaseSpecifier>("ProblematicBaseSpecifier"),
				Result.Nodes.getNodeAs<CXXRecordDecl>("ProblematicBaseClass")
				);
				}
				};
				Callback CB(*this);

				F.addMatcher(OffendingClassDefMatcher, &CB);
				F.matchAST(TUD->getASTContext());
				}

				void reportBug(const CXXRecordDecl *DerivedClass,
				const CXXBaseSpecifier *BaseSpec,
				const CXXRecordDecl *ProblematicBaseClass) const {
				assert(DerivedClass);
				assert(BaseSpec);
				assert(ProblematicBaseClass);

				SmallString<100> Buf;
				llvm::raw_svector_ostream Os(Buf);

				Os << (ProblematicBaseClass->isClass() ? "Class" : "Struct") << " ";
				printQuotedQualifiedName(Os, ProblematicBaseClass);

				Os << " is used as a base of "
				<< (DerivedClass->isClass() ? "class" : "struct") << " ";
				printQuotedQualifiedName(Os, DerivedClass);

				Os << " but doesn't have virtual destructor";

				PathDiagnosticLocation BSLoc(BaseSpec->getSourceRange().getBegin(),
				BR->getSourceManager());
				auto Report = std::make_unique<BasicBugReport>(Bug, Os.str(), BSLoc);
				Report->addRange(BaseSpec->getSourceRange());
				BR->emitReport(std::move(Report));
				}
				};
				} // namespace

				void ento::registerWebKitRefCntblBaseVirtualDtorChecker(CheckerManager &Mgr) {
				Mgr.registerChecker<RefCntblBaseVirtualDtorChecker>();
				}

				bool ento::shouldRegisterWebKitRefCntblBaseVirtualDtorChecker(
				const LangOptions &LO) {
				return true;
				}

clang/test/Analysis/Checkers/WebKit/mock-types.h

This file was added.

				#ifndef mock_types_1103988513531
				#define mock_types_1103988513531

				template <typename T> struct Ref {
				T t;

				Ref() : t{} {};
				Ref(T *) {}
				T *get() { return nullptr; }
				operator const T &() const { return t; }
				operator T &() { return t; }
				};

				template <typename T> struct RefPtr {
				T *t;

				RefPtr() : t(new T) {}
				RefPtr(T *t) : t(t) {}
				T *get() { return t; }
				T *operator->() { return t; }
				T &operator() { return t; }
				RefPtr &operator=(T ) { return this; }
				};

				template <typename T> bool operator==(const RefPtr<T> &, const RefPtr<T> &) {
				return false;
				}

				template <typename T> bool operator==(const RefPtr<T> &, T *) { return false; }

				template <typename T> bool operator==(const RefPtr<T> &, T &) { return false; }

				template <typename T> bool operator!=(const RefPtr<T> &, const RefPtr<T> &) {
				return false;
				}

				template <typename T> bool operator!=(const RefPtr<T> &, T *) { return false; }

				template <typename T> bool operator!=(const RefPtr<T> &, T &) { return false; }

				struct RefCountable {
				void ref() {}
				void deref() {}
				};

				template <typename T> T downcast(T t) { return t; }

				#endif

clang/test/Analysis/Checkers/WebKit/ref-cntbl-base-virtual-dtor-templates.cpp

This file was added.

				// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.webkit.WebKitRefCntblBaseVirtualDtor -verify %s

				struct RefCntblBase {
				void ref() {}
				void deref() {}
				};

				template<class T>
				struct DerivedClassTmpl1 : T { };
				// expected-warning@-1{{Struct 'RefCntblBase' is used as a base of struct 'DerivedClassTmpl1<RefCntblBase>' but doesn't have virtual destructor}}

				DerivedClassTmpl1<RefCntblBase> a;



				template<class T>
				struct DerivedClassTmpl2 : T { };
				// expected-warning@-1{{Struct 'RefCntblBase' is used as a base of struct 'DerivedClassTmpl2<RefCntblBase>' but doesn't have virtual destructor}}

				template<class T> int foo(T) { DerivedClassTmpl2<T> f; return 42; }
				int b = foo(RefCntblBase{});



				template<class T>
				struct DerivedClassTmpl3 : T { };
				// expected-warning@-1{{Struct 'RefCntblBase' is used as a base of struct 'DerivedClassTmpl3<RefCntblBase>' but doesn't have virtual destructor}}

				typedef DerivedClassTmpl3<RefCntblBase> Foo;
				Foo c;

clang/test/Analysis/Checkers/WebKit/ref-cntbl-base-virtual-dtor.cpp

This file was added.

				// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.webkit.WebKitRefCntblBaseVirtualDtor -verify %s

				struct RefCntblBase {
				void ref() {}
				void deref() {}
				};

				struct Derived : RefCntblBase { };
				// expected-warning@-1{{Struct 'RefCntblBase' is used as a base of struct 'Derived' but doesn't have virtual destructor}}

				struct DerivedWithVirtualDtor : RefCntblBase {
				// expected-warning@-1{{Struct 'RefCntblBase' is used as a base of struct 'DerivedWithVirtualDtor' but doesn't have virtual destructor}}
				virtual ~DerivedWithVirtualDtor() {}
				};



				template<class T>
				struct DerivedClassTmpl : T { };
				typedef DerivedClassTmpl<RefCntblBase> Foo;



				struct RandomBase {};
				struct RandomDerivedClass : RandomBase { };



				struct FakeRefCntblBase1 {
				private:
				void ref() {}
				void deref() {}
				};
				struct Quiet1 : FakeRefCntblBase1 {};

				struct FakeRefCntblBase2 {
				protected:
				void ref() {}
				void deref() {}
				};
				struct Quiet2 : FakeRefCntblBase2 {};

				class FakeRefCntblBase3 {
				void ref() {}
				void deref() {}
				};
				struct Quiet3 : FakeRefCntblBase3 {};
				struct Quiet4 : private RefCntblBase {};
				class Quiet5 : RefCntblBase {};

				void foo () {
				Derived d;
				}

clang/test/Analysis/Checkers/WebKit/uncounted-members.cpp

This file was added.

				// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.webkit.WebKitNoUncountedMemberChecker -verify %s

				#include "mock-types.h"

				namespace members {
				struct Foo {
				private:
				RefCountable* a = nullptr;
				// expected-warning@-1{{Member variable 'members::Foo::a' is a raw pointer to ref-countable type 'RefCountable'}}

				protected:
				RefPtr<RefCountable> b;

				public:
				RefCountable silenceWarningAboutInit;
				RefCountable& c = silenceWarningAboutInit;
				// expected-warning@-1{{Member variable 'members::Foo::c' is a reference to ref-countable type 'RefCountable'}}
				Ref<RefCountable> d;
				};

				template<class T>
				struct FooTmpl {
				T* a;
				// expected-warning@-1{{Member variable 'members::FooTmpl<RefCountable>::a' is a raw pointer to ref-countable type 'RefCountable'}}
				};

				void forceTmplToInstantiate(FooTmpl<RefCountable>) {}
				}

				namespace ignore_unions {
				union Foo {
				RefCountable* a;
				RefPtr<RefCountable> b;
				Ref<RefCountable> c;
				};

				template<class T>
				union RefPtr {
				T* a;
				};

				void forceTmplToInstantiate(RefPtr<RefCountable>) {}
				}

clang/unittests/ASTMatchers/ASTMatchersNodeTest.cpp

Show First 20 Lines • Show All 1,318 Lines • ▼ Show 20 Lines	EXPECT_TRUE(matches(
"int (*ptr_to_func)(int);",		"int (*ptr_to_func)(int);",
varDecl(hasType(pointsTo(parenType(innerType(functionType())))))));		varDecl(hasType(pointsTo(parenType(innerType(functionType())))))));
EXPECT_TRUE(notMatches(		EXPECT_TRUE(notMatches(
"int (*ptr_to_array)[4];",		"int (*ptr_to_array)[4];",
varDecl(hasType(pointsTo(parenType(innerType(functionType())))))));		varDecl(hasType(pointsTo(parenType(innerType(functionType())))))));
}		}

TEST(TypeMatching, PointerTypes) {		TEST(TypeMatching, PointerTypes) {
// FIXME: Reactive when these tests can be more specific (not matching		// FIXME: Reactivate when these tests can be more specific (not matching
// implicit code on certain platforms), likely when we have hasDescendant for		// implicit code on certain platforms), likely when we have hasDescendant for
// Types/TypeLocs.		// Types/TypeLocs.
//EXPECT_TRUE(matchAndVerifyResultTrue(		//EXPECT_TRUE(matchAndVerifyResultTrue(
// "int* a;",		// "int* a;",
// pointerTypeLoc(pointeeLoc(typeLoc().bind("loc"))),		// pointerTypeLoc(pointeeLoc(typeLoc().bind("loc"))),
// std::make_unique<VerifyIdIsBoundTo<TypeLoc>>("loc", 1)));		// std::make_unique<VerifyIdIsBoundTo<TypeLoc>>("loc", 1)));
//EXPECT_TRUE(matchAndVerifyResultTrue(		//EXPECT_TRUE(matchAndVerifyResultTrue(
// "int* a;",		// "int* a;",
▲ Show 20 Lines • Show All 55 Lines • ▼ Show 20 Lines	TEST(TypeMatching, PointerTypes) {
EXPECT_TRUE(notMatches(Fragment, varDecl(hasName("ref"),		EXPECT_TRUE(notMatches(Fragment, varDecl(hasName("ref"),
hasType(pointerType()))));		hasType(pointerType()))));
EXPECT_TRUE(matches(Fragment, varDecl(hasName("ref"),		EXPECT_TRUE(matches(Fragment, varDecl(hasName("ref"),
hasType(referenceType()))));		hasType(referenceType()))));
EXPECT_TRUE(notMatches(Fragment, varDecl(hasName("ref"),		EXPECT_TRUE(notMatches(Fragment, varDecl(hasName("ref"),
hasType(lValueReferenceType()))));		hasType(lValueReferenceType()))));
EXPECT_TRUE(matches(Fragment, varDecl(hasName("ref"),		EXPECT_TRUE(matches(Fragment, varDecl(hasName("ref"),
hasType(rValueReferenceType()))));		hasType(rValueReferenceType()))));
		EXPECT_TRUE(matches(
		"struct a { int* b; };",
		fieldDecl(hasType(pointerType()))));
		EXPECT_TRUE(matches(
		"struct a { int& b; };",
		fieldDecl(hasType(referenceType()))));
}		}

TEST(TypeMatching, AutoRefTypes) {		TEST(TypeMatching, AutoRefTypes) {
std::string Fragment = "auto a = 1;"		std::string Fragment = "auto a = 1;"
"auto b = a;"		"auto b = a;"
"auto &c = a;"		"auto &c = a;"
"auto &&d = c;"		"auto &&d = c;"
"auto &&e = 2;";		"auto &&e = 2;";
▲ Show 20 Lines • Show All 472 Lines • Show Last 20 Lines

This is an archive of the discontinued LLVM Phabricator instance.

[WIP][Analyzer] Rewrite WebKit checkers to use ASTMatchersAbandonedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 257544

clang/include/clang/AST/ASTTypeTraits.h

clang/include/clang/ASTMatchers/ASTMatchers.h

clang/include/clang/ASTMatchers/ASTMatchersInternal.h

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

clang/lib/AST/ASTTypeTraits.cpp

clang/lib/ASTMatchers/ASTMatchFinder.cpp

clang/lib/ASTMatchers/ASTMatchersInternal.cpp

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

clang/lib/StaticAnalyzer/Checkers/WebKit/ASTUtils.h

clang/lib/StaticAnalyzer/Checkers/WebKit/ASTUtils.cpp

clang/lib/StaticAnalyzer/Checkers/WebKit/DiagOutputUtils.h

clang/lib/StaticAnalyzer/Checkers/WebKit/NoUncountedMembersChecker.cpp

clang/lib/StaticAnalyzer/Checkers/WebKit/PtrTypesSemantics.h

clang/lib/StaticAnalyzer/Checkers/WebKit/PtrTypesSemantics.cpp

clang/lib/StaticAnalyzer/Checkers/WebKit/RefCntblBaseVirtualDtorChecker.cpp

clang/test/Analysis/Checkers/WebKit/mock-types.h

clang/test/Analysis/Checkers/WebKit/ref-cntbl-base-virtual-dtor-templates.cpp

clang/test/Analysis/Checkers/WebKit/ref-cntbl-base-virtual-dtor.cpp

clang/test/Analysis/Checkers/WebKit/uncounted-members.cpp

clang/unittests/ASTMatchers/ASTMatchersNodeTest.cpp

[WIP][Analyzer] Rewrite WebKit checkers to use ASTMatchers
AbandonedPublic