• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 //===--- CheckerManager.cpp - Static Analyzer Checker Manager -------------===//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // Defines the Static Analyzer Checker Manager.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
15 #include "clang/AST/DeclBase.h"
16 #include "clang/Analysis/ProgramPoint.h"
17 #include "clang/StaticAnalyzer/Core/Checker.h"
18 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20 
21 using namespace clang;
22 using namespace ento;
23 
hasPathSensitiveCheckers() const24 bool CheckerManager::hasPathSensitiveCheckers() const {
25   return !StmtCheckers.empty()              ||
26          !PreObjCMessageCheckers.empty()    ||
27          !PostObjCMessageCheckers.empty()   ||
28          !PreCallCheckers.empty()    ||
29          !PostCallCheckers.empty()   ||
30          !LocationCheckers.empty()          ||
31          !BindCheckers.empty()              ||
32          !EndAnalysisCheckers.empty()       ||
33          !EndFunctionCheckers.empty()           ||
34          !BranchConditionCheckers.empty()   ||
35          !LiveSymbolsCheckers.empty()       ||
36          !DeadSymbolsCheckers.empty()       ||
37          !RegionChangesCheckers.empty()     ||
38          !EvalAssumeCheckers.empty()        ||
39          !EvalCallCheckers.empty();
40 }
41 
finishedCheckerRegistration()42 void CheckerManager::finishedCheckerRegistration() {
43 #ifndef NDEBUG
44   // Make sure that for every event that has listeners, there is at least
45   // one dispatcher registered for it.
46   for (llvm::DenseMap<EventTag, EventInfo>::iterator
47          I = Events.begin(), E = Events.end(); I != E; ++I)
48     assert(I->second.HasDispatcher && "No dispatcher registered for an event");
49 #endif
50 }
51 
52 //===----------------------------------------------------------------------===//
53 // Functions for running checkers for AST traversing..
54 //===----------------------------------------------------------------------===//
55 
runCheckersOnASTDecl(const Decl * D,AnalysisManager & mgr,BugReporter & BR)56 void CheckerManager::runCheckersOnASTDecl(const Decl *D, AnalysisManager& mgr,
57                                           BugReporter &BR) {
58   assert(D);
59 
60   unsigned DeclKind = D->getKind();
61   CachedDeclCheckers *checkers = nullptr;
62   CachedDeclCheckersMapTy::iterator CCI = CachedDeclCheckersMap.find(DeclKind);
63   if (CCI != CachedDeclCheckersMap.end()) {
64     checkers = &(CCI->second);
65   } else {
66     // Find the checkers that should run for this Decl and cache them.
67     checkers = &CachedDeclCheckersMap[DeclKind];
68     for (unsigned i = 0, e = DeclCheckers.size(); i != e; ++i) {
69       DeclCheckerInfo &info = DeclCheckers[i];
70       if (info.IsForDeclFn(D))
71         checkers->push_back(info.CheckFn);
72     }
73   }
74 
75   assert(checkers);
76   for (CachedDeclCheckers::iterator
77          I = checkers->begin(), E = checkers->end(); I != E; ++I)
78     (*I)(D, mgr, BR);
79 }
80 
runCheckersOnASTBody(const Decl * D,AnalysisManager & mgr,BugReporter & BR)81 void CheckerManager::runCheckersOnASTBody(const Decl *D, AnalysisManager& mgr,
82                                           BugReporter &BR) {
83   assert(D && D->hasBody());
84 
85   for (unsigned i = 0, e = BodyCheckers.size(); i != e; ++i)
86     BodyCheckers[i](D, mgr, BR);
87 }
88 
89 //===----------------------------------------------------------------------===//
90 // Functions for running checkers for path-sensitive checking.
91 //===----------------------------------------------------------------------===//
92 
93 template <typename CHECK_CTX>
expandGraphWithCheckers(CHECK_CTX checkCtx,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src)94 static void expandGraphWithCheckers(CHECK_CTX checkCtx,
95                                     ExplodedNodeSet &Dst,
96                                     const ExplodedNodeSet &Src) {
97   const NodeBuilderContext &BldrCtx = checkCtx.Eng.getBuilderContext();
98   if (Src.empty())
99     return;
100 
101   typename CHECK_CTX::CheckersTy::const_iterator
102       I = checkCtx.checkers_begin(), E = checkCtx.checkers_end();
103   if (I == E) {
104     Dst.insert(Src);
105     return;
106   }
107 
108   ExplodedNodeSet Tmp1, Tmp2;
109   const ExplodedNodeSet *PrevSet = &Src;
110 
111   for (; I != E; ++I) {
112     ExplodedNodeSet *CurrSet = nullptr;
113     if (I+1 == E)
114       CurrSet = &Dst;
115     else {
116       CurrSet = (PrevSet == &Tmp1) ? &Tmp2 : &Tmp1;
117       CurrSet->clear();
118     }
119 
120     NodeBuilder B(*PrevSet, *CurrSet, BldrCtx);
121     for (ExplodedNodeSet::iterator NI = PrevSet->begin(), NE = PrevSet->end();
122          NI != NE; ++NI) {
123       checkCtx.runChecker(*I, B, *NI);
124     }
125 
126     // If all the produced transitions are sinks, stop.
127     if (CurrSet->empty())
128       return;
129 
130     // Update which NodeSet is the current one.
131     PrevSet = CurrSet;
132   }
133 }
134 
135 namespace {
136   struct CheckStmtContext {
137     typedef SmallVectorImpl<CheckerManager::CheckStmtFunc> CheckersTy;
138     bool IsPreVisit;
139     const CheckersTy &Checkers;
140     const Stmt *S;
141     ExprEngine &Eng;
142     bool WasInlined;
143 
checkers_begin__anon1e2187ec0111::CheckStmtContext144     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon1e2187ec0111::CheckStmtContext145     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
146 
CheckStmtContext__anon1e2187ec0111::CheckStmtContext147     CheckStmtContext(bool isPreVisit, const CheckersTy &checkers,
148                      const Stmt *s, ExprEngine &eng, bool wasInlined = false)
149       : IsPreVisit(isPreVisit), Checkers(checkers), S(s), Eng(eng),
150         WasInlined(wasInlined) {}
151 
runChecker__anon1e2187ec0111::CheckStmtContext152     void runChecker(CheckerManager::CheckStmtFunc checkFn,
153                     NodeBuilder &Bldr, ExplodedNode *Pred) {
154       // FIXME: Remove respondsToCallback from CheckerContext;
155       ProgramPoint::Kind K =  IsPreVisit ? ProgramPoint::PreStmtKind :
156                                            ProgramPoint::PostStmtKind;
157       const ProgramPoint &L = ProgramPoint::getProgramPoint(S, K,
158                                 Pred->getLocationContext(), checkFn.Checker);
159       CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
160       checkFn(S, C);
161     }
162   };
163 }
164 
165 /// \brief Run checkers for visiting Stmts.
runCheckersForStmt(bool isPreVisit,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const Stmt * S,ExprEngine & Eng,bool WasInlined)166 void CheckerManager::runCheckersForStmt(bool isPreVisit,
167                                         ExplodedNodeSet &Dst,
168                                         const ExplodedNodeSet &Src,
169                                         const Stmt *S,
170                                         ExprEngine &Eng,
171                                         bool WasInlined) {
172   CheckStmtContext C(isPreVisit, getCachedStmtCheckersFor(S, isPreVisit),
173                      S, Eng, WasInlined);
174   expandGraphWithCheckers(C, Dst, Src);
175 }
176 
177 namespace {
178   struct CheckObjCMessageContext {
179     typedef std::vector<CheckerManager::CheckObjCMessageFunc> CheckersTy;
180 
181     ObjCMessageVisitKind Kind;
182     bool WasInlined;
183     const CheckersTy &Checkers;
184     const ObjCMethodCall &Msg;
185     ExprEngine &Eng;
186 
checkers_begin__anon1e2187ec0211::CheckObjCMessageContext187     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon1e2187ec0211::CheckObjCMessageContext188     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
189 
CheckObjCMessageContext__anon1e2187ec0211::CheckObjCMessageContext190     CheckObjCMessageContext(ObjCMessageVisitKind visitKind,
191                             const CheckersTy &checkers,
192                             const ObjCMethodCall &msg, ExprEngine &eng,
193                             bool wasInlined)
194       : Kind(visitKind), WasInlined(wasInlined), Checkers(checkers),
195         Msg(msg), Eng(eng) { }
196 
runChecker__anon1e2187ec0211::CheckObjCMessageContext197     void runChecker(CheckerManager::CheckObjCMessageFunc checkFn,
198                     NodeBuilder &Bldr, ExplodedNode *Pred) {
199 
200       bool IsPreVisit;
201 
202       switch (Kind) {
203         case ObjCMessageVisitKind::Pre:
204           IsPreVisit = true;
205           break;
206         case ObjCMessageVisitKind::MessageNil:
207         case ObjCMessageVisitKind::Post:
208           IsPreVisit = false;
209           break;
210       }
211 
212       const ProgramPoint &L = Msg.getProgramPoint(IsPreVisit,checkFn.Checker);
213       CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
214 
215       checkFn(*Msg.cloneWithState<ObjCMethodCall>(Pred->getState()), C);
216     }
217   };
218 }
219 
220 /// \brief Run checkers for visiting obj-c messages.
runCheckersForObjCMessage(ObjCMessageVisitKind visitKind,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const ObjCMethodCall & msg,ExprEngine & Eng,bool WasInlined)221 void CheckerManager::runCheckersForObjCMessage(ObjCMessageVisitKind visitKind,
222                                                ExplodedNodeSet &Dst,
223                                                const ExplodedNodeSet &Src,
224                                                const ObjCMethodCall &msg,
225                                                ExprEngine &Eng,
226                                                bool WasInlined) {
227   auto &checkers = getObjCMessageCheckers(visitKind);
228   CheckObjCMessageContext C(visitKind, checkers, msg, Eng, WasInlined);
229   expandGraphWithCheckers(C, Dst, Src);
230 }
231 
232 const std::vector<CheckerManager::CheckObjCMessageFunc> &
getObjCMessageCheckers(ObjCMessageVisitKind Kind)233 CheckerManager::getObjCMessageCheckers(ObjCMessageVisitKind Kind) {
234   switch (Kind) {
235   case ObjCMessageVisitKind::Pre:
236     return PreObjCMessageCheckers;
237     break;
238   case ObjCMessageVisitKind::Post:
239     return PostObjCMessageCheckers;
240   case ObjCMessageVisitKind::MessageNil:
241     return ObjCMessageNilCheckers;
242   }
243   llvm_unreachable("Unknown Kind");
244 }
245 namespace {
246   // FIXME: This has all the same signatures as CheckObjCMessageContext.
247   // Is there a way we can merge the two?
248   struct CheckCallContext {
249     typedef std::vector<CheckerManager::CheckCallFunc> CheckersTy;
250     bool IsPreVisit, WasInlined;
251     const CheckersTy &Checkers;
252     const CallEvent &Call;
253     ExprEngine &Eng;
254 
checkers_begin__anon1e2187ec0311::CheckCallContext255     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon1e2187ec0311::CheckCallContext256     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
257 
CheckCallContext__anon1e2187ec0311::CheckCallContext258     CheckCallContext(bool isPreVisit, const CheckersTy &checkers,
259                      const CallEvent &call, ExprEngine &eng,
260                      bool wasInlined)
261     : IsPreVisit(isPreVisit), WasInlined(wasInlined), Checkers(checkers),
262       Call(call), Eng(eng) { }
263 
runChecker__anon1e2187ec0311::CheckCallContext264     void runChecker(CheckerManager::CheckCallFunc checkFn,
265                     NodeBuilder &Bldr, ExplodedNode *Pred) {
266       const ProgramPoint &L = Call.getProgramPoint(IsPreVisit,checkFn.Checker);
267       CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
268 
269       checkFn(*Call.cloneWithState(Pred->getState()), C);
270     }
271   };
272 }
273 
274 /// \brief Run checkers for visiting an abstract call event.
runCheckersForCallEvent(bool isPreVisit,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const CallEvent & Call,ExprEngine & Eng,bool WasInlined)275 void CheckerManager::runCheckersForCallEvent(bool isPreVisit,
276                                              ExplodedNodeSet &Dst,
277                                              const ExplodedNodeSet &Src,
278                                              const CallEvent &Call,
279                                              ExprEngine &Eng,
280                                              bool WasInlined) {
281   CheckCallContext C(isPreVisit,
282                      isPreVisit ? PreCallCheckers
283                                 : PostCallCheckers,
284                      Call, Eng, WasInlined);
285   expandGraphWithCheckers(C, Dst, Src);
286 }
287 
288 namespace {
289   struct CheckLocationContext {
290     typedef std::vector<CheckerManager::CheckLocationFunc> CheckersTy;
291     const CheckersTy &Checkers;
292     SVal Loc;
293     bool IsLoad;
294     const Stmt *NodeEx; /* Will become a CFGStmt */
295     const Stmt *BoundEx;
296     ExprEngine &Eng;
297 
checkers_begin__anon1e2187ec0411::CheckLocationContext298     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon1e2187ec0411::CheckLocationContext299     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
300 
CheckLocationContext__anon1e2187ec0411::CheckLocationContext301     CheckLocationContext(const CheckersTy &checkers,
302                          SVal loc, bool isLoad, const Stmt *NodeEx,
303                          const Stmt *BoundEx,
304                          ExprEngine &eng)
305       : Checkers(checkers), Loc(loc), IsLoad(isLoad), NodeEx(NodeEx),
306         BoundEx(BoundEx), Eng(eng) {}
307 
runChecker__anon1e2187ec0411::CheckLocationContext308     void runChecker(CheckerManager::CheckLocationFunc checkFn,
309                     NodeBuilder &Bldr, ExplodedNode *Pred) {
310       ProgramPoint::Kind K =  IsLoad ? ProgramPoint::PreLoadKind :
311                                        ProgramPoint::PreStoreKind;
312       const ProgramPoint &L =
313         ProgramPoint::getProgramPoint(NodeEx, K,
314                                       Pred->getLocationContext(),
315                                       checkFn.Checker);
316       CheckerContext C(Bldr, Eng, Pred, L);
317       checkFn(Loc, IsLoad, BoundEx, C);
318     }
319   };
320 }
321 
322 /// \brief Run checkers for load/store of a location.
323 
runCheckersForLocation(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,SVal location,bool isLoad,const Stmt * NodeEx,const Stmt * BoundEx,ExprEngine & Eng)324 void CheckerManager::runCheckersForLocation(ExplodedNodeSet &Dst,
325                                             const ExplodedNodeSet &Src,
326                                             SVal location, bool isLoad,
327                                             const Stmt *NodeEx,
328                                             const Stmt *BoundEx,
329                                             ExprEngine &Eng) {
330   CheckLocationContext C(LocationCheckers, location, isLoad, NodeEx,
331                          BoundEx, Eng);
332   expandGraphWithCheckers(C, Dst, Src);
333 }
334 
335 namespace {
336   struct CheckBindContext {
337     typedef std::vector<CheckerManager::CheckBindFunc> CheckersTy;
338     const CheckersTy &Checkers;
339     SVal Loc;
340     SVal Val;
341     const Stmt *S;
342     ExprEngine &Eng;
343     const ProgramPoint &PP;
344 
checkers_begin__anon1e2187ec0511::CheckBindContext345     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon1e2187ec0511::CheckBindContext346     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
347 
CheckBindContext__anon1e2187ec0511::CheckBindContext348     CheckBindContext(const CheckersTy &checkers,
349                      SVal loc, SVal val, const Stmt *s, ExprEngine &eng,
350                      const ProgramPoint &pp)
351       : Checkers(checkers), Loc(loc), Val(val), S(s), Eng(eng), PP(pp) {}
352 
runChecker__anon1e2187ec0511::CheckBindContext353     void runChecker(CheckerManager::CheckBindFunc checkFn,
354                     NodeBuilder &Bldr, ExplodedNode *Pred) {
355       const ProgramPoint &L = PP.withTag(checkFn.Checker);
356       CheckerContext C(Bldr, Eng, Pred, L);
357 
358       checkFn(Loc, Val, S, C);
359     }
360   };
361 }
362 
363 /// \brief Run checkers for binding of a value to a location.
runCheckersForBind(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,SVal location,SVal val,const Stmt * S,ExprEngine & Eng,const ProgramPoint & PP)364 void CheckerManager::runCheckersForBind(ExplodedNodeSet &Dst,
365                                         const ExplodedNodeSet &Src,
366                                         SVal location, SVal val,
367                                         const Stmt *S, ExprEngine &Eng,
368                                         const ProgramPoint &PP) {
369   CheckBindContext C(BindCheckers, location, val, S, Eng, PP);
370   expandGraphWithCheckers(C, Dst, Src);
371 }
372 
runCheckersForEndAnalysis(ExplodedGraph & G,BugReporter & BR,ExprEngine & Eng)373 void CheckerManager::runCheckersForEndAnalysis(ExplodedGraph &G,
374                                                BugReporter &BR,
375                                                ExprEngine &Eng) {
376   for (unsigned i = 0, e = EndAnalysisCheckers.size(); i != e; ++i)
377     EndAnalysisCheckers[i](G, BR, Eng);
378 }
379 
380 namespace {
381 struct CheckBeginFunctionContext {
382   typedef std::vector<CheckerManager::CheckBeginFunctionFunc> CheckersTy;
383   const CheckersTy &Checkers;
384   ExprEngine &Eng;
385   const ProgramPoint &PP;
386 
checkers_begin__anon1e2187ec0611::CheckBeginFunctionContext387   CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon1e2187ec0611::CheckBeginFunctionContext388   CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
389 
CheckBeginFunctionContext__anon1e2187ec0611::CheckBeginFunctionContext390   CheckBeginFunctionContext(const CheckersTy &Checkers, ExprEngine &Eng,
391                             const ProgramPoint &PP)
392       : Checkers(Checkers), Eng(Eng), PP(PP) {}
393 
runChecker__anon1e2187ec0611::CheckBeginFunctionContext394   void runChecker(CheckerManager::CheckBeginFunctionFunc checkFn,
395                   NodeBuilder &Bldr, ExplodedNode *Pred) {
396     const ProgramPoint &L = PP.withTag(checkFn.Checker);
397     CheckerContext C(Bldr, Eng, Pred, L);
398 
399     checkFn(C);
400   }
401 };
402 }
403 
runCheckersForBeginFunction(ExplodedNodeSet & Dst,const BlockEdge & L,ExplodedNode * Pred,ExprEngine & Eng)404 void CheckerManager::runCheckersForBeginFunction(ExplodedNodeSet &Dst,
405                                                  const BlockEdge &L,
406                                                  ExplodedNode *Pred,
407                                                  ExprEngine &Eng) {
408   ExplodedNodeSet Src;
409   Src.insert(Pred);
410   CheckBeginFunctionContext C(BeginFunctionCheckers, Eng, L);
411   expandGraphWithCheckers(C, Dst, Src);
412 }
413 
414 /// \brief Run checkers for end of path.
415 // Note, We do not chain the checker output (like in expandGraphWithCheckers)
416 // for this callback since end of path nodes are expected to be final.
runCheckersForEndFunction(NodeBuilderContext & BC,ExplodedNodeSet & Dst,ExplodedNode * Pred,ExprEngine & Eng)417 void CheckerManager::runCheckersForEndFunction(NodeBuilderContext &BC,
418                                                ExplodedNodeSet &Dst,
419                                                ExplodedNode *Pred,
420                                                ExprEngine &Eng) {
421 
422   // We define the builder outside of the loop bacause if at least one checkers
423   // creates a sucsessor for Pred, we do not need to generate an
424   // autotransition for it.
425   NodeBuilder Bldr(Pred, Dst, BC);
426   for (unsigned i = 0, e = EndFunctionCheckers.size(); i != e; ++i) {
427     CheckEndFunctionFunc checkFn = EndFunctionCheckers[i];
428 
429     const ProgramPoint &L = BlockEntrance(BC.Block,
430                                           Pred->getLocationContext(),
431                                           checkFn.Checker);
432     CheckerContext C(Bldr, Eng, Pred, L);
433     checkFn(C);
434   }
435 }
436 
437 namespace {
438   struct CheckBranchConditionContext {
439     typedef std::vector<CheckerManager::CheckBranchConditionFunc> CheckersTy;
440     const CheckersTy &Checkers;
441     const Stmt *Condition;
442     ExprEngine &Eng;
443 
checkers_begin__anon1e2187ec0711::CheckBranchConditionContext444     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon1e2187ec0711::CheckBranchConditionContext445     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
446 
CheckBranchConditionContext__anon1e2187ec0711::CheckBranchConditionContext447     CheckBranchConditionContext(const CheckersTy &checkers,
448                                 const Stmt *Cond, ExprEngine &eng)
449       : Checkers(checkers), Condition(Cond), Eng(eng) {}
450 
runChecker__anon1e2187ec0711::CheckBranchConditionContext451     void runChecker(CheckerManager::CheckBranchConditionFunc checkFn,
452                     NodeBuilder &Bldr, ExplodedNode *Pred) {
453       ProgramPoint L = PostCondition(Condition, Pred->getLocationContext(),
454                                      checkFn.Checker);
455       CheckerContext C(Bldr, Eng, Pred, L);
456       checkFn(Condition, C);
457     }
458   };
459 }
460 
461 /// \brief Run checkers for branch condition.
runCheckersForBranchCondition(const Stmt * Condition,ExplodedNodeSet & Dst,ExplodedNode * Pred,ExprEngine & Eng)462 void CheckerManager::runCheckersForBranchCondition(const Stmt *Condition,
463                                                    ExplodedNodeSet &Dst,
464                                                    ExplodedNode *Pred,
465                                                    ExprEngine &Eng) {
466   ExplodedNodeSet Src;
467   Src.insert(Pred);
468   CheckBranchConditionContext C(BranchConditionCheckers, Condition, Eng);
469   expandGraphWithCheckers(C, Dst, Src);
470 }
471 
472 /// \brief Run checkers for live symbols.
runCheckersForLiveSymbols(ProgramStateRef state,SymbolReaper & SymReaper)473 void CheckerManager::runCheckersForLiveSymbols(ProgramStateRef state,
474                                                SymbolReaper &SymReaper) {
475   for (unsigned i = 0, e = LiveSymbolsCheckers.size(); i != e; ++i)
476     LiveSymbolsCheckers[i](state, SymReaper);
477 }
478 
479 namespace {
480   struct CheckDeadSymbolsContext {
481     typedef std::vector<CheckerManager::CheckDeadSymbolsFunc> CheckersTy;
482     const CheckersTy &Checkers;
483     SymbolReaper &SR;
484     const Stmt *S;
485     ExprEngine &Eng;
486     ProgramPoint::Kind ProgarmPointKind;
487 
checkers_begin__anon1e2187ec0811::CheckDeadSymbolsContext488     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon1e2187ec0811::CheckDeadSymbolsContext489     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
490 
CheckDeadSymbolsContext__anon1e2187ec0811::CheckDeadSymbolsContext491     CheckDeadSymbolsContext(const CheckersTy &checkers, SymbolReaper &sr,
492                             const Stmt *s, ExprEngine &eng,
493                             ProgramPoint::Kind K)
494       : Checkers(checkers), SR(sr), S(s), Eng(eng), ProgarmPointKind(K) { }
495 
runChecker__anon1e2187ec0811::CheckDeadSymbolsContext496     void runChecker(CheckerManager::CheckDeadSymbolsFunc checkFn,
497                     NodeBuilder &Bldr, ExplodedNode *Pred) {
498       const ProgramPoint &L = ProgramPoint::getProgramPoint(S, ProgarmPointKind,
499                                 Pred->getLocationContext(), checkFn.Checker);
500       CheckerContext C(Bldr, Eng, Pred, L);
501 
502       // Note, do not pass the statement to the checkers without letting them
503       // differentiate if we ran remove dead bindings before or after the
504       // statement.
505       checkFn(SR, C);
506     }
507   };
508 }
509 
510 /// \brief Run checkers for dead symbols.
runCheckersForDeadSymbols(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,SymbolReaper & SymReaper,const Stmt * S,ExprEngine & Eng,ProgramPoint::Kind K)511 void CheckerManager::runCheckersForDeadSymbols(ExplodedNodeSet &Dst,
512                                                const ExplodedNodeSet &Src,
513                                                SymbolReaper &SymReaper,
514                                                const Stmt *S,
515                                                ExprEngine &Eng,
516                                                ProgramPoint::Kind K) {
517   CheckDeadSymbolsContext C(DeadSymbolsCheckers, SymReaper, S, Eng, K);
518   expandGraphWithCheckers(C, Dst, Src);
519 }
520 
521 /// \brief True if at least one checker wants to check region changes.
wantsRegionChangeUpdate(ProgramStateRef state)522 bool CheckerManager::wantsRegionChangeUpdate(ProgramStateRef state) {
523   for (unsigned i = 0, e = RegionChangesCheckers.size(); i != e; ++i)
524     if (RegionChangesCheckers[i].WantUpdateFn(state))
525       return true;
526 
527   return false;
528 }
529 
530 /// \brief Run checkers for region changes.
531 ProgramStateRef
runCheckersForRegionChanges(ProgramStateRef state,const InvalidatedSymbols * invalidated,ArrayRef<const MemRegion * > ExplicitRegions,ArrayRef<const MemRegion * > Regions,const CallEvent * Call)532 CheckerManager::runCheckersForRegionChanges(ProgramStateRef state,
533                                     const InvalidatedSymbols *invalidated,
534                                     ArrayRef<const MemRegion *> ExplicitRegions,
535                                     ArrayRef<const MemRegion *> Regions,
536                                     const CallEvent *Call) {
537   for (unsigned i = 0, e = RegionChangesCheckers.size(); i != e; ++i) {
538     // If any checker declares the state infeasible (or if it starts that way),
539     // bail out.
540     if (!state)
541       return nullptr;
542     state = RegionChangesCheckers[i].CheckFn(state, invalidated,
543                                              ExplicitRegions, Regions, Call);
544   }
545   return state;
546 }
547 
548 /// \brief Run checkers to process symbol escape event.
549 ProgramStateRef
runCheckersForPointerEscape(ProgramStateRef State,const InvalidatedSymbols & Escaped,const CallEvent * Call,PointerEscapeKind Kind,RegionAndSymbolInvalidationTraits * ETraits)550 CheckerManager::runCheckersForPointerEscape(ProgramStateRef State,
551                                    const InvalidatedSymbols &Escaped,
552                                    const CallEvent *Call,
553                                    PointerEscapeKind Kind,
554                                    RegionAndSymbolInvalidationTraits *ETraits) {
555   assert((Call != nullptr ||
556           (Kind != PSK_DirectEscapeOnCall &&
557            Kind != PSK_IndirectEscapeOnCall)) &&
558          "Call must not be NULL when escaping on call");
559     for (unsigned i = 0, e = PointerEscapeCheckers.size(); i != e; ++i) {
560       // If any checker declares the state infeasible (or if it starts that
561       //  way), bail out.
562       if (!State)
563         return nullptr;
564       State = PointerEscapeCheckers[i](State, Escaped, Call, Kind, ETraits);
565     }
566   return State;
567 }
568 
569 /// \brief Run checkers for handling assumptions on symbolic values.
570 ProgramStateRef
runCheckersForEvalAssume(ProgramStateRef state,SVal Cond,bool Assumption)571 CheckerManager::runCheckersForEvalAssume(ProgramStateRef state,
572                                          SVal Cond, bool Assumption) {
573   for (unsigned i = 0, e = EvalAssumeCheckers.size(); i != e; ++i) {
574     // If any checker declares the state infeasible (or if it starts that way),
575     // bail out.
576     if (!state)
577       return nullptr;
578     state = EvalAssumeCheckers[i](state, Cond, Assumption);
579   }
580   return state;
581 }
582 
583 /// \brief Run checkers for evaluating a call.
584 /// Only one checker will evaluate the call.
runCheckersForEvalCall(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const CallEvent & Call,ExprEngine & Eng)585 void CheckerManager::runCheckersForEvalCall(ExplodedNodeSet &Dst,
586                                             const ExplodedNodeSet &Src,
587                                             const CallEvent &Call,
588                                             ExprEngine &Eng) {
589   const CallExpr *CE = cast<CallExpr>(Call.getOriginExpr());
590   for (ExplodedNodeSet::iterator
591          NI = Src.begin(), NE = Src.end(); NI != NE; ++NI) {
592     ExplodedNode *Pred = *NI;
593     bool anyEvaluated = false;
594 
595     ExplodedNodeSet checkDst;
596     NodeBuilder B(Pred, checkDst, Eng.getBuilderContext());
597 
598     // Check if any of the EvalCall callbacks can evaluate the call.
599     for (std::vector<EvalCallFunc>::iterator
600            EI = EvalCallCheckers.begin(), EE = EvalCallCheckers.end();
601          EI != EE; ++EI) {
602       ProgramPoint::Kind K = ProgramPoint::PostStmtKind;
603       const ProgramPoint &L = ProgramPoint::getProgramPoint(CE, K,
604                                 Pred->getLocationContext(), EI->Checker);
605       bool evaluated = false;
606       { // CheckerContext generates transitions(populates checkDest) on
607         // destruction, so introduce the scope to make sure it gets properly
608         // populated.
609         CheckerContext C(B, Eng, Pred, L);
610         evaluated = (*EI)(CE, C);
611       }
612       assert(!(evaluated && anyEvaluated)
613              && "There are more than one checkers evaluating the call");
614       if (evaluated) {
615         anyEvaluated = true;
616         Dst.insert(checkDst);
617 #ifdef NDEBUG
618         break; // on release don't check that no other checker also evals.
619 #endif
620       }
621     }
622 
623     // If none of the checkers evaluated the call, ask ExprEngine to handle it.
624     if (!anyEvaluated) {
625       NodeBuilder B(Pred, Dst, Eng.getBuilderContext());
626       Eng.defaultEvalCall(B, Pred, Call);
627     }
628   }
629 }
630 
631 /// \brief Run checkers for the entire Translation Unit.
runCheckersOnEndOfTranslationUnit(const TranslationUnitDecl * TU,AnalysisManager & mgr,BugReporter & BR)632 void CheckerManager::runCheckersOnEndOfTranslationUnit(
633                                                   const TranslationUnitDecl *TU,
634                                                   AnalysisManager &mgr,
635                                                   BugReporter &BR) {
636   for (unsigned i = 0, e = EndOfTranslationUnitCheckers.size(); i != e; ++i)
637     EndOfTranslationUnitCheckers[i](TU, mgr, BR);
638 }
639 
runCheckersForPrintState(raw_ostream & Out,ProgramStateRef State,const char * NL,const char * Sep)640 void CheckerManager::runCheckersForPrintState(raw_ostream &Out,
641                                               ProgramStateRef State,
642                                               const char *NL, const char *Sep) {
643   for (llvm::DenseMap<CheckerTag, CheckerRef>::iterator
644         I = CheckerTags.begin(), E = CheckerTags.end(); I != E; ++I)
645     I->second->printState(Out, State, NL, Sep);
646 }
647 
648 //===----------------------------------------------------------------------===//
649 // Internal registration functions for AST traversing.
650 //===----------------------------------------------------------------------===//
651 
_registerForDecl(CheckDeclFunc checkfn,HandlesDeclFunc isForDeclFn)652 void CheckerManager::_registerForDecl(CheckDeclFunc checkfn,
653                                       HandlesDeclFunc isForDeclFn) {
654   DeclCheckerInfo info = { checkfn, isForDeclFn };
655   DeclCheckers.push_back(info);
656 }
657 
_registerForBody(CheckDeclFunc checkfn)658 void CheckerManager::_registerForBody(CheckDeclFunc checkfn) {
659   BodyCheckers.push_back(checkfn);
660 }
661 
662 //===----------------------------------------------------------------------===//
663 // Internal registration functions for path-sensitive checking.
664 //===----------------------------------------------------------------------===//
665 
_registerForPreStmt(CheckStmtFunc checkfn,HandlesStmtFunc isForStmtFn)666 void CheckerManager::_registerForPreStmt(CheckStmtFunc checkfn,
667                                          HandlesStmtFunc isForStmtFn) {
668   StmtCheckerInfo info = { checkfn, isForStmtFn, /*IsPreVisit*/true };
669   StmtCheckers.push_back(info);
670 }
_registerForPostStmt(CheckStmtFunc checkfn,HandlesStmtFunc isForStmtFn)671 void CheckerManager::_registerForPostStmt(CheckStmtFunc checkfn,
672                                           HandlesStmtFunc isForStmtFn) {
673   StmtCheckerInfo info = { checkfn, isForStmtFn, /*IsPreVisit*/false };
674   StmtCheckers.push_back(info);
675 }
676 
_registerForPreObjCMessage(CheckObjCMessageFunc checkfn)677 void CheckerManager::_registerForPreObjCMessage(CheckObjCMessageFunc checkfn) {
678   PreObjCMessageCheckers.push_back(checkfn);
679 }
680 
_registerForObjCMessageNil(CheckObjCMessageFunc checkfn)681 void CheckerManager::_registerForObjCMessageNil(CheckObjCMessageFunc checkfn) {
682   ObjCMessageNilCheckers.push_back(checkfn);
683 }
684 
_registerForPostObjCMessage(CheckObjCMessageFunc checkfn)685 void CheckerManager::_registerForPostObjCMessage(CheckObjCMessageFunc checkfn) {
686   PostObjCMessageCheckers.push_back(checkfn);
687 }
688 
_registerForPreCall(CheckCallFunc checkfn)689 void CheckerManager::_registerForPreCall(CheckCallFunc checkfn) {
690   PreCallCheckers.push_back(checkfn);
691 }
_registerForPostCall(CheckCallFunc checkfn)692 void CheckerManager::_registerForPostCall(CheckCallFunc checkfn) {
693   PostCallCheckers.push_back(checkfn);
694 }
695 
_registerForLocation(CheckLocationFunc checkfn)696 void CheckerManager::_registerForLocation(CheckLocationFunc checkfn) {
697   LocationCheckers.push_back(checkfn);
698 }
699 
_registerForBind(CheckBindFunc checkfn)700 void CheckerManager::_registerForBind(CheckBindFunc checkfn) {
701   BindCheckers.push_back(checkfn);
702 }
703 
_registerForEndAnalysis(CheckEndAnalysisFunc checkfn)704 void CheckerManager::_registerForEndAnalysis(CheckEndAnalysisFunc checkfn) {
705   EndAnalysisCheckers.push_back(checkfn);
706 }
707 
_registerForBeginFunction(CheckBeginFunctionFunc checkfn)708 void CheckerManager::_registerForBeginFunction(CheckBeginFunctionFunc checkfn) {
709   BeginFunctionCheckers.push_back(checkfn);
710 }
711 
_registerForEndFunction(CheckEndFunctionFunc checkfn)712 void CheckerManager::_registerForEndFunction(CheckEndFunctionFunc checkfn) {
713   EndFunctionCheckers.push_back(checkfn);
714 }
715 
_registerForBranchCondition(CheckBranchConditionFunc checkfn)716 void CheckerManager::_registerForBranchCondition(
717                                              CheckBranchConditionFunc checkfn) {
718   BranchConditionCheckers.push_back(checkfn);
719 }
720 
_registerForLiveSymbols(CheckLiveSymbolsFunc checkfn)721 void CheckerManager::_registerForLiveSymbols(CheckLiveSymbolsFunc checkfn) {
722   LiveSymbolsCheckers.push_back(checkfn);
723 }
724 
_registerForDeadSymbols(CheckDeadSymbolsFunc checkfn)725 void CheckerManager::_registerForDeadSymbols(CheckDeadSymbolsFunc checkfn) {
726   DeadSymbolsCheckers.push_back(checkfn);
727 }
728 
_registerForRegionChanges(CheckRegionChangesFunc checkfn,WantsRegionChangeUpdateFunc wantUpdateFn)729 void CheckerManager::_registerForRegionChanges(CheckRegionChangesFunc checkfn,
730                                      WantsRegionChangeUpdateFunc wantUpdateFn) {
731   RegionChangesCheckerInfo info = {checkfn, wantUpdateFn};
732   RegionChangesCheckers.push_back(info);
733 }
734 
_registerForPointerEscape(CheckPointerEscapeFunc checkfn)735 void CheckerManager::_registerForPointerEscape(CheckPointerEscapeFunc checkfn){
736   PointerEscapeCheckers.push_back(checkfn);
737 }
738 
_registerForConstPointerEscape(CheckPointerEscapeFunc checkfn)739 void CheckerManager::_registerForConstPointerEscape(
740                                           CheckPointerEscapeFunc checkfn) {
741   PointerEscapeCheckers.push_back(checkfn);
742 }
743 
_registerForEvalAssume(EvalAssumeFunc checkfn)744 void CheckerManager::_registerForEvalAssume(EvalAssumeFunc checkfn) {
745   EvalAssumeCheckers.push_back(checkfn);
746 }
747 
_registerForEvalCall(EvalCallFunc checkfn)748 void CheckerManager::_registerForEvalCall(EvalCallFunc checkfn) {
749   EvalCallCheckers.push_back(checkfn);
750 }
751 
_registerForEndOfTranslationUnit(CheckEndOfTranslationUnit checkfn)752 void CheckerManager::_registerForEndOfTranslationUnit(
753                                             CheckEndOfTranslationUnit checkfn) {
754   EndOfTranslationUnitCheckers.push_back(checkfn);
755 }
756 
757 //===----------------------------------------------------------------------===//
758 // Implementation details.
759 //===----------------------------------------------------------------------===//
760 
761 const CheckerManager::CachedStmtCheckers &
getCachedStmtCheckersFor(const Stmt * S,bool isPreVisit)762 CheckerManager::getCachedStmtCheckersFor(const Stmt *S, bool isPreVisit) {
763   assert(S);
764 
765   unsigned Key = (S->getStmtClass() << 1) | unsigned(isPreVisit);
766   CachedStmtCheckersMapTy::iterator CCI = CachedStmtCheckersMap.find(Key);
767   if (CCI != CachedStmtCheckersMap.end())
768     return CCI->second;
769 
770   // Find the checkers that should run for this Stmt and cache them.
771   CachedStmtCheckers &Checkers = CachedStmtCheckersMap[Key];
772   for (unsigned i = 0, e = StmtCheckers.size(); i != e; ++i) {
773     StmtCheckerInfo &Info = StmtCheckers[i];
774     if (Info.IsPreVisit == isPreVisit && Info.IsForStmtFn(S))
775       Checkers.push_back(Info.CheckFn);
776   }
777   return Checkers;
778 }
779 
~CheckerManager()780 CheckerManager::~CheckerManager() {
781   for (unsigned i = 0, e = CheckerDtors.size(); i != e; ++i)
782     CheckerDtors[i]();
783 }
784