1 //==- CoreEngine.h - Path-Sensitive Dataflow Engine ----------------*- C++ -*-// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines a generic engine for intraprocedural, path-sensitive, 11 // dataflow analysis via graph reachability. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #ifndef LLVM_CLANG_GR_COREENGINE 16 #define LLVM_CLANG_GR_COREENGINE 17 18 #include "clang/AST/Expr.h" 19 #include "clang/Analysis/AnalysisContext.h" 20 #include "clang/StaticAnalyzer/Core/PathSensitive/BlockCounter.h" 21 #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h" 22 #include "clang/StaticAnalyzer/Core/PathSensitive/FunctionSummary.h" 23 #include "clang/StaticAnalyzer/Core/PathSensitive/WorkList.h" 24 #include <memory> 25 26 namespace clang { 27 28 class ProgramPointTag; 29 30 namespace ento { 31 32 class NodeBuilder; 33 34 //===----------------------------------------------------------------------===// 35 /// CoreEngine - Implements the core logic of the graph-reachability 36 /// analysis. It traverses the CFG and generates the ExplodedGraph. 37 /// Program "states" are treated as opaque void pointers. 38 /// The template class CoreEngine (which subclasses CoreEngine) 39 /// provides the matching component to the engine that knows the actual types 40 /// for states. Note that this engine only dispatches to transfer functions 41 /// at the statement and block-level. The analyses themselves must implement 42 /// any transfer function logic and the sub-expression level (if any). 43 class CoreEngine { 44 friend struct NodeBuilderContext; 45 friend class NodeBuilder; 46 friend class ExprEngine; 47 friend class CommonNodeBuilder; 48 friend class IndirectGotoNodeBuilder; 49 friend class SwitchNodeBuilder; 50 friend class EndOfFunctionNodeBuilder; 51 public: 52 typedef std::vector<std::pair<BlockEdge, const ExplodedNode*> > 53 BlocksExhausted; 54 55 typedef std::vector<std::pair<const CFGBlock*, const ExplodedNode*> > 56 BlocksAborted; 57 58 private: 59 60 SubEngine& SubEng; 61 62 /// G - The simulation graph. Each node is a (location,state) pair. 63 std::unique_ptr<ExplodedGraph> G; 64 65 /// WList - A set of queued nodes that need to be processed by the 66 /// worklist algorithm. It is up to the implementation of WList to decide 67 /// the order that nodes are processed. 68 std::unique_ptr<WorkList> WList; 69 70 /// BCounterFactory - A factory object for created BlockCounter objects. 71 /// These are used to record for key nodes in the ExplodedGraph the 72 /// number of times different CFGBlocks have been visited along a path. 73 BlockCounter::Factory BCounterFactory; 74 75 /// The locations where we stopped doing work because we visited a location 76 /// too many times. 77 BlocksExhausted blocksExhausted; 78 79 /// The locations where we stopped because the engine aborted analysis, 80 /// usually because it could not reason about something. 81 BlocksAborted blocksAborted; 82 83 /// The information about functions shared by the whole translation unit. 84 /// (This data is owned by AnalysisConsumer.) 85 FunctionSummariesTy *FunctionSummaries; 86 87 void generateNode(const ProgramPoint &Loc, 88 ProgramStateRef State, 89 ExplodedNode *Pred); 90 91 void HandleBlockEdge(const BlockEdge &E, ExplodedNode *Pred); 92 void HandleBlockEntrance(const BlockEntrance &E, ExplodedNode *Pred); 93 void HandleBlockExit(const CFGBlock *B, ExplodedNode *Pred); 94 void HandlePostStmt(const CFGBlock *B, unsigned StmtIdx, ExplodedNode *Pred); 95 96 void HandleBranch(const Stmt *Cond, const Stmt *Term, const CFGBlock *B, 97 ExplodedNode *Pred); 98 99 /// Handle conditional logic for running static initializers. 100 void HandleStaticInit(const DeclStmt *DS, const CFGBlock *B, 101 ExplodedNode *Pred); 102 103 private: 104 CoreEngine(const CoreEngine &) LLVM_DELETED_FUNCTION; 105 void operator=(const CoreEngine &) LLVM_DELETED_FUNCTION; 106 107 ExplodedNode *generateCallExitBeginNode(ExplodedNode *N); 108 109 public: 110 /// Construct a CoreEngine object to analyze the provided CFG. CoreEngine(SubEngine & subengine,FunctionSummariesTy * FS)111 CoreEngine(SubEngine& subengine, 112 FunctionSummariesTy *FS) 113 : SubEng(subengine), G(new ExplodedGraph()), 114 WList(WorkList::makeDFS()), 115 BCounterFactory(G->getAllocator()), 116 FunctionSummaries(FS){} 117 118 /// getGraph - Returns the exploded graph. getGraph()119 ExplodedGraph& getGraph() { return *G.get(); } 120 121 /// takeGraph - Returns the exploded graph. Ownership of the graph is 122 /// transferred to the caller. takeGraph()123 ExplodedGraph *takeGraph() { return G.release(); } 124 125 /// ExecuteWorkList - Run the worklist algorithm for a maximum number of 126 /// steps. Returns true if there is still simulation state on the worklist. 127 bool ExecuteWorkList(const LocationContext *L, unsigned Steps, 128 ProgramStateRef InitState); 129 /// Returns true if there is still simulation state on the worklist. 130 bool ExecuteWorkListWithInitialState(const LocationContext *L, 131 unsigned Steps, 132 ProgramStateRef InitState, 133 ExplodedNodeSet &Dst); 134 135 /// Dispatch the work list item based on the given location information. 136 /// Use Pred parameter as the predecessor state. 137 void dispatchWorkItem(ExplodedNode* Pred, ProgramPoint Loc, 138 const WorkListUnit& WU); 139 140 // Functions for external checking of whether we have unfinished work wasBlockAborted()141 bool wasBlockAborted() const { return !blocksAborted.empty(); } wasBlocksExhausted()142 bool wasBlocksExhausted() const { return !blocksExhausted.empty(); } hasWorkRemaining()143 bool hasWorkRemaining() const { return wasBlocksExhausted() || 144 WList->hasWork() || 145 wasBlockAborted(); } 146 147 /// Inform the CoreEngine that a basic block was aborted because 148 /// it could not be completely analyzed. addAbortedBlock(const ExplodedNode * node,const CFGBlock * block)149 void addAbortedBlock(const ExplodedNode *node, const CFGBlock *block) { 150 blocksAborted.push_back(std::make_pair(block, node)); 151 } 152 getWorkList()153 WorkList *getWorkList() const { return WList.get(); } 154 blocks_exhausted_begin()155 BlocksExhausted::const_iterator blocks_exhausted_begin() const { 156 return blocksExhausted.begin(); 157 } blocks_exhausted_end()158 BlocksExhausted::const_iterator blocks_exhausted_end() const { 159 return blocksExhausted.end(); 160 } blocks_aborted_begin()161 BlocksAborted::const_iterator blocks_aborted_begin() const { 162 return blocksAborted.begin(); 163 } blocks_aborted_end()164 BlocksAborted::const_iterator blocks_aborted_end() const { 165 return blocksAborted.end(); 166 } 167 168 /// \brief Enqueue the given set of nodes onto the work list. 169 void enqueue(ExplodedNodeSet &Set); 170 171 /// \brief Enqueue nodes that were created as a result of processing 172 /// a statement onto the work list. 173 void enqueue(ExplodedNodeSet &Set, const CFGBlock *Block, unsigned Idx); 174 175 /// \brief enqueue the nodes corresponding to the end of function onto the 176 /// end of path / work list. 177 void enqueueEndOfFunction(ExplodedNodeSet &Set); 178 179 /// \brief Enqueue a single node created as a result of statement processing. 180 void enqueueStmtNode(ExplodedNode *N, const CFGBlock *Block, unsigned Idx); 181 }; 182 183 // TODO: Turn into a calss. 184 struct NodeBuilderContext { 185 const CoreEngine &Eng; 186 const CFGBlock *Block; 187 const LocationContext *LC; NodeBuilderContextNodeBuilderContext188 NodeBuilderContext(const CoreEngine &E, const CFGBlock *B, ExplodedNode *N) 189 : Eng(E), Block(B), LC(N->getLocationContext()) { assert(B); } 190 191 /// \brief Return the CFGBlock associated with this builder. getBlockNodeBuilderContext192 const CFGBlock *getBlock() const { return Block; } 193 194 /// \brief Returns the number of times the current basic block has been 195 /// visited on the exploded graph path. blockCountNodeBuilderContext196 unsigned blockCount() const { 197 return Eng.WList->getBlockCounter().getNumVisited( 198 LC->getCurrentStackFrame(), 199 Block->getBlockID()); 200 } 201 }; 202 203 /// \class NodeBuilder 204 /// \brief This is the simplest builder which generates nodes in the 205 /// ExplodedGraph. 206 /// 207 /// The main benefit of the builder is that it automatically tracks the 208 /// frontier nodes (or destination set). This is the set of nodes which should 209 /// be propagated to the next step / builder. They are the nodes which have been 210 /// added to the builder (either as the input node set or as the newly 211 /// constructed nodes) but did not have any outgoing transitions added. 212 class NodeBuilder { 213 virtual void anchor(); 214 protected: 215 const NodeBuilderContext &C; 216 217 /// Specifies if the builder results have been finalized. For example, if it 218 /// is set to false, autotransitions are yet to be generated. 219 bool Finalized; 220 bool HasGeneratedNodes; 221 /// \brief The frontier set - a set of nodes which need to be propagated after 222 /// the builder dies. 223 ExplodedNodeSet &Frontier; 224 225 /// Checkes if the results are ready. checkResults()226 virtual bool checkResults() { 227 if (!Finalized) 228 return false; 229 return true; 230 } 231 hasNoSinksInFrontier()232 bool hasNoSinksInFrontier() { 233 for (iterator I = Frontier.begin(), E = Frontier.end(); I != E; ++I) { 234 if ((*I)->isSink()) 235 return false; 236 } 237 return true; 238 } 239 240 /// Allow subclasses to finalize results before result_begin() is executed. finalizeResults()241 virtual void finalizeResults() {} 242 243 ExplodedNode *generateNodeImpl(const ProgramPoint &PP, 244 ProgramStateRef State, 245 ExplodedNode *Pred, 246 bool MarkAsSink = false); 247 248 public: 249 NodeBuilder(ExplodedNode *SrcNode, ExplodedNodeSet &DstSet, 250 const NodeBuilderContext &Ctx, bool F = true) C(Ctx)251 : C(Ctx), Finalized(F), HasGeneratedNodes(false), Frontier(DstSet) { 252 Frontier.Add(SrcNode); 253 } 254 255 NodeBuilder(const ExplodedNodeSet &SrcSet, ExplodedNodeSet &DstSet, 256 const NodeBuilderContext &Ctx, bool F = true) C(Ctx)257 : C(Ctx), Finalized(F), HasGeneratedNodes(false), Frontier(DstSet) { 258 Frontier.insert(SrcSet); 259 assert(hasNoSinksInFrontier()); 260 } 261 ~NodeBuilder()262 virtual ~NodeBuilder() {} 263 264 /// \brief Generates a node in the ExplodedGraph. generateNode(const ProgramPoint & PP,ProgramStateRef State,ExplodedNode * Pred)265 ExplodedNode *generateNode(const ProgramPoint &PP, 266 ProgramStateRef State, 267 ExplodedNode *Pred) { 268 return generateNodeImpl(PP, State, Pred, false); 269 } 270 271 /// \brief Generates a sink in the ExplodedGraph. 272 /// 273 /// When a node is marked as sink, the exploration from the node is stopped - 274 /// the node becomes the last node on the path and certain kinds of bugs are 275 /// suppressed. generateSink(const ProgramPoint & PP,ProgramStateRef State,ExplodedNode * Pred)276 ExplodedNode *generateSink(const ProgramPoint &PP, 277 ProgramStateRef State, 278 ExplodedNode *Pred) { 279 return generateNodeImpl(PP, State, Pred, true); 280 } 281 getResults()282 const ExplodedNodeSet &getResults() { 283 finalizeResults(); 284 assert(checkResults()); 285 return Frontier; 286 } 287 288 typedef ExplodedNodeSet::iterator iterator; 289 /// \brief Iterators through the results frontier. begin()290 inline iterator begin() { 291 finalizeResults(); 292 assert(checkResults()); 293 return Frontier.begin(); 294 } end()295 inline iterator end() { 296 finalizeResults(); 297 return Frontier.end(); 298 } 299 getContext()300 const NodeBuilderContext &getContext() { return C; } hasGeneratedNodes()301 bool hasGeneratedNodes() { return HasGeneratedNodes; } 302 takeNodes(const ExplodedNodeSet & S)303 void takeNodes(const ExplodedNodeSet &S) { 304 for (ExplodedNodeSet::iterator I = S.begin(), E = S.end(); I != E; ++I ) 305 Frontier.erase(*I); 306 } takeNodes(ExplodedNode * N)307 void takeNodes(ExplodedNode *N) { Frontier.erase(N); } addNodes(const ExplodedNodeSet & S)308 void addNodes(const ExplodedNodeSet &S) { Frontier.insert(S); } addNodes(ExplodedNode * N)309 void addNodes(ExplodedNode *N) { Frontier.Add(N); } 310 }; 311 312 /// \class NodeBuilderWithSinks 313 /// \brief This node builder keeps track of the generated sink nodes. 314 class NodeBuilderWithSinks: public NodeBuilder { 315 void anchor() override; 316 protected: 317 SmallVector<ExplodedNode*, 2> sinksGenerated; 318 ProgramPoint &Location; 319 320 public: NodeBuilderWithSinks(ExplodedNode * Pred,ExplodedNodeSet & DstSet,const NodeBuilderContext & Ctx,ProgramPoint & L)321 NodeBuilderWithSinks(ExplodedNode *Pred, ExplodedNodeSet &DstSet, 322 const NodeBuilderContext &Ctx, ProgramPoint &L) 323 : NodeBuilder(Pred, DstSet, Ctx), Location(L) {} 324 325 ExplodedNode *generateNode(ProgramStateRef State, 326 ExplodedNode *Pred, 327 const ProgramPointTag *Tag = nullptr) { 328 const ProgramPoint &LocalLoc = (Tag ? Location.withTag(Tag) : Location); 329 return NodeBuilder::generateNode(LocalLoc, State, Pred); 330 } 331 332 ExplodedNode *generateSink(ProgramStateRef State, ExplodedNode *Pred, 333 const ProgramPointTag *Tag = nullptr) { 334 const ProgramPoint &LocalLoc = (Tag ? Location.withTag(Tag) : Location); 335 ExplodedNode *N = NodeBuilder::generateSink(LocalLoc, State, Pred); 336 if (N && N->isSink()) 337 sinksGenerated.push_back(N); 338 return N; 339 } 340 getSinks()341 const SmallVectorImpl<ExplodedNode*> &getSinks() const { 342 return sinksGenerated; 343 } 344 }; 345 346 /// \class StmtNodeBuilder 347 /// \brief This builder class is useful for generating nodes that resulted from 348 /// visiting a statement. The main difference from its parent NodeBuilder is 349 /// that it creates a statement specific ProgramPoint. 350 class StmtNodeBuilder: public NodeBuilder { 351 NodeBuilder *EnclosingBldr; 352 public: 353 354 /// \brief Constructs a StmtNodeBuilder. If the builder is going to process 355 /// nodes currently owned by another builder(with larger scope), use 356 /// Enclosing builder to transfer ownership. 357 StmtNodeBuilder(ExplodedNode *SrcNode, ExplodedNodeSet &DstSet, 358 const NodeBuilderContext &Ctx, 359 NodeBuilder *Enclosing = nullptr) NodeBuilder(SrcNode,DstSet,Ctx)360 : NodeBuilder(SrcNode, DstSet, Ctx), EnclosingBldr(Enclosing) { 361 if (EnclosingBldr) 362 EnclosingBldr->takeNodes(SrcNode); 363 } 364 365 StmtNodeBuilder(ExplodedNodeSet &SrcSet, ExplodedNodeSet &DstSet, 366 const NodeBuilderContext &Ctx, 367 NodeBuilder *Enclosing = nullptr) NodeBuilder(SrcSet,DstSet,Ctx)368 : NodeBuilder(SrcSet, DstSet, Ctx), EnclosingBldr(Enclosing) { 369 if (EnclosingBldr) 370 for (ExplodedNodeSet::iterator I = SrcSet.begin(), 371 E = SrcSet.end(); I != E; ++I ) 372 EnclosingBldr->takeNodes(*I); 373 } 374 375 virtual ~StmtNodeBuilder(); 376 377 using NodeBuilder::generateNode; 378 using NodeBuilder::generateSink; 379 380 ExplodedNode *generateNode(const Stmt *S, 381 ExplodedNode *Pred, 382 ProgramStateRef St, 383 const ProgramPointTag *tag = nullptr, 384 ProgramPoint::Kind K = ProgramPoint::PostStmtKind){ 385 const ProgramPoint &L = ProgramPoint::getProgramPoint(S, K, 386 Pred->getLocationContext(), tag); 387 return NodeBuilder::generateNode(L, St, Pred); 388 } 389 390 ExplodedNode *generateSink(const Stmt *S, 391 ExplodedNode *Pred, 392 ProgramStateRef St, 393 const ProgramPointTag *tag = nullptr, 394 ProgramPoint::Kind K = ProgramPoint::PostStmtKind){ 395 const ProgramPoint &L = ProgramPoint::getProgramPoint(S, K, 396 Pred->getLocationContext(), tag); 397 return NodeBuilder::generateSink(L, St, Pred); 398 } 399 }; 400 401 /// \brief BranchNodeBuilder is responsible for constructing the nodes 402 /// corresponding to the two branches of the if statement - true and false. 403 class BranchNodeBuilder: public NodeBuilder { 404 void anchor() override; 405 const CFGBlock *DstT; 406 const CFGBlock *DstF; 407 408 bool InFeasibleTrue; 409 bool InFeasibleFalse; 410 411 public: BranchNodeBuilder(ExplodedNode * SrcNode,ExplodedNodeSet & DstSet,const NodeBuilderContext & C,const CFGBlock * dstT,const CFGBlock * dstF)412 BranchNodeBuilder(ExplodedNode *SrcNode, ExplodedNodeSet &DstSet, 413 const NodeBuilderContext &C, 414 const CFGBlock *dstT, const CFGBlock *dstF) 415 : NodeBuilder(SrcNode, DstSet, C), DstT(dstT), DstF(dstF), 416 InFeasibleTrue(!DstT), InFeasibleFalse(!DstF) { 417 // The branch node builder does not generate autotransitions. 418 // If there are no successors it means that both branches are infeasible. 419 takeNodes(SrcNode); 420 } 421 BranchNodeBuilder(const ExplodedNodeSet & SrcSet,ExplodedNodeSet & DstSet,const NodeBuilderContext & C,const CFGBlock * dstT,const CFGBlock * dstF)422 BranchNodeBuilder(const ExplodedNodeSet &SrcSet, ExplodedNodeSet &DstSet, 423 const NodeBuilderContext &C, 424 const CFGBlock *dstT, const CFGBlock *dstF) 425 : NodeBuilder(SrcSet, DstSet, C), DstT(dstT), DstF(dstF), 426 InFeasibleTrue(!DstT), InFeasibleFalse(!DstF) { 427 takeNodes(SrcSet); 428 } 429 430 ExplodedNode *generateNode(ProgramStateRef State, bool branch, 431 ExplodedNode *Pred); 432 getTargetBlock(bool branch)433 const CFGBlock *getTargetBlock(bool branch) const { 434 return branch ? DstT : DstF; 435 } 436 markInfeasible(bool branch)437 void markInfeasible(bool branch) { 438 if (branch) 439 InFeasibleTrue = true; 440 else 441 InFeasibleFalse = true; 442 } 443 isFeasible(bool branch)444 bool isFeasible(bool branch) { 445 return branch ? !InFeasibleTrue : !InFeasibleFalse; 446 } 447 }; 448 449 class IndirectGotoNodeBuilder { 450 CoreEngine& Eng; 451 const CFGBlock *Src; 452 const CFGBlock &DispatchBlock; 453 const Expr *E; 454 ExplodedNode *Pred; 455 456 public: IndirectGotoNodeBuilder(ExplodedNode * pred,const CFGBlock * src,const Expr * e,const CFGBlock * dispatch,CoreEngine * eng)457 IndirectGotoNodeBuilder(ExplodedNode *pred, const CFGBlock *src, 458 const Expr *e, const CFGBlock *dispatch, CoreEngine* eng) 459 : Eng(*eng), Src(src), DispatchBlock(*dispatch), E(e), Pred(pred) {} 460 461 class iterator { 462 CFGBlock::const_succ_iterator I; 463 464 friend class IndirectGotoNodeBuilder; iterator(CFGBlock::const_succ_iterator i)465 iterator(CFGBlock::const_succ_iterator i) : I(i) {} 466 public: 467 468 iterator &operator++() { ++I; return *this; } 469 bool operator!=(const iterator &X) const { return I != X.I; } 470 getLabel()471 const LabelDecl *getLabel() const { 472 return cast<LabelStmt>((*I)->getLabel())->getDecl(); 473 } 474 getBlock()475 const CFGBlock *getBlock() const { 476 return *I; 477 } 478 }; 479 begin()480 iterator begin() { return iterator(DispatchBlock.succ_begin()); } end()481 iterator end() { return iterator(DispatchBlock.succ_end()); } 482 483 ExplodedNode *generateNode(const iterator &I, 484 ProgramStateRef State, 485 bool isSink = false); 486 getTarget()487 const Expr *getTarget() const { return E; } 488 getState()489 ProgramStateRef getState() const { return Pred->State; } 490 getLocationContext()491 const LocationContext *getLocationContext() const { 492 return Pred->getLocationContext(); 493 } 494 }; 495 496 class SwitchNodeBuilder { 497 CoreEngine& Eng; 498 const CFGBlock *Src; 499 const Expr *Condition; 500 ExplodedNode *Pred; 501 502 public: SwitchNodeBuilder(ExplodedNode * pred,const CFGBlock * src,const Expr * condition,CoreEngine * eng)503 SwitchNodeBuilder(ExplodedNode *pred, const CFGBlock *src, 504 const Expr *condition, CoreEngine* eng) 505 : Eng(*eng), Src(src), Condition(condition), Pred(pred) {} 506 507 class iterator { 508 CFGBlock::const_succ_reverse_iterator I; 509 510 friend class SwitchNodeBuilder; iterator(CFGBlock::const_succ_reverse_iterator i)511 iterator(CFGBlock::const_succ_reverse_iterator i) : I(i) {} 512 513 public: 514 iterator &operator++() { ++I; return *this; } 515 bool operator!=(const iterator &X) const { return I != X.I; } 516 bool operator==(const iterator &X) const { return I == X.I; } 517 getCase()518 const CaseStmt *getCase() const { 519 return cast<CaseStmt>((*I)->getLabel()); 520 } 521 getBlock()522 const CFGBlock *getBlock() const { 523 return *I; 524 } 525 }; 526 begin()527 iterator begin() { return iterator(Src->succ_rbegin()+1); } end()528 iterator end() { return iterator(Src->succ_rend()); } 529 getSwitch()530 const SwitchStmt *getSwitch() const { 531 return cast<SwitchStmt>(Src->getTerminator()); 532 } 533 534 ExplodedNode *generateCaseStmtNode(const iterator &I, 535 ProgramStateRef State); 536 537 ExplodedNode *generateDefaultCaseNode(ProgramStateRef State, 538 bool isSink = false); 539 getCondition()540 const Expr *getCondition() const { return Condition; } 541 getState()542 ProgramStateRef getState() const { return Pred->State; } 543 getLocationContext()544 const LocationContext *getLocationContext() const { 545 return Pred->getLocationContext(); 546 } 547 }; 548 549 } // end ento namespace 550 } // end clang namespace 551 552 #endif 553