1 //===--- CheckerManager.cpp - Static Analyzer Checker Manager -------------===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // Defines the Static Analyzer Checker Manager.
11 //
12 //===----------------------------------------------------------------------===//
13
14 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
15 #include "clang/AST/DeclBase.h"
16 #include "clang/Analysis/ProgramPoint.h"
17 #include "clang/StaticAnalyzer/Core/Checker.h"
18 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20
21 using namespace clang;
22 using namespace ento;
23
hasPathSensitiveCheckers() const24 bool CheckerManager::hasPathSensitiveCheckers() const {
25 return !StmtCheckers.empty() ||
26 !PreObjCMessageCheckers.empty() ||
27 !PostObjCMessageCheckers.empty() ||
28 !PreCallCheckers.empty() ||
29 !PostCallCheckers.empty() ||
30 !LocationCheckers.empty() ||
31 !BindCheckers.empty() ||
32 !EndAnalysisCheckers.empty() ||
33 !EndFunctionCheckers.empty() ||
34 !BranchConditionCheckers.empty() ||
35 !LiveSymbolsCheckers.empty() ||
36 !DeadSymbolsCheckers.empty() ||
37 !RegionChangesCheckers.empty() ||
38 !EvalAssumeCheckers.empty() ||
39 !EvalCallCheckers.empty();
40 }
41
finishedCheckerRegistration()42 void CheckerManager::finishedCheckerRegistration() {
43 #ifndef NDEBUG
44 // Make sure that for every event that has listeners, there is at least
45 // one dispatcher registered for it.
46 for (llvm::DenseMap<EventTag, EventInfo>::iterator
47 I = Events.begin(), E = Events.end(); I != E; ++I)
48 assert(I->second.HasDispatcher && "No dispatcher registered for an event");
49 #endif
50 }
51
52 //===----------------------------------------------------------------------===//
53 // Functions for running checkers for AST traversing..
54 //===----------------------------------------------------------------------===//
55
runCheckersOnASTDecl(const Decl * D,AnalysisManager & mgr,BugReporter & BR)56 void CheckerManager::runCheckersOnASTDecl(const Decl *D, AnalysisManager& mgr,
57 BugReporter &BR) {
58 assert(D);
59
60 unsigned DeclKind = D->getKind();
61 CachedDeclCheckers *checkers = nullptr;
62 CachedDeclCheckersMapTy::iterator CCI = CachedDeclCheckersMap.find(DeclKind);
63 if (CCI != CachedDeclCheckersMap.end()) {
64 checkers = &(CCI->second);
65 } else {
66 // Find the checkers that should run for this Decl and cache them.
67 checkers = &CachedDeclCheckersMap[DeclKind];
68 for (unsigned i = 0, e = DeclCheckers.size(); i != e; ++i) {
69 DeclCheckerInfo &info = DeclCheckers[i];
70 if (info.IsForDeclFn(D))
71 checkers->push_back(info.CheckFn);
72 }
73 }
74
75 assert(checkers);
76 for (CachedDeclCheckers::iterator
77 I = checkers->begin(), E = checkers->end(); I != E; ++I)
78 (*I)(D, mgr, BR);
79 }
80
runCheckersOnASTBody(const Decl * D,AnalysisManager & mgr,BugReporter & BR)81 void CheckerManager::runCheckersOnASTBody(const Decl *D, AnalysisManager& mgr,
82 BugReporter &BR) {
83 assert(D && D->hasBody());
84
85 for (unsigned i = 0, e = BodyCheckers.size(); i != e; ++i)
86 BodyCheckers[i](D, mgr, BR);
87 }
88
89 //===----------------------------------------------------------------------===//
90 // Functions for running checkers for path-sensitive checking.
91 //===----------------------------------------------------------------------===//
92
93 template <typename CHECK_CTX>
expandGraphWithCheckers(CHECK_CTX checkCtx,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src)94 static void expandGraphWithCheckers(CHECK_CTX checkCtx,
95 ExplodedNodeSet &Dst,
96 const ExplodedNodeSet &Src) {
97 const NodeBuilderContext &BldrCtx = checkCtx.Eng.getBuilderContext();
98 if (Src.empty())
99 return;
100
101 typename CHECK_CTX::CheckersTy::const_iterator
102 I = checkCtx.checkers_begin(), E = checkCtx.checkers_end();
103 if (I == E) {
104 Dst.insert(Src);
105 return;
106 }
107
108 ExplodedNodeSet Tmp1, Tmp2;
109 const ExplodedNodeSet *PrevSet = &Src;
110
111 for (; I != E; ++I) {
112 ExplodedNodeSet *CurrSet = nullptr;
113 if (I+1 == E)
114 CurrSet = &Dst;
115 else {
116 CurrSet = (PrevSet == &Tmp1) ? &Tmp2 : &Tmp1;
117 CurrSet->clear();
118 }
119
120 NodeBuilder B(*PrevSet, *CurrSet, BldrCtx);
121 for (ExplodedNodeSet::iterator NI = PrevSet->begin(), NE = PrevSet->end();
122 NI != NE; ++NI) {
123 checkCtx.runChecker(*I, B, *NI);
124 }
125
126 // If all the produced transitions are sinks, stop.
127 if (CurrSet->empty())
128 return;
129
130 // Update which NodeSet is the current one.
131 PrevSet = CurrSet;
132 }
133 }
134
135 namespace {
136 struct CheckStmtContext {
137 typedef SmallVectorImpl<CheckerManager::CheckStmtFunc> CheckersTy;
138 bool IsPreVisit;
139 const CheckersTy &Checkers;
140 const Stmt *S;
141 ExprEngine &Eng;
142 bool WasInlined;
143
checkers_begin__anonf08f69e00111::CheckStmtContext144 CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anonf08f69e00111::CheckStmtContext145 CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
146
CheckStmtContext__anonf08f69e00111::CheckStmtContext147 CheckStmtContext(bool isPreVisit, const CheckersTy &checkers,
148 const Stmt *s, ExprEngine &eng, bool wasInlined = false)
149 : IsPreVisit(isPreVisit), Checkers(checkers), S(s), Eng(eng),
150 WasInlined(wasInlined) {}
151
runChecker__anonf08f69e00111::CheckStmtContext152 void runChecker(CheckerManager::CheckStmtFunc checkFn,
153 NodeBuilder &Bldr, ExplodedNode *Pred) {
154 // FIXME: Remove respondsToCallback from CheckerContext;
155 ProgramPoint::Kind K = IsPreVisit ? ProgramPoint::PreStmtKind :
156 ProgramPoint::PostStmtKind;
157 const ProgramPoint &L = ProgramPoint::getProgramPoint(S, K,
158 Pred->getLocationContext(), checkFn.Checker);
159 CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
160 checkFn(S, C);
161 }
162 };
163 }
164
165 /// \brief Run checkers for visiting Stmts.
runCheckersForStmt(bool isPreVisit,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const Stmt * S,ExprEngine & Eng,bool WasInlined)166 void CheckerManager::runCheckersForStmt(bool isPreVisit,
167 ExplodedNodeSet &Dst,
168 const ExplodedNodeSet &Src,
169 const Stmt *S,
170 ExprEngine &Eng,
171 bool WasInlined) {
172 CheckStmtContext C(isPreVisit, getCachedStmtCheckersFor(S, isPreVisit),
173 S, Eng, WasInlined);
174 expandGraphWithCheckers(C, Dst, Src);
175 }
176
177 namespace {
178 struct CheckObjCMessageContext {
179 typedef std::vector<CheckerManager::CheckObjCMessageFunc> CheckersTy;
180
181 ObjCMessageVisitKind Kind;
182 bool WasInlined;
183 const CheckersTy &Checkers;
184 const ObjCMethodCall &Msg;
185 ExprEngine &Eng;
186
checkers_begin__anonf08f69e00211::CheckObjCMessageContext187 CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anonf08f69e00211::CheckObjCMessageContext188 CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
189
CheckObjCMessageContext__anonf08f69e00211::CheckObjCMessageContext190 CheckObjCMessageContext(ObjCMessageVisitKind visitKind,
191 const CheckersTy &checkers,
192 const ObjCMethodCall &msg, ExprEngine &eng,
193 bool wasInlined)
194 : Kind(visitKind), WasInlined(wasInlined), Checkers(checkers),
195 Msg(msg), Eng(eng) { }
196
runChecker__anonf08f69e00211::CheckObjCMessageContext197 void runChecker(CheckerManager::CheckObjCMessageFunc checkFn,
198 NodeBuilder &Bldr, ExplodedNode *Pred) {
199
200 bool IsPreVisit;
201
202 switch (Kind) {
203 case ObjCMessageVisitKind::Pre:
204 IsPreVisit = true;
205 break;
206 case ObjCMessageVisitKind::MessageNil:
207 case ObjCMessageVisitKind::Post:
208 IsPreVisit = false;
209 break;
210 }
211
212 const ProgramPoint &L = Msg.getProgramPoint(IsPreVisit,checkFn.Checker);
213 CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
214
215 checkFn(*Msg.cloneWithState<ObjCMethodCall>(Pred->getState()), C);
216 }
217 };
218 }
219
220 /// \brief Run checkers for visiting obj-c messages.
runCheckersForObjCMessage(ObjCMessageVisitKind visitKind,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const ObjCMethodCall & msg,ExprEngine & Eng,bool WasInlined)221 void CheckerManager::runCheckersForObjCMessage(ObjCMessageVisitKind visitKind,
222 ExplodedNodeSet &Dst,
223 const ExplodedNodeSet &Src,
224 const ObjCMethodCall &msg,
225 ExprEngine &Eng,
226 bool WasInlined) {
227 auto &checkers = getObjCMessageCheckers(visitKind);
228 CheckObjCMessageContext C(visitKind, checkers, msg, Eng, WasInlined);
229 expandGraphWithCheckers(C, Dst, Src);
230 }
231
232 const std::vector<CheckerManager::CheckObjCMessageFunc> &
getObjCMessageCheckers(ObjCMessageVisitKind Kind)233 CheckerManager::getObjCMessageCheckers(ObjCMessageVisitKind Kind) {
234 switch (Kind) {
235 case ObjCMessageVisitKind::Pre:
236 return PreObjCMessageCheckers;
237 break;
238 case ObjCMessageVisitKind::Post:
239 return PostObjCMessageCheckers;
240 case ObjCMessageVisitKind::MessageNil:
241 return ObjCMessageNilCheckers;
242 }
243 llvm_unreachable("Unknown Kind");
244 }
245 namespace {
246 // FIXME: This has all the same signatures as CheckObjCMessageContext.
247 // Is there a way we can merge the two?
248 struct CheckCallContext {
249 typedef std::vector<CheckerManager::CheckCallFunc> CheckersTy;
250 bool IsPreVisit, WasInlined;
251 const CheckersTy &Checkers;
252 const CallEvent &Call;
253 ExprEngine &Eng;
254
checkers_begin__anonf08f69e00311::CheckCallContext255 CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anonf08f69e00311::CheckCallContext256 CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
257
CheckCallContext__anonf08f69e00311::CheckCallContext258 CheckCallContext(bool isPreVisit, const CheckersTy &checkers,
259 const CallEvent &call, ExprEngine &eng,
260 bool wasInlined)
261 : IsPreVisit(isPreVisit), WasInlined(wasInlined), Checkers(checkers),
262 Call(call), Eng(eng) { }
263
runChecker__anonf08f69e00311::CheckCallContext264 void runChecker(CheckerManager::CheckCallFunc checkFn,
265 NodeBuilder &Bldr, ExplodedNode *Pred) {
266 const ProgramPoint &L = Call.getProgramPoint(IsPreVisit,checkFn.Checker);
267 CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
268
269 checkFn(*Call.cloneWithState(Pred->getState()), C);
270 }
271 };
272 }
273
274 /// \brief Run checkers for visiting an abstract call event.
runCheckersForCallEvent(bool isPreVisit,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const CallEvent & Call,ExprEngine & Eng,bool WasInlined)275 void CheckerManager::runCheckersForCallEvent(bool isPreVisit,
276 ExplodedNodeSet &Dst,
277 const ExplodedNodeSet &Src,
278 const CallEvent &Call,
279 ExprEngine &Eng,
280 bool WasInlined) {
281 CheckCallContext C(isPreVisit,
282 isPreVisit ? PreCallCheckers
283 : PostCallCheckers,
284 Call, Eng, WasInlined);
285 expandGraphWithCheckers(C, Dst, Src);
286 }
287
288 namespace {
289 struct CheckLocationContext {
290 typedef std::vector<CheckerManager::CheckLocationFunc> CheckersTy;
291 const CheckersTy &Checkers;
292 SVal Loc;
293 bool IsLoad;
294 const Stmt *NodeEx; /* Will become a CFGStmt */
295 const Stmt *BoundEx;
296 ExprEngine &Eng;
297
checkers_begin__anonf08f69e00411::CheckLocationContext298 CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anonf08f69e00411::CheckLocationContext299 CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
300
CheckLocationContext__anonf08f69e00411::CheckLocationContext301 CheckLocationContext(const CheckersTy &checkers,
302 SVal loc, bool isLoad, const Stmt *NodeEx,
303 const Stmt *BoundEx,
304 ExprEngine &eng)
305 : Checkers(checkers), Loc(loc), IsLoad(isLoad), NodeEx(NodeEx),
306 BoundEx(BoundEx), Eng(eng) {}
307
runChecker__anonf08f69e00411::CheckLocationContext308 void runChecker(CheckerManager::CheckLocationFunc checkFn,
309 NodeBuilder &Bldr, ExplodedNode *Pred) {
310 ProgramPoint::Kind K = IsLoad ? ProgramPoint::PreLoadKind :
311 ProgramPoint::PreStoreKind;
312 const ProgramPoint &L =
313 ProgramPoint::getProgramPoint(NodeEx, K,
314 Pred->getLocationContext(),
315 checkFn.Checker);
316 CheckerContext C(Bldr, Eng, Pred, L);
317 checkFn(Loc, IsLoad, BoundEx, C);
318 }
319 };
320 }
321
322 /// \brief Run checkers for load/store of a location.
323
runCheckersForLocation(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,SVal location,bool isLoad,const Stmt * NodeEx,const Stmt * BoundEx,ExprEngine & Eng)324 void CheckerManager::runCheckersForLocation(ExplodedNodeSet &Dst,
325 const ExplodedNodeSet &Src,
326 SVal location, bool isLoad,
327 const Stmt *NodeEx,
328 const Stmt *BoundEx,
329 ExprEngine &Eng) {
330 CheckLocationContext C(LocationCheckers, location, isLoad, NodeEx,
331 BoundEx, Eng);
332 expandGraphWithCheckers(C, Dst, Src);
333 }
334
335 namespace {
336 struct CheckBindContext {
337 typedef std::vector<CheckerManager::CheckBindFunc> CheckersTy;
338 const CheckersTy &Checkers;
339 SVal Loc;
340 SVal Val;
341 const Stmt *S;
342 ExprEngine &Eng;
343 const ProgramPoint &PP;
344
checkers_begin__anonf08f69e00511::CheckBindContext345 CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anonf08f69e00511::CheckBindContext346 CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
347
CheckBindContext__anonf08f69e00511::CheckBindContext348 CheckBindContext(const CheckersTy &checkers,
349 SVal loc, SVal val, const Stmt *s, ExprEngine &eng,
350 const ProgramPoint &pp)
351 : Checkers(checkers), Loc(loc), Val(val), S(s), Eng(eng), PP(pp) {}
352
runChecker__anonf08f69e00511::CheckBindContext353 void runChecker(CheckerManager::CheckBindFunc checkFn,
354 NodeBuilder &Bldr, ExplodedNode *Pred) {
355 const ProgramPoint &L = PP.withTag(checkFn.Checker);
356 CheckerContext C(Bldr, Eng, Pred, L);
357
358 checkFn(Loc, Val, S, C);
359 }
360 };
361 }
362
363 /// \brief Run checkers for binding of a value to a location.
runCheckersForBind(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,SVal location,SVal val,const Stmt * S,ExprEngine & Eng,const ProgramPoint & PP)364 void CheckerManager::runCheckersForBind(ExplodedNodeSet &Dst,
365 const ExplodedNodeSet &Src,
366 SVal location, SVal val,
367 const Stmt *S, ExprEngine &Eng,
368 const ProgramPoint &PP) {
369 CheckBindContext C(BindCheckers, location, val, S, Eng, PP);
370 expandGraphWithCheckers(C, Dst, Src);
371 }
372
runCheckersForEndAnalysis(ExplodedGraph & G,BugReporter & BR,ExprEngine & Eng)373 void CheckerManager::runCheckersForEndAnalysis(ExplodedGraph &G,
374 BugReporter &BR,
375 ExprEngine &Eng) {
376 for (unsigned i = 0, e = EndAnalysisCheckers.size(); i != e; ++i)
377 EndAnalysisCheckers[i](G, BR, Eng);
378 }
379
380 namespace {
381 struct CheckBeginFunctionContext {
382 typedef std::vector<CheckerManager::CheckBeginFunctionFunc> CheckersTy;
383 const CheckersTy &Checkers;
384 ExprEngine &Eng;
385 const ProgramPoint &PP;
386
checkers_begin__anonf08f69e00611::CheckBeginFunctionContext387 CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anonf08f69e00611::CheckBeginFunctionContext388 CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
389
CheckBeginFunctionContext__anonf08f69e00611::CheckBeginFunctionContext390 CheckBeginFunctionContext(const CheckersTy &Checkers, ExprEngine &Eng,
391 const ProgramPoint &PP)
392 : Checkers(Checkers), Eng(Eng), PP(PP) {}
393
runChecker__anonf08f69e00611::CheckBeginFunctionContext394 void runChecker(CheckerManager::CheckBeginFunctionFunc checkFn,
395 NodeBuilder &Bldr, ExplodedNode *Pred) {
396 const ProgramPoint &L = PP.withTag(checkFn.Checker);
397 CheckerContext C(Bldr, Eng, Pred, L);
398
399 checkFn(C);
400 }
401 };
402 }
403
runCheckersForBeginFunction(ExplodedNodeSet & Dst,const BlockEdge & L,ExplodedNode * Pred,ExprEngine & Eng)404 void CheckerManager::runCheckersForBeginFunction(ExplodedNodeSet &Dst,
405 const BlockEdge &L,
406 ExplodedNode *Pred,
407 ExprEngine &Eng) {
408 ExplodedNodeSet Src;
409 Src.insert(Pred);
410 CheckBeginFunctionContext C(BeginFunctionCheckers, Eng, L);
411 expandGraphWithCheckers(C, Dst, Src);
412 }
413
414 /// \brief Run checkers for end of path.
415 // Note, We do not chain the checker output (like in expandGraphWithCheckers)
416 // for this callback since end of path nodes are expected to be final.
runCheckersForEndFunction(NodeBuilderContext & BC,ExplodedNodeSet & Dst,ExplodedNode * Pred,ExprEngine & Eng)417 void CheckerManager::runCheckersForEndFunction(NodeBuilderContext &BC,
418 ExplodedNodeSet &Dst,
419 ExplodedNode *Pred,
420 ExprEngine &Eng) {
421
422 // We define the builder outside of the loop bacause if at least one checkers
423 // creates a sucsessor for Pred, we do not need to generate an
424 // autotransition for it.
425 NodeBuilder Bldr(Pred, Dst, BC);
426 for (unsigned i = 0, e = EndFunctionCheckers.size(); i != e; ++i) {
427 CheckEndFunctionFunc checkFn = EndFunctionCheckers[i];
428
429 const ProgramPoint &L = BlockEntrance(BC.Block,
430 Pred->getLocationContext(),
431 checkFn.Checker);
432 CheckerContext C(Bldr, Eng, Pred, L);
433 checkFn(C);
434 }
435 }
436
437 namespace {
438 struct CheckBranchConditionContext {
439 typedef std::vector<CheckerManager::CheckBranchConditionFunc> CheckersTy;
440 const CheckersTy &Checkers;
441 const Stmt *Condition;
442 ExprEngine &Eng;
443
checkers_begin__anonf08f69e00711::CheckBranchConditionContext444 CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anonf08f69e00711::CheckBranchConditionContext445 CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
446
CheckBranchConditionContext__anonf08f69e00711::CheckBranchConditionContext447 CheckBranchConditionContext(const CheckersTy &checkers,
448 const Stmt *Cond, ExprEngine &eng)
449 : Checkers(checkers), Condition(Cond), Eng(eng) {}
450
runChecker__anonf08f69e00711::CheckBranchConditionContext451 void runChecker(CheckerManager::CheckBranchConditionFunc checkFn,
452 NodeBuilder &Bldr, ExplodedNode *Pred) {
453 ProgramPoint L = PostCondition(Condition, Pred->getLocationContext(),
454 checkFn.Checker);
455 CheckerContext C(Bldr, Eng, Pred, L);
456 checkFn(Condition, C);
457 }
458 };
459 }
460
461 /// \brief Run checkers for branch condition.
runCheckersForBranchCondition(const Stmt * Condition,ExplodedNodeSet & Dst,ExplodedNode * Pred,ExprEngine & Eng)462 void CheckerManager::runCheckersForBranchCondition(const Stmt *Condition,
463 ExplodedNodeSet &Dst,
464 ExplodedNode *Pred,
465 ExprEngine &Eng) {
466 ExplodedNodeSet Src;
467 Src.insert(Pred);
468 CheckBranchConditionContext C(BranchConditionCheckers, Condition, Eng);
469 expandGraphWithCheckers(C, Dst, Src);
470 }
471
472 /// \brief Run checkers for live symbols.
runCheckersForLiveSymbols(ProgramStateRef state,SymbolReaper & SymReaper)473 void CheckerManager::runCheckersForLiveSymbols(ProgramStateRef state,
474 SymbolReaper &SymReaper) {
475 for (unsigned i = 0, e = LiveSymbolsCheckers.size(); i != e; ++i)
476 LiveSymbolsCheckers[i](state, SymReaper);
477 }
478
479 namespace {
480 struct CheckDeadSymbolsContext {
481 typedef std::vector<CheckerManager::CheckDeadSymbolsFunc> CheckersTy;
482 const CheckersTy &Checkers;
483 SymbolReaper &SR;
484 const Stmt *S;
485 ExprEngine &Eng;
486 ProgramPoint::Kind ProgarmPointKind;
487
checkers_begin__anonf08f69e00811::CheckDeadSymbolsContext488 CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anonf08f69e00811::CheckDeadSymbolsContext489 CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
490
CheckDeadSymbolsContext__anonf08f69e00811::CheckDeadSymbolsContext491 CheckDeadSymbolsContext(const CheckersTy &checkers, SymbolReaper &sr,
492 const Stmt *s, ExprEngine &eng,
493 ProgramPoint::Kind K)
494 : Checkers(checkers), SR(sr), S(s), Eng(eng), ProgarmPointKind(K) { }
495
runChecker__anonf08f69e00811::CheckDeadSymbolsContext496 void runChecker(CheckerManager::CheckDeadSymbolsFunc checkFn,
497 NodeBuilder &Bldr, ExplodedNode *Pred) {
498 const ProgramPoint &L = ProgramPoint::getProgramPoint(S, ProgarmPointKind,
499 Pred->getLocationContext(), checkFn.Checker);
500 CheckerContext C(Bldr, Eng, Pred, L);
501
502 // Note, do not pass the statement to the checkers without letting them
503 // differentiate if we ran remove dead bindings before or after the
504 // statement.
505 checkFn(SR, C);
506 }
507 };
508 }
509
510 /// \brief Run checkers for dead symbols.
runCheckersForDeadSymbols(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,SymbolReaper & SymReaper,const Stmt * S,ExprEngine & Eng,ProgramPoint::Kind K)511 void CheckerManager::runCheckersForDeadSymbols(ExplodedNodeSet &Dst,
512 const ExplodedNodeSet &Src,
513 SymbolReaper &SymReaper,
514 const Stmt *S,
515 ExprEngine &Eng,
516 ProgramPoint::Kind K) {
517 CheckDeadSymbolsContext C(DeadSymbolsCheckers, SymReaper, S, Eng, K);
518 expandGraphWithCheckers(C, Dst, Src);
519 }
520
521 /// \brief True if at least one checker wants to check region changes.
wantsRegionChangeUpdate(ProgramStateRef state)522 bool CheckerManager::wantsRegionChangeUpdate(ProgramStateRef state) {
523 for (unsigned i = 0, e = RegionChangesCheckers.size(); i != e; ++i)
524 if (RegionChangesCheckers[i].WantUpdateFn(state))
525 return true;
526
527 return false;
528 }
529
530 /// \brief Run checkers for region changes.
531 ProgramStateRef
runCheckersForRegionChanges(ProgramStateRef state,const InvalidatedSymbols * invalidated,ArrayRef<const MemRegion * > ExplicitRegions,ArrayRef<const MemRegion * > Regions,const CallEvent * Call)532 CheckerManager::runCheckersForRegionChanges(ProgramStateRef state,
533 const InvalidatedSymbols *invalidated,
534 ArrayRef<const MemRegion *> ExplicitRegions,
535 ArrayRef<const MemRegion *> Regions,
536 const CallEvent *Call) {
537 for (unsigned i = 0, e = RegionChangesCheckers.size(); i != e; ++i) {
538 // If any checker declares the state infeasible (or if it starts that way),
539 // bail out.
540 if (!state)
541 return nullptr;
542 state = RegionChangesCheckers[i].CheckFn(state, invalidated,
543 ExplicitRegions, Regions, Call);
544 }
545 return state;
546 }
547
548 /// \brief Run checkers to process symbol escape event.
549 ProgramStateRef
runCheckersForPointerEscape(ProgramStateRef State,const InvalidatedSymbols & Escaped,const CallEvent * Call,PointerEscapeKind Kind,RegionAndSymbolInvalidationTraits * ETraits)550 CheckerManager::runCheckersForPointerEscape(ProgramStateRef State,
551 const InvalidatedSymbols &Escaped,
552 const CallEvent *Call,
553 PointerEscapeKind Kind,
554 RegionAndSymbolInvalidationTraits *ETraits) {
555 assert((Call != nullptr ||
556 (Kind != PSK_DirectEscapeOnCall &&
557 Kind != PSK_IndirectEscapeOnCall)) &&
558 "Call must not be NULL when escaping on call");
559 for (unsigned i = 0, e = PointerEscapeCheckers.size(); i != e; ++i) {
560 // If any checker declares the state infeasible (or if it starts that
561 // way), bail out.
562 if (!State)
563 return nullptr;
564 State = PointerEscapeCheckers[i](State, Escaped, Call, Kind, ETraits);
565 }
566 return State;
567 }
568
569 /// \brief Run checkers for handling assumptions on symbolic values.
570 ProgramStateRef
runCheckersForEvalAssume(ProgramStateRef state,SVal Cond,bool Assumption)571 CheckerManager::runCheckersForEvalAssume(ProgramStateRef state,
572 SVal Cond, bool Assumption) {
573 for (unsigned i = 0, e = EvalAssumeCheckers.size(); i != e; ++i) {
574 // If any checker declares the state infeasible (or if it starts that way),
575 // bail out.
576 if (!state)
577 return nullptr;
578 state = EvalAssumeCheckers[i](state, Cond, Assumption);
579 }
580 return state;
581 }
582
583 /// \brief Run checkers for evaluating a call.
584 /// Only one checker will evaluate the call.
runCheckersForEvalCall(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const CallEvent & Call,ExprEngine & Eng)585 void CheckerManager::runCheckersForEvalCall(ExplodedNodeSet &Dst,
586 const ExplodedNodeSet &Src,
587 const CallEvent &Call,
588 ExprEngine &Eng) {
589 const CallExpr *CE = cast<CallExpr>(Call.getOriginExpr());
590 for (ExplodedNodeSet::iterator
591 NI = Src.begin(), NE = Src.end(); NI != NE; ++NI) {
592 ExplodedNode *Pred = *NI;
593 bool anyEvaluated = false;
594
595 ExplodedNodeSet checkDst;
596 NodeBuilder B(Pred, checkDst, Eng.getBuilderContext());
597
598 // Check if any of the EvalCall callbacks can evaluate the call.
599 for (std::vector<EvalCallFunc>::iterator
600 EI = EvalCallCheckers.begin(), EE = EvalCallCheckers.end();
601 EI != EE; ++EI) {
602 ProgramPoint::Kind K = ProgramPoint::PostStmtKind;
603 const ProgramPoint &L = ProgramPoint::getProgramPoint(CE, K,
604 Pred->getLocationContext(), EI->Checker);
605 bool evaluated = false;
606 { // CheckerContext generates transitions(populates checkDest) on
607 // destruction, so introduce the scope to make sure it gets properly
608 // populated.
609 CheckerContext C(B, Eng, Pred, L);
610 evaluated = (*EI)(CE, C);
611 }
612 assert(!(evaluated && anyEvaluated)
613 && "There are more than one checkers evaluating the call");
614 if (evaluated) {
615 anyEvaluated = true;
616 Dst.insert(checkDst);
617 #ifdef NDEBUG
618 break; // on release don't check that no other checker also evals.
619 #endif
620 }
621 }
622
623 // If none of the checkers evaluated the call, ask ExprEngine to handle it.
624 if (!anyEvaluated) {
625 NodeBuilder B(Pred, Dst, Eng.getBuilderContext());
626 Eng.defaultEvalCall(B, Pred, Call);
627 }
628 }
629 }
630
631 /// \brief Run checkers for the entire Translation Unit.
runCheckersOnEndOfTranslationUnit(const TranslationUnitDecl * TU,AnalysisManager & mgr,BugReporter & BR)632 void CheckerManager::runCheckersOnEndOfTranslationUnit(
633 const TranslationUnitDecl *TU,
634 AnalysisManager &mgr,
635 BugReporter &BR) {
636 for (unsigned i = 0, e = EndOfTranslationUnitCheckers.size(); i != e; ++i)
637 EndOfTranslationUnitCheckers[i](TU, mgr, BR);
638 }
639
runCheckersForPrintState(raw_ostream & Out,ProgramStateRef State,const char * NL,const char * Sep)640 void CheckerManager::runCheckersForPrintState(raw_ostream &Out,
641 ProgramStateRef State,
642 const char *NL, const char *Sep) {
643 for (llvm::DenseMap<CheckerTag, CheckerRef>::iterator
644 I = CheckerTags.begin(), E = CheckerTags.end(); I != E; ++I)
645 I->second->printState(Out, State, NL, Sep);
646 }
647
648 //===----------------------------------------------------------------------===//
649 // Internal registration functions for AST traversing.
650 //===----------------------------------------------------------------------===//
651
_registerForDecl(CheckDeclFunc checkfn,HandlesDeclFunc isForDeclFn)652 void CheckerManager::_registerForDecl(CheckDeclFunc checkfn,
653 HandlesDeclFunc isForDeclFn) {
654 DeclCheckerInfo info = { checkfn, isForDeclFn };
655 DeclCheckers.push_back(info);
656 }
657
_registerForBody(CheckDeclFunc checkfn)658 void CheckerManager::_registerForBody(CheckDeclFunc checkfn) {
659 BodyCheckers.push_back(checkfn);
660 }
661
662 //===----------------------------------------------------------------------===//
663 // Internal registration functions for path-sensitive checking.
664 //===----------------------------------------------------------------------===//
665
_registerForPreStmt(CheckStmtFunc checkfn,HandlesStmtFunc isForStmtFn)666 void CheckerManager::_registerForPreStmt(CheckStmtFunc checkfn,
667 HandlesStmtFunc isForStmtFn) {
668 StmtCheckerInfo info = { checkfn, isForStmtFn, /*IsPreVisit*/true };
669 StmtCheckers.push_back(info);
670 }
_registerForPostStmt(CheckStmtFunc checkfn,HandlesStmtFunc isForStmtFn)671 void CheckerManager::_registerForPostStmt(CheckStmtFunc checkfn,
672 HandlesStmtFunc isForStmtFn) {
673 StmtCheckerInfo info = { checkfn, isForStmtFn, /*IsPreVisit*/false };
674 StmtCheckers.push_back(info);
675 }
676
_registerForPreObjCMessage(CheckObjCMessageFunc checkfn)677 void CheckerManager::_registerForPreObjCMessage(CheckObjCMessageFunc checkfn) {
678 PreObjCMessageCheckers.push_back(checkfn);
679 }
680
_registerForObjCMessageNil(CheckObjCMessageFunc checkfn)681 void CheckerManager::_registerForObjCMessageNil(CheckObjCMessageFunc checkfn) {
682 ObjCMessageNilCheckers.push_back(checkfn);
683 }
684
_registerForPostObjCMessage(CheckObjCMessageFunc checkfn)685 void CheckerManager::_registerForPostObjCMessage(CheckObjCMessageFunc checkfn) {
686 PostObjCMessageCheckers.push_back(checkfn);
687 }
688
_registerForPreCall(CheckCallFunc checkfn)689 void CheckerManager::_registerForPreCall(CheckCallFunc checkfn) {
690 PreCallCheckers.push_back(checkfn);
691 }
_registerForPostCall(CheckCallFunc checkfn)692 void CheckerManager::_registerForPostCall(CheckCallFunc checkfn) {
693 PostCallCheckers.push_back(checkfn);
694 }
695
_registerForLocation(CheckLocationFunc checkfn)696 void CheckerManager::_registerForLocation(CheckLocationFunc checkfn) {
697 LocationCheckers.push_back(checkfn);
698 }
699
_registerForBind(CheckBindFunc checkfn)700 void CheckerManager::_registerForBind(CheckBindFunc checkfn) {
701 BindCheckers.push_back(checkfn);
702 }
703
_registerForEndAnalysis(CheckEndAnalysisFunc checkfn)704 void CheckerManager::_registerForEndAnalysis(CheckEndAnalysisFunc checkfn) {
705 EndAnalysisCheckers.push_back(checkfn);
706 }
707
_registerForBeginFunction(CheckBeginFunctionFunc checkfn)708 void CheckerManager::_registerForBeginFunction(CheckBeginFunctionFunc checkfn) {
709 BeginFunctionCheckers.push_back(checkfn);
710 }
711
_registerForEndFunction(CheckEndFunctionFunc checkfn)712 void CheckerManager::_registerForEndFunction(CheckEndFunctionFunc checkfn) {
713 EndFunctionCheckers.push_back(checkfn);
714 }
715
_registerForBranchCondition(CheckBranchConditionFunc checkfn)716 void CheckerManager::_registerForBranchCondition(
717 CheckBranchConditionFunc checkfn) {
718 BranchConditionCheckers.push_back(checkfn);
719 }
720
_registerForLiveSymbols(CheckLiveSymbolsFunc checkfn)721 void CheckerManager::_registerForLiveSymbols(CheckLiveSymbolsFunc checkfn) {
722 LiveSymbolsCheckers.push_back(checkfn);
723 }
724
_registerForDeadSymbols(CheckDeadSymbolsFunc checkfn)725 void CheckerManager::_registerForDeadSymbols(CheckDeadSymbolsFunc checkfn) {
726 DeadSymbolsCheckers.push_back(checkfn);
727 }
728
_registerForRegionChanges(CheckRegionChangesFunc checkfn,WantsRegionChangeUpdateFunc wantUpdateFn)729 void CheckerManager::_registerForRegionChanges(CheckRegionChangesFunc checkfn,
730 WantsRegionChangeUpdateFunc wantUpdateFn) {
731 RegionChangesCheckerInfo info = {checkfn, wantUpdateFn};
732 RegionChangesCheckers.push_back(info);
733 }
734
_registerForPointerEscape(CheckPointerEscapeFunc checkfn)735 void CheckerManager::_registerForPointerEscape(CheckPointerEscapeFunc checkfn){
736 PointerEscapeCheckers.push_back(checkfn);
737 }
738
_registerForConstPointerEscape(CheckPointerEscapeFunc checkfn)739 void CheckerManager::_registerForConstPointerEscape(
740 CheckPointerEscapeFunc checkfn) {
741 PointerEscapeCheckers.push_back(checkfn);
742 }
743
_registerForEvalAssume(EvalAssumeFunc checkfn)744 void CheckerManager::_registerForEvalAssume(EvalAssumeFunc checkfn) {
745 EvalAssumeCheckers.push_back(checkfn);
746 }
747
_registerForEvalCall(EvalCallFunc checkfn)748 void CheckerManager::_registerForEvalCall(EvalCallFunc checkfn) {
749 EvalCallCheckers.push_back(checkfn);
750 }
751
_registerForEndOfTranslationUnit(CheckEndOfTranslationUnit checkfn)752 void CheckerManager::_registerForEndOfTranslationUnit(
753 CheckEndOfTranslationUnit checkfn) {
754 EndOfTranslationUnitCheckers.push_back(checkfn);
755 }
756
757 //===----------------------------------------------------------------------===//
758 // Implementation details.
759 //===----------------------------------------------------------------------===//
760
761 const CheckerManager::CachedStmtCheckers &
getCachedStmtCheckersFor(const Stmt * S,bool isPreVisit)762 CheckerManager::getCachedStmtCheckersFor(const Stmt *S, bool isPreVisit) {
763 assert(S);
764
765 unsigned Key = (S->getStmtClass() << 1) | unsigned(isPreVisit);
766 CachedStmtCheckersMapTy::iterator CCI = CachedStmtCheckersMap.find(Key);
767 if (CCI != CachedStmtCheckersMap.end())
768 return CCI->second;
769
770 // Find the checkers that should run for this Stmt and cache them.
771 CachedStmtCheckers &Checkers = CachedStmtCheckersMap[Key];
772 for (unsigned i = 0, e = StmtCheckers.size(); i != e; ++i) {
773 StmtCheckerInfo &Info = StmtCheckers[i];
774 if (Info.IsPreVisit == isPreVisit && Info.IsForStmtFn(S))
775 Checkers.push_back(Info.CheckFn);
776 }
777 return Checkers;
778 }
779
~CheckerManager()780 CheckerManager::~CheckerManager() {
781 for (unsigned i = 0, e = CheckerDtors.size(); i != e; ++i)
782 CheckerDtors[i]();
783 }
784