xref: /freebsd/contrib/llvm-project/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp (revision bdd1243df58e60e85101c09001d9812a789b6bc4)
1 //===- CheckerManager.cpp - Static Analyzer Checker Manager ---------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // Defines the Static Analyzer Checker Manager.
10 //
11 //===----------------------------------------------------------------------===//
12 
13 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
14 #include "clang/AST/DeclBase.h"
15 #include "clang/AST/Stmt.h"
16 #include "clang/Analysis/ProgramPoint.h"
17 #include "clang/Basic/JsonSupport.h"
18 #include "clang/Basic/LLVM.h"
19 #include "clang/Driver/DriverDiagnostic.h"
20 #include "clang/StaticAnalyzer/Core/Checker.h"
21 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
22 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
23 #include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h"
24 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
25 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
26 #include "llvm/ADT/SmallVector.h"
27 #include "llvm/Support/Casting.h"
28 #include "llvm/Support/ErrorHandling.h"
29 #include "llvm/Support/FormatVariadic.h"
30 #include <cassert>
31 #include <optional>
32 #include <vector>
33 
34 using namespace clang;
35 using namespace ento;
36 
hasPathSensitiveCheckers() const37 bool CheckerManager::hasPathSensitiveCheckers() const {
38   const auto IfAnyAreNonEmpty = [](const auto &... Callbacks) -> bool {
39     return (!Callbacks.empty() || ...);
40   };
41   return IfAnyAreNonEmpty(
42       StmtCheckers, PreObjCMessageCheckers, ObjCMessageNilCheckers,
43       PostObjCMessageCheckers, PreCallCheckers, PostCallCheckers,
44       LocationCheckers, BindCheckers, EndAnalysisCheckers,
45       BeginFunctionCheckers, EndFunctionCheckers, BranchConditionCheckers,
46       NewAllocatorCheckers, LiveSymbolsCheckers, DeadSymbolsCheckers,
47       RegionChangesCheckers, PointerEscapeCheckers, EvalAssumeCheckers,
48       EvalCallCheckers, EndOfTranslationUnitCheckers);
49 }
50 
finishedCheckerRegistration()51 void CheckerManager::finishedCheckerRegistration() {
52 #ifndef NDEBUG
53   // Make sure that for every event that has listeners, there is at least
54   // one dispatcher registered for it.
55   for (const auto &Event : Events)
56     assert(Event.second.HasDispatcher &&
57            "No dispatcher registered for an event");
58 #endif
59 }
60 
reportInvalidCheckerOptionValue(const CheckerBase * C,StringRef OptionName,StringRef ExpectedValueDesc) const61 void CheckerManager::reportInvalidCheckerOptionValue(
62     const CheckerBase *C, StringRef OptionName,
63     StringRef ExpectedValueDesc) const {
64 
65   getDiagnostics().Report(diag::err_analyzer_checker_option_invalid_input)
66       << (llvm::Twine() + C->getTagDescription() + ":" + OptionName).str()
67       << ExpectedValueDesc;
68 }
69 
70 //===----------------------------------------------------------------------===//
71 // Functions for running checkers for AST traversing..
72 //===----------------------------------------------------------------------===//
73 
runCheckersOnASTDecl(const Decl * D,AnalysisManager & mgr,BugReporter & BR)74 void CheckerManager::runCheckersOnASTDecl(const Decl *D, AnalysisManager& mgr,
75                                           BugReporter &BR) {
76   assert(D);
77 
78   unsigned DeclKind = D->getKind();
79   CachedDeclCheckers *checkers = nullptr;
80   CachedDeclCheckersMapTy::iterator CCI = CachedDeclCheckersMap.find(DeclKind);
81   if (CCI != CachedDeclCheckersMap.end()) {
82     checkers = &(CCI->second);
83   } else {
84     // Find the checkers that should run for this Decl and cache them.
85     checkers = &CachedDeclCheckersMap[DeclKind];
86     for (const auto &info : DeclCheckers)
87       if (info.IsForDeclFn(D))
88         checkers->push_back(info.CheckFn);
89   }
90 
91   assert(checkers);
92   for (const auto &checker : *checkers)
93     checker(D, mgr, BR);
94 }
95 
runCheckersOnASTBody(const Decl * D,AnalysisManager & mgr,BugReporter & BR)96 void CheckerManager::runCheckersOnASTBody(const Decl *D, AnalysisManager& mgr,
97                                           BugReporter &BR) {
98   assert(D && D->hasBody());
99 
100   for (const auto &BodyChecker : BodyCheckers)
101     BodyChecker(D, mgr, BR);
102 }
103 
104 //===----------------------------------------------------------------------===//
105 // Functions for running checkers for path-sensitive checking.
106 //===----------------------------------------------------------------------===//
107 
108 template <typename CHECK_CTX>
expandGraphWithCheckers(CHECK_CTX checkCtx,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src)109 static void expandGraphWithCheckers(CHECK_CTX checkCtx,
110                                     ExplodedNodeSet &Dst,
111                                     const ExplodedNodeSet &Src) {
112   const NodeBuilderContext &BldrCtx = checkCtx.Eng.getBuilderContext();
113   if (Src.empty())
114     return;
115 
116   typename CHECK_CTX::CheckersTy::const_iterator
117       I = checkCtx.checkers_begin(), E = checkCtx.checkers_end();
118   if (I == E) {
119     Dst.insert(Src);
120     return;
121   }
122 
123   ExplodedNodeSet Tmp1, Tmp2;
124   const ExplodedNodeSet *PrevSet = &Src;
125 
126   for (; I != E; ++I) {
127     ExplodedNodeSet *CurrSet = nullptr;
128     if (I+1 == E)
129       CurrSet = &Dst;
130     else {
131       CurrSet = (PrevSet == &Tmp1) ? &Tmp2 : &Tmp1;
132       CurrSet->clear();
133     }
134 
135     NodeBuilder B(*PrevSet, *CurrSet, BldrCtx);
136     for (const auto &NI : *PrevSet)
137       checkCtx.runChecker(*I, B, NI);
138 
139     // If all the produced transitions are sinks, stop.
140     if (CurrSet->empty())
141       return;
142 
143     // Update which NodeSet is the current one.
144     PrevSet = CurrSet;
145   }
146 }
147 
148 namespace {
149 
150   struct CheckStmtContext {
151     using CheckersTy = SmallVectorImpl<CheckerManager::CheckStmtFunc>;
152 
153     bool IsPreVisit;
154     const CheckersTy &Checkers;
155     const Stmt *S;
156     ExprEngine &Eng;
157     bool WasInlined;
158 
CheckStmtContext__anon307ef15f0211::CheckStmtContext159     CheckStmtContext(bool isPreVisit, const CheckersTy &checkers,
160                      const Stmt *s, ExprEngine &eng, bool wasInlined = false)
161         : IsPreVisit(isPreVisit), Checkers(checkers), S(s), Eng(eng),
162           WasInlined(wasInlined) {}
163 
checkers_begin__anon307ef15f0211::CheckStmtContext164     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon307ef15f0211::CheckStmtContext165     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
166 
runChecker__anon307ef15f0211::CheckStmtContext167     void runChecker(CheckerManager::CheckStmtFunc checkFn,
168                     NodeBuilder &Bldr, ExplodedNode *Pred) {
169       // FIXME: Remove respondsToCallback from CheckerContext;
170       ProgramPoint::Kind K =  IsPreVisit ? ProgramPoint::PreStmtKind :
171                                            ProgramPoint::PostStmtKind;
172       const ProgramPoint &L = ProgramPoint::getProgramPoint(S, K,
173                                 Pred->getLocationContext(), checkFn.Checker);
174       CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
175       checkFn(S, C);
176     }
177   };
178 
179 } // namespace
180 
181 /// Run checkers for visiting Stmts.
runCheckersForStmt(bool isPreVisit,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const Stmt * S,ExprEngine & Eng,bool WasInlined)182 void CheckerManager::runCheckersForStmt(bool isPreVisit,
183                                         ExplodedNodeSet &Dst,
184                                         const ExplodedNodeSet &Src,
185                                         const Stmt *S,
186                                         ExprEngine &Eng,
187                                         bool WasInlined) {
188   CheckStmtContext C(isPreVisit, getCachedStmtCheckersFor(S, isPreVisit),
189                      S, Eng, WasInlined);
190   expandGraphWithCheckers(C, Dst, Src);
191 }
192 
193 namespace {
194 
195   struct CheckObjCMessageContext {
196     using CheckersTy = std::vector<CheckerManager::CheckObjCMessageFunc>;
197 
198     ObjCMessageVisitKind Kind;
199     bool WasInlined;
200     const CheckersTy &Checkers;
201     const ObjCMethodCall &Msg;
202     ExprEngine &Eng;
203 
CheckObjCMessageContext__anon307ef15f0311::CheckObjCMessageContext204     CheckObjCMessageContext(ObjCMessageVisitKind visitKind,
205                             const CheckersTy &checkers,
206                             const ObjCMethodCall &msg, ExprEngine &eng,
207                             bool wasInlined)
208         : Kind(visitKind), WasInlined(wasInlined), Checkers(checkers), Msg(msg),
209           Eng(eng) {}
210 
checkers_begin__anon307ef15f0311::CheckObjCMessageContext211     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon307ef15f0311::CheckObjCMessageContext212     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
213 
runChecker__anon307ef15f0311::CheckObjCMessageContext214     void runChecker(CheckerManager::CheckObjCMessageFunc checkFn,
215                     NodeBuilder &Bldr, ExplodedNode *Pred) {
216       bool IsPreVisit;
217 
218       switch (Kind) {
219         case ObjCMessageVisitKind::Pre:
220           IsPreVisit = true;
221           break;
222         case ObjCMessageVisitKind::MessageNil:
223         case ObjCMessageVisitKind::Post:
224           IsPreVisit = false;
225           break;
226       }
227 
228       const ProgramPoint &L = Msg.getProgramPoint(IsPreVisit,checkFn.Checker);
229       CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
230 
231       checkFn(*Msg.cloneWithState<ObjCMethodCall>(Pred->getState()), C);
232     }
233   };
234 
235 } // namespace
236 
237 /// Run checkers for visiting obj-c messages.
runCheckersForObjCMessage(ObjCMessageVisitKind visitKind,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const ObjCMethodCall & msg,ExprEngine & Eng,bool WasInlined)238 void CheckerManager::runCheckersForObjCMessage(ObjCMessageVisitKind visitKind,
239                                                ExplodedNodeSet &Dst,
240                                                const ExplodedNodeSet &Src,
241                                                const ObjCMethodCall &msg,
242                                                ExprEngine &Eng,
243                                                bool WasInlined) {
244   const auto &checkers = getObjCMessageCheckers(visitKind);
245   CheckObjCMessageContext C(visitKind, checkers, msg, Eng, WasInlined);
246   expandGraphWithCheckers(C, Dst, Src);
247 }
248 
249 const std::vector<CheckerManager::CheckObjCMessageFunc> &
getObjCMessageCheckers(ObjCMessageVisitKind Kind) const250 CheckerManager::getObjCMessageCheckers(ObjCMessageVisitKind Kind) const {
251   switch (Kind) {
252   case ObjCMessageVisitKind::Pre:
253     return PreObjCMessageCheckers;
254     break;
255   case ObjCMessageVisitKind::Post:
256     return PostObjCMessageCheckers;
257   case ObjCMessageVisitKind::MessageNil:
258     return ObjCMessageNilCheckers;
259   }
260   llvm_unreachable("Unknown Kind");
261 }
262 
263 namespace {
264 
265   // FIXME: This has all the same signatures as CheckObjCMessageContext.
266   // Is there a way we can merge the two?
267   struct CheckCallContext {
268     using CheckersTy = std::vector<CheckerManager::CheckCallFunc>;
269 
270     bool IsPreVisit, WasInlined;
271     const CheckersTy &Checkers;
272     const CallEvent &Call;
273     ExprEngine &Eng;
274 
CheckCallContext__anon307ef15f0411::CheckCallContext275     CheckCallContext(bool isPreVisit, const CheckersTy &checkers,
276                      const CallEvent &call, ExprEngine &eng,
277                      bool wasInlined)
278         : IsPreVisit(isPreVisit), WasInlined(wasInlined), Checkers(checkers),
279           Call(call), Eng(eng) {}
280 
checkers_begin__anon307ef15f0411::CheckCallContext281     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon307ef15f0411::CheckCallContext282     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
283 
runChecker__anon307ef15f0411::CheckCallContext284     void runChecker(CheckerManager::CheckCallFunc checkFn,
285                     NodeBuilder &Bldr, ExplodedNode *Pred) {
286       const ProgramPoint &L = Call.getProgramPoint(IsPreVisit,checkFn.Checker);
287       CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
288 
289       checkFn(*Call.cloneWithState(Pred->getState()), C);
290     }
291   };
292 
293 } // namespace
294 
295 /// Run checkers for visiting an abstract call event.
runCheckersForCallEvent(bool isPreVisit,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const CallEvent & Call,ExprEngine & Eng,bool WasInlined)296 void CheckerManager::runCheckersForCallEvent(bool isPreVisit,
297                                              ExplodedNodeSet &Dst,
298                                              const ExplodedNodeSet &Src,
299                                              const CallEvent &Call,
300                                              ExprEngine &Eng,
301                                              bool WasInlined) {
302   CheckCallContext C(isPreVisit,
303                      isPreVisit ? PreCallCheckers
304                                 : PostCallCheckers,
305                      Call, Eng, WasInlined);
306   expandGraphWithCheckers(C, Dst, Src);
307 }
308 
309 namespace {
310 
311   struct CheckLocationContext {
312     using CheckersTy = std::vector<CheckerManager::CheckLocationFunc>;
313 
314     const CheckersTy &Checkers;
315     SVal Loc;
316     bool IsLoad;
317     const Stmt *NodeEx; /* Will become a CFGStmt */
318     const Stmt *BoundEx;
319     ExprEngine &Eng;
320 
CheckLocationContext__anon307ef15f0511::CheckLocationContext321     CheckLocationContext(const CheckersTy &checkers,
322                          SVal loc, bool isLoad, const Stmt *NodeEx,
323                          const Stmt *BoundEx,
324                          ExprEngine &eng)
325         : Checkers(checkers), Loc(loc), IsLoad(isLoad), NodeEx(NodeEx),
326           BoundEx(BoundEx), Eng(eng) {}
327 
checkers_begin__anon307ef15f0511::CheckLocationContext328     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon307ef15f0511::CheckLocationContext329     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
330 
runChecker__anon307ef15f0511::CheckLocationContext331     void runChecker(CheckerManager::CheckLocationFunc checkFn,
332                     NodeBuilder &Bldr, ExplodedNode *Pred) {
333       ProgramPoint::Kind K =  IsLoad ? ProgramPoint::PreLoadKind :
334                                        ProgramPoint::PreStoreKind;
335       const ProgramPoint &L =
336         ProgramPoint::getProgramPoint(NodeEx, K,
337                                       Pred->getLocationContext(),
338                                       checkFn.Checker);
339       CheckerContext C(Bldr, Eng, Pred, L);
340       checkFn(Loc, IsLoad, BoundEx, C);
341     }
342   };
343 
344 } // namespace
345 
346 /// Run checkers for load/store of a location.
347 
runCheckersForLocation(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,SVal location,bool isLoad,const Stmt * NodeEx,const Stmt * BoundEx,ExprEngine & Eng)348 void CheckerManager::runCheckersForLocation(ExplodedNodeSet &Dst,
349                                             const ExplodedNodeSet &Src,
350                                             SVal location, bool isLoad,
351                                             const Stmt *NodeEx,
352                                             const Stmt *BoundEx,
353                                             ExprEngine &Eng) {
354   CheckLocationContext C(LocationCheckers, location, isLoad, NodeEx,
355                          BoundEx, Eng);
356   expandGraphWithCheckers(C, Dst, Src);
357 }
358 
359 namespace {
360 
361   struct CheckBindContext {
362     using CheckersTy = std::vector<CheckerManager::CheckBindFunc>;
363 
364     const CheckersTy &Checkers;
365     SVal Loc;
366     SVal Val;
367     const Stmt *S;
368     ExprEngine &Eng;
369     const ProgramPoint &PP;
370 
CheckBindContext__anon307ef15f0611::CheckBindContext371     CheckBindContext(const CheckersTy &checkers,
372                      SVal loc, SVal val, const Stmt *s, ExprEngine &eng,
373                      const ProgramPoint &pp)
374         : Checkers(checkers), Loc(loc), Val(val), S(s), Eng(eng), PP(pp) {}
375 
checkers_begin__anon307ef15f0611::CheckBindContext376     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon307ef15f0611::CheckBindContext377     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
378 
runChecker__anon307ef15f0611::CheckBindContext379     void runChecker(CheckerManager::CheckBindFunc checkFn,
380                     NodeBuilder &Bldr, ExplodedNode *Pred) {
381       const ProgramPoint &L = PP.withTag(checkFn.Checker);
382       CheckerContext C(Bldr, Eng, Pred, L);
383 
384       checkFn(Loc, Val, S, C);
385     }
386   };
387 
388 } // namespace
389 
390 /// Run checkers for binding of a value to a location.
runCheckersForBind(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,SVal location,SVal val,const Stmt * S,ExprEngine & Eng,const ProgramPoint & PP)391 void CheckerManager::runCheckersForBind(ExplodedNodeSet &Dst,
392                                         const ExplodedNodeSet &Src,
393                                         SVal location, SVal val,
394                                         const Stmt *S, ExprEngine &Eng,
395                                         const ProgramPoint &PP) {
396   CheckBindContext C(BindCheckers, location, val, S, Eng, PP);
397   expandGraphWithCheckers(C, Dst, Src);
398 }
399 
runCheckersForEndAnalysis(ExplodedGraph & G,BugReporter & BR,ExprEngine & Eng)400 void CheckerManager::runCheckersForEndAnalysis(ExplodedGraph &G,
401                                                BugReporter &BR,
402                                                ExprEngine &Eng) {
403   for (const auto &EndAnalysisChecker : EndAnalysisCheckers)
404     EndAnalysisChecker(G, BR, Eng);
405 }
406 
407 namespace {
408 
409 struct CheckBeginFunctionContext {
410   using CheckersTy = std::vector<CheckerManager::CheckBeginFunctionFunc>;
411 
412   const CheckersTy &Checkers;
413   ExprEngine &Eng;
414   const ProgramPoint &PP;
415 
CheckBeginFunctionContext__anon307ef15f0711::CheckBeginFunctionContext416   CheckBeginFunctionContext(const CheckersTy &Checkers, ExprEngine &Eng,
417                             const ProgramPoint &PP)
418       : Checkers(Checkers), Eng(Eng), PP(PP) {}
419 
checkers_begin__anon307ef15f0711::CheckBeginFunctionContext420   CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon307ef15f0711::CheckBeginFunctionContext421   CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
422 
runChecker__anon307ef15f0711::CheckBeginFunctionContext423   void runChecker(CheckerManager::CheckBeginFunctionFunc checkFn,
424                   NodeBuilder &Bldr, ExplodedNode *Pred) {
425     const ProgramPoint &L = PP.withTag(checkFn.Checker);
426     CheckerContext C(Bldr, Eng, Pred, L);
427 
428     checkFn(C);
429   }
430 };
431 
432 } // namespace
433 
runCheckersForBeginFunction(ExplodedNodeSet & Dst,const BlockEdge & L,ExplodedNode * Pred,ExprEngine & Eng)434 void CheckerManager::runCheckersForBeginFunction(ExplodedNodeSet &Dst,
435                                                  const BlockEdge &L,
436                                                  ExplodedNode *Pred,
437                                                  ExprEngine &Eng) {
438   ExplodedNodeSet Src;
439   Src.insert(Pred);
440   CheckBeginFunctionContext C(BeginFunctionCheckers, Eng, L);
441   expandGraphWithCheckers(C, Dst, Src);
442 }
443 
444 /// Run checkers for end of path.
445 // Note, We do not chain the checker output (like in expandGraphWithCheckers)
446 // for this callback since end of path nodes are expected to be final.
runCheckersForEndFunction(NodeBuilderContext & BC,ExplodedNodeSet & Dst,ExplodedNode * Pred,ExprEngine & Eng,const ReturnStmt * RS)447 void CheckerManager::runCheckersForEndFunction(NodeBuilderContext &BC,
448                                                ExplodedNodeSet &Dst,
449                                                ExplodedNode *Pred,
450                                                ExprEngine &Eng,
451                                                const ReturnStmt *RS) {
452   // We define the builder outside of the loop because if at least one checker
453   // creates a successor for Pred, we do not need to generate an
454   // autotransition for it.
455   NodeBuilder Bldr(Pred, Dst, BC);
456   for (const auto &checkFn : EndFunctionCheckers) {
457     const ProgramPoint &L =
458         FunctionExitPoint(RS, Pred->getLocationContext(), checkFn.Checker);
459     CheckerContext C(Bldr, Eng, Pred, L);
460     checkFn(RS, C);
461   }
462 }
463 
464 namespace {
465 
466   struct CheckBranchConditionContext {
467     using CheckersTy = std::vector<CheckerManager::CheckBranchConditionFunc>;
468 
469     const CheckersTy &Checkers;
470     const Stmt *Condition;
471     ExprEngine &Eng;
472 
CheckBranchConditionContext__anon307ef15f0811::CheckBranchConditionContext473     CheckBranchConditionContext(const CheckersTy &checkers,
474                                 const Stmt *Cond, ExprEngine &eng)
475         : Checkers(checkers), Condition(Cond), Eng(eng) {}
476 
checkers_begin__anon307ef15f0811::CheckBranchConditionContext477     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon307ef15f0811::CheckBranchConditionContext478     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
479 
runChecker__anon307ef15f0811::CheckBranchConditionContext480     void runChecker(CheckerManager::CheckBranchConditionFunc checkFn,
481                     NodeBuilder &Bldr, ExplodedNode *Pred) {
482       ProgramPoint L = PostCondition(Condition, Pred->getLocationContext(),
483                                      checkFn.Checker);
484       CheckerContext C(Bldr, Eng, Pred, L);
485       checkFn(Condition, C);
486     }
487   };
488 
489 } // namespace
490 
491 /// Run checkers for branch condition.
runCheckersForBranchCondition(const Stmt * Condition,ExplodedNodeSet & Dst,ExplodedNode * Pred,ExprEngine & Eng)492 void CheckerManager::runCheckersForBranchCondition(const Stmt *Condition,
493                                                    ExplodedNodeSet &Dst,
494                                                    ExplodedNode *Pred,
495                                                    ExprEngine &Eng) {
496   ExplodedNodeSet Src;
497   Src.insert(Pred);
498   CheckBranchConditionContext C(BranchConditionCheckers, Condition, Eng);
499   expandGraphWithCheckers(C, Dst, Src);
500 }
501 
502 namespace {
503 
504   struct CheckNewAllocatorContext {
505     using CheckersTy = std::vector<CheckerManager::CheckNewAllocatorFunc>;
506 
507     const CheckersTy &Checkers;
508     const CXXAllocatorCall &Call;
509     bool WasInlined;
510     ExprEngine &Eng;
511 
CheckNewAllocatorContext__anon307ef15f0911::CheckNewAllocatorContext512     CheckNewAllocatorContext(const CheckersTy &Checkers,
513                              const CXXAllocatorCall &Call, bool WasInlined,
514                              ExprEngine &Eng)
515         : Checkers(Checkers), Call(Call), WasInlined(WasInlined), Eng(Eng) {}
516 
checkers_begin__anon307ef15f0911::CheckNewAllocatorContext517     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon307ef15f0911::CheckNewAllocatorContext518     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
519 
runChecker__anon307ef15f0911::CheckNewAllocatorContext520     void runChecker(CheckerManager::CheckNewAllocatorFunc checkFn,
521                     NodeBuilder &Bldr, ExplodedNode *Pred) {
522       ProgramPoint L =
523           PostAllocatorCall(Call.getOriginExpr(), Pred->getLocationContext());
524       CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
525       checkFn(cast<CXXAllocatorCall>(*Call.cloneWithState(Pred->getState())),
526               C);
527     }
528   };
529 
530 } // namespace
531 
runCheckersForNewAllocator(const CXXAllocatorCall & Call,ExplodedNodeSet & Dst,ExplodedNode * Pred,ExprEngine & Eng,bool WasInlined)532 void CheckerManager::runCheckersForNewAllocator(const CXXAllocatorCall &Call,
533                                                 ExplodedNodeSet &Dst,
534                                                 ExplodedNode *Pred,
535                                                 ExprEngine &Eng,
536                                                 bool WasInlined) {
537   ExplodedNodeSet Src;
538   Src.insert(Pred);
539   CheckNewAllocatorContext C(NewAllocatorCheckers, Call, WasInlined, Eng);
540   expandGraphWithCheckers(C, Dst, Src);
541 }
542 
543 /// Run checkers for live symbols.
runCheckersForLiveSymbols(ProgramStateRef state,SymbolReaper & SymReaper)544 void CheckerManager::runCheckersForLiveSymbols(ProgramStateRef state,
545                                                SymbolReaper &SymReaper) {
546   for (const auto &LiveSymbolsChecker : LiveSymbolsCheckers)
547     LiveSymbolsChecker(state, SymReaper);
548 }
549 
550 namespace {
551 
552   struct CheckDeadSymbolsContext {
553     using CheckersTy = std::vector<CheckerManager::CheckDeadSymbolsFunc>;
554 
555     const CheckersTy &Checkers;
556     SymbolReaper &SR;
557     const Stmt *S;
558     ExprEngine &Eng;
559     ProgramPoint::Kind ProgarmPointKind;
560 
CheckDeadSymbolsContext__anon307ef15f0a11::CheckDeadSymbolsContext561     CheckDeadSymbolsContext(const CheckersTy &checkers, SymbolReaper &sr,
562                             const Stmt *s, ExprEngine &eng,
563                             ProgramPoint::Kind K)
564         : Checkers(checkers), SR(sr), S(s), Eng(eng), ProgarmPointKind(K) {}
565 
checkers_begin__anon307ef15f0a11::CheckDeadSymbolsContext566     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon307ef15f0a11::CheckDeadSymbolsContext567     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
568 
runChecker__anon307ef15f0a11::CheckDeadSymbolsContext569     void runChecker(CheckerManager::CheckDeadSymbolsFunc checkFn,
570                     NodeBuilder &Bldr, ExplodedNode *Pred) {
571       const ProgramPoint &L = ProgramPoint::getProgramPoint(S, ProgarmPointKind,
572                                 Pred->getLocationContext(), checkFn.Checker);
573       CheckerContext C(Bldr, Eng, Pred, L);
574 
575       // Note, do not pass the statement to the checkers without letting them
576       // differentiate if we ran remove dead bindings before or after the
577       // statement.
578       checkFn(SR, C);
579     }
580   };
581 
582 } // namespace
583 
584 /// Run checkers for dead symbols.
runCheckersForDeadSymbols(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,SymbolReaper & SymReaper,const Stmt * S,ExprEngine & Eng,ProgramPoint::Kind K)585 void CheckerManager::runCheckersForDeadSymbols(ExplodedNodeSet &Dst,
586                                                const ExplodedNodeSet &Src,
587                                                SymbolReaper &SymReaper,
588                                                const Stmt *S,
589                                                ExprEngine &Eng,
590                                                ProgramPoint::Kind K) {
591   CheckDeadSymbolsContext C(DeadSymbolsCheckers, SymReaper, S, Eng, K);
592   expandGraphWithCheckers(C, Dst, Src);
593 }
594 
595 /// Run checkers for region changes.
596 ProgramStateRef
runCheckersForRegionChanges(ProgramStateRef state,const InvalidatedSymbols * invalidated,ArrayRef<const MemRegion * > ExplicitRegions,ArrayRef<const MemRegion * > Regions,const LocationContext * LCtx,const CallEvent * Call)597 CheckerManager::runCheckersForRegionChanges(ProgramStateRef state,
598                                             const InvalidatedSymbols *invalidated,
599                                             ArrayRef<const MemRegion *> ExplicitRegions,
600                                             ArrayRef<const MemRegion *> Regions,
601                                             const LocationContext *LCtx,
602                                             const CallEvent *Call) {
603   for (const auto &RegionChangesChecker : RegionChangesCheckers) {
604     // If any checker declares the state infeasible (or if it starts that way),
605     // bail out.
606     if (!state)
607       return nullptr;
608     state = RegionChangesChecker(state, invalidated, ExplicitRegions, Regions,
609                                  LCtx, Call);
610   }
611   return state;
612 }
613 
614 /// Run checkers to process symbol escape event.
615 ProgramStateRef
runCheckersForPointerEscape(ProgramStateRef State,const InvalidatedSymbols & Escaped,const CallEvent * Call,PointerEscapeKind Kind,RegionAndSymbolInvalidationTraits * ETraits)616 CheckerManager::runCheckersForPointerEscape(ProgramStateRef State,
617                                    const InvalidatedSymbols &Escaped,
618                                    const CallEvent *Call,
619                                    PointerEscapeKind Kind,
620                                    RegionAndSymbolInvalidationTraits *ETraits) {
621   assert((Call != nullptr ||
622           (Kind != PSK_DirectEscapeOnCall &&
623            Kind != PSK_IndirectEscapeOnCall)) &&
624          "Call must not be NULL when escaping on call");
625   for (const auto &PointerEscapeChecker : PointerEscapeCheckers) {
626     // If any checker declares the state infeasible (or if it starts that
627     //  way), bail out.
628     if (!State)
629       return nullptr;
630     State = PointerEscapeChecker(State, Escaped, Call, Kind, ETraits);
631   }
632   return State;
633 }
634 
635 /// Run checkers for handling assumptions on symbolic values.
636 ProgramStateRef
runCheckersForEvalAssume(ProgramStateRef state,SVal Cond,bool Assumption)637 CheckerManager::runCheckersForEvalAssume(ProgramStateRef state,
638                                          SVal Cond, bool Assumption) {
639   for (const auto &EvalAssumeChecker : EvalAssumeCheckers) {
640     // If any checker declares the state infeasible (or if it starts that way),
641     // bail out.
642     if (!state)
643       return nullptr;
644     state = EvalAssumeChecker(state, Cond, Assumption);
645   }
646   return state;
647 }
648 
649 /// Run checkers for evaluating a call.
650 /// Only one checker will evaluate the call.
runCheckersForEvalCall(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const CallEvent & Call,ExprEngine & Eng,const EvalCallOptions & CallOpts)651 void CheckerManager::runCheckersForEvalCall(ExplodedNodeSet &Dst,
652                                             const ExplodedNodeSet &Src,
653                                             const CallEvent &Call,
654                                             ExprEngine &Eng,
655                                             const EvalCallOptions &CallOpts) {
656   for (auto *const Pred : Src) {
657     std::optional<CheckerNameRef> evaluatorChecker;
658 
659     ExplodedNodeSet checkDst;
660     NodeBuilder B(Pred, checkDst, Eng.getBuilderContext());
661 
662     // Check if any of the EvalCall callbacks can evaluate the call.
663     for (const auto &EvalCallChecker : EvalCallCheckers) {
664       // TODO: Support the situation when the call doesn't correspond
665       // to any Expr.
666       ProgramPoint L = ProgramPoint::getProgramPoint(
667           Call.getOriginExpr(), ProgramPoint::PostStmtKind,
668           Pred->getLocationContext(), EvalCallChecker.Checker);
669       bool evaluated = false;
670       { // CheckerContext generates transitions(populates checkDest) on
671         // destruction, so introduce the scope to make sure it gets properly
672         // populated.
673         CheckerContext C(B, Eng, Pred, L);
674         evaluated = EvalCallChecker(Call, C);
675       }
676 #ifndef NDEBUG
677       if (evaluated && evaluatorChecker) {
678         const auto toString = [](const CallEvent &Call) -> std::string {
679           std::string Buf;
680           llvm::raw_string_ostream OS(Buf);
681           Call.dump(OS);
682           OS.flush();
683           return Buf;
684         };
685         std::string AssertionMessage = llvm::formatv(
686             "The '{0}' call has been already evaluated by the {1} checker, "
687             "while the {2} checker also tried to evaluate the same call. At "
688             "most one checker supposed to evaluate a call.",
689             toString(Call), evaluatorChecker->getName(),
690             EvalCallChecker.Checker->getCheckerName());
691         llvm_unreachable(AssertionMessage.c_str());
692       }
693 #endif
694       if (evaluated) {
695         evaluatorChecker = EvalCallChecker.Checker->getCheckerName();
696         Dst.insert(checkDst);
697 #ifdef NDEBUG
698         break; // on release don't check that no other checker also evals.
699 #endif
700       }
701     }
702 
703     // If none of the checkers evaluated the call, ask ExprEngine to handle it.
704     if (!evaluatorChecker) {
705       NodeBuilder B(Pred, Dst, Eng.getBuilderContext());
706       Eng.defaultEvalCall(B, Pred, Call, CallOpts);
707     }
708   }
709 }
710 
711 /// Run checkers for the entire Translation Unit.
runCheckersOnEndOfTranslationUnit(const TranslationUnitDecl * TU,AnalysisManager & mgr,BugReporter & BR)712 void CheckerManager::runCheckersOnEndOfTranslationUnit(
713                                                   const TranslationUnitDecl *TU,
714                                                   AnalysisManager &mgr,
715                                                   BugReporter &BR) {
716   for (const auto &EndOfTranslationUnitChecker : EndOfTranslationUnitCheckers)
717     EndOfTranslationUnitChecker(TU, mgr, BR);
718 }
719 
runCheckersForPrintStateJson(raw_ostream & Out,ProgramStateRef State,const char * NL,unsigned int Space,bool IsDot) const720 void CheckerManager::runCheckersForPrintStateJson(raw_ostream &Out,
721                                                   ProgramStateRef State,
722                                                   const char *NL,
723                                                   unsigned int Space,
724                                                   bool IsDot) const {
725   Indent(Out, Space, IsDot) << "\"checker_messages\": ";
726 
727   // Create a temporary stream to see whether we have any message.
728   SmallString<1024> TempBuf;
729   llvm::raw_svector_ostream TempOut(TempBuf);
730   unsigned int InnerSpace = Space + 2;
731 
732   // Create the new-line in JSON with enough space.
733   SmallString<128> NewLine;
734   llvm::raw_svector_ostream NLOut(NewLine);
735   NLOut << "\", " << NL;                     // Inject the ending and a new line
736   Indent(NLOut, InnerSpace, IsDot) << "\"";  // then begin the next message.
737 
738   ++Space;
739   bool HasMessage = false;
740 
741   // Store the last CheckerTag.
742   const void *LastCT = nullptr;
743   for (const auto &CT : CheckerTags) {
744     // See whether the current checker has a message.
745     CT.second->printState(TempOut, State, /*NL=*/NewLine.c_str(), /*Sep=*/"");
746 
747     if (TempBuf.empty())
748       continue;
749 
750     if (!HasMessage) {
751       Out << '[' << NL;
752       HasMessage = true;
753     }
754 
755     LastCT = &CT;
756     TempBuf.clear();
757   }
758 
759   for (const auto &CT : CheckerTags) {
760     // See whether the current checker has a message.
761     CT.second->printState(TempOut, State, /*NL=*/NewLine.c_str(), /*Sep=*/"");
762 
763     if (TempBuf.empty())
764       continue;
765 
766     Indent(Out, Space, IsDot)
767         << "{ \"checker\": \"" << CT.second->getCheckerName().getName()
768         << "\", \"messages\": [" << NL;
769     Indent(Out, InnerSpace, IsDot)
770         << '\"' << TempBuf.str().trim() << '\"' << NL;
771     Indent(Out, Space, IsDot) << "]}";
772 
773     if (&CT != LastCT)
774       Out << ',';
775     Out << NL;
776 
777     TempBuf.clear();
778   }
779 
780   // It is the last element of the 'program_state' so do not add a comma.
781   if (HasMessage)
782     Indent(Out, --Space, IsDot) << "]";
783   else
784     Out << "null";
785 
786   Out << NL;
787 }
788 
789 //===----------------------------------------------------------------------===//
790 // Internal registration functions for AST traversing.
791 //===----------------------------------------------------------------------===//
792 
_registerForDecl(CheckDeclFunc checkfn,HandlesDeclFunc isForDeclFn)793 void CheckerManager::_registerForDecl(CheckDeclFunc checkfn,
794                                       HandlesDeclFunc isForDeclFn) {
795   DeclCheckerInfo info = { checkfn, isForDeclFn };
796   DeclCheckers.push_back(info);
797 }
798 
_registerForBody(CheckDeclFunc checkfn)799 void CheckerManager::_registerForBody(CheckDeclFunc checkfn) {
800   BodyCheckers.push_back(checkfn);
801 }
802 
803 //===----------------------------------------------------------------------===//
804 // Internal registration functions for path-sensitive checking.
805 //===----------------------------------------------------------------------===//
806 
_registerForPreStmt(CheckStmtFunc checkfn,HandlesStmtFunc isForStmtFn)807 void CheckerManager::_registerForPreStmt(CheckStmtFunc checkfn,
808                                          HandlesStmtFunc isForStmtFn) {
809   StmtCheckerInfo info = { checkfn, isForStmtFn, /*IsPreVisit*/true };
810   StmtCheckers.push_back(info);
811 }
812 
_registerForPostStmt(CheckStmtFunc checkfn,HandlesStmtFunc isForStmtFn)813 void CheckerManager::_registerForPostStmt(CheckStmtFunc checkfn,
814                                           HandlesStmtFunc isForStmtFn) {
815   StmtCheckerInfo info = { checkfn, isForStmtFn, /*IsPreVisit*/false };
816   StmtCheckers.push_back(info);
817 }
818 
_registerForPreObjCMessage(CheckObjCMessageFunc checkfn)819 void CheckerManager::_registerForPreObjCMessage(CheckObjCMessageFunc checkfn) {
820   PreObjCMessageCheckers.push_back(checkfn);
821 }
822 
_registerForObjCMessageNil(CheckObjCMessageFunc checkfn)823 void CheckerManager::_registerForObjCMessageNil(CheckObjCMessageFunc checkfn) {
824   ObjCMessageNilCheckers.push_back(checkfn);
825 }
826 
_registerForPostObjCMessage(CheckObjCMessageFunc checkfn)827 void CheckerManager::_registerForPostObjCMessage(CheckObjCMessageFunc checkfn) {
828   PostObjCMessageCheckers.push_back(checkfn);
829 }
830 
_registerForPreCall(CheckCallFunc checkfn)831 void CheckerManager::_registerForPreCall(CheckCallFunc checkfn) {
832   PreCallCheckers.push_back(checkfn);
833 }
_registerForPostCall(CheckCallFunc checkfn)834 void CheckerManager::_registerForPostCall(CheckCallFunc checkfn) {
835   PostCallCheckers.push_back(checkfn);
836 }
837 
_registerForLocation(CheckLocationFunc checkfn)838 void CheckerManager::_registerForLocation(CheckLocationFunc checkfn) {
839   LocationCheckers.push_back(checkfn);
840 }
841 
_registerForBind(CheckBindFunc checkfn)842 void CheckerManager::_registerForBind(CheckBindFunc checkfn) {
843   BindCheckers.push_back(checkfn);
844 }
845 
_registerForEndAnalysis(CheckEndAnalysisFunc checkfn)846 void CheckerManager::_registerForEndAnalysis(CheckEndAnalysisFunc checkfn) {
847   EndAnalysisCheckers.push_back(checkfn);
848 }
849 
_registerForBeginFunction(CheckBeginFunctionFunc checkfn)850 void CheckerManager::_registerForBeginFunction(CheckBeginFunctionFunc checkfn) {
851   BeginFunctionCheckers.push_back(checkfn);
852 }
853 
_registerForEndFunction(CheckEndFunctionFunc checkfn)854 void CheckerManager::_registerForEndFunction(CheckEndFunctionFunc checkfn) {
855   EndFunctionCheckers.push_back(checkfn);
856 }
857 
_registerForBranchCondition(CheckBranchConditionFunc checkfn)858 void CheckerManager::_registerForBranchCondition(
859                                              CheckBranchConditionFunc checkfn) {
860   BranchConditionCheckers.push_back(checkfn);
861 }
862 
_registerForNewAllocator(CheckNewAllocatorFunc checkfn)863 void CheckerManager::_registerForNewAllocator(CheckNewAllocatorFunc checkfn) {
864   NewAllocatorCheckers.push_back(checkfn);
865 }
866 
_registerForLiveSymbols(CheckLiveSymbolsFunc checkfn)867 void CheckerManager::_registerForLiveSymbols(CheckLiveSymbolsFunc checkfn) {
868   LiveSymbolsCheckers.push_back(checkfn);
869 }
870 
_registerForDeadSymbols(CheckDeadSymbolsFunc checkfn)871 void CheckerManager::_registerForDeadSymbols(CheckDeadSymbolsFunc checkfn) {
872   DeadSymbolsCheckers.push_back(checkfn);
873 }
874 
_registerForRegionChanges(CheckRegionChangesFunc checkfn)875 void CheckerManager::_registerForRegionChanges(CheckRegionChangesFunc checkfn) {
876   RegionChangesCheckers.push_back(checkfn);
877 }
878 
_registerForPointerEscape(CheckPointerEscapeFunc checkfn)879 void CheckerManager::_registerForPointerEscape(CheckPointerEscapeFunc checkfn){
880   PointerEscapeCheckers.push_back(checkfn);
881 }
882 
_registerForConstPointerEscape(CheckPointerEscapeFunc checkfn)883 void CheckerManager::_registerForConstPointerEscape(
884                                           CheckPointerEscapeFunc checkfn) {
885   PointerEscapeCheckers.push_back(checkfn);
886 }
887 
_registerForEvalAssume(EvalAssumeFunc checkfn)888 void CheckerManager::_registerForEvalAssume(EvalAssumeFunc checkfn) {
889   EvalAssumeCheckers.push_back(checkfn);
890 }
891 
_registerForEvalCall(EvalCallFunc checkfn)892 void CheckerManager::_registerForEvalCall(EvalCallFunc checkfn) {
893   EvalCallCheckers.push_back(checkfn);
894 }
895 
_registerForEndOfTranslationUnit(CheckEndOfTranslationUnit checkfn)896 void CheckerManager::_registerForEndOfTranslationUnit(
897                                             CheckEndOfTranslationUnit checkfn) {
898   EndOfTranslationUnitCheckers.push_back(checkfn);
899 }
900 
901 //===----------------------------------------------------------------------===//
902 // Implementation details.
903 //===----------------------------------------------------------------------===//
904 
905 const CheckerManager::CachedStmtCheckers &
getCachedStmtCheckersFor(const Stmt * S,bool isPreVisit)906 CheckerManager::getCachedStmtCheckersFor(const Stmt *S, bool isPreVisit) {
907   assert(S);
908 
909   unsigned Key = (S->getStmtClass() << 1) | unsigned(isPreVisit);
910   CachedStmtCheckersMapTy::iterator CCI = CachedStmtCheckersMap.find(Key);
911   if (CCI != CachedStmtCheckersMap.end())
912     return CCI->second;
913 
914   // Find the checkers that should run for this Stmt and cache them.
915   CachedStmtCheckers &Checkers = CachedStmtCheckersMap[Key];
916   for (const auto &Info : StmtCheckers)
917     if (Info.IsPreVisit == isPreVisit && Info.IsForStmtFn(S))
918       Checkers.push_back(Info.CheckFn);
919   return Checkers;
920 }
921