1 //== BodyFarm.cpp  - Factory for conjuring up fake bodies ----------*- C++ -*-//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // BodyFarm is a factory for creating faux implementations for functions/methods
11 // for analysis purposes.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "BodyFarm.h"
16 #include "clang/AST/ASTContext.h"
17 #include "clang/AST/Decl.h"
18 #include "clang/AST/Expr.h"
19 #include "clang/AST/ExprObjC.h"
20 #include "clang/Analysis/CodeInjector.h"
21 #include "llvm/ADT/StringSwitch.h"
22 
23 using namespace clang;
24 
25 //===----------------------------------------------------------------------===//
26 // Helper creation functions for constructing faux ASTs.
27 //===----------------------------------------------------------------------===//
28 
isDispatchBlock(QualType Ty)29 static bool isDispatchBlock(QualType Ty) {
30   // Is it a block pointer?
31   const BlockPointerType *BPT = Ty->getAs<BlockPointerType>();
32   if (!BPT)
33     return false;
34 
35   // Check if the block pointer type takes no arguments and
36   // returns void.
37   const FunctionProtoType *FT =
38   BPT->getPointeeType()->getAs<FunctionProtoType>();
39   return FT && FT->getReturnType()->isVoidType() && FT->getNumParams() == 0;
40 }
41 
42 namespace {
43 class ASTMaker {
44 public:
ASTMaker(ASTContext & C)45   ASTMaker(ASTContext &C) : C(C) {}
46 
47   /// Create a new BinaryOperator representing a simple assignment.
48   BinaryOperator *makeAssignment(const Expr *LHS, const Expr *RHS, QualType Ty);
49 
50   /// Create a new BinaryOperator representing a comparison.
51   BinaryOperator *makeComparison(const Expr *LHS, const Expr *RHS,
52                                  BinaryOperator::Opcode Op);
53 
54   /// Create a new compound stmt using the provided statements.
55   CompoundStmt *makeCompound(ArrayRef<Stmt*>);
56 
57   /// Create a new DeclRefExpr for the referenced variable.
58   DeclRefExpr *makeDeclRefExpr(const VarDecl *D);
59 
60   /// Create a new UnaryOperator representing a dereference.
61   UnaryOperator *makeDereference(const Expr *Arg, QualType Ty);
62 
63   /// Create an implicit cast for an integer conversion.
64   Expr *makeIntegralCast(const Expr *Arg, QualType Ty);
65 
66   /// Create an implicit cast to a builtin boolean type.
67   ImplicitCastExpr *makeIntegralCastToBoolean(const Expr *Arg);
68 
69   // Create an implicit cast for lvalue-to-rvaluate conversions.
70   ImplicitCastExpr *makeLvalueToRvalue(const Expr *Arg, QualType Ty);
71 
72   /// Create an Objective-C bool literal.
73   ObjCBoolLiteralExpr *makeObjCBool(bool Val);
74 
75   /// Create an Objective-C ivar reference.
76   ObjCIvarRefExpr *makeObjCIvarRef(const Expr *Base, const ObjCIvarDecl *IVar);
77 
78   /// Create a Return statement.
79   ReturnStmt *makeReturn(const Expr *RetVal);
80 
81 private:
82   ASTContext &C;
83 };
84 }
85 
makeAssignment(const Expr * LHS,const Expr * RHS,QualType Ty)86 BinaryOperator *ASTMaker::makeAssignment(const Expr *LHS, const Expr *RHS,
87                                          QualType Ty) {
88  return new (C) BinaryOperator(const_cast<Expr*>(LHS), const_cast<Expr*>(RHS),
89                                BO_Assign, Ty, VK_RValue,
90                                OK_Ordinary, SourceLocation(), false);
91 }
92 
makeComparison(const Expr * LHS,const Expr * RHS,BinaryOperator::Opcode Op)93 BinaryOperator *ASTMaker::makeComparison(const Expr *LHS, const Expr *RHS,
94                                          BinaryOperator::Opcode Op) {
95   assert(BinaryOperator::isLogicalOp(Op) ||
96          BinaryOperator::isComparisonOp(Op));
97   return new (C) BinaryOperator(const_cast<Expr*>(LHS),
98                                 const_cast<Expr*>(RHS),
99                                 Op,
100                                 C.getLogicalOperationType(),
101                                 VK_RValue,
102                                 OK_Ordinary, SourceLocation(), false);
103 }
104 
makeCompound(ArrayRef<Stmt * > Stmts)105 CompoundStmt *ASTMaker::makeCompound(ArrayRef<Stmt *> Stmts) {
106   return new (C) CompoundStmt(C, Stmts, SourceLocation(), SourceLocation());
107 }
108 
makeDeclRefExpr(const VarDecl * D)109 DeclRefExpr *ASTMaker::makeDeclRefExpr(const VarDecl *D) {
110   DeclRefExpr *DR =
111     DeclRefExpr::Create(/* Ctx = */ C,
112                         /* QualifierLoc = */ NestedNameSpecifierLoc(),
113                         /* TemplateKWLoc = */ SourceLocation(),
114                         /* D = */ const_cast<VarDecl*>(D),
115                         /* RefersToEnclosingVariableOrCapture = */ false,
116                         /* NameLoc = */ SourceLocation(),
117                         /* T = */ D->getType(),
118                         /* VK = */ VK_LValue);
119   return DR;
120 }
121 
makeDereference(const Expr * Arg,QualType Ty)122 UnaryOperator *ASTMaker::makeDereference(const Expr *Arg, QualType Ty) {
123   return new (C) UnaryOperator(const_cast<Expr*>(Arg), UO_Deref, Ty,
124                                VK_LValue, OK_Ordinary, SourceLocation());
125 }
126 
makeLvalueToRvalue(const Expr * Arg,QualType Ty)127 ImplicitCastExpr *ASTMaker::makeLvalueToRvalue(const Expr *Arg, QualType Ty) {
128   return ImplicitCastExpr::Create(C, Ty, CK_LValueToRValue,
129                                   const_cast<Expr*>(Arg), nullptr, VK_RValue);
130 }
131 
makeIntegralCast(const Expr * Arg,QualType Ty)132 Expr *ASTMaker::makeIntegralCast(const Expr *Arg, QualType Ty) {
133   if (Arg->getType() == Ty)
134     return const_cast<Expr*>(Arg);
135 
136   return ImplicitCastExpr::Create(C, Ty, CK_IntegralCast,
137                                   const_cast<Expr*>(Arg), nullptr, VK_RValue);
138 }
139 
makeIntegralCastToBoolean(const Expr * Arg)140 ImplicitCastExpr *ASTMaker::makeIntegralCastToBoolean(const Expr *Arg) {
141   return ImplicitCastExpr::Create(C, C.BoolTy, CK_IntegralToBoolean,
142                                   const_cast<Expr*>(Arg), nullptr, VK_RValue);
143 }
144 
makeObjCBool(bool Val)145 ObjCBoolLiteralExpr *ASTMaker::makeObjCBool(bool Val) {
146   QualType Ty = C.getBOOLDecl() ? C.getBOOLType() : C.ObjCBuiltinBoolTy;
147   return new (C) ObjCBoolLiteralExpr(Val, Ty, SourceLocation());
148 }
149 
makeObjCIvarRef(const Expr * Base,const ObjCIvarDecl * IVar)150 ObjCIvarRefExpr *ASTMaker::makeObjCIvarRef(const Expr *Base,
151                                            const ObjCIvarDecl *IVar) {
152   return new (C) ObjCIvarRefExpr(const_cast<ObjCIvarDecl*>(IVar),
153                                  IVar->getType(), SourceLocation(),
154                                  SourceLocation(), const_cast<Expr*>(Base),
155                                  /*arrow=*/true, /*free=*/false);
156 }
157 
158 
makeReturn(const Expr * RetVal)159 ReturnStmt *ASTMaker::makeReturn(const Expr *RetVal) {
160   return new (C) ReturnStmt(SourceLocation(), const_cast<Expr*>(RetVal),
161                             nullptr);
162 }
163 
164 //===----------------------------------------------------------------------===//
165 // Creation functions for faux ASTs.
166 //===----------------------------------------------------------------------===//
167 
168 typedef Stmt *(*FunctionFarmer)(ASTContext &C, const FunctionDecl *D);
169 
170 /// Create a fake body for dispatch_once.
create_dispatch_once(ASTContext & C,const FunctionDecl * D)171 static Stmt *create_dispatch_once(ASTContext &C, const FunctionDecl *D) {
172   // Check if we have at least two parameters.
173   if (D->param_size() != 2)
174     return nullptr;
175 
176   // Check if the first parameter is a pointer to integer type.
177   const ParmVarDecl *Predicate = D->getParamDecl(0);
178   QualType PredicateQPtrTy = Predicate->getType();
179   const PointerType *PredicatePtrTy = PredicateQPtrTy->getAs<PointerType>();
180   if (!PredicatePtrTy)
181     return nullptr;
182   QualType PredicateTy = PredicatePtrTy->getPointeeType();
183   if (!PredicateTy->isIntegerType())
184     return nullptr;
185 
186   // Check if the second parameter is the proper block type.
187   const ParmVarDecl *Block = D->getParamDecl(1);
188   QualType Ty = Block->getType();
189   if (!isDispatchBlock(Ty))
190     return nullptr;
191 
192   // Everything checks out.  Create a fakse body that checks the predicate,
193   // sets it, and calls the block.  Basically, an AST dump of:
194   //
195   // void dispatch_once(dispatch_once_t *predicate, dispatch_block_t block) {
196   //  if (!*predicate) {
197   //    *predicate = 1;
198   //    block();
199   //  }
200   // }
201 
202   ASTMaker M(C);
203 
204   // (1) Create the call.
205   DeclRefExpr *DR = M.makeDeclRefExpr(Block);
206   ImplicitCastExpr *ICE = M.makeLvalueToRvalue(DR, Ty);
207   CallExpr *CE = new (C) CallExpr(C, ICE, None, C.VoidTy, VK_RValue,
208                                   SourceLocation());
209 
210   // (2) Create the assignment to the predicate.
211   IntegerLiteral *IL =
212     IntegerLiteral::Create(C, llvm::APInt(C.getTypeSize(C.IntTy), (uint64_t) 1),
213                            C.IntTy, SourceLocation());
214   BinaryOperator *B =
215     M.makeAssignment(
216        M.makeDereference(
217           M.makeLvalueToRvalue(
218             M.makeDeclRefExpr(Predicate), PredicateQPtrTy),
219             PredicateTy),
220        M.makeIntegralCast(IL, PredicateTy),
221        PredicateTy);
222 
223   // (3) Create the compound statement.
224   Stmt *Stmts[] = { B, CE };
225   CompoundStmt *CS = M.makeCompound(Stmts);
226 
227   // (4) Create the 'if' condition.
228   ImplicitCastExpr *LValToRval =
229     M.makeLvalueToRvalue(
230       M.makeDereference(
231         M.makeLvalueToRvalue(
232           M.makeDeclRefExpr(Predicate),
233           PredicateQPtrTy),
234         PredicateTy),
235     PredicateTy);
236 
237   UnaryOperator *UO = new (C) UnaryOperator(LValToRval, UO_LNot, C.IntTy,
238                                            VK_RValue, OK_Ordinary,
239                                            SourceLocation());
240 
241   // (5) Create the 'if' statement.
242   IfStmt *If = new (C) IfStmt(C, SourceLocation(), false, nullptr, nullptr,
243                               UO, CS);
244   return If;
245 }
246 
247 /// Create a fake body for dispatch_sync.
create_dispatch_sync(ASTContext & C,const FunctionDecl * D)248 static Stmt *create_dispatch_sync(ASTContext &C, const FunctionDecl *D) {
249   // Check if we have at least two parameters.
250   if (D->param_size() != 2)
251     return nullptr;
252 
253   // Check if the second parameter is a block.
254   const ParmVarDecl *PV = D->getParamDecl(1);
255   QualType Ty = PV->getType();
256   if (!isDispatchBlock(Ty))
257     return nullptr;
258 
259   // Everything checks out.  Create a fake body that just calls the block.
260   // This is basically just an AST dump of:
261   //
262   // void dispatch_sync(dispatch_queue_t queue, void (^block)(void)) {
263   //   block();
264   // }
265   //
266   ASTMaker M(C);
267   DeclRefExpr *DR = M.makeDeclRefExpr(PV);
268   ImplicitCastExpr *ICE = M.makeLvalueToRvalue(DR, Ty);
269   CallExpr *CE = new (C) CallExpr(C, ICE, None, C.VoidTy, VK_RValue,
270                                   SourceLocation());
271   return CE;
272 }
273 
create_OSAtomicCompareAndSwap(ASTContext & C,const FunctionDecl * D)274 static Stmt *create_OSAtomicCompareAndSwap(ASTContext &C, const FunctionDecl *D)
275 {
276   // There are exactly 3 arguments.
277   if (D->param_size() != 3)
278     return nullptr;
279 
280   // Signature:
281   // _Bool OSAtomicCompareAndSwapPtr(void *__oldValue,
282   //                                 void *__newValue,
283   //                                 void * volatile *__theValue)
284   // Generate body:
285   //   if (oldValue == *theValue) {
286   //    *theValue = newValue;
287   //    return YES;
288   //   }
289   //   else return NO;
290 
291   QualType ResultTy = D->getReturnType();
292   bool isBoolean = ResultTy->isBooleanType();
293   if (!isBoolean && !ResultTy->isIntegralType(C))
294     return nullptr;
295 
296   const ParmVarDecl *OldValue = D->getParamDecl(0);
297   QualType OldValueTy = OldValue->getType();
298 
299   const ParmVarDecl *NewValue = D->getParamDecl(1);
300   QualType NewValueTy = NewValue->getType();
301 
302   assert(OldValueTy == NewValueTy);
303 
304   const ParmVarDecl *TheValue = D->getParamDecl(2);
305   QualType TheValueTy = TheValue->getType();
306   const PointerType *PT = TheValueTy->getAs<PointerType>();
307   if (!PT)
308     return nullptr;
309   QualType PointeeTy = PT->getPointeeType();
310 
311   ASTMaker M(C);
312   // Construct the comparison.
313   Expr *Comparison =
314     M.makeComparison(
315       M.makeLvalueToRvalue(M.makeDeclRefExpr(OldValue), OldValueTy),
316       M.makeLvalueToRvalue(
317         M.makeDereference(
318           M.makeLvalueToRvalue(M.makeDeclRefExpr(TheValue), TheValueTy),
319           PointeeTy),
320         PointeeTy),
321       BO_EQ);
322 
323   // Construct the body of the IfStmt.
324   Stmt *Stmts[2];
325   Stmts[0] =
326     M.makeAssignment(
327       M.makeDereference(
328         M.makeLvalueToRvalue(M.makeDeclRefExpr(TheValue), TheValueTy),
329         PointeeTy),
330       M.makeLvalueToRvalue(M.makeDeclRefExpr(NewValue), NewValueTy),
331       NewValueTy);
332 
333   Expr *BoolVal = M.makeObjCBool(true);
334   Expr *RetVal = isBoolean ? M.makeIntegralCastToBoolean(BoolVal)
335                            : M.makeIntegralCast(BoolVal, ResultTy);
336   Stmts[1] = M.makeReturn(RetVal);
337   CompoundStmt *Body = M.makeCompound(Stmts);
338 
339   // Construct the else clause.
340   BoolVal = M.makeObjCBool(false);
341   RetVal = isBoolean ? M.makeIntegralCastToBoolean(BoolVal)
342                      : M.makeIntegralCast(BoolVal, ResultTy);
343   Stmt *Else = M.makeReturn(RetVal);
344 
345   /// Construct the If.
346   Stmt *If = new (C) IfStmt(C, SourceLocation(), false, nullptr, nullptr,
347                             Comparison, Body, SourceLocation(), Else);
348 
349   return If;
350 }
351 
getBody(const FunctionDecl * D)352 Stmt *BodyFarm::getBody(const FunctionDecl *D) {
353   D = D->getCanonicalDecl();
354 
355   Optional<Stmt *> &Val = Bodies[D];
356   if (Val.hasValue())
357     return Val.getValue();
358 
359   Val = nullptr;
360 
361   if (D->getIdentifier() == nullptr)
362     return nullptr;
363 
364   StringRef Name = D->getName();
365   if (Name.empty())
366     return nullptr;
367 
368   FunctionFarmer FF;
369 
370   if (Name.startswith("OSAtomicCompareAndSwap") ||
371       Name.startswith("objc_atomicCompareAndSwap")) {
372     FF = create_OSAtomicCompareAndSwap;
373   }
374   else {
375     FF = llvm::StringSwitch<FunctionFarmer>(Name)
376           .Case("dispatch_sync", create_dispatch_sync)
377           .Case("dispatch_once", create_dispatch_once)
378           .Default(nullptr);
379   }
380 
381   if (FF) { Val = FF(C, D); }
382   else if (Injector) { Val = Injector->getBody(D); }
383   return Val.getValue();
384 }
385 
findBackingIvar(const ObjCPropertyDecl * Prop)386 static const ObjCIvarDecl *findBackingIvar(const ObjCPropertyDecl *Prop) {
387   const ObjCIvarDecl *IVar = Prop->getPropertyIvarDecl();
388 
389   if (IVar)
390     return IVar;
391 
392   // When a readonly property is shadowed in a class extensions with a
393   // a readwrite property, the instance variable belongs to the shadowing
394   // property rather than the shadowed property. If there is no instance
395   // variable on a readonly property, check to see whether the property is
396   // shadowed and if so try to get the instance variable from shadowing
397   // property.
398   if (!Prop->isReadOnly())
399     return nullptr;
400 
401   auto *Container = cast<ObjCContainerDecl>(Prop->getDeclContext());
402   const ObjCInterfaceDecl *PrimaryInterface = nullptr;
403   if (auto *InterfaceDecl = dyn_cast<ObjCInterfaceDecl>(Container)) {
404     PrimaryInterface = InterfaceDecl;
405   } else if (auto *CategoryDecl = dyn_cast<ObjCCategoryDecl>(Container)) {
406     PrimaryInterface = CategoryDecl->getClassInterface();
407   } else if (auto *ImplDecl = dyn_cast<ObjCImplDecl>(Container)) {
408     PrimaryInterface = ImplDecl->getClassInterface();
409   } else {
410     return nullptr;
411   }
412 
413   // FindPropertyVisibleInPrimaryClass() looks first in class extensions, so it
414   // is guaranteed to find the shadowing property, if it exists, rather than
415   // the shadowed property.
416   auto *ShadowingProp = PrimaryInterface->FindPropertyVisibleInPrimaryClass(
417       Prop->getIdentifier(), Prop->getQueryKind());
418   if (ShadowingProp && ShadowingProp != Prop) {
419     IVar = ShadowingProp->getPropertyIvarDecl();
420   }
421 
422   return IVar;
423 }
424 
createObjCPropertyGetter(ASTContext & Ctx,const ObjCPropertyDecl * Prop)425 static Stmt *createObjCPropertyGetter(ASTContext &Ctx,
426                                       const ObjCPropertyDecl *Prop) {
427   // First, find the backing ivar.
428   const ObjCIvarDecl *IVar = findBackingIvar(Prop);
429   if (!IVar)
430     return nullptr;
431 
432   // Ignore weak variables, which have special behavior.
433   if (Prop->getPropertyAttributes() & ObjCPropertyDecl::OBJC_PR_weak)
434     return nullptr;
435 
436   // Look to see if Sema has synthesized a body for us. This happens in
437   // Objective-C++ because the return value may be a C++ class type with a
438   // non-trivial copy constructor. We can only do this if we can find the
439   // @synthesize for this property, though (or if we know it's been auto-
440   // synthesized).
441   const ObjCImplementationDecl *ImplDecl =
442     IVar->getContainingInterface()->getImplementation();
443   if (ImplDecl) {
444     for (const auto *I : ImplDecl->property_impls()) {
445       if (I->getPropertyDecl() != Prop)
446         continue;
447 
448       if (I->getGetterCXXConstructor()) {
449         ASTMaker M(Ctx);
450         return M.makeReturn(I->getGetterCXXConstructor());
451       }
452     }
453   }
454 
455   // Sanity check that the property is the same type as the ivar, or a
456   // reference to it, and that it is either an object pointer or trivially
457   // copyable.
458   if (!Ctx.hasSameUnqualifiedType(IVar->getType(),
459                                   Prop->getType().getNonReferenceType()))
460     return nullptr;
461   if (!IVar->getType()->isObjCLifetimeType() &&
462       !IVar->getType().isTriviallyCopyableType(Ctx))
463     return nullptr;
464 
465   // Generate our body:
466   //   return self->_ivar;
467   ASTMaker M(Ctx);
468 
469   const VarDecl *selfVar = Prop->getGetterMethodDecl()->getSelfDecl();
470 
471   Expr *loadedIVar =
472     M.makeObjCIvarRef(
473       M.makeLvalueToRvalue(
474         M.makeDeclRefExpr(selfVar),
475         selfVar->getType()),
476       IVar);
477 
478   if (!Prop->getType()->isReferenceType())
479     loadedIVar = M.makeLvalueToRvalue(loadedIVar, IVar->getType());
480 
481   return M.makeReturn(loadedIVar);
482 }
483 
getBody(const ObjCMethodDecl * D)484 Stmt *BodyFarm::getBody(const ObjCMethodDecl *D) {
485   // We currently only know how to synthesize property accessors.
486   if (!D->isPropertyAccessor())
487     return nullptr;
488 
489   D = D->getCanonicalDecl();
490 
491   Optional<Stmt *> &Val = Bodies[D];
492   if (Val.hasValue())
493     return Val.getValue();
494   Val = nullptr;
495 
496   const ObjCPropertyDecl *Prop = D->findPropertyDecl();
497   if (!Prop)
498     return nullptr;
499 
500   // For now, we only synthesize getters.
501   // Synthesizing setters would cause false negatives in the
502   // RetainCountChecker because the method body would bind the parameter
503   // to an instance variable, causing it to escape. This would prevent
504   // warning in the following common scenario:
505   //
506   //  id foo = [[NSObject alloc] init];
507   //  self.foo = foo; // We should warn that foo leaks here.
508   //
509   if (D->param_size() != 0)
510     return nullptr;
511 
512   Val = createObjCPropertyGetter(C, Prop);
513 
514   return Val.getValue();
515 }
516 
517