1 //==-- DebugContainerModeling.cpp ---------------------------------*- C++ -*--//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // Defines a checker for debugging iterator modeling.
10 //
11 //===----------------------------------------------------------------------===//
12
13 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
14 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
15 #include "clang/StaticAnalyzer/Core/Checker.h"
16 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
17 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
18
19 #include "Iterator.h"
20
21 using namespace clang;
22 using namespace ento;
23 using namespace iterator;
24
25 namespace {
26
27 class DebugContainerModeling
28 : public Checker<eval::Call> {
29
30 std::unique_ptr<BugType> DebugMsgBugType;
31
32 template <typename Getter>
33 void analyzerContainerDataField(const CallExpr *CE, CheckerContext &C,
34 Getter get) const;
35 void analyzerContainerBegin(const CallExpr *CE, CheckerContext &C) const;
36 void analyzerContainerEnd(const CallExpr *CE, CheckerContext &C) const;
37 ExplodedNode *reportDebugMsg(llvm::StringRef Msg, CheckerContext &C) const;
38
39 typedef void (DebugContainerModeling::*FnCheck)(const CallExpr *,
40 CheckerContext &) const;
41
42 CallDescriptionMap<FnCheck> Callbacks = {
43 {{0, "clang_analyzer_container_begin", 1},
44 &DebugContainerModeling::analyzerContainerBegin},
45 {{0, "clang_analyzer_container_end", 1},
46 &DebugContainerModeling::analyzerContainerEnd},
47 };
48
49 public:
50 DebugContainerModeling();
51
52 bool evalCall(const CallEvent &Call, CheckerContext &C) const;
53 };
54
55 } //namespace
56
DebugContainerModeling()57 DebugContainerModeling::DebugContainerModeling() {
58 DebugMsgBugType.reset(
59 new BugType(this, "Checking analyzer assumptions", "debug",
60 /*SuppressOnSink=*/true));
61 }
62
evalCall(const CallEvent & Call,CheckerContext & C) const63 bool DebugContainerModeling::evalCall(const CallEvent &Call,
64 CheckerContext &C) const {
65 const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
66 if (!CE)
67 return false;
68
69 const FnCheck *Handler = Callbacks.lookup(Call);
70 if (!Handler)
71 return false;
72
73 (this->**Handler)(CE, C);
74 return true;
75 }
76
77 template <typename Getter>
analyzerContainerDataField(const CallExpr * CE,CheckerContext & C,Getter get) const78 void DebugContainerModeling::analyzerContainerDataField(const CallExpr *CE,
79 CheckerContext &C,
80 Getter get) const {
81 if (CE->getNumArgs() == 0) {
82 reportDebugMsg("Missing container argument", C);
83 return;
84 }
85
86 auto State = C.getState();
87 const MemRegion *Cont = C.getSVal(CE->getArg(0)).getAsRegion();
88 if (Cont) {
89 const auto *Data = getContainerData(State, Cont);
90 if (Data) {
91 SymbolRef Field = get(Data);
92 if (Field) {
93 State = State->BindExpr(CE, C.getLocationContext(),
94 nonloc::SymbolVal(Field));
95
96 // Progpagate interestingness from the container's data (marked
97 // interesting by an `ExprInspection` debug call to the container
98 // itself.
99 const NoteTag *InterestingTag =
100 C.getNoteTag(
101 [Cont, Field](PathSensitiveBugReport &BR) -> std::string {
102 if (BR.isInteresting(Field)) {
103 BR.markInteresting(Cont);
104 }
105 return "";
106 });
107 C.addTransition(State, InterestingTag);
108 return;
109 }
110 }
111 }
112
113 auto &BVF = C.getSValBuilder().getBasicValueFactory();
114 State = State->BindExpr(CE, C.getLocationContext(),
115 nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(0))));
116 }
117
analyzerContainerBegin(const CallExpr * CE,CheckerContext & C) const118 void DebugContainerModeling::analyzerContainerBegin(const CallExpr *CE,
119 CheckerContext &C) const {
120 analyzerContainerDataField(CE, C, [](const ContainerData *D) {
121 return D->getBegin();
122 });
123 }
124
analyzerContainerEnd(const CallExpr * CE,CheckerContext & C) const125 void DebugContainerModeling::analyzerContainerEnd(const CallExpr *CE,
126 CheckerContext &C) const {
127 analyzerContainerDataField(CE, C, [](const ContainerData *D) {
128 return D->getEnd();
129 });
130 }
131
reportDebugMsg(llvm::StringRef Msg,CheckerContext & C) const132 ExplodedNode *DebugContainerModeling::reportDebugMsg(llvm::StringRef Msg,
133 CheckerContext &C) const {
134 ExplodedNode *N = C.generateNonFatalErrorNode();
135 if (!N)
136 return nullptr;
137
138 auto &BR = C.getBugReporter();
139 BR.emitReport(std::make_unique<PathSensitiveBugReport>(*DebugMsgBugType,
140 Msg, N));
141 return N;
142 }
143
registerDebugContainerModeling(CheckerManager & mgr)144 void ento::registerDebugContainerModeling(CheckerManager &mgr) {
145 mgr.registerChecker<DebugContainerModeling>();
146 }
147
shouldRegisterDebugContainerModeling(const CheckerManager & mgr)148 bool ento::shouldRegisterDebugContainerModeling(const CheckerManager &mgr) {
149 return true;
150 }
151