1 //===--- CheckerManager.cpp - Static Analyzer Checker Manager -------------===//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // Defines the Static Analyzer Checker Manager.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
15 #include "clang/AST/DeclBase.h"
16 #include "clang/Analysis/ProgramPoint.h"
17 #include "clang/StaticAnalyzer/Core/Checker.h"
18 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20 
21 using namespace clang;
22 using namespace ento;
23 
hasPathSensitiveCheckers() const24 bool CheckerManager::hasPathSensitiveCheckers() const {
25   return !StmtCheckers.empty()              ||
26          !PreObjCMessageCheckers.empty()    ||
27          !PostObjCMessageCheckers.empty()   ||
28          !PreCallCheckers.empty()    ||
29          !PostCallCheckers.empty()   ||
30          !LocationCheckers.empty()          ||
31          !BindCheckers.empty()              ||
32          !EndAnalysisCheckers.empty()       ||
33          !EndFunctionCheckers.empty()           ||
34          !BranchConditionCheckers.empty()   ||
35          !LiveSymbolsCheckers.empty()       ||
36          !DeadSymbolsCheckers.empty()       ||
37          !RegionChangesCheckers.empty()     ||
38          !EvalAssumeCheckers.empty()        ||
39          !EvalCallCheckers.empty();
40 }
41 
finishedCheckerRegistration()42 void CheckerManager::finishedCheckerRegistration() {
43 #ifndef NDEBUG
44   // Make sure that for every event that has listeners, there is at least
45   // one dispatcher registered for it.
46   for (llvm::DenseMap<EventTag, EventInfo>::iterator
47          I = Events.begin(), E = Events.end(); I != E; ++I)
48     assert(I->second.HasDispatcher && "No dispatcher registered for an event");
49 #endif
50 }
51 
52 //===----------------------------------------------------------------------===//
53 // Functions for running checkers for AST traversing..
54 //===----------------------------------------------------------------------===//
55 
runCheckersOnASTDecl(const Decl * D,AnalysisManager & mgr,BugReporter & BR)56 void CheckerManager::runCheckersOnASTDecl(const Decl *D, AnalysisManager& mgr,
57                                           BugReporter &BR) {
58   assert(D);
59 
60   unsigned DeclKind = D->getKind();
61   CachedDeclCheckers *checkers = nullptr;
62   CachedDeclCheckersMapTy::iterator CCI = CachedDeclCheckersMap.find(DeclKind);
63   if (CCI != CachedDeclCheckersMap.end()) {
64     checkers = &(CCI->second);
65   } else {
66     // Find the checkers that should run for this Decl and cache them.
67     checkers = &CachedDeclCheckersMap[DeclKind];
68     for (unsigned i = 0, e = DeclCheckers.size(); i != e; ++i) {
69       DeclCheckerInfo &info = DeclCheckers[i];
70       if (info.IsForDeclFn(D))
71         checkers->push_back(info.CheckFn);
72     }
73   }
74 
75   assert(checkers);
76   for (CachedDeclCheckers::iterator
77          I = checkers->begin(), E = checkers->end(); I != E; ++I)
78     (*I)(D, mgr, BR);
79 }
80 
runCheckersOnASTBody(const Decl * D,AnalysisManager & mgr,BugReporter & BR)81 void CheckerManager::runCheckersOnASTBody(const Decl *D, AnalysisManager& mgr,
82                                           BugReporter &BR) {
83   assert(D && D->hasBody());
84 
85   for (unsigned i = 0, e = BodyCheckers.size(); i != e; ++i)
86     BodyCheckers[i](D, mgr, BR);
87 }
88 
89 //===----------------------------------------------------------------------===//
90 // Functions for running checkers for path-sensitive checking.
91 //===----------------------------------------------------------------------===//
92 
93 template <typename CHECK_CTX>
expandGraphWithCheckers(CHECK_CTX checkCtx,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src)94 static void expandGraphWithCheckers(CHECK_CTX checkCtx,
95                                     ExplodedNodeSet &Dst,
96                                     const ExplodedNodeSet &Src) {
97   const NodeBuilderContext &BldrCtx = checkCtx.Eng.getBuilderContext();
98   if (Src.empty())
99     return;
100 
101   typename CHECK_CTX::CheckersTy::const_iterator
102       I = checkCtx.checkers_begin(), E = checkCtx.checkers_end();
103   if (I == E) {
104     Dst.insert(Src);
105     return;
106   }
107 
108   ExplodedNodeSet Tmp1, Tmp2;
109   const ExplodedNodeSet *PrevSet = &Src;
110 
111   for (; I != E; ++I) {
112     ExplodedNodeSet *CurrSet = nullptr;
113     if (I+1 == E)
114       CurrSet = &Dst;
115     else {
116       CurrSet = (PrevSet == &Tmp1) ? &Tmp2 : &Tmp1;
117       CurrSet->clear();
118     }
119 
120     NodeBuilder B(*PrevSet, *CurrSet, BldrCtx);
121     for (ExplodedNodeSet::iterator NI = PrevSet->begin(), NE = PrevSet->end();
122          NI != NE; ++NI) {
123       checkCtx.runChecker(*I, B, *NI);
124     }
125 
126     // If all the produced transitions are sinks, stop.
127     if (CurrSet->empty())
128       return;
129 
130     // Update which NodeSet is the current one.
131     PrevSet = CurrSet;
132   }
133 }
134 
135 namespace {
136   struct CheckStmtContext {
137     typedef SmallVectorImpl<CheckerManager::CheckStmtFunc> CheckersTy;
138     bool IsPreVisit;
139     const CheckersTy &Checkers;
140     const Stmt *S;
141     ExprEngine &Eng;
142     bool WasInlined;
143 
checkers_begin__anon5e8ab1010111::CheckStmtContext144     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon5e8ab1010111::CheckStmtContext145     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
146 
CheckStmtContext__anon5e8ab1010111::CheckStmtContext147     CheckStmtContext(bool isPreVisit, const CheckersTy &checkers,
148                      const Stmt *s, ExprEngine &eng, bool wasInlined = false)
149       : IsPreVisit(isPreVisit), Checkers(checkers), S(s), Eng(eng),
150         WasInlined(wasInlined) {}
151 
runChecker__anon5e8ab1010111::CheckStmtContext152     void runChecker(CheckerManager::CheckStmtFunc checkFn,
153                     NodeBuilder &Bldr, ExplodedNode *Pred) {
154       // FIXME: Remove respondsToCallback from CheckerContext;
155       ProgramPoint::Kind K =  IsPreVisit ? ProgramPoint::PreStmtKind :
156                                            ProgramPoint::PostStmtKind;
157       const ProgramPoint &L = ProgramPoint::getProgramPoint(S, K,
158                                 Pred->getLocationContext(), checkFn.Checker);
159       CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
160       checkFn(S, C);
161     }
162   };
163 }
164 
165 /// \brief Run checkers for visiting Stmts.
runCheckersForStmt(bool isPreVisit,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const Stmt * S,ExprEngine & Eng,bool WasInlined)166 void CheckerManager::runCheckersForStmt(bool isPreVisit,
167                                         ExplodedNodeSet &Dst,
168                                         const ExplodedNodeSet &Src,
169                                         const Stmt *S,
170                                         ExprEngine &Eng,
171                                         bool WasInlined) {
172   CheckStmtContext C(isPreVisit, getCachedStmtCheckersFor(S, isPreVisit),
173                      S, Eng, WasInlined);
174   expandGraphWithCheckers(C, Dst, Src);
175 }
176 
177 namespace {
178   struct CheckObjCMessageContext {
179     typedef std::vector<CheckerManager::CheckObjCMessageFunc> CheckersTy;
180     bool IsPreVisit, WasInlined;
181     const CheckersTy &Checkers;
182     const ObjCMethodCall &Msg;
183     ExprEngine &Eng;
184 
checkers_begin__anon5e8ab1010211::CheckObjCMessageContext185     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon5e8ab1010211::CheckObjCMessageContext186     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
187 
CheckObjCMessageContext__anon5e8ab1010211::CheckObjCMessageContext188     CheckObjCMessageContext(bool isPreVisit, const CheckersTy &checkers,
189                             const ObjCMethodCall &msg, ExprEngine &eng,
190                             bool wasInlined)
191       : IsPreVisit(isPreVisit), WasInlined(wasInlined), Checkers(checkers),
192         Msg(msg), Eng(eng) { }
193 
runChecker__anon5e8ab1010211::CheckObjCMessageContext194     void runChecker(CheckerManager::CheckObjCMessageFunc checkFn,
195                     NodeBuilder &Bldr, ExplodedNode *Pred) {
196       const ProgramPoint &L = Msg.getProgramPoint(IsPreVisit,checkFn.Checker);
197       CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
198 
199       checkFn(*Msg.cloneWithState<ObjCMethodCall>(Pred->getState()), C);
200     }
201   };
202 }
203 
204 /// \brief Run checkers for visiting obj-c messages.
runCheckersForObjCMessage(bool isPreVisit,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const ObjCMethodCall & msg,ExprEngine & Eng,bool WasInlined)205 void CheckerManager::runCheckersForObjCMessage(bool isPreVisit,
206                                                ExplodedNodeSet &Dst,
207                                                const ExplodedNodeSet &Src,
208                                                const ObjCMethodCall &msg,
209                                                ExprEngine &Eng,
210                                                bool WasInlined) {
211   CheckObjCMessageContext C(isPreVisit,
212                             isPreVisit ? PreObjCMessageCheckers
213                                        : PostObjCMessageCheckers,
214                             msg, Eng, WasInlined);
215   expandGraphWithCheckers(C, Dst, Src);
216 }
217 
218 namespace {
219   // FIXME: This has all the same signatures as CheckObjCMessageContext.
220   // Is there a way we can merge the two?
221   struct CheckCallContext {
222     typedef std::vector<CheckerManager::CheckCallFunc> CheckersTy;
223     bool IsPreVisit, WasInlined;
224     const CheckersTy &Checkers;
225     const CallEvent &Call;
226     ExprEngine &Eng;
227 
checkers_begin__anon5e8ab1010311::CheckCallContext228     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon5e8ab1010311::CheckCallContext229     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
230 
CheckCallContext__anon5e8ab1010311::CheckCallContext231     CheckCallContext(bool isPreVisit, const CheckersTy &checkers,
232                      const CallEvent &call, ExprEngine &eng,
233                      bool wasInlined)
234     : IsPreVisit(isPreVisit), WasInlined(wasInlined), Checkers(checkers),
235       Call(call), Eng(eng) { }
236 
runChecker__anon5e8ab1010311::CheckCallContext237     void runChecker(CheckerManager::CheckCallFunc checkFn,
238                     NodeBuilder &Bldr, ExplodedNode *Pred) {
239       const ProgramPoint &L = Call.getProgramPoint(IsPreVisit,checkFn.Checker);
240       CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
241 
242       checkFn(*Call.cloneWithState(Pred->getState()), C);
243     }
244   };
245 }
246 
247 /// \brief Run checkers for visiting an abstract call event.
runCheckersForCallEvent(bool isPreVisit,ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const CallEvent & Call,ExprEngine & Eng,bool WasInlined)248 void CheckerManager::runCheckersForCallEvent(bool isPreVisit,
249                                              ExplodedNodeSet &Dst,
250                                              const ExplodedNodeSet &Src,
251                                              const CallEvent &Call,
252                                              ExprEngine &Eng,
253                                              bool WasInlined) {
254   CheckCallContext C(isPreVisit,
255                      isPreVisit ? PreCallCheckers
256                                 : PostCallCheckers,
257                      Call, Eng, WasInlined);
258   expandGraphWithCheckers(C, Dst, Src);
259 }
260 
261 namespace {
262   struct CheckLocationContext {
263     typedef std::vector<CheckerManager::CheckLocationFunc> CheckersTy;
264     const CheckersTy &Checkers;
265     SVal Loc;
266     bool IsLoad;
267     const Stmt *NodeEx; /* Will become a CFGStmt */
268     const Stmt *BoundEx;
269     ExprEngine &Eng;
270 
checkers_begin__anon5e8ab1010411::CheckLocationContext271     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon5e8ab1010411::CheckLocationContext272     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
273 
CheckLocationContext__anon5e8ab1010411::CheckLocationContext274     CheckLocationContext(const CheckersTy &checkers,
275                          SVal loc, bool isLoad, const Stmt *NodeEx,
276                          const Stmt *BoundEx,
277                          ExprEngine &eng)
278       : Checkers(checkers), Loc(loc), IsLoad(isLoad), NodeEx(NodeEx),
279         BoundEx(BoundEx), Eng(eng) {}
280 
runChecker__anon5e8ab1010411::CheckLocationContext281     void runChecker(CheckerManager::CheckLocationFunc checkFn,
282                     NodeBuilder &Bldr, ExplodedNode *Pred) {
283       ProgramPoint::Kind K =  IsLoad ? ProgramPoint::PreLoadKind :
284                                        ProgramPoint::PreStoreKind;
285       const ProgramPoint &L =
286         ProgramPoint::getProgramPoint(NodeEx, K,
287                                       Pred->getLocationContext(),
288                                       checkFn.Checker);
289       CheckerContext C(Bldr, Eng, Pred, L);
290       checkFn(Loc, IsLoad, BoundEx, C);
291     }
292   };
293 }
294 
295 /// \brief Run checkers for load/store of a location.
296 
runCheckersForLocation(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,SVal location,bool isLoad,const Stmt * NodeEx,const Stmt * BoundEx,ExprEngine & Eng)297 void CheckerManager::runCheckersForLocation(ExplodedNodeSet &Dst,
298                                             const ExplodedNodeSet &Src,
299                                             SVal location, bool isLoad,
300                                             const Stmt *NodeEx,
301                                             const Stmt *BoundEx,
302                                             ExprEngine &Eng) {
303   CheckLocationContext C(LocationCheckers, location, isLoad, NodeEx,
304                          BoundEx, Eng);
305   expandGraphWithCheckers(C, Dst, Src);
306 }
307 
308 namespace {
309   struct CheckBindContext {
310     typedef std::vector<CheckerManager::CheckBindFunc> CheckersTy;
311     const CheckersTy &Checkers;
312     SVal Loc;
313     SVal Val;
314     const Stmt *S;
315     ExprEngine &Eng;
316     const ProgramPoint &PP;
317 
checkers_begin__anon5e8ab1010511::CheckBindContext318     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon5e8ab1010511::CheckBindContext319     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
320 
CheckBindContext__anon5e8ab1010511::CheckBindContext321     CheckBindContext(const CheckersTy &checkers,
322                      SVal loc, SVal val, const Stmt *s, ExprEngine &eng,
323                      const ProgramPoint &pp)
324       : Checkers(checkers), Loc(loc), Val(val), S(s), Eng(eng), PP(pp) {}
325 
runChecker__anon5e8ab1010511::CheckBindContext326     void runChecker(CheckerManager::CheckBindFunc checkFn,
327                     NodeBuilder &Bldr, ExplodedNode *Pred) {
328       const ProgramPoint &L = PP.withTag(checkFn.Checker);
329       CheckerContext C(Bldr, Eng, Pred, L);
330 
331       checkFn(Loc, Val, S, C);
332     }
333   };
334 }
335 
336 /// \brief Run checkers for binding of a value to a location.
runCheckersForBind(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,SVal location,SVal val,const Stmt * S,ExprEngine & Eng,const ProgramPoint & PP)337 void CheckerManager::runCheckersForBind(ExplodedNodeSet &Dst,
338                                         const ExplodedNodeSet &Src,
339                                         SVal location, SVal val,
340                                         const Stmt *S, ExprEngine &Eng,
341                                         const ProgramPoint &PP) {
342   CheckBindContext C(BindCheckers, location, val, S, Eng, PP);
343   expandGraphWithCheckers(C, Dst, Src);
344 }
345 
runCheckersForEndAnalysis(ExplodedGraph & G,BugReporter & BR,ExprEngine & Eng)346 void CheckerManager::runCheckersForEndAnalysis(ExplodedGraph &G,
347                                                BugReporter &BR,
348                                                ExprEngine &Eng) {
349   for (unsigned i = 0, e = EndAnalysisCheckers.size(); i != e; ++i)
350     EndAnalysisCheckers[i](G, BR, Eng);
351 }
352 
353 /// \brief Run checkers for end of path.
354 // Note, We do not chain the checker output (like in expandGraphWithCheckers)
355 // for this callback since end of path nodes are expected to be final.
runCheckersForEndFunction(NodeBuilderContext & BC,ExplodedNodeSet & Dst,ExplodedNode * Pred,ExprEngine & Eng)356 void CheckerManager::runCheckersForEndFunction(NodeBuilderContext &BC,
357                                                ExplodedNodeSet &Dst,
358                                                ExplodedNode *Pred,
359                                                ExprEngine &Eng) {
360 
361   // We define the builder outside of the loop bacause if at least one checkers
362   // creates a sucsessor for Pred, we do not need to generate an
363   // autotransition for it.
364   NodeBuilder Bldr(Pred, Dst, BC);
365   for (unsigned i = 0, e = EndFunctionCheckers.size(); i != e; ++i) {
366     CheckEndFunctionFunc checkFn = EndFunctionCheckers[i];
367 
368     const ProgramPoint &L = BlockEntrance(BC.Block,
369                                           Pred->getLocationContext(),
370                                           checkFn.Checker);
371     CheckerContext C(Bldr, Eng, Pred, L);
372     checkFn(C);
373   }
374 }
375 
376 namespace {
377   struct CheckBranchConditionContext {
378     typedef std::vector<CheckerManager::CheckBranchConditionFunc> CheckersTy;
379     const CheckersTy &Checkers;
380     const Stmt *Condition;
381     ExprEngine &Eng;
382 
checkers_begin__anon5e8ab1010611::CheckBranchConditionContext383     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon5e8ab1010611::CheckBranchConditionContext384     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
385 
CheckBranchConditionContext__anon5e8ab1010611::CheckBranchConditionContext386     CheckBranchConditionContext(const CheckersTy &checkers,
387                                 const Stmt *Cond, ExprEngine &eng)
388       : Checkers(checkers), Condition(Cond), Eng(eng) {}
389 
runChecker__anon5e8ab1010611::CheckBranchConditionContext390     void runChecker(CheckerManager::CheckBranchConditionFunc checkFn,
391                     NodeBuilder &Bldr, ExplodedNode *Pred) {
392       ProgramPoint L = PostCondition(Condition, Pred->getLocationContext(),
393                                      checkFn.Checker);
394       CheckerContext C(Bldr, Eng, Pred, L);
395       checkFn(Condition, C);
396     }
397   };
398 }
399 
400 /// \brief Run checkers for branch condition.
runCheckersForBranchCondition(const Stmt * Condition,ExplodedNodeSet & Dst,ExplodedNode * Pred,ExprEngine & Eng)401 void CheckerManager::runCheckersForBranchCondition(const Stmt *Condition,
402                                                    ExplodedNodeSet &Dst,
403                                                    ExplodedNode *Pred,
404                                                    ExprEngine &Eng) {
405   ExplodedNodeSet Src;
406   Src.insert(Pred);
407   CheckBranchConditionContext C(BranchConditionCheckers, Condition, Eng);
408   expandGraphWithCheckers(C, Dst, Src);
409 }
410 
411 /// \brief Run checkers for live symbols.
runCheckersForLiveSymbols(ProgramStateRef state,SymbolReaper & SymReaper)412 void CheckerManager::runCheckersForLiveSymbols(ProgramStateRef state,
413                                                SymbolReaper &SymReaper) {
414   for (unsigned i = 0, e = LiveSymbolsCheckers.size(); i != e; ++i)
415     LiveSymbolsCheckers[i](state, SymReaper);
416 }
417 
418 namespace {
419   struct CheckDeadSymbolsContext {
420     typedef std::vector<CheckerManager::CheckDeadSymbolsFunc> CheckersTy;
421     const CheckersTy &Checkers;
422     SymbolReaper &SR;
423     const Stmt *S;
424     ExprEngine &Eng;
425     ProgramPoint::Kind ProgarmPointKind;
426 
checkers_begin__anon5e8ab1010711::CheckDeadSymbolsContext427     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
checkers_end__anon5e8ab1010711::CheckDeadSymbolsContext428     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
429 
CheckDeadSymbolsContext__anon5e8ab1010711::CheckDeadSymbolsContext430     CheckDeadSymbolsContext(const CheckersTy &checkers, SymbolReaper &sr,
431                             const Stmt *s, ExprEngine &eng,
432                             ProgramPoint::Kind K)
433       : Checkers(checkers), SR(sr), S(s), Eng(eng), ProgarmPointKind(K) { }
434 
runChecker__anon5e8ab1010711::CheckDeadSymbolsContext435     void runChecker(CheckerManager::CheckDeadSymbolsFunc checkFn,
436                     NodeBuilder &Bldr, ExplodedNode *Pred) {
437       const ProgramPoint &L = ProgramPoint::getProgramPoint(S, ProgarmPointKind,
438                                 Pred->getLocationContext(), checkFn.Checker);
439       CheckerContext C(Bldr, Eng, Pred, L);
440 
441       // Note, do not pass the statement to the checkers without letting them
442       // differentiate if we ran remove dead bindings before or after the
443       // statement.
444       checkFn(SR, C);
445     }
446   };
447 }
448 
449 /// \brief Run checkers for dead symbols.
runCheckersForDeadSymbols(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,SymbolReaper & SymReaper,const Stmt * S,ExprEngine & Eng,ProgramPoint::Kind K)450 void CheckerManager::runCheckersForDeadSymbols(ExplodedNodeSet &Dst,
451                                                const ExplodedNodeSet &Src,
452                                                SymbolReaper &SymReaper,
453                                                const Stmt *S,
454                                                ExprEngine &Eng,
455                                                ProgramPoint::Kind K) {
456   CheckDeadSymbolsContext C(DeadSymbolsCheckers, SymReaper, S, Eng, K);
457   expandGraphWithCheckers(C, Dst, Src);
458 }
459 
460 /// \brief True if at least one checker wants to check region changes.
wantsRegionChangeUpdate(ProgramStateRef state)461 bool CheckerManager::wantsRegionChangeUpdate(ProgramStateRef state) {
462   for (unsigned i = 0, e = RegionChangesCheckers.size(); i != e; ++i)
463     if (RegionChangesCheckers[i].WantUpdateFn(state))
464       return true;
465 
466   return false;
467 }
468 
469 /// \brief Run checkers for region changes.
470 ProgramStateRef
runCheckersForRegionChanges(ProgramStateRef state,const InvalidatedSymbols * invalidated,ArrayRef<const MemRegion * > ExplicitRegions,ArrayRef<const MemRegion * > Regions,const CallEvent * Call)471 CheckerManager::runCheckersForRegionChanges(ProgramStateRef state,
472                                     const InvalidatedSymbols *invalidated,
473                                     ArrayRef<const MemRegion *> ExplicitRegions,
474                                     ArrayRef<const MemRegion *> Regions,
475                                     const CallEvent *Call) {
476   for (unsigned i = 0, e = RegionChangesCheckers.size(); i != e; ++i) {
477     // If any checker declares the state infeasible (or if it starts that way),
478     // bail out.
479     if (!state)
480       return nullptr;
481     state = RegionChangesCheckers[i].CheckFn(state, invalidated,
482                                              ExplicitRegions, Regions, Call);
483   }
484   return state;
485 }
486 
487 /// \brief Run checkers to process symbol escape event.
488 ProgramStateRef
runCheckersForPointerEscape(ProgramStateRef State,const InvalidatedSymbols & Escaped,const CallEvent * Call,PointerEscapeKind Kind,RegionAndSymbolInvalidationTraits * ETraits)489 CheckerManager::runCheckersForPointerEscape(ProgramStateRef State,
490                                    const InvalidatedSymbols &Escaped,
491                                    const CallEvent *Call,
492                                    PointerEscapeKind Kind,
493                                    RegionAndSymbolInvalidationTraits *ETraits) {
494   assert((Call != nullptr ||
495           (Kind != PSK_DirectEscapeOnCall &&
496            Kind != PSK_IndirectEscapeOnCall)) &&
497          "Call must not be NULL when escaping on call");
498     for (unsigned i = 0, e = PointerEscapeCheckers.size(); i != e; ++i) {
499       // If any checker declares the state infeasible (or if it starts that
500       //  way), bail out.
501       if (!State)
502         return nullptr;
503       State = PointerEscapeCheckers[i](State, Escaped, Call, Kind, ETraits);
504     }
505   return State;
506 }
507 
508 /// \brief Run checkers for handling assumptions on symbolic values.
509 ProgramStateRef
runCheckersForEvalAssume(ProgramStateRef state,SVal Cond,bool Assumption)510 CheckerManager::runCheckersForEvalAssume(ProgramStateRef state,
511                                          SVal Cond, bool Assumption) {
512   for (unsigned i = 0, e = EvalAssumeCheckers.size(); i != e; ++i) {
513     // If any checker declares the state infeasible (or if it starts that way),
514     // bail out.
515     if (!state)
516       return nullptr;
517     state = EvalAssumeCheckers[i](state, Cond, Assumption);
518   }
519   return state;
520 }
521 
522 /// \brief Run checkers for evaluating a call.
523 /// Only one checker will evaluate the call.
runCheckersForEvalCall(ExplodedNodeSet & Dst,const ExplodedNodeSet & Src,const CallEvent & Call,ExprEngine & Eng)524 void CheckerManager::runCheckersForEvalCall(ExplodedNodeSet &Dst,
525                                             const ExplodedNodeSet &Src,
526                                             const CallEvent &Call,
527                                             ExprEngine &Eng) {
528   const CallExpr *CE = cast<CallExpr>(Call.getOriginExpr());
529   for (ExplodedNodeSet::iterator
530          NI = Src.begin(), NE = Src.end(); NI != NE; ++NI) {
531     ExplodedNode *Pred = *NI;
532     bool anyEvaluated = false;
533 
534     ExplodedNodeSet checkDst;
535     NodeBuilder B(Pred, checkDst, Eng.getBuilderContext());
536 
537     // Check if any of the EvalCall callbacks can evaluate the call.
538     for (std::vector<EvalCallFunc>::iterator
539            EI = EvalCallCheckers.begin(), EE = EvalCallCheckers.end();
540          EI != EE; ++EI) {
541       ProgramPoint::Kind K = ProgramPoint::PostStmtKind;
542       const ProgramPoint &L = ProgramPoint::getProgramPoint(CE, K,
543                                 Pred->getLocationContext(), EI->Checker);
544       bool evaluated = false;
545       { // CheckerContext generates transitions(populates checkDest) on
546         // destruction, so introduce the scope to make sure it gets properly
547         // populated.
548         CheckerContext C(B, Eng, Pred, L);
549         evaluated = (*EI)(CE, C);
550       }
551       assert(!(evaluated && anyEvaluated)
552              && "There are more than one checkers evaluating the call");
553       if (evaluated) {
554         anyEvaluated = true;
555         Dst.insert(checkDst);
556 #ifdef NDEBUG
557         break; // on release don't check that no other checker also evals.
558 #endif
559       }
560     }
561 
562     // If none of the checkers evaluated the call, ask ExprEngine to handle it.
563     if (!anyEvaluated) {
564       NodeBuilder B(Pred, Dst, Eng.getBuilderContext());
565       Eng.defaultEvalCall(B, Pred, Call);
566     }
567   }
568 }
569 
570 /// \brief Run checkers for the entire Translation Unit.
runCheckersOnEndOfTranslationUnit(const TranslationUnitDecl * TU,AnalysisManager & mgr,BugReporter & BR)571 void CheckerManager::runCheckersOnEndOfTranslationUnit(
572                                                   const TranslationUnitDecl *TU,
573                                                   AnalysisManager &mgr,
574                                                   BugReporter &BR) {
575   for (unsigned i = 0, e = EndOfTranslationUnitCheckers.size(); i != e; ++i)
576     EndOfTranslationUnitCheckers[i](TU, mgr, BR);
577 }
578 
runCheckersForPrintState(raw_ostream & Out,ProgramStateRef State,const char * NL,const char * Sep)579 void CheckerManager::runCheckersForPrintState(raw_ostream &Out,
580                                               ProgramStateRef State,
581                                               const char *NL, const char *Sep) {
582   for (llvm::DenseMap<CheckerTag, CheckerRef>::iterator
583         I = CheckerTags.begin(), E = CheckerTags.end(); I != E; ++I)
584     I->second->printState(Out, State, NL, Sep);
585 }
586 
587 //===----------------------------------------------------------------------===//
588 // Internal registration functions for AST traversing.
589 //===----------------------------------------------------------------------===//
590 
_registerForDecl(CheckDeclFunc checkfn,HandlesDeclFunc isForDeclFn)591 void CheckerManager::_registerForDecl(CheckDeclFunc checkfn,
592                                       HandlesDeclFunc isForDeclFn) {
593   DeclCheckerInfo info = { checkfn, isForDeclFn };
594   DeclCheckers.push_back(info);
595 }
596 
_registerForBody(CheckDeclFunc checkfn)597 void CheckerManager::_registerForBody(CheckDeclFunc checkfn) {
598   BodyCheckers.push_back(checkfn);
599 }
600 
601 //===----------------------------------------------------------------------===//
602 // Internal registration functions for path-sensitive checking.
603 //===----------------------------------------------------------------------===//
604 
_registerForPreStmt(CheckStmtFunc checkfn,HandlesStmtFunc isForStmtFn)605 void CheckerManager::_registerForPreStmt(CheckStmtFunc checkfn,
606                                          HandlesStmtFunc isForStmtFn) {
607   StmtCheckerInfo info = { checkfn, isForStmtFn, /*IsPreVisit*/true };
608   StmtCheckers.push_back(info);
609 }
_registerForPostStmt(CheckStmtFunc checkfn,HandlesStmtFunc isForStmtFn)610 void CheckerManager::_registerForPostStmt(CheckStmtFunc checkfn,
611                                           HandlesStmtFunc isForStmtFn) {
612   StmtCheckerInfo info = { checkfn, isForStmtFn, /*IsPreVisit*/false };
613   StmtCheckers.push_back(info);
614 }
615 
_registerForPreObjCMessage(CheckObjCMessageFunc checkfn)616 void CheckerManager::_registerForPreObjCMessage(CheckObjCMessageFunc checkfn) {
617   PreObjCMessageCheckers.push_back(checkfn);
618 }
_registerForPostObjCMessage(CheckObjCMessageFunc checkfn)619 void CheckerManager::_registerForPostObjCMessage(CheckObjCMessageFunc checkfn) {
620   PostObjCMessageCheckers.push_back(checkfn);
621 }
622 
_registerForPreCall(CheckCallFunc checkfn)623 void CheckerManager::_registerForPreCall(CheckCallFunc checkfn) {
624   PreCallCheckers.push_back(checkfn);
625 }
_registerForPostCall(CheckCallFunc checkfn)626 void CheckerManager::_registerForPostCall(CheckCallFunc checkfn) {
627   PostCallCheckers.push_back(checkfn);
628 }
629 
_registerForLocation(CheckLocationFunc checkfn)630 void CheckerManager::_registerForLocation(CheckLocationFunc checkfn) {
631   LocationCheckers.push_back(checkfn);
632 }
633 
_registerForBind(CheckBindFunc checkfn)634 void CheckerManager::_registerForBind(CheckBindFunc checkfn) {
635   BindCheckers.push_back(checkfn);
636 }
637 
_registerForEndAnalysis(CheckEndAnalysisFunc checkfn)638 void CheckerManager::_registerForEndAnalysis(CheckEndAnalysisFunc checkfn) {
639   EndAnalysisCheckers.push_back(checkfn);
640 }
641 
_registerForEndFunction(CheckEndFunctionFunc checkfn)642 void CheckerManager::_registerForEndFunction(CheckEndFunctionFunc checkfn) {
643   EndFunctionCheckers.push_back(checkfn);
644 }
645 
_registerForBranchCondition(CheckBranchConditionFunc checkfn)646 void CheckerManager::_registerForBranchCondition(
647                                              CheckBranchConditionFunc checkfn) {
648   BranchConditionCheckers.push_back(checkfn);
649 }
650 
_registerForLiveSymbols(CheckLiveSymbolsFunc checkfn)651 void CheckerManager::_registerForLiveSymbols(CheckLiveSymbolsFunc checkfn) {
652   LiveSymbolsCheckers.push_back(checkfn);
653 }
654 
_registerForDeadSymbols(CheckDeadSymbolsFunc checkfn)655 void CheckerManager::_registerForDeadSymbols(CheckDeadSymbolsFunc checkfn) {
656   DeadSymbolsCheckers.push_back(checkfn);
657 }
658 
_registerForRegionChanges(CheckRegionChangesFunc checkfn,WantsRegionChangeUpdateFunc wantUpdateFn)659 void CheckerManager::_registerForRegionChanges(CheckRegionChangesFunc checkfn,
660                                      WantsRegionChangeUpdateFunc wantUpdateFn) {
661   RegionChangesCheckerInfo info = {checkfn, wantUpdateFn};
662   RegionChangesCheckers.push_back(info);
663 }
664 
_registerForPointerEscape(CheckPointerEscapeFunc checkfn)665 void CheckerManager::_registerForPointerEscape(CheckPointerEscapeFunc checkfn){
666   PointerEscapeCheckers.push_back(checkfn);
667 }
668 
_registerForConstPointerEscape(CheckPointerEscapeFunc checkfn)669 void CheckerManager::_registerForConstPointerEscape(
670                                           CheckPointerEscapeFunc checkfn) {
671   PointerEscapeCheckers.push_back(checkfn);
672 }
673 
_registerForEvalAssume(EvalAssumeFunc checkfn)674 void CheckerManager::_registerForEvalAssume(EvalAssumeFunc checkfn) {
675   EvalAssumeCheckers.push_back(checkfn);
676 }
677 
_registerForEvalCall(EvalCallFunc checkfn)678 void CheckerManager::_registerForEvalCall(EvalCallFunc checkfn) {
679   EvalCallCheckers.push_back(checkfn);
680 }
681 
_registerForEndOfTranslationUnit(CheckEndOfTranslationUnit checkfn)682 void CheckerManager::_registerForEndOfTranslationUnit(
683                                             CheckEndOfTranslationUnit checkfn) {
684   EndOfTranslationUnitCheckers.push_back(checkfn);
685 }
686 
687 //===----------------------------------------------------------------------===//
688 // Implementation details.
689 //===----------------------------------------------------------------------===//
690 
691 const CheckerManager::CachedStmtCheckers &
getCachedStmtCheckersFor(const Stmt * S,bool isPreVisit)692 CheckerManager::getCachedStmtCheckersFor(const Stmt *S, bool isPreVisit) {
693   assert(S);
694 
695   unsigned Key = (S->getStmtClass() << 1) | unsigned(isPreVisit);
696   CachedStmtCheckersMapTy::iterator CCI = CachedStmtCheckersMap.find(Key);
697   if (CCI != CachedStmtCheckersMap.end())
698     return CCI->second;
699 
700   // Find the checkers that should run for this Stmt and cache them.
701   CachedStmtCheckers &Checkers = CachedStmtCheckersMap[Key];
702   for (unsigned i = 0, e = StmtCheckers.size(); i != e; ++i) {
703     StmtCheckerInfo &Info = StmtCheckers[i];
704     if (Info.IsPreVisit == isPreVisit && Info.IsForStmtFn(S))
705       Checkers.push_back(Info.CheckFn);
706   }
707   return Checkers;
708 }
709 
~CheckerManager()710 CheckerManager::~CheckerManager() {
711   for (unsigned i = 0, e = CheckerDtors.size(); i != e; ++i)
712     CheckerDtors[i]();
713 }
714