1 //== BodyFarm.cpp  - Factory for conjuring up fake bodies ----------*- C++ -*-//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // BodyFarm is a factory for creating faux implementations for functions/methods
11 // for analysis purposes.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "BodyFarm.h"
16 #include "clang/AST/ASTContext.h"
17 #include "clang/AST/Decl.h"
18 #include "clang/AST/Expr.h"
19 #include "clang/AST/ExprObjC.h"
20 #include "clang/Analysis/CodeInjector.h"
21 #include "llvm/ADT/StringSwitch.h"
22 
23 using namespace clang;
24 
25 //===----------------------------------------------------------------------===//
26 // Helper creation functions for constructing faux ASTs.
27 //===----------------------------------------------------------------------===//
28 
isDispatchBlock(QualType Ty)29 static bool isDispatchBlock(QualType Ty) {
30   // Is it a block pointer?
31   const BlockPointerType *BPT = Ty->getAs<BlockPointerType>();
32   if (!BPT)
33     return false;
34 
35   // Check if the block pointer type takes no arguments and
36   // returns void.
37   const FunctionProtoType *FT =
38   BPT->getPointeeType()->getAs<FunctionProtoType>();
39   return FT && FT->getReturnType()->isVoidType() && FT->getNumParams() == 0;
40 }
41 
42 namespace {
43 class ASTMaker {
44 public:
ASTMaker(ASTContext & C)45   ASTMaker(ASTContext &C) : C(C) {}
46 
47   /// Create a new BinaryOperator representing a simple assignment.
48   BinaryOperator *makeAssignment(const Expr *LHS, const Expr *RHS, QualType Ty);
49 
50   /// Create a new BinaryOperator representing a comparison.
51   BinaryOperator *makeComparison(const Expr *LHS, const Expr *RHS,
52                                  BinaryOperator::Opcode Op);
53 
54   /// Create a new compound stmt using the provided statements.
55   CompoundStmt *makeCompound(ArrayRef<Stmt*>);
56 
57   /// Create a new DeclRefExpr for the referenced variable.
58   DeclRefExpr *makeDeclRefExpr(const VarDecl *D);
59 
60   /// Create a new UnaryOperator representing a dereference.
61   UnaryOperator *makeDereference(const Expr *Arg, QualType Ty);
62 
63   /// Create an implicit cast for an integer conversion.
64   Expr *makeIntegralCast(const Expr *Arg, QualType Ty);
65 
66   /// Create an implicit cast to a builtin boolean type.
67   ImplicitCastExpr *makeIntegralCastToBoolean(const Expr *Arg);
68 
69   // Create an implicit cast for lvalue-to-rvaluate conversions.
70   ImplicitCastExpr *makeLvalueToRvalue(const Expr *Arg, QualType Ty);
71 
72   /// Create an Objective-C bool literal.
73   ObjCBoolLiteralExpr *makeObjCBool(bool Val);
74 
75   /// Create an Objective-C ivar reference.
76   ObjCIvarRefExpr *makeObjCIvarRef(const Expr *Base, const ObjCIvarDecl *IVar);
77 
78   /// Create a Return statement.
79   ReturnStmt *makeReturn(const Expr *RetVal);
80 
81 private:
82   ASTContext &C;
83 };
84 }
85 
makeAssignment(const Expr * LHS,const Expr * RHS,QualType Ty)86 BinaryOperator *ASTMaker::makeAssignment(const Expr *LHS, const Expr *RHS,
87                                          QualType Ty) {
88  return new (C) BinaryOperator(const_cast<Expr*>(LHS), const_cast<Expr*>(RHS),
89                                BO_Assign, Ty, VK_RValue,
90                                OK_Ordinary, SourceLocation(), false);
91 }
92 
makeComparison(const Expr * LHS,const Expr * RHS,BinaryOperator::Opcode Op)93 BinaryOperator *ASTMaker::makeComparison(const Expr *LHS, const Expr *RHS,
94                                          BinaryOperator::Opcode Op) {
95   assert(BinaryOperator::isLogicalOp(Op) ||
96          BinaryOperator::isComparisonOp(Op));
97   return new (C) BinaryOperator(const_cast<Expr*>(LHS),
98                                 const_cast<Expr*>(RHS),
99                                 Op,
100                                 C.getLogicalOperationType(),
101                                 VK_RValue,
102                                 OK_Ordinary, SourceLocation(), false);
103 }
104 
makeCompound(ArrayRef<Stmt * > Stmts)105 CompoundStmt *ASTMaker::makeCompound(ArrayRef<Stmt *> Stmts) {
106   return new (C) CompoundStmt(C, Stmts, SourceLocation(), SourceLocation());
107 }
108 
makeDeclRefExpr(const VarDecl * D)109 DeclRefExpr *ASTMaker::makeDeclRefExpr(const VarDecl *D) {
110   DeclRefExpr *DR =
111     DeclRefExpr::Create(/* Ctx = */ C,
112                         /* QualifierLoc = */ NestedNameSpecifierLoc(),
113                         /* TemplateKWLoc = */ SourceLocation(),
114                         /* D = */ const_cast<VarDecl*>(D),
115                         /* RefersToEnclosingVariableOrCapture = */ false,
116                         /* NameLoc = */ SourceLocation(),
117                         /* T = */ D->getType(),
118                         /* VK = */ VK_LValue);
119   return DR;
120 }
121 
makeDereference(const Expr * Arg,QualType Ty)122 UnaryOperator *ASTMaker::makeDereference(const Expr *Arg, QualType Ty) {
123   return new (C) UnaryOperator(const_cast<Expr*>(Arg), UO_Deref, Ty,
124                                VK_LValue, OK_Ordinary, SourceLocation());
125 }
126 
makeLvalueToRvalue(const Expr * Arg,QualType Ty)127 ImplicitCastExpr *ASTMaker::makeLvalueToRvalue(const Expr *Arg, QualType Ty) {
128   return ImplicitCastExpr::Create(C, Ty, CK_LValueToRValue,
129                                   const_cast<Expr*>(Arg), nullptr, VK_RValue);
130 }
131 
makeIntegralCast(const Expr * Arg,QualType Ty)132 Expr *ASTMaker::makeIntegralCast(const Expr *Arg, QualType Ty) {
133   if (Arg->getType() == Ty)
134     return const_cast<Expr*>(Arg);
135 
136   return ImplicitCastExpr::Create(C, Ty, CK_IntegralCast,
137                                   const_cast<Expr*>(Arg), nullptr, VK_RValue);
138 }
139 
makeIntegralCastToBoolean(const Expr * Arg)140 ImplicitCastExpr *ASTMaker::makeIntegralCastToBoolean(const Expr *Arg) {
141   return ImplicitCastExpr::Create(C, C.BoolTy, CK_IntegralToBoolean,
142                                   const_cast<Expr*>(Arg), nullptr, VK_RValue);
143 }
144 
makeObjCBool(bool Val)145 ObjCBoolLiteralExpr *ASTMaker::makeObjCBool(bool Val) {
146   QualType Ty = C.getBOOLDecl() ? C.getBOOLType() : C.ObjCBuiltinBoolTy;
147   return new (C) ObjCBoolLiteralExpr(Val, Ty, SourceLocation());
148 }
149 
makeObjCIvarRef(const Expr * Base,const ObjCIvarDecl * IVar)150 ObjCIvarRefExpr *ASTMaker::makeObjCIvarRef(const Expr *Base,
151                                            const ObjCIvarDecl *IVar) {
152   return new (C) ObjCIvarRefExpr(const_cast<ObjCIvarDecl*>(IVar),
153                                  IVar->getType(), SourceLocation(),
154                                  SourceLocation(), const_cast<Expr*>(Base),
155                                  /*arrow=*/true, /*free=*/false);
156 }
157 
158 
makeReturn(const Expr * RetVal)159 ReturnStmt *ASTMaker::makeReturn(const Expr *RetVal) {
160   return new (C) ReturnStmt(SourceLocation(), const_cast<Expr*>(RetVal),
161                             nullptr);
162 }
163 
164 //===----------------------------------------------------------------------===//
165 // Creation functions for faux ASTs.
166 //===----------------------------------------------------------------------===//
167 
168 typedef Stmt *(*FunctionFarmer)(ASTContext &C, const FunctionDecl *D);
169 
170 /// Create a fake body for dispatch_once.
create_dispatch_once(ASTContext & C,const FunctionDecl * D)171 static Stmt *create_dispatch_once(ASTContext &C, const FunctionDecl *D) {
172   // Check if we have at least two parameters.
173   if (D->param_size() != 2)
174     return nullptr;
175 
176   // Check if the first parameter is a pointer to integer type.
177   const ParmVarDecl *Predicate = D->getParamDecl(0);
178   QualType PredicateQPtrTy = Predicate->getType();
179   const PointerType *PredicatePtrTy = PredicateQPtrTy->getAs<PointerType>();
180   if (!PredicatePtrTy)
181     return nullptr;
182   QualType PredicateTy = PredicatePtrTy->getPointeeType();
183   if (!PredicateTy->isIntegerType())
184     return nullptr;
185 
186   // Check if the second parameter is the proper block type.
187   const ParmVarDecl *Block = D->getParamDecl(1);
188   QualType Ty = Block->getType();
189   if (!isDispatchBlock(Ty))
190     return nullptr;
191 
192   // Everything checks out.  Create a fakse body that checks the predicate,
193   // sets it, and calls the block.  Basically, an AST dump of:
194   //
195   // void dispatch_once(dispatch_once_t *predicate, dispatch_block_t block) {
196   //  if (!*predicate) {
197   //    *predicate = 1;
198   //    block();
199   //  }
200   // }
201 
202   ASTMaker M(C);
203 
204   // (1) Create the call.
205   DeclRefExpr *DR = M.makeDeclRefExpr(Block);
206   ImplicitCastExpr *ICE = M.makeLvalueToRvalue(DR, Ty);
207   CallExpr *CE = new (C) CallExpr(C, ICE, None, C.VoidTy, VK_RValue,
208                                   SourceLocation());
209 
210   // (2) Create the assignment to the predicate.
211   IntegerLiteral *IL =
212     IntegerLiteral::Create(C, llvm::APInt(C.getTypeSize(C.IntTy), (uint64_t) 1),
213                            C.IntTy, SourceLocation());
214   BinaryOperator *B =
215     M.makeAssignment(
216        M.makeDereference(
217           M.makeLvalueToRvalue(
218             M.makeDeclRefExpr(Predicate), PredicateQPtrTy),
219             PredicateTy),
220        M.makeIntegralCast(IL, PredicateTy),
221        PredicateTy);
222 
223   // (3) Create the compound statement.
224   Stmt *Stmts[] = { B, CE };
225   CompoundStmt *CS = M.makeCompound(Stmts);
226 
227   // (4) Create the 'if' condition.
228   ImplicitCastExpr *LValToRval =
229     M.makeLvalueToRvalue(
230       M.makeDereference(
231         M.makeLvalueToRvalue(
232           M.makeDeclRefExpr(Predicate),
233           PredicateQPtrTy),
234         PredicateTy),
235     PredicateTy);
236 
237   UnaryOperator *UO = new (C) UnaryOperator(LValToRval, UO_LNot, C.IntTy,
238                                            VK_RValue, OK_Ordinary,
239                                            SourceLocation());
240 
241   // (5) Create the 'if' statement.
242   IfStmt *If = new (C) IfStmt(C, SourceLocation(), nullptr, UO, CS);
243   return If;
244 }
245 
246 /// Create a fake body for dispatch_sync.
create_dispatch_sync(ASTContext & C,const FunctionDecl * D)247 static Stmt *create_dispatch_sync(ASTContext &C, const FunctionDecl *D) {
248   // Check if we have at least two parameters.
249   if (D->param_size() != 2)
250     return nullptr;
251 
252   // Check if the second parameter is a block.
253   const ParmVarDecl *PV = D->getParamDecl(1);
254   QualType Ty = PV->getType();
255   if (!isDispatchBlock(Ty))
256     return nullptr;
257 
258   // Everything checks out.  Create a fake body that just calls the block.
259   // This is basically just an AST dump of:
260   //
261   // void dispatch_sync(dispatch_queue_t queue, void (^block)(void)) {
262   //   block();
263   // }
264   //
265   ASTMaker M(C);
266   DeclRefExpr *DR = M.makeDeclRefExpr(PV);
267   ImplicitCastExpr *ICE = M.makeLvalueToRvalue(DR, Ty);
268   CallExpr *CE = new (C) CallExpr(C, ICE, None, C.VoidTy, VK_RValue,
269                                   SourceLocation());
270   return CE;
271 }
272 
create_OSAtomicCompareAndSwap(ASTContext & C,const FunctionDecl * D)273 static Stmt *create_OSAtomicCompareAndSwap(ASTContext &C, const FunctionDecl *D)
274 {
275   // There are exactly 3 arguments.
276   if (D->param_size() != 3)
277     return nullptr;
278 
279   // Signature:
280   // _Bool OSAtomicCompareAndSwapPtr(void *__oldValue,
281   //                                 void *__newValue,
282   //                                 void * volatile *__theValue)
283   // Generate body:
284   //   if (oldValue == *theValue) {
285   //    *theValue = newValue;
286   //    return YES;
287   //   }
288   //   else return NO;
289 
290   QualType ResultTy = D->getReturnType();
291   bool isBoolean = ResultTy->isBooleanType();
292   if (!isBoolean && !ResultTy->isIntegralType(C))
293     return nullptr;
294 
295   const ParmVarDecl *OldValue = D->getParamDecl(0);
296   QualType OldValueTy = OldValue->getType();
297 
298   const ParmVarDecl *NewValue = D->getParamDecl(1);
299   QualType NewValueTy = NewValue->getType();
300 
301   assert(OldValueTy == NewValueTy);
302 
303   const ParmVarDecl *TheValue = D->getParamDecl(2);
304   QualType TheValueTy = TheValue->getType();
305   const PointerType *PT = TheValueTy->getAs<PointerType>();
306   if (!PT)
307     return nullptr;
308   QualType PointeeTy = PT->getPointeeType();
309 
310   ASTMaker M(C);
311   // Construct the comparison.
312   Expr *Comparison =
313     M.makeComparison(
314       M.makeLvalueToRvalue(M.makeDeclRefExpr(OldValue), OldValueTy),
315       M.makeLvalueToRvalue(
316         M.makeDereference(
317           M.makeLvalueToRvalue(M.makeDeclRefExpr(TheValue), TheValueTy),
318           PointeeTy),
319         PointeeTy),
320       BO_EQ);
321 
322   // Construct the body of the IfStmt.
323   Stmt *Stmts[2];
324   Stmts[0] =
325     M.makeAssignment(
326       M.makeDereference(
327         M.makeLvalueToRvalue(M.makeDeclRefExpr(TheValue), TheValueTy),
328         PointeeTy),
329       M.makeLvalueToRvalue(M.makeDeclRefExpr(NewValue), NewValueTy),
330       NewValueTy);
331 
332   Expr *BoolVal = M.makeObjCBool(true);
333   Expr *RetVal = isBoolean ? M.makeIntegralCastToBoolean(BoolVal)
334                            : M.makeIntegralCast(BoolVal, ResultTy);
335   Stmts[1] = M.makeReturn(RetVal);
336   CompoundStmt *Body = M.makeCompound(Stmts);
337 
338   // Construct the else clause.
339   BoolVal = M.makeObjCBool(false);
340   RetVal = isBoolean ? M.makeIntegralCastToBoolean(BoolVal)
341                      : M.makeIntegralCast(BoolVal, ResultTy);
342   Stmt *Else = M.makeReturn(RetVal);
343 
344   /// Construct the If.
345   Stmt *If =
346     new (C) IfStmt(C, SourceLocation(), nullptr, Comparison, Body,
347                    SourceLocation(), Else);
348 
349   return If;
350 }
351 
getBody(const FunctionDecl * D)352 Stmt *BodyFarm::getBody(const FunctionDecl *D) {
353   D = D->getCanonicalDecl();
354 
355   Optional<Stmt *> &Val = Bodies[D];
356   if (Val.hasValue())
357     return Val.getValue();
358 
359   Val = nullptr;
360 
361   if (D->getIdentifier() == nullptr)
362     return nullptr;
363 
364   StringRef Name = D->getName();
365   if (Name.empty())
366     return nullptr;
367 
368   FunctionFarmer FF;
369 
370   if (Name.startswith("OSAtomicCompareAndSwap") ||
371       Name.startswith("objc_atomicCompareAndSwap")) {
372     FF = create_OSAtomicCompareAndSwap;
373   }
374   else {
375     FF = llvm::StringSwitch<FunctionFarmer>(Name)
376           .Case("dispatch_sync", create_dispatch_sync)
377           .Case("dispatch_once", create_dispatch_once)
378           .Default(nullptr);
379   }
380 
381   if (FF) { Val = FF(C, D); }
382   else if (Injector) { Val = Injector->getBody(D); }
383   return Val.getValue();
384 }
385 
createObjCPropertyGetter(ASTContext & Ctx,const ObjCPropertyDecl * Prop)386 static Stmt *createObjCPropertyGetter(ASTContext &Ctx,
387                                       const ObjCPropertyDecl *Prop) {
388   // First, find the backing ivar.
389   const ObjCIvarDecl *IVar = Prop->getPropertyIvarDecl();
390   if (!IVar)
391     return nullptr;
392 
393   // Ignore weak variables, which have special behavior.
394   if (Prop->getPropertyAttributes() & ObjCPropertyDecl::OBJC_PR_weak)
395     return nullptr;
396 
397   // Look to see if Sema has synthesized a body for us. This happens in
398   // Objective-C++ because the return value may be a C++ class type with a
399   // non-trivial copy constructor. We can only do this if we can find the
400   // @synthesize for this property, though (or if we know it's been auto-
401   // synthesized).
402   const ObjCImplementationDecl *ImplDecl =
403     IVar->getContainingInterface()->getImplementation();
404   if (ImplDecl) {
405     for (const auto *I : ImplDecl->property_impls()) {
406       if (I->getPropertyDecl() != Prop)
407         continue;
408 
409       if (I->getGetterCXXConstructor()) {
410         ASTMaker M(Ctx);
411         return M.makeReturn(I->getGetterCXXConstructor());
412       }
413     }
414   }
415 
416   // Sanity check that the property is the same type as the ivar, or a
417   // reference to it, and that it is either an object pointer or trivially
418   // copyable.
419   if (!Ctx.hasSameUnqualifiedType(IVar->getType(),
420                                   Prop->getType().getNonReferenceType()))
421     return nullptr;
422   if (!IVar->getType()->isObjCLifetimeType() &&
423       !IVar->getType().isTriviallyCopyableType(Ctx))
424     return nullptr;
425 
426   // Generate our body:
427   //   return self->_ivar;
428   ASTMaker M(Ctx);
429 
430   const VarDecl *selfVar = Prop->getGetterMethodDecl()->getSelfDecl();
431 
432   Expr *loadedIVar =
433     M.makeObjCIvarRef(
434       M.makeLvalueToRvalue(
435         M.makeDeclRefExpr(selfVar),
436         selfVar->getType()),
437       IVar);
438 
439   if (!Prop->getType()->isReferenceType())
440     loadedIVar = M.makeLvalueToRvalue(loadedIVar, IVar->getType());
441 
442   return M.makeReturn(loadedIVar);
443 }
444 
getBody(const ObjCMethodDecl * D)445 Stmt *BodyFarm::getBody(const ObjCMethodDecl *D) {
446   // We currently only know how to synthesize property accessors.
447   if (!D->isPropertyAccessor())
448     return nullptr;
449 
450   D = D->getCanonicalDecl();
451 
452   Optional<Stmt *> &Val = Bodies[D];
453   if (Val.hasValue())
454     return Val.getValue();
455   Val = nullptr;
456 
457   const ObjCPropertyDecl *Prop = D->findPropertyDecl();
458   if (!Prop)
459     return nullptr;
460 
461   // For now, we only synthesize getters.
462   if (D->param_size() != 0)
463     return nullptr;
464 
465   Val = createObjCPropertyGetter(C, Prop);
466 
467   return Val.getValue();
468 }
469 
470