Home | History | Annotate | Download | only in Checkers 
      1 //= CheckerDocumentation.cpp - Documentation checker ---------------*- C++ -*-//
      2 //
      3 //                     The LLVM Compiler Infrastructure
      4 //
      5 // This file is distributed under the University of Illinois Open Source
      6 // License. See LICENSE.TXT for details.
      7 //
      8 //===----------------------------------------------------------------------===//
      9 //
     10 // This checker lists all the checker callbacks and provides documentation for
     11 // checker writers.
     12 //
     13 //===----------------------------------------------------------------------===//
     14 
     15 #include "ClangSACheckers.h"
     16 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
     17 #include "clang/StaticAnalyzer/Core/Checker.h"
     18 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
     19 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
     20 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
     21 
     22 using namespace clang;
     23 using namespace ento;
     24 
     25 // All checkers should be placed into anonymous namespace.
     26 // We place the CheckerDocumentation inside ento namespace to make the
     27 // it visible in doxygen.
     28 namespace clang {
     29 namespace ento {
     30 
     31 /// This checker documents the callback functions checkers can use to implement
     32 /// the custom handling of the specific events during path exploration as well
     33 /// as reporting bugs. Most of the callbacks are targeted at path-sensitive
     34 /// checking.
     35 ///
     36 /// \sa CheckerContext
     37 class CheckerDocumentation : public Checker< check::PreStmt<ReturnStmt>,
     38                                        check::PostStmt<DeclStmt>,
     39                                        check::PreObjCMessage,
     40                                        check::PostObjCMessage,
     41                                        check::PreCall,
     42                                        check::PostCall,
     43                                        check::BranchCondition,
     44                                        check::Location,
     45                                        check::Bind,
     46                                        check::DeadSymbols,
     47                                        check::EndFunction,
     48                                        check::EndAnalysis,
     49                                        check::EndOfTranslationUnit,
     50                                        eval::Call,
     51                                        eval::Assume,
     52                                        check::LiveSymbols,
     53                                        check::RegionChanges,
     54                                        check::PointerEscape,
     55                                        check::Event<ImplicitNullDerefEvent>,
     56                                        check::ASTDecl<FunctionDecl> > {
     57 public:
     58 
     59   /// \brief Pre-visit the Statement.
     60   ///
     61   /// The method will be called before the analyzer core processes the
     62   /// statement. The notification is performed for every explored CFGElement,
     63   /// which does not include the control flow statements such as IfStmt. The
     64   /// callback can be specialized to be called with any subclass of Stmt.
     65   ///
     66   /// See checkBranchCondition() callback for performing custom processing of
     67   /// the branching statements.
     68   ///
     69   /// check::PreStmt<ReturnStmt>
     70   void checkPreStmt(const ReturnStmt *DS, CheckerContext &C) const {}
     71 
     72   /// \brief Post-visit the Statement.
     73   ///
     74   /// The method will be called after the analyzer core processes the
     75   /// statement. The notification is performed for every explored CFGElement,
     76   /// which does not include the control flow statements such as IfStmt. The
     77   /// callback can be specialized to be called with any subclass of Stmt.
     78   ///
     79   /// check::PostStmt<DeclStmt>
     80   void checkPostStmt(const DeclStmt *DS, CheckerContext &C) const;
     81 
     82   /// \brief Pre-visit the Objective C message.
     83   ///
     84   /// This will be called before the analyzer core processes the method call.
     85   /// This is called for any action which produces an Objective-C message send,
     86   /// including explicit message syntax and property access.
     87   ///
     88   /// check::PreObjCMessage
     89   void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const {}
     90 
     91   /// \brief Post-visit the Objective C message.
     92   /// \sa checkPreObjCMessage()
     93   ///
     94   /// check::PostObjCMessage
     95   void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const {}
     96 
     97   /// \brief Pre-visit an abstract "call" event.
     98   ///
     99   /// This is used for checkers that want to check arguments or attributed
    100   /// behavior for functions and methods no matter how they are being invoked.
    101   ///
    102   /// Note that this includes ALL cross-body invocations, so if you want to
    103   /// limit your checks to, say, function calls, you should test for that at the
    104   /// beginning of your callback function.
    105   ///
    106   /// check::PreCall
    107   void checkPreCall(const CallEvent &Call, CheckerContext &C) const {}
    108 
    109   /// \brief Post-visit an abstract "call" event.
    110   /// \sa checkPreObjCMessage()
    111   ///
    112   /// check::PostCall
    113   void checkPostCall(const CallEvent &Call, CheckerContext &C) const {}
    114 
    115   /// \brief Pre-visit of the condition statement of a branch (such as IfStmt).
    116   void checkBranchCondition(const Stmt *Condition, CheckerContext &Ctx) const {}
    117 
    118   /// \brief Called on a load from and a store to a location.
    119   ///
    120   /// The method will be called each time a location (pointer) value is
    121   /// accessed.
    122   /// \param Loc    The value of the location (pointer).
    123   /// \param IsLoad The flag specifying if the location is a store or a load.
    124   /// \param S      The load is performed while processing the statement.
    125   ///
    126   /// check::Location
    127   void checkLocation(SVal Loc, bool IsLoad, const Stmt *S,
    128                      CheckerContext &) const {}
    129 
    130   /// \brief Called on binding of a value to a location.
    131   ///
    132   /// \param Loc The value of the location (pointer).
    133   /// \param Val The value which will be stored at the location Loc.
    134   /// \param S   The bind is performed while processing the statement S.
    135   ///
    136   /// check::Bind
    137   void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &) const {}
    138 
    139 
    140   /// \brief Called whenever a symbol becomes dead.
    141   ///
    142   /// This callback should be used by the checkers to aggressively clean
    143   /// up/reduce the checker state, which is important for reducing the overall
    144   /// memory usage. Specifically, if a checker keeps symbol specific information
    145   /// in the sate, it can and should be dropped after the symbol becomes dead.
    146   /// In addition, reporting a bug as soon as the checker becomes dead leads to
    147   /// more precise diagnostics. (For example, one should report that a malloced
    148   /// variable is not freed right after it goes out of scope.)
    149   ///
    150   /// \param SR The SymbolReaper object can be queried to determine which
    151   ///           symbols are dead.
    152   ///
    153   /// check::DeadSymbols
    154   void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const {}
    155 
    156   /// \brief Called when the analyzer core reaches the end of a
    157   /// function being analyzed.
    158   ///
    159   /// check::EndFunction
    160   void checkEndFunction(CheckerContext &Ctx) const {}
    161 
    162   /// \brief Called after all the paths in the ExplodedGraph reach end of path
    163   /// - the symbolic execution graph is fully explored.
    164   ///
    165   /// This callback should be used in cases when a checker needs to have a
    166   /// global view of the information generated on all paths. For example, to
    167   /// compare execution summary/result several paths.
    168   /// See IdempotentOperationChecker for a usage example.
    169   ///
    170   /// check::EndAnalysis
    171   void checkEndAnalysis(ExplodedGraph &G,
    172                         BugReporter &BR,
    173                         ExprEngine &Eng) const {}
    174 
    175   /// \brief Called after analysis of a TranslationUnit is complete.
    176   ///
    177   /// check::EndOfTranslationUnit
    178   void checkEndOfTranslationUnit(const TranslationUnitDecl *TU,
    179                                  AnalysisManager &Mgr,
    180                                  BugReporter &BR) const {}
    181 
    182 
    183   /// \brief Evaluates function call.
    184   ///
    185   /// The analysis core threats all function calls in the same way. However, some
    186   /// functions have special meaning, which should be reflected in the program
    187   /// state. This callback allows a checker to provide domain specific knowledge
    188   /// about the particular functions it knows about.
    189   ///
    190   /// \returns true if the call has been successfully evaluated
    191   /// and false otherwise. Note, that only one checker can evaluate a call. If
    192   /// more then one checker claim that they can evaluate the same call the
    193   /// first one wins.
    194   ///
    195   /// eval::Call
    196   bool evalCall(const CallExpr *CE, CheckerContext &C) const { return true; }
    197 
    198   /// \brief Handles assumptions on symbolic values.
    199   ///
    200   /// This method is called when a symbolic expression is assumed to be true or
    201   /// false. For example, the assumptions are performed when evaluating a
    202   /// condition at a branch. The callback allows checkers track the assumptions
    203   /// performed on the symbols of interest and change the state accordingly.
    204   ///
    205   /// eval::Assume
    206   ProgramStateRef evalAssume(ProgramStateRef State,
    207                                  SVal Cond,
    208                                  bool Assumption) const { return State; }
    209 
    210   /// Allows modifying SymbolReaper object. For example, checkers can explicitly
    211   /// register symbols of interest as live. These symbols will not be marked
    212   /// dead and removed.
    213   ///
    214   /// check::LiveSymbols
    215   void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const {}
    216 
    217   /// \brief Called to determine if the checker currently needs to know if when
    218   /// contents of any regions change.
    219   ///
    220   /// Since it is not necessarily cheap to compute which regions are being
    221   /// changed, this allows the analyzer core to skip the more expensive
    222   /// #checkRegionChanges when no checkers are tracking any state.
    223   bool wantsRegionChangeUpdate(ProgramStateRef St) const { return true; }
    224 
    225   /// \brief Called when the contents of one or more regions change.
    226   ///
    227   /// This can occur in many different ways: an explicit bind, a blanket
    228   /// invalidation of the region contents, or by passing a region to a function
    229   /// call whose behavior the analyzer cannot model perfectly.
    230   ///
    231   /// \param State The current program state.
    232   /// \param Invalidated A set of all symbols potentially touched by the change.
    233   /// \param ExplicitRegions The regions explicitly requested for invalidation.
    234   ///        For a function call, this would be the arguments. For a bind, this
    235   ///        would be the region being bound to.
    236   /// \param Regions The transitive closure of regions accessible from,
    237   ///        \p ExplicitRegions, i.e. all regions that may have been touched
    238   ///        by this change. For a simple bind, this list will be the same as
    239   ///        \p ExplicitRegions, since a bind does not affect the contents of
    240   ///        anything accessible through the base region.
    241   /// \param Call The opaque call triggering this invalidation. Will be 0 if the
    242   ///        change was not triggered by a call.
    243   ///
    244   /// Note that this callback will not be invoked unless
    245   /// #wantsRegionChangeUpdate returns \c true.
    246   ///
    247   /// check::RegionChanges
    248   ProgramStateRef
    249     checkRegionChanges(ProgramStateRef State,
    250                        const InvalidatedSymbols *Invalidated,
    251                        ArrayRef<const MemRegion *> ExplicitRegions,
    252                        ArrayRef<const MemRegion *> Regions,
    253                        const CallEvent *Call) const {
    254     return State;
    255   }
    256 
    257   /// \brief Called when pointers escape.
    258   ///
    259   /// This notifies the checkers about pointer escape, which occurs whenever
    260   /// the analyzer cannot track the symbol any more. For example, as a
    261   /// result of assigning a pointer into a global or when it's passed to a
    262   /// function call the analyzer cannot model.
    263   ///
    264   /// \param State The state at the point of escape.
    265   /// \param Escaped The list of escaped symbols.
    266   /// \param Call The corresponding CallEvent, if the symbols escape as
    267   /// parameters to the given call.
    268   /// \param Kind How the symbols have escaped.
    269   /// \returns Checkers can modify the state by returning a new state.
    270   ProgramStateRef checkPointerEscape(ProgramStateRef State,
    271                                      const InvalidatedSymbols &Escaped,
    272                                      const CallEvent *Call,
    273                                      PointerEscapeKind Kind) const {
    274     return State;
    275   }
    276 
    277   /// check::Event<ImplicitNullDerefEvent>
    278   void checkEvent(ImplicitNullDerefEvent Event) const {}
    279 
    280   /// \brief Check every declaration in the AST.
    281   ///
    282   /// An AST traversal callback, which should only be used when the checker is
    283   /// not path sensitive. It will be called for every Declaration in the AST and
    284   /// can be specialized to only be called on subclasses of Decl, for example,
    285   /// FunctionDecl.
    286   ///
    287   /// check::ASTDecl<FunctionDecl>
    288   void checkASTDecl(const FunctionDecl *D,
    289                     AnalysisManager &Mgr,
    290                     BugReporter &BR) const {}
    291 
    292 };
    293 
    294 void CheckerDocumentation::checkPostStmt(const DeclStmt *DS,
    295                                          CheckerContext &C) const {
    296   return;
    297 }
    298 
    299 } // end namespace ento
    300 } // end namespace clang
    301