1 //===- CallEvent.h - Wrapper for all function and method calls ----*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 /// \file This file defines CallEvent and its subclasses, which represent path- 11 /// sensitive instances of different kinds of function and method calls 12 /// (C, C++, and Objective-C). 13 // 14 //===----------------------------------------------------------------------===// 15 16 #ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_CALLEVENT_H 17 #define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_CALLEVENT_H 18 19 #include "clang/AST/DeclCXX.h" 20 #include "clang/AST/ExprCXX.h" 21 #include "clang/AST/ExprObjC.h" 22 #include "clang/Analysis/AnalysisContext.h" 23 #include "clang/Basic/SourceManager.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 26 #include "llvm/ADT/PointerIntPair.h" 27 28 namespace clang { 29 class ProgramPoint; 30 class ProgramPointTag; 31 32 namespace ento { 33 34 enum CallEventKind { 35 CE_Function, 36 CE_CXXMember, 37 CE_CXXMemberOperator, 38 CE_CXXDestructor, 39 CE_BEG_CXX_INSTANCE_CALLS = CE_CXXMember, 40 CE_END_CXX_INSTANCE_CALLS = CE_CXXDestructor, 41 CE_CXXConstructor, 42 CE_CXXAllocator, 43 CE_BEG_FUNCTION_CALLS = CE_Function, 44 CE_END_FUNCTION_CALLS = CE_CXXAllocator, 45 CE_Block, 46 CE_ObjCMessage 47 }; 48 49 class CallEvent; 50 class CallEventManager; 51 52 template<typename T = CallEvent> 53 class CallEventRef : public IntrusiveRefCntPtr<const T> { 54 public: 55 CallEventRef(const T *Call) : IntrusiveRefCntPtr<const T>(Call) {} 56 CallEventRef(const CallEventRef &Orig) : IntrusiveRefCntPtr<const T>(Orig) {} 57 58 CallEventRef<T> cloneWithState(ProgramStateRef State) const { 59 return this->get()->template cloneWithState<T>(State); 60 } 61 62 // Allow implicit conversions to a superclass type, since CallEventRef 63 // behaves like a pointer-to-const. 64 template <typename SuperT> 65 operator CallEventRef<SuperT> () const { 66 return this->get(); 67 } 68 }; 69 70 /// \class RuntimeDefinition 71 /// \brief Defines the runtime definition of the called function. 72 /// 73 /// Encapsulates the information we have about which Decl will be used 74 /// when the call is executed on the given path. When dealing with dynamic 75 /// dispatch, the information is based on DynamicTypeInfo and might not be 76 /// precise. 77 class RuntimeDefinition { 78 /// The Declaration of the function which could be called at runtime. 79 /// NULL if not available. 80 const Decl *D; 81 82 /// The region representing an object (ObjC/C++) on which the method is 83 /// called. With dynamic dispatch, the method definition depends on the 84 /// runtime type of this object. NULL when the DynamicTypeInfo is 85 /// precise. 86 const MemRegion *R; 87 88 public: 89 RuntimeDefinition(): D(nullptr), R(nullptr) {} 90 RuntimeDefinition(const Decl *InD): D(InD), R(nullptr) {} 91 RuntimeDefinition(const Decl *InD, const MemRegion *InR): D(InD), R(InR) {} 92 const Decl *getDecl() { return D; } 93 94 /// \brief Check if the definition we have is precise. 95 /// If not, it is possible that the call dispatches to another definition at 96 /// execution time. 97 bool mayHaveOtherDefinitions() { return R != nullptr; } 98 99 /// When other definitions are possible, returns the region whose runtime type 100 /// determines the method definition. 101 const MemRegion *getDispatchRegion() { return R; } 102 }; 103 104 /// \brief Represents an abstract call to a function or method along a 105 /// particular path. 106 /// 107 /// CallEvents are created through the factory methods of CallEventManager. 108 /// 109 /// CallEvents should always be cheap to create and destroy. In order for 110 /// CallEventManager to be able to re-use CallEvent-sized memory blocks, 111 /// subclasses of CallEvent may not add any data members to the base class. 112 /// Use the "Data" and "Location" fields instead. 113 class CallEvent { 114 public: 115 typedef CallEventKind Kind; 116 117 private: 118 ProgramStateRef State; 119 const LocationContext *LCtx; 120 llvm::PointerUnion<const Expr *, const Decl *> Origin; 121 122 void operator=(const CallEvent &) = delete; 123 124 protected: 125 // This is user data for subclasses. 126 const void *Data; 127 128 // This is user data for subclasses. 129 // This should come right before RefCount, so that the two fields can be 130 // packed together on LP64 platforms. 131 SourceLocation Location; 132 133 private: 134 mutable unsigned RefCount; 135 136 template <typename T> friend struct llvm::IntrusiveRefCntPtrInfo; 137 void Retain() const { ++RefCount; } 138 void Release() const; 139 140 protected: 141 friend class CallEventManager; 142 143 CallEvent(const Expr *E, ProgramStateRef state, const LocationContext *lctx) 144 : State(state), LCtx(lctx), Origin(E), RefCount(0) {} 145 146 CallEvent(const Decl *D, ProgramStateRef state, const LocationContext *lctx) 147 : State(state), LCtx(lctx), Origin(D), RefCount(0) {} 148 149 // DO NOT MAKE PUBLIC 150 CallEvent(const CallEvent &Original) 151 : State(Original.State), LCtx(Original.LCtx), Origin(Original.Origin), 152 Data(Original.Data), Location(Original.Location), RefCount(0) {} 153 154 /// Copies this CallEvent, with vtable intact, into a new block of memory. 155 virtual void cloneTo(void *Dest) const = 0; 156 157 /// \brief Get the value of arbitrary expressions at this point in the path. 158 SVal getSVal(const Stmt *S) const { 159 return getState()->getSVal(S, getLocationContext()); 160 } 161 162 163 typedef SmallVectorImpl<SVal> ValueList; 164 165 /// \brief Used to specify non-argument regions that will be invalidated as a 166 /// result of this call. 167 virtual void getExtraInvalidatedValues(ValueList &Values, 168 RegionAndSymbolInvalidationTraits *ETraits) const {} 169 170 public: 171 virtual ~CallEvent() {} 172 173 /// \brief Returns the kind of call this is. 174 virtual Kind getKind() const = 0; 175 176 /// \brief Returns the declaration of the function or method that will be 177 /// called. May be null. 178 virtual const Decl *getDecl() const { 179 return Origin.dyn_cast<const Decl *>(); 180 } 181 182 /// \brief The state in which the call is being evaluated. 183 const ProgramStateRef &getState() const { 184 return State; 185 } 186 187 /// \brief The context in which the call is being evaluated. 188 const LocationContext *getLocationContext() const { 189 return LCtx; 190 } 191 192 /// \brief Returns the definition of the function or method that will be 193 /// called. 194 virtual RuntimeDefinition getRuntimeDefinition() const = 0; 195 196 /// \brief Returns the expression whose value will be the result of this call. 197 /// May be null. 198 const Expr *getOriginExpr() const { 199 return Origin.dyn_cast<const Expr *>(); 200 } 201 202 /// \brief Returns the number of arguments (explicit and implicit). 203 /// 204 /// Note that this may be greater than the number of parameters in the 205 /// callee's declaration, and that it may include arguments not written in 206 /// the source. 207 virtual unsigned getNumArgs() const = 0; 208 209 /// \brief Returns true if the callee is known to be from a system header. 210 bool isInSystemHeader() const { 211 const Decl *D = getDecl(); 212 if (!D) 213 return false; 214 215 SourceLocation Loc = D->getLocation(); 216 if (Loc.isValid()) { 217 const SourceManager &SM = 218 getState()->getStateManager().getContext().getSourceManager(); 219 return SM.isInSystemHeader(D->getLocation()); 220 } 221 222 // Special case for implicitly-declared global operator new/delete. 223 // These should be considered system functions. 224 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) 225 return FD->isOverloadedOperator() && FD->isImplicit() && FD->isGlobal(); 226 227 return false; 228 } 229 230 /// \brief Returns a source range for the entire call, suitable for 231 /// outputting in diagnostics. 232 virtual SourceRange getSourceRange() const { 233 return getOriginExpr()->getSourceRange(); 234 } 235 236 /// \brief Returns the value of a given argument at the time of the call. 237 virtual SVal getArgSVal(unsigned Index) const; 238 239 /// \brief Returns the expression associated with a given argument. 240 /// May be null if this expression does not appear in the source. 241 virtual const Expr *getArgExpr(unsigned Index) const { return nullptr; } 242 243 /// \brief Returns the source range for errors associated with this argument. 244 /// 245 /// May be invalid if the argument is not written in the source. 246 virtual SourceRange getArgSourceRange(unsigned Index) const; 247 248 /// \brief Returns the result type, adjusted for references. 249 QualType getResultType() const; 250 251 /// \brief Returns the return value of the call. 252 /// 253 /// This should only be called if the CallEvent was created using a state in 254 /// which the return value has already been bound to the origin expression. 255 SVal getReturnValue() const; 256 257 /// \brief Returns true if the type of any of the non-null arguments satisfies 258 /// the condition. 259 bool hasNonNullArgumentsWithType(bool (*Condition)(QualType)) const; 260 261 /// \brief Returns true if any of the arguments appear to represent callbacks. 262 bool hasNonZeroCallbackArg() const; 263 264 /// \brief Returns true if any of the arguments is void*. 265 bool hasVoidPointerToNonConstArg() const; 266 267 /// \brief Returns true if any of the arguments are known to escape to long- 268 /// term storage, even if this method will not modify them. 269 // NOTE: The exact semantics of this are still being defined! 270 // We don't really want a list of hardcoded exceptions in the long run, 271 // but we don't want duplicated lists of known APIs in the short term either. 272 virtual bool argumentsMayEscape() const { 273 return hasNonZeroCallbackArg(); 274 } 275 276 /// \brief Returns true if the callee is an externally-visible function in the 277 /// top-level namespace, such as \c malloc. 278 /// 279 /// You can use this call to determine that a particular function really is 280 /// a library function and not, say, a C++ member function with the same name. 281 /// 282 /// If a name is provided, the function must additionally match the given 283 /// name. 284 /// 285 /// Note that this deliberately excludes C++ library functions in the \c std 286 /// namespace, but will include C library functions accessed through the 287 /// \c std namespace. This also does not check if the function is declared 288 /// as 'extern "C"', or if it uses C++ name mangling. 289 // FIXME: Add a helper for checking namespaces. 290 // FIXME: Move this down to AnyFunctionCall once checkers have more 291 // precise callbacks. 292 bool isGlobalCFunction(StringRef SpecificName = StringRef()) const; 293 294 /// \brief Returns the name of the callee, if its name is a simple identifier. 295 /// 296 /// Note that this will fail for Objective-C methods, blocks, and C++ 297 /// overloaded operators. The former is named by a Selector rather than a 298 /// simple identifier, and the latter two do not have names. 299 // FIXME: Move this down to AnyFunctionCall once checkers have more 300 // precise callbacks. 301 const IdentifierInfo *getCalleeIdentifier() const { 302 const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(getDecl()); 303 if (!ND) 304 return nullptr; 305 return ND->getIdentifier(); 306 } 307 308 /// \brief Returns an appropriate ProgramPoint for this call. 309 ProgramPoint getProgramPoint(bool IsPreVisit = false, 310 const ProgramPointTag *Tag = nullptr) const; 311 312 /// \brief Returns a new state with all argument regions invalidated. 313 /// 314 /// This accepts an alternate state in case some processing has already 315 /// occurred. 316 ProgramStateRef invalidateRegions(unsigned BlockCount, 317 ProgramStateRef Orig = nullptr) const; 318 319 typedef std::pair<Loc, SVal> FrameBindingTy; 320 typedef SmallVectorImpl<FrameBindingTy> BindingsTy; 321 322 /// Populates the given SmallVector with the bindings in the callee's stack 323 /// frame at the start of this call. 324 virtual void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 325 BindingsTy &Bindings) const = 0; 326 327 /// Returns a copy of this CallEvent, but using the given state. 328 template <typename T> 329 CallEventRef<T> cloneWithState(ProgramStateRef NewState) const; 330 331 /// Returns a copy of this CallEvent, but using the given state. 332 CallEventRef<> cloneWithState(ProgramStateRef NewState) const { 333 return cloneWithState<CallEvent>(NewState); 334 } 335 336 /// \brief Returns true if this is a statement is a function or method call 337 /// of some kind. 338 static bool isCallStmt(const Stmt *S); 339 340 /// \brief Returns the result type of a function or method declaration. 341 /// 342 /// This will return a null QualType if the result type cannot be determined. 343 static QualType getDeclaredResultType(const Decl *D); 344 345 /// \brief Returns true if the given decl is known to be variadic. 346 /// 347 /// \p D must not be null. 348 static bool isVariadic(const Decl *D); 349 350 // Iterator access to formal parameters and their types. 351 private: 352 typedef std::const_mem_fun_t<QualType, ParmVarDecl> get_type_fun; 353 354 public: 355 /// Return call's formal parameters. 356 /// 357 /// Remember that the number of formal parameters may not match the number 358 /// of arguments for all calls. However, the first parameter will always 359 /// correspond with the argument value returned by \c getArgSVal(0). 360 virtual ArrayRef<ParmVarDecl*> parameters() const = 0; 361 362 typedef llvm::mapped_iterator<ArrayRef<ParmVarDecl*>::iterator, get_type_fun> 363 param_type_iterator; 364 365 /// Returns an iterator over the types of the call's formal parameters. 366 /// 367 /// This uses the callee decl found by default name lookup rather than the 368 /// definition because it represents a public interface, and probably has 369 /// more annotations. 370 param_type_iterator param_type_begin() const { 371 return llvm::map_iterator(parameters().begin(), 372 get_type_fun(&ParmVarDecl::getType)); 373 } 374 /// \sa param_type_begin() 375 param_type_iterator param_type_end() const { 376 return llvm::map_iterator(parameters().end(), 377 get_type_fun(&ParmVarDecl::getType)); 378 } 379 380 // For debugging purposes only 381 void dump(raw_ostream &Out) const; 382 void dump() const; 383 }; 384 385 386 /// \brief Represents a call to any sort of function that might have a 387 /// FunctionDecl. 388 class AnyFunctionCall : public CallEvent { 389 protected: 390 AnyFunctionCall(const Expr *E, ProgramStateRef St, 391 const LocationContext *LCtx) 392 : CallEvent(E, St, LCtx) {} 393 AnyFunctionCall(const Decl *D, ProgramStateRef St, 394 const LocationContext *LCtx) 395 : CallEvent(D, St, LCtx) {} 396 AnyFunctionCall(const AnyFunctionCall &Other) : CallEvent(Other) {} 397 398 public: 399 // This function is overridden by subclasses, but they must return 400 // a FunctionDecl. 401 const FunctionDecl *getDecl() const override { 402 return cast<FunctionDecl>(CallEvent::getDecl()); 403 } 404 405 RuntimeDefinition getRuntimeDefinition() const override { 406 const FunctionDecl *FD = getDecl(); 407 // Note that the AnalysisDeclContext will have the FunctionDecl with 408 // the definition (if one exists). 409 if (FD) { 410 AnalysisDeclContext *AD = 411 getLocationContext()->getAnalysisDeclContext()-> 412 getManager()->getContext(FD); 413 if (AD->getBody()) 414 return RuntimeDefinition(AD->getDecl()); 415 } 416 417 return RuntimeDefinition(); 418 } 419 420 bool argumentsMayEscape() const override; 421 422 void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 423 BindingsTy &Bindings) const override; 424 425 ArrayRef<ParmVarDecl *> parameters() const override; 426 427 static bool classof(const CallEvent *CA) { 428 return CA->getKind() >= CE_BEG_FUNCTION_CALLS && 429 CA->getKind() <= CE_END_FUNCTION_CALLS; 430 } 431 }; 432 433 /// \brief Represents a C function or static C++ member function call. 434 /// 435 /// Example: \c fun() 436 class SimpleFunctionCall : public AnyFunctionCall { 437 friend class CallEventManager; 438 439 protected: 440 SimpleFunctionCall(const CallExpr *CE, ProgramStateRef St, 441 const LocationContext *LCtx) 442 : AnyFunctionCall(CE, St, LCtx) {} 443 SimpleFunctionCall(const SimpleFunctionCall &Other) 444 : AnyFunctionCall(Other) {} 445 void cloneTo(void *Dest) const override { 446 new (Dest) SimpleFunctionCall(*this); 447 } 448 449 public: 450 virtual const CallExpr *getOriginExpr() const { 451 return cast<CallExpr>(AnyFunctionCall::getOriginExpr()); 452 } 453 454 const FunctionDecl *getDecl() const override; 455 456 unsigned getNumArgs() const override { return getOriginExpr()->getNumArgs(); } 457 458 const Expr *getArgExpr(unsigned Index) const override { 459 return getOriginExpr()->getArg(Index); 460 } 461 462 Kind getKind() const override { return CE_Function; } 463 464 static bool classof(const CallEvent *CA) { 465 return CA->getKind() == CE_Function; 466 } 467 }; 468 469 /// \brief Represents a call to a block. 470 /// 471 /// Example: <tt>^{ /* ... */ }()</tt> 472 class BlockCall : public CallEvent { 473 friend class CallEventManager; 474 475 protected: 476 BlockCall(const CallExpr *CE, ProgramStateRef St, 477 const LocationContext *LCtx) 478 : CallEvent(CE, St, LCtx) {} 479 480 BlockCall(const BlockCall &Other) : CallEvent(Other) {} 481 void cloneTo(void *Dest) const override { new (Dest) BlockCall(*this); } 482 483 void getExtraInvalidatedValues(ValueList &Values, 484 RegionAndSymbolInvalidationTraits *ETraits) const override; 485 486 public: 487 virtual const CallExpr *getOriginExpr() const { 488 return cast<CallExpr>(CallEvent::getOriginExpr()); 489 } 490 491 unsigned getNumArgs() const override { return getOriginExpr()->getNumArgs(); } 492 493 const Expr *getArgExpr(unsigned Index) const override { 494 return getOriginExpr()->getArg(Index); 495 } 496 497 /// \brief Returns the region associated with this instance of the block. 498 /// 499 /// This may be NULL if the block's origin is unknown. 500 const BlockDataRegion *getBlockRegion() const; 501 502 const BlockDecl *getDecl() const override { 503 const BlockDataRegion *BR = getBlockRegion(); 504 if (!BR) 505 return nullptr; 506 return BR->getDecl(); 507 } 508 509 bool isConversionFromLambda() const { 510 const BlockDecl *BD = getDecl(); 511 if (!BD) 512 return false; 513 514 return BD->isConversionFromLambda(); 515 } 516 517 /// \brief For a block converted from a C++ lambda, returns the block 518 /// VarRegion for the variable holding the captured C++ lambda record. 519 const VarRegion *getRegionStoringCapturedLambda() const { 520 assert(isConversionFromLambda()); 521 const BlockDataRegion *BR = getBlockRegion(); 522 assert(BR && "Block converted from lambda must have a block region"); 523 524 auto I = BR->referenced_vars_begin(); 525 assert(I != BR->referenced_vars_end()); 526 527 return I.getCapturedRegion(); 528 } 529 530 RuntimeDefinition getRuntimeDefinition() const override { 531 if (!isConversionFromLambda()) 532 return RuntimeDefinition(getDecl()); 533 534 // Clang converts lambdas to blocks with an implicit user-defined 535 // conversion operator method on the lambda record that looks (roughly) 536 // like: 537 // 538 // typedef R(^block_type)(P1, P2, ...); 539 // operator block_type() const { 540 // auto Lambda = *this; 541 // return ^(P1 p1, P2 p2, ...){ 542 // /* return Lambda(p1, p2, ...); */ 543 // }; 544 // } 545 // 546 // Here R is the return type of the lambda and P1, P2, ... are 547 // its parameter types. 'Lambda' is a fake VarDecl captured by the block 548 // that is initialized to a copy of the lambda. 549 // 550 // Sema leaves the body of a lambda-converted block empty (it is 551 // produced by CodeGen), so we can't analyze it directly. Instead, we skip 552 // the block body and analyze the operator() method on the captured lambda. 553 const VarDecl *LambdaVD = getRegionStoringCapturedLambda()->getDecl(); 554 const CXXRecordDecl *LambdaDecl = LambdaVD->getType()->getAsCXXRecordDecl(); 555 CXXMethodDecl* LambdaCallOperator = LambdaDecl->getLambdaCallOperator(); 556 557 return RuntimeDefinition(LambdaCallOperator); 558 } 559 560 bool argumentsMayEscape() const override { 561 return true; 562 } 563 564 void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 565 BindingsTy &Bindings) const override; 566 567 ArrayRef<ParmVarDecl*> parameters() const override; 568 569 Kind getKind() const override { return CE_Block; } 570 571 static bool classof(const CallEvent *CA) { 572 return CA->getKind() == CE_Block; 573 } 574 }; 575 576 /// \brief Represents a non-static C++ member function call, no matter how 577 /// it is written. 578 class CXXInstanceCall : public AnyFunctionCall { 579 protected: 580 void getExtraInvalidatedValues(ValueList &Values, 581 RegionAndSymbolInvalidationTraits *ETraits) const override; 582 583 CXXInstanceCall(const CallExpr *CE, ProgramStateRef St, 584 const LocationContext *LCtx) 585 : AnyFunctionCall(CE, St, LCtx) {} 586 CXXInstanceCall(const FunctionDecl *D, ProgramStateRef St, 587 const LocationContext *LCtx) 588 : AnyFunctionCall(D, St, LCtx) {} 589 590 591 CXXInstanceCall(const CXXInstanceCall &Other) : AnyFunctionCall(Other) {} 592 593 public: 594 /// \brief Returns the expression representing the implicit 'this' object. 595 virtual const Expr *getCXXThisExpr() const { return nullptr; } 596 597 /// \brief Returns the value of the implicit 'this' object. 598 virtual SVal getCXXThisVal() const; 599 600 const FunctionDecl *getDecl() const override; 601 602 RuntimeDefinition getRuntimeDefinition() const override; 603 604 void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 605 BindingsTy &Bindings) const override; 606 607 static bool classof(const CallEvent *CA) { 608 return CA->getKind() >= CE_BEG_CXX_INSTANCE_CALLS && 609 CA->getKind() <= CE_END_CXX_INSTANCE_CALLS; 610 } 611 }; 612 613 /// \brief Represents a non-static C++ member function call. 614 /// 615 /// Example: \c obj.fun() 616 class CXXMemberCall : public CXXInstanceCall { 617 friend class CallEventManager; 618 619 protected: 620 CXXMemberCall(const CXXMemberCallExpr *CE, ProgramStateRef St, 621 const LocationContext *LCtx) 622 : CXXInstanceCall(CE, St, LCtx) {} 623 624 CXXMemberCall(const CXXMemberCall &Other) : CXXInstanceCall(Other) {} 625 void cloneTo(void *Dest) const override { new (Dest) CXXMemberCall(*this); } 626 627 public: 628 virtual const CXXMemberCallExpr *getOriginExpr() const { 629 return cast<CXXMemberCallExpr>(CXXInstanceCall::getOriginExpr()); 630 } 631 632 unsigned getNumArgs() const override { 633 if (const CallExpr *CE = getOriginExpr()) 634 return CE->getNumArgs(); 635 return 0; 636 } 637 638 const Expr *getArgExpr(unsigned Index) const override { 639 return getOriginExpr()->getArg(Index); 640 } 641 642 const Expr *getCXXThisExpr() const override; 643 644 RuntimeDefinition getRuntimeDefinition() const override; 645 646 Kind getKind() const override { return CE_CXXMember; } 647 648 static bool classof(const CallEvent *CA) { 649 return CA->getKind() == CE_CXXMember; 650 } 651 }; 652 653 /// \brief Represents a C++ overloaded operator call where the operator is 654 /// implemented as a non-static member function. 655 /// 656 /// Example: <tt>iter + 1</tt> 657 class CXXMemberOperatorCall : public CXXInstanceCall { 658 friend class CallEventManager; 659 660 protected: 661 CXXMemberOperatorCall(const CXXOperatorCallExpr *CE, ProgramStateRef St, 662 const LocationContext *LCtx) 663 : CXXInstanceCall(CE, St, LCtx) {} 664 665 CXXMemberOperatorCall(const CXXMemberOperatorCall &Other) 666 : CXXInstanceCall(Other) {} 667 void cloneTo(void *Dest) const override { 668 new (Dest) CXXMemberOperatorCall(*this); 669 } 670 671 public: 672 virtual const CXXOperatorCallExpr *getOriginExpr() const { 673 return cast<CXXOperatorCallExpr>(CXXInstanceCall::getOriginExpr()); 674 } 675 676 unsigned getNumArgs() const override { 677 return getOriginExpr()->getNumArgs() - 1; 678 } 679 const Expr *getArgExpr(unsigned Index) const override { 680 return getOriginExpr()->getArg(Index + 1); 681 } 682 683 const Expr *getCXXThisExpr() const override; 684 685 Kind getKind() const override { return CE_CXXMemberOperator; } 686 687 static bool classof(const CallEvent *CA) { 688 return CA->getKind() == CE_CXXMemberOperator; 689 } 690 }; 691 692 /// \brief Represents an implicit call to a C++ destructor. 693 /// 694 /// This can occur at the end of a scope (for automatic objects), at the end 695 /// of a full-expression (for temporaries), or as part of a delete. 696 class CXXDestructorCall : public CXXInstanceCall { 697 friend class CallEventManager; 698 699 protected: 700 typedef llvm::PointerIntPair<const MemRegion *, 1, bool> DtorDataTy; 701 702 /// Creates an implicit destructor. 703 /// 704 /// \param DD The destructor that will be called. 705 /// \param Trigger The statement whose completion causes this destructor call. 706 /// \param Target The object region to be destructed. 707 /// \param St The path-sensitive state at this point in the program. 708 /// \param LCtx The location context at this point in the program. 709 CXXDestructorCall(const CXXDestructorDecl *DD, const Stmt *Trigger, 710 const MemRegion *Target, bool IsBaseDestructor, 711 ProgramStateRef St, const LocationContext *LCtx) 712 : CXXInstanceCall(DD, St, LCtx) { 713 Data = DtorDataTy(Target, IsBaseDestructor).getOpaqueValue(); 714 Location = Trigger->getLocEnd(); 715 } 716 717 CXXDestructorCall(const CXXDestructorCall &Other) : CXXInstanceCall(Other) {} 718 void cloneTo(void *Dest) const override {new (Dest) CXXDestructorCall(*this);} 719 720 public: 721 SourceRange getSourceRange() const override { return Location; } 722 unsigned getNumArgs() const override { return 0; } 723 724 RuntimeDefinition getRuntimeDefinition() const override; 725 726 /// \brief Returns the value of the implicit 'this' object. 727 SVal getCXXThisVal() const override; 728 729 /// Returns true if this is a call to a base class destructor. 730 bool isBaseDestructor() const { 731 return DtorDataTy::getFromOpaqueValue(Data).getInt(); 732 } 733 734 Kind getKind() const override { return CE_CXXDestructor; } 735 736 static bool classof(const CallEvent *CA) { 737 return CA->getKind() == CE_CXXDestructor; 738 } 739 }; 740 741 /// \brief Represents a call to a C++ constructor. 742 /// 743 /// Example: \c T(1) 744 class CXXConstructorCall : public AnyFunctionCall { 745 friend class CallEventManager; 746 747 protected: 748 /// Creates a constructor call. 749 /// 750 /// \param CE The constructor expression as written in the source. 751 /// \param Target The region where the object should be constructed. If NULL, 752 /// a new symbolic region will be used. 753 /// \param St The path-sensitive state at this point in the program. 754 /// \param LCtx The location context at this point in the program. 755 CXXConstructorCall(const CXXConstructExpr *CE, const MemRegion *Target, 756 ProgramStateRef St, const LocationContext *LCtx) 757 : AnyFunctionCall(CE, St, LCtx) { 758 Data = Target; 759 } 760 761 CXXConstructorCall(const CXXConstructorCall &Other) : AnyFunctionCall(Other){} 762 void cloneTo(void *Dest) const override { new (Dest) CXXConstructorCall(*this); } 763 764 void getExtraInvalidatedValues(ValueList &Values, 765 RegionAndSymbolInvalidationTraits *ETraits) const override; 766 767 public: 768 virtual const CXXConstructExpr *getOriginExpr() const { 769 return cast<CXXConstructExpr>(AnyFunctionCall::getOriginExpr()); 770 } 771 772 const CXXConstructorDecl *getDecl() const override { 773 return getOriginExpr()->getConstructor(); 774 } 775 776 unsigned getNumArgs() const override { return getOriginExpr()->getNumArgs(); } 777 778 const Expr *getArgExpr(unsigned Index) const override { 779 return getOriginExpr()->getArg(Index); 780 } 781 782 /// \brief Returns the value of the implicit 'this' object. 783 SVal getCXXThisVal() const; 784 785 void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 786 BindingsTy &Bindings) const override; 787 788 Kind getKind() const override { return CE_CXXConstructor; } 789 790 static bool classof(const CallEvent *CA) { 791 return CA->getKind() == CE_CXXConstructor; 792 } 793 }; 794 795 /// \brief Represents the memory allocation call in a C++ new-expression. 796 /// 797 /// This is a call to "operator new". 798 class CXXAllocatorCall : public AnyFunctionCall { 799 friend class CallEventManager; 800 801 protected: 802 CXXAllocatorCall(const CXXNewExpr *E, ProgramStateRef St, 803 const LocationContext *LCtx) 804 : AnyFunctionCall(E, St, LCtx) {} 805 806 CXXAllocatorCall(const CXXAllocatorCall &Other) : AnyFunctionCall(Other) {} 807 void cloneTo(void *Dest) const override { new (Dest) CXXAllocatorCall(*this); } 808 809 public: 810 virtual const CXXNewExpr *getOriginExpr() const { 811 return cast<CXXNewExpr>(AnyFunctionCall::getOriginExpr()); 812 } 813 814 const FunctionDecl *getDecl() const override { 815 return getOriginExpr()->getOperatorNew(); 816 } 817 818 unsigned getNumArgs() const override { 819 return getOriginExpr()->getNumPlacementArgs() + 1; 820 } 821 822 const Expr *getArgExpr(unsigned Index) const override { 823 // The first argument of an allocator call is the size of the allocation. 824 if (Index == 0) 825 return nullptr; 826 return getOriginExpr()->getPlacementArg(Index - 1); 827 } 828 829 Kind getKind() const override { return CE_CXXAllocator; } 830 831 static bool classof(const CallEvent *CE) { 832 return CE->getKind() == CE_CXXAllocator; 833 } 834 }; 835 836 /// \brief Represents the ways an Objective-C message send can occur. 837 // 838 // Note to maintainers: OCM_Message should always be last, since it does not 839 // need to fit in the Data field's low bits. 840 enum ObjCMessageKind { 841 OCM_PropertyAccess, 842 OCM_Subscript, 843 OCM_Message 844 }; 845 846 /// \brief Represents any expression that calls an Objective-C method. 847 /// 848 /// This includes all of the kinds listed in ObjCMessageKind. 849 class ObjCMethodCall : public CallEvent { 850 friend class CallEventManager; 851 852 const PseudoObjectExpr *getContainingPseudoObjectExpr() const; 853 854 protected: 855 ObjCMethodCall(const ObjCMessageExpr *Msg, ProgramStateRef St, 856 const LocationContext *LCtx) 857 : CallEvent(Msg, St, LCtx) { 858 Data = nullptr; 859 } 860 861 ObjCMethodCall(const ObjCMethodCall &Other) : CallEvent(Other) {} 862 void cloneTo(void *Dest) const override { new (Dest) ObjCMethodCall(*this); } 863 864 void getExtraInvalidatedValues(ValueList &Values, 865 RegionAndSymbolInvalidationTraits *ETraits) const override; 866 867 /// Check if the selector may have multiple definitions (may have overrides). 868 virtual bool canBeOverridenInSubclass(ObjCInterfaceDecl *IDecl, 869 Selector Sel) const; 870 871 public: 872 virtual const ObjCMessageExpr *getOriginExpr() const { 873 return cast<ObjCMessageExpr>(CallEvent::getOriginExpr()); 874 } 875 const ObjCMethodDecl *getDecl() const override { 876 return getOriginExpr()->getMethodDecl(); 877 } 878 unsigned getNumArgs() const override { 879 return getOriginExpr()->getNumArgs(); 880 } 881 const Expr *getArgExpr(unsigned Index) const override { 882 return getOriginExpr()->getArg(Index); 883 } 884 885 bool isInstanceMessage() const { 886 return getOriginExpr()->isInstanceMessage(); 887 } 888 ObjCMethodFamily getMethodFamily() const { 889 return getOriginExpr()->getMethodFamily(); 890 } 891 Selector getSelector() const { 892 return getOriginExpr()->getSelector(); 893 } 894 895 SourceRange getSourceRange() const override; 896 897 /// \brief Returns the value of the receiver at the time of this call. 898 SVal getReceiverSVal() const; 899 900 /// \brief Return the value of 'self' if available. 901 SVal getSelfSVal() const; 902 903 /// \brief Get the interface for the receiver. 904 /// 905 /// This works whether this is an instance message or a class message. 906 /// However, it currently just uses the static type of the receiver. 907 const ObjCInterfaceDecl *getReceiverInterface() const { 908 return getOriginExpr()->getReceiverInterface(); 909 } 910 911 /// \brief Checks if the receiver refers to 'self' or 'super'. 912 bool isReceiverSelfOrSuper() const; 913 914 /// Returns how the message was written in the source (property access, 915 /// subscript, or explicit message send). 916 ObjCMessageKind getMessageKind() const; 917 918 /// Returns true if this property access or subscript is a setter (has the 919 /// form of an assignment). 920 bool isSetter() const { 921 switch (getMessageKind()) { 922 case OCM_Message: 923 llvm_unreachable("This is not a pseudo-object access!"); 924 case OCM_PropertyAccess: 925 return getNumArgs() > 0; 926 case OCM_Subscript: 927 return getNumArgs() > 1; 928 } 929 llvm_unreachable("Unknown message kind"); 930 } 931 932 RuntimeDefinition getRuntimeDefinition() const override; 933 934 bool argumentsMayEscape() const override; 935 936 void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 937 BindingsTy &Bindings) const override; 938 939 ArrayRef<ParmVarDecl*> parameters() const override; 940 941 Kind getKind() const override { return CE_ObjCMessage; } 942 943 static bool classof(const CallEvent *CA) { 944 return CA->getKind() == CE_ObjCMessage; 945 } 946 }; 947 948 949 /// \brief Manages the lifetime of CallEvent objects. 950 /// 951 /// CallEventManager provides a way to create arbitrary CallEvents "on the 952 /// stack" as if they were value objects by keeping a cache of CallEvent-sized 953 /// memory blocks. The CallEvents created by CallEventManager are only valid 954 /// for the lifetime of the OwnedCallEvent that holds them; right now these 955 /// objects cannot be copied and ownership cannot be transferred. 956 class CallEventManager { 957 friend class CallEvent; 958 959 llvm::BumpPtrAllocator &Alloc; 960 SmallVector<void *, 8> Cache; 961 typedef SimpleFunctionCall CallEventTemplateTy; 962 963 void reclaim(const void *Memory) { 964 Cache.push_back(const_cast<void *>(Memory)); 965 } 966 967 /// Returns memory that can be initialized as a CallEvent. 968 void *allocate() { 969 if (Cache.empty()) 970 return Alloc.Allocate<CallEventTemplateTy>(); 971 else 972 return Cache.pop_back_val(); 973 } 974 975 template <typename T, typename Arg> 976 T *create(Arg A, ProgramStateRef St, const LocationContext *LCtx) { 977 static_assert(sizeof(T) == sizeof(CallEventTemplateTy), 978 "CallEvent subclasses are not all the same size"); 979 return new (allocate()) T(A, St, LCtx); 980 } 981 982 template <typename T, typename Arg1, typename Arg2> 983 T *create(Arg1 A1, Arg2 A2, ProgramStateRef St, const LocationContext *LCtx) { 984 static_assert(sizeof(T) == sizeof(CallEventTemplateTy), 985 "CallEvent subclasses are not all the same size"); 986 return new (allocate()) T(A1, A2, St, LCtx); 987 } 988 989 template <typename T, typename Arg1, typename Arg2, typename Arg3> 990 T *create(Arg1 A1, Arg2 A2, Arg3 A3, ProgramStateRef St, 991 const LocationContext *LCtx) { 992 static_assert(sizeof(T) == sizeof(CallEventTemplateTy), 993 "CallEvent subclasses are not all the same size"); 994 return new (allocate()) T(A1, A2, A3, St, LCtx); 995 } 996 997 template <typename T, typename Arg1, typename Arg2, typename Arg3, 998 typename Arg4> 999 T *create(Arg1 A1, Arg2 A2, Arg3 A3, Arg4 A4, ProgramStateRef St, 1000 const LocationContext *LCtx) { 1001 static_assert(sizeof(T) == sizeof(CallEventTemplateTy), 1002 "CallEvent subclasses are not all the same size"); 1003 return new (allocate()) T(A1, A2, A3, A4, St, LCtx); 1004 } 1005 1006 public: 1007 CallEventManager(llvm::BumpPtrAllocator &alloc) : Alloc(alloc) {} 1008 1009 1010 CallEventRef<> 1011 getCaller(const StackFrameContext *CalleeCtx, ProgramStateRef State); 1012 1013 1014 CallEventRef<> 1015 getSimpleCall(const CallExpr *E, ProgramStateRef State, 1016 const LocationContext *LCtx); 1017 1018 CallEventRef<ObjCMethodCall> 1019 getObjCMethodCall(const ObjCMessageExpr *E, ProgramStateRef State, 1020 const LocationContext *LCtx) { 1021 return create<ObjCMethodCall>(E, State, LCtx); 1022 } 1023 1024 CallEventRef<CXXConstructorCall> 1025 getCXXConstructorCall(const CXXConstructExpr *E, const MemRegion *Target, 1026 ProgramStateRef State, const LocationContext *LCtx) { 1027 return create<CXXConstructorCall>(E, Target, State, LCtx); 1028 } 1029 1030 CallEventRef<CXXDestructorCall> 1031 getCXXDestructorCall(const CXXDestructorDecl *DD, const Stmt *Trigger, 1032 const MemRegion *Target, bool IsBase, 1033 ProgramStateRef State, const LocationContext *LCtx) { 1034 return create<CXXDestructorCall>(DD, Trigger, Target, IsBase, State, LCtx); 1035 } 1036 1037 CallEventRef<CXXAllocatorCall> 1038 getCXXAllocatorCall(const CXXNewExpr *E, ProgramStateRef State, 1039 const LocationContext *LCtx) { 1040 return create<CXXAllocatorCall>(E, State, LCtx); 1041 } 1042 }; 1043 1044 1045 template <typename T> 1046 CallEventRef<T> CallEvent::cloneWithState(ProgramStateRef NewState) const { 1047 assert(isa<T>(*this) && "Cloning to unrelated type"); 1048 static_assert(sizeof(T) == sizeof(CallEvent), 1049 "Subclasses may not add fields"); 1050 1051 if (NewState == State) 1052 return cast<T>(this); 1053 1054 CallEventManager &Mgr = State->getStateManager().getCallEventManager(); 1055 T *Copy = static_cast<T *>(Mgr.allocate()); 1056 cloneTo(Copy); 1057 assert(Copy->getKind() == this->getKind() && "Bad copy"); 1058 1059 Copy->State = NewState; 1060 return Copy; 1061 } 1062 1063 inline void CallEvent::Release() const { 1064 assert(RefCount > 0 && "Reference count is already zero."); 1065 --RefCount; 1066 1067 if (RefCount > 0) 1068 return; 1069 1070 CallEventManager &Mgr = State->getStateManager().getCallEventManager(); 1071 Mgr.reclaim(this); 1072 1073 this->~CallEvent(); 1074 } 1075 1076 } // end namespace ento 1077 } // end namespace clang 1078 1079 namespace llvm { 1080 // Support isa<>, cast<>, and dyn_cast<> for CallEventRef. 1081 template<class T> struct simplify_type< clang::ento::CallEventRef<T> > { 1082 typedef const T *SimpleType; 1083 1084 static SimpleType 1085 getSimplifiedValue(clang::ento::CallEventRef<T> Val) { 1086 return Val.get(); 1087 } 1088 }; 1089 } 1090 1091 #endif 1092
