clang  10.0.0svn
CheckerContext.h
1 //== CheckerContext.h - Context info for path-sensitive checkers--*- C++ -*--=//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines CheckerContext that provides contextual info for
10 // path-sensitive checkers.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_CHECKERCONTEXT_H
15 #define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_CHECKERCONTEXT_H
16 
19 
20 namespace clang {
21 namespace ento {
22 
24  ExprEngine &Eng;
25  /// The current exploded(symbolic execution) graph node.
26  ExplodedNode *Pred;
27  /// The flag is true if the (state of the execution) has been modified
28  /// by the checker using this context. For example, a new transition has been
29  /// added or a bug report issued.
30  bool Changed;
31  /// The tagged location, which is used to generate all new nodes.
32  const ProgramPoint Location;
33  NodeBuilder &NB;
34 
35 public:
36  /// If we are post visiting a call, this flag will be set if the
37  /// call was inlined. In all other cases it will be false.
38  const bool wasInlined;
39 
41  ExprEngine &eng,
42  ExplodedNode *pred,
43  const ProgramPoint &loc,
44  bool wasInlined = false)
45  : Eng(eng),
46  Pred(pred),
47  Changed(false),
48  Location(loc),
49  NB(builder),
50  wasInlined(wasInlined) {
51  assert(Pred->getState() &&
52  "We should not call the checkers on an empty state.");
53  }
54 
56  return Eng.getAnalysisManager();
57  }
58 
60  return Eng.getConstraintManager();
61  }
62 
64  return Eng.getStoreManager();
65  }
66 
67  /// Returns the previous node in the exploded graph, which includes
68  /// the state of the program before the checker ran. Note, checkers should
69  /// not retain the node in their state since the nodes might get invalidated.
ExplodedNode *getPredecessor() {
  // Hands back the node this context was constructed with. Callers should
  // not store it: per the class documentation, nodes may be invalidated.
  return Pred;
}
const ProgramStateRef &getState() const {
  // The state is read from the predecessor node on every call; nothing is
  // cached in the context itself.
  return Pred->getState();
}
72 
73  /// Check if the checker changed the state of the execution; ex: added
74  /// a new transition or a bug report.
bool isDifferent() {
  // Changed is set by emitReport() and by addTransitionImpl() once it goes
  // past its early-return guard.
  return Changed;
}
76 
77  /// Returns the number of times the current block has been visited
78  /// along the analyzed path.
unsigned blockCount() const {
  // The visit counter is kept by the node builder's context, not here.
  const auto &BuilderCtx = NB.getContext();
  return BuilderCtx.blockCount();
}
82 
84  return Eng.getContext();
85  }
86 
const LangOptions &getLangOpts() const {
  // Language options are obtained through the engine's context object.
  auto &ASTCtx = Eng.getContext();
  return ASTCtx.getLangOpts();
}
90 
92  return Pred->getLocationContext();
93  }
94 
96  return Pred->getStackFrame();
97  }
98 
99  /// Return true if the current LocationContext has no caller context.
bool inTopFrame() const {
  // Ask the predecessor's location context whether it has a caller.
  const LocationContext *LCtx = getLocationContext();
  return LCtx->inTopFrame();
}
101 
103  return Eng.getBugReporter();
104  }
105 
107  return getBugReporter().getSourceManager();
108  }
109 
111  return Eng.getSValBuilder();
112  }
113 
115  return getSValBuilder().getSymbolManager();
116  }
117 
119  return Eng.getStateManager();
120  }
121 
123  return Pred->getLocationContext()->getAnalysisDeclContext();
124  }
125 
126  /// Get the blockID.
unsigned getBlockID() const {
  // The block comes from the node builder's context.
  const auto *Block = NB.getContext().getBlock();
  return Block->getBlockID();
}
130 
131  /// If the given node corresponds to a PostStore program point,
132  /// retrieve the location region as it was uttered in the code.
133  ///
134  /// This utility can be useful for generating extensive diagnostics, for
135  /// example, for finding variables that the given symbol was assigned to.
137  ProgramPoint L = N->getLocation();
138  if (Optional<PostStore> PSL = L.getAs<PostStore>())
139  return reinterpret_cast<const MemRegion*>(PSL->getLocationValue());
140  return nullptr;
141  }
142 
143  /// Get the value of arbitrary expressions at this point in the path.
SVal getSVal(const Stmt *S) const {
  // Looked up on the predecessor node, i.e. the value as of the point where
  // the checker was invoked.
  SVal Value = Pred->getSVal(S);
  return Value;
}
147 
148  /// Returns true if the value of \p E is greater than or equal to \p
149  /// Val under unsigned comparison
150  bool isGreaterOrEqual(const Expr *E, unsigned long long Val);
151 
152  /// Returns true if the value of \p E is negative.
153  bool isNegative(const Expr *E);
154 
155  /// Generates a new transition in the program state graph
156  /// (ExplodedGraph). Uses the default CheckerContext predecessor node.
157  ///
158  /// @param State The state of the generated node. If not specified, the state
159  /// will not be changed, but the new node will have the checker's tag.
160  /// @param Tag The tag is used to uniquely identify the creation site. If no
161  /// tag is specified, a default tag, unique to the given checker,
162  /// will be used. Tags are used to prevent states generated at
163  /// different sites from caching out.
165  const ProgramPointTag *Tag = nullptr) {
166  return addTransitionImpl(State ? State : getState(), false, nullptr, Tag);
167  }
168 
169  /// Generates a new transition with the given predecessor.
170  /// Allows checkers to generate a chain of nodes.
171  ///
172  /// @param State The state of the generated node.
173  /// @param Pred The transition will be generated from the specified Pred node
174  /// to the newly generated node.
175  /// @param Tag The tag to uniquely identify the creation site.
177  ExplodedNode *Pred,
178  const ProgramPointTag *Tag = nullptr) {
179  return addTransitionImpl(State, false, Pred, Tag);
180  }
181 
182  /// Generate a sink node. Generating a sink stops exploration of the
183  /// given path. To create a sink node for the purpose of reporting an error,
184  /// checkers should use generateErrorNode() instead.
186  const ProgramPointTag *Tag = nullptr) {
187  return addTransitionImpl(State ? State : getState(), true, Pred, Tag);
188  }
189 
190  /// Generate a transition to a node that will be used to report
191  /// an error. This node will be a sink. That is, it will stop exploration of
192  /// the given path.
193  ///
194  /// @param State The state of the generated node.
195  /// @param Tag The tag to uniquely identify the creation site. If null,
196  /// the default tag for the checker will be used.
198  const ProgramPointTag *Tag = nullptr) {
199  return generateSink(State, Pred,
200  (Tag ? Tag : Location.getTag()));
201  }
202 
203  /// Generate a transition to a node that will be used to report
204  /// an error. This node will not be a sink. That is, exploration will
205  /// continue along this path.
206  ///
207  /// @param State The state of the generated node.
208  /// @param Tag The tag to uniquely identify the creation site. If null,
209  /// the default tag for the checker will be used.
210  ExplodedNode *
212  const ProgramPointTag *Tag = nullptr) {
213  return addTransition(State, (Tag ? Tag : Location.getTag()));
214  }
215 
216  /// Emit the diagnostics report.
void emitReport(std::unique_ptr<BugReport> R) {
  // Issuing a report counts as a change made by the checker (see
  // isDifferent()), so record that before handing the report over.
  Changed = true;
  BugReporter &Reporter = Eng.getBugReporter();
  // Ownership of the report passes to the engine's BugReporter.
  Reporter.emitReport(std::move(R));
}
221 
222  /// Produce a program point tag that displays an additional path note
223  /// to the user. This is a lightweight alternative to the
224  /// BugReporterVisitor mechanism: instead of visiting the bug report
225  /// node-by-node to restore the sequence of events that led to discovering
226  /// a bug, you can add notes as you add your transitions.
227  ///
228  /// @param Cb Callback with 'BugReporterContext &, BugReport &' parameters.
229  /// @param IsPrunable Whether the note is prunable. It allows BugReporter
230  /// to omit the note from the report if it would make the displayed
231  /// bug path significantly shorter.
const NoteTag *getNoteTag(NoteTag::Callback &&Cb, bool IsPrunable = false) {
  // Tags are created by the engine's NoteTag factory; the callback is moved
  // into it rather than copied.
  auto &Tags = Eng.getNoteTags();
  return Tags.makeNoteTag(std::move(Cb), IsPrunable);
}
235 
236  /// A shorthand version of getNoteTag that doesn't require you to accept
237  /// the 'BugReporterContext' argument when you don't need it.
238  ///
239  /// @param Cb Callback only with 'BugReport &' parameter.
240  /// @param IsPrunable Whether the note is prunable. It allows BugReporter
241  /// to omit the note from the report if it would make the displayed
242  /// bug path significantly shorter.
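const NoteTag *getNoteTag(std::function<std::string(BugReport &)> &&Cb,
                          bool IsPrunable = false) {
  // Cb is received as an rvalue, so move it into the adapter closure instead
  // of copying the std::function (a copy may allocate). The adapter only
  // drops the BugReporterContext argument the caller did not ask for.
  return getNoteTag(
      [Cb = std::move(Cb)](BugReporterContext &, BugReport &BR) {
        return Cb(BR);
      },
      IsPrunable);
}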
249 
250  /// A shorthand version of getNoteTag that doesn't require you to accept
251  /// the arguments when you don't need it.
252  ///
253  /// @param Cb Callback without parameters.
254  /// @param IsPrunable Whether the note is prunable. It allows BugReporter
255  /// to omit the note from the report if it would make the displayed
256  /// bug path significantly shorter.
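const NoteTag *getNoteTag(std::function<std::string()> &&Cb,
                          bool IsPrunable = false) {
  // Cb is received as an rvalue, so move it into the adapter closure instead
  // of copying the std::function (a copy may allocate). The adapter ignores
  // both arguments and simply invokes the caller's nullary callback.
  return getNoteTag(
      [Cb = std::move(Cb)](BugReporterContext &, BugReport &) { return Cb(); },
      IsPrunable);
}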
262 
263  /// A shorthand version of getNoteTag that accepts a plain note.
264  ///
265  /// @param Note The note.
266  /// @param IsPrunable Whether the note is prunable. It allows BugReporter
267  /// to omit the note from the report if it would make the displayed
268  /// bug path significantly shorter.
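const NoteTag *getNoteTag(StringRef Note, bool IsPrunable = false) {
  // StringRef is a non-owning view. The closure below is stored inside the
  // tag and is presumably invoked after this call returns, when the report
  // is assembled (TODO confirm against BugReporter). Capturing the view
  // itself would leave the closure reading freed memory whenever the caller
  // passed a temporary or a stack buffer, so the closure keeps its own
  // std::string copy of the text.
  return getNoteTag(
      [Text = Note.str()](BugReporterContext &, BugReport &) { return Text; },
      IsPrunable);
}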
273 
274  /// Returns the word that should be used to refer to the declaration
275  /// in the report.
276  StringRef getDeclDescription(const Decl *D);
277 
278  /// Get the declaration of the called function (path-sensitive).
279  const FunctionDecl *getCalleeDecl(const CallExpr *CE) const;
280 
281  /// Get the name of the called function (path-sensitive).
282  StringRef getCalleeName(const FunctionDecl *FunDecl) const;
283 
284  /// Get the identifier of the called function (path-sensitive).
const IdentifierInfo *getCalleeIdentifier(const CallExpr *CE) const {
  // getCalleeDecl() may return null; in that case there is no identifier to
  // report and null is returned instead of dereferencing.
  const FunctionDecl *Callee = getCalleeDecl(CE);
  return Callee ? Callee->getIdentifier() : nullptr;
}
292 
293  /// Get the name of the called function (path-sensitive).
StringRef getCalleeName(const CallExpr *CE) const {
  // Resolve the declaration first, then reuse the FunctionDecl overload. The
  // declaration is passed through unchecked, so that overload sees a null
  // pointer if resolution failed.
  return getCalleeName(getCalleeDecl(CE));
}
298 
299  /// Returns true if the callee is an externally-visible function in the
300  /// top-level namespace, such as \c malloc.
301  ///
302  /// If a name is provided, the function must additionally match the given
303  /// name.
304  ///
305  /// Note that this deliberately excludes C++ library functions in the \c std
306  /// namespace, but will include C library functions accessed through the
307  /// \c std namespace. This also does not check if the function is declared
308  /// as 'extern "C"', or if it uses C++ name mangling.
309  static bool isCLibraryFunction(const FunctionDecl *FD,
310  StringRef Name = StringRef());
311 
312  /// Depending on whether the location corresponds to a macro, return
313  /// either the macro name or the token spelling.
314  ///
315  /// This could be useful when checkers' logic depends on whether a function
316  /// is called with a given macro argument. For example:
317  /// s = socket(AF_INET,..)
318  /// If AF_INET is a macro, the result should be treated as a source of taint.
319  ///
320  /// \sa clang::Lexer::getSpelling(), clang::Lexer::getImmediateMacroName().
322 
323 private:
ExplodedNode *addTransitionImpl(ProgramStateRef State,
                                bool MarkAsSink,
                                ExplodedNode *P = nullptr,
                                const ProgramPointTag *Tag = nullptr) {
  // Shared implementation behind addTransition() and generateSink().
  //
  // A null state never produces a node; the predecessor is returned as is.
  if (!State)
    return Pred;

  // Defensive guard for checker API clients. The analyzer may stop exploring
  // when it reaches a state it has already visited ("cache out"). A request
  // for a transition to the predecessor's own state, with no tag and no sink
  // marking, is assumed to be a client mistake, so the predecessor is
  // returned instead of caching out.
  //
  // TODO: This return could become an assertion to alert clients to their
  // mistake, but several checkers (including DereferenceChecker,
  // CallAndMessageChecker, and DynamicTypePropagation) rely on the defensive
  // behavior and would need to be updated first.
  if (State == Pred->getState() && !Tag && !MarkAsSink)
    return Pred;

  // From here on a node is requested, which counts as a change by the
  // checker (see isDifferent()).
  Changed = true;

  // Use the caller's tag when one was given, otherwise the context's own
  // tagged location.
  const ProgramPoint &LocalLoc = (Tag ? Location.withTag(Tag) : Location);

  // Fall back to the context's predecessor when none was supplied.
  ExplodedNode *From = P ? P : Pred;

  return MarkAsSink ? NB.generateSink(LocalLoc, State, From)
                    : NB.generateNode(LocalLoc, State, From);
}
355 };
356 
357 } // end GR namespace
358 
359 } // end clang namespace
360 
361 #endif
Represents a function declaration or definition.
Definition: Decl.h:1756
StringRef getCalleeName(const CallExpr *CE) const
Get the name of the called function (path-sensitive).
const NoteTag * getNoteTag(NoteTag::Callback &&Cb, bool IsPrunable=false)
Produce a program point tag that displays an additional path note to the user.
SymbolManager & getSymbolManager()
Definition: SValBuilder.h:171
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:94
ExplodedNode * generateErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
unsigned blockCount() const
Returns the number of times the current basic block has been visited on the exploded graph path...
Definition: CoreEngine.h:220
Stmt - This represents one statement.
Definition: Stmt.h:66
const NoteTag * makeNoteTag(Callback &&Cb, bool IsPrunable=false)
Definition: BugReporter.h:764
unsigned getBlockID() const
Definition: CFG.h:1075
ExplodedNode * addTransition(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generates a new transition in the program state graph (ExplodedGraph).
Decl - This represents one declaration (or definition), e.g.
Definition: DeclBase.h:88
StringRef P
ProgramPoint withTag(const ProgramPointTag *tag) const
Create a new ProgramPoint object that is the same as the original except for using the specified tag ...
Definition: ProgramPoint.h:132
StringRef getDeclDescription(const Decl *D)
Returns the word that should be used to refer to the declaration in the report.
AnalysisManager & getAnalysisManager()
const ProgramStateRef & getState() const
CheckerContext(NodeBuilder &builder, ExprEngine &eng, ExplodedNode *pred, const ProgramPoint &loc, bool wasInlined=false)
const FunctionDecl * getCalleeDecl(const CallExpr *CE) const
Get the declaration of the called function (path-sensitive).
ExplodedNode * getPredecessor()
Returns the previous node in the exploded graph, which includes the state of the program before the c...
SVal getSVal(const Stmt *S) const
Get the value of arbitrary expressions at this point in the path.
const bool wasInlined
If we are post visiting a call, this flag will be set if the call was inlined.
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:269
StringRef getCalleeName(const FunctionDecl *FunDecl) const
Get the name of the called function (path-sensitive).
One of these records is kept for each identifier that is lexed.
virtual void emitReport(std::unique_ptr< BugReport > R)
Add the given report to the set of reports tracked by BugReporter.
bool isGreaterOrEqual(const Expr *E, unsigned long long Val)
Returns true if the value of E is greater than or equal to Val under unsigned comparison.
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:160
LineState State
AnalysisDeclContext contains the context data for the function or method under analysis.
std::function< std::string(BugReporterContext &, BugReport &)> Callback
Definition: BugReporter.h:725
Represents a program point after a store evaluation.
Definition: ProgramPoint.h:431
Keeps track of the various options that can be enabled, which controls the dialect of C or C++ that i...
Definition: LangOptions.h:49
BugReporter & getBugReporter()
NoteTag::Factory & getNoteTags()
Definition: ExprEngine.h:400
ProgramStateManager & getStateManager()
const LocationContext * getLocationContext() const
virtual bool inTopFrame() const
Return true if the current LocationContext has no caller context.
const NoteTag * getNoteTag(std::function< std::string(BugReport &)> &&Cb, bool IsPrunable=false)
A shorthand version of getNoteTag that doesn't require you to accept the 'BugReporterContext' argumen...
RangeSelector node(std::string ID)
Selects a node, including trailing semicolon (for non-expression statements).
const IdentifierInfo * getCalleeIdentifier(const CallExpr *CE) const
Get the identifier of the called function (path-sensitive).
const SourceManager & getSourceManager()
ExplodedNode * generateSink(const ProgramPoint &PP, ProgramStateRef State, ExplodedNode *Pred)
Generates a sink in the ExplodedGraph.
Definition: CoreEngine.h:300
This represents one expression.
Definition: Expr.h:108
static bool isCLibraryFunction(const FunctionDecl *FD, StringRef Name=StringRef())
Returns true if the callee is an externally-visible function in the top-level namespace, such as malloc.
This is the simplest builder which generates nodes in the ExplodedGraph.
Definition: CoreEngine.h:236
ExplodedNode * addTransition(ProgramStateRef State, ExplodedNode *Pred, const ProgramPointTag *Tag=nullptr)
Generates a new transition with the given predecessor.
SymbolManager & getSymbolManager()
ASTContext & getContext() const
getContext - Return the ASTContext associated with this analysis.
Definition: ExprEngine.h:182
ExplodedNode * generateNonFatalErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
The tag upon which the TagVisitor reacts.
Definition: BugReporter.h:722
ConstraintManager & getConstraintManager()
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
const NoteTag * getNoteTag(std::function< std::string()> &&Cb, bool IsPrunable=false)
A shorthand version of getNoteTag that doesn't require you to accept the arguments when you don't nee...
BugReporter is a utility class for generating PathDiagnostics for analysis.
Definition: BugReporter.h:576
#define false
Definition: stdbool.h:17
StoreManager & getStoreManager()
Encodes a location in the source.
ExplodedNode * generateSink(ProgramStateRef State, ExplodedNode *Pred, const ProgramPointTag *Tag=nullptr)
Generate a sink node.
ProgramPoints can be "tagged" as representing points specific to a given analysis entity...
Definition: ProgramPoint.h:39
AnalysisManager & getAnalysisManager() override
Definition: ExprEngine.h:184
ProgramPoint getLocation() const
getLocation - Returns the edge associated with the given node.
SVal - This represents a symbolic expression, which can be either an L-value or an R-value...
Definition: SVals.h:75
BugReporter & getBugReporter()
Definition: ExprEngine.h:196
SVal getSVal(const Stmt *S) const
Get the value of an arbitrary expression at this node.
unsigned blockCount() const
Returns the number of times the current block has been visited along the analyzed path...
unsigned getBlockID() const
Get the blockID.
Dataflow Directional Tag Classes.
SValBuilder & getSValBuilder()
Definition: ExprEngine.h:194
StoreManager & getStoreManager()
Definition: ExprEngine.h:386
const NodeBuilderContext & getContext()
Definition: CoreEngine.h:326
const NoteTag * getNoteTag(StringRef Note, bool IsPrunable=false)
A shorthand version of getNoteTag that accepts a plain note.
StringRef getMacroNameOrSpelling(SourceLocation &Loc)
Depending on whether the location corresponds to a macro, return either the macro name or the token sp...
const ProgramPointTag * getTag() const
Definition: ProgramPoint.h:177
ProgramStateManager & getStateManager() override
Definition: ExprEngine.h:384
const StackFrameContext * getStackFrame() const
const ProgramStateRef & getState() const
bool isNegative(const Expr *E)
Returns true if the value of E is negative.
ExplodedNode * generateNode(const ProgramPoint &PP, ProgramStateRef State, ExplodedNode *Pred)
Generates a node in the ExplodedGraph.
Definition: CoreEngine.h:289
AnalysisDeclContext * getCurrentAnalysisDeclContext() const
SValBuilder & getSValBuilder()
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2516
static const MemRegion * getLocationRegionIfPostStore(const ExplodedNode *N)
If the given node corresponds to a PostStore program point, retrieve the location region as it was ut...
const StackFrameContext * getStackFrame() const
Optional< T > getAs() const
Convert to the specified ProgramPoint type, returning None if this ProgramPoint is not of the desired...
Definition: ProgramPoint.h:151
This class provides an interface through which checkers can create individual bug reports...
Definition: BugReporter.h:119
ConstraintManager & getConstraintManager()
Definition: ExprEngine.h:388
bool inTopFrame() const
Return true if the current LocationContext has no caller context.
AnalysisDeclContext * getAnalysisDeclContext() const
const LocationContext * getLocationContext() const
bool isDifferent()
Check if the checker changed the state of the execution; ex: added a new transition or a bug report...
const LangOptions & getLangOpts() const
Definition: ASTContext.h:720
This class handles loading and caching of source files into memory.
const CFGBlock * getBlock() const
Return the CFGBlock associated with this builder.
Definition: CoreEngine.h:216
const LangOptions & getLangOpts() const
const SourceManager & getSourceManager()
Definition: BugReporter.h:607