clang  7.0.0svn
CheckerDocumentation.cpp
Go to the documentation of this file.
1 //===- CheckerDocumentation.cpp - Documentation checker ---------*- C++ -*-===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This checker lists all the checker callbacks and provides documentation for
11 // checker writers.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
21 
22 using namespace clang;
23 using namespace ento;
24 
25 // All checkers should be placed into anonymous namespace.
26 // We place the CheckerDocumentation inside ento namespace to make the
27 // it visible in doxygen.
28 namespace clang {
29 namespace ento {
30 
31 /// This checker documents the callback functions checkers can use to implement
32 /// the custom handling of the specific events during path exploration as well
33 /// as reporting bugs. Most of the callbacks are targeted at path-sensitive
34 /// checking.
35 ///
36 /// \sa CheckerContext
37 class CheckerDocumentation : public Checker< check::PreStmt<ReturnStmt>,
38  check::PostStmt<DeclStmt>,
39  check::PreObjCMessage,
40  check::PostObjCMessage,
41  check::ObjCMessageNil,
42  check::PreCall,
43  check::PostCall,
44  check::BranchCondition,
45  check::NewAllocator,
46  check::Location,
47  check::Bind,
48  check::DeadSymbols,
49  check::BeginFunction,
50  check::EndFunction,
51  check::EndAnalysis,
52  check::EndOfTranslationUnit,
53  eval::Call,
54  eval::Assume,
55  check::LiveSymbols,
56  check::RegionChanges,
57  check::PointerEscape,
58  check::ConstPointerEscape,
59  check::Event<ImplicitNullDerefEvent>,
60  check::ASTDecl<FunctionDecl> > {
61 public:
62  /// Pre-visit the Statement.
63  ///
64  /// The method will be called before the analyzer core processes the
65  /// statement. The notification is performed for every explored CFGElement,
66  /// which does not include the control flow statements such as IfStmt. The
67  /// callback can be specialized to be called with any subclass of Stmt.
68  ///
69  /// See checkBranchCondition() callback for performing custom processing of
70  /// the branching statements.
71  ///
72  /// check::PreStmt<ReturnStmt>
73  void checkPreStmt(const ReturnStmt *DS, CheckerContext &C) const {}
74 
75  /// Post-visit the Statement.
76  ///
77  /// The method will be called after the analyzer core processes the
78  /// statement. The notification is performed for every explored CFGElement,
79  /// which does not include the control flow statements such as IfStmt. The
80  /// callback can be specialized to be called with any subclass of Stmt.
81  ///
82  /// check::PostStmt<DeclStmt>
83  void checkPostStmt(const DeclStmt *DS, CheckerContext &C) const;
84 
85  /// Pre-visit the Objective C message.
86  ///
87  /// This will be called before the analyzer core processes the method call.
88  /// This is called for any action which produces an Objective-C message send,
89  /// including explicit message syntax and property access.
90  ///
91  /// check::PreObjCMessage
93 
94  /// Post-visit the Objective C message.
95  /// \sa checkPreObjCMessage()
96  ///
97  /// check::PostObjCMessage
99 
100  /// Visit an Objective-C message whose receiver is nil.
101  ///
102  /// This will be called when the analyzer core processes a method call whose
103  /// receiver is definitely nil. In this case, check{Pre/Post}ObjCMessage and
104  /// check{Pre/Post}Call will not be called.
105  ///
106  /// check::ObjCMessageNil
108 
109  /// Pre-visit an abstract "call" event.
110  ///
111  /// This is used for checkers that want to check arguments or attributed
112  /// behavior for functions and methods no matter how they are being invoked.
113  ///
114  /// Note that this includes ALL cross-body invocations, so if you want to
115  /// limit your checks to, say, function calls, you should test for that at the
116  /// beginning of your callback function.
117  ///
118  /// check::PreCall
119  void checkPreCall(const CallEvent &Call, CheckerContext &C) const {}
120 
121  /// Post-visit an abstract "call" event.
122  /// \sa checkPreObjCMessage()
123  ///
124  /// check::PostCall
125  void checkPostCall(const CallEvent &Call, CheckerContext &C) const {}
126 
127  /// Pre-visit of the condition statement of a branch (such as IfStmt).
128  void checkBranchCondition(const Stmt *Condition, CheckerContext &Ctx) const {}
129 
130  /// Post-visit the C++ operator new's allocation call.
131  ///
132  /// Execution of C++ operator new consists of the following phases: (1) call
133  /// default or overridden operator new() to allocate memory (2) cast the
134  /// return value of operator new() from void pointer type to class pointer
135  /// type, (3) assuming that the value is non-null, call the object's
136  /// constructor over this pointer, (4) declare that the value of the
137  /// new-expression is this pointer. This callback is called between steps
138  /// (2) and (3). Post-call for the allocator is called after step (1).
139  /// Pre-statement for the new-expression is called on step (4) when the value
140  /// of the expression is evaluated.
141  /// \param NE The C++ new-expression that triggered the allocation.
142  /// \param Target The allocated region, casted to the class type.
143  void checkNewAllocator(const CXXNewExpr *NE, SVal Target,
144  CheckerContext &) const {}
145 
146  /// Called on a load from and a store to a location.
147  ///
148  /// The method will be called each time a location (pointer) value is
149  /// accessed.
150  /// \param Loc The value of the location (pointer).
151  /// \param IsLoad The flag specifying if the location is a store or a load.
152  /// \param S The load is performed while processing the statement.
153  ///
154  /// check::Location
155  void checkLocation(SVal Loc, bool IsLoad, const Stmt *S,
156  CheckerContext &) const {}
157 
158  /// Called on binding of a value to a location.
159  ///
160  /// \param Loc The value of the location (pointer).
161  /// \param Val The value which will be stored at the location Loc.
162  /// \param S The bind is performed while processing the statement S.
163  ///
164  /// check::Bind
165  void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &) const {}
166 
167  /// Called whenever a symbol becomes dead.
168  ///
169  /// This callback should be used by the checkers to aggressively clean
170  /// up/reduce the checker state, which is important for reducing the overall
171  /// memory usage. Specifically, if a checker keeps symbol specific information
172  /// in the sate, it can and should be dropped after the symbol becomes dead.
173  /// In addition, reporting a bug as soon as the checker becomes dead leads to
174  /// more precise diagnostics. (For example, one should report that a malloced
175  /// variable is not freed right after it goes out of scope.)
176  ///
177  /// \param SR The SymbolReaper object can be queried to determine which
178  /// symbols are dead.
179  ///
180  /// check::DeadSymbols
182 
183 
184  /// Called when the analyzer core starts analyzing a function,
185  /// regardless of whether it is analyzed at the top level or is inlined.
186  ///
187  /// check::BeginFunction
188  void checkBeginFunction(CheckerContext &Ctx) const {}
189 
190  /// Called when the analyzer core reaches the end of a
191  /// function being analyzed regardless of whether it is analyzed at the top
192  /// level or is inlined.
193  ///
194  /// check::EndFunction
195  void checkEndFunction(CheckerContext &Ctx) const {}
196 
197  /// Called after all the paths in the ExplodedGraph reach end of path
198  /// - the symbolic execution graph is fully explored.
199  ///
200  /// This callback should be used in cases when a checker needs to have a
201  /// global view of the information generated on all paths. For example, to
202  /// compare execution summary/result several paths.
203  /// See IdempotentOperationChecker for a usage example.
204  ///
205  /// check::EndAnalysis
207  BugReporter &BR,
208  ExprEngine &Eng) const {}
209 
210  /// Called after analysis of a TranslationUnit is complete.
211  ///
212  /// check::EndOfTranslationUnit
214  AnalysisManager &Mgr,
215  BugReporter &BR) const {}
216 
217  /// Evaluates function call.
218  ///
219  /// The analysis core threats all function calls in the same way. However, some
220  /// functions have special meaning, which should be reflected in the program
221  /// state. This callback allows a checker to provide domain specific knowledge
222  /// about the particular functions it knows about.
223  ///
224  /// \returns true if the call has been successfully evaluated
225  /// and false otherwise. Note, that only one checker can evaluate a call. If
226  /// more than one checker claims that they can evaluate the same call the
227  /// first one wins.
228  ///
229  /// eval::Call
230  bool evalCall(const CallExpr *CE, CheckerContext &C) const { return true; }
231 
232  /// Handles assumptions on symbolic values.
233  ///
234  /// This method is called when a symbolic expression is assumed to be true or
235  /// false. For example, the assumptions are performed when evaluating a
236  /// condition at a branch. The callback allows checkers track the assumptions
237  /// performed on the symbols of interest and change the state accordingly.
238  ///
239  /// eval::Assume
241  SVal Cond,
242  bool Assumption) const { return State; }
243 
244  /// Allows modifying SymbolReaper object. For example, checkers can explicitly
245  /// register symbols of interest as live. These symbols will not be marked
246  /// dead and removed.
247  ///
248  /// check::LiveSymbols
250 
251  /// Called when the contents of one or more regions change.
252  ///
253  /// This can occur in many different ways: an explicit bind, a blanket
254  /// invalidation of the region contents, or by passing a region to a function
255  /// call whose behavior the analyzer cannot model perfectly.
256  ///
257  /// \param State The current program state.
258  /// \param Invalidated A set of all symbols potentially touched by the change.
259  /// \param ExplicitRegions The regions explicitly requested for invalidation.
260  /// For a function call, this would be the arguments. For a bind, this
261  /// would be the region being bound to.
262  /// \param Regions The transitive closure of regions accessible from,
263  /// \p ExplicitRegions, i.e. all regions that may have been touched
264  /// by this change. For a simple bind, this list will be the same as
265  /// \p ExplicitRegions, since a bind does not affect the contents of
266  /// anything accessible through the base region.
267  /// \param LCtx LocationContext that is useful for getting various contextual
268  /// info, like callstack, CFG etc.
269  /// \param Call The opaque call triggering this invalidation. Will be 0 if the
270  /// change was not triggered by a call.
271  ///
272  /// check::RegionChanges
275  const InvalidatedSymbols *Invalidated,
276  ArrayRef<const MemRegion *> ExplicitRegions,
278  const LocationContext *LCtx,
279  const CallEvent *Call) const {
280  return State;
281  }
282 
283  /// Called when pointers escape.
284  ///
285  /// This notifies the checkers about pointer escape, which occurs whenever
286  /// the analyzer cannot track the symbol any more. For example, as a
287  /// result of assigning a pointer into a global or when it's passed to a
288  /// function call the analyzer cannot model.
289  ///
290  /// \param State The state at the point of escape.
291  /// \param Escaped The list of escaped symbols.
292  /// \param Call The corresponding CallEvent, if the symbols escape as
293  /// parameters to the given call.
294  /// \param Kind How the symbols have escaped.
295  /// \returns Checkers can modify the state by returning a new state.
297  const InvalidatedSymbols &Escaped,
298  const CallEvent *Call,
299  PointerEscapeKind Kind) const {
300  return State;
301  }
302 
303  /// Called when const pointers escape.
304  ///
305  /// Note: in most cases checkPointerEscape callback is sufficient.
306  /// \sa checkPointerEscape
308  const InvalidatedSymbols &Escaped,
309  const CallEvent *Call,
310  PointerEscapeKind Kind) const {
311  return State;
312  }
313 
314  /// check::Event<ImplicitNullDerefEvent>
315  void checkEvent(ImplicitNullDerefEvent Event) const {}
316 
317  /// Check every declaration in the AST.
318  ///
319  /// An AST traversal callback, which should only be used when the checker is
320  /// not path sensitive. It will be called for every Declaration in the AST and
321  /// can be specialized to only be called on subclasses of Decl, for example,
322  /// FunctionDecl.
323  ///
324  /// check::ASTDecl<FunctionDecl>
325  void checkASTDecl(const FunctionDecl *D,
326  AnalysisManager &Mgr,
327  BugReporter &BR) const {}
328 };
329 
331  CheckerContext &C) const {
332 }
333 
334 } // end namespace ento
335 } // end namespace clang
Represents a function declaration or definition.
Definition: Decl.h:1714
void checkASTDecl(const FunctionDecl *D, AnalysisManager &Mgr, BugReporter &BR) const
Check every declaration in the AST.
void checkObjCMessageNil(const ObjCMethodCall &M, CheckerContext &C) const
Visit an Objective-C message whose receiver is nil.
Stmt - This represents one statement.
Definition: Stmt.h:66
This checker documents the callback functions checkers can use to implement the custom handling of th...
void checkEndAnalysis(ExplodedGraph &G, BugReporter &BR, ExprEngine &Eng) const
Called after all the paths in the ExplodedGraph reach end of path.
void checkPreStmt(const ReturnStmt *DS, CheckerContext &C) const
Pre-visit the Statement.
void checkLocation(SVal Loc, bool IsLoad, const Stmt *S, CheckerContext &) const
Called on a load from and a store to a location.
ProgramStateRef checkPointerEscape(ProgramStateRef State, const InvalidatedSymbols &Escaped, const CallEvent *Call, PointerEscapeKind Kind) const
Called when pointers escape.
LineState State
void checkEndOfTranslationUnit(const TranslationUnitDecl *TU, AnalysisManager &Mgr, BugReporter &BR) const
Called after analysis of a TranslationUnit is complete.
Represents any expression that calls an Objective-C method.
Definition: CallEvent.h:892
void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &) const
Called on binding of a value to a location.
void checkBranchCondition(const Stmt *Condition, CheckerContext &Ctx) const
Pre-visit of the condition statement of a branch (such as IfStmt).
We dereferenced a location that may be null.
Definition: Checker.h:552
void checkBeginFunction(CheckerContext &Ctx) const
Called when the analyzer core starts analyzing a function, regardless of whether it is analyzed at th...
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const
Called whenever a symbol becomes dead.
bool evalCall(const CallExpr *CE, CheckerContext &C) const
Evaluates function call.
void checkEndFunction(CheckerContext &Ctx) const
Called when the analyzer core reaches the end of a function being analyzed regardless of whether it i...
ReturnStmt - This represents a return, optionally of an expression: return; return 4;...
Definition: Stmt.h:1433
BugReporter is a utility class for generating PathDiagnostics for analysis.
Definition: BugReporter.h:409
Kind
Represents a new-expression for memory allocation and constructor calls, e.g: "new CXXNewExpr(foo)"...
Definition: ExprCXX.h:1845
DeclStmt - Adaptor class for mixing declarations with statements and expressions. ...
Definition: Stmt.h:499
void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const
Allows modifying SymbolReaper object.
SVal - This represents a symbolic expression, which can be either an L-value or an R-value...
Definition: SVals.h:76
void checkPreCall(const CallEvent &Call, CheckerContext &C) const
Pre-visit an abstract "call" event.
A class responsible for cleaning up unused symbols.
ProgramStateRef checkConstPointerEscape(ProgramStateRef State, const InvalidatedSymbols &Escaped, const CallEvent *Call, PointerEscapeKind Kind) const
Called when const pointers escape.
void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const
Pre-visit the Objective C message.
Dataflow Directional Tag Classes.
void checkPostCall(const CallEvent &Call, CheckerContext &C) const
Post-visit an abstract "call" event.
void checkPostStmt(const DeclStmt *DS, CheckerContext &C) const
Post-visit the Statement.
ProgramStateRef evalAssume(ProgramStateRef State, SVal Cond, bool Assumption) const
Handles assumptions on symbolic values.
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:164
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const
Post-visit the Objective C message.
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2283
ProgramStateRef checkRegionChanges(ProgramStateRef State, const InvalidatedSymbols *Invalidated, ArrayRef< const MemRegion *> ExplicitRegions, ArrayRef< const MemRegion *> Regions, const LocationContext *LCtx, const CallEvent *Call) const
Called when the contents of one or more regions change.
The top declaration context.
Definition: Decl.h:107
void checkEvent(ImplicitNullDerefEvent Event) const
check::Event<ImplicitNullDerefEvent>
void checkNewAllocator(const CXXNewExpr *NE, SVal Target, CheckerContext &) const
Post-visit the C++ operator new&#39;s allocation call.