clang  3.9.0svn
CheckerDocumentation.cpp
Go to the documentation of this file.
00001 //===- CheckerDocumentation.cpp - Documentation checker ---------*- C++ -*-===//
00002 //
00003 //                     The LLVM Compiler Infrastructure
00004 //
00005 // This file is distributed under the University of Illinois Open Source
00006 // License. See LICENSE.TXT for details.
00007 //
00008 //===----------------------------------------------------------------------===//
00009 //
00010 // This checker lists all the checker callbacks and provides documentation for
00011 // checker writers.
00012 //
00013 //===----------------------------------------------------------------------===//
00014 
00015 #include "ClangSACheckers.h"
00016 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
00017 #include "clang/StaticAnalyzer/Core/Checker.h"
00018 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
00019 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
00020 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
00021 
00022 using namespace clang;
00023 using namespace ento;
00024 
00025 // All checkers should be placed into anonymous namespace.
00026 // We place the CheckerDocumentation inside ento namespace to make the
00027 // it visible in doxygen.
00028 namespace clang {
00029 namespace ento {
00030 
00031 /// This checker documents the callback functions checkers can use to implement
00032 /// the custom handling of the specific events during path exploration as well
00033 /// as reporting bugs. Most of the callbacks are targeted at path-sensitive
00034 /// checking.
00035 ///
00036 /// \sa CheckerContext
00037 class CheckerDocumentation : public Checker< check::PreStmt<ReturnStmt>,
00038                                        check::PostStmt<DeclStmt>,
00039                                        check::PreObjCMessage,
00040                                        check::PostObjCMessage,
00041                                        check::ObjCMessageNil,
00042                                        check::PreCall,
00043                                        check::PostCall,
00044                                        check::BranchCondition,
00045                                        check::Location,
00046                                        check::Bind,
00047                                        check::DeadSymbols,
00048                                        check::EndFunction,
00049                                        check::EndAnalysis,
00050                                        check::EndOfTranslationUnit,
00051                                        eval::Call,
00052                                        eval::Assume,
00053                                        check::LiveSymbols,
00054                                        check::RegionChanges,
00055                                        check::PointerEscape,
00056                                        check::ConstPointerEscape,
00057                                        check::Event<ImplicitNullDerefEvent>,
00058                                        check::ASTDecl<FunctionDecl> > {
00059 public:
00060   /// \brief Pre-visit the Statement.
00061   ///
00062   /// The method will be called before the analyzer core processes the
00063   /// statement. The notification is performed for every explored CFGElement,
00064   /// which does not include the control flow statements such as IfStmt. The
00065   /// callback can be specialized to be called with any subclass of Stmt.
00066   ///
00067   /// See checkBranchCondition() callback for performing custom processing of
00068   /// the branching statements.
00069   ///
00070   /// check::PreStmt<ReturnStmt>
00071   void checkPreStmt(const ReturnStmt *DS, CheckerContext &C) const {}
00072 
00073   /// \brief Post-visit the Statement.
00074   ///
00075   /// The method will be called after the analyzer core processes the
00076   /// statement. The notification is performed for every explored CFGElement,
00077   /// which does not include the control flow statements such as IfStmt. The
00078   /// callback can be specialized to be called with any subclass of Stmt.
00079   ///
00080   /// check::PostStmt<DeclStmt>
00081   void checkPostStmt(const DeclStmt *DS, CheckerContext &C) const;
00082 
00083   /// \brief Pre-visit the Objective C message.
00084   ///
00085   /// This will be called before the analyzer core processes the method call.
00086   /// This is called for any action which produces an Objective-C message send,
00087   /// including explicit message syntax and property access.
00088   ///
00089   /// check::PreObjCMessage
00090   void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const {}
00091 
00092   /// \brief Post-visit the Objective C message.
00093   /// \sa checkPreObjCMessage()
00094   ///
00095   /// check::PostObjCMessage
00096   void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const {}
00097 
00098   /// \brief Visit an Objective-C message whose receiver is nil.
00099   ///
00100   /// This will be called when the analyzer core processes a method call whose
00101   /// receiver is definitely nil. In this case, check{Pre/Post}ObjCMessage and
00102   /// check{Pre/Post}Call will not be called.
00103   ///
00104   /// check::ObjCMessageNil
00105   void checkObjCMessageNil(const ObjCMethodCall &M, CheckerContext &C) const {}
00106 
00107   /// \brief Pre-visit an abstract "call" event.
00108   ///
00109   /// This is used for checkers that want to check arguments or attributed
00110   /// behavior for functions and methods no matter how they are being invoked.
00111   ///
00112   /// Note that this includes ALL cross-body invocations, so if you want to
00113   /// limit your checks to, say, function calls, you should test for that at the
00114   /// beginning of your callback function.
00115   ///
00116   /// check::PreCall
00117   void checkPreCall(const CallEvent &Call, CheckerContext &C) const {}
00118 
00119   /// \brief Post-visit an abstract "call" event.
00120   /// \sa checkPreObjCMessage()
00121   ///
00122   /// check::PostCall
00123   void checkPostCall(const CallEvent &Call, CheckerContext &C) const {}
00124 
00125   /// \brief Pre-visit of the condition statement of a branch (such as IfStmt).
00126   void checkBranchCondition(const Stmt *Condition, CheckerContext &Ctx) const {}
00127 
00128   /// \brief Called on a load from and a store to a location.
00129   ///
00130   /// The method will be called each time a location (pointer) value is
00131   /// accessed.
00132   /// \param Loc    The value of the location (pointer).
00133   /// \param IsLoad The flag specifying if the location is a store or a load.
00134   /// \param S      The load is performed while processing the statement.
00135   ///
00136   /// check::Location
00137   void checkLocation(SVal Loc, bool IsLoad, const Stmt *S,
00138                      CheckerContext &) const {}
00139 
00140   /// \brief Called on binding of a value to a location.
00141   ///
00142   /// \param Loc The value of the location (pointer).
00143   /// \param Val The value which will be stored at the location Loc.
00144   /// \param S   The bind is performed while processing the statement S.
00145   ///
00146   /// check::Bind
00147   void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &) const {}
00148 
00149   /// \brief Called whenever a symbol becomes dead.
00150   ///
00151   /// This callback should be used by the checkers to aggressively clean
00152   /// up/reduce the checker state, which is important for reducing the overall
00153   /// memory usage. Specifically, if a checker keeps symbol specific information
00154   /// in the sate, it can and should be dropped after the symbol becomes dead.
00155   /// In addition, reporting a bug as soon as the checker becomes dead leads to
00156   /// more precise diagnostics. (For example, one should report that a malloced
00157   /// variable is not freed right after it goes out of scope.)
00158   ///
00159   /// \param SR The SymbolReaper object can be queried to determine which
00160   ///           symbols are dead.
00161   ///
00162   /// check::DeadSymbols
00163   void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const {}
00164 
00165   /// \brief Called when the analyzer core reaches the end of a
00166   /// function being analyzed.
00167   ///
00168   /// check::EndFunction
00169   void checkEndFunction(CheckerContext &Ctx) const {}
00170 
00171   /// \brief Called after all the paths in the ExplodedGraph reach end of path
00172   /// - the symbolic execution graph is fully explored.
00173   ///
00174   /// This callback should be used in cases when a checker needs to have a
00175   /// global view of the information generated on all paths. For example, to
00176   /// compare execution summary/result several paths.
00177   /// See IdempotentOperationChecker for a usage example.
00178   ///
00179   /// check::EndAnalysis
00180   void checkEndAnalysis(ExplodedGraph &G,
00181                         BugReporter &BR,
00182                         ExprEngine &Eng) const {}
00183 
00184   /// \brief Called after analysis of a TranslationUnit is complete.
00185   ///
00186   /// check::EndOfTranslationUnit
00187   void checkEndOfTranslationUnit(const TranslationUnitDecl *TU,
00188                                  AnalysisManager &Mgr,
00189                                  BugReporter &BR) const {}
00190 
00191   /// \brief Evaluates function call.
00192   ///
00193   /// The analysis core threats all function calls in the same way. However, some
00194   /// functions have special meaning, which should be reflected in the program
00195   /// state. This callback allows a checker to provide domain specific knowledge
00196   /// about the particular functions it knows about.
00197   ///
00198   /// \returns true if the call has been successfully evaluated
00199   /// and false otherwise. Note, that only one checker can evaluate a call. If
00200   /// more than one checker claims that they can evaluate the same call the
00201   /// first one wins.
00202   ///
00203   /// eval::Call
00204   bool evalCall(const CallExpr *CE, CheckerContext &C) const { return true; }
00205 
00206   /// \brief Handles assumptions on symbolic values.
00207   ///
00208   /// This method is called when a symbolic expression is assumed to be true or
00209   /// false. For example, the assumptions are performed when evaluating a
00210   /// condition at a branch. The callback allows checkers track the assumptions
00211   /// performed on the symbols of interest and change the state accordingly.
00212   ///
00213   /// eval::Assume
00214   ProgramStateRef evalAssume(ProgramStateRef State,
00215                                  SVal Cond,
00216                                  bool Assumption) const { return State; }
00217 
00218   /// Allows modifying SymbolReaper object. For example, checkers can explicitly
00219   /// register symbols of interest as live. These symbols will not be marked
00220   /// dead and removed.
00221   ///
00222   /// check::LiveSymbols
00223   void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const {}
00224 
00225   /// \brief Called to determine if the checker currently needs to know if when
00226   /// contents of any regions change.
00227   ///
00228   /// Since it is not necessarily cheap to compute which regions are being
00229   /// changed, this allows the analyzer core to skip the more expensive
00230   /// #checkRegionChanges when no checkers are tracking any state.
00231   bool wantsRegionChangeUpdate(ProgramStateRef St) const { return true; }
00232 
00233   /// \brief Called when the contents of one or more regions change.
00234   ///
00235   /// This can occur in many different ways: an explicit bind, a blanket
00236   /// invalidation of the region contents, or by passing a region to a function
00237   /// call whose behavior the analyzer cannot model perfectly.
00238   ///
00239   /// \param State The current program state.
00240   /// \param Invalidated A set of all symbols potentially touched by the change.
00241   /// \param ExplicitRegions The regions explicitly requested for invalidation.
00242   ///        For a function call, this would be the arguments. For a bind, this
00243   ///        would be the region being bound to.
00244   /// \param Regions The transitive closure of regions accessible from,
00245   ///        \p ExplicitRegions, i.e. all regions that may have been touched
00246   ///        by this change. For a simple bind, this list will be the same as
00247   ///        \p ExplicitRegions, since a bind does not affect the contents of
00248   ///        anything accessible through the base region.
00249   /// \param Call The opaque call triggering this invalidation. Will be 0 if the
00250   ///        change was not triggered by a call.
00251   ///
00252   /// Note that this callback will not be invoked unless
00253   /// #wantsRegionChangeUpdate returns \c true.
00254   ///
00255   /// check::RegionChanges
00256   ProgramStateRef
00257     checkRegionChanges(ProgramStateRef State,
00258                        const InvalidatedSymbols *Invalidated,
00259                        ArrayRef<const MemRegion *> ExplicitRegions,
00260                        ArrayRef<const MemRegion *> Regions,
00261                        const CallEvent *Call) const {
00262     return State;
00263   }
00264 
00265   /// \brief Called when pointers escape.
00266   ///
00267   /// This notifies the checkers about pointer escape, which occurs whenever
00268   /// the analyzer cannot track the symbol any more. For example, as a
00269   /// result of assigning a pointer into a global or when it's passed to a
00270   /// function call the analyzer cannot model.
00271   ///
00272   /// \param State The state at the point of escape.
00273   /// \param Escaped The list of escaped symbols.
00274   /// \param Call The corresponding CallEvent, if the symbols escape as
00275   /// parameters to the given call.
00276   /// \param Kind How the symbols have escaped.
00277   /// \returns Checkers can modify the state by returning a new state.
00278   ProgramStateRef checkPointerEscape(ProgramStateRef State,
00279                                      const InvalidatedSymbols &Escaped,
00280                                      const CallEvent *Call,
00281                                      PointerEscapeKind Kind) const {
00282     return State;
00283   }
00284 
00285   /// \brief Called when const pointers escape.
00286   ///
00287   /// Note: in most cases checkPointerEscape callback is sufficient.
00288   /// \sa checkPointerEscape
00289   ProgramStateRef checkConstPointerEscape(ProgramStateRef State,
00290                                      const InvalidatedSymbols &Escaped,
00291                                      const CallEvent *Call,
00292                                      PointerEscapeKind Kind) const {
00293     return State;
00294   }
00295 
00296   /// check::Event<ImplicitNullDerefEvent>
00297   void checkEvent(ImplicitNullDerefEvent Event) const {}
00298 
00299   /// \brief Check every declaration in the AST.
00300   ///
00301   /// An AST traversal callback, which should only be used when the checker is
00302   /// not path sensitive. It will be called for every Declaration in the AST and
00303   /// can be specialized to only be called on subclasses of Decl, for example,
00304   /// FunctionDecl.
00305   ///
00306   /// check::ASTDecl<FunctionDecl>
00307   void checkASTDecl(const FunctionDecl *D,
00308                     AnalysisManager &Mgr,
00309                     BugReporter &BR) const {}
00310 };
00311 
00312 void CheckerDocumentation::checkPostStmt(const DeclStmt *DS,
00313                                          CheckerContext &C) const {
00314 }
00315 
00316 } // end namespace ento
00317 } // end namespace clang