clang  mainline
CheckerDocumentation.cpp
Go to the documentation of this file.
00001 //= CheckerDocumentation.cpp - Documentation checker ---------------*- C++ -*-//
00002 //
00003 //                     The LLVM Compiler Infrastructure
00004 //
00005 // This file is distributed under the University of Illinois Open Source
00006 // License. See LICENSE.TXT for details.
00007 //
00008 //===----------------------------------------------------------------------===//
00009 //
00010 // This checker lists all the checker callbacks and provides documentation for
00011 // checker writers.
00012 //
00013 //===----------------------------------------------------------------------===//
00014 
00015 #include "ClangSACheckers.h"
00016 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
00017 #include "clang/StaticAnalyzer/Core/Checker.h"
00018 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
00019 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
00020 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
00021 
00022 using namespace clang;
00023 using namespace ento;
00024 
00025 // All checkers should be placed into anonymous namespace.
00026 // We place the CheckerDocumentation inside ento namespace to make the
00027 // it visible in doxygen.
00028 namespace clang {
00029 namespace ento {
00030 
00031 /// This checker documents the callback functions checkers can use to implement
00032 /// the custom handling of the specific events during path exploration as well
00033 /// as reporting bugs. Most of the callbacks are targeted at path-sensitive
00034 /// checking.
00035 ///
00036 /// \sa CheckerContext
00037 class CheckerDocumentation : public Checker< check::PreStmt<ReturnStmt>,
00038                                        check::PostStmt<DeclStmt>,
00039                                        check::PreObjCMessage,
00040                                        check::PostObjCMessage,
00041                                        check::PreCall,
00042                                        check::PostCall,
00043                                        check::BranchCondition,
00044                                        check::Location,
00045                                        check::Bind,
00046                                        check::DeadSymbols,
00047                                        check::EndFunction,
00048                                        check::EndAnalysis,
00049                                        check::EndOfTranslationUnit,
00050                                        eval::Call,
00051                                        eval::Assume,
00052                                        check::LiveSymbols,
00053                                        check::RegionChanges,
00054                                        check::PointerEscape,
00055                                        check::ConstPointerEscape,
00056                                        check::Event<ImplicitNullDerefEvent>,
00057                                        check::ASTDecl<FunctionDecl> > {
00058 public:
00059 
00060   /// \brief Pre-visit the Statement.
00061   ///
00062   /// The method will be called before the analyzer core processes the
00063   /// statement. The notification is performed for every explored CFGElement,
00064   /// which does not include the control flow statements such as IfStmt. The
00065   /// callback can be specialized to be called with any subclass of Stmt.
00066   ///
00067   /// See checkBranchCondition() callback for performing custom processing of
00068   /// the branching statements.
00069   ///
00070   /// check::PreStmt<ReturnStmt>
00071   void checkPreStmt(const ReturnStmt *DS, CheckerContext &C) const {}
00072 
00073   /// \brief Post-visit the Statement.
00074   ///
00075   /// The method will be called after the analyzer core processes the
00076   /// statement. The notification is performed for every explored CFGElement,
00077   /// which does not include the control flow statements such as IfStmt. The
00078   /// callback can be specialized to be called with any subclass of Stmt.
00079   ///
00080   /// check::PostStmt<DeclStmt>
00081   void checkPostStmt(const DeclStmt *DS, CheckerContext &C) const;
00082 
00083   /// \brief Pre-visit the Objective C message.
00084   ///
00085   /// This will be called before the analyzer core processes the method call.
00086   /// This is called for any action which produces an Objective-C message send,
00087   /// including explicit message syntax and property access.
00088   ///
00089   /// check::PreObjCMessage
00090   void checkPreObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const {}
00091 
00092   /// \brief Post-visit the Objective C message.
00093   /// \sa checkPreObjCMessage()
00094   ///
00095   /// check::PostObjCMessage
00096   void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const {}
00097 
00098   /// \brief Pre-visit an abstract "call" event.
00099   ///
00100   /// This is used for checkers that want to check arguments or attributed
00101   /// behavior for functions and methods no matter how they are being invoked.
00102   ///
00103   /// Note that this includes ALL cross-body invocations, so if you want to
00104   /// limit your checks to, say, function calls, you should test for that at the
00105   /// beginning of your callback function.
00106   ///
00107   /// check::PreCall
00108   void checkPreCall(const CallEvent &Call, CheckerContext &C) const {}
00109 
00110   /// \brief Post-visit an abstract "call" event.
00111   /// \sa checkPreObjCMessage()
00112   ///
00113   /// check::PostCall
00114   void checkPostCall(const CallEvent &Call, CheckerContext &C) const {}
00115 
00116   /// \brief Pre-visit of the condition statement of a branch (such as IfStmt).
00117   void checkBranchCondition(const Stmt *Condition, CheckerContext &Ctx) const {}
00118 
00119   /// \brief Called on a load from and a store to a location.
00120   ///
00121   /// The method will be called each time a location (pointer) value is
00122   /// accessed.
00123   /// \param Loc    The value of the location (pointer).
00124   /// \param IsLoad The flag specifying if the location is a store or a load.
00125   /// \param S      The load is performed while processing the statement.
00126   ///
00127   /// check::Location
00128   void checkLocation(SVal Loc, bool IsLoad, const Stmt *S,
00129                      CheckerContext &) const {}
00130 
00131   /// \brief Called on binding of a value to a location.
00132   ///
00133   /// \param Loc The value of the location (pointer).
00134   /// \param Val The value which will be stored at the location Loc.
00135   /// \param S   The bind is performed while processing the statement S.
00136   ///
00137   /// check::Bind
00138   void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &) const {}
00139 
00140 
00141   /// \brief Called whenever a symbol becomes dead.
00142   ///
00143   /// This callback should be used by the checkers to aggressively clean
00144   /// up/reduce the checker state, which is important for reducing the overall
00145   /// memory usage. Specifically, if a checker keeps symbol specific information
00146   /// in the sate, it can and should be dropped after the symbol becomes dead.
00147   /// In addition, reporting a bug as soon as the checker becomes dead leads to
00148   /// more precise diagnostics. (For example, one should report that a malloced
00149   /// variable is not freed right after it goes out of scope.)
00150   ///
00151   /// \param SR The SymbolReaper object can be queried to determine which
00152   ///           symbols are dead.
00153   ///
00154   /// check::DeadSymbols
00155   void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const {}
00156 
00157   /// \brief Called when the analyzer core reaches the end of a
00158   /// function being analyzed.
00159   ///
00160   /// check::EndFunction
00161   void checkEndFunction(CheckerContext &Ctx) const {}
00162 
00163   /// \brief Called after all the paths in the ExplodedGraph reach end of path
00164   /// - the symbolic execution graph is fully explored.
00165   ///
00166   /// This callback should be used in cases when a checker needs to have a
00167   /// global view of the information generated on all paths. For example, to
00168   /// compare execution summary/result several paths.
00169   /// See IdempotentOperationChecker for a usage example.
00170   ///
00171   /// check::EndAnalysis
00172   void checkEndAnalysis(ExplodedGraph &G,
00173                         BugReporter &BR,
00174                         ExprEngine &Eng) const {}
00175 
00176   /// \brief Called after analysis of a TranslationUnit is complete.
00177   ///
00178   /// check::EndOfTranslationUnit
00179   void checkEndOfTranslationUnit(const TranslationUnitDecl *TU,
00180                                  AnalysisManager &Mgr,
00181                                  BugReporter &BR) const {}
00182 
00183 
00184   /// \brief Evaluates function call.
00185   ///
00186   /// The analysis core threats all function calls in the same way. However, some
00187   /// functions have special meaning, which should be reflected in the program
00188   /// state. This callback allows a checker to provide domain specific knowledge
00189   /// about the particular functions it knows about.
00190   ///
00191   /// \returns true if the call has been successfully evaluated
00192   /// and false otherwise. Note, that only one checker can evaluate a call. If
00193   /// more than one checker claims that they can evaluate the same call the
00194   /// first one wins.
00195   ///
00196   /// eval::Call
00197   bool evalCall(const CallExpr *CE, CheckerContext &C) const { return true; }
00198 
00199   /// \brief Handles assumptions on symbolic values.
00200   ///
00201   /// This method is called when a symbolic expression is assumed to be true or
00202   /// false. For example, the assumptions are performed when evaluating a
00203   /// condition at a branch. The callback allows checkers track the assumptions
00204   /// performed on the symbols of interest and change the state accordingly.
00205   ///
00206   /// eval::Assume
00207   ProgramStateRef evalAssume(ProgramStateRef State,
00208                                  SVal Cond,
00209                                  bool Assumption) const { return State; }
00210 
00211   /// Allows modifying SymbolReaper object. For example, checkers can explicitly
00212   /// register symbols of interest as live. These symbols will not be marked
00213   /// dead and removed.
00214   ///
00215   /// check::LiveSymbols
00216   void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const {}
00217 
00218   /// \brief Called to determine if the checker currently needs to know if when
00219   /// contents of any regions change.
00220   ///
00221   /// Since it is not necessarily cheap to compute which regions are being
00222   /// changed, this allows the analyzer core to skip the more expensive
00223   /// #checkRegionChanges when no checkers are tracking any state.
00224   bool wantsRegionChangeUpdate(ProgramStateRef St) const { return true; }
00225   
00226   /// \brief Called when the contents of one or more regions change.
00227   ///
00228   /// This can occur in many different ways: an explicit bind, a blanket
00229   /// invalidation of the region contents, or by passing a region to a function
00230   /// call whose behavior the analyzer cannot model perfectly.
00231   ///
00232   /// \param State The current program state.
00233   /// \param Invalidated A set of all symbols potentially touched by the change.
00234   /// \param ExplicitRegions The regions explicitly requested for invalidation.
00235   ///        For a function call, this would be the arguments. For a bind, this
00236   ///        would be the region being bound to.
00237   /// \param Regions The transitive closure of regions accessible from,
00238   ///        \p ExplicitRegions, i.e. all regions that may have been touched
00239   ///        by this change. For a simple bind, this list will be the same as
00240   ///        \p ExplicitRegions, since a bind does not affect the contents of
00241   ///        anything accessible through the base region.
00242   /// \param Call The opaque call triggering this invalidation. Will be 0 if the
00243   ///        change was not triggered by a call.
00244   ///
00245   /// Note that this callback will not be invoked unless
00246   /// #wantsRegionChangeUpdate returns \c true.
00247   ///
00248   /// check::RegionChanges
00249   ProgramStateRef 
00250     checkRegionChanges(ProgramStateRef State,
00251                        const InvalidatedSymbols *Invalidated,
00252                        ArrayRef<const MemRegion *> ExplicitRegions,
00253                        ArrayRef<const MemRegion *> Regions,
00254                        const CallEvent *Call) const {
00255     return State;
00256   }
00257 
00258   /// \brief Called when pointers escape.
00259   ///
00260   /// This notifies the checkers about pointer escape, which occurs whenever
00261   /// the analyzer cannot track the symbol any more. For example, as a
00262   /// result of assigning a pointer into a global or when it's passed to a 
00263   /// function call the analyzer cannot model.
00264   /// 
00265   /// \param State The state at the point of escape.
00266   /// \param Escaped The list of escaped symbols.
00267   /// \param Call The corresponding CallEvent, if the symbols escape as 
00268   /// parameters to the given call.
00269   /// \param Kind How the symbols have escaped.
00270   /// \returns Checkers can modify the state by returning a new state.
00271   ProgramStateRef checkPointerEscape(ProgramStateRef State,
00272                                      const InvalidatedSymbols &Escaped,
00273                                      const CallEvent *Call,
00274                                      PointerEscapeKind Kind) const {
00275     return State;
00276   }
00277 
00278   /// \brief Called when const pointers escape.
00279   ///
00280   /// Note: in most cases checkPointerEscape callback is sufficient.
00281   /// \sa checkPointerEscape
00282   ProgramStateRef checkConstPointerEscape(ProgramStateRef State,
00283                                      const InvalidatedSymbols &Escaped,
00284                                      const CallEvent *Call,
00285                                      PointerEscapeKind Kind) const {
00286     return State;
00287   }
00288                                          
00289   /// check::Event<ImplicitNullDerefEvent>
00290   void checkEvent(ImplicitNullDerefEvent Event) const {}
00291 
00292   /// \brief Check every declaration in the AST.
00293   ///
00294   /// An AST traversal callback, which should only be used when the checker is
00295   /// not path sensitive. It will be called for every Declaration in the AST and
00296   /// can be specialized to only be called on subclasses of Decl, for example,
00297   /// FunctionDecl.
00298   ///
00299   /// check::ASTDecl<FunctionDecl>
00300   void checkASTDecl(const FunctionDecl *D,
00301                     AnalysisManager &Mgr,
00302                     BugReporter &BR) const {}
00303 
00304 };
00305 
00306 void CheckerDocumentation::checkPostStmt(const DeclStmt *DS,
00307                                          CheckerContext &C) const {
00308   return;
00309 }
00310 
00311 } // end namespace ento
00312 } // end namespace clang