doxygen/UncountedLocalVarsChecker_8cpp_source.html

//=======- UncountedLocalVarsChecker.cpp -------------------------*- C++ -*-==//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//


#include "ASTUtils.h"

#include "DiagOutputUtils.h"

#include "PtrTypesSemantics.h"

#include "clang/AST/CXXInheritance.h"

#include "clang/AST/Decl.h"

#include "clang/AST/DeclCXX.h"

#include "clang/AST/ParentMapContext.h"

#include "clang/AST/RecursiveASTVisitor.h"

#include "clang/Basic/SourceLocation.h"

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include <optional>


using namespace clang;

using namespace ento;


namespace {


// FIXME: should be defined by anotations in the future

bool isRefcountedStringsHack(const VarDecl *V) {

  assert(V);

  auto safeClass = [](const std::string &className) {

    return className == "String" || className == "AtomString" ||

           className == "UniquedString" || className == "Identifier";

  };

  QualType QT = V->getType();

  auto *T = QT.getTypePtr();

  if (auto *CXXRD = T->getAsCXXRecordDecl()) {

    if (safeClass(safeGetName(CXXRD)))

      return true;

  }

  if (T->isPointerType() || T->isReferenceType()) {

    if (auto *CXXRD = T->getPointeeCXXRecordDecl()) {

      if (safeClass(safeGetName(CXXRD)))

        return true;

    }

  }

  return false;

}


bool isGuardedScopeEmbeddedInGuardianScope(const VarDecl *Guarded,

                                           const VarDecl *MaybeGuardian) {

  assert(Guarded);

  assert(MaybeGuardian);


  if (!MaybeGuardian->isLocalVarDecl())

    return false;


  const CompoundStmt *guardiansClosestCompStmtAncestor = nullptr;


  ASTContext &ctx = MaybeGuardian->getASTContext();


  for (DynTypedNodeList guardianAncestors = ctx.getParents(*MaybeGuardian);

       !guardianAncestors.empty();

       guardianAncestors = ctx.getParents(

           *guardianAncestors

                .begin()) // FIXME - should we handle all of the parents?

  ) {

    for (auto &guardianAncestor : guardianAncestors) {

      if (auto *CStmtParentAncestor = guardianAncestor.get<CompoundStmt>()) {

        guardiansClosestCompStmtAncestor = CStmtParentAncestor;

        break;

      }

    }

    if (guardiansClosestCompStmtAncestor)

      break;

  }


  if (!guardiansClosestCompStmtAncestor)

    return false;


  // We need to skip the first CompoundStmt to avoid situation when guardian is

  // defined in the same scope as guarded variable.

  bool HaveSkippedFirstCompoundStmt = false;

  for (DynTypedNodeList guardedVarAncestors = ctx.getParents(*Guarded);

       !guardedVarAncestors.empty();

       guardedVarAncestors = ctx.getParents(

           *guardedVarAncestors

                .begin()) // FIXME - should we handle all of the parents?

  ) {

    for (auto &guardedVarAncestor : guardedVarAncestors) {

      if (auto *CStmtAncestor = guardedVarAncestor.get<CompoundStmt>()) {

        if (!HaveSkippedFirstCompoundStmt) {

          HaveSkippedFirstCompoundStmt = true;

          continue;

        }

        if (CStmtAncestor == guardiansClosestCompStmtAncestor)

          return true;

      }

    }

  }


  return false;

}


class UncountedLocalVarsChecker

    : public Checker<check::ASTDecl<TranslationUnitDecl>> {

  BugType Bug{this,

              "Uncounted raw pointer or reference not provably backed by "

              "ref-counted variable",

              "WebKit coding guidelines"};

  mutable BugReporter *BR;


public:

  void checkASTDecl(const TranslationUnitDecl *TUD, AnalysisManager &MGR,

                    BugReporter &BRArg) const {

    BR = &BRArg;


    // The calls to checkAST* from AnalysisConsumer don't

    // visit template instantiations or lambda classes. We

    // want to visit those, so we make our own RecursiveASTVisitor.

    struct LocalVisitor : public RecursiveASTVisitor<LocalVisitor> {

      const UncountedLocalVarsChecker *Checker;


      TrivialFunctionAnalysis TFA;


      using Base = RecursiveASTVisitor<LocalVisitor>;


      explicit LocalVisitor(const UncountedLocalVarsChecker *Checker)

          : Checker(Checker) {

        assert(Checker);

      }


      bool shouldVisitTemplateInstantiations() const { return true; }

      bool shouldVisitImplicitCode() const { return false; }


      bool VisitVarDecl(VarDecl *V) {

        Checker->visitVarDecl(V);

        return true;

      }


      bool TraverseIfStmt(IfStmt *IS) {

        if (!TFA.isTrivial(IS))

          return Base::TraverseIfStmt(IS);

        return true;

      }


      bool TraverseForStmt(ForStmt *FS) {

        if (!TFA.isTrivial(FS))

          return Base::TraverseForStmt(FS);

        return true;

      }


      bool TraverseCXXForRangeStmt(CXXForRangeStmt *FRS) {

        if (!TFA.isTrivial(FRS))

          return Base::TraverseCXXForRangeStmt(FRS);

        return true;

      }


      bool TraverseWhileStmt(WhileStmt *WS) {

        if (!TFA.isTrivial(WS))

          return Base::TraverseWhileStmt(WS);

        return true;

      }


      bool TraverseCompoundStmt(CompoundStmt *CS) {

        if (!TFA.isTrivial(CS))

          return Base::TraverseCompoundStmt(CS);

        return true;

      }

    };


    LocalVisitor visitor(this);

    visitor.TraverseDecl(const_cast<TranslationUnitDecl *>(TUD));

  }


  void visitVarDecl(const VarDecl *V) const {

    if (shouldSkipVarDecl(V))

      return;


    const auto *ArgType = V->getType().getTypePtr();

    if (!ArgType)

      return;


    std::optional<bool> IsUncountedPtr = isUncountedPtr(ArgType);

    if (IsUncountedPtr && *IsUncountedPtr) {

      const Expr *const InitExpr = V->getInit();

      if (!InitExpr)

        return; // FIXME: later on we might warn on uninitialized vars too


      const clang::Expr *const InitArgOrigin =

          tryToFindPtrOrigin(InitExpr, /*StopAtFirstRefCountedObj=*/false)

              .first;

      if (!InitArgOrigin)

        return;


      if (isa<CXXThisExpr>(InitArgOrigin))

        return;


      if (auto *Ref = llvm::dyn_cast<DeclRefExpr>(InitArgOrigin)) {

        if (auto *MaybeGuardian =

                dyn_cast_or_null<VarDecl>(Ref->getFoundDecl())) {

          const auto *MaybeGuardianArgType =

              MaybeGuardian->getType().getTypePtr();

          if (MaybeGuardianArgType) {

            const CXXRecordDecl *const MaybeGuardianArgCXXRecord =

                MaybeGuardianArgType->getAsCXXRecordDecl();

            if (MaybeGuardianArgCXXRecord) {

              if (MaybeGuardian->isLocalVarDecl() &&

                  (isRefCounted(MaybeGuardianArgCXXRecord) ||

                   isRefcountedStringsHack(MaybeGuardian)) &&

                  isGuardedScopeEmbeddedInGuardianScope(V, MaybeGuardian))

                return;

            }

          }


          // Parameters are guaranteed to be safe for the duration of the call

          // by another checker.

          if (isa<ParmVarDecl>(MaybeGuardian))

            return;

        }

      }


      reportBug(V);

    }

  }


  bool shouldSkipVarDecl(const VarDecl *V) const {

    assert(V);

    if (!V->isLocalVarDecl())

      return true;


    return false;

  }


  void reportBug(const VarDecl *V) const {

    assert(V);

    SmallString<100> Buf;

    llvm::raw_svector_ostream Os(Buf);


    Os << "Local variable ";

    printQuotedQualifiedName(Os, V);

    Os << " is uncounted and unsafe.";


    PathDiagnosticLocation BSLoc(V->getLocation(), BR->getSourceManager());

    auto Report = std::make_unique<BasicBugReport>(Bug, Os.str(), BSLoc);

    Report->addRange(V->getSourceRange());

    BR->emitReport(std::move(Report));

  }

};

} // namespace


void ento::registerUncountedLocalVarsChecker(CheckerManager &Mgr) {

  Mgr.registerChecker<UncountedLocalVarsChecker>();

}


bool ento::shouldRegisterUncountedLocalVarsChecker(const CheckerManager &) {

  return true;

}

V
#define V(N, I)
Definition: ASTContext.h:3284

ASTUtils.h

BugReporter.h

BugType.h

BuiltinCheckerRegistration.h

CXXInheritance.h

Checker.h

DeclCXX.h
Defines the C++ Decl subclasses, other than those for templates (found in DeclTemplate....

Decl.h

DiagOutputUtils.h

ParentMapContext.h

PtrTypesSemantics.h

RecursiveASTVisitor.h

SourceLocation.h
Defines the clang::SourceLocation class and associated facilities.

Base

clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:182

clang::ASTContext::getParents
DynTypedNodeList getParents(const NodeT &Node)
Forwards to get node parents from the ParentMapContext.
Definition: ParentMapContext.h:131

clang::CXXForRangeStmt
CXXForRangeStmt - This represents C++0x [stmt.ranged]'s ranged for statement, represented as 'for (ra...
Definition: StmtCXX.h:135

clang::CXXRecordDecl
Represents a C++ struct/union/class.
Definition: DeclCXX.h:258

clang::CompoundStmt
CompoundStmt - This represents a group of statements like { stmt stmt }.
Definition: Stmt.h:1606

clang::Decl::getASTContext
ASTContext & getASTContext() const LLVM_READONLY
Definition: DeclBase.cpp:501

clang::DynTypedNodeList
Container for either a single DynTypedNode or for an ArrayRef to DynTypedNode.
Definition: ParentMapContext.h:92

clang::DynTypedNodeList::empty
bool empty() const
Definition: ParentMapContext.h:117

clang::Expr
This represents one expression.
Definition: Expr.h:110

clang::ForStmt
ForStmt - This represents a 'for (init;cond;inc)' stmt.
Definition: Stmt.h:2781

clang::IfStmt
IfStmt - This represents an if/then/else.
Definition: Stmt.h:2138

clang::QualType
A (possibly-)qualified type.
Definition: Type.h:940

clang::QualType::getTypePtr
const Type * getTypePtr() const
Retrieves a pointer to the underlying (unqualified) type.
Definition: Type.h:7359

clang::RecursiveASTVisitor
A class that does preorder or postorder depth-first traversal on the entire Clang AST and visits each...
Definition: RecursiveASTVisitor.h:153

clang::TranslationUnitDecl
The top declaration context.
Definition: Decl.h:84

clang::TrivialFunctionAnalysis
An inter-procedural analysis facility that detects functions with "trivial" behavior with respect to ...
Definition: PtrTypesSemantics.h:75

clang::TrivialFunctionAnalysis::isTrivial
bool isTrivial(const Decl *D) const
Definition: PtrTypesSemantics.h:78

clang::Type::getAsCXXRecordDecl
CXXRecordDecl * getAsCXXRecordDecl() const
Retrieves the CXXRecordDecl that this type refers to, either because the type is a RecordType or beca...
Definition: Type.cpp:1870

clang::Type::isPointerType
bool isPointerType() const
Definition: Type.h:7612

clang::Type::isReferenceType
bool isReferenceType() const
Definition: Type.h:7624

clang::Type::getPointeeCXXRecordDecl
const CXXRecordDecl * getPointeeCXXRecordDecl() const
If this is a pointer or reference to a RecordType, return the CXXRecordDecl that the type refers to.
Definition: Type.cpp:1855

clang::ValueDecl::getType
QualType getType() const
Definition: Decl.h:717

clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:918

clang::VarDecl::isLocalVarDecl
bool isLocalVarDecl() const
Returns true for local variable declarations other than parameters.
Definition: Decl.h:1240

clang::WhileStmt
WhileStmt - This represents a 'while' stmt.
Definition: Stmt.h:2584

clang::ento::AnalysisManager
Definition: AnalysisManager.h:31

clang::ento::BugReporter
BugReporter is a utility class for generating PathDiagnostics for analysis.
Definition: BugReporter.h:585

clang::ento::BugReporter::getSourceManager
const SourceManager & getSourceManager()
Definition: BugReporter.h:623

clang::ento::BugReporter::emitReport
virtual void emitReport(std::unique_ptr< BugReport > R)
Add the given report to the set of reports tracked by BugReporter.
Definition: BugReporter.cpp:2907

clang::ento::BugType
Definition: BugType.h:27

clang::ento::CheckerManager
Definition: CheckerManager.h:126

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204

clang::ento::Checker
Definition: Checker.h:512

clang::ento::PathDiagnosticLocation
Definition: PathDiagnostic.h:195

llvm::SmallString
Definition: LLVM.h:34

clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17

clang::isUncountedPtr
std::optional< bool > isUncountedPtr(const Type *T)
Definition: PtrTypesSemantics.cpp:159

clang::tryToFindPtrOrigin
std::pair< const Expr *, bool > tryToFindPtrOrigin(const Expr *E, bool StopAtFirstRefCountedObj)
This function de-facto defines a set of transformations that we consider safe (in heuristical sense).
Definition: ASTUtils.cpp:20

clang::printQuotedQualifiedName
void printQuotedQualifiedName(llvm::raw_ostream &Os, const NamedDeclDerivedT &D)
Definition: DiagOutputUtils.h:18

clang::isRefCounted
bool isRefCounted(const CXXRecordDecl *R)
Definition: PtrTypesSemantics.cpp:201

clang::T
const FunctionProtoType * T
Definition: RecursiveASTVisitor.h:1339

clang::safeGetName
std::string safeGetName(const T *ASTNode)
Definition: ASTUtils.h:65