clang 17.0.0git
BuiltinFunctionChecker.cpp
Go to the documentation of this file.
1//=== BuiltinFunctionChecker.cpp --------------------------------*- C++ -*-===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This checker evaluates clang builtin functions.
10//
11//===----------------------------------------------------------------------===//
12
13#include "clang/Basic/Builtins.h"
14#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15#include "clang/StaticAnalyzer/Core/Checker.h"
16#include "clang/StaticAnalyzer/Core/CheckerManager.h"
17#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
18#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
20
21using namespace clang;
22using namespace ento;
23
24namespace {
25
26class BuiltinFunctionChecker : public Checker<eval::Call> {
27public:
28 bool evalCall(const CallEvent &Call, CheckerContext &C) const;
29};
30
31}
32
33bool BuiltinFunctionChecker::evalCall(const CallEvent &Call,
34 CheckerContext &C) const {
35 ProgramStateRef state = C.getState();
36 const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
37 if (!FD)
38 return false;
39
40 const LocationContext *LCtx = C.getLocationContext();
41 const Expr *CE = Call.getOriginExpr();
42
43 switch (FD->getBuiltinID()) {
44 default:
45 return false;
46
47 case Builtin::BI__builtin_assume: {
48 assert (Call.getNumArgs() > 0);
49 SVal Arg = Call.getArgSVal(0);
50 if (Arg.isUndef())
51 return true; // Return true to model purity.
52
53 state = state->assume(Arg.castAs<DefinedOrUnknownSVal>(), true);
54 // FIXME: do we want to warn here? Not right now. The most reports might
55 // come from infeasible paths, thus being false positives.
56 if (!state) {
57 C.generateSink(C.getState(), C.getPredecessor());
58 return true;
59 }
60
61 C.addTransition(state);
62 return true;
63 }
64
65 case Builtin::BI__builtin_unpredictable:
66 case Builtin::BI__builtin_expect:
67 case Builtin::BI__builtin_expect_with_probability:
68 case Builtin::BI__builtin_assume_aligned:
69 case Builtin::BI__builtin_addressof:
70 case Builtin::BI__builtin_function_start: {
71 // For __builtin_unpredictable, __builtin_expect,
72 // __builtin_expect_with_probability and __builtin_assume_aligned,
73 // just return the value of the subexpression.
74 // __builtin_addressof is going from a reference to a pointer, but those
75 // are represented the same way in the analyzer.
76 assert (Call.getNumArgs() > 0);
77 SVal Arg = Call.getArgSVal(0);
78 C.addTransition(state->BindExpr(CE, LCtx, Arg));
79 return true;
80 }
81
82 case Builtin::BI__builtin_alloca_with_align:
83 case Builtin::BI__builtin_alloca: {
84 // FIXME: Refactor into StoreManager itself?
85 MemRegionManager& RM = C.getStoreManager().getRegionManager();
86 const AllocaRegion* R =
87 RM.getAllocaRegion(CE, C.blockCount(), C.getLocationContext());
88
89 // Set the extent of the region in bytes. This enables us to use the
90 // SVal of the argument directly. If we save the extent in bits, we
91 // cannot represent values like symbol*8.
92 auto Size = Call.getArgSVal(0);
93 if (Size.isUndef())
94 return true; // Return true to model purity.
95
96 state = setDynamicExtent(state, R, Size.castAs<DefinedOrUnknownSVal>(),
97 C.getSValBuilder());
98
99 C.addTransition(state->BindExpr(CE, LCtx, loc::MemRegionVal(R)));
100 return true;
101 }
102
103 case Builtin::BI__builtin_dynamic_object_size:
104 case Builtin::BI__builtin_object_size:
105 case Builtin::BI__builtin_constant_p: {
106 // This must be resolvable at compile time, so we defer to the constant
107 // evaluator for a value.
108 SValBuilder &SVB = C.getSValBuilder();
109 SVal V = UnknownVal();
110 Expr::EvalResult EVResult;
111 if (CE->EvaluateAsInt(EVResult, C.getASTContext(), Expr::SE_NoSideEffects)) {
112 // Make sure the result has the correct type.
113 llvm::APSInt Result = EVResult.Val.getInt();
114 BasicValueFactory &BVF = SVB.getBasicValueFactory();
115 BVF.getAPSIntType(CE->getType()).apply(Result);
116 V = SVB.makeIntVal(Result);
117 }
118
119 if (FD->getBuiltinID() == Builtin::BI__builtin_constant_p) {
120 // If we didn't manage to figure out if the value is constant or not,
121 // it is safe to assume that it's not constant and unsafe to assume
122 // that it's constant.
123 if (V.isUnknown())
124 V = SVB.makeIntVal(0, CE->getType());
125 }
126
127 C.addTransition(state->BindExpr(CE, LCtx, V));
128 return true;
129 }
130 }
131}
132
133void ento::registerBuiltinFunctionChecker(CheckerManager &mgr) {
134 mgr.registerChecker<BuiltinFunctionChecker>();
135}
136
137bool ento::shouldRegisterBuiltinFunctionChecker(const CheckerManager &mgr) {
138 return true;
139}
V
#define V(N, I)
Definition: ASTContext.h:3230
Builtins.h
Defines enum values for all the target-independent builtin functions.
clang::APValue::getInt
APSInt & getInt()
Definition: APValue.h:415
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::Expr::EvaluateAsInt
bool EvaluateAsInt(EvalResult &Result, const ASTContext &Ctx, SideEffectsKind AllowSideEffects=SE_NoSideEffects, bool InConstantContext=false) const
EvaluateAsInt - Return true if this is a constant which we can fold and convert to an integer,...
Definition: ExprConstant.cpp:15254
clang::Expr::SE_NoSideEffects
@ SE_NoSideEffects
Strictly evaluate the expression.
Definition: Expr.h:648
clang::Expr::getType
QualType getType() const
Definition: Expr.h:142
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
clang::ento::APSIntType::apply
void apply(llvm::APSInt &Value) const
Convert a given APSInt, in place, to match this type.
Definition: APSIntType.h:37
clang::ento::AllocaRegion
AllocaRegion - A region that represents an untyped blob of bytes created by a call to 'alloca'.
Definition: MemRegion.h:474
clang::ento::BasicValueFactory::getAPSIntType
APSIntType getAPSIntType(QualType T) const
Returns the type of the APSInt used to store values of the given QualType.
Definition: BasicValueFactory.h:148
clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:149
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::MemRegionManager::getAllocaRegion
const AllocaRegion * getAllocaRegion(const Expr *Ex, unsigned Cnt, const LocationContext *LC)
getAllocaRegion - Retrieve a region associated with a call to alloca().
Definition: MemRegion.cpp:1257
clang::ento::SValBuilder::getBasicValueFactory
BasicValueFactory & getBasicValueFactory()
Definition: SValBuilder.h:149
clang::ento::SValBuilder::makeIntVal
nonloc::ConcreteInt makeIntVal(const IntegerLiteral *integer)
Definition: SValBuilder.h:269
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:72
clang::ento::SVal::isUndef
bool isUndef() const
Definition: SVals.h:128
clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:99
clang::ento::setDynamicExtent
ProgramStateRef setDynamicExtent(ProgramStateRef State, const MemRegion *MR, DefinedOrUnknownSVal Extent, SValBuilder &SVB)
Set the dynamic extent Extent of the region MR.
clang::interp::Call
bool Call(InterpState &S, CodePtr OpPC, const Function *Func)
Definition: Interp.h:1585
clang::Language::C
@ C
Languages that the frontend can parse and compile.
clang::Expr::EvalResult
EvalResult is a struct with detailed info about an evaluated expression.
Definition: Expr.h:622
clang::Expr::EvalResult::Val
APValue Val
Val - This is the value the expression can be folded to.
Definition: Expr.h:624
Generated on Wed Jun 7 2023 21:25:05 for clang by doxygen 1.9.6