1 //=== BuiltinFunctionChecker.cpp --------------------------------*- C++ -*-===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This checker evaluates clang builtin functions.
10 //
11 //===----------------------------------------------------------------------===//
12 
13 #include "clang/Basic/Builtins.h"
20 
21 using namespace clang;
22 using namespace ento;
23 
namespace {

/// Models a fixed set of clang builtins for the static analyzer instead of
/// leaving them as opaque calls. The only callback is evalCall, which
/// returns true when it has fully evaluated the call (binding its value or
/// adjusting the state) and false to leave the call to the default
/// handling.
class BuiltinFunctionChecker : public Checker<eval::Call> {
public:
  bool evalCall(const CallEvent &Call, CheckerContext &C) const;
};

}
32 
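/// Evaluate a call to one of the modeled clang builtins.
///
/// \param Call The call being evaluated. It is only handled when its callee
///        is a FunctionDecl with a builtin ID covered by the switch below.
/// \param C The checker context for the current analysis node; transitions
///        and sinks are generated through it.
/// \return true if the call was modeled here (the caller must not evaluate
///         it again), false to fall back to the default call handling.
bool BuiltinFunctionChecker::evalCall(const CallEvent &Call,
                                      CheckerContext &C) const {
  ProgramStateRef state = C.getState();
  const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
  if (!FD)
    return false;

  const LocationContext *LCtx = C.getLocationContext();
  const Expr *CE = Call.getOriginExpr();
  // Looked up once; the object_size/constant_p case below consults it again.
  const unsigned BuiltinID = FD->getBuiltinID();

  switch (BuiltinID) {
  default:
    return false;

  case Builtin::BI__builtin_assume: {
    assert(Call.getNumArgs() > 0);
    SVal Arg = Call.getArgSVal(0);
    if (Arg.isUndef())
      return true; // Return true to model purity.

    // Constrain the state by the assumed condition. A null state means the
    // assumption is infeasible on this path.
    state = state->assume(Arg.castAs<DefinedOrUnknownSVal>(), true);
    // FIXME: do we want to warn here? Not right now. The most reports might
    // come from infeasible paths, thus being false positives.
    if (!state) {
      // Stop exploring the contradicted path instead of continuing with a
      // state that cannot occur.
      C.generateSink(C.getState(), C.getPredecessor());
      return true;
    }

    C.addTransition(state);
    return true;
  }

  case Builtin::BI__builtin_unpredictable:
  case Builtin::BI__builtin_expect:
  case Builtin::BI__builtin_expect_with_probability:
  case Builtin::BI__builtin_assume_aligned:
  case Builtin::BI__builtin_addressof:
  case Builtin::BI__builtin_function_start: {
    // For __builtin_unpredictable, __builtin_expect,
    // __builtin_expect_with_probability and __builtin_assume_aligned,
    // just return the value of the subexpression.
    // __builtin_addressof is going from a reference to a pointer, but those
    // are represented the same way in the analyzer.
    assert(Call.getNumArgs() > 0);
    SVal Arg = Call.getArgSVal(0);
    C.addTransition(state->BindExpr(CE, LCtx, Arg));
    return true;
  }

  case Builtin::BI__builtin_alloca_with_align:
  case Builtin::BI__builtin_alloca: {
    // FIXME: Refactor into StoreManager itself?
    MemRegionManager &RM = C.getStoreManager().getRegionManager();
    const AllocaRegion *R = RM.getAllocaRegion(CE, C.blockCount(), LCtx);

    // Set the extent of the region in bytes. This enables us to use the
    // SVal of the argument directly. If we save the extent in bits, we
    // cannot represent values like symbol*8.
    // Both alloca flavors take the size as their first argument; assert it
    // is present, as the other cases above do before reading argument 0.
    assert(Call.getNumArgs() > 0);
    SVal Size = Call.getArgSVal(0);
    if (Size.isUndef())
      return true; // Return true to model purity.

    // Recording the (possibly symbolic) requested size as the region's
    // dynamic extent is what lets later reasoning about this region see
    // how much was actually allocated.
    state = setDynamicExtent(state, R, Size.castAs<DefinedOrUnknownSVal>(),
                             C.getSValBuilder());

    // The call evaluates to a pointer to the fresh alloca region.
    C.addTransition(state->BindExpr(CE, LCtx, loc::MemRegionVal(R)));
    return true;
  }

  case Builtin::BI__builtin_dynamic_object_size:
  case Builtin::BI__builtin_object_size:
  case Builtin::BI__builtin_constant_p: {
    // Defer to the constant evaluator. If the expression does not fold to an
    // integer, the result stays Unknown (except for constant_p, see below).
    SValBuilder &SVB = C.getSValBuilder();
    SVal V = UnknownVal();
    Expr::EvalResult EVResult;
    if (CE->EvaluateAsInt(EVResult, C.getASTContext(), Expr::SE_NoSideEffects)) {
      // Make sure the result has the correct type.
      llvm::APSInt Result = EVResult.Val.getInt();
      BasicValueFactory &BVF = SVB.getBasicValueFactory();
      BVF.getAPSIntType(CE->getType()).apply(Result);
      V = SVB.makeIntVal(Result);
    }

    if (BuiltinID == Builtin::BI__builtin_constant_p) {
      // If we didn't manage to figure out if the value is constant or not,
      // it is safe to assume that it's not constant and unsafe to assume
      // that it's constant.
      if (V.isUnknown())
        V = SVB.makeIntVal(0, CE->getType());
    }

    C.addTransition(state->BindExpr(CE, LCtx, V));
    return true;
  }
  }
}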
132 
/// Registration entry point: adds BuiltinFunctionChecker to the given
/// CheckerManager.
///
/// \param mgr The manager the checker is registered with.
void ento::registerBuiltinFunctionChecker(CheckerManager &mgr) {
  mgr.registerChecker<BuiltinFunctionChecker>();
}
136 
/// Registration predicate: unconditionally true, so this checker is always
/// registered regardless of the manager's configuration.
///
/// \param mgr Unused; accepted to match the registration interface.
/// \return always true.
bool ento::shouldRegisterBuiltinFunctionChecker(const CheckerManager &mgr) {
  return true;
}