clang  14.0.0git
BuiltinFunctionChecker.cpp
Go to the documentation of this file.
1 //=== BuiltinFunctionChecker.cpp --------------------------------*- C++ -*-===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This checker evaluates clang builtin functions.
10 //
11 //===----------------------------------------------------------------------===//
12 
13 #include "clang/Basic/Builtins.h"
14 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15 #include "clang/StaticAnalyzer/Core/Checker.h"
16 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
17 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
18 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
20 
21 using namespace clang;
22 using namespace ento;
23 
24 namespace {
25 
26 class BuiltinFunctionChecker : public Checker<eval::Call> {
27 public:
28  bool evalCall(const CallEvent &Call, CheckerContext &C) const;
29 };
30 
31 }
32 
33 bool BuiltinFunctionChecker::evalCall(const CallEvent &Call,
34  CheckerContext &C) const {
35  ProgramStateRef state = C.getState();
36  const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
37  if (!FD)
38  return false;
39 
40  const LocationContext *LCtx = C.getLocationContext();
41  const Expr *CE = Call.getOriginExpr();
42 
43  switch (FD->getBuiltinID()) {
44  default:
45  return false;
46 
47  case Builtin::BI__builtin_assume: {
48  assert (Call.getNumArgs() > 0);
49  SVal Arg = Call.getArgSVal(0);
50  if (Arg.isUndef())
51  return true; // Return true to model purity.
52 
53  state = state->assume(Arg.castAs<DefinedOrUnknownSVal>(), true);
54  // FIXME: do we want to warn here? Not right now. The most reports might
55  // come from infeasible paths, thus being false positives.
56  if (!state) {
57  C.generateSink(C.getState(), C.getPredecessor());
58  return true;
59  }
60 
61  C.addTransition(state);
62  return true;
63  }
64 
65  case Builtin::BI__builtin_unpredictable:
66  case Builtin::BI__builtin_expect:
67  case Builtin::BI__builtin_expect_with_probability:
68  case Builtin::BI__builtin_assume_aligned:
69  case Builtin::BI__builtin_addressof: {
70  // For __builtin_unpredictable, __builtin_expect,
71  // __builtin_expect_with_probability and __builtin_assume_aligned,
72  // just return the value of the subexpression.
73  // __builtin_addressof is going from a reference to a pointer, but those
74  // are represented the same way in the analyzer.
75  assert (Call.getNumArgs() > 0);
76  SVal Arg = Call.getArgSVal(0);
77  C.addTransition(state->BindExpr(CE, LCtx, Arg));
78  return true;
79  }
80 
81  case Builtin::BI__builtin_alloca_with_align:
82  case Builtin::BI__builtin_alloca: {
83  // FIXME: Refactor into StoreManager itself?
84  MemRegionManager& RM = C.getStoreManager().getRegionManager();
85  const AllocaRegion* R =
86  RM.getAllocaRegion(CE, C.blockCount(), C.getLocationContext());
87 
88  // Set the extent of the region in bytes. This enables us to use the
89  // SVal of the argument directly. If we save the extent in bits, we
90  // cannot represent values like symbol*8.
91  auto Size = Call.getArgSVal(0);
92  if (Size.isUndef())
93  return true; // Return true to model purity.
94 
95  state = setDynamicExtent(state, R, Size.castAs<DefinedOrUnknownSVal>(),
96  C.getSValBuilder());
97 
98  C.addTransition(state->BindExpr(CE, LCtx, loc::MemRegionVal(R)));
99  return true;
100  }
101 
102  case Builtin::BI__builtin_dynamic_object_size:
103  case Builtin::BI__builtin_object_size:
104  case Builtin::BI__builtin_constant_p: {
105  // This must be resolvable at compile time, so we defer to the constant
106  // evaluator for a value.
107  SValBuilder &SVB = C.getSValBuilder();
108  SVal V = UnknownVal();
109  Expr::EvalResult EVResult;
110  if (CE->EvaluateAsInt(EVResult, C.getASTContext(), Expr::SE_NoSideEffects)) {
111  // Make sure the result has the correct type.
112  llvm::APSInt Result = EVResult.Val.getInt();
113  BasicValueFactory &BVF = SVB.getBasicValueFactory();
114  BVF.getAPSIntType(CE->getType()).apply(Result);
115  V = SVB.makeIntVal(Result);
116  }
117 
118  if (FD->getBuiltinID() == Builtin::BI__builtin_constant_p) {
119  // If we didn't manage to figure out if the value is constant or not,
120  // it is safe to assume that it's not constant and unsafe to assume
121  // that it's constant.
122  if (V.isUnknown())
123  V = SVB.makeIntVal(0, CE->getType());
124  }
125 
126  C.addTransition(state->BindExpr(CE, LCtx, V));
127  return true;
128  }
129  }
130 }
131 
132 void ento::registerBuiltinFunctionChecker(CheckerManager &mgr) {
133  mgr.registerChecker<BuiltinFunctionChecker>();
134 }
135 
136 bool ento::shouldRegisterBuiltinFunctionChecker(const CheckerManager &mgr) {
137  return true;
138 }
Builtins.h
DynamicExtent.h
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
clang::APValue::getInt
APSInt & getInt()
Definition: APValue.h:415
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:54
clang::index::SymbolRole::Call
@ Call
clang::Expr::EvalResult::Val
APValue Val
Val - This is the value the expression can be folded to.
Definition: Expr.h:608
clang::Expr::SE_NoSideEffects
@ SE_NoSideEffects
Strictly evaluate the expression.
Definition: Expr.h:632
CallEvent.h
APSInt
llvm::APSInt APSInt
Definition: ByteCodeEmitter.cpp:19
V
#define V(N, I)
Definition: ASTContext.h:3121
BuiltinCheckerRegistration.h
CheckerManager.h
clang::Expr::EvalResult
EvalResult is a struct with detailed info about an evaluated expression.
Definition: Expr.h:606
state
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial state
Definition: README.txt:30
clang::syntax::NodeRole::Size
@ Size
clang::Expr::EvaluateAsInt
bool EvaluateAsInt(EvalResult &Result, const ASTContext &Ctx, SideEffectsKind AllowSideEffects=SE_NoSideEffects, bool InConstantContext=false) const
EvaluateAsInt - Return true if this is a constant which we can fold and convert to an integer,...
Definition: ExprConstant.cpp:14735
CheckerContext.h
Checker.h
clang
Definition: CalledOnceCheck.h:17
clang::Expr::getType
QualType getType() const
Definition: Expr.h:141
clang::ento::setDynamicExtent
ProgramStateRef setDynamicExtent(ProgramStateRef State, const MemRegion *MR, DefinedOrUnknownSVal Extent, SValBuilder &SVB)
Set the dynamic extent Extent of the region MR.
clang::Expr
This represents one expression.
Definition: Expr.h:109
Generated on Tue Oct 26 2021 11:02:24 for clang by   doxygen 1.8.17