doxygen/InvalidatedIteratorChecker_8cpp_source.html

//===-- InvalidatedIteratorChecker.cpp ----------------------------*- C++ -*--//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// Defines a checker for access of invalidated iterators.

//

//===----------------------------------------------------------------------===//


#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"


#include "Iterator.h"


using namespace clang;

using namespace ento;

using namespace iterator;


namespace {


class InvalidatedIteratorChecker

  : public Checker<check::PreCall, check::PreStmt<UnaryOperator>,

                   check::PreStmt<BinaryOperator>,

                   check::PreStmt<ArraySubscriptExpr>,

                   check::PreStmt<MemberExpr>> {


  std::unique_ptr<BugType> InvalidatedBugType;


  void verifyAccess(CheckerContext &C, const SVal &Val) const;

  void reportBug(const StringRef &Message, const SVal &Val,

                 CheckerContext &C, ExplodedNode *ErrNode) const;

public:

  InvalidatedIteratorChecker();


  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;

  void checkPreStmt(const UnaryOperator *UO, CheckerContext &C) const;

  void checkPreStmt(const BinaryOperator *BO, CheckerContext &C) const;

  void checkPreStmt(const ArraySubscriptExpr *ASE, CheckerContext &C) const;

  void checkPreStmt(const MemberExpr *ME, CheckerContext &C) const;


};


} //namespace


InvalidatedIteratorChecker::InvalidatedIteratorChecker() {

  InvalidatedBugType.reset(

      new BugType(this, "Iterator invalidated", "Misuse of STL APIs"));

}


void InvalidatedIteratorChecker::checkPreCall(const CallEvent &Call,

                                              CheckerContext &C) const {

  // Check for access of invalidated position

  const auto *Func = dyn_cast_or_null<FunctionDecl>(Call.getDecl());

  if (!Func)

    return;


  if (Func->isOverloadedOperator() &&

      isAccessOperator(Func->getOverloadedOperator())) {

    // Check for any kind of access of invalidated iterator positions

    if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {

      verifyAccess(C, InstCall->getCXXThisVal());

    } else {

      verifyAccess(C, Call.getArgSVal(0));

    }

  }

}


void InvalidatedIteratorChecker::checkPreStmt(const UnaryOperator *UO,

                                              CheckerContext &C) const {

  if (isa<CXXThisExpr>(UO->getSubExpr()))

    return;


  ProgramStateRef State = C.getState();

  UnaryOperatorKind OK = UO->getOpcode();

  SVal SubVal = State->getSVal(UO->getSubExpr(), C.getLocationContext());


  if (isAccessOperator(OK)) {

    verifyAccess(C, SubVal);

  }

}


void InvalidatedIteratorChecker::checkPreStmt(const BinaryOperator *BO,

                                              CheckerContext &C) const {

  ProgramStateRef State = C.getState();

  BinaryOperatorKind OK = BO->getOpcode();

  SVal LVal = State->getSVal(BO->getLHS(), C.getLocationContext());


  if (isAccessOperator(OK)) {

    verifyAccess(C, LVal);

  }

}


void InvalidatedIteratorChecker::checkPreStmt(const ArraySubscriptExpr *ASE,

                                              CheckerContext &C) const {

  ProgramStateRef State = C.getState();

  SVal LVal = State->getSVal(ASE->getLHS(), C.getLocationContext());

  verifyAccess(C, LVal);

}


void InvalidatedIteratorChecker::checkPreStmt(const MemberExpr *ME,

                                              CheckerContext &C) const {

  if (!ME->isArrow() || ME->isImplicitAccess())

    return;


  ProgramStateRef State = C.getState();

  SVal BaseVal = State->getSVal(ME->getBase(), C.getLocationContext());

  verifyAccess(C, BaseVal);

}


void InvalidatedIteratorChecker::verifyAccess(CheckerContext &C, const SVal &Val) const {

  auto State = C.getState();

  const auto *Pos = getIteratorPosition(State, Val);

  if (Pos && !Pos->isValid()) {

    auto *N = C.generateErrorNode(State);

    if (!N) {

      return;

    }

    reportBug("Invalidated iterator accessed.", Val, C, N);

  }

}


void InvalidatedIteratorChecker::reportBug(const StringRef &Message,

                                           const SVal &Val, CheckerContext &C,

                                           ExplodedNode *ErrNode) const {

  auto R = std::make_unique<PathSensitiveBugReport>(*InvalidatedBugType,

                                                    Message, ErrNode);

  R->markInteresting(Val);

  C.emitReport(std::move(R));

}


void ento::registerInvalidatedIteratorChecker(CheckerManager &mgr) {

  mgr.registerChecker<InvalidatedIteratorChecker>();

}


bool ento::shouldRegisterInvalidatedIteratorChecker(const CheckerManager &mgr) {

  return true;

}

BugType.h

BuiltinCheckerRegistration.h

CallEvent.h

CheckerContext.h

Checker.h

Iterator.h

clang::ArraySubscriptExpr
ArraySubscriptExpr - [C99 6.5.2.1] Array Subscripting.
Definition: Expr.h:2656

clang::ArraySubscriptExpr::getLHS
Expr * getLHS()
An array access can be written A[4] or 4[A] (both are equivalent).
Definition: Expr.h:2685

clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition: Expr.h:3814

clang::BinaryOperator::getLHS
Expr * getLHS() const
Definition: Expr.h:3863

clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition: Expr.h:3858

clang::MemberExpr
MemberExpr - [C99 6.5.2.3] Structure and Union Members.
Definition: Expr.h:3175

clang::MemberExpr::isImplicitAccess
bool isImplicitAccess() const
Determine whether the base of this explicit is implicit.
Definition: Expr.h:3369

clang::MemberExpr::getBase
Expr * getBase() const
Definition: Expr.h:3248

clang::MemberExpr::isArrow
bool isArrow() const
Definition: Expr.h:3355

clang::UnaryOperator
UnaryOperator - This represents the unary-expression's (except sizeof and alignof),...
Definition: Expr.h:2176

clang::UnaryOperator::getSubExpr
Expr * getSubExpr() const
Definition: Expr.h:2221

clang::UnaryOperator::getOpcode
Opcode getOpcode() const
Definition: Expr.h:2216

clang::ento::BugType
Definition: BugType.h:27

clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:149

clang::ento::CheckerContext
Definition: CheckerContext.h:24

clang::ento::CheckerManager
Definition: CheckerManager.h:126

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204

clang::ento::Checker
Definition: Checker.h:517

clang::ento::ExplodedNode
Definition: ExplodedGraph.h:65

clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:72

llvm::IntrusiveRefCntPtr< const ProgramState >

clang::ento::iterator::isAccessOperator
bool isAccessOperator(OverloadedOperatorKind OK)
Definition: Iterator.cpp:126

clang::ento::iterator::getIteratorPosition
const IteratorPosition * getIteratorPosition(ProgramStateRef State, const SVal &Val)
Definition: Iterator.cpp:184

clang::interp::Call
bool Call(InterpState &S, CodePtr &PC, const Function *Func)
Definition: Interp.h:1493

clang
Definition: CalledOnceCheck.h:17

clang::BinaryOperatorKind
BinaryOperatorKind
Definition: OperationKinds.h:25

clang::Language::C
@ C
Languages that the frontend can parse and compile.

clang::UnaryOperatorKind
UnaryOperatorKind
Definition: OperationKinds.h:30