clang 18.0.0git
IteratorModeling.cpp
Go to the documentation of this file.
1//===-- IteratorModeling.cpp --------------------------------------*- C++ -*--//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// Defines a modeling-checker for modeling STL iterator-like iterators.
10//
11//===----------------------------------------------------------------------===//
12//
13// In the code, iterator can be represented as a:
14// * type-I: typedef-ed pointer. Operations over such iterator, such as
15// comparisons or increments, are modeled straightforwardly by the
16// analyzer.
17// * type-II: structure with its method bodies available. Operations over such
18// iterator are inlined by the analyzer, and results of modeling
19// these operations are exposing implementation details of the
20// iterators, which is not necessarily helping.
21// * type-III: completely opaque structure. Operations over such iterator are
22// modeled conservatively, producing conjured symbols everywhere.
23//
24// To handle all these types in a common way we introduce a structure called
25// IteratorPosition which is an abstraction of the position the iterator
26// represents using symbolic expressions. The checker handles all the
27// operations on this structure.
28//
29// Additionally, depending on the circumstances, operators of types II and III
30// can be represented as:
31// * type-IIa, type-IIIa: conjured structure symbols - when returned by value
32// from conservatively evaluated methods such as
33// `.begin()`.
34// * type-IIb, type-IIIb: memory regions of iterator-typed objects, such as
35// variables or temporaries, when the iterator object is
36// currently treated as an lvalue.
37// * type-IIc, type-IIIc: compound values of iterator-typed objects, when the
38// iterator object is treated as an rvalue taken of a
39// particular lvalue, eg. a copy of "type-a" iterator
40// object, or an iterator that existed before the
41// analysis has started.
42//
43// To handle any of these three different representations stored in an SVal we
44// use setter and getters functions which separate the three cases. To store
45// them we use a pointer union of symbol and memory region.
46//
47// The checker works the following way: We record the begin and the
48// past-end iterator for all containers whenever their `.begin()` and `.end()`
49// are called. Since the Constraint Manager cannot handle such SVals we need
50// to take over its role. We post-check equality and non-equality comparisons
51// and record that the two sides are equal if we are in the 'equal' branch
52// (true-branch for `==` and false-branch for `!=`).
53//
54// In case of type-I or type-II iterators we get a concrete integer as a result
55// of the comparison (1 or 0) but in case of type-III we only get a Symbol. In
56// this latter case we record the symbol and reload it in evalAssume() and do
57// the propagation there. We also handle (maybe double) negated comparisons
58// which are represented in the form of (x == 0 or x != 0) where x is the
59// comparison itself.
60//
61// Since `SimpleConstraintManager` cannot handle complex symbolic expressions
62// we only use expressions of the format S, S+n or S-n for iterator positions
63// where S is a conjured symbol and n is an unsigned concrete integer. When
64// making an assumption e.g. `S1 + n == S2 + m` we store `S1 - S2 == m - n` as
65// a constraint which we later retrieve when doing an actual comparison.
66
67#include "clang/AST/DeclTemplate.h"
68#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
69#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
70#include "clang/StaticAnalyzer/Core/Checker.h"
71#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
72#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
73#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
74#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
75#include "llvm/ADT/STLExtras.h"
76
77#include "Iterator.h"
78
79#include <utility>
80
81using namespace clang;
82using namespace ento;
83using namespace iterator;
84
85namespace {
86
87class IteratorModeling
88 : public Checker<check::PostCall, check::PostStmt<UnaryOperator>,
89 check::PostStmt<BinaryOperator>,
90 check::PostStmt<MaterializeTemporaryExpr>,
91 check::Bind, check::LiveSymbols, check::DeadSymbols> {
92
93 using AdvanceFn = void (IteratorModeling::*)(CheckerContext &, const Expr *,
94 SVal, SVal, SVal) const;
95
96 void handleOverloadedOperator(CheckerContext &C, const CallEvent &Call,
97 OverloadedOperatorKind Op) const;
98 void handleAdvanceLikeFunction(CheckerContext &C, const CallEvent &Call,
99 const Expr *OrigExpr,
100 const AdvanceFn *Handler) const;
101
102 void handleComparison(CheckerContext &C, const Expr *CE, SVal RetVal,
103 const SVal &LVal, const SVal &RVal,
104 OverloadedOperatorKind Op) const;
105 void processComparison(CheckerContext &C, ProgramStateRef State,
106 SymbolRef Sym1, SymbolRef Sym2, const SVal &RetVal,
107 OverloadedOperatorKind Op) const;
108 void handleIncrement(CheckerContext &C, const SVal &RetVal, const SVal &Iter,
109 bool Postfix) const;
110 void handleDecrement(CheckerContext &C, const SVal &RetVal, const SVal &Iter,
111 bool Postfix) const;
112 void handleRandomIncrOrDecr(CheckerContext &C, const Expr *CE,
113 OverloadedOperatorKind Op, const SVal &RetVal,
114 const SVal &Iterator, const SVal &Amount) const;
115 void handlePtrIncrOrDecr(CheckerContext &C, const Expr *Iterator,
116 OverloadedOperatorKind OK, SVal Offset) const;
117 void handleAdvance(CheckerContext &C, const Expr *CE, SVal RetVal, SVal Iter,
118 SVal Amount) const;
119 void handlePrev(CheckerContext &C, const Expr *CE, SVal RetVal, SVal Iter,
120 SVal Amount) const;
121 void handleNext(CheckerContext &C, const Expr *CE, SVal RetVal, SVal Iter,
122 SVal Amount) const;
123 void assignToContainer(CheckerContext &C, const Expr *CE, const SVal &RetVal,
124 const MemRegion *Cont) const;
125 bool noChangeInAdvance(CheckerContext &C, SVal Iter, const Expr *CE) const;
126 void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
127 const char *Sep) const override;
128
129 // std::advance, std::prev & std::next
130 CallDescriptionMap<AdvanceFn> AdvanceLikeFunctions = {
131 // template<class InputIt, class Distance>
132 // void advance(InputIt& it, Distance n);
133 {{{"std", "advance"}, 2}, &IteratorModeling::handleAdvance},
134
135 // template<class BidirIt>
136 // BidirIt prev(
137 // BidirIt it,
138 // typename std::iterator_traits<BidirIt>::difference_type n = 1);
139 {{{"std", "prev"}, 2}, &IteratorModeling::handlePrev},
140
141 // template<class ForwardIt>
142 // ForwardIt next(
143 // ForwardIt it,
144 // typename std::iterator_traits<ForwardIt>::difference_type n = 1);
145 {{{"std", "next"}, 2}, &IteratorModeling::handleNext},
146 };
147
148public:
149 IteratorModeling() = default;
150
151 void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
152 void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &C) const;
153 void checkPostStmt(const UnaryOperator *UO, CheckerContext &C) const;
154 void checkPostStmt(const BinaryOperator *BO, CheckerContext &C) const;
155 void checkPostStmt(const MaterializeTemporaryExpr *MTE,
156 CheckerContext &C) const;
157 void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const;
158 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
159};
160
161bool isSimpleComparisonOperator(OverloadedOperatorKind OK);
162bool isSimpleComparisonOperator(BinaryOperatorKind OK);
163ProgramStateRef removeIteratorPosition(ProgramStateRef State, const SVal &Val);
164ProgramStateRef relateSymbols(ProgramStateRef State, SymbolRef Sym1,
165 SymbolRef Sym2, bool Equal);
166bool isBoundThroughLazyCompoundVal(const Environment &Env,
167 const MemRegion *Reg);
168const ExplodedNode *findCallEnter(const ExplodedNode *Node, const Expr *Call);
169
170} // namespace
171
172void IteratorModeling::checkPostCall(const CallEvent &Call,
173 CheckerContext &C) const {
174 // Record new iterator positions and iterator position changes
175 const auto *Func = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
176 if (!Func)
177 return;
178
179 if (Func->isOverloadedOperator()) {
180 const auto Op = Func->getOverloadedOperator();
181 handleOverloadedOperator(C, Call, Op);
182 return;
183 }
184
185 const auto *OrigExpr = Call.getOriginExpr();
186 if (!OrigExpr)
187 return;
188
189 const AdvanceFn *Handler = AdvanceLikeFunctions.lookup(Call);
190 if (Handler) {
191 handleAdvanceLikeFunction(C, Call, OrigExpr, Handler);
192 return;
193 }
194
195 if (!isIteratorType(Call.getResultType()))
196 return;
197
198 auto State = C.getState();
199
200 // Already bound to container?
201 if (getIteratorPosition(State, Call.getReturnValue()))
202 return;
203
204 // Copy-like and move constructors
205 if (isa<CXXConstructorCall>(&Call) && Call.getNumArgs() == 1) {
206 if (const auto *Pos = getIteratorPosition(State, Call.getArgSVal(0))) {
207 State = setIteratorPosition(State, Call.getReturnValue(), *Pos);
208 if (cast<CXXConstructorDecl>(Func)->isMoveConstructor()) {
209 State = removeIteratorPosition(State, Call.getArgSVal(0));
210 }
211 C.addTransition(State);
212 return;
213 }
214 }
215
216 // Assumption: if return value is an iterator which is not yet bound to a
217 // container, then look for the first iterator argument of the
218 // same type as the return value and bind the return value to
219 // the same container. This approach works for STL algorithms.
220 // FIXME: Add a more conservative mode
221 for (unsigned i = 0; i < Call.getNumArgs(); ++i) {
222 if (isIteratorType(Call.getArgExpr(i)->getType()) &&
223 Call.getArgExpr(i)->getType().getNonReferenceType().getDesugaredType(
224 C.getASTContext()).getTypePtr() ==
225 Call.getResultType().getDesugaredType(C.getASTContext()).getTypePtr()) {
226 if (const auto *Pos = getIteratorPosition(State, Call.getArgSVal(i))) {
227 assignToContainer(C, OrigExpr, Call.getReturnValue(),
228 Pos->getContainer());
229 return;
230 }
231 }
232 }
233}
234
235void IteratorModeling::checkBind(SVal Loc, SVal Val, const Stmt *S,
236 CheckerContext &C) const {
237 auto State = C.getState();
238 const auto *Pos = getIteratorPosition(State, Val);
239 if (Pos) {
240 State = setIteratorPosition(State, Loc, *Pos);
241 C.addTransition(State);
242 } else {
243 const auto *OldPos = getIteratorPosition(State, Loc);
244 if (OldPos) {
245 State = removeIteratorPosition(State, Loc);
246 C.addTransition(State);
247 }
248 }
249}
250
251void IteratorModeling::checkPostStmt(const UnaryOperator *UO,
252 CheckerContext &C) const {
253 UnaryOperatorKind OK = UO->getOpcode();
254 if (!isIncrementOperator(OK) && !isDecrementOperator(OK))
255 return;
256
257 auto &SVB = C.getSValBuilder();
258 handlePtrIncrOrDecr(C, UO->getSubExpr(),
259 isIncrementOperator(OK) ? OO_Plus : OO_Minus,
260 SVB.makeArrayIndex(1));
261}
262
263void IteratorModeling::checkPostStmt(const BinaryOperator *BO,
264 CheckerContext &C) const {
265 const ProgramStateRef State = C.getState();
266 const BinaryOperatorKind OK = BO->getOpcode();
267 const Expr *const LHS = BO->getLHS();
268 const Expr *const RHS = BO->getRHS();
269 const SVal LVal = State->getSVal(LHS, C.getLocationContext());
270 const SVal RVal = State->getSVal(RHS, C.getLocationContext());
271
272 if (isSimpleComparisonOperator(BO->getOpcode())) {
273 SVal Result = State->getSVal(BO, C.getLocationContext());
274 handleComparison(C, BO, Result, LVal, RVal,
275 BinaryOperator::getOverloadedOperator(OK));
276 } else if (isRandomIncrOrDecrOperator(OK)) {
277 // In case of operator+ the iterator can be either on the LHS (eg.: it + 1),
278 // or on the RHS (eg.: 1 + it). Both cases are modeled.
279 const bool IsIterOnLHS = BO->getLHS()->getType()->isPointerType();
280 const Expr *const &IterExpr = IsIterOnLHS ? LHS : RHS;
281 const Expr *const &AmountExpr = IsIterOnLHS ? RHS : LHS;
282
283 // The non-iterator side must have an integral or enumeration type.
284 if (!AmountExpr->getType()->isIntegralOrEnumerationType())
285 return;
286 const SVal &AmountVal = IsIterOnLHS ? RVal : LVal;
287 handlePtrIncrOrDecr(C, IterExpr, BinaryOperator::getOverloadedOperator(OK),
288 AmountVal);
289 }
290}
291
292void IteratorModeling::checkPostStmt(const MaterializeTemporaryExpr *MTE,
293 CheckerContext &C) const {
294 /* Transfer iterator state to temporary objects */
295 auto State = C.getState();
296 const auto *Pos = getIteratorPosition(State, C.getSVal(MTE->getSubExpr()));
297 if (!Pos)
298 return;
299 State = setIteratorPosition(State, C.getSVal(MTE), *Pos);
300 C.addTransition(State);
301}
302
303void IteratorModeling::checkLiveSymbols(ProgramStateRef State,
304 SymbolReaper &SR) const {
305 // Keep symbolic expressions of iterator positions alive
306 auto RegionMap = State->get<IteratorRegionMap>();
307 for (const IteratorPosition &Pos : llvm::make_second_range(RegionMap)) {
308 for (SymbolRef Sym : Pos.getOffset()->symbols())
309 if (isa<SymbolData>(Sym))
310 SR.markLive(Sym);
311 }
312
313 auto SymbolMap = State->get<IteratorSymbolMap>();
314 for (const IteratorPosition &Pos : llvm::make_second_range(SymbolMap)) {
315 for (SymbolRef Sym : Pos.getOffset()->symbols())
316 if (isa<SymbolData>(Sym))
317 SR.markLive(Sym);
318 }
319}
320
321void IteratorModeling::checkDeadSymbols(SymbolReaper &SR,
322 CheckerContext &C) const {
323 // Cleanup
324 auto State = C.getState();
325
326 auto RegionMap = State->get<IteratorRegionMap>();
327 for (const auto &Reg : RegionMap) {
328 if (!SR.isLiveRegion(Reg.first)) {
329 // The region behind the `LazyCompoundVal` is often cleaned up before
330 // the `LazyCompoundVal` itself. If there are iterator positions keyed
331 // by these regions their cleanup must be deferred.
332 if (!isBoundThroughLazyCompoundVal(State->getEnvironment(), Reg.first)) {
333 State = State->remove<IteratorRegionMap>(Reg.first);
334 }
335 }
336 }
337
338 auto SymbolMap = State->get<IteratorSymbolMap>();
339 for (const auto &Sym : SymbolMap) {
340 if (!SR.isLive(Sym.first)) {
341 State = State->remove<IteratorSymbolMap>(Sym.first);
342 }
343 }
344
345 C.addTransition(State);
346}
347
348void
349IteratorModeling::handleOverloadedOperator(CheckerContext &C,
350 const CallEvent &Call,
351 OverloadedOperatorKind Op) const {
352 if (isSimpleComparisonOperator(Op)) {
353 const auto *OrigExpr = Call.getOriginExpr();
354 if (!OrigExpr)
355 return;
356
357 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
358 handleComparison(C, OrigExpr, Call.getReturnValue(),
359 InstCall->getCXXThisVal(), Call.getArgSVal(0), Op);
360 return;
361 }
362
363 handleComparison(C, OrigExpr, Call.getReturnValue(), Call.getArgSVal(0),
364 Call.getArgSVal(1), Op);
365 return;
366 } else if (isRandomIncrOrDecrOperator(Op)) {
367 const auto *OrigExpr = Call.getOriginExpr();
368 if (!OrigExpr)
369 return;
370
371 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
372 if (Call.getNumArgs() >= 1 &&
373 Call.getArgExpr(0)->getType()->isIntegralOrEnumerationType()) {
374 handleRandomIncrOrDecr(C, OrigExpr, Op, Call.getReturnValue(),
375 InstCall->getCXXThisVal(), Call.getArgSVal(0));
376 return;
377 }
378 } else if (Call.getNumArgs() >= 2) {
379 const Expr *FirstArg = Call.getArgExpr(0);
380 const Expr *SecondArg = Call.getArgExpr(1);
381 const QualType FirstType = FirstArg->getType();
382 const QualType SecondType = SecondArg->getType();
383
384 if (FirstType->isIntegralOrEnumerationType() ||
385 SecondType->isIntegralOrEnumerationType()) {
386 // In case of operator+ the iterator can be either on the LHS (eg.:
387 // it + 1), or on the RHS (eg.: 1 + it). Both cases are modeled.
388 const bool IsIterFirst = FirstType->isStructureOrClassType();
389 const SVal FirstArg = Call.getArgSVal(0);
390 const SVal SecondArg = Call.getArgSVal(1);
391 const SVal &Iterator = IsIterFirst ? FirstArg : SecondArg;
392 const SVal &Amount = IsIterFirst ? SecondArg : FirstArg;
393
394 handleRandomIncrOrDecr(C, OrigExpr, Op, Call.getReturnValue(),
395 Iterator, Amount);
396 return;
397 }
398 }
399 } else if (isIncrementOperator(Op)) {
400 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
401 handleIncrement(C, Call.getReturnValue(), InstCall->getCXXThisVal(),
402 Call.getNumArgs());
403 return;
404 }
405
406 handleIncrement(C, Call.getReturnValue(), Call.getArgSVal(0),
407 Call.getNumArgs());
408 return;
409 } else if (isDecrementOperator(Op)) {
410 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
411 handleDecrement(C, Call.getReturnValue(), InstCall->getCXXThisVal(),
412 Call.getNumArgs());
413 return;
414 }
415
416 handleDecrement(C, Call.getReturnValue(), Call.getArgSVal(0),
417 Call.getNumArgs());
418 return;
419 }
420}
421
422void
423IteratorModeling::handleAdvanceLikeFunction(CheckerContext &C,
424 const CallEvent &Call,
425 const Expr *OrigExpr,
426 const AdvanceFn *Handler) const {
427 if (!C.wasInlined) {
428 (this->**Handler)(C, OrigExpr, Call.getReturnValue(),
429 Call.getArgSVal(0), Call.getArgSVal(1));
430 return;
431 }
432
433 // If std::advance() was inlined, but a non-standard function it calls inside
434 // was not, then we have to model it explicitly
435 const auto *IdInfo = cast<FunctionDecl>(Call.getDecl())->getIdentifier();
436 if (IdInfo) {
437 if (IdInfo->getName() == "advance") {
438 if (noChangeInAdvance(C, Call.getArgSVal(0), OrigExpr)) {
439 (this->**Handler)(C, OrigExpr, Call.getReturnValue(),
440 Call.getArgSVal(0), Call.getArgSVal(1));
441 }
442 }
443 }
444}
445
446void IteratorModeling::handleComparison(CheckerContext &C, const Expr *CE,
447 SVal RetVal, const SVal &LVal,
448 const SVal &RVal,
449 OverloadedOperatorKind Op) const {
450 // Record the operands and the operator of the comparison for the next
451 // evalAssume, if the result is a symbolic expression. If it is a concrete
452 // value (only one branch is possible), then transfer the state between
453 // the operands according to the operator and the result
454 auto State = C.getState();
455 const auto *LPos = getIteratorPosition(State, LVal);
456 const auto *RPos = getIteratorPosition(State, RVal);
457 const MemRegion *Cont = nullptr;
458 if (LPos) {
459 Cont = LPos->getContainer();
460 } else if (RPos) {
461 Cont = RPos->getContainer();
462 }
463 if (!Cont)
464 return;
465
466 // At least one of the iterators has recorded positions. If one of them does
467 // not then create a new symbol for the offset.
468 SymbolRef Sym;
469 if (!LPos || !RPos) {
470 auto &SymMgr = C.getSymbolManager();
471 Sym = SymMgr.conjureSymbol(CE, C.getLocationContext(),
472 C.getASTContext().LongTy, C.blockCount());
473 State = assumeNoOverflow(State, Sym, 4);
474 }
475
476 if (!LPos) {
477 State = setIteratorPosition(State, LVal,
478 IteratorPosition::getPosition(Cont, Sym));
479 LPos = getIteratorPosition(State, LVal);
480 } else if (!RPos) {
481 State = setIteratorPosition(State, RVal,
482 IteratorPosition::getPosition(Cont, Sym));
483 RPos = getIteratorPosition(State, RVal);
484 }
485
486 // If the value for which we just tried to set a new iterator position is
487 // an `SVal`for which no iterator position can be set then the setting was
488 // unsuccessful. We cannot handle the comparison in this case.
489 if (!LPos || !RPos)
490 return;
491
492 // We cannot make assumptions on `UnknownVal`. Let us conjure a symbol
493 // instead.
494 if (RetVal.isUnknown()) {
495 auto &SymMgr = C.getSymbolManager();
496 auto *LCtx = C.getLocationContext();
497 RetVal = nonloc::SymbolVal(SymMgr.conjureSymbol(
498 CE, LCtx, C.getASTContext().BoolTy, C.blockCount()));
499 State = State->BindExpr(CE, LCtx, RetVal);
500 }
501
502 processComparison(C, State, LPos->getOffset(), RPos->getOffset(), RetVal, Op);
503}
504
505void IteratorModeling::processComparison(CheckerContext &C,
506 ProgramStateRef State, SymbolRef Sym1,
507 SymbolRef Sym2, const SVal &RetVal,
508 OverloadedOperatorKind Op) const {
509 if (const auto TruthVal = RetVal.getAs<nonloc::ConcreteInt>()) {
510 if ((State = relateSymbols(State, Sym1, Sym2,
511 (Op == OO_EqualEqual) ==
512 (TruthVal->getValue() != 0)))) {
513 C.addTransition(State);
514 } else {
515 C.generateSink(State, C.getPredecessor());
516 }
517 return;
518 }
519
520 const auto ConditionVal = RetVal.getAs<DefinedSVal>();
521 if (!ConditionVal)
522 return;
523
524 if (auto StateTrue = relateSymbols(State, Sym1, Sym2, Op == OO_EqualEqual)) {
525 StateTrue = StateTrue->assume(*ConditionVal, true);
526 C.addTransition(StateTrue);
527 }
528
529 if (auto StateFalse = relateSymbols(State, Sym1, Sym2, Op != OO_EqualEqual)) {
530 StateFalse = StateFalse->assume(*ConditionVal, false);
531 C.addTransition(StateFalse);
532 }
533}
534
535void IteratorModeling::handleIncrement(CheckerContext &C, const SVal &RetVal,
536 const SVal &Iter, bool Postfix) const {
537 // Increment the symbolic expressions which represents the position of the
538 // iterator
539 auto State = C.getState();
540 auto &BVF = C.getSymbolManager().getBasicVals();
541
542 const auto *Pos = getIteratorPosition(State, Iter);
543 if (!Pos)
544 return;
545
546 auto NewState =
547 advancePosition(State, Iter, OO_Plus,
548 nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(1))));
549 assert(NewState &&
550 "Advancing position by concrete int should always be successful");
551
552 const auto *NewPos = getIteratorPosition(NewState, Iter);
553 assert(NewPos &&
554 "Iterator should have position after successful advancement");
555
556 State = setIteratorPosition(State, Iter, *NewPos);
557 State = setIteratorPosition(State, RetVal, Postfix ? *Pos : *NewPos);
558 C.addTransition(State);
559}
560
561void IteratorModeling::handleDecrement(CheckerContext &C, const SVal &RetVal,
562 const SVal &Iter, bool Postfix) const {
563 // Decrement the symbolic expressions which represents the position of the
564 // iterator
565 auto State = C.getState();
566 auto &BVF = C.getSymbolManager().getBasicVals();
567
568 const auto *Pos = getIteratorPosition(State, Iter);
569 if (!Pos)
570 return;
571
572 auto NewState =
573 advancePosition(State, Iter, OO_Minus,
574 nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(1))));
575 assert(NewState &&
576 "Advancing position by concrete int should always be successful");
577
578 const auto *NewPos = getIteratorPosition(NewState, Iter);
579 assert(NewPos &&
580 "Iterator should have position after successful advancement");
581
582 State = setIteratorPosition(State, Iter, *NewPos);
583 State = setIteratorPosition(State, RetVal, Postfix ? *Pos : *NewPos);
584 C.addTransition(State);
585}
586
587void IteratorModeling::handleRandomIncrOrDecr(CheckerContext &C, const Expr *CE,
588 OverloadedOperatorKind Op,
589 const SVal &RetVal,
590 const SVal &Iterator,
591 const SVal &Amount) const {
592 // Increment or decrement the symbolic expressions which represents the
593 // position of the iterator
594 auto State = C.getState();
595
596 const auto *Pos = getIteratorPosition(State, Iterator);
597 if (!Pos)
598 return;
599
600 const auto *Value = &Amount;
601 SVal Val;
602 if (auto LocAmount = Amount.getAs<Loc>()) {
603 Val = State->getRawSVal(*LocAmount);
604 Value = &Val;
605 }
606
607 const auto &TgtVal =
608 (Op == OO_PlusEqual || Op == OO_MinusEqual) ? Iterator : RetVal;
609
610 // `AdvancedState` is a state where the position of `LHS` is advanced. We
611 // only need this state to retrieve the new position, but we do not want
612 // to change the position of `LHS` (in every case).
613 auto AdvancedState = advancePosition(State, Iterator, Op, *Value);
614 if (AdvancedState) {
615 const auto *NewPos = getIteratorPosition(AdvancedState, Iterator);
616 assert(NewPos &&
617 "Iterator should have position after successful advancement");
618
619 State = setIteratorPosition(State, TgtVal, *NewPos);
620 C.addTransition(State);
621 } else {
622 assignToContainer(C, CE, TgtVal, Pos->getContainer());
623 }
624}
625
626void IteratorModeling::handlePtrIncrOrDecr(CheckerContext &C,
627 const Expr *Iterator,
628 OverloadedOperatorKind OK,
629 SVal Offset) const {
630 if (!isa<DefinedSVal>(Offset))
631 return;
632
633 QualType PtrType = Iterator->getType();
634 if (!PtrType->isPointerType())
635 return;
636 QualType ElementType = PtrType->getPointeeType();
637
638 ProgramStateRef State = C.getState();
639 SVal OldVal = State->getSVal(Iterator, C.getLocationContext());
640
641 const IteratorPosition *OldPos = getIteratorPosition(State, OldVal);
642 if (!OldPos)
643 return;
644
645 SVal NewVal;
646 if (OK == OO_Plus || OK == OO_PlusEqual) {
647 NewVal = State->getLValue(ElementType, Offset, OldVal);
648 } else {
649 auto &SVB = C.getSValBuilder();
650 SVal NegatedOffset = SVB.evalMinus(Offset.castAs<NonLoc>());
651 NewVal = State->getLValue(ElementType, NegatedOffset, OldVal);
652 }
653
654 // `AdvancedState` is a state where the position of `Old` is advanced. We
655 // only need this state to retrieve the new position, but we do not want
656 // ever to change the position of `OldVal`.
657 auto AdvancedState = advancePosition(State, OldVal, OK, Offset);
658 if (AdvancedState) {
659 const IteratorPosition *NewPos = getIteratorPosition(AdvancedState, OldVal);
660 assert(NewPos &&
661 "Iterator should have position after successful advancement");
662
663 ProgramStateRef NewState = setIteratorPosition(State, NewVal, *NewPos);
664 C.addTransition(NewState);
665 } else {
666 assignToContainer(C, Iterator, NewVal, OldPos->getContainer());
667 }
668}
669
670void IteratorModeling::handleAdvance(CheckerContext &C, const Expr *CE,
671 SVal RetVal, SVal Iter,
672 SVal Amount) const {
673 handleRandomIncrOrDecr(C, CE, OO_PlusEqual, RetVal, Iter, Amount);
674}
675
676void IteratorModeling::handlePrev(CheckerContext &C, const Expr *CE,
677 SVal RetVal, SVal Iter, SVal Amount) const {
678 handleRandomIncrOrDecr(C, CE, OO_Minus, RetVal, Iter, Amount);
679}
680
681void IteratorModeling::handleNext(CheckerContext &C, const Expr *CE,
682 SVal RetVal, SVal Iter, SVal Amount) const {
683 handleRandomIncrOrDecr(C, CE, OO_Plus, RetVal, Iter, Amount);
684}
685
686void IteratorModeling::assignToContainer(CheckerContext &C, const Expr *CE,
687 const SVal &RetVal,
688 const MemRegion *Cont) const {
689 Cont = Cont->getMostDerivedObjectRegion();
690
691 auto State = C.getState();
692 const auto *LCtx = C.getLocationContext();
693 State = createIteratorPosition(State, RetVal, Cont, CE, LCtx, C.blockCount());
694
695 C.addTransition(State);
696}
697
698bool IteratorModeling::noChangeInAdvance(CheckerContext &C, SVal Iter,
699 const Expr *CE) const {
700 // Compare the iterator position before and after the call. (To be called
701 // from `checkPostCall()`.)
702 const auto StateAfter = C.getState();
703
704 const auto *PosAfter = getIteratorPosition(StateAfter, Iter);
705 // If we have no position after the call of `std::advance`, then we are not
706 // interested. (Modeling of an inlined `std::advance()` should not remove the
707 // position in any case.)
708 if (!PosAfter)
709 return false;
710
711 const ExplodedNode *N = findCallEnter(C.getPredecessor(), CE);
712 assert(N && "Any call should have a `CallEnter` node.");
713
714 const auto StateBefore = N->getState();
715 const auto *PosBefore = getIteratorPosition(StateBefore, Iter);
716 // FIXME: `std::advance()` should not create a new iterator position but
717 // change existing ones. However, in case of iterators implemented as
718 // pointers the handling of parameters in `std::advance()`-like
719 // functions is still incomplete which may result in cases where
720 // the new position is assigned to the wrong pointer. This causes
721 // crash if we use an assertion here.
722 if (!PosBefore)
723 return false;
724
725 return PosBefore->getOffset() == PosAfter->getOffset();
726}
727
728void IteratorModeling::printState(raw_ostream &Out, ProgramStateRef State,
729 const char *NL, const char *Sep) const {
730 auto SymbolMap = State->get<IteratorSymbolMap>();
731 auto RegionMap = State->get<IteratorRegionMap>();
732 // Use a counter to add newlines before every line except the first one.
733 unsigned Count = 0;
734
735 if (!SymbolMap.isEmpty() || !RegionMap.isEmpty()) {
736 Out << Sep << "Iterator Positions :" << NL;
737 for (const auto &Sym : SymbolMap) {
738 if (Count++)
739 Out << NL;
740
741 Sym.first->dumpToStream(Out);
742 Out << " : ";
743 const auto Pos = Sym.second;
744 Out << (Pos.isValid() ? "Valid" : "Invalid") << " ; Container == ";
745 Pos.getContainer()->dumpToStream(Out);
746 Out<<" ; Offset == ";
747 Pos.getOffset()->dumpToStream(Out);
748 }
749
750 for (const auto &Reg : RegionMap) {
751 if (Count++)
752 Out << NL;
753
754 Reg.first->dumpToStream(Out);
755 Out << " : ";
756 const auto Pos = Reg.second;
757 Out << (Pos.isValid() ? "Valid" : "Invalid") << " ; Container == ";
758 Pos.getContainer()->dumpToStream(Out);
759 Out<<" ; Offset == ";
760 Pos.getOffset()->dumpToStream(Out);
761 }
762 }
763}
764
765namespace {
766
767bool isSimpleComparisonOperator(OverloadedOperatorKind OK) {
768 return OK == OO_EqualEqual || OK == OO_ExclaimEqual;
769}
770
771bool isSimpleComparisonOperator(BinaryOperatorKind OK) {
772 return OK == BO_EQ || OK == BO_NE;
773}
774
775ProgramStateRef removeIteratorPosition(ProgramStateRef State, const SVal &Val) {
776 if (auto Reg = Val.getAsRegion()) {
777 Reg = Reg->getMostDerivedObjectRegion();
778 return State->remove<IteratorRegionMap>(Reg);
779 } else if (const auto Sym = Val.getAsSymbol()) {
780 return State->remove<IteratorSymbolMap>(Sym);
781 } else if (const auto LCVal = Val.getAs<nonloc::LazyCompoundVal>()) {
782 return State->remove<IteratorRegionMap>(LCVal->getRegion());
783 }
784 return nullptr;
785}
786
787ProgramStateRef relateSymbols(ProgramStateRef State, SymbolRef Sym1,
788 SymbolRef Sym2, bool Equal) {
789 auto &SVB = State->getStateManager().getSValBuilder();
790
791 // FIXME: This code should be reworked as follows:
792 // 1. Subtract the operands using evalBinOp().
793 // 2. Assume that the result doesn't overflow.
794 // 3. Compare the result to 0.
795 // 4. Assume the result of the comparison.
796 const auto comparison =
797 SVB.evalBinOp(State, BO_EQ, nonloc::SymbolVal(Sym1),
798 nonloc::SymbolVal(Sym2), SVB.getConditionType());
799
800 assert(isa<DefinedSVal>(comparison) &&
801 "Symbol comparison must be a `DefinedSVal`");
802
803 auto NewState = State->assume(comparison.castAs<DefinedSVal>(), Equal);
804 if (!NewState)
805 return nullptr;
806
807 if (const auto CompSym = comparison.getAsSymbol()) {
808 assert(isa<SymIntExpr>(CompSym) &&
809 "Symbol comparison must be a `SymIntExpr`");
810 assert(BinaryOperator::isComparisonOp(
811 cast<SymIntExpr>(CompSym)->getOpcode()) &&
812 "Symbol comparison must be a comparison");
813 return assumeNoOverflow(NewState, cast<SymIntExpr>(CompSym)->getLHS(), 2);
814 }
815
816 return NewState;
817}
818
819bool isBoundThroughLazyCompoundVal(const Environment &Env,
820 const MemRegion *Reg) {
821 for (const auto &Binding : Env) {
822 if (const auto LCVal = Binding.second.getAs<nonloc::LazyCompoundVal>()) {
823 if (LCVal->getRegion() == Reg)
824 return true;
825 }
826 }
827
828 return false;
829}
830
831const ExplodedNode *findCallEnter(const ExplodedNode *Node, const Expr *Call) {
832 while (Node) {
833 ProgramPoint PP = Node->getLocation();
834 if (auto Enter = PP.getAs<CallEnter>()) {
835 if (Enter->getCallExpr() == Call)
836 break;
837 }
838
839 Node = Node->getFirstPred();
840 }
841
842 return Node;
843}
844
845} // namespace
846
847void ento::registerIteratorModeling(CheckerManager &mgr) {
848 mgr.registerChecker<IteratorModeling>();
849}
850
851bool ento::shouldRegisterIteratorModeling(const CheckerManager &mgr) {
852 return true;
853}
Node
DynTypedNode Node
Definition: ASTMatchFinder.cpp:70
DeclTemplate.h
Defines the C++ template declaration subclasses.
Env
const Environment & Env
Definition: HTMLLogger.cpp:144
Iter
unsigned Iter
Definition: HTMLLogger.cpp:150
clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition: Expr.h:3862
clang::BinaryOperator::getLHS
Expr * getLHS() const
Definition: Expr.h:3911
clang::BinaryOperator::getOverloadedOperator
static OverloadedOperatorKind getOverloadedOperator(Opcode Opc)
Retrieve the overloaded operator kind that corresponds to the given binary opcode.
Definition: Expr.cpp:2156
clang::BinaryOperator::isComparisonOp
bool isComparisonOp() const
Definition: Expr.h:3962
clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition: Expr.h:3913
clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition: Expr.h:3906
clang::CallEnter
Represents a point when we begin processing an inlined call.
Definition: ProgramPoint.h:628
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::Expr::getType
QualType getType() const
Definition: Expr.h:142
clang::MaterializeTemporaryExpr
Represents a prvalue temporary that is written into memory so that a reference can bind to it.
Definition: ExprCXX.h:4593
clang::MaterializeTemporaryExpr::getSubExpr
Expr * getSubExpr() const
Retrieve the temporary-generating subexpression whose value will be materialized into a glvalue.
Definition: ExprCXX.h:4610
clang::ProgramPoint::getAs
std::optional< T > getAs() const
Convert to the specified ProgramPoint type, returning std::nullopt if this ProgramPoint is not of the...
Definition: ProgramPoint.h:147
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:736
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:84
clang::Type::isPointerType
bool isPointerType() const
Definition: Type.h:7033
clang::Type::getPointeeType
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee.
Definition: Type.cpp:651
clang::Type::isIntegralOrEnumerationType
bool isIntegralOrEnumerationType() const
Determine whether this type is an integral or enumeration type.
Definition: Type.h:7455
clang::Type::isStructureOrClassType
bool isStructureOrClassType() const
Definition: Type.cpp:607
clang::UnaryOperator
UnaryOperator - This represents the unary-expression's (except sizeof and alignof),...
Definition: Expr.h:2210
clang::UnaryOperator::getSubExpr
Expr * getSubExpr() const
Definition: Expr.h:2255
clang::UnaryOperator::getOpcode
Opcode getOpcode() const
Definition: Expr.h:2250
clang::ento::CallDescriptionMap
An immutable map from CallDescriptions to arbitrary data.
Definition: CallDescription.h:164
clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:152
clang::ento::CheckerBase::printState
virtual void printState(raw_ostream &Out, ProgramStateRef State, const char *NL, const char *Sep) const
See CheckerManager::runCheckersForPrintState.
Definition: Checker.h:500
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::Environment
An immutable map from EnvironemntEntries to SVals.
Definition: Environment.h:56
clang::ento::ExplodedNode::getState
const ProgramStateRef & getState() const
Definition: ExplodedGraph.h:169
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:96
clang::ento::MemRegion::getMostDerivedObjectRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getMostDerivedObjectRegion() const
Recursively retrieve the region of the most derived class instance of regions of C++ base class insta...
Definition: MemRegion.cpp:1355
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
clang::ento::SVal::getAsSymbol
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:104
clang::ento::SVal::getAs
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition: SVals.h:86
clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
clang::ento::SVal::isUnknown
bool isUnknown() const
Definition: SVals.h:102
clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:30
clang::ento::SymExpr::dumpToStream
virtual void dumpToStream(raw_ostream &os) const
Definition: SymExpr.h:61
clang::ento::SymExpr::symbols
llvm::iterator_range< symbol_iterator > symbols() const
Definition: SymExpr.h:87
clang::ento::SymbolReaper
A class responsible for cleaning up unused symbols.
Definition: SymbolManager.h:573
clang::ento::SymbolReaper::markLive
void markLive(SymbolRef sym)
Unconditionally marks a symbol as live.
Definition: SymbolManager.cpp:398
clang::ento::SymbolReaper::isLiveRegion
bool isLiveRegion(const MemRegion *region)
Definition: SymbolManager.cpp:428
clang::ento::SymbolReaper::isLive
bool isLive(SymbolRef sym)
Definition: SymbolManager.cpp:459
clang::ento::nonloc::ConcreteInt
Value representing integer constant.
Definition: SVals.h:305
clang::ento::nonloc::SymbolVal
Represents symbolic expression that isn't a location.
Definition: SVals.h:284
clang::ento::iterator::isIteratorType
bool isIteratorType(const QualType &Type)
Definition: Iterator.cpp:19
clang::ento::iterator::advancePosition
ProgramStateRef advancePosition(ProgramStateRef State, const SVal &Iter, OverloadedOperatorKind Op, const SVal &Distance)
Definition: Iterator.cpp:224
clang::ento::iterator::getIteratorPosition
const IteratorPosition * getIteratorPosition(ProgramStateRef State, const SVal &Val)
Definition: Iterator.cpp:184
clang::ento::iterator::assumeNoOverflow
ProgramStateRef assumeNoOverflow(ProgramStateRef State, SymbolRef Sym, long Scale)
Definition: Iterator.cpp:265
clang::ento::iterator::setIteratorPosition
ProgramStateRef setIteratorPosition(ProgramStateRef State, const SVal &Val, const IteratorPosition &Pos)
Definition: Iterator.cpp:197
clang::ento::iterator::isRandomIncrOrDecrOperator
bool isRandomIncrOrDecrOperator(OverloadedOperatorKind OK)
Definition: Iterator.cpp:169
clang::ento::iterator::isDecrementOperator
bool isDecrementOperator(OverloadedOperatorKind OK)
Definition: Iterator.cpp:161
clang::ento::iterator::isIncrementOperator
bool isIncrementOperator(OverloadedOperatorKind OK)
Definition: Iterator.cpp:153
clang::ento::iterator::createIteratorPosition
ProgramStateRef createIteratorPosition(ProgramStateRef State, const SVal &Val, const MemRegion *Cont, const Stmt *S, const LocationContext *LCtx, unsigned blockCount)
Definition: Iterator.cpp:210
clang::OverloadedOperatorKind
OverloadedOperatorKind
Enumeration specifying the different kinds of C++ overloaded operators.
Definition: OperatorKinds.h:21
clang::BinaryOperatorKind
BinaryOperatorKind
Definition: OperationKinds.h:25
clang::UnaryOperatorKind
UnaryOperatorKind
Definition: OperationKinds.h:30
clang::ento::iterator::IteratorPosition::getContainer
const MemRegion * getContainer() const
Definition: Iterator.h:42
clang::ento::iterator::IteratorPosition::getPosition
static IteratorPosition getPosition(const MemRegion *C, SymbolRef Of)
Definition: Iterator.h:50
Generated on Sun Dec 3 2023 10:22:48 for clang by doxygen 1.9.6