Go to the documentation of this file.
17 #include "llvm/ADT/StringRef.h"
18 #include "llvm/IR/Constants.h"
20 using namespace clang;
21 using namespace CodeGen;
26 return SS.
hasOneOf(SanitizerKind::Address | SanitizerKind::KernelAddress |
27 SanitizerKind::HWAddress | SanitizerKind::KernelHWAddress |
28 SanitizerKind::MemTag);
40 llvm::Metadata *LocDescr =
nullptr;
41 llvm::Metadata *GlobalName =
nullptr;
46 LocDescr = getLocationMetadata(Loc);
48 GlobalName = llvm::MDString::get(VMContext, Name);
51 llvm::Metadata *GlobalMetadata[] = {
52 llvm::ConstantAsMetadata::get(GV), LocDescr, GlobalName,
53 llvm::ConstantAsMetadata::get(
54 llvm::ConstantInt::get(llvm::Type::getInt1Ty(VMContext), IsDynInit)),
55 llvm::ConstantAsMetadata::get(llvm::ConstantInt::get(
56 llvm::Type::getInt1Ty(VMContext), IsExcluded))};
58 llvm::MDNode *ThisGlobal = llvm::MDNode::get(VMContext, GlobalMetadata);
59 llvm::NamedMDNode *AsanGlobals =
60 CGM.
getModule().getOrInsertNamedMetadata(
"llvm.asan.globals");
61 AsanGlobals->addOperand(ThisGlobal);
65 const VarDecl &D,
bool IsDynInit) {
69 llvm::raw_string_ostream OS(QualName);
72 bool IsExcluded =
false;
74 if (
Attr->getMask() & SanitizerKind::Address)
76 if (D.
hasAttr<DisableSanitizerInstrumentationAttr>())
90 I->setMetadata(CGM.
getModule().getMDKindID(
"nosanitize"),
94 llvm::MDNode *SanitizerMetadata::getLocationMetadata(
SourceLocation Loc) {
99 llvm::Metadata *LocMetadata[] = {
100 llvm::MDString::get(VMContext, PLoc.
getFilename()),
101 llvm::ConstantAsMetadata::get(llvm::ConstantInt::get(
102 llvm::Type::getInt32Ty(VMContext), PLoc.
getLine())),
103 llvm::ConstantAsMetadata::get(llvm::ConstantInt::get(
104 llvm::Type::getInt32Ty(VMContext), PLoc.
getColumn())),
106 return llvm::MDNode::get(VMContext, LocMetadata);
int __ovld __cnfn all(char)
Returns 1 if the most significant bit in all components of x is set; otherwise returns 0.
bool Add(InterpState &S, CodePtr OpPC)
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these efficiently
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data individual Checkers work by also manipulating the analysis state The analyzer engine talks to them via a visitor interface For example
for(unsigned I=0, E=TL.getNumArgs();I !=E;++I)
unsigned getLine() const
Return the presumed line number of this location.
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data individual Checkers work by also manipulating the analysis state The analyzer engine talks to them via a visitor interface For the PreVisitCallExpr() method is called by GRExprEngine to tell the Checker that we are about to analyze a CallExpr
if(T->getSizeExpr()) TRY_TO(TraverseStmt(T -> getSizeExpr()))
Encodes a location in the source.
A (possibly-)qualified type.
ASTContext & getContext() const
bool hasOneOf(SanitizerMask K) const
Check if one or more sanitizers are enabled.
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to change
const LangOptions & getLangOpts() const
PresumedLoc getPresumedLoc(SourceLocation Loc, bool UseLineDirectives=true) const
Returns the "presumed" location of a SourceLocation specifies.
SourceManager & getSourceManager()
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis engine
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor interfaces(Checker.h and CheckerVisitor.h). The Checker interface is designed to be minimal and simple for checker writers
int __ovld __cnfn any(char)
Returns 1 if the most significant bit in any component of x is set; otherwise returns 0.
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded graph(ExplodedGraph). The term "exploded" comes from exploding the control-flow edges in the control-flow graph(CFG). Conceptually the analyzer does a reachability analysis through the ExplodedGraph. We start at a root node
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data individual Checkers work by also manipulating the analysis state The analyzer engine talks to them via a visitor interface For the and the checker is asked to check for any preconditions that might not be satisfied The checker can do nothing
llvm::iterator_range< specific_attr_iterator< T > > specific_attrs() const
const char * getFilename() const
Return the presumed filename of this location.
llvm::Module & getModule() const
Represents a variable declaration or definition.
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data individual Checkers work by also manipulating the analysis state The analyzer engine talks to them via a visitor interface For the and the checker is asked to check for any preconditions that might not be satisfied The checker can do or it can generate a new ProgramState and ExplodedNode which contains updated checker state If it finds a it can tell the BugReporter object about the providing it an ExplodedNode which is the last node in the path that triggered the problem
unsigned getColumn() const
Return the presumed column number of this location.
IRgen optimization opportunities The common pattern of short x
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial state
SanitizerSet Sanitize
Set of enabled sanitizers.
std::unique_ptr< DiagnosticConsumer > create(StringRef OutputFile, DiagnosticOptions *Diags, bool MergeChildRecords=false)
Returns a DiagnosticConsumer that serializes diagnostics to a bitcode file.
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data individual Checkers work by also manipulating the analysis state The analyzer engine talks to them via a visitor interface For the and the checker is asked to check for any preconditions that might not be satisfied The checker can do or it can generate a new ProgramState and ExplodedNode which contains updated checker state If it finds a bug
static void dump(llvm::raw_ostream &OS, StringRef FunctionName, ArrayRef< CounterExpression > Expressions, ArrayRef< CounterMappingRegion > Regions)
This class organizes the cross-function state that is used while generating LLVM code.
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a ProgramState
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the program(values of variables and expressions) is encapsulated by the state(ProgramState). A location in the program is called a program point(ProgramPoint)
float __ovld __cnfn sign(float)
Returns 1.0 if x > 0, -0.0 if x = -0.0, +0.0 if x = +0.0, or -1.0 if x < 0.
float __ovld __cnfn dot(float, float)
Compute dot product.
static bool contains(const std::set< tok::TokenKind > &Terminators, const Token &Tok)
bool This(InterpState &S, CodePtr OpPC)
Attr - This represents one attribute.
Represents an unpacked "presumed" location which can be presented to the user.
void printQualifiedName(raw_ostream &OS) const
Returns a human-readable qualified name for this declaration, like A::B::i, for i being member of nam...
const internal::ArgumentAdaptingMatcherFunc< internal::HasMatcher > has
Matches AST nodes that have child AST nodes that match the provided matcher.
SourceLocation getLocation() const
llvm::LLVMContext & getLLVMContext()
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data structures(e.g., ImmutableMaps) which share data between instances. Finally
SymbolRef simplify(ProgramStateRef State, SymbolRef Sym)
Try to simplify a given symbolic expression based on the constraints in State.
bool isInNoSanitizeList(SanitizerMask Kind, llvm::Function *Fn, SourceLocation Loc) const