clang 17.0.0git
SmartPtrModeling.cpp
Go to the documentation of this file.
1// SmartPtrModeling.cpp - Model behavior of C++ smart pointers - C++ ------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines a checker that models various aspects of
10// C++ smart pointer behavior.
11//
12//===----------------------------------------------------------------------===//
13
14#include "Move.h"
15#include "SmartPtr.h"
16
17#include "clang/AST/DeclCXX.h"
18#include "clang/AST/DeclarationName.h"
19#include "clang/AST/ExprCXX.h"
20#include "clang/AST/Type.h"
21#include "clang/Basic/LLVM.h"
22#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
23#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
24#include "clang/StaticAnalyzer/Core/Checker.h"
25#include "clang/StaticAnalyzer/Core/CheckerManager.h"
26#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
27#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
28#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
29#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
30#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
31#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
32#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
33#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
34#include "llvm/ADT/StringMap.h"
35#include "llvm/Support/ErrorHandling.h"
36#include <optional>
37#include <string>
38
39using namespace clang;
40using namespace ento;
41
42namespace {
43
44class SmartPtrModeling
45 : public Checker<eval::Call, check::DeadSymbols, check::RegionChanges,
46 check::LiveSymbols> {
47
48 bool isBoolConversionMethod(const CallEvent &Call) const;
49
50public:
51 // Whether the checker should model for null dereferences of smart pointers.
52 bool ModelSmartPtrDereference = false;
53 bool evalCall(const CallEvent &Call, CheckerContext &C) const;
54 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
55 ProgramStateRef
56 checkRegionChanges(ProgramStateRef State,
57 const InvalidatedSymbols *Invalidated,
58 ArrayRef<const MemRegion *> ExplicitRegions,
59 ArrayRef<const MemRegion *> Regions,
60 const LocationContext *LCtx, const CallEvent *Call) const;
61 void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
62 const char *Sep) const override;
63 void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const;
64
65private:
66 void handleReset(const CallEvent &Call, CheckerContext &C) const;
67 void handleRelease(const CallEvent &Call, CheckerContext &C) const;
68 void handleSwapMethod(const CallEvent &Call, CheckerContext &C) const;
69 void handleGet(const CallEvent &Call, CheckerContext &C) const;
70 bool handleAssignOp(const CallEvent &Call, CheckerContext &C) const;
71 bool handleMoveCtr(const CallEvent &Call, CheckerContext &C,
72 const MemRegion *ThisRegion) const;
73 bool updateMovedSmartPointers(CheckerContext &C, const MemRegion *ThisRegion,
74 const MemRegion *OtherSmartPtrRegion,
75 const CallEvent &Call) const;
76 void handleBoolConversion(const CallEvent &Call, CheckerContext &C) const;
77 bool handleComparisionOp(const CallEvent &Call, CheckerContext &C) const;
78 bool handleOstreamOperator(const CallEvent &Call, CheckerContext &C) const;
79 bool handleSwap(ProgramStateRef State, SVal First, SVal Second,
80 CheckerContext &C) const;
81 std::pair<SVal, ProgramStateRef>
82 retrieveOrConjureInnerPtrVal(ProgramStateRef State,
83 const MemRegion *ThisRegion, const Expr *E,
84 QualType Type, CheckerContext &C) const;
85
86 using SmartPtrMethodHandlerFn =
87 void (SmartPtrModeling::*)(const CallEvent &Call, CheckerContext &) const;
88 CallDescriptionMap<SmartPtrMethodHandlerFn> SmartPtrMethodHandlers{
89 {{{"reset"}}, &SmartPtrModeling::handleReset},
90 {{{"release"}}, &SmartPtrModeling::handleRelease},
91 {{{"swap"}, 1}, &SmartPtrModeling::handleSwapMethod},
92 {{{"get"}}, &SmartPtrModeling::handleGet}};
93 const CallDescription StdSwapCall{{"std", "swap"}, 2};
94 const CallDescription StdMakeUniqueCall{{"std", "make_unique"}};
95 const CallDescription StdMakeUniqueForOverwriteCall{
96 {"std", "make_unique_for_overwrite"}};
97};
98} // end of anonymous namespace
99
100REGISTER_MAP_WITH_PROGRAMSTATE(TrackedRegionMap, const MemRegion *, SVal)
101
102// Checks if RD has name in Names and is in std namespace
103static bool hasStdClassWithName(const CXXRecordDecl *RD,
104 ArrayRef<llvm::StringLiteral> Names) {
105 if (!RD || !RD->getDeclContext()->isStdNamespace())
106 return false;
107 if (RD->getDeclName().isIdentifier())
108 return llvm::is_contained(Names, RD->getName());
109 return false;
110}
111
112constexpr llvm::StringLiteral STD_PTR_NAMES[] = {"shared_ptr", "unique_ptr",
113 "weak_ptr"};
114
115static bool isStdSmartPtr(const CXXRecordDecl *RD) {
116 return hasStdClassWithName(RD, STD_PTR_NAMES);
117}
118
119static bool isStdSmartPtr(const Expr *E) {
120 return isStdSmartPtr(E->getType()->getAsCXXRecordDecl());
121}
122
123// Define the inter-checker API.
124namespace clang {
125namespace ento {
126namespace smartptr {
127bool isStdSmartPtrCall(const CallEvent &Call) {
128 const auto *MethodDecl = dyn_cast_or_null<CXXMethodDecl>(Call.getDecl());
129 if (!MethodDecl || !MethodDecl->getParent())
130 return false;
131 return isStdSmartPtr(MethodDecl->getParent());
132}
133
134bool isStdSmartPtr(const CXXRecordDecl *RD) {
135 if (!RD || !RD->getDeclContext()->isStdNamespace())
136 return false;
137
138 if (RD->getDeclName().isIdentifier()) {
139 StringRef Name = RD->getName();
140 return Name == "shared_ptr" || Name == "unique_ptr" || Name == "weak_ptr";
141 }
142 return false;
143}
144
145bool isStdSmartPtr(const Expr *E) {
146 return isStdSmartPtr(E->getType()->getAsCXXRecordDecl());
147}
148
149bool isNullSmartPtr(const ProgramStateRef State, const MemRegion *ThisRegion) {
150 const auto *InnerPointVal = State->get<TrackedRegionMap>(ThisRegion);
151 return InnerPointVal &&
152 !State->assume(InnerPointVal->castAs<DefinedOrUnknownSVal>(), true);
153}
154} // namespace smartptr
155} // namespace ento
156} // namespace clang
157
158// If a region is removed all of the subregions need to be removed too.
159static TrackedRegionMapTy
160removeTrackedSubregions(TrackedRegionMapTy RegionMap,
161 TrackedRegionMapTy::Factory &RegionMapFactory,
162 const MemRegion *Region) {
163 if (!Region)
164 return RegionMap;
165 for (const auto &E : RegionMap) {
166 if (E.first->isSubRegionOf(Region))
167 RegionMap = RegionMapFactory.remove(RegionMap, E.first);
168 }
169 return RegionMap;
170}
171
172static ProgramStateRef updateSwappedRegion(ProgramStateRef State,
173 const MemRegion *Region,
174 const SVal *RegionInnerPointerVal) {
175 if (RegionInnerPointerVal) {
176 State = State->set<TrackedRegionMap>(Region, *RegionInnerPointerVal);
177 } else {
178 State = State->remove<TrackedRegionMap>(Region);
179 }
180 return State;
181}
182
183static QualType getInnerPointerType(CheckerContext C, const CXXRecordDecl *RD) {
184 if (!RD || !RD->isInStdNamespace())
185 return {};
186
187 const auto *TSD = dyn_cast<ClassTemplateSpecializationDecl>(RD);
188 if (!TSD)
189 return {};
190
191 auto TemplateArgs = TSD->getTemplateArgs().asArray();
192 if (TemplateArgs.empty())
193 return {};
194 auto InnerValueType = TemplateArgs[0].getAsType();
195 return C.getASTContext().getPointerType(InnerValueType.getCanonicalType());
196}
197
198// This is for use with standalone-functions like std::make_unique,
199// std::make_unique_for_overwrite, etc. It reads the template parameter and
200// returns the pointer type corresponding to it,
201static QualType getPointerTypeFromTemplateArg(const CallEvent &Call,
202 CheckerContext &C) {
203 const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
204 if (!FD || !FD->isFunctionTemplateSpecialization())
205 return {};
206 const auto &TemplateArgs = FD->getTemplateSpecializationArgs()->asArray();
207 if (TemplateArgs.size() == 0)
208 return {};
209 auto ValueType = TemplateArgs[0].getAsType();
210 return C.getASTContext().getPointerType(ValueType.getCanonicalType());
211}
212
213// Helper method to get the inner pointer type of specialized smart pointer
214// Returns empty type if not found valid inner pointer type.
215static QualType getInnerPointerType(const CallEvent &Call, CheckerContext &C) {
216 const auto *MethodDecl = dyn_cast_or_null<CXXMethodDecl>(Call.getDecl());
217 if (!MethodDecl || !MethodDecl->getParent())
218 return {};
219
220 const auto *RecordDecl = MethodDecl->getParent();
221 return getInnerPointerType(C, RecordDecl);
222}
223
224// Helper method to pretty print region and avoid extra spacing.
225static void checkAndPrettyPrintRegion(llvm::raw_ostream &OS,
226 const MemRegion *Region) {
227 if (Region->canPrintPretty()) {
228 OS << " ";
229 Region->printPretty(OS);
230 }
231}
232
233bool SmartPtrModeling::isBoolConversionMethod(const CallEvent &Call) const {
234 // TODO: Update CallDescription to support anonymous calls?
235 // TODO: Handle other methods, such as .get() or .release().
236 // But once we do, we'd need a visitor to explain null dereferences
237 // that are found via such modeling.
238 const auto *CD = dyn_cast_or_null<CXXConversionDecl>(Call.getDecl());
239 return CD && CD->getConversionType()->isBooleanType();
240}
241
242constexpr llvm::StringLiteral BASIC_OSTREAM_NAMES[] = {"basic_ostream"};
243
244bool isStdBasicOstream(const Expr *E) {
245 const auto *RD = E->getType()->getAsCXXRecordDecl();
246 return hasStdClassWithName(RD, BASIC_OSTREAM_NAMES);
247}
248
249static bool isStdFunctionCall(const CallEvent &Call) {
250 return Call.getDecl() && Call.getDecl()->getDeclContext()->isStdNamespace();
251}
252
253bool isStdOstreamOperatorCall(const CallEvent &Call) {
254 if (Call.getNumArgs() != 2 || !isStdFunctionCall(Call))
255 return false;
256 const auto *FC = dyn_cast<SimpleFunctionCall>(&Call);
257 if (!FC)
258 return false;
259 const FunctionDecl *FD = FC->getDecl();
260 if (!FD->isOverloadedOperator())
261 return false;
262 const OverloadedOperatorKind OOK = FD->getOverloadedOperator();
263 if (OOK != clang::OO_LessLess)
264 return false;
265 return isStdSmartPtr(Call.getArgExpr(1)) &&
266 isStdBasicOstream(Call.getArgExpr(0));
267}
268
269static bool isPotentiallyComparisionOpCall(const CallEvent &Call) {
270 if (Call.getNumArgs() != 2 || !isStdFunctionCall(Call))
271 return false;
272 return smartptr::isStdSmartPtr(Call.getArgExpr(0)) ||
273 smartptr::isStdSmartPtr(Call.getArgExpr(1));
274}
275
276bool SmartPtrModeling::evalCall(const CallEvent &Call,
277 CheckerContext &C) const {
278
279 ProgramStateRef State = C.getState();
280
281 // If any one of the arg is a unique_ptr, then
282 // we can try this function
283 if (ModelSmartPtrDereference && isPotentiallyComparisionOpCall(Call))
284 if (handleComparisionOp(Call, C))
285 return true;
286
287 if (ModelSmartPtrDereference && isStdOstreamOperatorCall(Call))
288 return handleOstreamOperator(Call, C);
289
290 if (StdSwapCall.matches(Call)) {
291 // Check the first arg, if it is of std::unique_ptr type.
292 assert(Call.getNumArgs() == 2 && "std::swap should have two arguments");
293 const Expr *FirstArg = Call.getArgExpr(0);
294 if (!smartptr::isStdSmartPtr(FirstArg->getType()->getAsCXXRecordDecl()))
295 return false;
296 return handleSwap(State, Call.getArgSVal(0), Call.getArgSVal(1), C);
297 }
298
299 if (matchesAny(Call, StdMakeUniqueCall, StdMakeUniqueForOverwriteCall)) {
300 if (!ModelSmartPtrDereference)
301 return false;
302
303 const std::optional<SVal> ThisRegionOpt =
304 Call.getReturnValueUnderConstruction();
305 if (!ThisRegionOpt)
306 return false;
307
308 const auto PtrVal = C.getSValBuilder().getConjuredHeapSymbolVal(
309 Call.getOriginExpr(), C.getLocationContext(),
310 getPointerTypeFromTemplateArg(Call, C), C.blockCount());
311
312 const MemRegion *ThisRegion = ThisRegionOpt->getAsRegion();
313 State = State->set<TrackedRegionMap>(ThisRegion, PtrVal);
314 State = State->assume(PtrVal, true);
315
316 // TODO: ExprEngine should do this for us.
317 // For a bit more context:
318 // 1) Why do we need this? Since we are modelling a "function"
319 // that returns a constructed object we need to store this information in
320 // the program state.
321 //
322 // 2) Why does this work?
323 // `updateObjectsUnderConstruction` does exactly as it sounds.
324 //
325 // 3) How should it look like when moved to the Engine?
326 // It would be nice if we can just
327 // pretend we don't need to know about this - ie, completely automatic work.
328 // However, realistically speaking, I think we would need to "signal" the
329 // ExprEngine evalCall handler that we are constructing an object with this
330 // function call (constructors obviously construct, hence can be
331 // automatically deduced).
332 auto &Engine = State->getStateManager().getOwningEngine();
333 State = Engine.updateObjectsUnderConstruction(
334 *ThisRegionOpt, nullptr, State, C.getLocationContext(),
335 Call.getConstructionContext(), {});
336
337 // We don't leave a note here since it is guaranteed the
338 // unique_ptr from this call is non-null (hence is safe to de-reference).
339 C.addTransition(State);
340 return true;
341 }
342
343 if (!smartptr::isStdSmartPtrCall(Call))
344 return false;
345
346 if (isBoolConversionMethod(Call)) {
347 const MemRegion *ThisR =
348 cast<CXXInstanceCall>(&Call)->getCXXThisVal().getAsRegion();
349
350 if (ModelSmartPtrDereference) {
351 // The check for the region is moved is duplicated in handleBoolOperation
352 // method.
353 // FIXME: Once we model std::move for smart pointers clean up this and use
354 // that modeling.
355 handleBoolConversion(Call, C);
356 return true;
357 } else {
358 if (!move::isMovedFrom(State, ThisR)) {
359 // TODO: Model this case as well. At least, avoid invalidation of
360 // globals.
361 return false;
362 }
363
364 // TODO: Add a note to bug reports describing this decision.
365 C.addTransition(State->BindExpr(
366 Call.getOriginExpr(), C.getLocationContext(),
367 C.getSValBuilder().makeZeroVal(Call.getResultType())));
368
369 return true;
370 }
371 }
372
373 if (!ModelSmartPtrDereference)
374 return false;
375
376 if (const auto *CC = dyn_cast<CXXConstructorCall>(&Call)) {
377 if (CC->getDecl()->isCopyConstructor())
378 return false;
379
380 const MemRegion *ThisRegion = CC->getCXXThisVal().getAsRegion();
381 if (!ThisRegion)
382 return false;
383
384 QualType ThisType = cast<CXXMethodDecl>(Call.getDecl())->getThisType();
385
386 if (CC->getDecl()->isMoveConstructor())
387 return handleMoveCtr(Call, C, ThisRegion);
388
389 if (Call.getNumArgs() == 0) {
390 auto NullVal = C.getSValBuilder().makeNullWithType(ThisType);
391 State = State->set<TrackedRegionMap>(ThisRegion, NullVal);
392
393 C.addTransition(
394 State, C.getNoteTag([ThisRegion](PathSensitiveBugReport &BR,
395 llvm::raw_ostream &OS) {
396 if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||
397 !BR.isInteresting(ThisRegion))
398 return;
399 OS << "Default constructed smart pointer";
400 checkAndPrettyPrintRegion(OS, ThisRegion);
401 OS << " is null";
402 }));
403 } else {
404 const auto *TrackingExpr = Call.getArgExpr(0);
405 assert(TrackingExpr->getType()->isPointerType() &&
406 "Adding a non pointer value to TrackedRegionMap");
407 auto ArgVal = Call.getArgSVal(0);
408 State = State->set<TrackedRegionMap>(ThisRegion, ArgVal);
409
410 C.addTransition(State, C.getNoteTag([ThisRegion, TrackingExpr,
411 ArgVal](PathSensitiveBugReport &BR,
412 llvm::raw_ostream &OS) {
413 if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||
414 !BR.isInteresting(ThisRegion))
415 return;
416 bugreporter::trackExpressionValue(BR.getErrorNode(), TrackingExpr, BR);
417 OS << "Smart pointer";
418 checkAndPrettyPrintRegion(OS, ThisRegion);
419 if (ArgVal.isZeroConstant())
420 OS << " is constructed using a null value";
421 else
422 OS << " is constructed";
423 }));
424 }
425 return true;
426 }
427
428 if (handleAssignOp(Call, C))
429 return true;
430
431 const SmartPtrMethodHandlerFn *Handler = SmartPtrMethodHandlers.lookup(Call);
432 if (!Handler)
433 return false;
434 (this->**Handler)(Call, C);
435
436 return C.isDifferent();
437}
438
439std::pair<SVal, ProgramStateRef> SmartPtrModeling::retrieveOrConjureInnerPtrVal(
440 ProgramStateRef State, const MemRegion *ThisRegion, const Expr *E,
441 QualType Type, CheckerContext &C) const {
442 const auto *Ptr = State->get<TrackedRegionMap>(ThisRegion);
443 if (Ptr)
444 return {*Ptr, State};
445 auto Val = C.getSValBuilder().conjureSymbolVal(E, C.getLocationContext(),
446 Type, C.blockCount());
447 State = State->set<TrackedRegionMap>(ThisRegion, Val);
448 return {Val, State};
449}
450
451bool SmartPtrModeling::handleComparisionOp(const CallEvent &Call,
452 CheckerContext &C) const {
453 const auto *FC = dyn_cast<SimpleFunctionCall>(&Call);
454 if (!FC)
455 return false;
456 const FunctionDecl *FD = FC->getDecl();
457 if (!FD->isOverloadedOperator())
458 return false;
459 const OverloadedOperatorKind OOK = FD->getOverloadedOperator();
460 if (!(OOK == OO_EqualEqual || OOK == OO_ExclaimEqual || OOK == OO_Less ||
461 OOK == OO_LessEqual || OOK == OO_Greater || OOK == OO_GreaterEqual ||
462 OOK == OO_Spaceship))
463 return false;
464
465 // There are some special cases about which we can infer about
466 // the resulting answer.
467 // For reference, there is a discussion at https://reviews.llvm.org/D104616.
468 // Also, the cppreference page is good to look at
469 // https://en.cppreference.com/w/cpp/memory/unique_ptr/operator_cmp.
470
471 auto makeSValFor = [&C, this](ProgramStateRef State, const Expr *E,
472 SVal S) -> std::pair<SVal, ProgramStateRef> {
473 if (S.isZeroConstant()) {
474 return {S, State};
475 }
476 const MemRegion *Reg = S.getAsRegion();
477 assert(Reg &&
478 "this pointer of std::unique_ptr should be obtainable as MemRegion");
479 QualType Type = getInnerPointerType(C, E->getType()->getAsCXXRecordDecl());
480 return retrieveOrConjureInnerPtrVal(State, Reg, E, Type, C);
481 };
482
483 SVal First = Call.getArgSVal(0);
484 SVal Second = Call.getArgSVal(1);
485 const auto *FirstExpr = Call.getArgExpr(0);
486 const auto *SecondExpr = Call.getArgExpr(1);
487
488 const auto *ResultExpr = Call.getOriginExpr();
489 const auto *LCtx = C.getLocationContext();
490 auto &Bldr = C.getSValBuilder();
491 ProgramStateRef State = C.getState();
492
493 SVal FirstPtrVal, SecondPtrVal;
494 std::tie(FirstPtrVal, State) = makeSValFor(State, FirstExpr, First);
495 std::tie(SecondPtrVal, State) = makeSValFor(State, SecondExpr, Second);
496 BinaryOperatorKind BOK =
497 operationKindFromOverloadedOperator(OOK, true).GetBinaryOpUnsafe();
498 auto RetVal = Bldr.evalBinOp(State, BOK, FirstPtrVal, SecondPtrVal,
499 Call.getResultType());
500
501 if (OOK != OO_Spaceship) {
502 ProgramStateRef TrueState, FalseState;
503 std::tie(TrueState, FalseState) =
504 State->assume(*RetVal.getAs<DefinedOrUnknownSVal>());
505 if (TrueState)
506 C.addTransition(
507 TrueState->BindExpr(ResultExpr, LCtx, Bldr.makeTruthVal(true)));
508 if (FalseState)
509 C.addTransition(
510 FalseState->BindExpr(ResultExpr, LCtx, Bldr.makeTruthVal(false)));
511 } else {
512 C.addTransition(State->BindExpr(ResultExpr, LCtx, RetVal));
513 }
514 return true;
515}
516
517bool SmartPtrModeling::handleOstreamOperator(const CallEvent &Call,
518 CheckerContext &C) const {
519 // operator<< does not modify the smart pointer.
520 // And we don't really have much of modelling of basic_ostream.
521 // So, we are better off:
522 // 1) Invalidating the mem-region of the ostream object at hand.
523 // 2) Setting the SVal of the basic_ostream as the return value.
524 // Not very satisfying, but it gets the job done, and is better
525 // than the default handling. :)
526
527 ProgramStateRef State = C.getState();
528 const auto StreamVal = Call.getArgSVal(0);
529 const MemRegion *StreamThisRegion = StreamVal.getAsRegion();
530 if (!StreamThisRegion)
531 return false;
532 State =
533 State->invalidateRegions({StreamThisRegion}, Call.getOriginExpr(),
534 C.blockCount(), C.getLocationContext(), false);
535 State =
536 State->BindExpr(Call.getOriginExpr(), C.getLocationContext(), StreamVal);
537 C.addTransition(State);
538 return true;
539}
540
541void SmartPtrModeling::checkDeadSymbols(SymbolReaper &SymReaper,
542 CheckerContext &C) const {
543 ProgramStateRef State = C.getState();
544 // Clean up dead regions from the region map.
545 TrackedRegionMapTy TrackedRegions = State->get<TrackedRegionMap>();
546 for (auto E : TrackedRegions) {
547 const MemRegion *Region = E.first;
548 bool IsRegDead = !SymReaper.isLiveRegion(Region);
549
550 if (IsRegDead)
551 State = State->remove<TrackedRegionMap>(Region);
552 }
553 C.addTransition(State);
554}
555
556void SmartPtrModeling::printState(raw_ostream &Out, ProgramStateRef State,
557 const char *NL, const char *Sep) const {
558 TrackedRegionMapTy RS = State->get<TrackedRegionMap>();
559
560 if (!RS.isEmpty()) {
561 Out << Sep << "Smart ptr regions :" << NL;
562 for (auto I : RS) {
563 I.first->dumpToStream(Out);
564 if (smartptr::isNullSmartPtr(State, I.first))
565 Out << ": Null";
566 else
567 Out << ": Non Null";
568 Out << NL;
569 }
570 }
571}
572
573ProgramStateRef SmartPtrModeling::checkRegionChanges(
574 ProgramStateRef State, const InvalidatedSymbols *Invalidated,
575 ArrayRef<const MemRegion *> ExplicitRegions,
576 ArrayRef<const MemRegion *> Regions, const LocationContext *LCtx,
577 const CallEvent *Call) const {
578 TrackedRegionMapTy RegionMap = State->get<TrackedRegionMap>();
579 TrackedRegionMapTy::Factory &RegionMapFactory =
580 State->get_context<TrackedRegionMap>();
581 for (const auto *Region : Regions)
582 RegionMap = removeTrackedSubregions(RegionMap, RegionMapFactory,
583 Region->getBaseRegion());
584 return State->set<TrackedRegionMap>(RegionMap);
585}
586
587void SmartPtrModeling::checkLiveSymbols(ProgramStateRef State,
588 SymbolReaper &SR) const {
589 // Marking tracked symbols alive
590 TrackedRegionMapTy TrackedRegions = State->get<TrackedRegionMap>();
591 for (auto I = TrackedRegions.begin(), E = TrackedRegions.end(); I != E; ++I) {
592 SVal Val = I->second;
593 for (auto si = Val.symbol_begin(), se = Val.symbol_end(); si != se; ++si) {
594 SR.markLive(*si);
595 }
596 }
597}
598
599void SmartPtrModeling::handleReset(const CallEvent &Call,
600 CheckerContext &C) const {
601 ProgramStateRef State = C.getState();
602 const auto *IC = dyn_cast<CXXInstanceCall>(&Call);
603 if (!IC)
604 return;
605
606 const MemRegion *ThisRegion = IC->getCXXThisVal().getAsRegion();
607 if (!ThisRegion)
608 return;
609
610 assert(Call.getArgExpr(0)->getType()->isPointerType() &&
611 "Adding a non pointer value to TrackedRegionMap");
612 State = State->set<TrackedRegionMap>(ThisRegion, Call.getArgSVal(0));
613 const auto *TrackingExpr = Call.getArgExpr(0);
614 C.addTransition(
615 State, C.getNoteTag([ThisRegion, TrackingExpr](PathSensitiveBugReport &BR,
616 llvm::raw_ostream &OS) {
617 if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||
618 !BR.isInteresting(ThisRegion))
619 return;
620 bugreporter::trackExpressionValue(BR.getErrorNode(), TrackingExpr, BR);
621 OS << "Smart pointer";
622 checkAndPrettyPrintRegion(OS, ThisRegion);
623 OS << " reset using a null value";
624 }));
625 // TODO: Make sure to ivalidate the region in the Store if we don't have
626 // time to model all methods.
627}
628
629void SmartPtrModeling::handleRelease(const CallEvent &Call,
630 CheckerContext &C) const {
631 ProgramStateRef State = C.getState();
632 const auto *IC = dyn_cast<CXXInstanceCall>(&Call);
633 if (!IC)
634 return;
635
636 const MemRegion *ThisRegion = IC->getCXXThisVal().getAsRegion();
637 if (!ThisRegion)
638 return;
639
640 const auto *InnerPointVal = State->get<TrackedRegionMap>(ThisRegion);
641
642 if (InnerPointVal) {
643 State = State->BindExpr(Call.getOriginExpr(), C.getLocationContext(),
644 *InnerPointVal);
645 }
646
647 QualType ThisType = cast<CXXMethodDecl>(Call.getDecl())->getThisType();
648 auto ValueToUpdate = C.getSValBuilder().makeNullWithType(ThisType);
649 State = State->set<TrackedRegionMap>(ThisRegion, ValueToUpdate);
650
651 C.addTransition(State, C.getNoteTag([ThisRegion](PathSensitiveBugReport &BR,
652 llvm::raw_ostream &OS) {
653 if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||
654 !BR.isInteresting(ThisRegion))
655 return;
656
657 OS << "Smart pointer";
658 checkAndPrettyPrintRegion(OS, ThisRegion);
659 OS << " is released and set to null";
660 }));
661 // TODO: Add support to enable MallocChecker to start tracking the raw
662 // pointer.
663}
664
665void SmartPtrModeling::handleSwapMethod(const CallEvent &Call,
666 CheckerContext &C) const {
667 // To model unique_ptr::swap() method.
668 const auto *IC = dyn_cast<CXXInstanceCall>(&Call);
669 if (!IC)
670 return;
671
672 auto State = C.getState();
673 handleSwap(State, IC->getCXXThisVal(), Call.getArgSVal(0), C);
674}
675
676bool SmartPtrModeling::handleSwap(ProgramStateRef State, SVal First,
677 SVal Second, CheckerContext &C) const {
678 const MemRegion *FirstThisRegion = First.getAsRegion();
679 if (!FirstThisRegion)
680 return false;
681 const MemRegion *SecondThisRegion = Second.getAsRegion();
682 if (!SecondThisRegion)
683 return false;
684
685 const auto *FirstInnerPtrVal = State->get<TrackedRegionMap>(FirstThisRegion);
686 const auto *SecondInnerPtrVal =
687 State->get<TrackedRegionMap>(SecondThisRegion);
688
689 State = updateSwappedRegion(State, FirstThisRegion, SecondInnerPtrVal);
690 State = updateSwappedRegion(State, SecondThisRegion, FirstInnerPtrVal);
691
692 C.addTransition(State, C.getNoteTag([FirstThisRegion, SecondThisRegion](
693 PathSensitiveBugReport &BR,
694 llvm::raw_ostream &OS) {
695 if (&BR.getBugType() != smartptr::getNullDereferenceBugType())
696 return;
697 if (BR.isInteresting(FirstThisRegion) &&
698 !BR.isInteresting(SecondThisRegion)) {
699 BR.markInteresting(SecondThisRegion);
700 BR.markNotInteresting(FirstThisRegion);
701 }
702 if (BR.isInteresting(SecondThisRegion) &&
703 !BR.isInteresting(FirstThisRegion)) {
704 BR.markInteresting(FirstThisRegion);
705 BR.markNotInteresting(SecondThisRegion);
706 }
707 // TODO: We need to emit some note here probably!!
708 }));
709
710 return true;
711}
712
713void SmartPtrModeling::handleGet(const CallEvent &Call,
714 CheckerContext &C) const {
715 ProgramStateRef State = C.getState();
716 const auto *IC = dyn_cast<CXXInstanceCall>(&Call);
717 if (!IC)
718 return;
719
720 const MemRegion *ThisRegion = IC->getCXXThisVal().getAsRegion();
721 if (!ThisRegion)
722 return;
723
724 SVal InnerPointerVal;
725 std::tie(InnerPointerVal, State) = retrieveOrConjureInnerPtrVal(
726 State, ThisRegion, Call.getOriginExpr(), Call.getResultType(), C);
727 State = State->BindExpr(Call.getOriginExpr(), C.getLocationContext(),
728 InnerPointerVal);
729 // TODO: Add NoteTag, for how the raw pointer got using 'get' method.
730 C.addTransition(State);
731}
732
733bool SmartPtrModeling::handleAssignOp(const CallEvent &Call,
734 CheckerContext &C) const {
735 ProgramStateRef State = C.getState();
736 const auto *OC = dyn_cast<CXXMemberOperatorCall>(&Call);
737 if (!OC)
738 return false;
739 OverloadedOperatorKind OOK = OC->getOverloadedOperator();
740 if (OOK != OO_Equal)
741 return false;
742 const MemRegion *ThisRegion = OC->getCXXThisVal().getAsRegion();
743 if (!ThisRegion)
744 return false;
745
746 QualType ThisType = cast<CXXMethodDecl>(Call.getDecl())->getThisType();
747
748 const MemRegion *OtherSmartPtrRegion = OC->getArgSVal(0).getAsRegion();
749 // In case of 'nullptr' or '0' assigned
750 if (!OtherSmartPtrRegion) {
751 bool AssignedNull = Call.getArgSVal(0).isZeroConstant();
752 if (!AssignedNull)
753 return false;
754 auto NullVal = C.getSValBuilder().makeNullWithType(ThisType);
755 State = State->set<TrackedRegionMap>(ThisRegion, NullVal);
756 C.addTransition(State, C.getNoteTag([ThisRegion](PathSensitiveBugReport &BR,
757 llvm::raw_ostream &OS) {
758 if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||
759 !BR.isInteresting(ThisRegion))
760 return;
761 OS << "Smart pointer";
762 checkAndPrettyPrintRegion(OS, ThisRegion);
763 OS << " is assigned to null";
764 }));
765 return true;
766 }
767
768 return updateMovedSmartPointers(C, ThisRegion, OtherSmartPtrRegion, Call);
769}
770
771bool SmartPtrModeling::handleMoveCtr(const CallEvent &Call, CheckerContext &C,
772 const MemRegion *ThisRegion) const {
773 const auto *OtherSmartPtrRegion = Call.getArgSVal(0).getAsRegion();
774 if (!OtherSmartPtrRegion)
775 return false;
776
777 return updateMovedSmartPointers(C, ThisRegion, OtherSmartPtrRegion, Call);
778}
779
780bool SmartPtrModeling::updateMovedSmartPointers(
781 CheckerContext &C, const MemRegion *ThisRegion,
782 const MemRegion *OtherSmartPtrRegion, const CallEvent &Call) const {
783 ProgramStateRef State = C.getState();
784 QualType ThisType = cast<CXXMethodDecl>(Call.getDecl())->getThisType();
785 const auto *OtherInnerPtr = State->get<TrackedRegionMap>(OtherSmartPtrRegion);
786 if (OtherInnerPtr) {
787 State = State->set<TrackedRegionMap>(ThisRegion, *OtherInnerPtr);
788
789 auto NullVal = C.getSValBuilder().makeNullWithType(ThisType);
790 State = State->set<TrackedRegionMap>(OtherSmartPtrRegion, NullVal);
791 bool IsArgValNull = OtherInnerPtr->isZeroConstant();
792
793 C.addTransition(
794 State,
795 C.getNoteTag([ThisRegion, OtherSmartPtrRegion, IsArgValNull](
796 PathSensitiveBugReport &BR, llvm::raw_ostream &OS) {
797 if (&BR.getBugType() != smartptr::getNullDereferenceBugType())
798 return;
799 if (BR.isInteresting(OtherSmartPtrRegion)) {
800 OS << "Smart pointer";
801 checkAndPrettyPrintRegion(OS, OtherSmartPtrRegion);
802 OS << " is null after being moved to";
803 checkAndPrettyPrintRegion(OS, ThisRegion);
804 }
805 if (BR.isInteresting(ThisRegion) && IsArgValNull) {
806 OS << "A null pointer value is moved to";
807 checkAndPrettyPrintRegion(OS, ThisRegion);
808 BR.markInteresting(OtherSmartPtrRegion);
809 }
810 }));
811 return true;
812 } else {
813 // In case we dont know anything about value we are moving from
814 // remove the entry from map for which smart pointer got moved to.
815 // For unique_ptr<A>, Ty will be 'A*'.
816 auto NullVal = C.getSValBuilder().makeNullWithType(ThisType);
817 State = State->remove<TrackedRegionMap>(ThisRegion);
818 State = State->set<TrackedRegionMap>(OtherSmartPtrRegion, NullVal);
819 C.addTransition(State, C.getNoteTag([OtherSmartPtrRegion,
820 ThisRegion](PathSensitiveBugReport &BR,
821 llvm::raw_ostream &OS) {
822 if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||
823 !BR.isInteresting(OtherSmartPtrRegion))
824 return;
825 OS << "Smart pointer";
826 checkAndPrettyPrintRegion(OS, OtherSmartPtrRegion);
827 OS << " is null after; previous value moved to";
828 checkAndPrettyPrintRegion(OS, ThisRegion);
829 }));
830 return true;
831 }
832 return false;
833}
834
835void SmartPtrModeling::handleBoolConversion(const CallEvent &Call,
836 CheckerContext &C) const {
837 // To model unique_ptr::operator bool
838 ProgramStateRef State = C.getState();
839 const Expr *CallExpr = Call.getOriginExpr();
840 const MemRegion *ThisRegion =
841 cast<CXXInstanceCall>(&Call)->getCXXThisVal().getAsRegion();
842
843 QualType ThisType = cast<CXXMethodDecl>(Call.getDecl())->getThisType();
844
845 SVal InnerPointerVal;
846 if (const auto *InnerValPtr = State->get<TrackedRegionMap>(ThisRegion)) {
847 InnerPointerVal = *InnerValPtr;
848 } else {
849 // In case of inner pointer SVal is not available we create
850 // conjureSymbolVal for inner pointer value.
851 auto InnerPointerType = getInnerPointerType(Call, C);
852 if (InnerPointerType.isNull())
853 return;
854
855 const LocationContext *LC = C.getLocationContext();
856 InnerPointerVal = C.getSValBuilder().conjureSymbolVal(
857 CallExpr, LC, InnerPointerType, C.blockCount());
858 State = State->set<TrackedRegionMap>(ThisRegion, InnerPointerVal);
859 }
860
861 if (State->isNull(InnerPointerVal).isConstrainedTrue()) {
862 State = State->BindExpr(CallExpr, C.getLocationContext(),
863 C.getSValBuilder().makeTruthVal(false));
864
865 C.addTransition(State);
866 return;
867 } else if (State->isNonNull(InnerPointerVal).isConstrainedTrue()) {
868 State = State->BindExpr(CallExpr, C.getLocationContext(),
869 C.getSValBuilder().makeTruthVal(true));
870
871 C.addTransition(State);
872 return;
873 } else if (move::isMovedFrom(State, ThisRegion)) {
874 C.addTransition(
875 State->BindExpr(CallExpr, C.getLocationContext(),
876 C.getSValBuilder().makeZeroVal(Call.getResultType())));
877 return;
878 } else {
879 ProgramStateRef NotNullState, NullState;
880 std::tie(NotNullState, NullState) =
881 State->assume(InnerPointerVal.castAs<DefinedOrUnknownSVal>());
882
883 auto NullVal = C.getSValBuilder().makeNullWithType(ThisType);
884 // Explicitly tracking the region as null.
885 NullState = NullState->set<TrackedRegionMap>(ThisRegion, NullVal);
886
887 NullState = NullState->BindExpr(CallExpr, C.getLocationContext(),
888 C.getSValBuilder().makeTruthVal(false));
889 C.addTransition(NullState, C.getNoteTag(
890 [ThisRegion](PathSensitiveBugReport &BR,
891 llvm::raw_ostream &OS) {
892 OS << "Assuming smart pointer";
893 checkAndPrettyPrintRegion(OS, ThisRegion);
894 OS << " is null";
895 },
896 /*IsPrunable=*/true));
897 NotNullState =
898 NotNullState->BindExpr(CallExpr, C.getLocationContext(),
899 C.getSValBuilder().makeTruthVal(true));
900 C.addTransition(
901 NotNullState,
902 C.getNoteTag(
903 [ThisRegion](PathSensitiveBugReport &BR, llvm::raw_ostream &OS) {
904 OS << "Assuming smart pointer";
905 checkAndPrettyPrintRegion(OS, ThisRegion);
906 OS << " is non-null";
907 },
908 /*IsPrunable=*/true));
909 return;
910 }
911}
912
913void ento::registerSmartPtrModeling(CheckerManager &Mgr) {
914 auto *Checker = Mgr.registerChecker<SmartPtrModeling>();
915 Checker->ModelSmartPtrDereference =
916 Mgr.getAnalyzerOptions().getCheckerBooleanOption(
917 Checker, "ModelSmartPtrDereference");
918}
919
920bool ento::shouldRegisterSmartPtrModeling(const CheckerManager &mgr) {
921 const LangOptions &LO = mgr.getLangOpts();
922 return LO.CPlusPlus;
923}
DeclCXX.h
Defines the C++ Decl subclasses, other than those for templates (found in DeclTemplate....
ExprCXX.h
Defines the clang::Expr interface and subclasses for C++ expressions.
LLVM.h
Forward-declares and imports various common LLVM datatypes that clang wants to use unqualified.
REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:87
isStdFunctionCall
static bool isStdFunctionCall(const CallEvent &Call)
Definition: SmartPtrModeling.cpp:249
isStdBasicOstream
bool isStdBasicOstream(const Expr *E)
Definition: SmartPtrModeling.cpp:244
checkAndPrettyPrintRegion
static void checkAndPrettyPrintRegion(llvm::raw_ostream &OS, const MemRegion *Region)
Definition: SmartPtrModeling.cpp:225
isStdOstreamOperatorCall
bool isStdOstreamOperatorCall(const CallEvent &Call)
Definition: SmartPtrModeling.cpp:253
getInnerPointerType
static QualType getInnerPointerType(CheckerContext C, const CXXRecordDecl *RD)
Definition: SmartPtrModeling.cpp:183
updateSwappedRegion
static ProgramStateRef updateSwappedRegion(ProgramStateRef State, const MemRegion *Region, const SVal *RegionInnerPointerVal)
Definition: SmartPtrModeling.cpp:172
removeTrackedSubregions
static TrackedRegionMapTy removeTrackedSubregions(TrackedRegionMapTy RegionMap, TrackedRegionMapTy::Factory &RegionMapFactory, const MemRegion *Region)
Definition: SmartPtrModeling.cpp:160
isPotentiallyComparisionOpCall
static bool isPotentiallyComparisionOpCall(const CallEvent &Call)
Definition: SmartPtrModeling.cpp:269
getPointerTypeFromTemplateArg
static QualType getPointerTypeFromTemplateArg(const CallEvent &Call, CheckerContext &C)
Definition: SmartPtrModeling.cpp:201
hasStdClassWithName
static bool hasStdClassWithName(const CXXRecordDecl *RD, ArrayRef< llvm::StringLiteral > Names)
Definition: SmartPtrModeling.cpp:103
isStdSmartPtr
static bool isStdSmartPtr(const CXXRecordDecl *RD)
Definition: SmartPtrModeling.cpp:115
BASIC_OSTREAM_NAMES
constexpr llvm::StringLiteral BASIC_OSTREAM_NAMES[]
Definition: SmartPtrModeling.cpp:242
STD_PTR_NAMES
constexpr llvm::StringLiteral STD_PTR_NAMES[]
Definition: SmartPtrModeling.cpp:112
Type.h
C Language Family Type Representation.
clang::AnalyzerOptions::getCheckerBooleanOption
bool getCheckerBooleanOption(StringRef CheckerName, StringRef OptionName, bool SearchInParents=false) const
Interprets an option's string value as a boolean.
Definition: AnalyzerOptions.cpp:161
clang::CXXRecordDecl
Represents a C++ struct/union/class.
Definition: DeclCXX.h:254
clang::CallExpr
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2817
clang::DeclContext::getParent
DeclContext * getParent()
getParent - Returns the containing DeclContext.
Definition: DeclBase.h:1942
clang::DeclContext::isStdNamespace
bool isStdNamespace() const
Definition: DeclBase.cpp:1193
clang::Decl::isInStdNamespace
bool isInStdNamespace() const
Definition: DeclBase.cpp:404
clang::Decl::getDeclContext
DeclContext * getDeclContext()
Definition: DeclBase.h:441
clang::DeclarationName::isIdentifier
bool isIdentifier() const
Predicate functions for querying what type of name this is.
Definition: DeclarationName.h:384
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::Expr::getType
QualType getType() const
Definition: Expr.h:142
clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1917
clang::FunctionDecl::isOverloadedOperator
bool isOverloadedOperator() const
Whether this function declaration represents an C++ overloaded operator, e.g., "operator+".
Definition: Decl.h:2728
clang::FunctionDecl::getOverloadedOperator
OverloadedOperatorKind getOverloadedOperator() const
getOverloadedOperator - Which C++ overloaded operator this function represents, if any.
Definition: Decl.cpp:3815
clang::LangOptions
Keeps track of the various options that can be enabled, which controls the dialect of C or C++ that i...
Definition: LangOptions.h:82
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
clang::NamedDecl::getName
StringRef getName() const
Get the name of identifier for this declaration as a StringRef.
Definition: Decl.h:274
clang::NamedDecl::getDeclName
DeclarationName getDeclName() const
Get the actual, stored name of the declaration, which may be a special name.
Definition: Decl.h:313
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:736
clang::RecordDecl
Represents a struct/union/class.
Definition: Decl.h:4012
clang::StringLiteral
StringLiteral - This represents a string literal expression, e.g.
Definition: Expr.h:1780
clang::Type
The base class of the type hierarchy.
Definition: Type.h:1568
clang::Type::getAsCXXRecordDecl
CXXRecordDecl * getAsCXXRecordDecl() const
Retrieves the CXXRecordDecl that this type refers to, either because the type is a RecordType or beca...
Definition: Type.cpp:1799
clang::ento::BugReport::getBugType
const BugType & getBugType() const
Definition: BugReporter.h:149
clang::ento::CallDescriptionMap
An immutable map from CallDescriptions to arbitrary data.
Definition: CallDescription.h:164
clang::ento::CallDescription
This class represents a description of a function call using the number of arguments and the name of ...
Definition: CallDescription.h:43
clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:149
clang::ento::CheckerBase::printState
virtual void printState(raw_ostream &Out, ProgramStateRef State, const char *NL, const char *Sep) const
See CheckerManager::runCheckersForPrintState.
Definition: Checker.h:501
clang::ento::CheckerManager::getAnalyzerOptions
const AnalyzerOptions & getAnalyzerOptions() const
Definition: CheckerManager.h:170
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::CheckerManager::getLangOpts
const LangOptions & getLangOpts() const
Definition: CheckerManager.h:169
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:95
clang::ento::MemRegion::getBaseRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getBaseRegion() const
Definition: MemRegion.cpp:1303
clang::ento::MemRegion::printPretty
virtual void printPretty(raw_ostream &os) const
Print the region for use in diagnostics.
Definition: MemRegion.cpp:601
clang::ento::MemRegion::canPrintPretty
virtual bool canPrintPretty() const
Returns true if this region can be printed in a user-friendly way.
Definition: MemRegion.cpp:593
clang::ento::OperatorKind::GetBinaryOpUnsafe
BinaryOperatorKind GetBinaryOpUnsafe() const
Definition: CheckerHelpers.h:86
clang::ento::PathSensitiveBugReport::markInteresting
void markInteresting(SymbolRef sym, bugreporter::TrackingKind TKind=bugreporter::TrackingKind::Thorough)
Marks a symbol as interesting.
Definition: BugReporter.cpp:2253
clang::ento::PathSensitiveBugReport::isInteresting
bool isInteresting(SymbolRef sym) const
Definition: BugReporter.cpp:2369
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:72
clang::ento::SVal::symbol_begin
SymExpr::symbol_iterator symbol_begin() const
Definition: SVals.h:183
clang::ento::SVal::symbol_end
SymExpr::symbol_iterator symbol_end() const
Definition: SVals.h:191
clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:99
clang::ento::SymbolReaper
A class responsible for cleaning up unused symbols.
Definition: SymbolManager.h:572
clang::ento::SymbolReaper::markLive
void markLive(SymbolRef sym)
Unconditionally marks a symbol as live.
Definition: SymbolManager.cpp:408
clang::ento::SymbolReaper::isLiveRegion
bool isLiveRegion(const MemRegion *region)
Definition: SymbolManager.cpp:438
clang::ento::move::isMovedFrom
bool isMovedFrom(ProgramStateRef State, const MemRegion *Region)
Returns true if the object is known to have been recently std::moved.
Definition: MoveChecker.cpp:234
clang::ento::smartptr::getNullDereferenceBugType
const BugType * getNullDereferenceBugType()
Definition: SmartPtrChecker.cpp:54
clang::ento::smartptr::isNullSmartPtr
bool isNullSmartPtr(const ProgramStateRef State, const MemRegion *ThisRegion)
Returns whether the smart pointer is null or not.
Definition: SmartPtrModeling.cpp:149
clang::ento::smartptr::isStdSmartPtr
bool isStdSmartPtr(const CXXRecordDecl *RD)
Definition: SmartPtrModeling.cpp:134
clang::ento::smartptr::isStdSmartPtrCall
bool isStdSmartPtrCall(const CallEvent &Call)
Returns true if the event call is on smart pointer.
Definition: SmartPtrModeling.cpp:127
clang::ento::operationKindFromOverloadedOperator
OperatorKind operationKindFromOverloadedOperator(OverloadedOperatorKind OOK, bool IsBinary)
Definition: CheckerHelpers.cpp:151
clang::interp::Call
bool Call(InterpState &S, CodePtr OpPC, const Function *Func)
Definition: Interp.h:1585
clang::OverloadedOperatorKind
OverloadedOperatorKind
Enumeration specifying the different kinds of C++ overloaded operators.
Definition: OperatorKinds.h:21
clang::BinaryOperatorKind
BinaryOperatorKind
Definition: OperationKinds.h:25
clang::Language::C
@ C
Languages that the frontend can parse and compile.
clang::if
if(T->getSizeExpr()) TRY_TO(TraverseStmt(T -> getSizeExpr()))
Definition: RecursiveASTVisitor.h:1081
llvm
YAML serialization mapping.
Definition: Dominators.h:30
Generated on Wed May 31 2023 07:41:11 for clang by doxygen 1.9.6