clang 20.0.0git
StackAddrEscapeChecker.cpp
Go to the documentation of this file.
1//=== StackAddrEscapeChecker.cpp ----------------------------------*- C++ -*--//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines stack address leak checker, which checks if an invalid
10// stack address is stored into a global or heap location. See CERT DCL30-C.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/AST/ExprCXX.h"
15#include "clang/Basic/SourceManager.h"
16#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
17#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
18#include "clang/StaticAnalyzer/Core/Checker.h"
19#include "clang/StaticAnalyzer/Core/CheckerManager.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
21#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
22#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
23#include "llvm/ADT/SmallString.h"
24#include "llvm/Support/raw_ostream.h"
25using namespace clang;
26using namespace ento;
27
28namespace {
29class StackAddrEscapeChecker
30 : public Checker<check::PreCall, check::PreStmt<ReturnStmt>,
31 check::EndFunction> {
32 mutable IdentifierInfo *dispatch_semaphore_tII = nullptr;
33 mutable std::unique_ptr<BugType> BT_stackleak;
34 mutable std::unique_ptr<BugType> BT_returnstack;
35 mutable std::unique_ptr<BugType> BT_capturedstackasync;
36 mutable std::unique_ptr<BugType> BT_capturedstackret;
37
38public:
39 enum CheckKind {
40 CK_StackAddrEscapeChecker,
41 CK_StackAddrAsyncEscapeChecker,
42 CK_NumCheckKinds
43 };
44
45 bool ChecksEnabled[CK_NumCheckKinds] = {false};
46 CheckerNameRef CheckNames[CK_NumCheckKinds];
47
48 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
49 void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
50 void checkEndFunction(const ReturnStmt *RS, CheckerContext &Ctx) const;
51
52private:
53 void checkReturnedBlockCaptures(const BlockDataRegion &B,
54 CheckerContext &C) const;
55 void checkAsyncExecutedBlockCaptures(const BlockDataRegion &B,
56 CheckerContext &C) const;
57 void EmitStackError(CheckerContext &C, const MemRegion *R,
58 const Expr *RetE) const;
59 bool isSemaphoreCaptured(const BlockDecl &B) const;
60 static SourceRange genName(raw_ostream &os, const MemRegion *R,
61 ASTContext &Ctx);
62 static SmallVector<const MemRegion *, 4>
63 getCapturedStackRegions(const BlockDataRegion &B, CheckerContext &C);
64 static bool isNotInCurrentFrame(const MemRegion *R, CheckerContext &C);
65};
66} // namespace
67
68SourceRange StackAddrEscapeChecker::genName(raw_ostream &os, const MemRegion *R,
69 ASTContext &Ctx) {
70 // Get the base region, stripping away fields and elements.
71 R = R->getBaseRegion();
72 SourceManager &SM = Ctx.getSourceManager();
73 SourceRange range;
74 os << "Address of ";
75
76 // Check if the region is a compound literal.
77 if (const auto *CR = dyn_cast<CompoundLiteralRegion>(R)) {
78 const CompoundLiteralExpr *CL = CR->getLiteralExpr();
79 os << "stack memory associated with a compound literal "
80 "declared on line "
81 << SM.getExpansionLineNumber(CL->getBeginLoc());
82 range = CL->getSourceRange();
83 } else if (const auto *AR = dyn_cast<AllocaRegion>(R)) {
84 const Expr *ARE = AR->getExpr();
85 SourceLocation L = ARE->getBeginLoc();
86 range = ARE->getSourceRange();
87 os << "stack memory allocated by call to alloca() on line "
88 << SM.getExpansionLineNumber(L);
89 } else if (const auto *BR = dyn_cast<BlockDataRegion>(R)) {
90 const BlockDecl *BD = BR->getCodeRegion()->getDecl();
91 SourceLocation L = BD->getBeginLoc();
92 range = BD->getSourceRange();
93 os << "stack-allocated block declared on line "
94 << SM.getExpansionLineNumber(L);
95 } else if (const auto *VR = dyn_cast<VarRegion>(R)) {
96 os << "stack memory associated with local variable '" << VR->getString()
97 << '\'';
98 range = VR->getDecl()->getSourceRange();
99 } else if (const auto *LER = dyn_cast<CXXLifetimeExtendedObjectRegion>(R)) {
100 QualType Ty = LER->getValueType().getLocalUnqualifiedType();
101 os << "stack memory associated with temporary object of type '";
102 Ty.print(os, Ctx.getPrintingPolicy());
103 os << "' lifetime extended by local variable";
104 if (const IdentifierInfo *ID = LER->getExtendingDecl()->getIdentifier())
105 os << " '" << ID->getName() << '\'';
106 range = LER->getExpr()->getSourceRange();
107 } else if (const auto *TOR = dyn_cast<CXXTempObjectRegion>(R)) {
108 QualType Ty = TOR->getValueType().getLocalUnqualifiedType();
109 os << "stack memory associated with temporary object of type '";
110 Ty.print(os, Ctx.getPrintingPolicy());
111 os << "'";
112 range = TOR->getExpr()->getSourceRange();
113 } else {
114 llvm_unreachable("Invalid region in ReturnStackAddressChecker.");
115 }
116
117 return range;
118}
119
120bool StackAddrEscapeChecker::isNotInCurrentFrame(const MemRegion *R,
121 CheckerContext &C) {
122 const StackSpaceRegion *S = cast<StackSpaceRegion>(R->getMemorySpace());
123 return S->getStackFrame() != C.getStackFrame();
124}
125
126bool StackAddrEscapeChecker::isSemaphoreCaptured(const BlockDecl &B) const {
127 if (!dispatch_semaphore_tII)
128 dispatch_semaphore_tII = &B.getASTContext().Idents.get("dispatch_semaphore_t");
129 for (const auto &C : B.captures()) {
130 const auto *T = C.getVariable()->getType()->getAs<TypedefType>();
131 if (T && T->getDecl()->getIdentifier() == dispatch_semaphore_tII)
132 return true;
133 }
134 return false;
135}
136
137SmallVector<const MemRegion *, 4>
138StackAddrEscapeChecker::getCapturedStackRegions(const BlockDataRegion &B,
139 CheckerContext &C) {
140 SmallVector<const MemRegion *, 4> Regions;
141 for (auto Var : B.referenced_vars()) {
142 SVal Val = C.getState()->getSVal(Var.getCapturedRegion());
143 const MemRegion *Region = Val.getAsRegion();
144 if (Region && isa<StackSpaceRegion>(Region->getMemorySpace()))
145 Regions.push_back(Region);
146 }
147 return Regions;
148}
149
150void StackAddrEscapeChecker::EmitStackError(CheckerContext &C,
151 const MemRegion *R,
152 const Expr *RetE) const {
153 ExplodedNode *N = C.generateNonFatalErrorNode();
154 if (!N)
155 return;
156 if (!BT_returnstack)
157 BT_returnstack = std::make_unique<BugType>(
158 CheckNames[CK_StackAddrEscapeChecker],
159 "Return of address to stack-allocated memory");
160 // Generate a report for this bug.
161 SmallString<128> buf;
162 llvm::raw_svector_ostream os(buf);
163 SourceRange range = genName(os, R, C.getASTContext());
164 os << " returned to caller";
165 auto report =
166 std::make_unique<PathSensitiveBugReport>(*BT_returnstack, os.str(), N);
167 report->addRange(RetE->getSourceRange());
168 if (range.isValid())
169 report->addRange(range);
170 C.emitReport(std::move(report));
171}
172
173void StackAddrEscapeChecker::checkAsyncExecutedBlockCaptures(
174 const BlockDataRegion &B, CheckerContext &C) const {
175 // There is a not-too-uncommon idiom
176 // where a block passed to dispatch_async captures a semaphore
177 // and then the thread (which called dispatch_async) is blocked on waiting
178 // for the completion of the execution of the block
179 // via dispatch_semaphore_wait. To avoid false-positives (for now)
180 // we ignore all the blocks which have captured
181 // a variable of the type "dispatch_semaphore_t".
182 if (isSemaphoreCaptured(*B.getDecl()))
183 return;
184 for (const MemRegion *Region : getCapturedStackRegions(B, C)) {
185 // The block passed to dispatch_async may capture another block
186 // created on the stack. However, there is no leak in this situaton,
187 // no matter if ARC or no ARC is enabled:
188 // dispatch_async copies the passed "outer" block (via Block_copy)
189 // and if the block has captured another "inner" block,
190 // the "inner" block will be copied as well.
191 if (isa<BlockDataRegion>(Region))
192 continue;
193 ExplodedNode *N = C.generateNonFatalErrorNode();
194 if (!N)
195 continue;
196 if (!BT_capturedstackasync)
197 BT_capturedstackasync = std::make_unique<BugType>(
198 CheckNames[CK_StackAddrAsyncEscapeChecker],
199 "Address of stack-allocated memory is captured");
200 SmallString<128> Buf;
201 llvm::raw_svector_ostream Out(Buf);
202 SourceRange Range = genName(Out, Region, C.getASTContext());
203 Out << " is captured by an asynchronously-executed block";
204 auto Report = std::make_unique<PathSensitiveBugReport>(
205 *BT_capturedstackasync, Out.str(), N);
206 if (Range.isValid())
207 Report->addRange(Range);
208 C.emitReport(std::move(Report));
209 }
210}
211
212void StackAddrEscapeChecker::checkReturnedBlockCaptures(
213 const BlockDataRegion &B, CheckerContext &C) const {
214 for (const MemRegion *Region : getCapturedStackRegions(B, C)) {
215 if (isNotInCurrentFrame(Region, C))
216 continue;
217 ExplodedNode *N = C.generateNonFatalErrorNode();
218 if (!N)
219 continue;
220 if (!BT_capturedstackret)
221 BT_capturedstackret = std::make_unique<BugType>(
222 CheckNames[CK_StackAddrEscapeChecker],
223 "Address of stack-allocated memory is captured");
224 SmallString<128> Buf;
225 llvm::raw_svector_ostream Out(Buf);
226 SourceRange Range = genName(Out, Region, C.getASTContext());
227 Out << " is captured by a returned block";
228 auto Report = std::make_unique<PathSensitiveBugReport>(*BT_capturedstackret,
229 Out.str(), N);
230 if (Range.isValid())
231 Report->addRange(Range);
232 C.emitReport(std::move(Report));
233 }
234}
235
236void StackAddrEscapeChecker::checkPreCall(const CallEvent &Call,
237 CheckerContext &C) const {
238 if (!ChecksEnabled[CK_StackAddrAsyncEscapeChecker])
239 return;
240 if (!Call.isGlobalCFunction("dispatch_after") &&
241 !Call.isGlobalCFunction("dispatch_async"))
242 return;
243 for (unsigned Idx = 0, NumArgs = Call.getNumArgs(); Idx < NumArgs; ++Idx) {
244 if (const BlockDataRegion *B = dyn_cast_or_null<BlockDataRegion>(
245 Call.getArgSVal(Idx).getAsRegion()))
246 checkAsyncExecutedBlockCaptures(*B, C);
247 }
248}
249
250void StackAddrEscapeChecker::checkPreStmt(const ReturnStmt *RS,
251 CheckerContext &C) const {
252 if (!ChecksEnabled[CK_StackAddrEscapeChecker])
253 return;
254
255 const Expr *RetE = RS->getRetValue();
256 if (!RetE)
257 return;
258 RetE = RetE->IgnoreParens();
259
260 SVal V = C.getSVal(RetE);
261 const MemRegion *R = V.getAsRegion();
262 if (!R)
263 return;
264
265 if (const BlockDataRegion *B = dyn_cast<BlockDataRegion>(R))
266 checkReturnedBlockCaptures(*B, C);
267
268 if (!isa<StackSpaceRegion>(R->getMemorySpace()) || isNotInCurrentFrame(R, C))
269 return;
270
271 // Returning a record by value is fine. (In this case, the returned
272 // expression will be a copy-constructor, possibly wrapped in an
273 // ExprWithCleanups node.)
274 if (const ExprWithCleanups *Cleanup = dyn_cast<ExprWithCleanups>(RetE))
275 RetE = Cleanup->getSubExpr();
276 if (isa<CXXConstructExpr>(RetE) && RetE->getType()->isRecordType())
277 return;
278
279 // The CK_CopyAndAutoreleaseBlockObject cast causes the block to be copied
280 // so the stack address is not escaping here.
281 if (const auto *ICE = dyn_cast<ImplicitCastExpr>(RetE)) {
282 if (isa<BlockDataRegion>(R) &&
283 ICE->getCastKind() == CK_CopyAndAutoreleaseBlockObject) {
284 return;
285 }
286 }
287
288 EmitStackError(C, R, RetE);
289}
290
291static const MemSpaceRegion *getStackOrGlobalSpaceRegion(const MemRegion *R) {
292 assert(R);
293 if (const auto *MemSpace = R->getMemorySpace()) {
294 if (const auto *SSR = MemSpace->getAs<StackSpaceRegion>())
295 return SSR;
296 if (const auto *GSR = MemSpace->getAs<GlobalsSpaceRegion>())
297 return GSR;
298 }
299 // If R describes a lambda capture, it will be a symbolic region
300 // referring to a field region of another symbolic region.
301 if (const auto *SymReg = R->getBaseRegion()->getAs<SymbolicRegion>()) {
302 if (const auto *OriginReg = SymReg->getSymbol()->getOriginRegion())
303 return getStackOrGlobalSpaceRegion(OriginReg);
304 }
305 return nullptr;
306}
307
308static const MemRegion *getOriginBaseRegion(const MemRegion *Reg) {
309 Reg = Reg->getBaseRegion();
310 while (const auto *SymReg = dyn_cast<SymbolicRegion>(Reg)) {
311 const auto *OriginReg = SymReg->getSymbol()->getOriginRegion();
312 if (!OriginReg)
313 break;
314 Reg = OriginReg->getBaseRegion();
315 }
316 return Reg;
317}
318
319static std::optional<std::string> printReferrer(const MemRegion *Referrer) {
320 assert(Referrer);
321 const StringRef ReferrerMemorySpace = [](const MemSpaceRegion *Space) {
322 if (isa<StaticGlobalSpaceRegion>(Space))
323 return "static";
324 if (isa<GlobalsSpaceRegion>(Space))
325 return "global";
326 assert(isa<StackSpaceRegion>(Space));
327 // This case covers top-level and inlined analyses.
328 return "caller";
329 }(getStackOrGlobalSpaceRegion(Referrer));
330
331 while (!Referrer->canPrintPretty()) {
332 if (const auto *SymReg = dyn_cast<SymbolicRegion>(Referrer);
333 SymReg && SymReg->getSymbol()->getOriginRegion()) {
334 Referrer = SymReg->getSymbol()->getOriginRegion()->getBaseRegion();
335 } else if (isa<CXXThisRegion>(Referrer)) {
336 // Skip members of a class, it is handled in CheckExprLifetime.cpp as
337 // warn_bind_ref_member_to_parameter or
338 // warn_init_ptr_member_to_parameter_addr
339 return std::nullopt;
340 } else if (isa<AllocaRegion>(Referrer)) {
341 // Skip alloca() regions, they indicate advanced memory management
342 // and higher likelihood of CSA false positives.
343 return std::nullopt;
344 } else {
345 assert(false && "Unexpected referrer region type.");
346 return std::nullopt;
347 }
348 }
349 assert(Referrer);
350 assert(Referrer->canPrintPretty());
351
352 std::string buf;
353 llvm::raw_string_ostream os(buf);
354 os << ReferrerMemorySpace << " variable ";
355 Referrer->printPretty(os);
356 return buf;
357}
358
359/// Check whether \p Region refers to a freshly minted symbol after an opaque
360/// function call.
361static bool isInvalidatedSymbolRegion(const MemRegion *Region) {
362 const auto *SymReg = Region->getAs<SymbolicRegion>();
363 if (!SymReg)
364 return false;
365 SymbolRef Symbol = SymReg->getSymbol();
366
367 const auto *DerS = dyn_cast<SymbolDerived>(Symbol);
368 return DerS && isa_and_nonnull<SymbolConjured>(DerS->getParentSymbol());
369}
370
371void StackAddrEscapeChecker::checkEndFunction(const ReturnStmt *RS,
372 CheckerContext &Ctx) const {
373 if (!ChecksEnabled[CK_StackAddrEscapeChecker])
374 return;
375
376 ExplodedNode *Node = Ctx.getPredecessor();
377
378 bool ExitingTopFrame =
379 Ctx.getPredecessor()->getLocationContext()->inTopFrame();
380
381 if (ExitingTopFrame &&
382 Node->getLocation().getTag() == ExprEngine::cleanupNodeTag() &&
383 Node->getFirstPred()) {
384 // When finishing analysis of a top-level function, engine proactively
385 // removes dead symbols thus preventing this checker from looking through
386 // the output parameters. Take 1 step back, to the node where these symbols
387 // and their bindings are still present
388 Node = Node->getFirstPred();
389 }
390
391 // Iterate over all bindings to global variables and see if it contains
392 // a memory region in the stack space.
393 class CallBack : public StoreManager::BindingsHandler {
394 private:
395 CheckerContext &Ctx;
396 const StackFrameContext *PoppedFrame;
397 const bool TopFrame;
398
399 /// Look for stack variables referring to popped stack variables.
400 /// Returns true only if it found some dangling stack variables
401 /// referred by an other stack variable from different stack frame.
402 bool checkForDanglingStackVariable(const MemRegion *Referrer,
403 const MemRegion *Referred) {
404 const auto *ReferrerMemSpace = getStackOrGlobalSpaceRegion(Referrer);
405 const auto *ReferredMemSpace =
406 Referred->getMemorySpace()->getAs<StackSpaceRegion>();
407
408 if (!ReferrerMemSpace || !ReferredMemSpace)
409 return false;
410
411 const auto *ReferrerStackSpace =
412 ReferrerMemSpace->getAs<StackSpaceRegion>();
413
414 if (!ReferrerStackSpace)
415 return false;
416
417 if (const auto *ReferredFrame = ReferredMemSpace->getStackFrame();
418 ReferredFrame != PoppedFrame) {
419 return false;
420 }
421
422 if (ReferrerStackSpace->getStackFrame()->isParentOf(PoppedFrame)) {
423 V.emplace_back(Referrer, Referred);
424 return true;
425 }
426 if (isa<StackArgumentsSpaceRegion>(ReferrerMemSpace) &&
427 // Not a simple ptr (int*) but something deeper, e.g. int**
428 isa<SymbolicRegion>(Referrer->getBaseRegion()) &&
429 ReferrerStackSpace->getStackFrame() == PoppedFrame && TopFrame) {
430 // Output parameter of a top-level function
431 V.emplace_back(Referrer, Referred);
432 return true;
433 }
434 return false;
435 }
436
437 // Keep track of the variables that were invalidated through an opaque
438 // function call. Even if the initial values of such variables were bound to
439 // an address of a local variable, we cannot claim anything now, at the
440 // function exit, so skip them to avoid false positives.
441 void recordInInvalidatedRegions(const MemRegion *Region) {
442 if (isInvalidatedSymbolRegion(Region))
443 ExcludedRegions.insert(getOriginBaseRegion(Region));
444 }
445
446 public:
447 SmallVector<std::pair<const MemRegion *, const MemRegion *>, 10> V;
448 // ExcludedRegions are skipped from reporting.
449 // I.e., if a referrer in this set, skip the related bug report.
450 // It is useful to avoid false positive for the variables that were
451 // reset to a conjured value after an opaque function call.
452 llvm::SmallPtrSet<const MemRegion *, 4> ExcludedRegions;
453
454 CallBack(CheckerContext &CC, bool TopFrame)
455 : Ctx(CC), PoppedFrame(CC.getStackFrame()), TopFrame(TopFrame) {}
456
457 bool HandleBinding(StoreManager &SMgr, Store S, const MemRegion *Region,
458 SVal Val) override {
459 recordInInvalidatedRegions(Region);
460 const MemRegion *VR = Val.getAsRegion();
461 if (!VR)
462 return true;
463
464 if (checkForDanglingStackVariable(Region, VR))
465 return true;
466
467 // Check the globals for the same.
468 if (!isa_and_nonnull<GlobalsSpaceRegion>(
469 getStackOrGlobalSpaceRegion(Region)))
470 return true;
471 if (VR && VR->hasStackStorage() && !isNotInCurrentFrame(VR, Ctx))
472 V.emplace_back(Region, VR);
473 return true;
474 }
475 };
476
477 CallBack Cb(Ctx, ExitingTopFrame);
478 ProgramStateRef State = Node->getState();
479 State->getStateManager().getStoreManager().iterBindings(State->getStore(),
480 Cb);
481
482 if (Cb.V.empty())
483 return;
484
485 // Generate an error node.
486 ExplodedNode *N = Ctx.generateNonFatalErrorNode(State, Node);
487 if (!N)
488 return;
489
490 if (!BT_stackleak)
491 BT_stackleak =
492 std::make_unique<BugType>(CheckNames[CK_StackAddrEscapeChecker],
493 "Stack address leaks outside of stack frame");
494
495 for (const auto &P : Cb.V) {
496 const MemRegion *Referrer = P.first->getBaseRegion();
497 const MemRegion *Referred = P.second;
498 if (Cb.ExcludedRegions.contains(getOriginBaseRegion(Referrer))) {
499 continue;
500 }
501
502 // Generate a report for this bug.
503 const StringRef CommonSuffix =
504 " upon returning to the caller. This will be a dangling reference";
505 SmallString<128> Buf;
506 llvm::raw_svector_ostream Out(Buf);
507 const SourceRange Range = genName(Out, Referred, Ctx.getASTContext());
508
509 if (isa<CXXTempObjectRegion, CXXLifetimeExtendedObjectRegion>(Referrer)) {
510 Out << " is still referred to by a temporary object on the stack"
511 << CommonSuffix;
512 auto Report =
513 std::make_unique<PathSensitiveBugReport>(*BT_stackleak, Out.str(), N);
514 if (Range.isValid())
515 Report->addRange(Range);
516 Ctx.emitReport(std::move(Report));
517 return;
518 }
519
520 auto ReferrerVariable = printReferrer(Referrer);
521 if (!ReferrerVariable) {
522 continue;
523 }
524
525 Out << " is still referred to by the " << *ReferrerVariable << CommonSuffix;
526 auto Report =
527 std::make_unique<PathSensitiveBugReport>(*BT_stackleak, Out.str(), N);
528 if (Range.isValid())
529 Report->addRange(Range);
530
531 Ctx.emitReport(std::move(Report));
532 }
533}
534
535void ento::registerStackAddrEscapeBase(CheckerManager &mgr) {
536 mgr.registerChecker<StackAddrEscapeChecker>();
537}
538
539bool ento::shouldRegisterStackAddrEscapeBase(const CheckerManager &mgr) {
540 return true;
541}
542
543#define REGISTER_CHECKER(name) \
544 void ento::register##name(CheckerManager &Mgr) { \
545 StackAddrEscapeChecker *Chk = Mgr.getChecker<StackAddrEscapeChecker>(); \
546 Chk->ChecksEnabled[StackAddrEscapeChecker::CK_##name] = true; \
547 Chk->CheckNames[StackAddrEscapeChecker::CK_##name] = \
548 Mgr.getCurrentCheckerName(); \
549 } \
550 \
551 bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
552
553REGISTER_CHECKER(StackAddrEscapeChecker)
554REGISTER_CHECKER(StackAddrAsyncEscapeChecker)
V
#define V(N, I)
Definition: ASTContext.h:3460
Node
DynTypedNode Node
Definition: ASTMatchFinder.cpp:70
P
StringRef P
Definition: ASTMatchersInternal.cpp:574
SM
#define SM(sm)
Definition: Cuda.cpp:85
ExprCXX.h
Defines the clang::Expr interface and subclasses for C++ expressions.
SourceManager.h
Defines the SourceManager interface.
REGISTER_CHECKER
#define REGISTER_CHECKER(name)
Definition: StackAddrEscapeChecker.cpp:543
printReferrer
static std::optional< std::string > printReferrer(const MemRegion *Referrer)
Definition: StackAddrEscapeChecker.cpp:319
isInvalidatedSymbolRegion
static bool isInvalidatedSymbolRegion(const MemRegion *Region)
Check whether Region refers to a freshly minted symbol after an opaque function call.
Definition: StackAddrEscapeChecker.cpp:361
getStackOrGlobalSpaceRegion
static const MemSpaceRegion * getStackOrGlobalSpaceRegion(const MemRegion *R)
Definition: StackAddrEscapeChecker.cpp:291
getOriginBaseRegion
static const MemRegion * getOriginBaseRegion(const MemRegion *Reg)
Definition: StackAddrEscapeChecker.cpp:308
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:188
clang::ASTContext::getSourceManager
SourceManager & getSourceManager()
Definition: ASTContext.h:741
clang::ASTContext::Idents
IdentifierTable & Idents
Definition: ASTContext.h:680
clang::ASTContext::getPrintingPolicy
const clang::PrintingPolicy & getPrintingPolicy() const
Definition: ASTContext.h:733
clang::BlockDecl
Represents a block literal declaration, which is like an unnamed FunctionDecl.
Definition: Decl.h:4496
clang::BlockDecl::captures
ArrayRef< Capture > captures() const
Definition: Decl.h:4623
clang::BlockDecl::getSourceRange
SourceRange getSourceRange() const override LLVM_READONLY
Source range that this declaration covers.
Definition: Decl.cpp:5308
clang::CompoundLiteralExpr
CompoundLiteralExpr - [C99 6.5.2.5].
Definition: Expr.h:3477
clang::CompoundLiteralExpr::getBeginLoc
SourceLocation getBeginLoc() const LLVM_READONLY
Definition: Expr.h:3517
clang::Decl::getASTContext
ASTContext & getASTContext() const LLVM_READONLY
Definition: DeclBase.cpp:528
clang::Decl::getBeginLoc
SourceLocation getBeginLoc() const LLVM_READONLY
Definition: DeclBase.h:434
clang::ExprWithCleanups
Represents an expression – generally a full-expression – that introduces cleanups to be run at the en...
Definition: ExprCXX.h:3474
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::Expr::IgnoreParens
Expr * IgnoreParens() LLVM_READONLY
Skip past any parentheses which might surround this expression until reaching a fixed point.
Definition: Expr.cpp:3092
clang::Expr::getType
QualType getType() const
Definition: Expr.h:142
clang::IdentifierInfo
One of these records is kept for each identifier that is lexed.
Definition: IdentifierTable.h:117
clang::IdentifierTable::get
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
Definition: IdentifierTable.h:688
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:929
clang::QualType::print
void print(raw_ostream &OS, const PrintingPolicy &Policy, const Twine &PlaceHolder=Twine(), unsigned Indentation=0) const
Definition: TypePrinter.cpp:2646
clang::ReturnStmt
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:3046
clang::ReturnStmt::getRetValue
Expr * getRetValue()
Definition: Stmt.h:3077
clang::SourceLocation
Encodes a location in the source.
Definition: SourceLocation.h:88
clang::SourceManager
This class handles loading and caching of source files into memory.
Definition: SourceManager.h:663
clang::SourceRange
A trivial tuple used to represent a source range.
Definition: SourceLocation.h:213
clang::StackFrameContext
It represents a stack frame of the call stack (based on CallEvent).
Definition: AnalysisDeclContext.h:299
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:334
clang::Stmt::getBeginLoc
SourceLocation getBeginLoc() const LLVM_READONLY
Definition: Stmt.cpp:346
clang::Type::isRecordType
bool isRecordType() const
Definition: Type.h:8292
clang::ento::BlockDataRegion
BlockDataRegion - A region that represents a block instance.
Definition: MemRegion.h:678
clang::ento::BlockDataRegion::getDecl
LLVM_ATTRIBUTE_RETURNS_NONNULL const BlockDecl * getDecl() const
Definition: MemRegion.h:708
clang::ento::BlockDataRegion::referenced_vars
llvm::iterator_range< referenced_vars_iterator > referenced_vars() const
Definition: MemRegion.cpp:1786
clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:153
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:202
clang::ento::CheckerNameRef
This wrapper is used to ensure that only StringRefs originating from the CheckerRegistry are used as ...
Definition: CheckerManager.h:106
clang::ento::ExprEngine::cleanupNodeTag
static const ProgramPointTag * cleanupNodeTag()
A tag to track convenience transitions, which can be removed at cleanup.
Definition: ExprEngine.cpp:1107
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:97
clang::ento::MemRegion::getMemorySpace
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemSpaceRegion * getMemorySpace() const
Definition: MemRegion.cpp:1351
clang::ento::MemRegion::hasStackStorage
bool hasStackStorage() const
Definition: MemRegion.cpp:1363
clang::ento::MemRegion::getBaseRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getBaseRegion() const
Definition: MemRegion.cpp:1377
clang::ento::MemRegion::printPretty
virtual void printPretty(raw_ostream &os) const
Print the region for use in diagnostics.
Definition: MemRegion.cpp:652
clang::ento::MemRegion::getAs
const RegionTy * getAs() const
Definition: MemRegion.h:1388
clang::ento::MemRegion::canPrintPretty
virtual bool canPrintPretty() const
Returns true if this region can be printed in a user-friendly way.
Definition: MemRegion.cpp:633
clang::ento::MemSpaceRegion
MemSpaceRegion - A memory region that represents a "memory space"; for example, the set of global var...
Definition: MemRegion.h:208
clang::ento::Range
A Range represents the closed range [from, to].
Definition: RangedConstraintManager.h:29
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:56
clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
clang::ento::StoreManager::BindingsHandler::HandleBinding
virtual bool HandleBinding(StoreManager &SMgr, Store store, const MemRegion *region, SVal val)=0
clang::ento::StoreManager::Ctx
ASTContext & Ctx
Definition: Store.h:60
clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:32
clang::ento::SymbolicRegion
SymbolicRegion - A special, "non-concrete" region.
Definition: MemRegion.h:780
clang::ento::Store
const void * Store
Store - This opaque type encapsulates an immutable mapping from locations to values.
Definition: StoreRef.h:27
clang::transformer::range
RangeSelector range(RangeSelector Begin, RangeSelector End)
DEPRECATED. Use enclose.
Definition: RangeSelector.h:41
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
clang::T
const FunctionProtoType * T
Definition: RecursiveASTVisitor.h:1365
Generated on Sun Jul 13 2025 07:14:59 for clang by doxygen 1.9.6