doxygen/StdVariantChecker_8cpp_source.html

//===- StdVariantChecker.cpp -------------------------------------*- C++ -*-==//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//


#include "clang/AST/Type.h"

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"

#include "llvm/ADT/FoldingSet.h"

#include "llvm/ADT/StringRef.h"

#include "llvm/Support/Casting.h"

#include <optional>

#include <string_view>


#include "TaggedUnionModeling.h"


using namespace clang;

using namespace ento;

using namespace tagged_union_modeling;


REGISTER_MAP_WITH_PROGRAMSTATE(VariantHeldTypeMap, const MemRegion *, QualType)


namespace clang::ento::tagged_union_modeling {


const CXXConstructorDecl *

getConstructorDeclarationForCall(const CallEvent &Call) {

  const auto *ConstructorCall = dyn_cast<CXXConstructorCall>(&Call);

  if (!ConstructorCall)

    return nullptr;


  return ConstructorCall->getDecl();

}


bool isCopyConstructorCall(const CallEvent &Call) {

  if (const CXXConstructorDecl *ConstructorDecl =

          getConstructorDeclarationForCall(Call))

    return ConstructorDecl->isCopyConstructor();

  return false;

}


bool isCopyAssignmentCall(const CallEvent &Call) {

  const Decl *CopyAssignmentDecl = Call.getDecl();


  if (const auto *AsMethodDecl =

          dyn_cast_or_null<CXXMethodDecl>(CopyAssignmentDecl))

    return AsMethodDecl->isCopyAssignmentOperator();

  return false;

}


bool isMoveConstructorCall(const CallEvent &Call) {

  const CXXConstructorDecl *ConstructorDecl =

      getConstructorDeclarationForCall(Call);

  if (!ConstructorDecl)

    return false;


  return ConstructorDecl->isMoveConstructor();

}


bool isMoveAssignmentCall(const CallEvent &Call) {

  const Decl *CopyAssignmentDecl = Call.getDecl();


  const auto *AsMethodDecl =

      dyn_cast_or_null<CXXMethodDecl>(CopyAssignmentDecl);

  if (!AsMethodDecl)

    return false;


  return AsMethodDecl->isMoveAssignmentOperator();

}


bool isStdType(const Type *Type, llvm::StringRef TypeName) {

  auto *Decl = Type->getAsRecordDecl();

  if (!Decl)

    return false;

  return (Decl->getName() == TypeName) && Decl->isInStdNamespace();

}


bool isStdVariant(const Type *Type) {

  return isStdType(Type, llvm::StringLiteral("variant"));

}


} // end of namespace clang::ento::tagged_union_modeling


static std::optional<ArrayRef<TemplateArgument>>

getTemplateArgsFromVariant(const Type *VariantType) {

  const auto *TempSpecType = VariantType->getAs<TemplateSpecializationType>();

  if (!TempSpecType)

    return {};


  return TempSpecType->template_arguments();

}


static std::optional<QualType>

getNthTemplateTypeArgFromVariant(const Type *varType, unsigned i) {

  std::optional<ArrayRef<TemplateArgument>> VariantTemplates =

      getTemplateArgsFromVariant(varType);

  if (!VariantTemplates)

    return {};


  return (*VariantTemplates)[i].getAsType();

}


static bool isVowel(char a) {

  switch (a) {

  case 'a':

  case 'e':

  case 'i':

  case 'o':

  case 'u':

    return true;

  default:

    return false;

  }

}


static llvm::StringRef indefiniteArticleBasedOnVowel(char a) {

  if (isVowel(a))

    return "an";

  return "a";

}


class StdVariantChecker : public Checker<eval::Call, check::RegionChanges> {

  // Call descriptors to find relevant calls

  CallDescription VariantConstructor{CDM::CXXMethod,

                                     {"std", "variant", "variant"}};

  CallDescription VariantAssignmentOperator{CDM::CXXMethod,

                                            {"std", "variant", "operator="}};

  CallDescription StdGet{CDM::SimpleFunc, {"std", "get"}, 1, 1};


  BugType BadVariantType{this, "BadVariantType", "BadVariantType"};


public:

  ProgramStateRef checkRegionChanges(ProgramStateRef State,

                                     const InvalidatedSymbols *,

                                     ArrayRef<const MemRegion *>,

                                     ArrayRef<const MemRegion *> Regions,

                                     const LocationContext *,

                                     const CallEvent *Call) const {

    if (!Call)

      return State;


    return removeInformationStoredForDeadInstances<VariantHeldTypeMap>(

        *Call, State, Regions);

  }


  bool evalCall(const CallEvent &Call, CheckerContext &C) const {

    // Check if the call was not made from a system header. If it was then

    // we do an early return because it is part of the implementation.

    if (Call.isCalledFromSystemHeader())

      return false;


    if (StdGet.matches(Call))

      return handleStdGetCall(Call, C);


    // First check if a constructor call is happening. If it is a

    // constructor call, check if it is an std::variant constructor call.

    bool IsVariantConstructor =

        isa<CXXConstructorCall>(Call) && VariantConstructor.matches(Call);

    bool IsVariantAssignmentOperatorCall =

        isa<CXXMemberOperatorCall>(Call) &&

        VariantAssignmentOperator.matches(Call);


    if (IsVariantConstructor || IsVariantAssignmentOperatorCall) {

      if (Call.getNumArgs() == 0 && IsVariantConstructor) {

        handleDefaultConstructor(cast<CXXConstructorCall>(&Call), C);

        return true;

      }


      // FIXME Later this checker should be extended to handle constructors

      // with multiple arguments.

      if (Call.getNumArgs() != 1)

        return false;


      SVal ThisSVal;

      if (IsVariantConstructor) {

        const auto &AsConstructorCall = cast<CXXConstructorCall>(Call);

        ThisSVal = AsConstructorCall.getCXXThisVal();

      } else if (IsVariantAssignmentOperatorCall) {

        const auto &AsMemberOpCall = cast<CXXMemberOperatorCall>(Call);

        ThisSVal = AsMemberOpCall.getCXXThisVal();

      } else {

        return false;

      }


      handleConstructorAndAssignment<VariantHeldTypeMap>(Call, C, ThisSVal);

      return true;

    }

    return false;

  }


private:

  // The default constructed std::variant must be handled separately

  // by default the std::variant is going to hold a default constructed instance

  // of the first type of the possible types

  void handleDefaultConstructor(const CXXConstructorCall *ConstructorCall,

                                CheckerContext &C) const {

    SVal ThisSVal = ConstructorCall->getCXXThisVal();


    const auto *const ThisMemRegion = ThisSVal.getAsRegion();

    if (!ThisMemRegion)

      return;


    std::optional<QualType> DefaultType = getNthTemplateTypeArgFromVariant(

        ThisSVal.getType(C.getASTContext())->getPointeeType().getTypePtr(), 0);

    if (!DefaultType)

      return;


    ProgramStateRef State = ConstructorCall->getState();

    State = State->set<VariantHeldTypeMap>(ThisMemRegion, *DefaultType);

    C.addTransition(State);

  }


  bool handleStdGetCall(const CallEvent &Call, CheckerContext &C) const {

    ProgramStateRef State = Call.getState();


    const auto &ArgType = Call.getArgSVal(0)

                              .getType(C.getASTContext())

                              ->getPointeeType()

                              .getTypePtr();

    // We have to make sure that the argument is an std::variant.

    // There is another std::get with std::pair argument

    if (!isStdVariant(ArgType))

      return false;


    // Get the mem region of the argument std::variant and look up the type

    // information that we know about it.

    const MemRegion *ArgMemRegion = Call.getArgSVal(0).getAsRegion();

    const QualType *StoredType = State->get<VariantHeldTypeMap>(ArgMemRegion);

    if (!StoredType)

      return false;


    const CallExpr *CE = cast<CallExpr>(Call.getOriginExpr());

    const FunctionDecl *FD = CE->getDirectCallee();

    if (FD->getTemplateSpecializationArgs()->size() < 1)

      return false;


    const auto &TypeOut = FD->getTemplateSpecializationArgs()->asArray()[0];

    // std::get's first template parameter can be the type we want to get

    // out of the std::variant or a natural number which is the position of

    // the requested type in the argument type list of the std::variant's

    // argument.

    QualType RetrievedType;

    switch (TypeOut.getKind()) {

    case TemplateArgument::ArgKind::Type:

      RetrievedType = TypeOut.getAsType();

      break;

    case TemplateArgument::ArgKind::Integral:

      // In the natural number case we look up which type corresponds to the

      // number.

      if (std::optional<QualType> NthTemplate =

              getNthTemplateTypeArgFromVariant(

                  ArgType, TypeOut.getAsIntegral().getSExtValue())) {

        RetrievedType = *NthTemplate;

        break;

      }

      [[fallthrough]];

    default:

      return false;

    }


    QualType RetrievedCanonicalType = RetrievedType.getCanonicalType();

    QualType StoredCanonicalType = StoredType->getCanonicalType();

    if (RetrievedCanonicalType == StoredCanonicalType)

      return true;


    ExplodedNode *ErrNode = C.generateNonFatalErrorNode();

    if (!ErrNode)

      return false;

    llvm::SmallString<128> Str;

    llvm::raw_svector_ostream OS(Str);

    std::string StoredTypeName = StoredType->getAsString();

    std::string RetrievedTypeName = RetrievedType.getAsString();

    OS << "std::variant " << ArgMemRegion->getDescriptiveName() << " held "

       << indefiniteArticleBasedOnVowel(StoredTypeName[0]) << " \'"

       << StoredTypeName << "\', not "

       << indefiniteArticleBasedOnVowel(RetrievedTypeName[0]) << " \'"

       << RetrievedTypeName << "\'";

    auto R = std::make_unique<PathSensitiveBugReport>(BadVariantType, OS.str(),

                                                      ErrNode);

    C.emitReport(std::move(R));

    return true;

  }

};


bool clang::ento::shouldRegisterStdVariantChecker(

    clang::ento::CheckerManager const &mgr) {

  return true;

}


void clang::ento::registerStdVariantChecker(clang::ento::CheckerManager &mgr) {

  mgr.registerChecker<StdVariantChecker>();

}

BugType.h

BuiltinCheckerRegistration.h

CallDescription.h

CallEvent.h

CheckerContext.h

CheckerManager.h

Checker.h

REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:87

SVals.h

getTemplateArgsFromVariant
static std::optional< ArrayRef< TemplateArgument > > getTemplateArgsFromVariant(const Type *VariantType)
Definition: StdVariantChecker.cpp:93

getNthTemplateTypeArgFromVariant
static std::optional< QualType > getNthTemplateTypeArgFromVariant(const Type *varType, unsigned i)
Definition: StdVariantChecker.cpp:102

indefiniteArticleBasedOnVowel
static llvm::StringRef indefiniteArticleBasedOnVowel(char a)
Definition: StdVariantChecker.cpp:124

isVowel
static bool isVowel(char a)
Definition: StdVariantChecker.cpp:111

TaggedUnionModeling.h

Type.h
C Language Family Type Representation.

StdVariantChecker
Definition: StdVariantChecker.cpp:130

StdVariantChecker::checkRegionChanges
ProgramStateRef checkRegionChanges(ProgramStateRef State, const InvalidatedSymbols *, ArrayRef< const MemRegion * >, ArrayRef< const MemRegion * > Regions, const LocationContext *, const CallEvent *Call) const
Definition: StdVariantChecker.cpp:141

StdVariantChecker::evalCall
bool evalCall(const CallEvent &Call, CheckerContext &C) const
Definition: StdVariantChecker.cpp:154

clang::CXXConstructorDecl
Represents a C++ constructor within a class.
Definition: DeclCXX.h:2535

clang::CXXConstructorDecl::isMoveConstructor
bool isMoveConstructor(unsigned &TypeQuals) const
Determine whether this constructor is a move constructor (C++11 [class.copy]p3), which can be used to...
Definition: DeclCXX.cpp:2767

clang::CallExpr
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2820

clang::CallExpr::getDirectCallee
FunctionDecl * getDirectCallee()
If the callee is a FunctionDecl, return it. Otherwise return null.
Definition: Expr.h:2990

clang::Decl
Decl - This represents one declaration (or definition), e.g.
Definition: DeclBase.h:86

clang::Decl::isInStdNamespace
bool isInStdNamespace() const
Definition: DeclBase.cpp:403

clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1971

clang::FunctionDecl::getTemplateSpecializationArgs
const TemplateArgumentList * getTemplateSpecializationArgs() const
Retrieve the template arguments used to produce this function template specialization from the primar...
Definition: Decl.cpp:4178

clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215

clang::QualType
A (possibly-)qualified type.
Definition: Type.h:940

clang::QualType::getTypePtr
const Type * getTypePtr() const
Retrieves a pointer to the underlying (unqualified) type.
Definition: Type.h:7359

clang::QualType::getCanonicalType
QualType getCanonicalType() const
Definition: Type.h:7411

clang::QualType::getAsString
static std::string getAsString(SplitQualType split, const PrintingPolicy &Policy)
Definition: Type.h:1327

clang::TemplateArgumentList::size
unsigned size() const
Retrieve the number of template arguments in this template argument list.
Definition: DeclTemplate.h:280

clang::TemplateArgumentList::asArray
ArrayRef< TemplateArgument > asArray() const
Produce this as an array ref.
Definition: DeclTemplate.h:274

clang::TemplateSpecializationType
Represents a type template specialization; the template must be a class template, a type alias templa...
Definition: Type.h:6089

clang::TemplateSpecializationType::template_arguments
ArrayRef< TemplateArgument > template_arguments() const
Definition: Type.h:6157

clang::Type
The base class of the type hierarchy.
Definition: Type.h:1813

clang::Type::getPointeeType
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee.
Definition: Type.cpp:694

clang::Type::getAs
const T * getAs() const
Member-template getAs<specific type>'.
Definition: Type.h:8123

clang::Type::getAsRecordDecl
RecordDecl * getAsRecordDecl() const
Retrieves the RecordDecl this type refers to.
Definition: Type.cpp:1874

clang::ento::AnyCXXConstructorCall::getCXXThisVal
SVal getCXXThisVal() const
Returns the value of the implicit 'this' object.
Definition: CallEvent.cpp:920

clang::ento::BugType
Definition: BugType.h:27

clang::ento::CXXConstructorCall
Represents a call to a C++ constructor.
Definition: CallEvent.h:979

clang::ento::CallDescription
A CallDescription is a pattern that can be used to match calls based on the qualified name and the ar...
Definition: CallDescription.h:32

clang::ento::CallDescription::matches
bool matches(const CallEvent &Call) const
Returns true if the CallEvent is a call to a function that matches the CallDescription.
Definition: CallDescription.cpp:58

clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:153

clang::ento::CallEvent::getState
const ProgramStateRef & getState() const
The state in which the call is being evaluated.
Definition: CallEvent.h:235

clang::ento::CheckerContext
Definition: CheckerContext.h:24

clang::ento::CheckerManager
Definition: CheckerManager.h:126

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204

clang::ento::Checker
Definition: Checker.h:512

clang::ento::ExplodedNode
Definition: ExplodedGraph.h:66

clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:96

clang::ento::MemRegion::getDescriptiveName
std::string getDescriptiveName(bool UseQuotes=true) const
Get descriptive name for memory region.
Definition: MemRegion.cpp:707

clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55

clang::ento::SVal::getType
QualType getType(const ASTContext &) const
Try to get a reasonable type for the given value.
Definition: SVals.cpp:181

clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120

llvm::ArrayRef
Definition: LLVM.h:31

llvm::DenseSet< SymbolRef >

llvm::IntrusiveRefCntPtr< const ProgramState >

llvm::SmallString
Definition: LLVM.h:34

clang::ento::tagged_union_modeling::isCopyAssignmentCall
bool isCopyAssignmentCall(const CallEvent &Call)
Definition: StdVariantChecker.cpp:50

clang::ento::tagged_union_modeling::isStdType
bool isStdType(const Type *Type, llvm::StringRef TypeName)
Definition: StdVariantChecker.cpp:79

clang::ento::tagged_union_modeling::isMoveAssignmentCall
bool isMoveAssignmentCall(const CallEvent &Call)
Definition: StdVariantChecker.cpp:68

clang::ento::tagged_union_modeling::isCopyConstructorCall
bool isCopyConstructorCall(const CallEvent &Call)
Definition: StdVariantChecker.cpp:43

clang::ento::tagged_union_modeling::isStdVariant
bool isStdVariant(const Type *Type)
Definition: StdVariantChecker.cpp:86

clang::ento::tagged_union_modeling::isMoveConstructorCall
bool isMoveConstructorCall(const CallEvent &Call)
Definition: StdVariantChecker.cpp:59

clang::ento::tagged_union_modeling::getConstructorDeclarationForCall
const CXXConstructorDecl * getConstructorDeclarationForCall(const CallEvent &Call)
Definition: StdVariantChecker.cpp:35

clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17

clang::LinkageSpecLanguageIDs::C
@ C

clang::OMPDeclareReductionInitKind::Call
@ Call

clang::DeclaratorContext::TypeName
@ TypeName