doxygen/VirtualCallChecker_8cpp_source.html

//=======- VirtualCallChecker.cpp --------------------------------*- C++ -*-==//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

//  This file defines a checker that checks virtual method calls during

//  construction or destruction of C++ objects.

//

//===----------------------------------------------------------------------===//


#include "clang/AST/Attr.h"

#include "clang/AST/DeclCXX.h"

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"


using namespace clang;

using namespace ento;


namespace {

enum class ObjectState : bool { CtorCalled, DtorCalled };

} // end namespace

  // FIXME: Ascending over StackFrameContext maybe another method.


namespace llvm {

template <> struct FoldingSetTrait<ObjectState> {

  static inline void Profile(ObjectState X, FoldingSetNodeID &ID) {

    ID.AddInteger(static_cast<int>(X));

  }

};

} // end namespace llvm


namespace {

class VirtualCallChecker

    : public Checker<check::BeginFunction, check::EndFunction, check::PreCall> {

public:

  // These are going to be null if the respective check is disabled.

  mutable std::unique_ptr<BugType> BT_Pure, BT_Impure;

  bool ShowFixIts = false;


  void checkBeginFunction(CheckerContext &C) const;

  void checkEndFunction(const ReturnStmt *RS, CheckerContext &C) const;

  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;


private:

  void registerCtorDtorCallInState(bool IsBeginFunction,

                                   CheckerContext &C) const;

};

} // end namespace


// GDM (generic data map) to the memregion of this for the ctor and dtor.

REGISTER_MAP_WITH_PROGRAMSTATE(CtorDtorMap, const MemRegion *, ObjectState)


// The function to check if a callexpr is a virtual method call.

static bool isVirtualCall(const CallExpr *CE) {

  bool CallIsNonVirtual = false;


  if (const MemberExpr *CME = dyn_cast<MemberExpr>(CE->getCallee())) {

    // The member access is fully qualified (i.e., X::F).

    // Treat this as a non-virtual call and do not warn.

    if (CME->getQualifier())

      CallIsNonVirtual = true;


    if (const Expr *Base = CME->getBase()) {

      // The most derived class is marked final.

      if (Base->getBestDynamicClassType()->hasAttr<FinalAttr>())

        CallIsNonVirtual = true;

    }

  }


  const CXXMethodDecl *MD =

      dyn_cast_or_null<CXXMethodDecl>(CE->getDirectCallee());

  if (MD && MD->isVirtual() && !CallIsNonVirtual && !MD->hasAttr<FinalAttr>() &&

      !MD->getParent()->hasAttr<FinalAttr>())

    return true;

  return false;

}


// The BeginFunction callback when enter a constructor or a destructor.

void VirtualCallChecker::checkBeginFunction(CheckerContext &C) const {

  registerCtorDtorCallInState(true, C);

}


// The EndFunction callback when leave a constructor or a destructor.

void VirtualCallChecker::checkEndFunction(const ReturnStmt *RS,

                                          CheckerContext &C) const {

  registerCtorDtorCallInState(false, C);

}


void VirtualCallChecker::checkPreCall(const CallEvent &Call,

                                      CheckerContext &C) const {

  const auto MC = dyn_cast<CXXMemberCall>(&Call);

  if (!MC)

    return;


  const CXXMethodDecl *MD = dyn_cast_or_null<CXXMethodDecl>(Call.getDecl());

  if (!MD)

    return;


  ProgramStateRef State = C.getState();

  // Member calls are always represented by a call-expression.

  const auto *CE = cast<CallExpr>(Call.getOriginExpr());

  if (!isVirtualCall(CE))

    return;


  const MemRegion *Reg = MC->getCXXThisVal().getAsRegion();

  const ObjectState *ObState = State->get<CtorDtorMap>(Reg);

  if (!ObState)

    return;


  bool IsPure = MD->isPure();


  // At this point we're sure that we're calling a virtual method

  // during construction or destruction, so we'll emit a report.

  SmallString<128> Msg;

  llvm::raw_svector_ostream OS(Msg);

  OS << "Call to ";

  if (IsPure)

    OS << "pure ";

  OS << "virtual method '" << MD->getParent()->getDeclName()

     << "::" << MD->getDeclName() << "' during ";

  if (*ObState == ObjectState::CtorCalled)

    OS << "construction ";

  else

    OS << "destruction ";

  if (IsPure)

    OS << "has undefined behavior";

  else

    OS << "bypasses virtual dispatch";


  ExplodedNode *N =

      IsPure ? C.generateErrorNode() : C.generateNonFatalErrorNode();

  if (!N)

    return;


  const std::unique_ptr<BugType> &BT = IsPure ? BT_Pure : BT_Impure;

  if (!BT) {

    // The respective check is disabled.

    return;

  }


  auto Report = std::make_unique<PathSensitiveBugReport>(*BT, OS.str(), N);


  if (ShowFixIts && !IsPure) {

    // FIXME: These hints are valid only when the virtual call is made

    // directly from the constructor/destructor. Otherwise the dispatch

    // will work just fine from other callees, and the fix may break

    // the otherwise correct program.

    FixItHint Fixit = FixItHint::CreateInsertion(

        CE->getBeginLoc(), MD->getParent()->getNameAsString() + "::");

    Report->addFixItHint(Fixit);

  }


  C.emitReport(std::move(Report));

}


void VirtualCallChecker::registerCtorDtorCallInState(bool IsBeginFunction,

                                                     CheckerContext &C) const {

  const auto *LCtx = C.getLocationContext();

  const auto *MD = dyn_cast_or_null<CXXMethodDecl>(LCtx->getDecl());

  if (!MD)

    return;


  ProgramStateRef State = C.getState();

  auto &SVB = C.getSValBuilder();


  // Enter a constructor, set the corresponding memregion be true.

  if (isa<CXXConstructorDecl>(MD)) {

    auto ThiSVal =

        State->getSVal(SVB.getCXXThis(MD, LCtx->getStackFrame()));

    const MemRegion *Reg = ThiSVal.getAsRegion();

    if (IsBeginFunction)

      State = State->set<CtorDtorMap>(Reg, ObjectState::CtorCalled);

    else

      State = State->remove<CtorDtorMap>(Reg);


    C.addTransition(State);

    return;

  }


  // Enter a Destructor, set the corresponding memregion be true.

  if (isa<CXXDestructorDecl>(MD)) {

    auto ThiSVal =

        State->getSVal(SVB.getCXXThis(MD, LCtx->getStackFrame()));

    const MemRegion *Reg = ThiSVal.getAsRegion();

    if (IsBeginFunction)

      State = State->set<CtorDtorMap>(Reg, ObjectState::DtorCalled);

    else

      State = State->remove<CtorDtorMap>(Reg);


    C.addTransition(State);

    return;

  }

}


void ento::registerVirtualCallModeling(CheckerManager &Mgr) {

  Mgr.registerChecker<VirtualCallChecker>();

}


void ento::registerPureVirtualCallChecker(CheckerManager &Mgr) {

  auto *Chk = Mgr.getChecker<VirtualCallChecker>();

  Chk->BT_Pure = std::make_unique<BugType>(Mgr.getCurrentCheckerName(),

                                           "Pure virtual method call",

                                           categories::CXXObjectLifecycle);

}


void ento::registerVirtualCallChecker(CheckerManager &Mgr) {

  auto *Chk = Mgr.getChecker<VirtualCallChecker>();

  if (!Mgr.getAnalyzerOptions().getCheckerBooleanOption(

          Mgr.getCurrentCheckerName(), "PureOnly")) {

    Chk->BT_Impure = std::make_unique<BugType>(

        Mgr.getCurrentCheckerName(), "Unexpected loss of virtual dispatch",

        categories::CXXObjectLifecycle);

    Chk->ShowFixIts = Mgr.getAnalyzerOptions().getCheckerBooleanOption(

        Mgr.getCurrentCheckerName(), "ShowFixIts");

  }

}


bool ento::shouldRegisterVirtualCallModeling(const CheckerManager &mgr) {

  const LangOptions &LO = mgr.getLangOpts();

  return LO.CPlusPlus;

}


bool ento::shouldRegisterPureVirtualCallChecker(const CheckerManager &mgr) {

  const LangOptions &LO = mgr.getLangOpts();

  return LO.CPlusPlus;

}


bool ento::shouldRegisterVirtualCallChecker(const CheckerManager &mgr) {

  const LangOptions &LO = mgr.getLangOpts();

  return LO.CPlusPlus;

}

Attr.h

BugReporter.h

BugType.h

BuiltinCheckerRegistration.h

CallEvent.h

CheckerContext.h

Checker.h

DeclCXX.h
Defines the C++ Decl subclasses, other than those for templates (found in DeclTemplate....

X
#define X(type, name)
Definition: Value.h:142

ProgramStateTrait.h

REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:87

SValBuilder.h

isVirtualCall
static bool isVirtualCall(const CallExpr *CE)
Definition: VirtualCallChecker.cpp:63

Base

clang::AnalyzerOptions::getCheckerBooleanOption
bool getCheckerBooleanOption(StringRef CheckerName, StringRef OptionName, bool SearchInParents=false) const
Interprets an option's string value as a boolean.
Definition: AnalyzerOptions.cpp:161

clang::CXXMethodDecl
Represents a static or instance method of a struct/union/class.
Definition: DeclCXX.h:2035

clang::CXXMethodDecl::isVirtual
bool isVirtual() const
Definition: DeclCXX.h:2079

clang::CXXMethodDecl::getParent
const CXXRecordDecl * getParent() const
Return the parent of this method declaration, which is the class in which this method is defined.
Definition: DeclCXX.h:2150

clang::CallExpr
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2817

clang::Decl::hasAttr
bool hasAttr() const
Definition: DeclBase.h:560

clang::Expr
This represents one expression.
Definition: Expr.h:110

clang::FixItHint
Annotates a diagnostic with some code that should be inserted, removed, or replaced to fix the proble...
Definition: Diagnostic.h:71

clang::FixItHint::CreateInsertion
static FixItHint CreateInsertion(SourceLocation InsertionLoc, StringRef Code, bool BeforePreviousInsertions=false)
Create a code modification hint that inserts the given code string at a specific location.
Definition: Diagnostic.h:97

clang::FunctionDecl::isPure
bool isPure() const
Whether this virtual function is pure, i.e.
Definition: Decl.h:2255

clang::LangOptions
Keeps track of the various options that can be enabled, which controls the dialect of C or C++ that i...
Definition: LangOptions.h:82

clang::MemberExpr
MemberExpr - [C99 6.5.2.3] Structure and Union Members.
Definition: Expr.h:3180

clang::NamedDecl::getDeclName
DeclarationName getDeclName() const
Get the actual, stored name of the declaration, which may be a special name.
Definition: Decl.h:313

clang::NamedDecl::getNameAsString
std::string getNameAsString() const
Get a human-readable name for the declaration, even if it is one of the special kinds of names (C++ c...
Definition: Decl.h:290

clang::ReturnStmt
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:2835

clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:149

clang::ento::CheckerContext
Definition: CheckerContext.h:24

clang::ento::CheckerManager
Definition: CheckerManager.h:126

clang::ento::CheckerManager::getAnalyzerOptions
const AnalyzerOptions & getAnalyzerOptions() const
Definition: CheckerManager.h:170

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204

clang::ento::CheckerManager::getChecker
CHECKER * getChecker()
Definition: CheckerManager.h:218

clang::ento::CheckerManager::getLangOpts
const LangOptions & getLangOpts() const
Definition: CheckerManager.h:169

clang::ento::CheckerManager::getCurrentCheckerName
CheckerNameRef getCurrentCheckerName() const
Definition: CheckerManager.h:163

clang::ento::Checker
Definition: Checker.h:517

clang::ento::ExplodedNode
Definition: ExplodedGraph.h:65

clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:95

llvm::IntrusiveRefCntPtr< const ProgramState >

llvm::SmallString
Definition: LLVM.h:34

clang::ento::categories::CXXObjectLifecycle
const char *const CXXObjectLifecycle
Definition: CommonBugCategories.cpp:22

clang::interp::Call
bool Call(InterpState &S, CodePtr OpPC, const Function *Func)
Definition: Interp.h:1584

clang
Definition: CalledOnceCheck.h:17

clang::Language::C
@ C
Languages that the frontend can parse and compile.

llvm
YAML serialization mapping.
Definition: Dominators.h:30

llvm::FoldingSetTrait< ObjectState >::Profile
static void Profile(ObjectState X, FoldingSetNodeID &ID)
Definition: VirtualCallChecker.cpp:35

llvm::FoldingSetTrait
Definition: SourceLocation.h:27