1 //===- CallEvent.cpp - Wrapper for all function and method calls ----------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 /// \file This file defines CallEvent and its subclasses, which represent path- 10 /// sensitive instances of different kinds of function and method calls 11 /// (C, C++, and Objective-C). 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 16 #include "clang/AST/ASTContext.h" 17 #include "clang/AST/Attr.h" 18 #include "clang/AST/Decl.h" 19 #include "clang/AST/DeclBase.h" 20 #include "clang/AST/DeclCXX.h" 21 #include "clang/AST/DeclObjC.h" 22 #include "clang/AST/Expr.h" 23 #include "clang/AST/ExprCXX.h" 24 #include "clang/AST/ExprObjC.h" 25 #include "clang/AST/ParentMap.h" 26 #include "clang/AST/Stmt.h" 27 #include "clang/AST/Type.h" 28 #include "clang/Analysis/AnalysisDeclContext.h" 29 #include "clang/Analysis/CFG.h" 30 #include "clang/Analysis/CFGStmtMap.h" 31 #include "clang/Analysis/PathDiagnostic.h" 32 #include "clang/Analysis/ProgramPoint.h" 33 #include "clang/Basic/IdentifierTable.h" 34 #include "clang/Basic/LLVM.h" 35 #include "clang/Basic/SourceLocation.h" 36 #include "clang/Basic/SourceManager.h" 37 #include "clang/Basic/Specifiers.h" 38 #include "clang/CrossTU/CrossTranslationUnit.h" 39 #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h" 40 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 41 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h" 42 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h" 43 #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" 44 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 45 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" 46 #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" 47 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 48 #include "clang/StaticAnalyzer/Core/PathSensitive/Store.h" 49 #include "llvm/ADT/ArrayRef.h" 50 #include "llvm/ADT/DenseMap.h" 51 #include "llvm/ADT/ImmutableList.h" 52 #include "llvm/ADT/PointerIntPair.h" 53 #include "llvm/ADT/SmallSet.h" 54 #include "llvm/ADT/SmallVector.h" 55 #include "llvm/ADT/StringExtras.h" 56 #include "llvm/ADT/StringRef.h" 57 #include "llvm/Support/Casting.h" 58 #include "llvm/Support/Compiler.h" 59 #include "llvm/Support/Debug.h" 60 #include "llvm/Support/ErrorHandling.h" 61 #include "llvm/Support/raw_ostream.h" 62 #include <cassert> 63 #include <optional> 64 #include <utility> 65 66 #define DEBUG_TYPE "static-analyzer-call-event" 67 68 using namespace clang; 69 using namespace ento; 70 71 QualType CallEvent::getResultType() const { 72 ASTContext &Ctx = getState()->getStateManager().getContext(); 73 const Expr *E = getOriginExpr(); 74 if (!E) 75 return Ctx.VoidTy; 76 return Ctx.getReferenceQualifiedType(E); 77 } 78 79 static bool isCallback(QualType T) { 80 // If a parameter is a block or a callback, assume it can modify pointer. 81 if (T->isBlockPointerType() || 82 T->isFunctionPointerType() || 83 T->isObjCSelType()) 84 return true; 85 86 // Check if a callback is passed inside a struct (for both, struct passed by 87 // reference and by value). Dig just one level into the struct for now. 88 89 if (T->isAnyPointerType() || T->isReferenceType()) 90 T = T->getPointeeType(); 91 92 if (const RecordType *RT = T->getAsStructureType()) { 93 const RecordDecl *RD = RT->getDecl(); 94 for (const auto *I : RD->fields()) { 95 QualType FieldT = I->getType(); 96 if (FieldT->isBlockPointerType() || FieldT->isFunctionPointerType()) 97 return true; 98 } 99 } 100 return false; 101 } 102 103 static bool isVoidPointerToNonConst(QualType T) { 104 if (const auto *PT = T->getAs<PointerType>()) { 105 QualType PointeeTy = PT->getPointeeType(); 106 if (PointeeTy.isConstQualified()) 107 return false; 108 return PointeeTy->isVoidType(); 109 } else 110 return false; 111 } 112 113 bool CallEvent::hasNonNullArgumentsWithType(bool (*Condition)(QualType)) const { 114 unsigned NumOfArgs = getNumArgs(); 115 116 // If calling using a function pointer, assume the function does not 117 // satisfy the callback. 118 // TODO: We could check the types of the arguments here. 119 if (!getDecl()) 120 return false; 121 122 unsigned Idx = 0; 123 for (CallEvent::param_type_iterator I = param_type_begin(), 124 E = param_type_end(); 125 I != E && Idx < NumOfArgs; ++I, ++Idx) { 126 // If the parameter is 0, it's harmless. 127 if (getArgSVal(Idx).isZeroConstant()) 128 continue; 129 130 if (Condition(*I)) 131 return true; 132 } 133 return false; 134 } 135 136 bool CallEvent::hasNonZeroCallbackArg() const { 137 return hasNonNullArgumentsWithType(isCallback); 138 } 139 140 bool CallEvent::hasVoidPointerToNonConstArg() const { 141 return hasNonNullArgumentsWithType(isVoidPointerToNonConst); 142 } 143 144 bool CallEvent::isGlobalCFunction(StringRef FunctionName) const { 145 const auto *FD = dyn_cast_or_null<FunctionDecl>(getDecl()); 146 if (!FD) 147 return false; 148 149 return CheckerContext::isCLibraryFunction(FD, FunctionName); 150 } 151 152 AnalysisDeclContext *CallEvent::getCalleeAnalysisDeclContext() const { 153 const Decl *D = getDecl(); 154 if (!D) 155 return nullptr; 156 157 AnalysisDeclContext *ADC = 158 LCtx->getAnalysisDeclContext()->getManager()->getContext(D); 159 160 return ADC; 161 } 162 163 const StackFrameContext * 164 CallEvent::getCalleeStackFrame(unsigned BlockCount) const { 165 AnalysisDeclContext *ADC = getCalleeAnalysisDeclContext(); 166 if (!ADC) 167 return nullptr; 168 169 const Expr *E = getOriginExpr(); 170 if (!E) 171 return nullptr; 172 173 // Recover CFG block via reverse lookup. 174 // TODO: If we were to keep CFG element information as part of the CallEvent 175 // instead of doing this reverse lookup, we would be able to build the stack 176 // frame for non-expression-based calls, and also we wouldn't need the reverse 177 // lookup. 178 CFGStmtMap *Map = LCtx->getAnalysisDeclContext()->getCFGStmtMap(); 179 const CFGBlock *B = Map->getBlock(E); 180 assert(B); 181 182 // Also recover CFG index by scanning the CFG block. 183 unsigned Idx = 0, Sz = B->size(); 184 for (; Idx < Sz; ++Idx) 185 if (auto StmtElem = (*B)[Idx].getAs<CFGStmt>()) 186 if (StmtElem->getStmt() == E) 187 break; 188 assert(Idx < Sz); 189 190 return ADC->getManager()->getStackFrame(ADC, LCtx, E, B, BlockCount, Idx); 191 } 192 193 const ParamVarRegion 194 *CallEvent::getParameterLocation(unsigned Index, unsigned BlockCount) const { 195 const StackFrameContext *SFC = getCalleeStackFrame(BlockCount); 196 // We cannot construct a VarRegion without a stack frame. 197 if (!SFC) 198 return nullptr; 199 200 const ParamVarRegion *PVR = 201 State->getStateManager().getRegionManager().getParamVarRegion( 202 getOriginExpr(), Index, SFC); 203 return PVR; 204 } 205 206 /// Returns true if a type is a pointer-to-const or reference-to-const 207 /// with no further indirection. 208 static bool isPointerToConst(QualType Ty) { 209 QualType PointeeTy = Ty->getPointeeType(); 210 if (PointeeTy == QualType()) 211 return false; 212 if (!PointeeTy.isConstQualified()) 213 return false; 214 if (PointeeTy->isAnyPointerType()) 215 return false; 216 return true; 217 } 218 219 // Try to retrieve the function declaration and find the function parameter 220 // types which are pointers/references to a non-pointer const. 221 // We will not invalidate the corresponding argument regions. 222 static void findPtrToConstParams(llvm::SmallSet<unsigned, 4> &PreserveArgs, 223 const CallEvent &Call) { 224 unsigned Idx = 0; 225 for (CallEvent::param_type_iterator I = Call.param_type_begin(), 226 E = Call.param_type_end(); 227 I != E; ++I, ++Idx) { 228 if (isPointerToConst(*I)) 229 PreserveArgs.insert(Idx); 230 } 231 } 232 233 ProgramStateRef CallEvent::invalidateRegions(unsigned BlockCount, 234 ProgramStateRef Orig) const { 235 ProgramStateRef Result = (Orig ? Orig : getState()); 236 237 // Don't invalidate anything if the callee is marked pure/const. 238 if (const Decl *callee = getDecl()) 239 if (callee->hasAttr<PureAttr>() || callee->hasAttr<ConstAttr>()) 240 return Result; 241 242 SmallVector<SVal, 8> ValuesToInvalidate; 243 RegionAndSymbolInvalidationTraits ETraits; 244 245 getExtraInvalidatedValues(ValuesToInvalidate, &ETraits); 246 247 // Indexes of arguments whose values will be preserved by the call. 248 llvm::SmallSet<unsigned, 4> PreserveArgs; 249 if (!argumentsMayEscape()) 250 findPtrToConstParams(PreserveArgs, *this); 251 252 for (unsigned Idx = 0, Count = getNumArgs(); Idx != Count; ++Idx) { 253 // Mark this region for invalidation. We batch invalidate regions 254 // below for efficiency. 255 if (PreserveArgs.count(Idx)) 256 if (const MemRegion *MR = getArgSVal(Idx).getAsRegion()) 257 ETraits.setTrait(MR->getBaseRegion(), 258 RegionAndSymbolInvalidationTraits::TK_PreserveContents); 259 // TODO: Factor this out + handle the lower level const pointers. 260 261 ValuesToInvalidate.push_back(getArgSVal(Idx)); 262 263 // If a function accepts an object by argument (which would of course be a 264 // temporary that isn't lifetime-extended), invalidate the object itself, 265 // not only other objects reachable from it. This is necessary because the 266 // destructor has access to the temporary object after the call. 267 // TODO: Support placement arguments once we start 268 // constructing them directly. 269 // TODO: This is unnecessary when there's no destructor, but that's 270 // currently hard to figure out. 271 if (getKind() != CE_CXXAllocator) 272 if (isArgumentConstructedDirectly(Idx)) 273 if (auto AdjIdx = getAdjustedParameterIndex(Idx)) 274 if (const TypedValueRegion *TVR = 275 getParameterLocation(*AdjIdx, BlockCount)) 276 ValuesToInvalidate.push_back(loc::MemRegionVal(TVR)); 277 } 278 279 // Invalidate designated regions using the batch invalidation API. 280 // NOTE: Even if RegionsToInvalidate is empty, we may still invalidate 281 // global variables. 282 return Result->invalidateRegions(ValuesToInvalidate, getOriginExpr(), 283 BlockCount, getLocationContext(), 284 /*CausedByPointerEscape*/ true, 285 /*Symbols=*/nullptr, this, &ETraits); 286 } 287 288 ProgramPoint CallEvent::getProgramPoint(bool IsPreVisit, 289 const ProgramPointTag *Tag) const { 290 291 if (const Expr *E = getOriginExpr()) { 292 if (IsPreVisit) 293 return PreStmt(E, getLocationContext(), Tag); 294 return PostStmt(E, getLocationContext(), Tag); 295 } 296 297 const Decl *D = getDecl(); 298 assert(D && "Cannot get a program point without a statement or decl"); 299 assert(ElemRef.getParent() && 300 "Cannot get a program point without a CFGElementRef"); 301 302 SourceLocation Loc = getSourceRange().getBegin(); 303 if (IsPreVisit) 304 return PreImplicitCall(D, Loc, getLocationContext(), ElemRef, Tag); 305 return PostImplicitCall(D, Loc, getLocationContext(), ElemRef, Tag); 306 } 307 308 SVal CallEvent::getArgSVal(unsigned Index) const { 309 const Expr *ArgE = getArgExpr(Index); 310 if (!ArgE) 311 return UnknownVal(); 312 return getSVal(ArgE); 313 } 314 315 SourceRange CallEvent::getArgSourceRange(unsigned Index) const { 316 const Expr *ArgE = getArgExpr(Index); 317 if (!ArgE) 318 return {}; 319 return ArgE->getSourceRange(); 320 } 321 322 SVal CallEvent::getReturnValue() const { 323 const Expr *E = getOriginExpr(); 324 if (!E) 325 return UndefinedVal(); 326 return getSVal(E); 327 } 328 329 LLVM_DUMP_METHOD void CallEvent::dump() const { dump(llvm::errs()); } 330 331 void CallEvent::dump(raw_ostream &Out) const { 332 ASTContext &Ctx = getState()->getStateManager().getContext(); 333 if (const Expr *E = getOriginExpr()) { 334 E->printPretty(Out, nullptr, Ctx.getPrintingPolicy()); 335 return; 336 } 337 338 if (const Decl *D = getDecl()) { 339 Out << "Call to "; 340 D->print(Out, Ctx.getPrintingPolicy()); 341 return; 342 } 343 344 Out << "Unknown call (type " << getKindAsString() << ")"; 345 } 346 347 bool CallEvent::isCallStmt(const Stmt *S) { 348 return isa<CallExpr, ObjCMessageExpr, CXXConstructExpr, CXXNewExpr>(S); 349 } 350 351 QualType CallEvent::getDeclaredResultType(const Decl *D) { 352 assert(D); 353 if (const auto *FD = dyn_cast<FunctionDecl>(D)) 354 return FD->getReturnType(); 355 if (const auto *MD = dyn_cast<ObjCMethodDecl>(D)) 356 return MD->getReturnType(); 357 if (const auto *BD = dyn_cast<BlockDecl>(D)) { 358 // Blocks are difficult because the return type may not be stored in the 359 // BlockDecl itself. The AST should probably be enhanced, but for now we 360 // just do what we can. 361 // If the block is declared without an explicit argument list, the 362 // signature-as-written just includes the return type, not the entire 363 // function type. 364 // FIXME: All blocks should have signatures-as-written, even if the return 365 // type is inferred. (That's signified with a dependent result type.) 366 if (const TypeSourceInfo *TSI = BD->getSignatureAsWritten()) { 367 QualType Ty = TSI->getType(); 368 if (const FunctionType *FT = Ty->getAs<FunctionType>()) 369 Ty = FT->getReturnType(); 370 if (!Ty->isDependentType()) 371 return Ty; 372 } 373 374 return {}; 375 } 376 377 llvm_unreachable("unknown callable kind"); 378 } 379 380 bool CallEvent::isVariadic(const Decl *D) { 381 assert(D); 382 383 if (const auto *FD = dyn_cast<FunctionDecl>(D)) 384 return FD->isVariadic(); 385 if (const auto *MD = dyn_cast<ObjCMethodDecl>(D)) 386 return MD->isVariadic(); 387 if (const auto *BD = dyn_cast<BlockDecl>(D)) 388 return BD->isVariadic(); 389 390 llvm_unreachable("unknown callable kind"); 391 } 392 393 static bool isTransparentUnion(QualType T) { 394 const RecordType *UT = T->getAsUnionType(); 395 return UT && UT->getDecl()->hasAttr<TransparentUnionAttr>(); 396 } 397 398 // In some cases, symbolic cases should be transformed before we associate 399 // them with parameters. This function incapsulates such cases. 400 static SVal processArgument(SVal Value, const Expr *ArgumentExpr, 401 const ParmVarDecl *Parameter, SValBuilder &SVB) { 402 QualType ParamType = Parameter->getType(); 403 QualType ArgumentType = ArgumentExpr->getType(); 404 405 // Transparent unions allow users to easily convert values of union field 406 // types into union-typed objects. 407 // 408 // Also, more importantly, they allow users to define functions with different 409 // different parameter types, substituting types matching transparent union 410 // field types with the union type itself. 411 // 412 // Here, we check specifically for latter cases and prevent binding 413 // field-typed values to union-typed regions. 414 if (isTransparentUnion(ParamType) && 415 // Let's check that we indeed trying to bind different types. 416 !isTransparentUnion(ArgumentType)) { 417 BasicValueFactory &BVF = SVB.getBasicValueFactory(); 418 419 llvm::ImmutableList<SVal> CompoundSVals = BVF.getEmptySValList(); 420 CompoundSVals = BVF.prependSVal(Value, CompoundSVals); 421 422 // Wrap it with compound value. 423 return SVB.makeCompoundVal(ParamType, CompoundSVals); 424 } 425 426 return Value; 427 } 428 429 /// Cast the argument value to the type of the parameter at the function 430 /// declaration. 431 /// Returns the argument value if it didn't need a cast. 432 /// Or returns the cast argument if it needed a cast. 433 /// Or returns 'Unknown' if it would need a cast but the callsite and the 434 /// runtime definition don't match in terms of argument and parameter count. 435 static SVal castArgToParamTypeIfNeeded(const CallEvent &Call, unsigned ArgIdx, 436 SVal ArgVal, SValBuilder &SVB) { 437 const FunctionDecl *RTDecl = 438 Call.getRuntimeDefinition().getDecl()->getAsFunction(); 439 const auto *CallExprDecl = dyn_cast_or_null<FunctionDecl>(Call.getDecl()); 440 441 if (!RTDecl || !CallExprDecl) 442 return ArgVal; 443 444 // The function decl of the Call (in the AST) will not have any parameter 445 // declarations, if it was 'only' declared without a prototype. However, the 446 // engine will find the appropriate runtime definition - basically a 447 // redeclaration, which has a function body (and a function prototype). 448 if (CallExprDecl->hasPrototype() || !RTDecl->hasPrototype()) 449 return ArgVal; 450 451 // Only do this cast if the number arguments at the callsite matches with 452 // the parameters at the runtime definition. 453 if (Call.getNumArgs() != RTDecl->getNumParams()) 454 return UnknownVal(); 455 456 const Expr *ArgExpr = Call.getArgExpr(ArgIdx); 457 const ParmVarDecl *Param = RTDecl->getParamDecl(ArgIdx); 458 return SVB.evalCast(ArgVal, Param->getType(), ArgExpr->getType()); 459 } 460 461 static void addParameterValuesToBindings(const StackFrameContext *CalleeCtx, 462 CallEvent::BindingsTy &Bindings, 463 SValBuilder &SVB, 464 const CallEvent &Call, 465 ArrayRef<ParmVarDecl*> parameters) { 466 MemRegionManager &MRMgr = SVB.getRegionManager(); 467 468 // If the function has fewer parameters than the call has arguments, we simply 469 // do not bind any values to them. 470 unsigned NumArgs = Call.getNumArgs(); 471 unsigned Idx = 0; 472 ArrayRef<ParmVarDecl*>::iterator I = parameters.begin(), E = parameters.end(); 473 for (; I != E && Idx < NumArgs; ++I, ++Idx) { 474 assert(*I && "Formal parameter has no decl?"); 475 476 // TODO: Support allocator calls. 477 if (Call.getKind() != CE_CXXAllocator) 478 if (Call.isArgumentConstructedDirectly(Call.getASTArgumentIndex(Idx))) 479 continue; 480 481 // TODO: Allocators should receive the correct size and possibly alignment, 482 // determined in compile-time but not represented as arg-expressions, 483 // which makes getArgSVal() fail and return UnknownVal. 484 SVal ArgVal = Call.getArgSVal(Idx); 485 const Expr *ArgExpr = Call.getArgExpr(Idx); 486 487 if (ArgVal.isUnknown()) 488 continue; 489 490 // Cast the argument value to match the type of the parameter in some 491 // edge-cases. 492 ArgVal = castArgToParamTypeIfNeeded(Call, Idx, ArgVal, SVB); 493 494 Loc ParamLoc = SVB.makeLoc( 495 MRMgr.getParamVarRegion(Call.getOriginExpr(), Idx, CalleeCtx)); 496 Bindings.push_back( 497 std::make_pair(ParamLoc, processArgument(ArgVal, ArgExpr, *I, SVB))); 498 } 499 500 // FIXME: Variadic arguments are not handled at all right now. 501 } 502 503 const ConstructionContext *CallEvent::getConstructionContext() const { 504 const StackFrameContext *StackFrame = getCalleeStackFrame(0); 505 if (!StackFrame) 506 return nullptr; 507 508 const CFGElement Element = StackFrame->getCallSiteCFGElement(); 509 if (const auto Ctor = Element.getAs<CFGConstructor>()) { 510 return Ctor->getConstructionContext(); 511 } 512 513 if (const auto RecCall = Element.getAs<CFGCXXRecordTypedCall>()) { 514 return RecCall->getConstructionContext(); 515 } 516 517 return nullptr; 518 } 519 520 const CallEventRef<> CallEvent::getCaller() const { 521 const auto *CallLocationContext = this->getLocationContext(); 522 if (!CallLocationContext || CallLocationContext->inTopFrame()) 523 return nullptr; 524 525 const auto *CallStackFrameContext = CallLocationContext->getStackFrame(); 526 if (!CallStackFrameContext) 527 return nullptr; 528 529 CallEventManager &CEMgr = State->getStateManager().getCallEventManager(); 530 return CEMgr.getCaller(CallStackFrameContext, State); 531 } 532 533 bool CallEvent::isCalledFromSystemHeader() const { 534 if (const CallEventRef<> Caller = getCaller()) 535 return Caller->isInSystemHeader(); 536 537 return false; 538 } 539 540 std::optional<SVal> CallEvent::getReturnValueUnderConstruction() const { 541 const auto *CC = getConstructionContext(); 542 if (!CC) 543 return std::nullopt; 544 545 EvalCallOptions CallOpts; 546 ExprEngine &Engine = getState()->getStateManager().getOwningEngine(); 547 SVal RetVal = Engine.computeObjectUnderConstruction( 548 getOriginExpr(), getState(), &Engine.getBuilderContext(), 549 getLocationContext(), CC, CallOpts); 550 return RetVal; 551 } 552 553 ArrayRef<ParmVarDecl*> AnyFunctionCall::parameters() const { 554 const FunctionDecl *D = getDecl(); 555 if (!D) 556 return std::nullopt; 557 return D->parameters(); 558 } 559 560 RuntimeDefinition AnyFunctionCall::getRuntimeDefinition() const { 561 const FunctionDecl *FD = getDecl(); 562 if (!FD) 563 return {}; 564 565 // Note that the AnalysisDeclContext will have the FunctionDecl with 566 // the definition (if one exists). 567 AnalysisDeclContext *AD = 568 getLocationContext()->getAnalysisDeclContext()-> 569 getManager()->getContext(FD); 570 bool IsAutosynthesized; 571 Stmt* Body = AD->getBody(IsAutosynthesized); 572 LLVM_DEBUG({ 573 if (IsAutosynthesized) 574 llvm::dbgs() << "Using autosynthesized body for " << FD->getName() 575 << "\n"; 576 }); 577 578 ExprEngine &Engine = getState()->getStateManager().getOwningEngine(); 579 cross_tu::CrossTranslationUnitContext &CTUCtx = 580 *Engine.getCrossTranslationUnitContext(); 581 582 AnalyzerOptions &Opts = Engine.getAnalysisManager().options; 583 584 if (Body) { 585 const Decl* Decl = AD->getDecl(); 586 if (Opts.IsNaiveCTUEnabled && CTUCtx.isImportedAsNew(Decl)) { 587 // A newly created definition, but we had error(s) during the import. 588 if (CTUCtx.hasError(Decl)) 589 return {}; 590 return RuntimeDefinition(Decl, /*Foreign=*/true); 591 } 592 return RuntimeDefinition(Decl, /*Foreign=*/false); 593 } 594 595 // Try to get CTU definition only if CTUDir is provided. 596 if (!Opts.IsNaiveCTUEnabled) 597 return {}; 598 599 llvm::Expected<const FunctionDecl *> CTUDeclOrError = 600 CTUCtx.getCrossTUDefinition(FD, Opts.CTUDir, Opts.CTUIndexName, 601 Opts.DisplayCTUProgress); 602 603 if (!CTUDeclOrError) { 604 handleAllErrors(CTUDeclOrError.takeError(), 605 [&](const cross_tu::IndexError &IE) { 606 CTUCtx.emitCrossTUDiagnostics(IE); 607 }); 608 return {}; 609 } 610 611 return RuntimeDefinition(*CTUDeclOrError, /*Foreign=*/true); 612 } 613 614 void AnyFunctionCall::getInitialStackFrameContents( 615 const StackFrameContext *CalleeCtx, 616 BindingsTy &Bindings) const { 617 const auto *D = cast<FunctionDecl>(CalleeCtx->getDecl()); 618 SValBuilder &SVB = getState()->getStateManager().getSValBuilder(); 619 addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this, 620 D->parameters()); 621 } 622 623 bool AnyFunctionCall::argumentsMayEscape() const { 624 if (CallEvent::argumentsMayEscape() || hasVoidPointerToNonConstArg()) 625 return true; 626 627 const FunctionDecl *D = getDecl(); 628 if (!D) 629 return true; 630 631 const IdentifierInfo *II = D->getIdentifier(); 632 if (!II) 633 return false; 634 635 // This set of "escaping" APIs is 636 637 // - 'int pthread_setspecific(ptheread_key k, const void *)' stores a 638 // value into thread local storage. The value can later be retrieved with 639 // 'void *ptheread_getspecific(pthread_key)'. So even thought the 640 // parameter is 'const void *', the region escapes through the call. 641 if (II->isStr("pthread_setspecific")) 642 return true; 643 644 // - xpc_connection_set_context stores a value which can be retrieved later 645 // with xpc_connection_get_context. 646 if (II->isStr("xpc_connection_set_context")) 647 return true; 648 649 // - funopen - sets a buffer for future IO calls. 650 if (II->isStr("funopen")) 651 return true; 652 653 // - __cxa_demangle - can reallocate memory and can return the pointer to 654 // the input buffer. 655 if (II->isStr("__cxa_demangle")) 656 return true; 657 658 StringRef FName = II->getName(); 659 660 // - CoreFoundation functions that end with "NoCopy" can free a passed-in 661 // buffer even if it is const. 662 if (FName.ends_with("NoCopy")) 663 return true; 664 665 // - NSXXInsertXX, for example NSMapInsertIfAbsent, since they can 666 // be deallocated by NSMapRemove. 667 if (FName.starts_with("NS") && FName.contains("Insert")) 668 return true; 669 670 // - Many CF containers allow objects to escape through custom 671 // allocators/deallocators upon container construction. (PR12101) 672 if (FName.starts_with("CF") || FName.starts_with("CG")) { 673 return StrInStrNoCase(FName, "InsertValue") != StringRef::npos || 674 StrInStrNoCase(FName, "AddValue") != StringRef::npos || 675 StrInStrNoCase(FName, "SetValue") != StringRef::npos || 676 StrInStrNoCase(FName, "WithData") != StringRef::npos || 677 StrInStrNoCase(FName, "AppendValue") != StringRef::npos || 678 StrInStrNoCase(FName, "SetAttribute") != StringRef::npos; 679 } 680 681 return false; 682 } 683 684 const FunctionDecl *SimpleFunctionCall::getDecl() const { 685 const FunctionDecl *D = getOriginExpr()->getDirectCallee(); 686 if (D) 687 return D; 688 689 return getSVal(getOriginExpr()->getCallee()).getAsFunctionDecl(); 690 } 691 692 const FunctionDecl *CXXInstanceCall::getDecl() const { 693 const auto *CE = cast_or_null<CallExpr>(getOriginExpr()); 694 if (!CE) 695 return AnyFunctionCall::getDecl(); 696 697 const FunctionDecl *D = CE->getDirectCallee(); 698 if (D) 699 return D; 700 701 return getSVal(CE->getCallee()).getAsFunctionDecl(); 702 } 703 704 void CXXInstanceCall::getExtraInvalidatedValues( 705 ValueList &Values, RegionAndSymbolInvalidationTraits *ETraits) const { 706 SVal ThisVal = getCXXThisVal(); 707 Values.push_back(ThisVal); 708 709 // Don't invalidate if the method is const and there are no mutable fields. 710 if (const auto *D = cast_or_null<CXXMethodDecl>(getDecl())) { 711 if (!D->isConst()) 712 return; 713 // Get the record decl for the class of 'This'. D->getParent() may return a 714 // base class decl, rather than the class of the instance which needs to be 715 // checked for mutable fields. 716 // TODO: We might as well look at the dynamic type of the object. 717 const Expr *Ex = getCXXThisExpr()->IgnoreParenBaseCasts(); 718 QualType T = Ex->getType(); 719 if (T->isPointerType()) // Arrow or implicit-this syntax? 720 T = T->getPointeeType(); 721 const CXXRecordDecl *ParentRecord = T->getAsCXXRecordDecl(); 722 assert(ParentRecord); 723 if (ParentRecord->hasMutableFields()) 724 return; 725 // Preserve CXXThis. 726 const MemRegion *ThisRegion = ThisVal.getAsRegion(); 727 if (!ThisRegion) 728 return; 729 730 ETraits->setTrait(ThisRegion->getBaseRegion(), 731 RegionAndSymbolInvalidationTraits::TK_PreserveContents); 732 } 733 } 734 735 SVal CXXInstanceCall::getCXXThisVal() const { 736 const Expr *Base = getCXXThisExpr(); 737 // FIXME: This doesn't handle an overloaded ->* operator. 738 SVal ThisVal = Base ? getSVal(Base) : UnknownVal(); 739 740 if (isa<NonLoc>(ThisVal)) { 741 SValBuilder &SVB = getState()->getStateManager().getSValBuilder(); 742 QualType OriginalTy = ThisVal.getType(SVB.getContext()); 743 return SVB.evalCast(ThisVal, Base->getType(), OriginalTy); 744 } 745 746 assert(ThisVal.isUnknownOrUndef() || isa<Loc>(ThisVal)); 747 return ThisVal; 748 } 749 750 RuntimeDefinition CXXInstanceCall::getRuntimeDefinition() const { 751 // Do we have a decl at all? 752 const Decl *D = getDecl(); 753 if (!D) 754 return {}; 755 756 // If the method is non-virtual, we know we can inline it. 757 const auto *MD = cast<CXXMethodDecl>(D); 758 if (!MD->isVirtual()) 759 return AnyFunctionCall::getRuntimeDefinition(); 760 761 // Do we know the implicit 'this' object being called? 762 const MemRegion *R = getCXXThisVal().getAsRegion(); 763 if (!R) 764 return {}; 765 766 // Do we know anything about the type of 'this'? 767 DynamicTypeInfo DynType = getDynamicTypeInfo(getState(), R); 768 if (!DynType.isValid()) 769 return {}; 770 771 // Is the type a C++ class? (This is mostly a defensive check.) 772 QualType RegionType = DynType.getType()->getPointeeType(); 773 assert(!RegionType.isNull() && "DynamicTypeInfo should always be a pointer."); 774 775 const CXXRecordDecl *RD = RegionType->getAsCXXRecordDecl(); 776 if (!RD || !RD->hasDefinition()) 777 return {}; 778 779 // Find the decl for this method in that class. 780 const CXXMethodDecl *Result = MD->getCorrespondingMethodInClass(RD, true); 781 if (!Result) { 782 // We might not even get the original statically-resolved method due to 783 // some particularly nasty casting (e.g. casts to sister classes). 784 // However, we should at least be able to search up and down our own class 785 // hierarchy, and some real bugs have been caught by checking this. 786 assert(!RD->isDerivedFrom(MD->getParent()) && "Couldn't find known method"); 787 788 // FIXME: This is checking that our DynamicTypeInfo is at least as good as 789 // the static type. However, because we currently don't update 790 // DynamicTypeInfo when an object is cast, we can't actually be sure the 791 // DynamicTypeInfo is up to date. This assert should be re-enabled once 792 // this is fixed. 793 // 794 // assert(!MD->getParent()->isDerivedFrom(RD) && "Bad DynamicTypeInfo"); 795 796 return {}; 797 } 798 799 // Does the decl that we found have an implementation? 800 const FunctionDecl *Definition; 801 if (!Result->hasBody(Definition)) { 802 if (!DynType.canBeASubClass()) 803 return AnyFunctionCall::getRuntimeDefinition(); 804 return {}; 805 } 806 807 // We found a definition. If we're not sure that this devirtualization is 808 // actually what will happen at runtime, make sure to provide the region so 809 // that ExprEngine can decide what to do with it. 810 if (DynType.canBeASubClass()) 811 return RuntimeDefinition(Definition, R->StripCasts()); 812 return RuntimeDefinition(Definition, /*DispatchRegion=*/nullptr); 813 } 814 815 void CXXInstanceCall::getInitialStackFrameContents( 816 const StackFrameContext *CalleeCtx, 817 BindingsTy &Bindings) const { 818 AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings); 819 820 // Handle the binding of 'this' in the new stack frame. 821 SVal ThisVal = getCXXThisVal(); 822 if (!ThisVal.isUnknown()) { 823 ProgramStateManager &StateMgr = getState()->getStateManager(); 824 SValBuilder &SVB = StateMgr.getSValBuilder(); 825 826 const auto *MD = cast<CXXMethodDecl>(CalleeCtx->getDecl()); 827 Loc ThisLoc = SVB.getCXXThis(MD, CalleeCtx); 828 829 // If we devirtualized to a different member function, we need to make sure 830 // we have the proper layering of CXXBaseObjectRegions. 831 if (MD->getCanonicalDecl() != getDecl()->getCanonicalDecl()) { 832 ASTContext &Ctx = SVB.getContext(); 833 const CXXRecordDecl *Class = MD->getParent(); 834 QualType Ty = Ctx.getPointerType(Ctx.getRecordType(Class)); 835 836 // FIXME: CallEvent maybe shouldn't be directly accessing StoreManager. 837 std::optional<SVal> V = 838 StateMgr.getStoreManager().evalBaseToDerived(ThisVal, Ty); 839 if (!V) { 840 // We might have suffered some sort of placement new earlier, so 841 // we're constructing in a completely unexpected storage. 842 // Fall back to a generic pointer cast for this-value. 843 const CXXMethodDecl *StaticMD = cast<CXXMethodDecl>(getDecl()); 844 const CXXRecordDecl *StaticClass = StaticMD->getParent(); 845 QualType StaticTy = Ctx.getPointerType(Ctx.getRecordType(StaticClass)); 846 ThisVal = SVB.evalCast(ThisVal, Ty, StaticTy); 847 } else 848 ThisVal = *V; 849 } 850 851 if (!ThisVal.isUnknown()) 852 Bindings.push_back(std::make_pair(ThisLoc, ThisVal)); 853 } 854 } 855 856 const Expr *CXXMemberCall::getCXXThisExpr() const { 857 return getOriginExpr()->getImplicitObjectArgument(); 858 } 859 860 RuntimeDefinition CXXMemberCall::getRuntimeDefinition() const { 861 // C++11 [expr.call]p1: ...If the selected function is non-virtual, or if the 862 // id-expression in the class member access expression is a qualified-id, 863 // that function is called. Otherwise, its final overrider in the dynamic type 864 // of the object expression is called. 865 if (const auto *ME = dyn_cast<MemberExpr>(getOriginExpr()->getCallee())) 866 if (ME->hasQualifier()) 867 return AnyFunctionCall::getRuntimeDefinition(); 868 869 return CXXInstanceCall::getRuntimeDefinition(); 870 } 871 872 const Expr *CXXMemberOperatorCall::getCXXThisExpr() const { 873 return getOriginExpr()->getArg(0); 874 } 875 876 const BlockDataRegion *BlockCall::getBlockRegion() const { 877 const Expr *Callee = getOriginExpr()->getCallee(); 878 const MemRegion *DataReg = getSVal(Callee).getAsRegion(); 879 880 return dyn_cast_or_null<BlockDataRegion>(DataReg); 881 } 882 883 ArrayRef<ParmVarDecl*> BlockCall::parameters() const { 884 const BlockDecl *D = getDecl(); 885 if (!D) 886 return std::nullopt; 887 return D->parameters(); 888 } 889 890 void BlockCall::getExtraInvalidatedValues(ValueList &Values, 891 RegionAndSymbolInvalidationTraits *ETraits) const { 892 // FIXME: This also needs to invalidate captured globals. 893 if (const MemRegion *R = getBlockRegion()) 894 Values.push_back(loc::MemRegionVal(R)); 895 } 896 897 void BlockCall::getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 898 BindingsTy &Bindings) const { 899 SValBuilder &SVB = getState()->getStateManager().getSValBuilder(); 900 ArrayRef<ParmVarDecl*> Params; 901 if (isConversionFromLambda()) { 902 auto *LambdaOperatorDecl = cast<CXXMethodDecl>(CalleeCtx->getDecl()); 903 Params = LambdaOperatorDecl->parameters(); 904 905 // For blocks converted from a C++ lambda, the callee declaration is the 906 // operator() method on the lambda so we bind "this" to 907 // the lambda captured by the block. 908 const VarRegion *CapturedLambdaRegion = getRegionStoringCapturedLambda(); 909 SVal ThisVal = loc::MemRegionVal(CapturedLambdaRegion); 910 Loc ThisLoc = SVB.getCXXThis(LambdaOperatorDecl, CalleeCtx); 911 Bindings.push_back(std::make_pair(ThisLoc, ThisVal)); 912 } else { 913 Params = cast<BlockDecl>(CalleeCtx->getDecl())->parameters(); 914 } 915 916 addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this, 917 Params); 918 } 919 920 SVal AnyCXXConstructorCall::getCXXThisVal() const { 921 if (Data) 922 return loc::MemRegionVal(static_cast<const MemRegion *>(Data)); 923 return UnknownVal(); 924 } 925 926 void AnyCXXConstructorCall::getExtraInvalidatedValues(ValueList &Values, 927 RegionAndSymbolInvalidationTraits *ETraits) const { 928 SVal V = getCXXThisVal(); 929 if (SymbolRef Sym = V.getAsSymbol(true)) 930 ETraits->setTrait(Sym, 931 RegionAndSymbolInvalidationTraits::TK_SuppressEscape); 932 Values.push_back(V); 933 } 934 935 void AnyCXXConstructorCall::getInitialStackFrameContents( 936 const StackFrameContext *CalleeCtx, 937 BindingsTy &Bindings) const { 938 AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings); 939 940 SVal ThisVal = getCXXThisVal(); 941 if (!ThisVal.isUnknown()) { 942 SValBuilder &SVB = getState()->getStateManager().getSValBuilder(); 943 const auto *MD = cast<CXXMethodDecl>(CalleeCtx->getDecl()); 944 Loc ThisLoc = SVB.getCXXThis(MD, CalleeCtx); 945 Bindings.push_back(std::make_pair(ThisLoc, ThisVal)); 946 } 947 } 948 949 const StackFrameContext * 950 CXXInheritedConstructorCall::getInheritingStackFrame() const { 951 const StackFrameContext *SFC = getLocationContext()->getStackFrame(); 952 while (isa<CXXInheritedCtorInitExpr>(SFC->getCallSite())) 953 SFC = SFC->getParent()->getStackFrame(); 954 return SFC; 955 } 956 957 SVal CXXDestructorCall::getCXXThisVal() const { 958 if (Data) 959 return loc::MemRegionVal(DtorDataTy::getFromOpaqueValue(Data).getPointer()); 960 return UnknownVal(); 961 } 962 963 RuntimeDefinition CXXDestructorCall::getRuntimeDefinition() const { 964 // Base destructors are always called non-virtually. 965 // Skip CXXInstanceCall's devirtualization logic in this case. 966 if (isBaseDestructor()) 967 return AnyFunctionCall::getRuntimeDefinition(); 968 969 return CXXInstanceCall::getRuntimeDefinition(); 970 } 971 972 ArrayRef<ParmVarDecl*> ObjCMethodCall::parameters() const { 973 const ObjCMethodDecl *D = getDecl(); 974 if (!D) 975 return std::nullopt; 976 return D->parameters(); 977 } 978 979 void ObjCMethodCall::getExtraInvalidatedValues( 980 ValueList &Values, RegionAndSymbolInvalidationTraits *ETraits) const { 981 982 // If the method call is a setter for property known to be backed by 983 // an instance variable, don't invalidate the entire receiver, just 984 // the storage for that instance variable. 985 if (const ObjCPropertyDecl *PropDecl = getAccessedProperty()) { 986 if (const ObjCIvarDecl *PropIvar = PropDecl->getPropertyIvarDecl()) { 987 SVal IvarLVal = getState()->getLValue(PropIvar, getReceiverSVal()); 988 if (const MemRegion *IvarRegion = IvarLVal.getAsRegion()) { 989 ETraits->setTrait( 990 IvarRegion, 991 RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion); 992 ETraits->setTrait( 993 IvarRegion, 994 RegionAndSymbolInvalidationTraits::TK_SuppressEscape); 995 Values.push_back(IvarLVal); 996 } 997 return; 998 } 999 } 1000 1001 Values.push_back(getReceiverSVal()); 1002 } 1003 1004 SVal ObjCMethodCall::getReceiverSVal() const { 1005 // FIXME: Is this the best way to handle class receivers? 1006 if (!isInstanceMessage()) 1007 return UnknownVal(); 1008 1009 if (const Expr *RecE = getOriginExpr()->getInstanceReceiver()) 1010 return getSVal(RecE); 1011 1012 // An instance message with no expression means we are sending to super. 1013 // In this case the object reference is the same as 'self'. 1014 assert(getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance); 1015 SVal SelfVal = getState()->getSelfSVal(getLocationContext()); 1016 assert(SelfVal.isValid() && "Calling super but not in ObjC method"); 1017 return SelfVal; 1018 } 1019 1020 bool ObjCMethodCall::isReceiverSelfOrSuper() const { 1021 if (getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance || 1022 getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperClass) 1023 return true; 1024 1025 if (!isInstanceMessage()) 1026 return false; 1027 1028 SVal RecVal = getSVal(getOriginExpr()->getInstanceReceiver()); 1029 SVal SelfVal = getState()->getSelfSVal(getLocationContext()); 1030 1031 return (RecVal == SelfVal); 1032 } 1033 1034 SourceRange ObjCMethodCall::getSourceRange() const { 1035 switch (getMessageKind()) { 1036 case OCM_Message: 1037 return getOriginExpr()->getSourceRange(); 1038 case OCM_PropertyAccess: 1039 case OCM_Subscript: 1040 return getContainingPseudoObjectExpr()->getSourceRange(); 1041 } 1042 llvm_unreachable("unknown message kind"); 1043 } 1044 1045 using ObjCMessageDataTy = llvm::PointerIntPair<const PseudoObjectExpr *, 2>; 1046 1047 const PseudoObjectExpr *ObjCMethodCall::getContainingPseudoObjectExpr() const { 1048 assert(Data && "Lazy lookup not yet performed."); 1049 assert(getMessageKind() != OCM_Message && "Explicit message send."); 1050 return ObjCMessageDataTy::getFromOpaqueValue(Data).getPointer(); 1051 } 1052 1053 static const Expr * 1054 getSyntacticFromForPseudoObjectExpr(const PseudoObjectExpr *POE) { 1055 const Expr *Syntactic = POE->getSyntacticForm()->IgnoreParens(); 1056 1057 // This handles the funny case of assigning to the result of a getter. 1058 // This can happen if the getter returns a non-const reference. 1059 if (const auto *BO = dyn_cast<BinaryOperator>(Syntactic)) 1060 Syntactic = BO->getLHS()->IgnoreParens(); 1061 1062 return Syntactic; 1063 } 1064 1065 ObjCMessageKind ObjCMethodCall::getMessageKind() const { 1066 if (!Data) { 1067 // Find the parent, ignoring implicit casts. 1068 const ParentMap &PM = getLocationContext()->getParentMap(); 1069 const Stmt *S = PM.getParentIgnoreParenCasts(getOriginExpr()); 1070 1071 // Check if parent is a PseudoObjectExpr. 1072 if (const auto *POE = dyn_cast_or_null<PseudoObjectExpr>(S)) { 1073 const Expr *Syntactic = getSyntacticFromForPseudoObjectExpr(POE); 1074 1075 ObjCMessageKind K; 1076 switch (Syntactic->getStmtClass()) { 1077 case Stmt::ObjCPropertyRefExprClass: 1078 K = OCM_PropertyAccess; 1079 break; 1080 case Stmt::ObjCSubscriptRefExprClass: 1081 K = OCM_Subscript; 1082 break; 1083 default: 1084 // FIXME: Can this ever happen? 1085 K = OCM_Message; 1086 break; 1087 } 1088 1089 if (K != OCM_Message) { 1090 const_cast<ObjCMethodCall *>(this)->Data 1091 = ObjCMessageDataTy(POE, K).getOpaqueValue(); 1092 assert(getMessageKind() == K); 1093 return K; 1094 } 1095 } 1096 1097 const_cast<ObjCMethodCall *>(this)->Data 1098 = ObjCMessageDataTy(nullptr, 1).getOpaqueValue(); 1099 assert(getMessageKind() == OCM_Message); 1100 return OCM_Message; 1101 } 1102 1103 ObjCMessageDataTy Info = ObjCMessageDataTy::getFromOpaqueValue(Data); 1104 if (!Info.getPointer()) 1105 return OCM_Message; 1106 return static_cast<ObjCMessageKind>(Info.getInt()); 1107 } 1108 1109 const ObjCPropertyDecl *ObjCMethodCall::getAccessedProperty() const { 1110 // Look for properties accessed with property syntax (foo.bar = ...) 1111 if (getMessageKind() == OCM_PropertyAccess) { 1112 const PseudoObjectExpr *POE = getContainingPseudoObjectExpr(); 1113 assert(POE && "Property access without PseudoObjectExpr?"); 1114 1115 const Expr *Syntactic = getSyntacticFromForPseudoObjectExpr(POE); 1116 auto *RefExpr = cast<ObjCPropertyRefExpr>(Syntactic); 1117 1118 if (RefExpr->isExplicitProperty()) 1119 return RefExpr->getExplicitProperty(); 1120 } 1121 1122 // Look for properties accessed with method syntax ([foo setBar:...]). 1123 const ObjCMethodDecl *MD = getDecl(); 1124 if (!MD || !MD->isPropertyAccessor()) 1125 return nullptr; 1126 1127 // Note: This is potentially quite slow. 1128 return MD->findPropertyDecl(); 1129 } 1130 1131 bool ObjCMethodCall::canBeOverridenInSubclass(ObjCInterfaceDecl *IDecl, 1132 Selector Sel) const { 1133 assert(IDecl); 1134 AnalysisManager &AMgr = 1135 getState()->getStateManager().getOwningEngine().getAnalysisManager(); 1136 // If the class interface is declared inside the main file, assume it is not 1137 // subcassed. 1138 // TODO: It could actually be subclassed if the subclass is private as well. 1139 // This is probably very rare. 1140 SourceLocation InterfLoc = IDecl->getEndOfDefinitionLoc(); 1141 if (InterfLoc.isValid() && AMgr.isInCodeFile(InterfLoc)) 1142 return false; 1143 1144 // Assume that property accessors are not overridden. 1145 if (getMessageKind() == OCM_PropertyAccess) 1146 return false; 1147 1148 // We assume that if the method is public (declared outside of main file) or 1149 // has a parent which publicly declares the method, the method could be 1150 // overridden in a subclass. 1151 1152 // Find the first declaration in the class hierarchy that declares 1153 // the selector. 1154 ObjCMethodDecl *D = nullptr; 1155 while (true) { 1156 D = IDecl->lookupMethod(Sel, true); 1157 1158 // Cannot find a public definition. 1159 if (!D) 1160 return false; 1161 1162 // If outside the main file, 1163 if (D->getLocation().isValid() && !AMgr.isInCodeFile(D->getLocation())) 1164 return true; 1165 1166 if (D->isOverriding()) { 1167 // Search in the superclass on the next iteration. 1168 IDecl = D->getClassInterface(); 1169 if (!IDecl) 1170 return false; 1171 1172 IDecl = IDecl->getSuperClass(); 1173 if (!IDecl) 1174 return false; 1175 1176 continue; 1177 } 1178 1179 return false; 1180 }; 1181 1182 llvm_unreachable("The while loop should always terminate."); 1183 } 1184 1185 static const ObjCMethodDecl *findDefiningRedecl(const ObjCMethodDecl *MD) { 1186 if (!MD) 1187 return MD; 1188 1189 // Find the redeclaration that defines the method. 1190 if (!MD->hasBody()) { 1191 for (auto *I : MD->redecls()) 1192 if (I->hasBody()) 1193 MD = cast<ObjCMethodDecl>(I); 1194 } 1195 return MD; 1196 } 1197 1198 struct PrivateMethodKey { 1199 const ObjCInterfaceDecl *Interface; 1200 Selector LookupSelector; 1201 bool IsClassMethod; 1202 }; 1203 1204 namespace llvm { 1205 template <> struct DenseMapInfo<PrivateMethodKey> { 1206 using InterfaceInfo = DenseMapInfo<const ObjCInterfaceDecl *>; 1207 using SelectorInfo = DenseMapInfo<Selector>; 1208 1209 static inline PrivateMethodKey getEmptyKey() { 1210 return {InterfaceInfo::getEmptyKey(), SelectorInfo::getEmptyKey(), false}; 1211 } 1212 1213 static inline PrivateMethodKey getTombstoneKey() { 1214 return {InterfaceInfo::getTombstoneKey(), SelectorInfo::getTombstoneKey(), 1215 true}; 1216 } 1217 1218 static unsigned getHashValue(const PrivateMethodKey &Key) { 1219 return llvm::hash_combine( 1220 llvm::hash_code(InterfaceInfo::getHashValue(Key.Interface)), 1221 llvm::hash_code(SelectorInfo::getHashValue(Key.LookupSelector)), 1222 Key.IsClassMethod); 1223 } 1224 1225 static bool isEqual(const PrivateMethodKey &LHS, 1226 const PrivateMethodKey &RHS) { 1227 return InterfaceInfo::isEqual(LHS.Interface, RHS.Interface) && 1228 SelectorInfo::isEqual(LHS.LookupSelector, RHS.LookupSelector) && 1229 LHS.IsClassMethod == RHS.IsClassMethod; 1230 } 1231 }; 1232 } // end namespace llvm 1233 1234 static const ObjCMethodDecl * 1235 lookupRuntimeDefinition(const ObjCInterfaceDecl *Interface, 1236 Selector LookupSelector, bool InstanceMethod) { 1237 // Repeatedly calling lookupPrivateMethod() is expensive, especially 1238 // when in many cases it returns null. We cache the results so 1239 // that repeated queries on the same ObjCIntefaceDecl and Selector 1240 // don't incur the same cost. On some test cases, we can see the 1241 // same query being issued thousands of times. 1242 // 1243 // NOTE: This cache is essentially a "global" variable, but it 1244 // only gets lazily created when we get here. The value of the 1245 // cache probably comes from it being global across ExprEngines, 1246 // where the same queries may get issued. If we are worried about 1247 // concurrency, or possibly loading/unloading ASTs, etc., we may 1248 // need to revisit this someday. In terms of memory, this table 1249 // stays around until clang quits, which also may be bad if we 1250 // need to release memory. 1251 using PrivateMethodCache = 1252 llvm::DenseMap<PrivateMethodKey, std::optional<const ObjCMethodDecl *>>; 1253 1254 static PrivateMethodCache PMC; 1255 std::optional<const ObjCMethodDecl *> &Val = 1256 PMC[{Interface, LookupSelector, InstanceMethod}]; 1257 1258 // Query lookupPrivateMethod() if the cache does not hit. 1259 if (!Val) { 1260 Val = Interface->lookupPrivateMethod(LookupSelector, InstanceMethod); 1261 1262 if (!*Val) { 1263 // Query 'lookupMethod' as a backup. 1264 Val = Interface->lookupMethod(LookupSelector, InstanceMethod); 1265 } 1266 } 1267 1268 return *Val; 1269 } 1270 1271 RuntimeDefinition ObjCMethodCall::getRuntimeDefinition() const { 1272 const ObjCMessageExpr *E = getOriginExpr(); 1273 assert(E); 1274 Selector Sel = E->getSelector(); 1275 1276 if (E->isInstanceMessage()) { 1277 // Find the receiver type. 1278 const ObjCObjectType *ReceiverT = nullptr; 1279 bool CanBeSubClassed = false; 1280 bool LookingForInstanceMethod = true; 1281 QualType SupersType = E->getSuperType(); 1282 const MemRegion *Receiver = nullptr; 1283 1284 if (!SupersType.isNull()) { 1285 // The receiver is guaranteed to be 'super' in this case. 1286 // Super always means the type of immediate predecessor to the method 1287 // where the call occurs. 1288 ReceiverT = cast<ObjCObjectPointerType>(SupersType)->getObjectType(); 1289 } else { 1290 Receiver = getReceiverSVal().getAsRegion(); 1291 if (!Receiver) 1292 return {}; 1293 1294 DynamicTypeInfo DTI = getDynamicTypeInfo(getState(), Receiver); 1295 if (!DTI.isValid()) { 1296 assert(isa<AllocaRegion>(Receiver) && 1297 "Unhandled untyped region class!"); 1298 return {}; 1299 } 1300 1301 QualType DynType = DTI.getType(); 1302 CanBeSubClassed = DTI.canBeASubClass(); 1303 1304 const auto *ReceiverDynT = 1305 dyn_cast<ObjCObjectPointerType>(DynType.getCanonicalType()); 1306 1307 if (ReceiverDynT) { 1308 ReceiverT = ReceiverDynT->getObjectType(); 1309 1310 // It can be actually class methods called with Class object as a 1311 // receiver. This type of messages is treated by the compiler as 1312 // instance (not class). 1313 if (ReceiverT->isObjCClass()) { 1314 1315 SVal SelfVal = getState()->getSelfSVal(getLocationContext()); 1316 // For [self classMethod], return compiler visible declaration. 1317 if (Receiver == SelfVal.getAsRegion()) { 1318 return RuntimeDefinition(findDefiningRedecl(E->getMethodDecl())); 1319 } 1320 1321 // Otherwise, let's check if we know something about the type 1322 // inside of this class object. 1323 if (SymbolRef ReceiverSym = getReceiverSVal().getAsSymbol()) { 1324 DynamicTypeInfo DTI = 1325 getClassObjectDynamicTypeInfo(getState(), ReceiverSym); 1326 if (DTI.isValid()) { 1327 // Let's use this type for lookup. 1328 ReceiverT = 1329 cast<ObjCObjectType>(DTI.getType().getCanonicalType()); 1330 1331 CanBeSubClassed = DTI.canBeASubClass(); 1332 // And it should be a class method instead. 1333 LookingForInstanceMethod = false; 1334 } 1335 } 1336 } 1337 1338 if (CanBeSubClassed) 1339 if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterface()) 1340 // Even if `DynamicTypeInfo` told us that it can be 1341 // not necessarily this type, but its descendants, we still want 1342 // to check again if this selector can be actually overridden. 1343 CanBeSubClassed = canBeOverridenInSubclass(IDecl, Sel); 1344 } 1345 } 1346 1347 // Lookup the instance method implementation. 1348 if (ReceiverT) 1349 if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterface()) { 1350 const ObjCMethodDecl *MD = 1351 lookupRuntimeDefinition(IDecl, Sel, LookingForInstanceMethod); 1352 1353 if (MD && !MD->hasBody()) 1354 MD = MD->getCanonicalDecl(); 1355 1356 if (CanBeSubClassed) 1357 return RuntimeDefinition(MD, Receiver); 1358 else 1359 return RuntimeDefinition(MD, nullptr); 1360 } 1361 } else { 1362 // This is a class method. 1363 // If we have type info for the receiver class, we are calling via 1364 // class name. 1365 if (ObjCInterfaceDecl *IDecl = E->getReceiverInterface()) { 1366 // Find/Return the method implementation. 1367 return RuntimeDefinition(IDecl->lookupPrivateClassMethod(Sel)); 1368 } 1369 } 1370 1371 return {}; 1372 } 1373 1374 bool ObjCMethodCall::argumentsMayEscape() const { 1375 if (isInSystemHeader() && !isInstanceMessage()) { 1376 Selector Sel = getSelector(); 1377 if (Sel.getNumArgs() == 1 && 1378 Sel.getIdentifierInfoForSlot(0)->isStr("valueWithPointer")) 1379 return true; 1380 } 1381 1382 return CallEvent::argumentsMayEscape(); 1383 } 1384 1385 void ObjCMethodCall::getInitialStackFrameContents( 1386 const StackFrameContext *CalleeCtx, 1387 BindingsTy &Bindings) const { 1388 const auto *D = cast<ObjCMethodDecl>(CalleeCtx->getDecl()); 1389 SValBuilder &SVB = getState()->getStateManager().getSValBuilder(); 1390 addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this, 1391 D->parameters()); 1392 1393 SVal SelfVal = getReceiverSVal(); 1394 if (!SelfVal.isUnknown()) { 1395 const VarDecl *SelfD = CalleeCtx->getAnalysisDeclContext()->getSelfDecl(); 1396 MemRegionManager &MRMgr = SVB.getRegionManager(); 1397 Loc SelfLoc = SVB.makeLoc(MRMgr.getVarRegion(SelfD, CalleeCtx)); 1398 Bindings.push_back(std::make_pair(SelfLoc, SelfVal)); 1399 } 1400 } 1401 1402 CallEventRef<> 1403 CallEventManager::getSimpleCall(const CallExpr *CE, ProgramStateRef State, 1404 const LocationContext *LCtx, 1405 CFGBlock::ConstCFGElementRef ElemRef) { 1406 if (const auto *MCE = dyn_cast<CXXMemberCallExpr>(CE)) 1407 return create<CXXMemberCall>(MCE, State, LCtx, ElemRef); 1408 1409 if (const auto *OpCE = dyn_cast<CXXOperatorCallExpr>(CE)) { 1410 const FunctionDecl *DirectCallee = OpCE->getDirectCallee(); 1411 if (const auto *MD = dyn_cast<CXXMethodDecl>(DirectCallee)) { 1412 if (MD->isImplicitObjectMemberFunction()) 1413 return create<CXXMemberOperatorCall>(OpCE, State, LCtx, ElemRef); 1414 if (MD->isStatic()) 1415 return create<CXXStaticOperatorCall>(OpCE, State, LCtx, ElemRef); 1416 } 1417 1418 } else if (CE->getCallee()->getType()->isBlockPointerType()) { 1419 return create<BlockCall>(CE, State, LCtx, ElemRef); 1420 } 1421 1422 // Otherwise, it's a normal function call, static member function call, or 1423 // something we can't reason about. 1424 return create<SimpleFunctionCall>(CE, State, LCtx, ElemRef); 1425 } 1426 1427 CallEventRef<> 1428 CallEventManager::getCaller(const StackFrameContext *CalleeCtx, 1429 ProgramStateRef State) { 1430 const LocationContext *ParentCtx = CalleeCtx->getParent(); 1431 const LocationContext *CallerCtx = ParentCtx->getStackFrame(); 1432 CFGBlock::ConstCFGElementRef ElemRef = {CalleeCtx->getCallSiteBlock(), 1433 CalleeCtx->getIndex()}; 1434 assert(CallerCtx && "This should not be used for top-level stack frames"); 1435 1436 const Stmt *CallSite = CalleeCtx->getCallSite(); 1437 1438 if (CallSite) { 1439 if (CallEventRef<> Out = getCall(CallSite, State, CallerCtx, ElemRef)) 1440 return Out; 1441 1442 SValBuilder &SVB = State->getStateManager().getSValBuilder(); 1443 const auto *Ctor = cast<CXXMethodDecl>(CalleeCtx->getDecl()); 1444 Loc ThisPtr = SVB.getCXXThis(Ctor, CalleeCtx); 1445 SVal ThisVal = State->getSVal(ThisPtr); 1446 1447 if (const auto *CE = dyn_cast<CXXConstructExpr>(CallSite)) 1448 return getCXXConstructorCall(CE, ThisVal.getAsRegion(), State, CallerCtx, 1449 ElemRef); 1450 else if (const auto *CIE = dyn_cast<CXXInheritedCtorInitExpr>(CallSite)) 1451 return getCXXInheritedConstructorCall(CIE, ThisVal.getAsRegion(), State, 1452 CallerCtx, ElemRef); 1453 else { 1454 // All other cases are handled by getCall. 1455 llvm_unreachable("This is not an inlineable statement"); 1456 } 1457 } 1458 1459 // Fall back to the CFG. The only thing we haven't handled yet is 1460 // destructors, though this could change in the future. 1461 const CFGBlock *B = CalleeCtx->getCallSiteBlock(); 1462 CFGElement E = (*B)[CalleeCtx->getIndex()]; 1463 assert((E.getAs<CFGImplicitDtor>() || E.getAs<CFGTemporaryDtor>()) && 1464 "All other CFG elements should have exprs"); 1465 1466 SValBuilder &SVB = State->getStateManager().getSValBuilder(); 1467 const auto *Dtor = cast<CXXDestructorDecl>(CalleeCtx->getDecl()); 1468 Loc ThisPtr = SVB.getCXXThis(Dtor, CalleeCtx); 1469 SVal ThisVal = State->getSVal(ThisPtr); 1470 1471 const Stmt *Trigger; 1472 if (std::optional<CFGAutomaticObjDtor> AutoDtor = 1473 E.getAs<CFGAutomaticObjDtor>()) 1474 Trigger = AutoDtor->getTriggerStmt(); 1475 else if (std::optional<CFGDeleteDtor> DeleteDtor = E.getAs<CFGDeleteDtor>()) 1476 Trigger = DeleteDtor->getDeleteExpr(); 1477 else 1478 Trigger = Dtor->getBody(); 1479 1480 return getCXXDestructorCall(Dtor, Trigger, ThisVal.getAsRegion(), 1481 E.getAs<CFGBaseDtor>().has_value(), State, 1482 CallerCtx, ElemRef); 1483 } 1484 1485 CallEventRef<> CallEventManager::getCall(const Stmt *S, ProgramStateRef State, 1486 const LocationContext *LC, 1487 CFGBlock::ConstCFGElementRef ElemRef) { 1488 if (const auto *CE = dyn_cast<CallExpr>(S)) { 1489 return getSimpleCall(CE, State, LC, ElemRef); 1490 } else if (const auto *NE = dyn_cast<CXXNewExpr>(S)) { 1491 return getCXXAllocatorCall(NE, State, LC, ElemRef); 1492 } else if (const auto *DE = dyn_cast<CXXDeleteExpr>(S)) { 1493 return getCXXDeallocatorCall(DE, State, LC, ElemRef); 1494 } else if (const auto *ME = dyn_cast<ObjCMessageExpr>(S)) { 1495 return getObjCMethodCall(ME, State, LC, ElemRef); 1496 } else { 1497 return nullptr; 1498 } 1499 } 1500