1 //===-- UncheckedOptionalAccessModel.cpp ------------------------*- C++ -*-===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines a dataflow analysis that detects unsafe uses of optional
10 // values.
11 //
12 //===----------------------------------------------------------------------===//
13
14 #include "clang/Analysis/FlowSensitive/Models/UncheckedOptionalAccessModel.h"
15 #include "clang/AST/ASTContext.h"
16 #include "clang/AST/DeclCXX.h"
17 #include "clang/AST/Expr.h"
18 #include "clang/AST/ExprCXX.h"
19 #include "clang/AST/Stmt.h"
20 #include "clang/ASTMatchers/ASTMatchers.h"
21 #include "clang/Analysis/CFG.h"
22 #include "clang/Analysis/FlowSensitive/CFGMatchSwitch.h"
23 #include "clang/Analysis/FlowSensitive/DataflowEnvironment.h"
24 #include "clang/Analysis/FlowSensitive/NoopLattice.h"
25 #include "clang/Analysis/FlowSensitive/StorageLocation.h"
26 #include "clang/Analysis/FlowSensitive/Value.h"
27 #include "clang/Basic/SourceLocation.h"
28 #include "llvm/ADT/StringRef.h"
29 #include "llvm/Support/Casting.h"
30 #include "llvm/Support/ErrorHandling.h"
31 #include <cassert>
32 #include <memory>
33 #include <optional>
34 #include <utility>
35 #include <vector>
36
37 namespace clang {
38 namespace dataflow {
39 namespace {
40
41 using namespace ::clang::ast_matchers;
42 using LatticeTransferState = TransferState<NoopLattice>;
43
optionalClass()44 DeclarationMatcher optionalClass() {
45 return classTemplateSpecializationDecl(
46 anyOf(hasName("std::optional"), hasName("std::__optional_storage_base"),
47 hasName("__optional_destruct_base"), hasName("absl::optional"),
48 hasName("base::Optional")),
49 hasTemplateArgument(0, refersToType(type().bind("T"))));
50 }
51
optionalOrAliasType()52 auto optionalOrAliasType() {
53 return hasUnqualifiedDesugaredType(
54 recordType(hasDeclaration(optionalClass())));
55 }
56
57 /// Matches any of the spellings of the optional types and sugar, aliases, etc.
hasOptionalType()58 auto hasOptionalType() { return hasType(optionalOrAliasType()); }
59
isOptionalMemberCallWithName(llvm::StringRef MemberName,const std::optional<StatementMatcher> & Ignorable=std::nullopt)60 auto isOptionalMemberCallWithName(
61 llvm::StringRef MemberName,
62 const std::optional<StatementMatcher> &Ignorable = std::nullopt) {
63 auto Exception = unless(Ignorable ? expr(anyOf(*Ignorable, cxxThisExpr()))
64 : cxxThisExpr());
65 return cxxMemberCallExpr(
66 on(expr(Exception)),
67 callee(cxxMethodDecl(hasName(MemberName), ofClass(optionalClass()))));
68 }
69
isOptionalOperatorCallWithName(llvm::StringRef operator_name,const std::optional<StatementMatcher> & Ignorable=std::nullopt)70 auto isOptionalOperatorCallWithName(
71 llvm::StringRef operator_name,
72 const std::optional<StatementMatcher> &Ignorable = std::nullopt) {
73 return cxxOperatorCallExpr(
74 hasOverloadedOperatorName(operator_name),
75 callee(cxxMethodDecl(ofClass(optionalClass()))),
76 Ignorable ? callExpr(unless(hasArgument(0, *Ignorable))) : callExpr());
77 }
78
isMakeOptionalCall()79 auto isMakeOptionalCall() {
80 return callExpr(
81 callee(functionDecl(hasAnyName(
82 "std::make_optional", "base::make_optional", "absl::make_optional"))),
83 hasOptionalType());
84 }
85
nulloptTypeDecl()86 auto nulloptTypeDecl() {
87 return namedDecl(
88 hasAnyName("std::nullopt_t", "absl::nullopt_t", "base::nullopt_t"));
89 }
90
hasNulloptType()91 auto hasNulloptType() { return hasType(nulloptTypeDecl()); }
92
93 // `optional` or `nullopt_t`
hasAnyOptionalType()94 auto hasAnyOptionalType() {
95 return hasType(hasUnqualifiedDesugaredType(
96 recordType(hasDeclaration(anyOf(nulloptTypeDecl(), optionalClass())))));
97 }
98
99
inPlaceClass()100 auto inPlaceClass() {
101 return recordDecl(
102 hasAnyName("std::in_place_t", "absl::in_place_t", "base::in_place_t"));
103 }
104
isOptionalNulloptConstructor()105 auto isOptionalNulloptConstructor() {
106 return cxxConstructExpr(
107 hasOptionalType(),
108 hasDeclaration(cxxConstructorDecl(parameterCountIs(1),
109 hasParameter(0, hasNulloptType()))));
110 }
111
isOptionalInPlaceConstructor()112 auto isOptionalInPlaceConstructor() {
113 return cxxConstructExpr(hasOptionalType(),
114 hasArgument(0, hasType(inPlaceClass())));
115 }
116
isOptionalValueOrConversionConstructor()117 auto isOptionalValueOrConversionConstructor() {
118 return cxxConstructExpr(
119 hasOptionalType(),
120 unless(hasDeclaration(
121 cxxConstructorDecl(anyOf(isCopyConstructor(), isMoveConstructor())))),
122 argumentCountIs(1), hasArgument(0, unless(hasNulloptType())));
123 }
124
isOptionalValueOrConversionAssignment()125 auto isOptionalValueOrConversionAssignment() {
126 return cxxOperatorCallExpr(
127 hasOverloadedOperatorName("="),
128 callee(cxxMethodDecl(ofClass(optionalClass()))),
129 unless(hasDeclaration(cxxMethodDecl(
130 anyOf(isCopyAssignmentOperator(), isMoveAssignmentOperator())))),
131 argumentCountIs(2), hasArgument(1, unless(hasNulloptType())));
132 }
133
isNulloptConstructor()134 auto isNulloptConstructor() {
135 return cxxConstructExpr(hasNulloptType(), argumentCountIs(1),
136 hasArgument(0, hasNulloptType()));
137 }
138
isOptionalNulloptAssignment()139 auto isOptionalNulloptAssignment() {
140 return cxxOperatorCallExpr(hasOverloadedOperatorName("="),
141 callee(cxxMethodDecl(ofClass(optionalClass()))),
142 argumentCountIs(2),
143 hasArgument(1, hasNulloptType()));
144 }
145
isStdSwapCall()146 auto isStdSwapCall() {
147 return callExpr(callee(functionDecl(hasName("std::swap"))),
148 argumentCountIs(2), hasArgument(0, hasOptionalType()),
149 hasArgument(1, hasOptionalType()));
150 }
151
152 constexpr llvm::StringLiteral ValueOrCallID = "ValueOrCall";
153
isValueOrStringEmptyCall()154 auto isValueOrStringEmptyCall() {
155 // `opt.value_or("").empty()`
156 return cxxMemberCallExpr(
157 callee(cxxMethodDecl(hasName("empty"))),
158 onImplicitObjectArgument(ignoringImplicit(
159 cxxMemberCallExpr(on(expr(unless(cxxThisExpr()))),
160 callee(cxxMethodDecl(hasName("value_or"),
161 ofClass(optionalClass()))),
162 hasArgument(0, stringLiteral(hasSize(0))))
163 .bind(ValueOrCallID))));
164 }
165
isValueOrNotEqX()166 auto isValueOrNotEqX() {
167 auto ComparesToSame = [](ast_matchers::internal::Matcher<Stmt> Arg) {
168 return hasOperands(
169 ignoringImplicit(
170 cxxMemberCallExpr(on(expr(unless(cxxThisExpr()))),
171 callee(cxxMethodDecl(hasName("value_or"),
172 ofClass(optionalClass()))),
173 hasArgument(0, Arg))
174 .bind(ValueOrCallID)),
175 ignoringImplicit(Arg));
176 };
177
178 // `opt.value_or(X) != X`, for X is `nullptr`, `""`, or `0`. Ideally, we'd
179 // support this pattern for any expression, but the AST does not have a
180 // generic expression comparison facility, so we specialize to common cases
181 // seen in practice. FIXME: define a matcher that compares values across
182 // nodes, which would let us generalize this to any `X`.
183 return binaryOperation(hasOperatorName("!="),
184 anyOf(ComparesToSame(cxxNullPtrLiteralExpr()),
185 ComparesToSame(stringLiteral(hasSize(0))),
186 ComparesToSame(integerLiteral(equals(0)))));
187 }
188
isCallReturningOptional()189 auto isCallReturningOptional() {
190 return callExpr(hasType(qualType(anyOf(
191 optionalOrAliasType(), referenceType(pointee(optionalOrAliasType()))))));
192 }
193
194 template <typename L, typename R>
isComparisonOperatorCall(L lhs_arg_matcher,R rhs_arg_matcher)195 auto isComparisonOperatorCall(L lhs_arg_matcher, R rhs_arg_matcher) {
196 return cxxOperatorCallExpr(
197 anyOf(hasOverloadedOperatorName("=="), hasOverloadedOperatorName("!=")),
198 argumentCountIs(2), hasArgument(0, lhs_arg_matcher),
199 hasArgument(1, rhs_arg_matcher));
200 }
201
202 // Ensures that `Expr` is mapped to a `BoolValue` and returns it.
forceBoolValue(Environment & Env,const Expr & Expr)203 BoolValue &forceBoolValue(Environment &Env, const Expr &Expr) {
204 auto *Value = cast_or_null<BoolValue>(Env.getValue(Expr, SkipPast::None));
205 if (Value != nullptr)
206 return *Value;
207
208 auto &Loc = Env.createStorageLocation(Expr);
209 Value = &Env.makeAtomicBoolValue();
210 Env.setValue(Loc, *Value);
211 Env.setStorageLocation(Expr, Loc);
212 return *Value;
213 }
214
215 /// Sets `HasValueVal` as the symbolic value that represents the "has_value"
216 /// property of the optional value `OptionalVal`.
setHasValue(Value & OptionalVal,BoolValue & HasValueVal)217 void setHasValue(Value &OptionalVal, BoolValue &HasValueVal) {
218 OptionalVal.setProperty("has_value", HasValueVal);
219 }
220
221 /// Creates a symbolic value for an `optional` value using `HasValueVal` as the
222 /// symbolic value of its "has_value" property.
createOptionalValue(Environment & Env,BoolValue & HasValueVal)223 StructValue &createOptionalValue(Environment &Env, BoolValue &HasValueVal) {
224 auto OptionalVal = std::make_unique<StructValue>();
225 setHasValue(*OptionalVal, HasValueVal);
226 return Env.takeOwnership(std::move(OptionalVal));
227 }
228
229 /// Returns the symbolic value that represents the "has_value" property of the
230 /// optional value `OptionalVal`. Returns null if `OptionalVal` is null.
getHasValue(Environment & Env,Value * OptionalVal)231 BoolValue *getHasValue(Environment &Env, Value *OptionalVal) {
232 if (OptionalVal != nullptr) {
233 auto *HasValueVal =
234 cast_or_null<BoolValue>(OptionalVal->getProperty("has_value"));
235 if (HasValueVal == nullptr) {
236 HasValueVal = &Env.makeAtomicBoolValue();
237 OptionalVal->setProperty("has_value", *HasValueVal);
238 }
239 return HasValueVal;
240 }
241 return nullptr;
242 }
243
244 /// If `Type` is a reference type, returns the type of its pointee. Otherwise,
245 /// returns `Type` itself.
stripReference(QualType Type)246 QualType stripReference(QualType Type) {
247 return Type->isReferenceType() ? Type->getPointeeType() : Type;
248 }
249
250 /// Returns true if and only if `Type` is an optional type.
isOptionalType(QualType Type)251 bool isOptionalType(QualType Type) {
252 if (!Type->isRecordType())
253 return false;
254 // FIXME: Optimize this by avoiding the `getQualifiedNameAsString` call.
255 auto TypeName = Type->getAsCXXRecordDecl()->getQualifiedNameAsString();
256 return TypeName == "std::optional" || TypeName == "absl::optional" ||
257 TypeName == "base::Optional";
258 }
259
260 /// Returns the number of optional wrappers in `Type`.
261 ///
262 /// For example, if `Type` is `optional<optional<int>>`, the result of this
263 /// function will be 2.
countOptionalWrappers(const ASTContext & ASTCtx,QualType Type)264 int countOptionalWrappers(const ASTContext &ASTCtx, QualType Type) {
265 if (!isOptionalType(Type))
266 return 0;
267 return 1 + countOptionalWrappers(
268 ASTCtx,
269 cast<ClassTemplateSpecializationDecl>(Type->getAsRecordDecl())
270 ->getTemplateArgs()
271 .get(0)
272 .getAsType()
273 .getDesugaredType(ASTCtx));
274 }
275
276 /// Tries to initialize the `optional`'s value (that is, contents), and return
277 /// its location. Returns nullptr if the value can't be represented.
maybeInitializeOptionalValueMember(QualType Q,Value & OptionalVal,Environment & Env)278 StorageLocation *maybeInitializeOptionalValueMember(QualType Q,
279 Value &OptionalVal,
280 Environment &Env) {
281 // The "value" property represents a synthetic field. As such, it needs
282 // `StorageLocation`, like normal fields (and other variables). So, we model
283 // it with a `ReferenceValue`, since that includes a storage location. Once
284 // the property is set, it will be shared by all environments that access the
285 // `Value` representing the optional (here, `OptionalVal`).
286 if (auto *ValueProp = OptionalVal.getProperty("value")) {
287 auto *ValueRef = clang::cast<ReferenceValue>(ValueProp);
288 auto &ValueLoc = ValueRef->getReferentLoc();
289 if (Env.getValue(ValueLoc) == nullptr) {
290 // The property was previously set, but the value has been lost. This can
291 // happen, for example, because of an environment merge (where the two
292 // environments mapped the property to different values, which resulted in
293 // them both being discarded), or when two blocks in the CFG, with neither
294 // a dominator of the other, visit the same optional value, or even when a
295 // block is revisited during testing to collect per-statement state.
296 // FIXME: This situation means that the optional contents are not shared
297 // between branches and the like. Practically, this lack of sharing
298 // reduces the precision of the model when the contents are relevant to
299 // the check, like another optional or a boolean that influences control
300 // flow.
301 auto *ValueVal = Env.createValue(ValueLoc.getType());
302 if (ValueVal == nullptr)
303 return nullptr;
304 Env.setValue(ValueLoc, *ValueVal);
305 }
306 return &ValueLoc;
307 }
308
309 auto Ty = stripReference(Q);
310 auto *ValueVal = Env.createValue(Ty);
311 if (ValueVal == nullptr)
312 return nullptr;
313 auto &ValueLoc = Env.createStorageLocation(Ty);
314 Env.setValue(ValueLoc, *ValueVal);
315 auto ValueRef = std::make_unique<ReferenceValue>(ValueLoc);
316 OptionalVal.setProperty("value", Env.takeOwnership(std::move(ValueRef)));
317 return &ValueLoc;
318 }
319
initializeOptionalReference(const Expr * OptionalExpr,const MatchFinder::MatchResult &,LatticeTransferState & State)320 void initializeOptionalReference(const Expr *OptionalExpr,
321 const MatchFinder::MatchResult &,
322 LatticeTransferState &State) {
323 if (auto *OptionalVal =
324 State.Env.getValue(*OptionalExpr, SkipPast::Reference)) {
325 if (OptionalVal->getProperty("has_value") == nullptr) {
326 setHasValue(*OptionalVal, State.Env.makeAtomicBoolValue());
327 }
328 }
329 }
330
331 /// Returns true if and only if `OptionalVal` is initialized and known to be
332 /// empty in `Env.
isEmptyOptional(const Value & OptionalVal,const Environment & Env)333 bool isEmptyOptional(const Value &OptionalVal, const Environment &Env) {
334 auto *HasValueVal =
335 cast_or_null<BoolValue>(OptionalVal.getProperty("has_value"));
336 return HasValueVal != nullptr &&
337 Env.flowConditionImplies(Env.makeNot(*HasValueVal));
338 }
339
340 /// Returns true if and only if `OptionalVal` is initialized and known to be
341 /// non-empty in `Env.
isNonEmptyOptional(const Value & OptionalVal,const Environment & Env)342 bool isNonEmptyOptional(const Value &OptionalVal, const Environment &Env) {
343 auto *HasValueVal =
344 cast_or_null<BoolValue>(OptionalVal.getProperty("has_value"));
345 return HasValueVal != nullptr && Env.flowConditionImplies(*HasValueVal);
346 }
347
transferUnwrapCall(const Expr * UnwrapExpr,const Expr * ObjectExpr,LatticeTransferState & State)348 void transferUnwrapCall(const Expr *UnwrapExpr, const Expr *ObjectExpr,
349 LatticeTransferState &State) {
350 if (auto *OptionalVal =
351 State.Env.getValue(*ObjectExpr, SkipPast::ReferenceThenPointer)) {
352 if (State.Env.getStorageLocation(*UnwrapExpr, SkipPast::None) == nullptr)
353 if (auto *Loc = maybeInitializeOptionalValueMember(
354 UnwrapExpr->getType(), *OptionalVal, State.Env))
355 State.Env.setStorageLocation(*UnwrapExpr, *Loc);
356 }
357 }
358
transferMakeOptionalCall(const CallExpr * E,const MatchFinder::MatchResult &,LatticeTransferState & State)359 void transferMakeOptionalCall(const CallExpr *E,
360 const MatchFinder::MatchResult &,
361 LatticeTransferState &State) {
362 auto &Loc = State.Env.createStorageLocation(*E);
363 State.Env.setStorageLocation(*E, Loc);
364 State.Env.setValue(
365 Loc, createOptionalValue(State.Env, State.Env.getBoolLiteralValue(true)));
366 }
367
transferOptionalHasValueCall(const CXXMemberCallExpr * CallExpr,const MatchFinder::MatchResult &,LatticeTransferState & State)368 void transferOptionalHasValueCall(const CXXMemberCallExpr *CallExpr,
369 const MatchFinder::MatchResult &,
370 LatticeTransferState &State) {
371 if (auto *HasValueVal = getHasValue(
372 State.Env, State.Env.getValue(*CallExpr->getImplicitObjectArgument(),
373 SkipPast::ReferenceThenPointer))) {
374 auto &CallExprLoc = State.Env.createStorageLocation(*CallExpr);
375 State.Env.setValue(CallExprLoc, *HasValueVal);
376 State.Env.setStorageLocation(*CallExpr, CallExprLoc);
377 }
378 }
379
380 /// `ModelPred` builds a logical formula relating the predicate in
381 /// `ValueOrPredExpr` to the optional's `has_value` property.
transferValueOrImpl(const clang::Expr * ValueOrPredExpr,const MatchFinder::MatchResult & Result,LatticeTransferState & State,BoolValue & (* ModelPred)(Environment & Env,BoolValue & ExprVal,BoolValue & HasValueVal))382 void transferValueOrImpl(const clang::Expr *ValueOrPredExpr,
383 const MatchFinder::MatchResult &Result,
384 LatticeTransferState &State,
385 BoolValue &(*ModelPred)(Environment &Env,
386 BoolValue &ExprVal,
387 BoolValue &HasValueVal)) {
388 auto &Env = State.Env;
389
390 const auto *ObjectArgumentExpr =
391 Result.Nodes.getNodeAs<clang::CXXMemberCallExpr>(ValueOrCallID)
392 ->getImplicitObjectArgument();
393
394 auto *HasValueVal = getHasValue(
395 State.Env,
396 State.Env.getValue(*ObjectArgumentExpr, SkipPast::ReferenceThenPointer));
397 if (HasValueVal == nullptr)
398 return;
399
400 Env.addToFlowCondition(
401 ModelPred(Env, forceBoolValue(Env, *ValueOrPredExpr), *HasValueVal));
402 }
403
transferValueOrStringEmptyCall(const clang::Expr * ComparisonExpr,const MatchFinder::MatchResult & Result,LatticeTransferState & State)404 void transferValueOrStringEmptyCall(const clang::Expr *ComparisonExpr,
405 const MatchFinder::MatchResult &Result,
406 LatticeTransferState &State) {
407 return transferValueOrImpl(ComparisonExpr, Result, State,
408 [](Environment &Env, BoolValue &ExprVal,
409 BoolValue &HasValueVal) -> BoolValue & {
410 // If the result is *not* empty, then we know the
411 // optional must have been holding a value. If
412 // `ExprVal` is true, though, we don't learn
413 // anything definite about `has_value`, so we
414 // don't add any corresponding implications to
415 // the flow condition.
416 return Env.makeImplication(Env.makeNot(ExprVal),
417 HasValueVal);
418 });
419 }
420
transferValueOrNotEqX(const Expr * ComparisonExpr,const MatchFinder::MatchResult & Result,LatticeTransferState & State)421 void transferValueOrNotEqX(const Expr *ComparisonExpr,
422 const MatchFinder::MatchResult &Result,
423 LatticeTransferState &State) {
424 transferValueOrImpl(ComparisonExpr, Result, State,
425 [](Environment &Env, BoolValue &ExprVal,
426 BoolValue &HasValueVal) -> BoolValue & {
427 // We know that if `(opt.value_or(X) != X)` then
428 // `opt.hasValue()`, even without knowing further
429 // details about the contents of `opt`.
430 return Env.makeImplication(ExprVal, HasValueVal);
431 });
432 }
433
transferCallReturningOptional(const CallExpr * E,const MatchFinder::MatchResult & Result,LatticeTransferState & State)434 void transferCallReturningOptional(const CallExpr *E,
435 const MatchFinder::MatchResult &Result,
436 LatticeTransferState &State) {
437 if (State.Env.getStorageLocation(*E, SkipPast::None) != nullptr)
438 return;
439
440 auto &Loc = State.Env.createStorageLocation(*E);
441 State.Env.setStorageLocation(*E, Loc);
442 State.Env.setValue(
443 Loc, createOptionalValue(State.Env, State.Env.makeAtomicBoolValue()));
444 }
445
assignOptionalValue(const Expr & E,Environment & Env,BoolValue & HasValueVal)446 void assignOptionalValue(const Expr &E, Environment &Env,
447 BoolValue &HasValueVal) {
448 if (auto *OptionalLoc =
449 Env.getStorageLocation(E, SkipPast::ReferenceThenPointer)) {
450 Env.setValue(*OptionalLoc, createOptionalValue(Env, HasValueVal));
451 }
452 }
453
454 /// Returns a symbolic value for the "has_value" property of an `optional<T>`
455 /// value that is constructed/assigned from a value of type `U` or `optional<U>`
456 /// where `T` is constructible from `U`.
valueOrConversionHasValue(const FunctionDecl & F,const Expr & E,const MatchFinder::MatchResult & MatchRes,LatticeTransferState & State)457 BoolValue &valueOrConversionHasValue(const FunctionDecl &F, const Expr &E,
458 const MatchFinder::MatchResult &MatchRes,
459 LatticeTransferState &State) {
460 assert(F.getTemplateSpecializationArgs() != nullptr);
461 assert(F.getTemplateSpecializationArgs()->size() > 0);
462
463 const int TemplateParamOptionalWrappersCount = countOptionalWrappers(
464 *MatchRes.Context,
465 stripReference(F.getTemplateSpecializationArgs()->get(0).getAsType()));
466 const int ArgTypeOptionalWrappersCount =
467 countOptionalWrappers(*MatchRes.Context, stripReference(E.getType()));
468
469 // Check if this is a constructor/assignment call for `optional<T>` with
470 // argument of type `U` such that `T` is constructible from `U`.
471 if (TemplateParamOptionalWrappersCount == ArgTypeOptionalWrappersCount)
472 return State.Env.getBoolLiteralValue(true);
473
474 // This is a constructor/assignment call for `optional<T>` with argument of
475 // type `optional<U>` such that `T` is constructible from `U`.
476 if (auto *HasValueVal =
477 getHasValue(State.Env, State.Env.getValue(E, SkipPast::Reference)))
478 return *HasValueVal;
479 return State.Env.makeAtomicBoolValue();
480 }
481
transferValueOrConversionConstructor(const CXXConstructExpr * E,const MatchFinder::MatchResult & MatchRes,LatticeTransferState & State)482 void transferValueOrConversionConstructor(
483 const CXXConstructExpr *E, const MatchFinder::MatchResult &MatchRes,
484 LatticeTransferState &State) {
485 assert(E->getNumArgs() > 0);
486
487 assignOptionalValue(*E, State.Env,
488 valueOrConversionHasValue(*E->getConstructor(),
489 *E->getArg(0), MatchRes,
490 State));
491 }
492
transferAssignment(const CXXOperatorCallExpr * E,BoolValue & HasValueVal,LatticeTransferState & State)493 void transferAssignment(const CXXOperatorCallExpr *E, BoolValue &HasValueVal,
494 LatticeTransferState &State) {
495 assert(E->getNumArgs() > 0);
496
497 auto *OptionalLoc =
498 State.Env.getStorageLocation(*E->getArg(0), SkipPast::Reference);
499 if (OptionalLoc == nullptr)
500 return;
501
502 State.Env.setValue(*OptionalLoc, createOptionalValue(State.Env, HasValueVal));
503
504 // Assign a storage location for the whole expression.
505 State.Env.setStorageLocation(*E, *OptionalLoc);
506 }
507
transferValueOrConversionAssignment(const CXXOperatorCallExpr * E,const MatchFinder::MatchResult & MatchRes,LatticeTransferState & State)508 void transferValueOrConversionAssignment(
509 const CXXOperatorCallExpr *E, const MatchFinder::MatchResult &MatchRes,
510 LatticeTransferState &State) {
511 assert(E->getNumArgs() > 1);
512 transferAssignment(E,
513 valueOrConversionHasValue(*E->getDirectCallee(),
514 *E->getArg(1), MatchRes, State),
515 State);
516 }
517
transferNulloptAssignment(const CXXOperatorCallExpr * E,const MatchFinder::MatchResult &,LatticeTransferState & State)518 void transferNulloptAssignment(const CXXOperatorCallExpr *E,
519 const MatchFinder::MatchResult &,
520 LatticeTransferState &State) {
521 transferAssignment(E, State.Env.getBoolLiteralValue(false), State);
522 }
523
transferSwap(const StorageLocation & OptionalLoc1,const StorageLocation & OptionalLoc2,LatticeTransferState & State)524 void transferSwap(const StorageLocation &OptionalLoc1,
525 const StorageLocation &OptionalLoc2,
526 LatticeTransferState &State) {
527 auto *OptionalVal1 = State.Env.getValue(OptionalLoc1);
528 assert(OptionalVal1 != nullptr);
529
530 auto *OptionalVal2 = State.Env.getValue(OptionalLoc2);
531 assert(OptionalVal2 != nullptr);
532
533 State.Env.setValue(OptionalLoc1, *OptionalVal2);
534 State.Env.setValue(OptionalLoc2, *OptionalVal1);
535 }
536
transferSwapCall(const CXXMemberCallExpr * E,const MatchFinder::MatchResult &,LatticeTransferState & State)537 void transferSwapCall(const CXXMemberCallExpr *E,
538 const MatchFinder::MatchResult &,
539 LatticeTransferState &State) {
540 assert(E->getNumArgs() == 1);
541
542 auto *OptionalLoc1 = State.Env.getStorageLocation(
543 *E->getImplicitObjectArgument(), SkipPast::ReferenceThenPointer);
544 assert(OptionalLoc1 != nullptr);
545
546 auto *OptionalLoc2 =
547 State.Env.getStorageLocation(*E->getArg(0), SkipPast::Reference);
548 assert(OptionalLoc2 != nullptr);
549
550 transferSwap(*OptionalLoc1, *OptionalLoc2, State);
551 }
552
transferStdSwapCall(const CallExpr * E,const MatchFinder::MatchResult &,LatticeTransferState & State)553 void transferStdSwapCall(const CallExpr *E, const MatchFinder::MatchResult &,
554 LatticeTransferState &State) {
555 assert(E->getNumArgs() == 2);
556
557 auto *OptionalLoc1 =
558 State.Env.getStorageLocation(*E->getArg(0), SkipPast::Reference);
559 assert(OptionalLoc1 != nullptr);
560
561 auto *OptionalLoc2 =
562 State.Env.getStorageLocation(*E->getArg(1), SkipPast::Reference);
563 assert(OptionalLoc2 != nullptr);
564
565 transferSwap(*OptionalLoc1, *OptionalLoc2, State);
566 }
567
evaluateEquality(Environment & Env,BoolValue & EqVal,BoolValue & LHS,BoolValue & RHS)568 BoolValue &evaluateEquality(Environment &Env, BoolValue &EqVal, BoolValue &LHS,
569 BoolValue &RHS) {
570 // Logically, an optional<T> object is composed of two values - a `has_value`
571 // bit and a value of type T. Equality of optional objects compares both
572 // values. Therefore, merely comparing the `has_value` bits isn't sufficient:
573 // when two optional objects are engaged, the equality of their respective
574 // values of type T matters. Since we only track the `has_value` bits, we
575 // can't make any conclusions about equality when we know that two optional
576 // objects are engaged.
577 //
578 // We express this as two facts about the equality:
579 // a) EqVal => (LHS & RHS) v (!RHS & !LHS)
580 // If they are equal, then either both are set or both are unset.
581 // b) (!LHS & !RHS) => EqVal
582 // If neither is set, then they are equal.
583 // We rewrite b) as !EqVal => (LHS v RHS), for a more compact formula.
584 return Env.makeAnd(
585 Env.makeImplication(
586 EqVal, Env.makeOr(Env.makeAnd(LHS, RHS),
587 Env.makeAnd(Env.makeNot(LHS), Env.makeNot(RHS)))),
588 Env.makeImplication(Env.makeNot(EqVal), Env.makeOr(LHS, RHS)));
589 }
590
transferOptionalAndOptionalCmp(const clang::CXXOperatorCallExpr * CmpExpr,const MatchFinder::MatchResult &,LatticeTransferState & State)591 void transferOptionalAndOptionalCmp(const clang::CXXOperatorCallExpr *CmpExpr,
592 const MatchFinder::MatchResult &,
593 LatticeTransferState &State) {
594 Environment &Env = State.Env;
595 auto *CmpValue = &forceBoolValue(Env, *CmpExpr);
596 if (auto *LHasVal = getHasValue(
597 Env, Env.getValue(*CmpExpr->getArg(0), SkipPast::Reference)))
598 if (auto *RHasVal = getHasValue(
599 Env, Env.getValue(*CmpExpr->getArg(1), SkipPast::Reference))) {
600 if (CmpExpr->getOperator() == clang::OO_ExclaimEqual)
601 CmpValue = &State.Env.makeNot(*CmpValue);
602 Env.addToFlowCondition(
603 evaluateEquality(Env, *CmpValue, *LHasVal, *RHasVal));
604 }
605 }
606
transferOptionalAndValueCmp(const clang::CXXOperatorCallExpr * CmpExpr,const clang::Expr * E,Environment & Env)607 void transferOptionalAndValueCmp(const clang::CXXOperatorCallExpr *CmpExpr,
608 const clang::Expr *E, Environment &Env) {
609 auto *CmpValue = &forceBoolValue(Env, *CmpExpr);
610 if (auto *HasVal = getHasValue(Env, Env.getValue(*E, SkipPast::Reference))) {
611 if (CmpExpr->getOperator() == clang::OO_ExclaimEqual)
612 CmpValue = &Env.makeNot(*CmpValue);
613 Env.addToFlowCondition(evaluateEquality(Env, *CmpValue, *HasVal,
614 Env.getBoolLiteralValue(true)));
615 }
616 }
617
618 std::optional<StatementMatcher>
ignorableOptional(const UncheckedOptionalAccessModelOptions & Options)619 ignorableOptional(const UncheckedOptionalAccessModelOptions &Options) {
620 if (Options.IgnoreSmartPointerDereference) {
621 auto SmartPtrUse = expr(ignoringParenImpCasts(cxxOperatorCallExpr(
622 anyOf(hasOverloadedOperatorName("->"), hasOverloadedOperatorName("*")),
623 unless(hasArgument(0, expr(hasOptionalType()))))));
624 return expr(
625 anyOf(SmartPtrUse, memberExpr(hasObjectExpression(SmartPtrUse))));
626 }
627 return std::nullopt;
628 }
629
630 StatementMatcher
valueCall(const std::optional<StatementMatcher> & IgnorableOptional)631 valueCall(const std::optional<StatementMatcher> &IgnorableOptional) {
632 return isOptionalMemberCallWithName("value", IgnorableOptional);
633 }
634
635 StatementMatcher
valueOperatorCall(const std::optional<StatementMatcher> & IgnorableOptional)636 valueOperatorCall(const std::optional<StatementMatcher> &IgnorableOptional) {
637 return expr(anyOf(isOptionalOperatorCallWithName("*", IgnorableOptional),
638 isOptionalOperatorCallWithName("->", IgnorableOptional)));
639 }
640
buildTransferMatchSwitch()641 auto buildTransferMatchSwitch() {
642 // FIXME: Evaluate the efficiency of matchers. If using matchers results in a
643 // lot of duplicated work (e.g. string comparisons), consider providing APIs
644 // that avoid it through memoization.
645 return CFGMatchSwitchBuilder<LatticeTransferState>()
646 // Attach a symbolic "has_value" state to optional values that we see for
647 // the first time.
648 .CaseOfCFGStmt<Expr>(
649 expr(anyOf(declRefExpr(), memberExpr()), hasOptionalType()),
650 initializeOptionalReference)
651
652 // make_optional
653 .CaseOfCFGStmt<CallExpr>(isMakeOptionalCall(), transferMakeOptionalCall)
654
655 // optional::optional (in place)
656 .CaseOfCFGStmt<CXXConstructExpr>(
657 isOptionalInPlaceConstructor(),
658 [](const CXXConstructExpr *E, const MatchFinder::MatchResult &,
659 LatticeTransferState &State) {
660 assignOptionalValue(*E, State.Env,
661 State.Env.getBoolLiteralValue(true));
662 })
663 // nullopt_t::nullopt_t
664 .CaseOfCFGStmt<CXXConstructExpr>(
665 isNulloptConstructor(),
666 [](const CXXConstructExpr *E, const MatchFinder::MatchResult &,
667 LatticeTransferState &State) {
668 assignOptionalValue(*E, State.Env,
669 State.Env.getBoolLiteralValue(false));
670 })
671 // optional::optional(nullopt_t)
672 .CaseOfCFGStmt<CXXConstructExpr>(
673 isOptionalNulloptConstructor(),
674 [](const CXXConstructExpr *E, const MatchFinder::MatchResult &,
675 LatticeTransferState &State) {
676 assignOptionalValue(*E, State.Env,
677 State.Env.getBoolLiteralValue(false));
678 })
679 // optional::optional (value/conversion)
680 .CaseOfCFGStmt<CXXConstructExpr>(isOptionalValueOrConversionConstructor(),
681 transferValueOrConversionConstructor)
682
683
684 // optional::operator=
685 .CaseOfCFGStmt<CXXOperatorCallExpr>(
686 isOptionalValueOrConversionAssignment(),
687 transferValueOrConversionAssignment)
688 .CaseOfCFGStmt<CXXOperatorCallExpr>(isOptionalNulloptAssignment(),
689 transferNulloptAssignment)
690
691 // optional::value
692 .CaseOfCFGStmt<CXXMemberCallExpr>(
693 valueCall(std::nullopt),
694 [](const CXXMemberCallExpr *E, const MatchFinder::MatchResult &,
695 LatticeTransferState &State) {
696 transferUnwrapCall(E, E->getImplicitObjectArgument(), State);
697 })
698
699 // optional::operator*, optional::operator->
700 .CaseOfCFGStmt<CallExpr>(valueOperatorCall(std::nullopt),
701 [](const CallExpr *E,
702 const MatchFinder::MatchResult &,
703 LatticeTransferState &State) {
704 transferUnwrapCall(E, E->getArg(0), State);
705 })
706
707 // optional::has_value
708 .CaseOfCFGStmt<CXXMemberCallExpr>(
709 isOptionalMemberCallWithName("has_value"),
710 transferOptionalHasValueCall)
711
712 // optional::operator bool
713 .CaseOfCFGStmt<CXXMemberCallExpr>(
714 isOptionalMemberCallWithName("operator bool"),
715 transferOptionalHasValueCall)
716
717 // optional::emplace
718 .CaseOfCFGStmt<CXXMemberCallExpr>(
719 isOptionalMemberCallWithName("emplace"),
720 [](const CXXMemberCallExpr *E, const MatchFinder::MatchResult &,
721 LatticeTransferState &State) {
722 assignOptionalValue(*E->getImplicitObjectArgument(), State.Env,
723 State.Env.getBoolLiteralValue(true));
724 })
725
726 // optional::reset
727 .CaseOfCFGStmt<CXXMemberCallExpr>(
728 isOptionalMemberCallWithName("reset"),
729 [](const CXXMemberCallExpr *E, const MatchFinder::MatchResult &,
730 LatticeTransferState &State) {
731 assignOptionalValue(*E->getImplicitObjectArgument(), State.Env,
732 State.Env.getBoolLiteralValue(false));
733 })
734
735 // optional::swap
736 .CaseOfCFGStmt<CXXMemberCallExpr>(isOptionalMemberCallWithName("swap"),
737 transferSwapCall)
738
739 // std::swap
740 .CaseOfCFGStmt<CallExpr>(isStdSwapCall(), transferStdSwapCall)
741
742 // opt.value_or("").empty()
743 .CaseOfCFGStmt<Expr>(isValueOrStringEmptyCall(),
744 transferValueOrStringEmptyCall)
745
746 // opt.value_or(X) != X
747 .CaseOfCFGStmt<Expr>(isValueOrNotEqX(), transferValueOrNotEqX)
748
749 // Comparisons (==, !=):
750 .CaseOfCFGStmt<CXXOperatorCallExpr>(
751 isComparisonOperatorCall(hasAnyOptionalType(), hasAnyOptionalType()),
752 transferOptionalAndOptionalCmp)
753 .CaseOfCFGStmt<CXXOperatorCallExpr>(
754 isComparisonOperatorCall(hasOptionalType(),
755 unless(hasAnyOptionalType())),
756 [](const clang::CXXOperatorCallExpr *Cmp,
757 const MatchFinder::MatchResult &, LatticeTransferState &State) {
758 transferOptionalAndValueCmp(Cmp, Cmp->getArg(0), State.Env);
759 })
760 .CaseOfCFGStmt<CXXOperatorCallExpr>(
761 isComparisonOperatorCall(unless(hasAnyOptionalType()),
762 hasOptionalType()),
763 [](const clang::CXXOperatorCallExpr *Cmp,
764 const MatchFinder::MatchResult &, LatticeTransferState &State) {
765 transferOptionalAndValueCmp(Cmp, Cmp->getArg(1), State.Env);
766 })
767
768 // returns optional
769 .CaseOfCFGStmt<CallExpr>(isCallReturningOptional(),
770 transferCallReturningOptional)
771
772 .Build();
773 }
774
diagnoseUnwrapCall(const Expr * UnwrapExpr,const Expr * ObjectExpr,const Environment & Env)775 std::vector<SourceLocation> diagnoseUnwrapCall(const Expr *UnwrapExpr,
776 const Expr *ObjectExpr,
777 const Environment &Env) {
778 if (auto *OptionalVal =
779 Env.getValue(*ObjectExpr, SkipPast::ReferenceThenPointer)) {
780 auto *Prop = OptionalVal->getProperty("has_value");
781 if (auto *HasValueVal = cast_or_null<BoolValue>(Prop)) {
782 if (Env.flowConditionImplies(*HasValueVal))
783 return {};
784 }
785 }
786
787 // Record that this unwrap is *not* provably safe.
788 // FIXME: include either the name of the optional (if applicable) or a source
789 // range of the access for easier interpretation of the result.
790 return {ObjectExpr->getBeginLoc()};
791 }
792
buildDiagnoseMatchSwitch(const UncheckedOptionalAccessModelOptions & Options)793 auto buildDiagnoseMatchSwitch(
794 const UncheckedOptionalAccessModelOptions &Options) {
795 // FIXME: Evaluate the efficiency of matchers. If using matchers results in a
796 // lot of duplicated work (e.g. string comparisons), consider providing APIs
797 // that avoid it through memoization.
798 auto IgnorableOptional = ignorableOptional(Options);
799 return CFGMatchSwitchBuilder<const Environment, std::vector<SourceLocation>>()
800 // optional::value
801 .CaseOfCFGStmt<CXXMemberCallExpr>(
802 valueCall(IgnorableOptional),
803 [](const CXXMemberCallExpr *E, const MatchFinder::MatchResult &,
804 const Environment &Env) {
805 return diagnoseUnwrapCall(E, E->getImplicitObjectArgument(), Env);
806 })
807
808 // optional::operator*, optional::operator->
809 .CaseOfCFGStmt<CallExpr>(
810 valueOperatorCall(IgnorableOptional),
811 [](const CallExpr *E, const MatchFinder::MatchResult &,
812 const Environment &Env) {
813 return diagnoseUnwrapCall(E, E->getArg(0), Env);
814 })
815 .Build();
816 }
817
818 } // namespace
819
820 ast_matchers::DeclarationMatcher
optionalClassDecl()821 UncheckedOptionalAccessModel::optionalClassDecl() {
822 return optionalClass();
823 }
824
UncheckedOptionalAccessModel(ASTContext & Ctx)825 UncheckedOptionalAccessModel::UncheckedOptionalAccessModel(ASTContext &Ctx)
826 : DataflowAnalysis<UncheckedOptionalAccessModel, NoopLattice>(Ctx),
827 TransferMatchSwitch(buildTransferMatchSwitch()) {}
828
transfer(const CFGElement * Elt,NoopLattice & L,Environment & Env)829 void UncheckedOptionalAccessModel::transfer(const CFGElement *Elt,
830 NoopLattice &L, Environment &Env) {
831 LatticeTransferState State(L, Env);
832 TransferMatchSwitch(*Elt, getASTContext(), State);
833 }
834
compare(QualType Type,const Value & Val1,const Environment & Env1,const Value & Val2,const Environment & Env2)835 ComparisonResult UncheckedOptionalAccessModel::compare(
836 QualType Type, const Value &Val1, const Environment &Env1,
837 const Value &Val2, const Environment &Env2) {
838 if (!isOptionalType(Type))
839 return ComparisonResult::Unknown;
840 bool MustNonEmpty1 = isNonEmptyOptional(Val1, Env1);
841 bool MustNonEmpty2 = isNonEmptyOptional(Val2, Env2);
842 if (MustNonEmpty1 && MustNonEmpty2) return ComparisonResult::Same;
843 // If exactly one is true, then they're different, no reason to check whether
844 // they're definitely empty.
845 if (MustNonEmpty1 || MustNonEmpty2) return ComparisonResult::Different;
846 // Check if they're both definitely empty.
847 return (isEmptyOptional(Val1, Env1) && isEmptyOptional(Val2, Env2))
848 ? ComparisonResult::Same
849 : ComparisonResult::Different;
850 }
851
merge(QualType Type,const Value & Val1,const Environment & Env1,const Value & Val2,const Environment & Env2,Value & MergedVal,Environment & MergedEnv)852 bool UncheckedOptionalAccessModel::merge(QualType Type, const Value &Val1,
853 const Environment &Env1,
854 const Value &Val2,
855 const Environment &Env2,
856 Value &MergedVal,
857 Environment &MergedEnv) {
858 if (!isOptionalType(Type))
859 return true;
860 // FIXME: uses same approach as join for `BoolValues`. Requires non-const
861 // values, though, so will require updating the interface.
862 auto &HasValueVal = MergedEnv.makeAtomicBoolValue();
863 bool MustNonEmpty1 = isNonEmptyOptional(Val1, Env1);
864 bool MustNonEmpty2 = isNonEmptyOptional(Val2, Env2);
865 if (MustNonEmpty1 && MustNonEmpty2)
866 MergedEnv.addToFlowCondition(HasValueVal);
867 else if (
868 // Only make the costly calls to `isEmptyOptional` if we got "unknown"
869 // (false) for both calls to `isNonEmptyOptional`.
870 !MustNonEmpty1 && !MustNonEmpty2 && isEmptyOptional(Val1, Env1) &&
871 isEmptyOptional(Val2, Env2))
872 MergedEnv.addToFlowCondition(MergedEnv.makeNot(HasValueVal));
873 setHasValue(MergedVal, HasValueVal);
874 return true;
875 }
876
widen(QualType Type,Value & Prev,const Environment & PrevEnv,Value & Current,Environment & CurrentEnv)877 Value *UncheckedOptionalAccessModel::widen(QualType Type, Value &Prev,
878 const Environment &PrevEnv,
879 Value &Current,
880 Environment &CurrentEnv) {
881 switch (compare(Type, Prev, PrevEnv, Current, CurrentEnv)) {
882 case ComparisonResult::Same:
883 return &Prev;
884 case ComparisonResult::Different:
885 if (auto *PrevHasVal =
886 cast_or_null<BoolValue>(Prev.getProperty("has_value"))) {
887 if (isa<TopBoolValue>(PrevHasVal))
888 return &Prev;
889 }
890 if (auto *CurrentHasVal =
891 cast_or_null<BoolValue>(Current.getProperty("has_value"))) {
892 if (isa<TopBoolValue>(CurrentHasVal))
893 return &Current;
894 }
895 return &createOptionalValue(CurrentEnv, CurrentEnv.makeTopBoolValue());
896 case ComparisonResult::Unknown:
897 return nullptr;
898 }
899 llvm_unreachable("all cases covered in switch");
900 }
901
UncheckedOptionalAccessDiagnoser(UncheckedOptionalAccessModelOptions Options)902 UncheckedOptionalAccessDiagnoser::UncheckedOptionalAccessDiagnoser(
903 UncheckedOptionalAccessModelOptions Options)
904 : DiagnoseMatchSwitch(buildDiagnoseMatchSwitch(Options)) {}
905
diagnose(ASTContext & Ctx,const CFGElement * Elt,const Environment & Env)906 std::vector<SourceLocation> UncheckedOptionalAccessDiagnoser::diagnose(
907 ASTContext &Ctx, const CFGElement *Elt, const Environment &Env) {
908 return DiagnoseMatchSwitch(*Elt, Ctx, Env);
909 }
910
911 } // namespace dataflow
912 } // namespace clang
913