1b000b770SStanislav Gatev //===-- UncheckedOptionalAccessModel.cpp ------------------------*- C++ -*-===// 2b000b770SStanislav Gatev // 3b000b770SStanislav Gatev // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4b000b770SStanislav Gatev // See https://llvm.org/LICENSE.txt for license information. 5b000b770SStanislav Gatev // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6b000b770SStanislav Gatev // 7b000b770SStanislav Gatev //===----------------------------------------------------------------------===// 8b000b770SStanislav Gatev // 9b000b770SStanislav Gatev // This file defines a dataflow analysis that detects unsafe uses of optional 10b000b770SStanislav Gatev // values. 11b000b770SStanislav Gatev // 12b000b770SStanislav Gatev //===----------------------------------------------------------------------===// 13b000b770SStanislav Gatev 14af98b0afSStanislav Gatev #include "clang/Analysis/FlowSensitive/Models/UncheckedOptionalAccessModel.h" 15af98b0afSStanislav Gatev #include "clang/AST/ASTContext.h" 167e63a0d4SYitzhak Mandelbaum #include "clang/AST/DeclCXX.h" 17af98b0afSStanislav Gatev #include "clang/AST/Expr.h" 18af98b0afSStanislav Gatev #include "clang/AST/ExprCXX.h" 19af98b0afSStanislav Gatev #include "clang/AST/Stmt.h" 20af98b0afSStanislav Gatev #include "clang/ASTMatchers/ASTMatchers.h" 217538b360SWei Yi Tee #include "clang/Analysis/CFG.h" 227538b360SWei Yi Tee #include "clang/Analysis/FlowSensitive/CFGMatchSwitch.h" 23af98b0afSStanislav Gatev #include "clang/Analysis/FlowSensitive/DataflowEnvironment.h" 24cf1f978dSSam Estep #include "clang/Analysis/FlowSensitive/NoopLattice.h" 250086a355SYitzhak Mandelbaum #include "clang/Analysis/FlowSensitive/StorageLocation.h" 26af98b0afSStanislav Gatev #include "clang/Analysis/FlowSensitive/Value.h" 2758fe7f96SSam Estep #include "clang/Basic/SourceLocation.h" 28af98b0afSStanislav Gatev #include "llvm/ADT/StringRef.h" 29af98b0afSStanislav Gatev #include "llvm/Support/Casting.h" 
#include "llvm/Support/ErrorHandling.h"
#include <cassert>
#include <memory>
#include <utility>
#include <vector>

namespace clang {
namespace dataflow {
namespace {

using namespace ::clang::ast_matchers;
// The model keeps no lattice state of its own: everything it tracks lives in
// the `Environment` (flow condition plus the "has_value"/"value" properties
// attached to optional values further down), hence `NoopLattice`.
using LatticeTransferState = TransferState<NoopLattice>;

/// Matches the class template specializations the model treats as an
/// optional: `std::optional`, `absl::optional`, `base::Optional`, and the
/// libc++ implementation bases of `std::optional`. Binds the contained type
/// (template argument 0) as "T".
///
/// NOTE(review): `__optional_destruct_base` is the only entry spelled without
/// a namespace qualifier, so it matches a class of that name in *any*
/// namespace. Presumably deliberate for libc++'s inline namespaces -- confirm
/// before tightening it to `std::`.
DeclarationMatcher optionalClass() {
  return classTemplateSpecializationDecl(
      anyOf(hasName("std::optional"), hasName("std::__optional_storage_base"),
            hasName("__optional_destruct_base"), hasName("absl::optional"),
            hasName("base::Optional")),
      hasTemplateArgument(0, refersToType(type().bind("T"))));
}

/// Matches a type that, once qualifiers and sugar (typedefs, aliases) are
/// stripped, is a record type declared by `optionalClass()`.
auto optionalOrAliasType() {
  return hasUnqualifiedDesugaredType(
      recordType(hasDeclaration(optionalClass())));
}

/// Matches any of the spellings of the optional types and sugar, aliases, etc.
auto hasOptionalType() { return hasType(optionalOrAliasType()); }

/// Matches `obj.<MemberName>(...)` where the callee is a method of an optional
/// class and `obj` is neither `this` nor (when given) an `Ignorable` expression.
/// Excluding `this` keeps the optional's own implementation -- which calls its
/// members on `this` -- out of the model.
auto isOptionalMemberCallWithName(
    llvm::StringRef MemberName,
    const llvm::Optional<StatementMatcher> &Ignorable = std::nullopt) {
  auto Exception = unless(Ignorable ? expr(anyOf(*Ignorable, cxxThisExpr()))
                                    : cxxThisExpr());
  return cxxMemberCallExpr(
      on(expr(Exception)),
      callee(cxxMethodDecl(hasName(MemberName), ofClass(optionalClass()))));
}

/// Matches an overloaded `operator_name` whose callee is a method of an
/// optional class. When `Ignorable` is given, calls whose object argument
/// (argument 0 of the operator call) matches it are excluded; unlike the
/// member-call matcher above there is no implicit `this` exclusion here.
auto isOptionalOperatorCallWithName(
    llvm::StringRef operator_name,
    const llvm::Optional<StatementMatcher> &Ignorable = std::nullopt) {
  return cxxOperatorCallExpr(
      hasOverloadedOperatorName(operator_name),
      callee(cxxMethodDecl(ofClass(optionalClass()))),
      Ignorable ? callExpr(unless(hasArgument(0, *Ignorable))) : callExpr());
}

/// Matches a call to one of the supported `make_optional` functions whose
/// result type is an optional.
auto isMakeOptionalCall() {
  return callExpr(
      callee(functionDecl(hasAnyName(
          "std::make_optional", "base::make_optional", "absl::make_optional"))),
      hasOptionalType());
}

/// Matches the declaration of a `nullopt_t` type of any supported library.
auto nulloptTypeDecl() {
  return namedDecl(
      hasAnyName("std::nullopt_t", "absl::nullopt_t", "base::nullopt_t"));
}

/// Matches a node whose type is one of the `nullopt_t` types.
auto hasNulloptType() { return hasType(nulloptTypeDecl()); }

/// Matches a node whose (desugared, unqualified) type is either an optional
/// class or a `nullopt_t`.
auto hasAnyOptionalType() {
  return hasType(hasUnqualifiedDesugaredType(
      recordType(hasDeclaration(anyOf(nulloptTypeDecl(), optionalClass())))));
}

/// Matches the `in_place_t` tag types of the supported libraries.
auto inPlaceClass() {
  return recordDecl(
      hasAnyName("std::in_place_t", "absl::in_place_t", "base::in_place_t"));
}

/// Matches construction of an optional through a constructor whose single
/// parameter is of `nullopt_t` type. This looks at the constructor's
/// declaration, not at the argument expression.
auto isOptionalNulloptConstructor() {
  return cxxConstructExpr(
      hasOptionalType(),
      hasDeclaration(cxxConstructorDecl(parameterCountIs(1),
                                        hasParameter(0, hasNulloptType()))));
}

/// Matches `optional<T>(in_place, ...)`: the first argument is an `in_place_t`.
auto isOptionalInPlaceConstructor() {
  return cxxConstructExpr(hasOptionalType(),
                          hasArgument(0, hasType(inPlaceClass())));
}

/// Matches a one-argument optional constructor that is neither copy/move nor
/// `nullopt`: construction from some `U` or from an `optional<U>`.
///
/// NOTE(review): a one-argument in-place construction `optional<T>(in_place)`
/// satisfies this matcher as well as `isOptionalInPlaceConstructor()`; which
/// transfer function handles it is decided by the order of cases in the match
/// switch, which is not in this file section.
auto isOptionalValueOrConversionConstructor() {
  return cxxConstructExpr(
      hasOptionalType(),
      unless(hasDeclaration(
          cxxConstructorDecl(anyOf(isCopyConstructor(), isMoveConstructor())))),
      argumentCountIs(1), hasArgument(0, unless(hasNulloptType())));
}

/// Matches `opt = x` on an optional where `operator=` is neither the copy nor
/// the move assignment operator and `x` is not `nullopt`: assignment from a `U`
/// or from an `optional<U>`. Argument 0 is the object, argument 1 the value.
auto isOptionalValueOrConversionAssignment() {
  return cxxOperatorCallExpr(
      hasOverloadedOperatorName("="),
      callee(cxxMethodDecl(ofClass(optionalClass()))),
      unless(hasDeclaration(cxxMethodDecl(
          anyOf(isCopyAssignmentOperator(), isMoveAssignmentOperator())))),
      argumentCountIs(2), hasArgument(1, unless(hasNulloptType())));
}
/// Matches a `nullopt_t` object constructed from a single `nullopt_t`
/// argument.
auto isNulloptConstructor() {
  return cxxConstructExpr(hasNulloptType(), argumentCountIs(1),
                          hasArgument(0, hasNulloptType()));
}

/// Matches `opt = nullopt`: `operator=` of an optional class whose value
/// argument (argument 1) has a `nullopt_t` type.
auto isOptionalNulloptAssignment() {
  return cxxOperatorCallExpr(hasOverloadedOperatorName("="),
                             callee(cxxMethodDecl(ofClass(optionalClass()))),
                             argumentCountIs(2),
                             hasArgument(1, hasNulloptType()));
}

/// Matches a two-argument call that resolves to a function named `std::swap`
/// with both arguments of optional type. A library-specific `swap` overload
/// with another qualified name is not covered by this matcher.
auto isStdSwapCall() {
  return callExpr(callee(functionDecl(hasName("std::swap"))),
                  argumentCountIs(2), hasArgument(0, hasOptionalType()),
                  hasArgument(1, hasOptionalType()));
}

/// Binding id under which the two `value_or` patterns below expose the
/// `value_or` call; the corresponding transfer functions look it up by name.
constexpr llvm::StringLiteral ValueOrCallID = "ValueOrCall";

/// Matches `opt.value_or("").empty()`. Only the `value_or` callee is
/// restricted to an optional class (and, as elsewhere, to an object that is not
/// `this`); `empty` is matched by name alone.
auto isValueOrStringEmptyCall() {
  // `opt.value_or("").empty()`
  return cxxMemberCallExpr(
      callee(cxxMethodDecl(hasName("empty"))),
      onImplicitObjectArgument(ignoringImplicit(
          cxxMemberCallExpr(on(expr(unless(cxxThisExpr()))),
                            callee(cxxMethodDecl(hasName("value_or"),
                                                 ofClass(optionalClass()))),
                            hasArgument(0, stringLiteral(hasSize(0))))
              .bind(ValueOrCallID))));
}

/// Matches `opt.value_or(X) != X` for the literal `X`s listed below. The same
/// matcher `Arg` is used both for the `value_or` argument and for the other
/// operand, which is how "the same X on both sides" is approximated; the two
/// operands are paired in either order by `hasOperands`.
auto isValueOrNotEqX() {
  auto ComparesToSame = [](ast_matchers::internal::Matcher<Stmt> Arg) {
    return hasOperands(
        ignoringImplicit(
            cxxMemberCallExpr(on(expr(unless(cxxThisExpr()))),
                              callee(cxxMethodDecl(hasName("value_or"),
                                                   ofClass(optionalClass()))),
                              hasArgument(0, Arg))
                .bind(ValueOrCallID)),
        ignoringImplicit(Arg));
  };

  // `opt.value_or(X) != X`, for X is `nullptr`, `""`, or `0`. Ideally, we'd
  // support this pattern for any expression, but the AST does not have a
  // generic expression comparison facility, so we specialize to common cases
  // seen in practice. FIXME: define a matcher that compares values across
  // nodes, which would let us generalize this to any `X`.
  return binaryOperation(hasOperatorName("!="),
                         anyOf(ComparesToSame(cxxNullPtrLiteralExpr()),
                               ComparesToSame(stringLiteral(hasSize(0))),
                               ComparesToSame(integerLiteral(equals(0)))));
}

/// Matches any call whose result type is an optional, or a reference to one.
/// Such results get a freshly modeled optional of unknown state (see
/// `transferCallReturningOptional`).
auto isCallReturningOptional() {
  return callExpr(hasType(qualType(anyOf(
      optionalOrAliasType(), referenceType(pointee(optionalOrAliasType()))))));
}

/// Matches an overloaded `==` or `!=` with two arguments matching
/// `lhs_arg_matcher` and `rhs_arg_matcher` respectively. The callee's class is
/// not constrained here; restricting the comparison to optionals is left to the
/// argument matchers passed in.
template <typename L, typename R>
auto isComparisonOperatorCall(L lhs_arg_matcher, R rhs_arg_matcher) {
  return cxxOperatorCallExpr(
      anyOf(hasOverloadedOperatorName("=="), hasOverloadedOperatorName("!=")),
      argumentCountIs(2), hasArgument(0, lhs_arg_matcher),
      hasArgument(1, rhs_arg_matcher));
}

// Ensures that `Expr` is mapped to a `BoolValue` and returns it.
BoolValue &forceBoolValue(Environment &Env, const Expr &Expr) {
  // Already modeled as a boolean: hand back that value. The cast asserts (in
  // debug builds) that whatever is modeled for `Expr` is in fact a BoolValue,
  // so callers must only pass expressions of boolean nature.
  if (auto *Existing =
          cast_or_null<BoolValue>(Env.getValue(Expr, SkipPast::None)))
    return *Existing;

  // Nothing modeled yet: mint an unconstrained boolean and bind it to a new
  // location for `Expr`, so later lookups of `Expr` see the same value.
  auto &ExprLoc = Env.createStorageLocation(Expr);
  auto &Fresh = Env.makeAtomicBoolValue();
  Env.setValue(ExprLoc, Fresh);
  Env.setStorageLocation(Expr, ExprLoc);
  return Fresh;
}

/// Records `HasValueVal` as the "has_value" property of `OptionalVal`, i.e.
/// the symbolic boolean that says whether the optional is engaged.
void setHasValue(Value &OptionalVal, BoolValue &HasValueVal) {
  OptionalVal.setProperty("has_value", HasValueVal);
}

/// Builds a fresh `StructValue` modeling an optional whose "has_value"
/// property is `HasValueVal`. Ownership of the new value passes to `Env`.
StructValue &createOptionalValue(Environment &Env, BoolValue &HasValueVal) {
  auto Optional = std::make_unique<StructValue>();
  setHasValue(*Optional, HasValueVal);
  return Env.takeOwnership(std::move(Optional));
}

/// Returns the symbolic value that represents the "has_value" property of the
/// optional value `OptionalVal`. Returns null if `OptionalVal` is null.
BoolValue *getHasValue(Environment &Env, Value *OptionalVal) {
  if (OptionalVal != nullptr) {
    auto *HasValueVal =
        cast_or_null<BoolValue>(OptionalVal->getProperty("has_value"));
    if (HasValueVal == nullptr) {
      // Side effect: an optional that has not been modeled yet gets an
      // unconstrained "has_value" attached here, so subsequent lookups (and
      // any flow-condition facts added about it) refer to the same atom.
      HasValueVal = &Env.makeAtomicBoolValue();
      OptionalVal->setProperty("has_value", *HasValueVal);
    }
    return HasValueVal;
  }
  return nullptr;
}

/// If `Type` is a reference type, returns the type of its pointee. Otherwise,
/// returns `Type` itself.
QualType stripReference(QualType Type) {
  return Type->isReferenceType() ? Type->getPointeeType() : Type;
}

/// Returns true if and only if `Type` is an optional type.
///
/// NOTE(review): this name list is narrower than `optionalClass()`, which also
/// accepts libc++'s `__optional_storage_base`/`__optional_destruct_base`. The
/// only caller in view is `countOptionalWrappers`, applied to template
/// arguments and argument expression types, where the public spellings are
/// presumably what occurs -- confirm before relying on the two agreeing.
bool isOptionalType(QualType Type) {
  if (!Type->isRecordType())
    return false;
  // FIXME: Optimize this by avoiding the `getQualifiedNameAsString` call.
  auto TypeName = Type->getAsCXXRecordDecl()->getQualifiedNameAsString();
  return TypeName == "std::optional" || TypeName == "absl::optional" ||
         TypeName == "base::Optional";
}

/// Returns the number of optional wrappers in `Type`.
///
/// For example, if `Type` is `optional<optional<int>>`, the result of this
/// function will be 2.
int countOptionalWrappers(const ASTContext &ASTCtx, QualType Type) {
  if (!isOptionalType(Type))
    return 0;
  // `isOptionalType` only accepts the named class templates, so the record is
  // expected to be a template specialization and the `cast` to hold. Sugar on
  // the template argument is stripped before recursing so a typedef to an
  // optional is still counted.
  return 1 + countOptionalWrappers(
                 ASTCtx,
                 cast<ClassTemplateSpecializationDecl>(Type->getAsRecordDecl())
                     ->getTemplateArgs()
                     .get(0)
                     .getAsType()
                     .getDesugaredType(ASTCtx));
}

/// Tries to initialize the `optional`'s value (that is, contents), and return
/// its location. Returns nullptr if the value can't be represented.
///
/// `Q` is the type of the unwrapping expression (possibly a reference type,
/// which is stripped); `OptionalVal` is the modeled optional whose "value"
/// property is read or created. No "has_value" check happens here.
StorageLocation *maybeInitializeOptionalValueMember(QualType Q,
                                                    Value &OptionalVal,
                                                    Environment &Env) {
  // The "value" property represents a synthetic field. As such, it needs
  // `StorageLocation`, like normal fields (and other variables). So, we model
  // it with a `ReferenceValue`, since that includes a storage location. Once
  // the property is set, it will be shared by all environments that access the
  // `Value` representing the optional (here, `OptionalVal`).
  if (auto *ValueProp = OptionalVal.getProperty("value")) {
    auto *ValueRef = clang::cast<ReferenceValue>(ValueProp);
    auto &ValueLoc = ValueRef->getReferentLoc();
    if (Env.getValue(ValueLoc) == nullptr) {
      // The property was previously set, but the value has been lost. This can
      // happen, for example, because of an environment merge (where the two
      // environments mapped the property to different values, which resulted in
      // them both being discarded), or when two blocks in the CFG, with neither
      // a dominator of the other, visit the same optional value, or even when a
      // block is revisited during testing to collect per-statement state.
      // FIXME: This situation means that the optional contents are not shared
      // between branches and the like. Practically, this lack of sharing
      // reduces the precision of the model when the contents are relevant to
      // the check, like another optional or a boolean that influences control
      // flow.
      auto *ValueVal = Env.createValue(ValueLoc.getType());
      if (ValueVal == nullptr)
        return nullptr;
      Env.setValue(ValueLoc, *ValueVal);
    }
    return &ValueLoc;
  }

  // First access to the contents: create a value and a location for them and
  // remember the location on the optional via a `ReferenceValue` property.
  auto Ty = stripReference(Q);
  auto *ValueVal = Env.createValue(Ty);
  if (ValueVal == nullptr)
    return nullptr;
  auto &ValueLoc = Env.createStorageLocation(Ty);
  Env.setValue(ValueLoc, *ValueVal);
  auto ValueRef = std::make_unique<ReferenceValue>(ValueLoc);
  OptionalVal.setProperty("value", Env.takeOwnership(std::move(ValueRef)));
  return &ValueLoc;
}

/// Gives the optional reached through `OptionalExpr` an unconstrained
/// "has_value" property if it does not have one yet; an existing property is
/// left untouched. Does nothing if the expression has no modeled value.
void initializeOptionalReference(const Expr *OptionalExpr,
                                 const MatchFinder::MatchResult &,
                                 LatticeTransferState &State) {
  if (auto *OptionalVal =
          State.Env.getValue(*OptionalExpr, SkipPast::Reference)) {
    if (OptionalVal->getProperty("has_value") == nullptr) {
      setHasValue(*OptionalVal, State.Env.makeAtomicBoolValue());
    }
  }
}

/// Returns true if and only if `OptionalVal` is initialized and known to be
/// empty in `Env`.
bool isEmptyOptional(const Value &OptionalVal, const Environment &Env) {
  // An optional without a modeled "has_value" is neither known empty nor
  // known non-empty.
  const auto *HasValue =
      cast_or_null<BoolValue>(OptionalVal.getProperty("has_value"));
  if (HasValue == nullptr)
    return false;
  return Env.flowConditionImplies(Env.makeNot(*HasValue));
}

/// Returns true if and only if `OptionalVal` is initialized and known to be
/// non-empty in `Env`.
bool isNonEmptyOptional(const Value &OptionalVal, const Environment &Env) {
  const auto *HasValue =
      cast_or_null<BoolValue>(OptionalVal.getProperty("has_value"));
  if (HasValue == nullptr)
    return false;
  return Env.flowConditionImplies(*HasValue);
}

/// Models the result of an unwrapping access (`*opt`, `opt->`, `opt.value()`,
/// ...): binds `UnwrapExpr` to the storage location of the optional's
/// contents, creating those contents on first access. Whether the access is
/// safe is not decided here -- this function only models the result.
void transferUnwrapCall(const Expr *UnwrapExpr, const Expr *ObjectExpr,
                        LatticeTransferState &State) {
  auto *OptionalVal =
      State.Env.getValue(*ObjectExpr, SkipPast::ReferenceThenPointer);
  if (OptionalVal == nullptr)
    return;

  // Bind the result location only once; a revisit keeps what is recorded.
  if (State.Env.getStorageLocation(*UnwrapExpr, SkipPast::None) != nullptr)
    return;

  StorageLocation *ContentsLoc = maybeInitializeOptionalValueMember(
      UnwrapExpr->getType(), *OptionalVal, State.Env);
  if (ContentsLoc != nullptr)
    State.Env.setStorageLocation(*UnwrapExpr, *ContentsLoc);
}

/// Models a `make_optional(...)` call: the result is a new optional whose
/// "has_value" is the literal `true`. Unlike `transferCallReturningOptional`,
/// this always creates a fresh location for `E`.
void transferMakeOptionalCall(const CallExpr *E,
                              const MatchFinder::MatchResult &,
                              LatticeTransferState &State) {
  auto &Env = State.Env;
  auto &ResultLoc = Env.createStorageLocation(*E);
  Env.setStorageLocation(*E, ResultLoc);
  auto &Engaged = createOptionalValue(Env, Env.getBoolLiteralValue(true));
  Env.setValue(ResultLoc, Engaged);
}

/// Models `opt.has_value()` (and whatever other member calls are routed here):
/// the call's result is bound to the optional's own "has_value" boolean, so a
/// branch on the result constrains the optional's state. Nothing is modeled
/// when the object expression has no value.
void transferOptionalHasValueCall(const CXXMemberCallExpr *CallExpr,
                                  const MatchFinder::MatchResult &,
                                  LatticeTransferState &State) {
  auto &Env = State.Env;
  auto *ObjectVal = Env.getValue(*CallExpr->getImplicitObjectArgument(),
                                 SkipPast::ReferenceThenPointer);
  auto *HasValueVal = getHasValue(Env, ObjectVal);
  if (HasValueVal == nullptr)
    return;

  auto &ResultLoc = Env.createStorageLocation(*CallExpr);
  Env.setValue(ResultLoc, *HasValueVal);
  Env.setStorageLocation(*CallExpr, ResultLoc);
}

/// `ModelPred` builds a logical formula relating the predicate in
/// `ValueOrPredExpr` to the optional's `has_value` property.
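void transferValueOrImpl(const clang::Expr *ValueOrPredExpr,
                         const MatchFinder::MatchResult &Result,
                         LatticeTransferState &State,
                         BoolValue &(*ModelPred)(Environment &Env,
                                                 BoolValue &ExprVal,
                                                 BoolValue &HasValueVal)) {
  auto &Env = State.Env;

  // Both `value_or` matchers bind the inner call under `ValueOrCallID`. Guard
  // the lookup anyway: a matcher added later that forgets the binding would
  // otherwise dereference null here instead of simply modeling nothing.
  const auto *ValueOrCall =
      Result.Nodes.getNodeAs<clang::CXXMemberCallExpr>(ValueOrCallID);
  if (ValueOrCall == nullptr)
    return;
  const Expr *ObjectArgumentExpr = ValueOrCall->getImplicitObjectArgument();

  auto *HasValueVal = getHasValue(
      Env, Env.getValue(*ObjectArgumentExpr, SkipPast::ReferenceThenPointer));
  if (HasValueVal == nullptr)
    return;

  // `forceBoolValue` guarantees the predicate expression has a boolean to
  // constrain, minting one if the framework has not modeled it yet. The
  // formula `ModelPred` returns becomes a fact in the flow condition.
  Env.addToFlowCondition(
      ModelPred(Env, forceBoolValue(Env, *ValueOrPredExpr), *HasValueVal));
}

/// Models `opt.value_or("").empty()`: if the result is *not* empty, the
/// optional must be engaged. The converse is not asserted -- an engaged
/// optional may hold an empty string.
void transferValueOrStringEmptyCall(const clang::Expr *ComparisonExpr,
                                    const MatchFinder::MatchResult &Result,
                                    LatticeTransferState &State) {
  transferValueOrImpl(ComparisonExpr, Result, State,
                      [](Environment &Env, BoolValue &ExprVal,
                         BoolValue &HasValueVal) -> BoolValue & {
                        // If the result is *not* empty, then we know the
                        // optional must have been holding a value. If
                        // `ExprVal` is true, though, we don't learn
                        // anything definite about `has_value`, so we
                        // don't add any corresponding implications to
                        // the flow condition.
                        return Env.makeImplication(Env.makeNot(ExprVal),
                                                   HasValueVal);
                      });
}

/// Models `opt.value_or(X) != X` for the literal `X`s accepted by
/// `isValueOrNotEqX()`: an empty optional would have yielded `X`, so a
/// true comparison implies the optional is engaged. Again only the one
/// direction is asserted.
void transferValueOrNotEqX(const Expr *ComparisonExpr,
                           const MatchFinder::MatchResult &Result,
                           LatticeTransferState &State) {
  transferValueOrImpl(ComparisonExpr, Result, State,
                      [](Environment &Env, BoolValue &ExprVal,
                         BoolValue &HasValueVal) -> BoolValue & {
                        // We know that if `(opt.value_or(X) != X)` then
                        // `opt.hasValue()`, even without knowing further
                        // details about the contents of `opt`.
                        return Env.makeImplication(ExprVal, HasValueVal);
                      });
}

/// Models a call returning an optional (by value or by reference) whose
/// callee is not otherwise understood: the result is a new optional with an
/// unconstrained "has_value". A result that already has a location (e.g. a
/// call the framework modeled itself, or a more specific case that ran first)
/// is left alone.
void transferCallReturningOptional(const CallExpr *E,
                                   const MatchFinder::MatchResult &Result,
                                   LatticeTransferState &State) {
  if (State.Env.getStorageLocation(*E, SkipPast::None) != nullptr)
    return;

  auto &Loc = State.Env.createStorageLocation(*E);
  State.Env.setStorageLocation(*E, Loc);
  State.Env.setValue(
      Loc, createOptionalValue(State.Env, State.Env.makeAtomicBoolValue()));
}

/// Replaces the optional stored at `E`'s location with a fresh optional whose
/// "has_value" is `HasValueVal`. Does nothing when `E` has no storage
/// location (reference and pointer indirections are skipped when looking it
/// up).
void assignOptionalValue(const Expr &E, Environment &Env,
                         BoolValue &HasValueVal) {
  if (auto *OptionalLoc =
          Env.getStorageLocation(E, SkipPast::ReferenceThenPointer)) {
    Env.setValue(*OptionalLoc, createOptionalValue(Env, HasValueVal));
  }
}

/// Returns a symbolic value for the "has_value" property of an `optional<T>`
/// value that is constructed/assigned from a value of type `U` or `optional<U>`
/// where `T` is constructible from `U`.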
/// Returns the symbolic `has_value` bit for an `optional<T>` that is being
/// constructed from, or assigned, the argument `E` of the template function
/// `F` (a value/conversion constructor or `operator=`).
///
/// The decision is made by counting optional wrappers on both sides:
///  - If `T` (the first template argument of `F`) and `E` are wrapped in the
///    same number of optionals, `E` is a plain value and the result is the
///    literal `true`.
///  - Otherwise `E` is itself an `optional<U>`; the result is `E`'s tracked
///    `has_value` bit when one is available.
///  - If nothing is known about `E`, a fresh atomic (unconstrained) bool is
///    returned, i.e. the engaged state is "unknown" rather than assumed.
///
/// Preconditions (asserted): `F` has at least one template specialization
/// argument.
BoolValue &valueOrConversionHasValue(const FunctionDecl &F, const Expr &E,
                                     const MatchFinder::MatchResult &MatchRes,
                                     LatticeTransferState &State) {
  assert(F.getTemplateSpecializationArgs() != nullptr);
  assert(F.getTemplateSpecializationArgs()->size() > 0);

  const int TemplateParamOptionalWrappersCount = countOptionalWrappers(
      *MatchRes.Context,
      stripReference(F.getTemplateSpecializationArgs()->get(0).getAsType()));
  const int ArgTypeOptionalWrappersCount =
      countOptionalWrappers(*MatchRes.Context, stripReference(E.getType()));

  // Check if this is a constructor/assignment call for `optional<T>` with
  // argument of type `U` such that `T` is constructible from `U`.
  if (TemplateParamOptionalWrappersCount == ArgTypeOptionalWrappersCount)
    return State.Env.getBoolLiteralValue(true);

  // This is a constructor/assignment call for `optional<T>` with argument of
  // type `optional<U>` such that `T` is constructible from `U`.
  if (auto *HasValueVal =
          getHasValue(State.Env, State.Env.getValue(E, SkipPast::Reference)))
    return *HasValueVal;
  // No tracked state for the source optional: leave the bit unconstrained.
  return State.Env.makeAtomicBoolValue();
}

/// Transfer function for `optional<T>::optional(U&&)` / converting
/// constructors: models the constructed object with the `has_value` bit
/// derived from the first constructor argument.
///
/// Precondition (asserted): the construct expression has at least one
/// argument.
void transferValueOrConversionConstructor(
    const CXXConstructExpr *E, const MatchFinder::MatchResult &MatchRes,
    LatticeTransferState &State) {
  assert(E->getNumArgs() > 0);

  assignOptionalValue(*E, State.Env,
                      valueOrConversionHasValue(*E->getConstructor(),
                                                *E->getArg(0), MatchRes,
                                                State));
}

/// Shared transfer for `optional::operator=` calls. Stores a fresh optional
/// value carrying `HasValueVal` at the storage location of the left-hand
/// operand (`E->getArg(0)`), then makes the whole assignment expression
/// refer to that same location (so the result of `a = b` aliases `a`).
///
/// If the left-hand operand has no storage location in the environment the
/// call is a no-op: nothing is recorded, and no state is invented for it.
///
/// Precondition (asserted): the operator call has at least one argument.
void transferAssignment(const CXXOperatorCallExpr *E, BoolValue &HasValueVal,
                        LatticeTransferState &State) {
  assert(E->getNumArgs() > 0);

  auto *OptionalLoc =
      State.Env.getStorageLocation(*E->getArg(0), SkipPast::Reference);
  if (OptionalLoc == nullptr)
    return;

  State.Env.setValue(*OptionalLoc, createOptionalValue(State.Env, HasValueVal));

  // Assign a storage location for the whole expression.
  State.Env.setStorageLocation(*E, *OptionalLoc);
}

/// Transfer for `optional<T>::operator=(U&&)` and converting assignment: the
/// right-hand operand is `E->getArg(1)` and the callee is the assignment
/// operator template whose first template argument is inspected.
///
/// Precondition (asserted): the operator call has at least two arguments.
void transferValueOrConversionAssignment(
    const CXXOperatorCallExpr *E, const MatchFinder::MatchResult &MatchRes,
    LatticeTransferState &State) {
  assert(E->getNumArgs() > 1);
  transferAssignment(E,
                     valueOrConversionHasValue(*E->getDirectCallee(),
                                               *E->getArg(1), MatchRes, State),
                     State);
}

/// Transfer for `optional::operator=(nullopt_t)`: the target is definitely
/// disengaged afterwards, so `has_value` is the literal `false`.
void transferNulloptAssignment(const CXXOperatorCallExpr *E,
                               const MatchFinder::MatchResult &,
                               LatticeTransferState &State) {
  transferAssignment(E, State.Env.getBoolLiteralValue(false), State);
}

/// Exchanges the values stored at two optional storage locations, which in
/// turn exchanges their tracked `has_value` bits.
///
/// Preconditions (asserted): both locations currently hold a value.
void transferSwap(const StorageLocation &OptionalLoc1,
                  const StorageLocation &OptionalLoc2,
                  LatticeTransferState &State) {
  auto *OptionalVal1 = State.Env.getValue(OptionalLoc1);
  assert(OptionalVal1 != nullptr);

  auto *OptionalVal2 = State.Env.getValue(OptionalLoc2);
  assert(OptionalVal2 != nullptr);

  State.Env.setValue(OptionalLoc1, *OptionalVal2);
  State.Env.setValue(OptionalLoc2, *OptionalVal1);
}

/// Transfer for the member form `a.swap(b)`: the implicit object argument
/// (possibly reached through a reference and then a pointer) is swapped with
/// the single explicit argument.
///
/// Preconditions (asserted): exactly one argument, and both operands have
/// storage locations.
void transferSwapCall(const CXXMemberCallExpr *E,
                      const MatchFinder::MatchResult &,
                      LatticeTransferState &State) {
  assert(E->getNumArgs() == 1);

  auto *OptionalLoc1 = State.Env.getStorageLocation(
      *E->getImplicitObjectArgument(), SkipPast::ReferenceThenPointer);
  assert(OptionalLoc1 != nullptr);

  auto *OptionalLoc2 =
      State.Env.getStorageLocation(*E->getArg(0), SkipPast::Reference);
  assert(OptionalLoc2 != nullptr);

  transferSwap(*OptionalLoc1, *OptionalLoc2, State);
}

/// Transfer for the free-function form `std::swap(a, b)` on two optionals.
///
/// Preconditions (asserted): exactly two arguments, and both have storage
/// locations.
void transferStdSwapCall(const CallExpr *E, const MatchFinder::MatchResult &,
                         LatticeTransferState &State) {
  assert(E->getNumArgs() == 2);

  auto *OptionalLoc1 =
      State.Env.getStorageLocation(*E->getArg(0), SkipPast::Reference);
  assert(OptionalLoc1 != nullptr);

  auto *OptionalLoc2 =
      State.Env.getStorageLocation(*E->getArg(1), SkipPast::Reference);
  assert(OptionalLoc2 != nullptr);

  transferSwap(*OptionalLoc1, *OptionalLoc2, State);
}

/// Builds the boolean formula relating the result `EqVal` of `lhs == rhs` on
/// two optionals to their `has_value` bits `LHS` and `RHS`. The formula is
/// deliberately weak (see below): it never lets the analysis conclude that two
/// engaged optionals are equal, because the wrapped values are not tracked.
BoolValue &evaluateEquality(Environment &Env, BoolValue &EqVal, BoolValue &LHS,
                            BoolValue &RHS) {
  // Logically, an optional<T> object is composed of two values - a `has_value`
  // bit and a value of type T. Equality of optional objects compares both
  // values. Therefore, merely comparing the `has_value` bits isn't sufficient:
  // when two optional objects are engaged, the equality of their respective
  // values of type T matters. Since we only track the `has_value` bits, we
  // can't make any conclusions about equality when we know that two optional
  // objects are engaged.
  //
  // We express this as two facts about the equality:
  // a) EqVal => (LHS & RHS) v (!RHS & !LHS)
  //    If they are equal, then either both are set or both are unset.
  // b) (!LHS & !RHS) => EqVal
  //    If neither is set, then they are equal.
  // We rewrite b) as !EqVal => (LHS v RHS), for a more compact formula.
  return Env.makeAnd(
      Env.makeImplication(
          EqVal, Env.makeOr(Env.makeAnd(LHS, RHS),
                            Env.makeAnd(Env.makeNot(LHS), Env.makeNot(RHS)))),
      Env.makeImplication(Env.makeNot(EqVal), Env.makeOr(LHS, RHS)));
}

/// Transfer for `==` / `!=` between two optionals. A constraint is added to
/// the flow condition only when both operands have a tracked `has_value` bit;
/// otherwise the comparison result stays unconstrained. For `!=` the
/// comparison value is negated before being fed to `evaluateEquality`.
void transferOptionalAndOptionalCmp(const clang::CXXOperatorCallExpr *CmpExpr,
                                    const MatchFinder::MatchResult &,
                                    LatticeTransferState &State) {
  Environment &Env = State.Env;
  // `forceBoolValue` is defined earlier in the file (not shown here);
  // presumably it yields the bool value modelling the comparison result.
  auto *CmpValue = &forceBoolValue(Env, *CmpExpr);
  if (auto *LHasVal = getHasValue(
          Env, Env.getValue(*CmpExpr->getArg(0), SkipPast::Reference)))
    if (auto *RHasVal = getHasValue(
            Env, Env.getValue(*CmpExpr->getArg(1), SkipPast::Reference))) {
      if (CmpExpr->getOperator() == clang::OO_ExclaimEqual)
        CmpValue = &State.Env.makeNot(*CmpValue);
      Env.addToFlowCondition(
          evaluateEquality(Env, *CmpValue, *LHasVal, *RHasVal));
    }
}

/// Transfer for `==` / `!=` between an optional (`E`) and a non-optional
/// value. The non-optional side is treated as an engaged optional (`RHS` =
/// literal `true`), so with `evaluateEquality` the only fact that follows is
/// "equal implies `E` is engaged"; inequality constrains nothing. Like the
/// optional/optional case, nothing is added when `E` has no tracked bit.
void transferOptionalAndValueCmp(const clang::CXXOperatorCallExpr *CmpExpr,
                                 const clang::Expr *E, Environment &Env) {
  auto *CmpValue = &forceBoolValue(Env, *CmpExpr);
  if (auto *HasVal = getHasValue(Env, Env.getValue(*E, SkipPast::Reference))) {
    if (CmpExpr->getOperator() == clang::OO_ExclaimEqual)
      CmpValue = &Env.makeNot(*CmpValue);
    Env.addToFlowCondition(evaluateEquality(Env, *CmpValue, *HasVal,
                                            Env.getBoolLiteralValue(true)));
  }
}

/// Builds the matcher for accesses the diagnoser should *not* report, driven
/// by `Options`.
///
/// With `IgnoreSmartPointerDereference` set, any overloaded `->` / `*` call
/// whose object operand is not optional-typed (i.e. a smart-pointer
/// dereference), and any member access through such a call, is ignorable.
/// This is a deliberate suppression: unwraps of an optional reached through
/// such a dereference are excluded from the diagnostics. With the option
/// unset, nothing is ignorable (`std::nullopt`).
llvm::Optional<StatementMatcher>
ignorableOptional(const UncheckedOptionalAccessModelOptions &Options) {
  if (Options.IgnoreSmartPointerDereference) {
    auto SmartPtrUse = expr(ignoringParenImpCasts(cxxOperatorCallExpr(
        anyOf(hasOverloadedOperatorName("->"), hasOverloadedOperatorName("*")),
        unless(hasArgument(0, expr(hasOptionalType()))))));
    return expr(
        anyOf(SmartPtrUse, memberExpr(hasObjectExpression(SmartPtrUse))));
  }
  return std::nullopt;
}

/// Matcher for `opt.value()` calls, minus those matched by
/// `IgnorableOptional` (if any).
StatementMatcher
valueCall(const llvm::Optional<StatementMatcher> &IgnorableOptional) {
  return isOptionalMemberCallWithName("value", IgnorableOptional);
}

/// Matcher for `*opt` and `opt->...` on an optional, minus those matched by
/// `IgnorableOptional` (if any).
StatementMatcher
valueOperatorCall(const llvm::Optional<StatementMatcher> &IgnorableOptional) {
  return expr(anyOf(isOptionalOperatorCallWithName("*", IgnorableOptional),
                    isOptionalOperatorCallWithName("->", IgnorableOptional)));
}

/// Builds the dispatch table that maps CFG statements to their transfer
/// functions. Cases are tried in the order listed. Note that the transfer
/// side passes `std::nullopt` as the ignorable set for `value` / `*` / `->`:
/// unwraps are always *modelled*; the ignore option only affects what the
/// diagnoser *reports* (see `buildDiagnoseMatchSwitch`).
auto buildTransferMatchSwitch() {
  // FIXME: Evaluate the efficiency of matchers. If using matchers results in a
  // lot of duplicated work (e.g. string comparisons), consider providing APIs
  // that avoid it through memoization.
  return CFGMatchSwitchBuilder<LatticeTransferState>()
      // Attach a symbolic "has_value" state to optional values that we see for
      // the first time.
      .CaseOfCFGStmt<Expr>(
          expr(anyOf(declRefExpr(), memberExpr()), hasOptionalType()),
          initializeOptionalReference)

      // make_optional
      .CaseOfCFGStmt<CallExpr>(isMakeOptionalCall(), transferMakeOptionalCall)

      // optional::optional (in place)
      .CaseOfCFGStmt<CXXConstructExpr>(
          isOptionalInPlaceConstructor(),
          [](const CXXConstructExpr *E, const MatchFinder::MatchResult &,
             LatticeTransferState &State) {
            assignOptionalValue(*E, State.Env,
                                State.Env.getBoolLiteralValue(true));
          })
      // nullopt_t::nullopt_t
      .CaseOfCFGStmt<CXXConstructExpr>(
          isNulloptConstructor(),
          [](const CXXConstructExpr *E, const MatchFinder::MatchResult &,
             LatticeTransferState &State) {
            assignOptionalValue(*E, State.Env,
                                State.Env.getBoolLiteralValue(false));
          })
      // optional::optional(nullopt_t)
      .CaseOfCFGStmt<CXXConstructExpr>(
          isOptionalNulloptConstructor(),
          [](const CXXConstructExpr *E, const MatchFinder::MatchResult &,
             LatticeTransferState &State) {
            assignOptionalValue(*E, State.Env,
                                State.Env.getBoolLiteralValue(false));
          })
      // optional::optional (value/conversion)
      .CaseOfCFGStmt<CXXConstructExpr>(isOptionalValueOrConversionConstructor(),
                                       transferValueOrConversionConstructor)

      // optional::operator=
      .CaseOfCFGStmt<CXXOperatorCallExpr>(
          isOptionalValueOrConversionAssignment(),
          transferValueOrConversionAssignment)
      .CaseOfCFGStmt<CXXOperatorCallExpr>(isOptionalNulloptAssignment(),
                                          transferNulloptAssignment)

      // optional::value
      .CaseOfCFGStmt<CXXMemberCallExpr>(
          valueCall(std::nullopt),
          [](const CXXMemberCallExpr *E, const MatchFinder::MatchResult &,
             LatticeTransferState &State) {
            transferUnwrapCall(E, E->getImplicitObjectArgument(), State);
          })

      // optional::operator*, optional::operator->
      .CaseOfCFGStmt<CallExpr>(valueOperatorCall(std::nullopt),
                               [](const CallExpr *E,
                                  const MatchFinder::MatchResult &,
                                  LatticeTransferState &State) {
                                 transferUnwrapCall(E, E->getArg(0), State);
                               })

      // optional::has_value
      .CaseOfCFGStmt<CXXMemberCallExpr>(
          isOptionalMemberCallWithName("has_value"),
          transferOptionalHasValueCall)

      // optional::operator bool
      .CaseOfCFGStmt<CXXMemberCallExpr>(
          isOptionalMemberCallWithName("operator bool"),
          transferOptionalHasValueCall)

      // optional::emplace
      .CaseOfCFGStmt<CXXMemberCallExpr>(
          isOptionalMemberCallWithName("emplace"),
          [](const CXXMemberCallExpr *E, const MatchFinder::MatchResult &,
             LatticeTransferState &State) {
            assignOptionalValue(*E->getImplicitObjectArgument(), State.Env,
                                State.Env.getBoolLiteralValue(true));
          })

      // optional::reset
      .CaseOfCFGStmt<CXXMemberCallExpr>(
          isOptionalMemberCallWithName("reset"),
          [](const CXXMemberCallExpr *E, const MatchFinder::MatchResult &,
             LatticeTransferState &State) {
            assignOptionalValue(*E->getImplicitObjectArgument(), State.Env,
                                State.Env.getBoolLiteralValue(false));
          })

      // optional::swap
      .CaseOfCFGStmt<CXXMemberCallExpr>(isOptionalMemberCallWithName("swap"),
                                        transferSwapCall)

      // std::swap
      .CaseOfCFGStmt<CallExpr>(isStdSwapCall(), transferStdSwapCall)

      // opt.value_or("").empty()
      .CaseOfCFGStmt<Expr>(isValueOrStringEmptyCall(),
                           transferValueOrStringEmptyCall)

      // opt.value_or(X) != X
      .CaseOfCFGStmt<Expr>(isValueOrNotEqX(), transferValueOrNotEqX)

      // Comparisons (==, !=):
      .CaseOfCFGStmt<CXXOperatorCallExpr>(
          isComparisonOperatorCall(hasAnyOptionalType(), hasAnyOptionalType()),
          transferOptionalAndOptionalCmp)
      .CaseOfCFGStmt<CXXOperatorCallExpr>(
          isComparisonOperatorCall(hasOptionalType(),
                                   unless(hasAnyOptionalType())),
          [](const clang::CXXOperatorCallExpr *Cmp,
             const MatchFinder::MatchResult &, LatticeTransferState &State) {
            transferOptionalAndValueCmp(Cmp, Cmp->getArg(0), State.Env);
          })
      .CaseOfCFGStmt<CXXOperatorCallExpr>(
          isComparisonOperatorCall(unless(hasAnyOptionalType()),
                                   hasOptionalType()),
          [](const clang::CXXOperatorCallExpr *Cmp,
             const MatchFinder::MatchResult &, LatticeTransferState &State) {
            transferOptionalAndValueCmp(Cmp, Cmp->getArg(1), State.Env);
          })

      // returns optional
      .CaseOfCFGStmt<CallExpr>(isCallReturningOptional(),
                               transferCallReturningOptional)

      .Build();
}

/// Decides whether an unwrap (`value()`, `*`, `->`) of the optional denoted by
/// `ObjectExpr` is provably safe in `Env`.
///
/// Returns an empty list only when the optional has a value in `Env`, that
/// value carries a `has_value` bool property, and the current flow condition
/// implies it. In every other case -- including "no value tracked at all" --
/// the access is reported (the begin location of `ObjectExpr` is returned),
/// so unmodelled optionals err towards a diagnostic rather than silence.
///
/// `UnwrapExpr` is currently unused; only `ObjectExpr` drives the result.
std::vector<SourceLocation> diagnoseUnwrapCall(const Expr *UnwrapExpr,
                                               const Expr *ObjectExpr,
                                               const Environment &Env) {
  if (auto *OptionalVal =
          Env.getValue(*ObjectExpr, SkipPast::ReferenceThenPointer)) {
    auto *Prop = OptionalVal->getProperty("has_value");
    if (auto *HasValueVal = cast_or_null<BoolValue>(Prop)) {
      if (Env.flowConditionImplies(*HasValueVal))
        return {};
    }
  }

  // Record that this unwrap is *not* provably safe.
  // FIXME: include either the name of the optional (if applicable) or a source
  // range of the access for easier interpretation of the result.
  return {ObjectExpr->getBeginLoc()};
}

/// Builds the dispatch table used by the diagnoser. Unlike the transfer
/// switch, the unwrap matchers here are filtered by `ignorableOptional(Options)`,
/// so accesses covered by that matcher produce no diagnostics.
auto buildDiagnoseMatchSwitch(
    const UncheckedOptionalAccessModelOptions &Options) {
  // FIXME: Evaluate the efficiency of matchers. If using matchers results in a
  // lot of duplicated work (e.g. string comparisons), consider providing APIs
  // that avoid it through memoization.
  auto IgnorableOptional = ignorableOptional(Options);
  return CFGMatchSwitchBuilder<const Environment, std::vector<SourceLocation>>()
      // optional::value
      .CaseOfCFGStmt<CXXMemberCallExpr>(
          valueCall(IgnorableOptional),
          [](const CXXMemberCallExpr *E, const MatchFinder::MatchResult &,
             const Environment &Env) {
            return diagnoseUnwrapCall(E, E->getImplicitObjectArgument(), Env);
          })

      // optional::operator*, optional::operator->
      .CaseOfCFGStmt<CallExpr>(
          valueOperatorCall(IgnorableOptional),
          [](const CallExpr *E, const MatchFinder::MatchResult &,
             const Environment &Env) {
            return diagnoseUnwrapCall(E, E->getArg(0), Env);
          })
      .Build();
}

} // namespace

/// Public accessor for the matcher describing the optional class templates
/// this model understands (see `optionalClass` at the top of the file).
ast_matchers::DeclarationMatcher
UncheckedOptionalAccessModel::optionalClassDecl() {
  return optionalClass();
}

/// Constructs the model; the transfer dispatch table is built once here and
/// reused for every CFG element.
UncheckedOptionalAccessModel::UncheckedOptionalAccessModel(ASTContext &Ctx)
    : DataflowAnalysis<UncheckedOptionalAccessModel, NoopLattice>(Ctx),
      TransferMatchSwitch(buildTransferMatchSwitch()) {}

/// Applies the transfer function for one CFG element by dispatching through
/// the match switch. The lattice is a no-op; all state lives in `Env`.
void UncheckedOptionalAccessModel::transfer(const CFGElement *Elt,
                                            NoopLattice &L, Environment &Env) {
  LatticeTransferState State(L, Env);
  TransferMatchSwitch(*Elt, getASTContext(), State);
}

/// Compares two optional values for the purpose of fixpoint detection.
///
/// - Non-optional types: `Unknown` (this model has no opinion).
/// - Both definitely engaged, or both definitely empty: `Same`.
/// - Anything else, including the case where one side's state is merely
///   unknown: `Different`. This is conservative -- it may keep the analysis
///   iterating longer but never declares two distinguishable states equal.
ComparisonResult UncheckedOptionalAccessModel::compare(
    QualType Type, const Value &Val1, const Environment &Env1,
    const Value &Val2, const Environment &Env2) {
  if (!isOptionalType(Type))
    return ComparisonResult::Unknown;
  bool MustNonEmpty1 = isNonEmptyOptional(Val1, Env1);
  bool MustNonEmpty2 = isNonEmptyOptional(Val2, Env2);
  if (MustNonEmpty1 && MustNonEmpty2) return ComparisonResult::Same;
  // If exactly one is true, then they're different, no reason to check whether
  // they're definitely empty.
  if (MustNonEmpty1 || MustNonEmpty2) return ComparisonResult::Different;
  // Check if they're both definitely empty.
  return (isEmptyOptional(Val1, Env1) && isEmptyOptional(Val2, Env2))
             ? ComparisonResult::Same
             : ComparisonResult::Different;
}

/// Joins two optional values at a CFG merge point.
///
/// For optional types a fresh atomic `has_value` bit is created for the merged
/// value and constrained only when both incoming values agree: both definitely
/// engaged -> bit is true; both definitely empty -> bit is false. In every
/// other combination the bit is left unconstrained, so a later unwrap cannot
/// be proven safe from this merge alone. Always returns `true` (the merge is
/// always considered successful); non-optional types are left untouched.
bool UncheckedOptionalAccessModel::merge(QualType Type, const Value &Val1,
                                         const Environment &Env1,
                                         const Value &Val2,
                                         const Environment &Env2,
                                         Value &MergedVal,
                                         Environment &MergedEnv) {
  if (!isOptionalType(Type))
    return true;
  // FIXME: uses same approach as join for `BoolValues`. Requires non-const
  // values, though, so will require updating the interface.
  auto &HasValueVal = MergedEnv.makeAtomicBoolValue();
  bool MustNonEmpty1 = isNonEmptyOptional(Val1, Env1);
  bool MustNonEmpty2 = isNonEmptyOptional(Val2, Env2);
  if (MustNonEmpty1 && MustNonEmpty2)
    MergedEnv.addToFlowCondition(HasValueVal);
  else if (
      // Only make the costly calls to `isEmptyOptional` if we got "unknown"
      // (false) for both calls to `isNonEmptyOptional`.
      !MustNonEmpty1 && !MustNonEmpty2 && isEmptyOptional(Val1, Env1) &&
      isEmptyOptional(Val2, Env2))
    MergedEnv.addToFlowCondition(MergedEnv.makeNot(HasValueVal));
  // `setHasValue` is defined earlier in the file (not shown here); presumably
  // it attaches `HasValueVal` as the "has_value" property of `MergedVal`.
  setHasValue(MergedVal, HasValueVal);
  return true;
}

/// Widening step used to force convergence on loops.
///
/// - `Same`: keep `Prev`.
/// - `Different`: if either side's `has_value` is already a `TopBoolValue`,
///   reuse that side (Prev preferred); otherwise produce a new optional whose
///   `has_value` is Top, i.e. deliberately forget what was known so the state
///   stops changing.
/// - `Unknown` (non-optional type): `nullptr`, leaving widening to the
///   framework.
Value *UncheckedOptionalAccessModel::widen(QualType Type, Value &Prev,
                                           const Environment &PrevEnv,
                                           Value &Current,
                                           Environment &CurrentEnv) {
  switch (compare(Type, Prev, PrevEnv, Current, CurrentEnv)) {
  case ComparisonResult::Same:
    return &Prev;
  case ComparisonResult::Different:
    if (auto *PrevHasVal =
            cast_or_null<BoolValue>(Prev.getProperty("has_value"))) {
      if (isa<TopBoolValue>(PrevHasVal))
        return &Prev;
    }
    if (auto *CurrentHasVal =
            cast_or_null<BoolValue>(Current.getProperty("has_value"))) {
      if (isa<TopBoolValue>(CurrentHasVal))
        return &Current;
    }
    return &createOptionalValue(CurrentEnv, CurrentEnv.makeTopBoolValue());
  case ComparisonResult::Unknown:
    return nullptr;
  }
  llvm_unreachable("all cases covered in switch");
}

/// Constructs the diagnoser; the suppression behaviour selected by `Options`
/// is baked into the dispatch table here.
UncheckedOptionalAccessDiagnoser::UncheckedOptionalAccessDiagnoser(
    UncheckedOptionalAccessModelOptions Options)
    : DiagnoseMatchSwitch(buildDiagnoseMatchSwitch(Options)) {}

/// Reports the source locations of optional unwraps in `Elt` that are not
/// provably safe in `Env` (empty if there are none or `Elt` is not an unwrap).
std::vector<SourceLocation> UncheckedOptionalAccessDiagnoser::diagnose(
    ASTContext &Ctx, const CFGElement *Elt, const Environment &Env) {
  return DiagnoseMatchSwitch(*Elt, Ctx, Env);
}

} // namespace dataflow
} // namespace clang