StaticAnalyzer/Checkers/NoOwnershipChangeVisitor.cpp

*0fca6ea1SDimitry Andric//===--------------------------------------------------------------*- C++ -*--//
*0fca6ea1SDimitry Andric//
*0fca6ea1SDimitry Andric// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
*0fca6ea1SDimitry Andric// See https://llvm.org/LICENSE.txt for license information.
*0fca6ea1SDimitry Andric// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
*0fca6ea1SDimitry Andric//
*0fca6ea1SDimitry Andric//===----------------------------------------------------------------------===//
*0fca6ea1SDimitry Andric
*0fca6ea1SDimitry Andric#include "NoOwnershipChangeVisitor.h"
*0fca6ea1SDimitry Andric#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
*0fca6ea1SDimitry Andric#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
*0fca6ea1SDimitry Andric#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
*0fca6ea1SDimitry Andric#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
*0fca6ea1SDimitry Andric#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
*0fca6ea1SDimitry Andric#include "llvm/ADT/SetOperations.h"
*0fca6ea1SDimitry Andric
*0fca6ea1SDimitry Andricusing namespace clang;
*0fca6ea1SDimitry Andricusing namespace ento;
*0fca6ea1SDimitry Andricusing OwnerSet = NoOwnershipChangeVisitor::OwnerSet;
*0fca6ea1SDimitry Andric
*0fca6ea1SDimitry Andricnamespace {
*0fca6ea1SDimitry Andric// Collect which entities point to the allocated memory, and could be
*0fca6ea1SDimitry Andric// responsible for deallocating it.
*0fca6ea1SDimitry Andricclass OwnershipBindingsHandler : public StoreManager::BindingsHandler {
*0fca6ea1SDimitry Andric  SymbolRef Sym;
*0fca6ea1SDimitry Andric  OwnerSet &Owners;
*0fca6ea1SDimitry Andric
*0fca6ea1SDimitry Andricpublic:
*0fca6ea1SDimitry Andric  OwnershipBindingsHandler(SymbolRef Sym, OwnerSet &Owners)
*0fca6ea1SDimitry Andric      : Sym(Sym), Owners(Owners) {}
*0fca6ea1SDimitry Andric
*0fca6ea1SDimitry Andric  bool HandleBinding(StoreManager &SMgr, Store Store, const MemRegion *Region,
*0fca6ea1SDimitry Andric                     SVal Val) override {
*0fca6ea1SDimitry Andric    if (Val.getAsSymbol() == Sym)
*0fca6ea1SDimitry Andric      Owners.insert(Region);
*0fca6ea1SDimitry Andric    return true;
*0fca6ea1SDimitry Andric  }
*0fca6ea1SDimitry Andric
*0fca6ea1SDimitry Andric  LLVM_DUMP_METHOD void dump() const { dumpToStream(llvm::errs()); }
*0fca6ea1SDimitry Andric  LLVM_DUMP_METHOD void dumpToStream(llvm::raw_ostream &out) const {
*0fca6ea1SDimitry Andric    out << "Owners: {\n";
*0fca6ea1SDimitry Andric    for (const MemRegion *Owner : Owners) {
*0fca6ea1SDimitry Andric      out << "  ";
*0fca6ea1SDimitry Andric      Owner->dumpToStream(out);
*0fca6ea1SDimitry Andric      out << ",\n";
*0fca6ea1SDimitry Andric    }
*0fca6ea1SDimitry Andric    out << "}\n";
*0fca6ea1SDimitry Andric  }
*0fca6ea1SDimitry Andric};
*0fca6ea1SDimitry Andric} // namespace
*0fca6ea1SDimitry Andric
*0fca6ea1SDimitry AndricOwnerSet NoOwnershipChangeVisitor::getOwnersAtNode(const ExplodedNode *N) {
*0fca6ea1SDimitry Andric  OwnerSet Ret;
*0fca6ea1SDimitry Andric
*0fca6ea1SDimitry Andric  ProgramStateRef State = N->getState();
*0fca6ea1SDimitry Andric  OwnershipBindingsHandler Handler{Sym, Ret};
*0fca6ea1SDimitry Andric  State->getStateManager().getStoreManager().iterBindings(State->getStore(),
*0fca6ea1SDimitry Andric                                                          Handler);
*0fca6ea1SDimitry Andric  return Ret;
*0fca6ea1SDimitry Andric}
*0fca6ea1SDimitry Andric
*0fca6ea1SDimitry AndricLLVM_DUMP_METHOD std::string
*0fca6ea1SDimitry AndricNoOwnershipChangeVisitor::getFunctionName(const ExplodedNode *CallEnterN) {
*0fca6ea1SDimitry Andric  if (const CallExpr *CE = llvm::dyn_cast_or_null<CallExpr>(
*0fca6ea1SDimitry Andric          CallEnterN->getLocationAs<CallEnter>()->getCallExpr()))
*0fca6ea1SDimitry Andric    if (const FunctionDecl *FD = CE->getDirectCallee())
*0fca6ea1SDimitry Andric      return FD->getQualifiedNameAsString();
*0fca6ea1SDimitry Andric  return "";
*0fca6ea1SDimitry Andric}
*0fca6ea1SDimitry Andric
*0fca6ea1SDimitry Andricbool NoOwnershipChangeVisitor::wasModifiedInFunction(
*0fca6ea1SDimitry Andric    const ExplodedNode *CallEnterN, const ExplodedNode *CallExitEndN) {
*0fca6ea1SDimitry Andric  const Decl *Callee =
*0fca6ea1SDimitry Andric      CallExitEndN->getFirstPred()->getLocationContext()->getDecl();
*0fca6ea1SDimitry Andric  const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee);
*0fca6ea1SDimitry Andric
*0fca6ea1SDimitry Andric  // Given that the stack frame was entered, the body should always be
*0fca6ea1SDimitry Andric  // theoretically obtainable. In case of body farms, the synthesized body
*0fca6ea1SDimitry Andric  // is not attached to declaration, thus triggering the '!FD->hasBody()'
*0fca6ea1SDimitry Andric  // branch. That said, would a synthesized body ever intend to handle
*0fca6ea1SDimitry Andric  // ownership? As of today they don't. And if they did, how would we
*0fca6ea1SDimitry Andric  // put notes inside it, given that it doesn't match any source locations?
*0fca6ea1SDimitry Andric  if (!FD || !FD->hasBody())
*0fca6ea1SDimitry Andric    return false;
*0fca6ea1SDimitry Andric  if (!doesFnIntendToHandleOwnership(
*0fca6ea1SDimitry Andric          Callee,
*0fca6ea1SDimitry Andric          CallExitEndN->getState()->getAnalysisManager().getASTContext()))
*0fca6ea1SDimitry Andric    return true;
*0fca6ea1SDimitry Andric
*0fca6ea1SDimitry Andric  if (hasResourceStateChanged(CallEnterN->getState(), CallExitEndN->getState()))
*0fca6ea1SDimitry Andric    return true;
*0fca6ea1SDimitry Andric
*0fca6ea1SDimitry Andric  OwnerSet CurrOwners = getOwnersAtNode(CallEnterN);
*0fca6ea1SDimitry Andric  OwnerSet ExitOwners = getOwnersAtNode(CallExitEndN);
*0fca6ea1SDimitry Andric
*0fca6ea1SDimitry Andric  // Owners in the current set may be purged from the analyzer later on.
*0fca6ea1SDimitry Andric  // If a variable is dead (is not referenced directly or indirectly after
*0fca6ea1SDimitry Andric  // some point), it will be removed from the Store before the end of its
*0fca6ea1SDimitry Andric  // actual lifetime.
*0fca6ea1SDimitry Andric  // This means that if the ownership status didn't change, CurrOwners
*0fca6ea1SDimitry Andric  // must be a superset of, but not necessarily equal to ExitOwners.
*0fca6ea1SDimitry Andric  return !llvm::set_is_subset(ExitOwners, CurrOwners);
*0fca6ea1SDimitry Andric}
*0fca6ea1SDimitry Andric
*0fca6ea1SDimitry AndricPathDiagnosticPieceRef NoOwnershipChangeVisitor::maybeEmitNoteForParameters(
*0fca6ea1SDimitry Andric    PathSensitiveBugReport &R, const CallEvent &Call, const ExplodedNode *N) {
*0fca6ea1SDimitry Andric  // TODO: Factor the logic of "what constitutes as an entity being passed
*0fca6ea1SDimitry Andric  // into a function call" out by reusing the code in
*0fca6ea1SDimitry Andric  // NoStoreFuncVisitor::maybeEmitNoteForParameters, maybe by incorporating
*0fca6ea1SDimitry Andric  // the printing technology in UninitializedObject's FieldChainInfo.
*0fca6ea1SDimitry Andric  ArrayRef<ParmVarDecl *> Parameters = Call.parameters();
*0fca6ea1SDimitry Andric  for (unsigned I = 0; I < Call.getNumArgs() && I < Parameters.size(); ++I) {
*0fca6ea1SDimitry Andric    SVal V = Call.getArgSVal(I);
*0fca6ea1SDimitry Andric    if (V.getAsSymbol() == Sym)
*0fca6ea1SDimitry Andric      return emitNote(N);
*0fca6ea1SDimitry Andric  }
*0fca6ea1SDimitry Andric  return nullptr;
*0fca6ea1SDimitry Andric}