1 //===- CallEvent.cpp - Wrapper for all function and method calls ----------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 /// \file This file defines CallEvent and its subclasses, which represent path- 10 /// sensitive instances of different kinds of function and method calls 11 /// (C, C++, and Objective-C). 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 16 #include "clang/AST/ASTContext.h" 17 #include "clang/AST/Attr.h" 18 #include "clang/AST/Decl.h" 19 #include "clang/AST/DeclBase.h" 20 #include "clang/AST/DeclCXX.h" 21 #include "clang/AST/DeclObjC.h" 22 #include "clang/AST/Expr.h" 23 #include "clang/AST/ExprCXX.h" 24 #include "clang/AST/ExprObjC.h" 25 #include "clang/AST/ParentMap.h" 26 #include "clang/AST/Stmt.h" 27 #include "clang/AST/Type.h" 28 #include "clang/Analysis/AnalysisDeclContext.h" 29 #include "clang/Analysis/CFG.h" 30 #include "clang/Analysis/CFGStmtMap.h" 31 #include "clang/Analysis/PathDiagnostic.h" 32 #include "clang/Analysis/ProgramPoint.h" 33 #include "clang/Basic/IdentifierTable.h" 34 #include "clang/Basic/LLVM.h" 35 #include "clang/Basic/SourceLocation.h" 36 #include "clang/Basic/SourceManager.h" 37 #include "clang/Basic/Specifiers.h" 38 #include "clang/CrossTU/CrossTranslationUnit.h" 39 #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h" 40 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 41 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h" 42 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h" 43 #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" 44 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 45 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" 46 #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" 47 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 48 #include "clang/StaticAnalyzer/Core/PathSensitive/Store.h" 49 #include "llvm/ADT/ArrayRef.h" 50 #include "llvm/ADT/DenseMap.h" 51 #include "llvm/ADT/ImmutableList.h" 52 #include "llvm/ADT/PointerIntPair.h" 53 #include "llvm/ADT/SmallSet.h" 54 #include "llvm/ADT/SmallVector.h" 55 #include "llvm/ADT/StringExtras.h" 56 #include "llvm/ADT/StringRef.h" 57 #include "llvm/Support/Casting.h" 58 #include "llvm/Support/Compiler.h" 59 #include "llvm/Support/Debug.h" 60 #include "llvm/Support/ErrorHandling.h" 61 #include "llvm/Support/raw_ostream.h" 62 #include <cassert> 63 #include <optional> 64 #include <utility> 65 66 #define DEBUG_TYPE "static-analyzer-call-event" 67 68 using namespace clang; 69 using namespace ento; 70 71 QualType CallEvent::getResultType() const { 72 ASTContext &Ctx = getState()->getStateManager().getContext(); 73 const Expr *E = getOriginExpr(); 74 if (!E) 75 return Ctx.VoidTy; 76 return Ctx.getReferenceQualifiedType(E); 77 } 78 79 static bool isCallback(QualType T) { 80 // If a parameter is a block or a callback, assume it can modify pointer. 81 if (T->isBlockPointerType() || 82 T->isFunctionPointerType() || 83 T->isObjCSelType()) 84 return true; 85 86 // Check if a callback is passed inside a struct (for both, struct passed by 87 // reference and by value). Dig just one level into the struct for now. 88 89 if (T->isAnyPointerType() || T->isReferenceType()) 90 T = T->getPointeeType(); 91 92 if (const RecordType *RT = T->getAsStructureType()) { 93 const RecordDecl *RD = RT->getDecl(); 94 for (const auto *I : RD->fields()) { 95 QualType FieldT = I->getType(); 96 if (FieldT->isBlockPointerType() || FieldT->isFunctionPointerType()) 97 return true; 98 } 99 } 100 return false; 101 } 102 103 static bool isVoidPointerToNonConst(QualType T) { 104 if (const auto *PT = T->getAs<PointerType>()) { 105 QualType PointeeTy = PT->getPointeeType(); 106 if (PointeeTy.isConstQualified()) 107 return false; 108 return PointeeTy->isVoidType(); 109 } else 110 return false; 111 } 112 113 bool CallEvent::hasNonNullArgumentsWithType(bool (*Condition)(QualType)) const { 114 unsigned NumOfArgs = getNumArgs(); 115 116 // If calling using a function pointer, assume the function does not 117 // satisfy the callback. 118 // TODO: We could check the types of the arguments here. 119 if (!getDecl()) 120 return false; 121 122 unsigned Idx = 0; 123 for (CallEvent::param_type_iterator I = param_type_begin(), 124 E = param_type_end(); 125 I != E && Idx < NumOfArgs; ++I, ++Idx) { 126 // If the parameter is 0, it's harmless. 127 if (getArgSVal(Idx).isZeroConstant()) 128 continue; 129 130 if (Condition(*I)) 131 return true; 132 } 133 return false; 134 } 135 136 bool CallEvent::hasNonZeroCallbackArg() const { 137 return hasNonNullArgumentsWithType(isCallback); 138 } 139 140 bool CallEvent::hasVoidPointerToNonConstArg() const { 141 return hasNonNullArgumentsWithType(isVoidPointerToNonConst); 142 } 143 144 bool CallEvent::isGlobalCFunction(StringRef FunctionName) const { 145 const auto *FD = dyn_cast_or_null<FunctionDecl>(getDecl()); 146 if (!FD) 147 return false; 148 149 return CheckerContext::isCLibraryFunction(FD, FunctionName); 150 } 151 152 AnalysisDeclContext *CallEvent::getCalleeAnalysisDeclContext() const { 153 const Decl *D = getDecl(); 154 if (!D) 155 return nullptr; 156 157 AnalysisDeclContext *ADC = 158 LCtx->getAnalysisDeclContext()->getManager()->getContext(D); 159 160 return ADC; 161 } 162 163 const StackFrameContext * 164 CallEvent::getCalleeStackFrame(unsigned BlockCount) const { 165 AnalysisDeclContext *ADC = getCalleeAnalysisDeclContext(); 166 if (!ADC) 167 return nullptr; 168 169 const Expr *E = getOriginExpr(); 170 if (!E) 171 return nullptr; 172 173 // Recover CFG block via reverse lookup. 174 // TODO: If we were to keep CFG element information as part of the CallEvent 175 // instead of doing this reverse lookup, we would be able to build the stack 176 // frame for non-expression-based calls, and also we wouldn't need the reverse 177 // lookup. 178 CFGStmtMap *Map = LCtx->getAnalysisDeclContext()->getCFGStmtMap(); 179 const CFGBlock *B = Map->getBlock(E); 180 assert(B); 181 182 // Also recover CFG index by scanning the CFG block. 183 unsigned Idx = 0, Sz = B->size(); 184 for (; Idx < Sz; ++Idx) 185 if (auto StmtElem = (*B)[Idx].getAs<CFGStmt>()) 186 if (StmtElem->getStmt() == E) 187 break; 188 assert(Idx < Sz); 189 190 return ADC->getManager()->getStackFrame(ADC, LCtx, E, B, BlockCount, Idx); 191 } 192 193 const ParamVarRegion 194 *CallEvent::getParameterLocation(unsigned Index, unsigned BlockCount) const { 195 const StackFrameContext *SFC = getCalleeStackFrame(BlockCount); 196 // We cannot construct a VarRegion without a stack frame. 197 if (!SFC) 198 return nullptr; 199 200 const ParamVarRegion *PVR = 201 State->getStateManager().getRegionManager().getParamVarRegion( 202 getOriginExpr(), Index, SFC); 203 return PVR; 204 } 205 206 /// Returns true if a type is a pointer-to-const or reference-to-const 207 /// with no further indirection. 208 static bool isPointerToConst(QualType Ty) { 209 QualType PointeeTy = Ty->getPointeeType(); 210 if (PointeeTy == QualType()) 211 return false; 212 if (!PointeeTy.isConstQualified()) 213 return false; 214 if (PointeeTy->isAnyPointerType()) 215 return false; 216 return true; 217 } 218 219 // Try to retrieve the function declaration and find the function parameter 220 // types which are pointers/references to a non-pointer const. 221 // We will not invalidate the corresponding argument regions. 222 static void findPtrToConstParams(llvm::SmallSet<unsigned, 4> &PreserveArgs, 223 const CallEvent &Call) { 224 unsigned Idx = 0; 225 for (CallEvent::param_type_iterator I = Call.param_type_begin(), 226 E = Call.param_type_end(); 227 I != E; ++I, ++Idx) { 228 if (isPointerToConst(*I)) 229 PreserveArgs.insert(Idx); 230 } 231 } 232 233 ProgramStateRef CallEvent::invalidateRegions(unsigned BlockCount, 234 ProgramStateRef Orig) const { 235 ProgramStateRef Result = (Orig ? Orig : getState()); 236 237 // Don't invalidate anything if the callee is marked pure/const. 238 if (const Decl *callee = getDecl()) 239 if (callee->hasAttr<PureAttr>() || callee->hasAttr<ConstAttr>()) 240 return Result; 241 242 SmallVector<SVal, 8> ValuesToInvalidate; 243 RegionAndSymbolInvalidationTraits ETraits; 244 245 getExtraInvalidatedValues(ValuesToInvalidate, &ETraits); 246 247 // Indexes of arguments whose values will be preserved by the call. 248 llvm::SmallSet<unsigned, 4> PreserveArgs; 249 if (!argumentsMayEscape()) 250 findPtrToConstParams(PreserveArgs, *this); 251 252 for (unsigned Idx = 0, Count = getNumArgs(); Idx != Count; ++Idx) { 253 // Mark this region for invalidation. We batch invalidate regions 254 // below for efficiency. 255 if (PreserveArgs.count(Idx)) 256 if (const MemRegion *MR = getArgSVal(Idx).getAsRegion()) 257 ETraits.setTrait(MR->getBaseRegion(), 258 RegionAndSymbolInvalidationTraits::TK_PreserveContents); 259 // TODO: Factor this out + handle the lower level const pointers. 260 261 ValuesToInvalidate.push_back(getArgSVal(Idx)); 262 263 // If a function accepts an object by argument (which would of course be a 264 // temporary that isn't lifetime-extended), invalidate the object itself, 265 // not only other objects reachable from it. This is necessary because the 266 // destructor has access to the temporary object after the call. 267 // TODO: Support placement arguments once we start 268 // constructing them directly. 269 // TODO: This is unnecessary when there's no destructor, but that's 270 // currently hard to figure out. 271 if (getKind() != CE_CXXAllocator) 272 if (isArgumentConstructedDirectly(Idx)) 273 if (auto AdjIdx = getAdjustedParameterIndex(Idx)) 274 if (const TypedValueRegion *TVR = 275 getParameterLocation(*AdjIdx, BlockCount)) 276 ValuesToInvalidate.push_back(loc::MemRegionVal(TVR)); 277 } 278 279 // Invalidate designated regions using the batch invalidation API. 280 // NOTE: Even if RegionsToInvalidate is empty, we may still invalidate 281 // global variables. 282 return Result->invalidateRegions(ValuesToInvalidate, getOriginExpr(), 283 BlockCount, getLocationContext(), 284 /*CausedByPointerEscape*/ true, 285 /*Symbols=*/nullptr, this, &ETraits); 286 } 287 288 ProgramPoint CallEvent::getProgramPoint(bool IsPreVisit, 289 const ProgramPointTag *Tag) const { 290 291 if (const Expr *E = getOriginExpr()) { 292 if (IsPreVisit) 293 return PreStmt(E, getLocationContext(), Tag); 294 return PostStmt(E, getLocationContext(), Tag); 295 } 296 297 const Decl *D = getDecl(); 298 assert(D && "Cannot get a program point without a statement or decl"); 299 assert(ElemRef.getParent() && 300 "Cannot get a program point without a CFGElementRef"); 301 302 SourceLocation Loc = getSourceRange().getBegin(); 303 if (IsPreVisit) 304 return PreImplicitCall(D, Loc, getLocationContext(), ElemRef, Tag); 305 return PostImplicitCall(D, Loc, getLocationContext(), ElemRef, Tag); 306 } 307 308 SVal CallEvent::getArgSVal(unsigned Index) const { 309 const Expr *ArgE = getArgExpr(Index); 310 if (!ArgE) 311 return UnknownVal(); 312 return getSVal(ArgE); 313 } 314 315 SourceRange CallEvent::getArgSourceRange(unsigned Index) const { 316 const Expr *ArgE = getArgExpr(Index); 317 if (!ArgE) 318 return {}; 319 return ArgE->getSourceRange(); 320 } 321 322 SVal CallEvent::getReturnValue() const { 323 const Expr *E = getOriginExpr(); 324 if (!E) 325 return UndefinedVal(); 326 return getSVal(E); 327 } 328 329 LLVM_DUMP_METHOD void CallEvent::dump() const { dump(llvm::errs()); } 330 331 void CallEvent::dump(raw_ostream &Out) const { 332 ASTContext &Ctx = getState()->getStateManager().getContext(); 333 if (const Expr *E = getOriginExpr()) { 334 E->printPretty(Out, nullptr, Ctx.getPrintingPolicy()); 335 return; 336 } 337 338 if (const Decl *D = getDecl()) { 339 Out << "Call to "; 340 D->print(Out, Ctx.getPrintingPolicy()); 341 return; 342 } 343 344 Out << "Unknown call (type " << getKindAsString() << ")"; 345 } 346 347 bool CallEvent::isCallStmt(const Stmt *S) { 348 return isa<CallExpr, ObjCMessageExpr, CXXConstructExpr, CXXNewExpr>(S); 349 } 350 351 QualType CallEvent::getDeclaredResultType(const Decl *D) { 352 assert(D); 353 if (const auto *FD = dyn_cast<FunctionDecl>(D)) 354 return FD->getReturnType(); 355 if (const auto *MD = dyn_cast<ObjCMethodDecl>(D)) 356 return MD->getReturnType(); 357 if (const auto *BD = dyn_cast<BlockDecl>(D)) { 358 // Blocks are difficult because the return type may not be stored in the 359 // BlockDecl itself. The AST should probably be enhanced, but for now we 360 // just do what we can. 361 // If the block is declared without an explicit argument list, the 362 // signature-as-written just includes the return type, not the entire 363 // function type. 364 // FIXME: All blocks should have signatures-as-written, even if the return 365 // type is inferred. (That's signified with a dependent result type.) 366 if (const TypeSourceInfo *TSI = BD->getSignatureAsWritten()) { 367 QualType Ty = TSI->getType(); 368 if (const FunctionType *FT = Ty->getAs<FunctionType>()) 369 Ty = FT->getReturnType(); 370 if (!Ty->isDependentType()) 371 return Ty; 372 } 373 374 return {}; 375 } 376 377 llvm_unreachable("unknown callable kind"); 378 } 379 380 bool CallEvent::isVariadic(const Decl *D) { 381 assert(D); 382 383 if (const auto *FD = dyn_cast<FunctionDecl>(D)) 384 return FD->isVariadic(); 385 if (const auto *MD = dyn_cast<ObjCMethodDecl>(D)) 386 return MD->isVariadic(); 387 if (const auto *BD = dyn_cast<BlockDecl>(D)) 388 return BD->isVariadic(); 389 390 llvm_unreachable("unknown callable kind"); 391 } 392 393 static bool isTransparentUnion(QualType T) { 394 const RecordType *UT = T->getAsUnionType(); 395 return UT && UT->getDecl()->hasAttr<TransparentUnionAttr>(); 396 } 397 398 // In some cases, symbolic cases should be transformed before we associate 399 // them with parameters. This function incapsulates such cases. 400 static SVal processArgument(SVal Value, const Expr *ArgumentExpr, 401 const ParmVarDecl *Parameter, SValBuilder &SVB) { 402 QualType ParamType = Parameter->getType(); 403 QualType ArgumentType = ArgumentExpr->getType(); 404 405 // Transparent unions allow users to easily convert values of union field 406 // types into union-typed objects. 407 // 408 // Also, more importantly, they allow users to define functions with different 409 // different parameter types, substituting types matching transparent union 410 // field types with the union type itself. 411 // 412 // Here, we check specifically for latter cases and prevent binding 413 // field-typed values to union-typed regions. 414 if (isTransparentUnion(ParamType) && 415 // Let's check that we indeed trying to bind different types. 416 !isTransparentUnion(ArgumentType)) { 417 BasicValueFactory &BVF = SVB.getBasicValueFactory(); 418 419 llvm::ImmutableList<SVal> CompoundSVals = BVF.getEmptySValList(); 420 CompoundSVals = BVF.prependSVal(Value, CompoundSVals); 421 422 // Wrap it with compound value. 423 return SVB.makeCompoundVal(ParamType, CompoundSVals); 424 } 425 426 return Value; 427 } 428 429 /// Cast the argument value to the type of the parameter at the function 430 /// declaration. 431 /// Returns the argument value if it didn't need a cast. 432 /// Or returns the cast argument if it needed a cast. 433 /// Or returns 'Unknown' if it would need a cast but the callsite and the 434 /// runtime definition don't match in terms of argument and parameter count. 435 static SVal castArgToParamTypeIfNeeded(const CallEvent &Call, unsigned ArgIdx, 436 SVal ArgVal, SValBuilder &SVB) { 437 const FunctionDecl *RTDecl = 438 Call.getRuntimeDefinition().getDecl()->getAsFunction(); 439 const auto *CallExprDecl = dyn_cast_or_null<FunctionDecl>(Call.getDecl()); 440 441 if (!RTDecl || !CallExprDecl) 442 return ArgVal; 443 444 // The function decl of the Call (in the AST) will not have any parameter 445 // declarations, if it was 'only' declared without a prototype. However, the 446 // engine will find the appropriate runtime definition - basically a 447 // redeclaration, which has a function body (and a function prototype). 448 if (CallExprDecl->hasPrototype() || !RTDecl->hasPrototype()) 449 return ArgVal; 450 451 // Only do this cast if the number arguments at the callsite matches with 452 // the parameters at the runtime definition. 453 if (Call.getNumArgs() != RTDecl->getNumParams()) 454 return UnknownVal(); 455 456 const Expr *ArgExpr = Call.getArgExpr(ArgIdx); 457 const ParmVarDecl *Param = RTDecl->getParamDecl(ArgIdx); 458 return SVB.evalCast(ArgVal, Param->getType(), ArgExpr->getType()); 459 } 460 461 static void addParameterValuesToBindings(const StackFrameContext *CalleeCtx, 462 CallEvent::BindingsTy &Bindings, 463 SValBuilder &SVB, 464 const CallEvent &Call, 465 ArrayRef<ParmVarDecl*> parameters) { 466 MemRegionManager &MRMgr = SVB.getRegionManager(); 467 468 // If the function has fewer parameters than the call has arguments, we simply 469 // do not bind any values to them. 470 unsigned NumArgs = Call.getNumArgs(); 471 unsigned Idx = 0; 472 ArrayRef<ParmVarDecl*>::iterator I = parameters.begin(), E = parameters.end(); 473 for (; I != E && Idx < NumArgs; ++I, ++Idx) { 474 assert(*I && "Formal parameter has no decl?"); 475 476 // TODO: Support allocator calls. 477 if (Call.getKind() != CE_CXXAllocator) 478 if (Call.isArgumentConstructedDirectly(Call.getASTArgumentIndex(Idx))) 479 continue; 480 481 // TODO: Allocators should receive the correct size and possibly alignment, 482 // determined in compile-time but not represented as arg-expressions, 483 // which makes getArgSVal() fail and return UnknownVal. 484 SVal ArgVal = Call.getArgSVal(Idx); 485 const Expr *ArgExpr = Call.getArgExpr(Idx); 486 487 if (ArgVal.isUnknown()) 488 continue; 489 490 // Cast the argument value to match the type of the parameter in some 491 // edge-cases. 492 ArgVal = castArgToParamTypeIfNeeded(Call, Idx, ArgVal, SVB); 493 494 Loc ParamLoc = SVB.makeLoc( 495 MRMgr.getParamVarRegion(Call.getOriginExpr(), Idx, CalleeCtx)); 496 Bindings.push_back( 497 std::make_pair(ParamLoc, processArgument(ArgVal, ArgExpr, *I, SVB))); 498 } 499 500 // FIXME: Variadic arguments are not handled at all right now. 501 } 502 503 const ConstructionContext *CallEvent::getConstructionContext() const { 504 const StackFrameContext *StackFrame = getCalleeStackFrame(0); 505 if (!StackFrame) 506 return nullptr; 507 508 const CFGElement Element = StackFrame->getCallSiteCFGElement(); 509 if (const auto Ctor = Element.getAs<CFGConstructor>()) { 510 return Ctor->getConstructionContext(); 511 } 512 513 if (const auto RecCall = Element.getAs<CFGCXXRecordTypedCall>()) { 514 return RecCall->getConstructionContext(); 515 } 516 517 return nullptr; 518 } 519 520 std::optional<SVal> CallEvent::getReturnValueUnderConstruction() const { 521 const auto *CC = getConstructionContext(); 522 if (!CC) 523 return std::nullopt; 524 525 EvalCallOptions CallOpts; 526 ExprEngine &Engine = getState()->getStateManager().getOwningEngine(); 527 SVal RetVal = Engine.computeObjectUnderConstruction( 528 getOriginExpr(), getState(), &Engine.getBuilderContext(), 529 getLocationContext(), CC, CallOpts); 530 return RetVal; 531 } 532 533 ArrayRef<ParmVarDecl*> AnyFunctionCall::parameters() const { 534 const FunctionDecl *D = getDecl(); 535 if (!D) 536 return std::nullopt; 537 return D->parameters(); 538 } 539 540 RuntimeDefinition AnyFunctionCall::getRuntimeDefinition() const { 541 const FunctionDecl *FD = getDecl(); 542 if (!FD) 543 return {}; 544 545 // Note that the AnalysisDeclContext will have the FunctionDecl with 546 // the definition (if one exists). 547 AnalysisDeclContext *AD = 548 getLocationContext()->getAnalysisDeclContext()-> 549 getManager()->getContext(FD); 550 bool IsAutosynthesized; 551 Stmt* Body = AD->getBody(IsAutosynthesized); 552 LLVM_DEBUG({ 553 if (IsAutosynthesized) 554 llvm::dbgs() << "Using autosynthesized body for " << FD->getName() 555 << "\n"; 556 }); 557 558 ExprEngine &Engine = getState()->getStateManager().getOwningEngine(); 559 cross_tu::CrossTranslationUnitContext &CTUCtx = 560 *Engine.getCrossTranslationUnitContext(); 561 562 AnalyzerOptions &Opts = Engine.getAnalysisManager().options; 563 564 if (Body) { 565 const Decl* Decl = AD->getDecl(); 566 if (Opts.IsNaiveCTUEnabled && CTUCtx.isImportedAsNew(Decl)) { 567 // A newly created definition, but we had error(s) during the import. 568 if (CTUCtx.hasError(Decl)) 569 return {}; 570 return RuntimeDefinition(Decl, /*Foreign=*/true); 571 } 572 return RuntimeDefinition(Decl, /*Foreign=*/false); 573 } 574 575 // Try to get CTU definition only if CTUDir is provided. 576 if (!Opts.IsNaiveCTUEnabled) 577 return {}; 578 579 llvm::Expected<const FunctionDecl *> CTUDeclOrError = 580 CTUCtx.getCrossTUDefinition(FD, Opts.CTUDir, Opts.CTUIndexName, 581 Opts.DisplayCTUProgress); 582 583 if (!CTUDeclOrError) { 584 handleAllErrors(CTUDeclOrError.takeError(), 585 [&](const cross_tu::IndexError &IE) { 586 CTUCtx.emitCrossTUDiagnostics(IE); 587 }); 588 return {}; 589 } 590 591 return RuntimeDefinition(*CTUDeclOrError, /*Foreign=*/true); 592 } 593 594 void AnyFunctionCall::getInitialStackFrameContents( 595 const StackFrameContext *CalleeCtx, 596 BindingsTy &Bindings) const { 597 const auto *D = cast<FunctionDecl>(CalleeCtx->getDecl()); 598 SValBuilder &SVB = getState()->getStateManager().getSValBuilder(); 599 addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this, 600 D->parameters()); 601 } 602 603 bool AnyFunctionCall::argumentsMayEscape() const { 604 if (CallEvent::argumentsMayEscape() || hasVoidPointerToNonConstArg()) 605 return true; 606 607 const FunctionDecl *D = getDecl(); 608 if (!D) 609 return true; 610 611 const IdentifierInfo *II = D->getIdentifier(); 612 if (!II) 613 return false; 614 615 // This set of "escaping" APIs is 616 617 // - 'int pthread_setspecific(ptheread_key k, const void *)' stores a 618 // value into thread local storage. The value can later be retrieved with 619 // 'void *ptheread_getspecific(pthread_key)'. So even thought the 620 // parameter is 'const void *', the region escapes through the call. 621 if (II->isStr("pthread_setspecific")) 622 return true; 623 624 // - xpc_connection_set_context stores a value which can be retrieved later 625 // with xpc_connection_get_context. 626 if (II->isStr("xpc_connection_set_context")) 627 return true; 628 629 // - funopen - sets a buffer for future IO calls. 630 if (II->isStr("funopen")) 631 return true; 632 633 // - __cxa_demangle - can reallocate memory and can return the pointer to 634 // the input buffer. 635 if (II->isStr("__cxa_demangle")) 636 return true; 637 638 StringRef FName = II->getName(); 639 640 // - CoreFoundation functions that end with "NoCopy" can free a passed-in 641 // buffer even if it is const. 642 if (FName.endswith("NoCopy")) 643 return true; 644 645 // - NSXXInsertXX, for example NSMapInsertIfAbsent, since they can 646 // be deallocated by NSMapRemove. 647 if (FName.startswith("NS") && FName.contains("Insert")) 648 return true; 649 650 // - Many CF containers allow objects to escape through custom 651 // allocators/deallocators upon container construction. (PR12101) 652 if (FName.startswith("CF") || FName.startswith("CG")) { 653 return StrInStrNoCase(FName, "InsertValue") != StringRef::npos || 654 StrInStrNoCase(FName, "AddValue") != StringRef::npos || 655 StrInStrNoCase(FName, "SetValue") != StringRef::npos || 656 StrInStrNoCase(FName, "WithData") != StringRef::npos || 657 StrInStrNoCase(FName, "AppendValue") != StringRef::npos || 658 StrInStrNoCase(FName, "SetAttribute") != StringRef::npos; 659 } 660 661 return false; 662 } 663 664 const FunctionDecl *SimpleFunctionCall::getDecl() const { 665 const FunctionDecl *D = getOriginExpr()->getDirectCallee(); 666 if (D) 667 return D; 668 669 return getSVal(getOriginExpr()->getCallee()).getAsFunctionDecl(); 670 } 671 672 const FunctionDecl *CXXInstanceCall::getDecl() const { 673 const auto *CE = cast_or_null<CallExpr>(getOriginExpr()); 674 if (!CE) 675 return AnyFunctionCall::getDecl(); 676 677 const FunctionDecl *D = CE->getDirectCallee(); 678 if (D) 679 return D; 680 681 return getSVal(CE->getCallee()).getAsFunctionDecl(); 682 } 683 684 void CXXInstanceCall::getExtraInvalidatedValues( 685 ValueList &Values, RegionAndSymbolInvalidationTraits *ETraits) const { 686 SVal ThisVal = getCXXThisVal(); 687 Values.push_back(ThisVal); 688 689 // Don't invalidate if the method is const and there are no mutable fields. 690 if (const auto *D = cast_or_null<CXXMethodDecl>(getDecl())) { 691 if (!D->isConst()) 692 return; 693 // Get the record decl for the class of 'This'. D->getParent() may return a 694 // base class decl, rather than the class of the instance which needs to be 695 // checked for mutable fields. 696 // TODO: We might as well look at the dynamic type of the object. 697 const Expr *Ex = getCXXThisExpr()->IgnoreParenBaseCasts(); 698 QualType T = Ex->getType(); 699 if (T->isPointerType()) // Arrow or implicit-this syntax? 700 T = T->getPointeeType(); 701 const CXXRecordDecl *ParentRecord = T->getAsCXXRecordDecl(); 702 assert(ParentRecord); 703 if (ParentRecord->hasMutableFields()) 704 return; 705 // Preserve CXXThis. 706 const MemRegion *ThisRegion = ThisVal.getAsRegion(); 707 if (!ThisRegion) 708 return; 709 710 ETraits->setTrait(ThisRegion->getBaseRegion(), 711 RegionAndSymbolInvalidationTraits::TK_PreserveContents); 712 } 713 } 714 715 SVal CXXInstanceCall::getCXXThisVal() const { 716 const Expr *Base = getCXXThisExpr(); 717 // FIXME: This doesn't handle an overloaded ->* operator. 718 SVal ThisVal = Base ? getSVal(Base) : UnknownVal(); 719 720 if (isa<NonLoc>(ThisVal)) { 721 SValBuilder &SVB = getState()->getStateManager().getSValBuilder(); 722 QualType OriginalTy = ThisVal.getType(SVB.getContext()); 723 return SVB.evalCast(ThisVal, Base->getType(), OriginalTy); 724 } 725 726 assert(ThisVal.isUnknownOrUndef() || isa<Loc>(ThisVal)); 727 return ThisVal; 728 } 729 730 RuntimeDefinition CXXInstanceCall::getRuntimeDefinition() const { 731 // Do we have a decl at all? 732 const Decl *D = getDecl(); 733 if (!D) 734 return {}; 735 736 // If the method is non-virtual, we know we can inline it. 737 const auto *MD = cast<CXXMethodDecl>(D); 738 if (!MD->isVirtual()) 739 return AnyFunctionCall::getRuntimeDefinition(); 740 741 // Do we know the implicit 'this' object being called? 742 const MemRegion *R = getCXXThisVal().getAsRegion(); 743 if (!R) 744 return {}; 745 746 // Do we know anything about the type of 'this'? 747 DynamicTypeInfo DynType = getDynamicTypeInfo(getState(), R); 748 if (!DynType.isValid()) 749 return {}; 750 751 // Is the type a C++ class? (This is mostly a defensive check.) 752 QualType RegionType = DynType.getType()->getPointeeType(); 753 assert(!RegionType.isNull() && "DynamicTypeInfo should always be a pointer."); 754 755 const CXXRecordDecl *RD = RegionType->getAsCXXRecordDecl(); 756 if (!RD || !RD->hasDefinition()) 757 return {}; 758 759 // Find the decl for this method in that class. 760 const CXXMethodDecl *Result = MD->getCorrespondingMethodInClass(RD, true); 761 if (!Result) { 762 // We might not even get the original statically-resolved method due to 763 // some particularly nasty casting (e.g. casts to sister classes). 764 // However, we should at least be able to search up and down our own class 765 // hierarchy, and some real bugs have been caught by checking this. 766 assert(!RD->isDerivedFrom(MD->getParent()) && "Couldn't find known method"); 767 768 // FIXME: This is checking that our DynamicTypeInfo is at least as good as 769 // the static type. However, because we currently don't update 770 // DynamicTypeInfo when an object is cast, we can't actually be sure the 771 // DynamicTypeInfo is up to date. This assert should be re-enabled once 772 // this is fixed. 773 // 774 // assert(!MD->getParent()->isDerivedFrom(RD) && "Bad DynamicTypeInfo"); 775 776 return {}; 777 } 778 779 // Does the decl that we found have an implementation? 780 const FunctionDecl *Definition; 781 if (!Result->hasBody(Definition)) { 782 if (!DynType.canBeASubClass()) 783 return AnyFunctionCall::getRuntimeDefinition(); 784 return {}; 785 } 786 787 // We found a definition. If we're not sure that this devirtualization is 788 // actually what will happen at runtime, make sure to provide the region so 789 // that ExprEngine can decide what to do with it. 790 if (DynType.canBeASubClass()) 791 return RuntimeDefinition(Definition, R->StripCasts()); 792 return RuntimeDefinition(Definition, /*DispatchRegion=*/nullptr); 793 } 794 795 void CXXInstanceCall::getInitialStackFrameContents( 796 const StackFrameContext *CalleeCtx, 797 BindingsTy &Bindings) const { 798 AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings); 799 800 // Handle the binding of 'this' in the new stack frame. 801 SVal ThisVal = getCXXThisVal(); 802 if (!ThisVal.isUnknown()) { 803 ProgramStateManager &StateMgr = getState()->getStateManager(); 804 SValBuilder &SVB = StateMgr.getSValBuilder(); 805 806 const auto *MD = cast<CXXMethodDecl>(CalleeCtx->getDecl()); 807 Loc ThisLoc = SVB.getCXXThis(MD, CalleeCtx); 808 809 // If we devirtualized to a different member function, we need to make sure 810 // we have the proper layering of CXXBaseObjectRegions. 811 if (MD->getCanonicalDecl() != getDecl()->getCanonicalDecl()) { 812 ASTContext &Ctx = SVB.getContext(); 813 const CXXRecordDecl *Class = MD->getParent(); 814 QualType Ty = Ctx.getPointerType(Ctx.getRecordType(Class)); 815 816 // FIXME: CallEvent maybe shouldn't be directly accessing StoreManager. 817 std::optional<SVal> V = 818 StateMgr.getStoreManager().evalBaseToDerived(ThisVal, Ty); 819 if (!V) { 820 // We might have suffered some sort of placement new earlier, so 821 // we're constructing in a completely unexpected storage. 822 // Fall back to a generic pointer cast for this-value. 823 const CXXMethodDecl *StaticMD = cast<CXXMethodDecl>(getDecl()); 824 const CXXRecordDecl *StaticClass = StaticMD->getParent(); 825 QualType StaticTy = Ctx.getPointerType(Ctx.getRecordType(StaticClass)); 826 ThisVal = SVB.evalCast(ThisVal, Ty, StaticTy); 827 } else 828 ThisVal = *V; 829 } 830 831 if (!ThisVal.isUnknown()) 832 Bindings.push_back(std::make_pair(ThisLoc, ThisVal)); 833 } 834 } 835 836 const Expr *CXXMemberCall::getCXXThisExpr() const { 837 return getOriginExpr()->getImplicitObjectArgument(); 838 } 839 840 RuntimeDefinition CXXMemberCall::getRuntimeDefinition() const { 841 // C++11 [expr.call]p1: ...If the selected function is non-virtual, or if the 842 // id-expression in the class member access expression is a qualified-id, 843 // that function is called. Otherwise, its final overrider in the dynamic type 844 // of the object expression is called. 845 if (const auto *ME = dyn_cast<MemberExpr>(getOriginExpr()->getCallee())) 846 if (ME->hasQualifier()) 847 return AnyFunctionCall::getRuntimeDefinition(); 848 849 return CXXInstanceCall::getRuntimeDefinition(); 850 } 851 852 const Expr *CXXMemberOperatorCall::getCXXThisExpr() const { 853 return getOriginExpr()->getArg(0); 854 } 855 856 const BlockDataRegion *BlockCall::getBlockRegion() const { 857 const Expr *Callee = getOriginExpr()->getCallee(); 858 const MemRegion *DataReg = getSVal(Callee).getAsRegion(); 859 860 return dyn_cast_or_null<BlockDataRegion>(DataReg); 861 } 862 863 ArrayRef<ParmVarDecl*> BlockCall::parameters() const { 864 const BlockDecl *D = getDecl(); 865 if (!D) 866 return std::nullopt; 867 return D->parameters(); 868 } 869 870 void BlockCall::getExtraInvalidatedValues(ValueList &Values, 871 RegionAndSymbolInvalidationTraits *ETraits) const { 872 // FIXME: This also needs to invalidate captured globals. 873 if (const MemRegion *R = getBlockRegion()) 874 Values.push_back(loc::MemRegionVal(R)); 875 } 876 877 void BlockCall::getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 878 BindingsTy &Bindings) const { 879 SValBuilder &SVB = getState()->getStateManager().getSValBuilder(); 880 ArrayRef<ParmVarDecl*> Params; 881 if (isConversionFromLambda()) { 882 auto *LambdaOperatorDecl = cast<CXXMethodDecl>(CalleeCtx->getDecl()); 883 Params = LambdaOperatorDecl->parameters(); 884 885 // For blocks converted from a C++ lambda, the callee declaration is the 886 // operator() method on the lambda so we bind "this" to 887 // the lambda captured by the block. 888 const VarRegion *CapturedLambdaRegion = getRegionStoringCapturedLambda(); 889 SVal ThisVal = loc::MemRegionVal(CapturedLambdaRegion); 890 Loc ThisLoc = SVB.getCXXThis(LambdaOperatorDecl, CalleeCtx); 891 Bindings.push_back(std::make_pair(ThisLoc, ThisVal)); 892 } else { 893 Params = cast<BlockDecl>(CalleeCtx->getDecl())->parameters(); 894 } 895 896 addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this, 897 Params); 898 } 899 900 SVal AnyCXXConstructorCall::getCXXThisVal() const { 901 if (Data) 902 return loc::MemRegionVal(static_cast<const MemRegion *>(Data)); 903 return UnknownVal(); 904 } 905 906 void AnyCXXConstructorCall::getExtraInvalidatedValues(ValueList &Values, 907 RegionAndSymbolInvalidationTraits *ETraits) const { 908 SVal V = getCXXThisVal(); 909 if (SymbolRef Sym = V.getAsSymbol(true)) 910 ETraits->setTrait(Sym, 911 RegionAndSymbolInvalidationTraits::TK_SuppressEscape); 912 Values.push_back(V); 913 } 914 915 void AnyCXXConstructorCall::getInitialStackFrameContents( 916 const StackFrameContext *CalleeCtx, 917 BindingsTy &Bindings) const { 918 AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings); 919 920 SVal ThisVal = getCXXThisVal(); 921 if (!ThisVal.isUnknown()) { 922 SValBuilder &SVB = getState()->getStateManager().getSValBuilder(); 923 const auto *MD = cast<CXXMethodDecl>(CalleeCtx->getDecl()); 924 Loc ThisLoc = SVB.getCXXThis(MD, CalleeCtx); 925 Bindings.push_back(std::make_pair(ThisLoc, ThisVal)); 926 } 927 } 928 929 const StackFrameContext * 930 CXXInheritedConstructorCall::getInheritingStackFrame() const { 931 const StackFrameContext *SFC = getLocationContext()->getStackFrame(); 932 while (isa<CXXInheritedCtorInitExpr>(SFC->getCallSite())) 933 SFC = SFC->getParent()->getStackFrame(); 934 return SFC; 935 } 936 937 SVal CXXDestructorCall::getCXXThisVal() const { 938 if (Data) 939 return loc::MemRegionVal(DtorDataTy::getFromOpaqueValue(Data).getPointer()); 940 return UnknownVal(); 941 } 942 943 RuntimeDefinition CXXDestructorCall::getRuntimeDefinition() const { 944 // Base destructors are always called non-virtually. 945 // Skip CXXInstanceCall's devirtualization logic in this case. 946 if (isBaseDestructor()) 947 return AnyFunctionCall::getRuntimeDefinition(); 948 949 return CXXInstanceCall::getRuntimeDefinition(); 950 } 951 952 ArrayRef<ParmVarDecl*> ObjCMethodCall::parameters() const { 953 const ObjCMethodDecl *D = getDecl(); 954 if (!D) 955 return std::nullopt; 956 return D->parameters(); 957 } 958 959 void ObjCMethodCall::getExtraInvalidatedValues( 960 ValueList &Values, RegionAndSymbolInvalidationTraits *ETraits) const { 961 962 // If the method call is a setter for property known to be backed by 963 // an instance variable, don't invalidate the entire receiver, just 964 // the storage for that instance variable. 965 if (const ObjCPropertyDecl *PropDecl = getAccessedProperty()) { 966 if (const ObjCIvarDecl *PropIvar = PropDecl->getPropertyIvarDecl()) { 967 SVal IvarLVal = getState()->getLValue(PropIvar, getReceiverSVal()); 968 if (const MemRegion *IvarRegion = IvarLVal.getAsRegion()) { 969 ETraits->setTrait( 970 IvarRegion, 971 RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion); 972 ETraits->setTrait( 973 IvarRegion, 974 RegionAndSymbolInvalidationTraits::TK_SuppressEscape); 975 Values.push_back(IvarLVal); 976 } 977 return; 978 } 979 } 980 981 Values.push_back(getReceiverSVal()); 982 } 983 984 SVal ObjCMethodCall::getReceiverSVal() const { 985 // FIXME: Is this the best way to handle class receivers? 986 if (!isInstanceMessage()) 987 return UnknownVal(); 988 989 if (const Expr *RecE = getOriginExpr()->getInstanceReceiver()) 990 return getSVal(RecE); 991 992 // An instance message with no expression means we are sending to super. 993 // In this case the object reference is the same as 'self'. 994 assert(getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance); 995 SVal SelfVal = getState()->getSelfSVal(getLocationContext()); 996 assert(SelfVal.isValid() && "Calling super but not in ObjC method"); 997 return SelfVal; 998 } 999 1000 bool ObjCMethodCall::isReceiverSelfOrSuper() const { 1001 if (getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance || 1002 getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperClass) 1003 return true; 1004 1005 if (!isInstanceMessage()) 1006 return false; 1007 1008 SVal RecVal = getSVal(getOriginExpr()->getInstanceReceiver()); 1009 SVal SelfVal = getState()->getSelfSVal(getLocationContext()); 1010 1011 return (RecVal == SelfVal); 1012 } 1013 1014 SourceRange ObjCMethodCall::getSourceRange() const { 1015 switch (getMessageKind()) { 1016 case OCM_Message: 1017 return getOriginExpr()->getSourceRange(); 1018 case OCM_PropertyAccess: 1019 case OCM_Subscript: 1020 return getContainingPseudoObjectExpr()->getSourceRange(); 1021 } 1022 llvm_unreachable("unknown message kind"); 1023 } 1024 1025 using ObjCMessageDataTy = llvm::PointerIntPair<const PseudoObjectExpr *, 2>; 1026 1027 const PseudoObjectExpr *ObjCMethodCall::getContainingPseudoObjectExpr() const { 1028 assert(Data && "Lazy lookup not yet performed."); 1029 assert(getMessageKind() != OCM_Message && "Explicit message send."); 1030 return ObjCMessageDataTy::getFromOpaqueValue(Data).getPointer(); 1031 } 1032 1033 static const Expr * 1034 getSyntacticFromForPseudoObjectExpr(const PseudoObjectExpr *POE) { 1035 const Expr *Syntactic = POE->getSyntacticForm()->IgnoreParens(); 1036 1037 // This handles the funny case of assigning to the result of a getter. 1038 // This can happen if the getter returns a non-const reference. 1039 if (const auto *BO = dyn_cast<BinaryOperator>(Syntactic)) 1040 Syntactic = BO->getLHS()->IgnoreParens(); 1041 1042 return Syntactic; 1043 } 1044 1045 ObjCMessageKind ObjCMethodCall::getMessageKind() const { 1046 if (!Data) { 1047 // Find the parent, ignoring implicit casts. 1048 const ParentMap &PM = getLocationContext()->getParentMap(); 1049 const Stmt *S = PM.getParentIgnoreParenCasts(getOriginExpr()); 1050 1051 // Check if parent is a PseudoObjectExpr. 1052 if (const auto *POE = dyn_cast_or_null<PseudoObjectExpr>(S)) { 1053 const Expr *Syntactic = getSyntacticFromForPseudoObjectExpr(POE); 1054 1055 ObjCMessageKind K; 1056 switch (Syntactic->getStmtClass()) { 1057 case Stmt::ObjCPropertyRefExprClass: 1058 K = OCM_PropertyAccess; 1059 break; 1060 case Stmt::ObjCSubscriptRefExprClass: 1061 K = OCM_Subscript; 1062 break; 1063 default: 1064 // FIXME: Can this ever happen? 1065 K = OCM_Message; 1066 break; 1067 } 1068 1069 if (K != OCM_Message) { 1070 const_cast<ObjCMethodCall *>(this)->Data 1071 = ObjCMessageDataTy(POE, K).getOpaqueValue(); 1072 assert(getMessageKind() == K); 1073 return K; 1074 } 1075 } 1076 1077 const_cast<ObjCMethodCall *>(this)->Data 1078 = ObjCMessageDataTy(nullptr, 1).getOpaqueValue(); 1079 assert(getMessageKind() == OCM_Message); 1080 return OCM_Message; 1081 } 1082 1083 ObjCMessageDataTy Info = ObjCMessageDataTy::getFromOpaqueValue(Data); 1084 if (!Info.getPointer()) 1085 return OCM_Message; 1086 return static_cast<ObjCMessageKind>(Info.getInt()); 1087 } 1088 1089 const ObjCPropertyDecl *ObjCMethodCall::getAccessedProperty() const { 1090 // Look for properties accessed with property syntax (foo.bar = ...) 1091 if (getMessageKind() == OCM_PropertyAccess) { 1092 const PseudoObjectExpr *POE = getContainingPseudoObjectExpr(); 1093 assert(POE && "Property access without PseudoObjectExpr?"); 1094 1095 const Expr *Syntactic = getSyntacticFromForPseudoObjectExpr(POE); 1096 auto *RefExpr = cast<ObjCPropertyRefExpr>(Syntactic); 1097 1098 if (RefExpr->isExplicitProperty()) 1099 return RefExpr->getExplicitProperty(); 1100 } 1101 1102 // Look for properties accessed with method syntax ([foo setBar:...]). 1103 const ObjCMethodDecl *MD = getDecl(); 1104 if (!MD || !MD->isPropertyAccessor()) 1105 return nullptr; 1106 1107 // Note: This is potentially quite slow. 1108 return MD->findPropertyDecl(); 1109 } 1110 1111 bool ObjCMethodCall::canBeOverridenInSubclass(ObjCInterfaceDecl *IDecl, 1112 Selector Sel) const { 1113 assert(IDecl); 1114 AnalysisManager &AMgr = 1115 getState()->getStateManager().getOwningEngine().getAnalysisManager(); 1116 // If the class interface is declared inside the main file, assume it is not 1117 // subcassed. 1118 // TODO: It could actually be subclassed if the subclass is private as well. 1119 // This is probably very rare. 1120 SourceLocation InterfLoc = IDecl->getEndOfDefinitionLoc(); 1121 if (InterfLoc.isValid() && AMgr.isInCodeFile(InterfLoc)) 1122 return false; 1123 1124 // Assume that property accessors are not overridden. 1125 if (getMessageKind() == OCM_PropertyAccess) 1126 return false; 1127 1128 // We assume that if the method is public (declared outside of main file) or 1129 // has a parent which publicly declares the method, the method could be 1130 // overridden in a subclass. 1131 1132 // Find the first declaration in the class hierarchy that declares 1133 // the selector. 1134 ObjCMethodDecl *D = nullptr; 1135 while (true) { 1136 D = IDecl->lookupMethod(Sel, true); 1137 1138 // Cannot find a public definition. 1139 if (!D) 1140 return false; 1141 1142 // If outside the main file, 1143 if (D->getLocation().isValid() && !AMgr.isInCodeFile(D->getLocation())) 1144 return true; 1145 1146 if (D->isOverriding()) { 1147 // Search in the superclass on the next iteration. 1148 IDecl = D->getClassInterface(); 1149 if (!IDecl) 1150 return false; 1151 1152 IDecl = IDecl->getSuperClass(); 1153 if (!IDecl) 1154 return false; 1155 1156 continue; 1157 } 1158 1159 return false; 1160 }; 1161 1162 llvm_unreachable("The while loop should always terminate."); 1163 } 1164 1165 static const ObjCMethodDecl *findDefiningRedecl(const ObjCMethodDecl *MD) { 1166 if (!MD) 1167 return MD; 1168 1169 // Find the redeclaration that defines the method. 1170 if (!MD->hasBody()) { 1171 for (auto *I : MD->redecls()) 1172 if (I->hasBody()) 1173 MD = cast<ObjCMethodDecl>(I); 1174 } 1175 return MD; 1176 } 1177 1178 struct PrivateMethodKey { 1179 const ObjCInterfaceDecl *Interface; 1180 Selector LookupSelector; 1181 bool IsClassMethod; 1182 }; 1183 1184 namespace llvm { 1185 template <> struct DenseMapInfo<PrivateMethodKey> { 1186 using InterfaceInfo = DenseMapInfo<const ObjCInterfaceDecl *>; 1187 using SelectorInfo = DenseMapInfo<Selector>; 1188 1189 static inline PrivateMethodKey getEmptyKey() { 1190 return {InterfaceInfo::getEmptyKey(), SelectorInfo::getEmptyKey(), false}; 1191 } 1192 1193 static inline PrivateMethodKey getTombstoneKey() { 1194 return {InterfaceInfo::getTombstoneKey(), SelectorInfo::getTombstoneKey(), 1195 true}; 1196 } 1197 1198 static unsigned getHashValue(const PrivateMethodKey &Key) { 1199 return llvm::hash_combine( 1200 llvm::hash_code(InterfaceInfo::getHashValue(Key.Interface)), 1201 llvm::hash_code(SelectorInfo::getHashValue(Key.LookupSelector)), 1202 Key.IsClassMethod); 1203 } 1204 1205 static bool isEqual(const PrivateMethodKey &LHS, 1206 const PrivateMethodKey &RHS) { 1207 return InterfaceInfo::isEqual(LHS.Interface, RHS.Interface) && 1208 SelectorInfo::isEqual(LHS.LookupSelector, RHS.LookupSelector) && 1209 LHS.IsClassMethod == RHS.IsClassMethod; 1210 } 1211 }; 1212 } // end namespace llvm 1213 1214 static const ObjCMethodDecl * 1215 lookupRuntimeDefinition(const ObjCInterfaceDecl *Interface, 1216 Selector LookupSelector, bool InstanceMethod) { 1217 // Repeatedly calling lookupPrivateMethod() is expensive, especially 1218 // when in many cases it returns null. We cache the results so 1219 // that repeated queries on the same ObjCIntefaceDecl and Selector 1220 // don't incur the same cost. On some test cases, we can see the 1221 // same query being issued thousands of times. 1222 // 1223 // NOTE: This cache is essentially a "global" variable, but it 1224 // only gets lazily created when we get here. The value of the 1225 // cache probably comes from it being global across ExprEngines, 1226 // where the same queries may get issued. If we are worried about 1227 // concurrency, or possibly loading/unloading ASTs, etc., we may 1228 // need to revisit this someday. In terms of memory, this table 1229 // stays around until clang quits, which also may be bad if we 1230 // need to release memory. 1231 using PrivateMethodCache = 1232 llvm::DenseMap<PrivateMethodKey, std::optional<const ObjCMethodDecl *>>; 1233 1234 static PrivateMethodCache PMC; 1235 std::optional<const ObjCMethodDecl *> &Val = 1236 PMC[{Interface, LookupSelector, InstanceMethod}]; 1237 1238 // Query lookupPrivateMethod() if the cache does not hit. 1239 if (!Val) { 1240 Val = Interface->lookupPrivateMethod(LookupSelector, InstanceMethod); 1241 1242 if (!*Val) { 1243 // Query 'lookupMethod' as a backup. 1244 Val = Interface->lookupMethod(LookupSelector, InstanceMethod); 1245 } 1246 } 1247 1248 return *Val; 1249 } 1250 1251 RuntimeDefinition ObjCMethodCall::getRuntimeDefinition() const { 1252 const ObjCMessageExpr *E = getOriginExpr(); 1253 assert(E); 1254 Selector Sel = E->getSelector(); 1255 1256 if (E->isInstanceMessage()) { 1257 // Find the receiver type. 1258 const ObjCObjectType *ReceiverT = nullptr; 1259 bool CanBeSubClassed = false; 1260 bool LookingForInstanceMethod = true; 1261 QualType SupersType = E->getSuperType(); 1262 const MemRegion *Receiver = nullptr; 1263 1264 if (!SupersType.isNull()) { 1265 // The receiver is guaranteed to be 'super' in this case. 1266 // Super always means the type of immediate predecessor to the method 1267 // where the call occurs. 1268 ReceiverT = cast<ObjCObjectPointerType>(SupersType)->getObjectType(); 1269 } else { 1270 Receiver = getReceiverSVal().getAsRegion(); 1271 if (!Receiver) 1272 return {}; 1273 1274 DynamicTypeInfo DTI = getDynamicTypeInfo(getState(), Receiver); 1275 if (!DTI.isValid()) { 1276 assert(isa<AllocaRegion>(Receiver) && 1277 "Unhandled untyped region class!"); 1278 return {}; 1279 } 1280 1281 QualType DynType = DTI.getType(); 1282 CanBeSubClassed = DTI.canBeASubClass(); 1283 1284 const auto *ReceiverDynT = 1285 dyn_cast<ObjCObjectPointerType>(DynType.getCanonicalType()); 1286 1287 if (ReceiverDynT) { 1288 ReceiverT = ReceiverDynT->getObjectType(); 1289 1290 // It can be actually class methods called with Class object as a 1291 // receiver. This type of messages is treated by the compiler as 1292 // instance (not class). 1293 if (ReceiverT->isObjCClass()) { 1294 1295 SVal SelfVal = getState()->getSelfSVal(getLocationContext()); 1296 // For [self classMethod], return compiler visible declaration. 1297 if (Receiver == SelfVal.getAsRegion()) { 1298 return RuntimeDefinition(findDefiningRedecl(E->getMethodDecl())); 1299 } 1300 1301 // Otherwise, let's check if we know something about the type 1302 // inside of this class object. 1303 if (SymbolRef ReceiverSym = getReceiverSVal().getAsSymbol()) { 1304 DynamicTypeInfo DTI = 1305 getClassObjectDynamicTypeInfo(getState(), ReceiverSym); 1306 if (DTI.isValid()) { 1307 // Let's use this type for lookup. 1308 ReceiverT = 1309 cast<ObjCObjectType>(DTI.getType().getCanonicalType()); 1310 1311 CanBeSubClassed = DTI.canBeASubClass(); 1312 // And it should be a class method instead. 1313 LookingForInstanceMethod = false; 1314 } 1315 } 1316 } 1317 1318 if (CanBeSubClassed) 1319 if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterface()) 1320 // Even if `DynamicTypeInfo` told us that it can be 1321 // not necessarily this type, but its descendants, we still want 1322 // to check again if this selector can be actually overridden. 1323 CanBeSubClassed = canBeOverridenInSubclass(IDecl, Sel); 1324 } 1325 } 1326 1327 // Lookup the instance method implementation. 1328 if (ReceiverT) 1329 if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterface()) { 1330 const ObjCMethodDecl *MD = 1331 lookupRuntimeDefinition(IDecl, Sel, LookingForInstanceMethod); 1332 1333 if (MD && !MD->hasBody()) 1334 MD = MD->getCanonicalDecl(); 1335 1336 if (CanBeSubClassed) 1337 return RuntimeDefinition(MD, Receiver); 1338 else 1339 return RuntimeDefinition(MD, nullptr); 1340 } 1341 } else { 1342 // This is a class method. 1343 // If we have type info for the receiver class, we are calling via 1344 // class name. 1345 if (ObjCInterfaceDecl *IDecl = E->getReceiverInterface()) { 1346 // Find/Return the method implementation. 1347 return RuntimeDefinition(IDecl->lookupPrivateClassMethod(Sel)); 1348 } 1349 } 1350 1351 return {}; 1352 } 1353 1354 bool ObjCMethodCall::argumentsMayEscape() const { 1355 if (isInSystemHeader() && !isInstanceMessage()) { 1356 Selector Sel = getSelector(); 1357 if (Sel.getNumArgs() == 1 && 1358 Sel.getIdentifierInfoForSlot(0)->isStr("valueWithPointer")) 1359 return true; 1360 } 1361 1362 return CallEvent::argumentsMayEscape(); 1363 } 1364 1365 void ObjCMethodCall::getInitialStackFrameContents( 1366 const StackFrameContext *CalleeCtx, 1367 BindingsTy &Bindings) const { 1368 const auto *D = cast<ObjCMethodDecl>(CalleeCtx->getDecl()); 1369 SValBuilder &SVB = getState()->getStateManager().getSValBuilder(); 1370 addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this, 1371 D->parameters()); 1372 1373 SVal SelfVal = getReceiverSVal(); 1374 if (!SelfVal.isUnknown()) { 1375 const VarDecl *SelfD = CalleeCtx->getAnalysisDeclContext()->getSelfDecl(); 1376 MemRegionManager &MRMgr = SVB.getRegionManager(); 1377 Loc SelfLoc = SVB.makeLoc(MRMgr.getVarRegion(SelfD, CalleeCtx)); 1378 Bindings.push_back(std::make_pair(SelfLoc, SelfVal)); 1379 } 1380 } 1381 1382 CallEventRef<> 1383 CallEventManager::getSimpleCall(const CallExpr *CE, ProgramStateRef State, 1384 const LocationContext *LCtx, 1385 CFGBlock::ConstCFGElementRef ElemRef) { 1386 if (const auto *MCE = dyn_cast<CXXMemberCallExpr>(CE)) 1387 return create<CXXMemberCall>(MCE, State, LCtx, ElemRef); 1388 1389 if (const auto *OpCE = dyn_cast<CXXOperatorCallExpr>(CE)) { 1390 const FunctionDecl *DirectCallee = OpCE->getDirectCallee(); 1391 if (const auto *MD = dyn_cast<CXXMethodDecl>(DirectCallee)) 1392 if (MD->isInstance()) 1393 return create<CXXMemberOperatorCall>(OpCE, State, LCtx, ElemRef); 1394 1395 } else if (CE->getCallee()->getType()->isBlockPointerType()) { 1396 return create<BlockCall>(CE, State, LCtx, ElemRef); 1397 } 1398 1399 // Otherwise, it's a normal function call, static member function call, or 1400 // something we can't reason about. 1401 return create<SimpleFunctionCall>(CE, State, LCtx, ElemRef); 1402 } 1403 1404 CallEventRef<> 1405 CallEventManager::getCaller(const StackFrameContext *CalleeCtx, 1406 ProgramStateRef State) { 1407 const LocationContext *ParentCtx = CalleeCtx->getParent(); 1408 const LocationContext *CallerCtx = ParentCtx->getStackFrame(); 1409 CFGBlock::ConstCFGElementRef ElemRef = {CalleeCtx->getCallSiteBlock(), 1410 CalleeCtx->getIndex()}; 1411 assert(CallerCtx && "This should not be used for top-level stack frames"); 1412 1413 const Stmt *CallSite = CalleeCtx->getCallSite(); 1414 1415 if (CallSite) { 1416 if (CallEventRef<> Out = getCall(CallSite, State, CallerCtx, ElemRef)) 1417 return Out; 1418 1419 SValBuilder &SVB = State->getStateManager().getSValBuilder(); 1420 const auto *Ctor = cast<CXXMethodDecl>(CalleeCtx->getDecl()); 1421 Loc ThisPtr = SVB.getCXXThis(Ctor, CalleeCtx); 1422 SVal ThisVal = State->getSVal(ThisPtr); 1423 1424 if (const auto *CE = dyn_cast<CXXConstructExpr>(CallSite)) 1425 return getCXXConstructorCall(CE, ThisVal.getAsRegion(), State, CallerCtx, 1426 ElemRef); 1427 else if (const auto *CIE = dyn_cast<CXXInheritedCtorInitExpr>(CallSite)) 1428 return getCXXInheritedConstructorCall(CIE, ThisVal.getAsRegion(), State, 1429 CallerCtx, ElemRef); 1430 else { 1431 // All other cases are handled by getCall. 1432 llvm_unreachable("This is not an inlineable statement"); 1433 } 1434 } 1435 1436 // Fall back to the CFG. The only thing we haven't handled yet is 1437 // destructors, though this could change in the future. 1438 const CFGBlock *B = CalleeCtx->getCallSiteBlock(); 1439 CFGElement E = (*B)[CalleeCtx->getIndex()]; 1440 assert((E.getAs<CFGImplicitDtor>() || E.getAs<CFGTemporaryDtor>()) && 1441 "All other CFG elements should have exprs"); 1442 1443 SValBuilder &SVB = State->getStateManager().getSValBuilder(); 1444 const auto *Dtor = cast<CXXDestructorDecl>(CalleeCtx->getDecl()); 1445 Loc ThisPtr = SVB.getCXXThis(Dtor, CalleeCtx); 1446 SVal ThisVal = State->getSVal(ThisPtr); 1447 1448 const Stmt *Trigger; 1449 if (std::optional<CFGAutomaticObjDtor> AutoDtor = 1450 E.getAs<CFGAutomaticObjDtor>()) 1451 Trigger = AutoDtor->getTriggerStmt(); 1452 else if (std::optional<CFGDeleteDtor> DeleteDtor = E.getAs<CFGDeleteDtor>()) 1453 Trigger = DeleteDtor->getDeleteExpr(); 1454 else 1455 Trigger = Dtor->getBody(); 1456 1457 return getCXXDestructorCall(Dtor, Trigger, ThisVal.getAsRegion(), 1458 E.getAs<CFGBaseDtor>().has_value(), State, 1459 CallerCtx, ElemRef); 1460 } 1461 1462 CallEventRef<> CallEventManager::getCall(const Stmt *S, ProgramStateRef State, 1463 const LocationContext *LC, 1464 CFGBlock::ConstCFGElementRef ElemRef) { 1465 if (const auto *CE = dyn_cast<CallExpr>(S)) { 1466 return getSimpleCall(CE, State, LC, ElemRef); 1467 } else if (const auto *NE = dyn_cast<CXXNewExpr>(S)) { 1468 return getCXXAllocatorCall(NE, State, LC, ElemRef); 1469 } else if (const auto *DE = dyn_cast<CXXDeleteExpr>(S)) { 1470 return getCXXDeallocatorCall(DE, State, LC, ElemRef); 1471 } else if (const auto *ME = dyn_cast<ObjCMessageExpr>(S)) { 1472 return getObjCMethodCall(ME, State, LC, ElemRef); 1473 } else { 1474 return nullptr; 1475 } 1476 } 1477