Ted Kremenekdd54de82011-03-12 02:49:15 +00001//=== IteratorsChecker.cpp - Check for Invalidated Iterators ------*- C++ -*----
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This defines IteratorsChecker, a number of small checks for conditions
11// leading to invalid iterators being used.
12// FIXME: Currently only supports 'vector' and 'deque'
13//
14//===----------------------------------------------------------------------===//
15
16#include "clang/AST/DeclTemplate.h"
17#include "clang/Basic/SourceManager.h"
18#include "ClangSACheckers.h"
19#include "clang/StaticAnalyzer/Core/Checker.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
21#include "clang/StaticAnalyzer/Core/CheckerManager.h"
22#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
23#include "clang/StaticAnalyzer/Core/PathSensitive/GRStateTrait.h"
24#include "clang/AST/DeclCXX.h"
25#include "clang/AST/Decl.h"
26#include "clang/AST/Type.h"
27#include "clang/AST/PrettyPrinter.h"
28#include "llvm/ADT/SmallPtrSet.h"
29#include "llvm/ADT/StringSwitch.h"
30
31
32using namespace clang;
33using namespace ento;
34
35// This is the state associated with each iterator which includes both the
36// kind of state and the instance used to initialize it.
37// FIXME: add location where invalidated for better error reporting.
38namespace {
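class RefState {
  // What is known about one tracked iterator, plus the datum explaining it:
  //   BeginValid / EndValid: VR is the MemRegion of the container the
  //     iterator came from (begin/insert/erase vs. end). Nothing in this
  //     file treats the two differently yet.
  //   Invalid: VR is the MemberExpr of the mutating call, or null when the
  //     whole container was overwritten by an assignment.
  //   Undefined: declared without a usable initializer; VR is null.
  //   Unknown: initialized from something this checker does not model;
  //     VR is null.
  enum Kind { BeginValid, EndValid, Invalid, Undefined, Unknown } K;
  const void *VR;

  // Only the named factories below build fresh states, so K and VR agree.
  RefState(Kind k, const void *vr) : K(k), VR(vr) {}

public:
  bool isValid() const { return K == BeginValid || K == EndValid; }
  bool isInvalid() const { return K == Invalid; }
  bool isUndefined() const { return K == Undefined; }
  bool isUnknown() const { return K == Unknown; }

  // Container region of a valid iterator; null for every other kind, so a
  // caller must check isValid() before reading a null result as "same
  // container".
  const MemRegion *getMemRegion() const {
    if (!isValid())
      return 0;
    return static_cast<const MemRegion *>(VR);
  }
  // The call that invalidated an Invalid iterator; null otherwise, and also
  // null for the container-overwrite case where no call was recorded.
  const MemberExpr *getMemberExpr() const {
    if (K != Invalid)
      return 0;
    return static_cast<const MemberExpr *>(VR);
  }

  bool operator==(const RefState &X) const {
    return K == X.K && VR == X.VR;
  }

  static RefState getBeginValid(const MemRegion *vr) {
    assert(vr && "a valid iterator needs its container region");
    return RefState(BeginValid, vr);
  }
  static RefState getEndValid(const MemRegion *vr) {
    assert(vr && "a valid iterator needs its container region");
    return RefState(EndValid, vr);
  }
  // ME may be null (see getMemberExpr).
  static RefState getInvalid(const MemberExpr *ME) {
    return RefState(Invalid, ME);
  }
  static RefState getUndefined() {
    return RefState(Undefined, 0);
  }
  static RefState getUnknown() {
    return RefState(Unknown, 0);
  }

  // Fold the state into a FoldingSetNodeID so the ImmutableMap can unique
  // entries.
  void Profile(llvm::FoldingSetNodeID &ID) const {
    ID.AddInteger(K);
    ID.AddPointer(VR);
  }
};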
88
// Classification of a type as seen by this checker.
enum RefKind {
  NoKind,             // not a type we track
  VectorKind,         // std::vector or std::deque
  VectorIteratorKind  // an iterator member typedef of one of those
};
90
class IteratorsChecker :
    public Checker<check::PreStmt<CXXOperatorCallExpr>,
                   check::PreStmt<DeclStmt>,
                   check::PreStmt<CXXMemberCallExpr>,
                   check::PreStmt<CallExpr> >
  {
  // Bug types, created lazily by the (const) check callbacks and reused for
  // every report of that kind. Nothing in this file deletes them;
  // NOTE(review): confirm whether BugReporter takes ownership.
  BuiltinBug *BT_Invalid, *BT_Undefined, *BT_Incompatible;

public:
  IteratorsChecker() :
    BT_Invalid(0), BT_Undefined(0), BT_Incompatible(0)
  {}
  // Key for this checker's slot in the state's generic data map; the
  // address of a function-local static is unique to this checker.
  static void *getTag() { static int tag; return &tag; }

  // Checker entry points.
  // operator=: records the new state of the target; comparisons: checks both
  // sides refer to the same container.
  void checkPreStmt(const CXXOperatorCallExpr *OCE,
                    CheckerContext &C) const;

  // Marks newly declared iterators Undefined, then applies their initializer.
  void checkPreStmt(const DeclStmt *DS,
                    CheckerContext &C) const;

  // Invalidates iterators of a container on mutating member calls.
  void checkPreStmt(const CXXMemberCallExpr *MCE,
                    CheckerContext &C) const;

  // Plain calls: every argument is a use of the iterator passed.
  void checkPreStmt(const CallExpr *CE,
                    CheckerContext &C) const;

private:
  // Assignment where the target region must be recovered from 'lexp'.
  const GRState *handleAssign(const GRState *state, const Expr *lexp,
      const Expr *rexp, const LocationContext *LC) const;
  // Assignment to the iterator stored in region MR from expression 'rexp'.
  const GRState *handleAssign(const GRState *state, const MemRegion *MR,
      const Expr *rexp, const LocationContext *LC) const;
  // Marks every iterator obtained from container MR as Invalid (ME names the
  // mutating call and may be null).
  const GRState *invalidateIterators(const GRState *state, const MemRegion *MR,
      const MemberExpr *ME) const;
  // Reports a use of an Invalid or Undefined iterator.
  void checkExpr(CheckerContext &C, const Expr *E) const;
  // Runs checkExpr on each argument of CE.
  void checkArgs(CheckerContext &C, const CallExpr *CE) const;
  // Region of the iterator variable an expression names, or NULL.
  const MemRegion *getRegion(const GRState *state, const Expr *E,
      const LocationContext *LC) const;
  // DeclRefExpr of a tracked iterator variable behind E, or NULL.
  const DeclRefExpr *getDeclRefExpr(const Expr *E) const;
};
132
// Per-state map from an iterator variable's MemRegion to what is known about
// it. Stored as an llvm::ImmutableMap, so every update yields a new map
// (state->set<IteratorState>(...)) rather than mutating in place.
class IteratorState {
public:
  typedef llvm::ImmutableMap<const MemRegion *, RefState> EntryMap;
};
137} //end anonymous namespace
138
namespace clang {
  namespace ento {
    // Registers IteratorState as a partial trait of GRState: the state's
    // generic data map carries one EntryMap (iterator region -> RefState),
    // reached through state->get/set<IteratorState>(...).
    template <>
    struct GRStateTrait<IteratorState>
      : public GRStatePartialTrait<IteratorState::EntryMap> {
      // Slot key in the data map; shared with the checker so both agree.
      static void *GDMIndex() { return IteratorsChecker::getTag(); }
    };
  }
}
148
// Entry point used by the checker registry to instantiate this checker.
void ento::registerIteratorsChecker(CheckerManager &mgr) {
  mgr.registerChecker<IteratorsChecker>();
}
152
153// ===============================================
154// Utility functions used by visitor functions
155// ===============================================
156
// Classify a declaration as std::vector/std::deque (VectorKind) or NoKind.
// Only a 'std' that sits directly in the translation unit qualifies, so a
// container declared in a nested namespace under std is not recognized
// (NOTE(review): library implementations that wrap std in an inline
// namespace would be missed — confirm whether that matters here).
static RefKind getTemplateKind(const NamedDecl *td) {
  const NamespaceDecl *ns = dyn_cast<NamespaceDecl>(td->getDeclContext());
  if (!ns)
    return NoKind;
  if (!isa<TranslationUnitDecl>(ns->getDeclContext()))
    return NoKind;
  if (ns->getName() != "std")
    return NoKind;

  llvm::StringRef name = td->getName();
  if (name == "vector" || name == "deque")
    return VectorKind;
  return NoKind;
}
170
// A DeclContext is interesting only when it is an instantiated class
// template specialization (e.g. std::vector<int>); classify it by name.
static RefKind getTemplateKind(const DeclContext *dc) {
  const ClassTemplateSpecializationDecl *spec =
    dyn_cast<ClassTemplateSpecializationDecl>(dc);
  if (!spec)
    return NoKind;
  return getTemplateKind(cast<NamedDecl>(spec));
}
177
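// Classify a typedef as a vector/deque iterator type (VectorIteratorKind) or
// NoKind. The typedef must be a member of a std::vector/std::deque
// specialization and be one of the standard iterator member typedefs.
static RefKind getTemplateKind(const TypedefType *tdt) {
  const TypedefDecl *td = tdt->getDecl();
  if (getTemplateKind(td->getDeclContext()) != VectorKind)
    return NoKind;
  // const_reverse_iterator is the fourth standard iterator typedef and is
  // invalidated exactly like the other three, so it is tracked as well.
  return llvm::StringSwitch<RefKind>(td->getName())
    .Cases("iterator",
           "const_iterator",
           "reverse_iterator", VectorIteratorKind)
    .Case("const_reverse_iterator", VectorIteratorKind)
    .Default(NoKind);
}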
190
// Classify a template-id type (vector<T>) through the template it names.
// Dependent or otherwise unresolved template names yield NoKind.
static RefKind getTemplateKind(const TemplateSpecializationType *tsp) {
  if (TemplateDecl *td = tsp->getTemplateName().getAsTemplateDecl())
    return getTemplateKind(td);
  return NoKind;
}
198
// Classify an arbitrary type. Handles a bare template-id, and a qualified
// spelling (std::vector<T>, vector<T>::iterator) whose named type is either
// an iterator typedef or a template-id. Anything else is NoKind.
static RefKind getTemplateKind(QualType T) {
  if (const TemplateSpecializationType *tsp =
        T->getAs<TemplateSpecializationType>())
    return getTemplateKind(tsp);

  const ElaboratedType *ET = dyn_cast<ElaboratedType>(T);
  if (!ET)
    return NoKind;

  QualType named = ET->getNamedType();
  if (const TypedefType *tdt = named->getAs<TypedefType>())
    return getTemplateKind(tdt);
  if (const TemplateSpecializationType *tsp =
        named->getAs<TemplateSpecializationType>())
    return getTemplateKind(tsp);
  return NoKind;
}
215
// Walk the iterator map and mark every iterator obtained from container MR
// as Invalid, recording ME (the mutating call, or null for a container
// overwrite) so that the report can name it.
const GRState *IteratorsChecker::invalidateIterators(const GRState *state,
    const MemRegion *MR, const MemberExpr *ME) const {
  IteratorState::EntryMap Map = state->get<IteratorState>();
  if (Map.isEmpty())
    return state;

  // Map is a snapshot: set<> yields a new state, so updating 'state' while
  // walking the snapshot is safe. getMemRegion() is null for non-valid
  // states and callers pass a non-null MR, so only valid iterators match.
  const RefState Invalidated = RefState::getInvalid(ME);
  for (IteratorState::EntryMap::iterator I = Map.begin(), E = Map.end();
       I != E; ++I) {
    const MemRegion *Owner = I.getData().getMemRegion();
    if (Owner != MR)
      continue;
    state = state->set<IteratorState>(I.getKey(), Invalidated);
  }
  return state;
}
235
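// Handle an assignment whose target is an expression rather than a known
// region: either a whole container being overwritten, or an iterator.
const GRState *IteratorsChecker::handleAssign(const GRState *state,
    const Expr *lexp, const Expr *rexp, const LocationContext *LC) const {
  // Skip the cast if present.
  if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(lexp))
    lexp = ICE->getSubExpr();
  const MemRegion *MR = state->getSVal(lexp).getAsRegion();
  if (!MR)
    return state;

  // Classify once and use it for both tests below.
  RefKind kind = getTemplateKind(lexp->getType());

  // Overwriting a container leaves every iterator obtained from it stale.
  // No MemberExpr is recorded; checkExpr reports this as a container copy.
  if (kind == VectorKind)
    return invalidateIterators(state, MR, 0);

  // Anything that is not an iterator of a tracked container is ignored.
  if (kind != VectorIteratorKind)
    return state;
  return handleAssign(state, MR, rexp, LC);
}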
257
// Handle assigning to the iterator stored in region MR from 'rexp'.
// Three source forms are modelled: a member call on a container
// (begin/end/insert/erase), a copy of another tracked iterator, and
// iterator +/- offset. Everything else leaves the iterator Unknown.
const GRState *IteratorsChecker::handleAssign(const GRState *state,
    const MemRegion *MR, const Expr *rexp, const LocationContext *LC) const {
  // Assume unknown until we find something definite. Every exit below
  // returns a state in which MR is present, which the +/- case relies on.
  state = state->set<IteratorState>(MR, RefState::getUnknown());
  if (isa<ImplicitCastExpr>(rexp))
    rexp = dyn_cast<ImplicitCastExpr>(rexp)->getSubExpr();
  // Need to handle three cases: MemberCall, copy, copy with addition.
  // A CXXOperatorCallExpr is also a CallExpr, but its callee is not a
  // MemberExpr, so it falls through to the operator case further down.
  if (const CallExpr *CE = dyn_cast<CallExpr>(rexp)) {
    // Handle MemberCall.
    if (const MemberExpr *ME = dyn_cast<MemberExpr>(CE->getCallee())) {
      const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(ME->getBase());
      if (!DRE)
        return state;
      // Verify that the receiver is a std::vector<T> / std::deque<T>.
      if (getTemplateKind(DRE->getType()) != VectorKind)
        return state;
      // Now get the MemRegion associated with the instance.
      const VarDecl *VD = dyn_cast<VarDecl>(DRE->getDecl());
      if (!VD)
        return state;
      const MemRegion *IMR = state->getRegion(VD, LC);
      if (!IMR)
        return state;
      // Finally, see if it is one of the calls that will create
      // a valid iterator and mark it if so, else mark as Unknown.
      // insert/erase return an iterator into the container, hence BeginValid.
      llvm::StringRef mName = ME->getMemberDecl()->getName();

      if (llvm::StringSwitch<bool>(mName)
          .Cases("begin", "insert", "erase", true).Default(false)) {
        return state->set<IteratorState>(MR, RefState::getBeginValid(IMR));
      }
      if (mName == "end")
        return state->set<IteratorState>(MR, RefState::getEndValid(IMR));

      return state->set<IteratorState>(MR, RefState::getUnknown());
    }
  }
  // Handle straight copy from another iterator.
  if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(rexp)) {
    if (getTemplateKind(DRE->getType()) != VectorIteratorKind)
      return state;
    // Now get the MemRegion associated with the instance.
    const VarDecl *VD = dyn_cast<VarDecl>(DRE->getDecl());
    if (!VD)
      return state;
    const MemRegion *IMR = state->getRegion(VD, LC);
    if (!IMR)
      return state;
    // Get the RefState of the iterator being copied.
    const RefState *RS = state->get<IteratorState>(IMR);
    if (!RS)
      return state;
    // Use it to set the state of the LValue. Copying an Invalid or
    // Undefined iterator propagates that state (the use itself is reported
    // by the caller's checkExpr).
    return state->set<IteratorState>(MR, *RS);
  }
  // If we have operator+ or operator- ...
  if (const CXXOperatorCallExpr *OCE = dyn_cast<CXXOperatorCallExpr>(rexp)) {
    OverloadedOperatorKind Kind = OCE->getOperator();
    if (Kind == OO_Plus || Kind == OO_Minus) {
      // Check left side of tree for a valid value.
      state = handleAssign( state, MR, OCE->getArg(0), LC);
      // RS is non-null: the recursive call starts by recording MR as Unknown.
      const RefState *RS = state->get<IteratorState>(MR);
      // If found, return it.
      if (!RS->isUnknown())
        return state;
      // Otherwise return what we find in the right side.
      return handleAssign(state, MR, OCE->getArg(1), LC);
    }
  }
  // Fall through if nothing matched.
  return state;
}
331
// Every argument of a call is a use: report any that is an Invalid or
// Undefined iterator.
void IteratorsChecker::checkArgs(CheckerContext &C, const CallExpr *CE) const {
  const unsigned NumArgs = CE->getNumArgs();
  for (unsigned i = 0; i != NumArgs; ++i)
    checkExpr(C, CE->getArg(i));
}
339
// Find the DeclRefExpr of a tracked iterator variable behind E, looking
// through a trivial single-argument construct and an implicit cast.
// Returns NULL when E is not of a vector/deque iterator type or does not
// directly name a variable.
const DeclRefExpr *IteratorsChecker::getDeclRefExpr(const Expr *E) const {
  if (const CXXConstructExpr *CE = dyn_cast<CXXConstructExpr>(E)) {
    // A trivial copy of an iterator wraps the expression we want.
    if (CE->getNumArgs() == 1 && CE->getConstructor()->isTrivial())
      E = CE->getArg(0);
  }
  if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E))
    E = ICE->getSubExpr();
  // If it isn't one of our types, don't do anything.
  if (getTemplateKind(E->getType()) != VectorIteratorKind)
    return NULL;
  return dyn_cast<DeclRefExpr>(E);
}
357
// Resolve an expression to the MemRegion of the iterator variable it names,
// or NULL when it is not a plain reference to a tracked iterator variable.
const MemRegion *IteratorsChecker::getRegion(const GRState *state,
    const Expr *E, const LocationContext *LC) const {
  const DeclRefExpr *DRE = getDeclRefExpr(E);
  if (DRE == NULL)
    return NULL;
  if (const VarDecl *VD = dyn_cast<VarDecl>(DRE->getDecl()))
    return state->getRegion(VD, LC);
  return NULL;
}
370
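// Emit one report of type BT at a fresh node. BT is created on first use
// with description Desc and reused for every later report of that kind.
// Range highlights the offending iterator. Nothing happens when no node can
// be generated at this point.
static void reportIteratorMisuse(CheckerContext &C, BuiltinBug *&BT,
                                 const char *Desc, const std::string &Msg,
                                 SourceRange Range) {
  ExplodedNode *N = C.generateNode();
  if (!N)
    return;
  if (!BT)
    BT = new BuiltinBug(Desc);
  EnhancedBugReport *R = new EnhancedBugReport(*BT, Msg, N);
  R->addRange(Range);
  C.EmitReport(R);
}

// Check the expression and if it is an iterator, generate a diagnostic
// if the iterator is not valid (Invalid or Undefined). Valid and Unknown
// iterators are silently accepted.
// FIXME: this method can generate new nodes, and subsequent logic should
// use those nodes. We also cannot create multiple nodes at one ProgramPoint
// with the same tag.
void IteratorsChecker::checkExpr(CheckerContext &C, const Expr *E) const {
  const GRState *state = C.getState();
  const MemRegion *MR = getRegion(state, E,
                                  C.getPredecessor()->getLocationContext());
  if (!MR)
    return;

  // Get the state associated with the iterator.
  const RefState *RS = state->get<IteratorState>(MR);
  if (!RS)
    return;
  if (!RS->isInvalid() && !RS->isUndefined())
    return;

  // getRegion succeeded, so E resolves to a DeclRefExpr we can highlight.
  SourceRange Range = getDeclRefExpr(E)->getSourceRange();
  // FIXME: We are eluding constness here (the bug types are cached members).
  IteratorsChecker *Self = const_cast<IteratorsChecker*>(this);

  if (RS->isInvalid()) {
    std::string msg;
    const MemberExpr *ME = RS->getMemberExpr();
    if (ME) {
      // Name the mutating member call recorded by invalidateIterators.
      std::string name = ME->getMemberNameInfo().getAsString();
      msg = "Attempt to use an iterator made invalid by call to '" +
            name + "'";
    }
    else {
      // A null MemberExpr means the container itself was overwritten.
      msg = "Attempt to use an iterator made invalid by copying another "
            "container to its container";
    }
    reportIteratorMisuse(C, Self->BT_Invalid, "", msg, Range);
  }
  else {
    // Undefined: the message is the bug type's own description.
    static const char *const UndefinedDesc =
      "Use of iterator that is not defined";
    reportIteratorMisuse(C, Self->BT_Undefined, UndefinedDesc,
                         UndefinedDesc, Range);
  }
}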
424
425// ===============================================
426// Path analysis visitor functions
427// ===============================================
428
// For a generic Call, just check the args for bad iterators.
void IteratorsChecker::checkPreStmt(const CallExpr *CE,
                                    CheckerContext &C) const {
  // FIXME: These checks are to currently work around a bug in
  // CheckerManager: operator and member calls also reach this callback,
  // and their own callbacks handle their arguments.
  const bool handledElsewhere =
    isa<CXXOperatorCallExpr>(CE) || isa<CXXMemberCallExpr>(CE);
  if (handledElsewhere)
    return;

  checkArgs(C, CE);
}
442
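// Handle operator calls. First, if it is operator=, check the argument,
// and handle assigning and set target state appropriately. Otherwise, for
// other operators, check the args for bad iterators and handle comparisons.
void IteratorsChecker::checkPreStmt(const CXXOperatorCallExpr *OCE,
                                    CheckerContext &C) const {
  const LocationContext *LC = C.getPredecessor()->getLocationContext();
  const GRState *state = C.getState();
  OverloadedOperatorKind Kind = OCE->getOperator();

  if (Kind == OO_Equal) {
    // The right-hand side is a use; the left-hand side is (re)defined.
    checkExpr(C, OCE->getArg(1));
    state = handleAssign(state, OCE->getArg(0), OCE->getArg(1), LC);
    C.addTransition(state);
    return;
  }

  checkArgs(C, OCE);

  // Only relational operators get the "same container" test.
  if (Kind != OO_EqualEqual && Kind != OO_ExclaimEqual &&
      Kind != OO_Less && Kind != OO_LessEqual &&
      Kind != OO_Greater && Kind != OO_GreaterEqual)
    return;

  const MemRegion *MR0 = getRegion(state, OCE->getArg(0), LC);
  if (!MR0)
    return;
  const MemRegion *MR1 = getRegion(state, OCE->getArg(1), LC);
  if (!MR1)
    return;
  const RefState *RS0 = state->get<IteratorState>(MR0);
  if (!RS0)
    return;
  const RefState *RS1 = state->get<IteratorState>(MR1);
  if (!RS1)
    return;

  // getMemRegion() is null for every non-valid state, so comparing the
  // regions blindly would report "different containers" whenever one side is
  // merely Unknown (e.g. obtained through a call this checker does not
  // model) while the other is valid. Require both to be valid first; Invalid
  // and Undefined operands were already reported by checkArgs above.
  if (!RS0->isValid() || !RS1->isValid())
    return;
  if (RS0->getMemRegion() == RS1->getMemRegion())
    return;

  ExplodedNode *N = C.generateNode();
  if (!N)
    return;
  if (!BT_Incompatible)
    // FIXME: We are eluding constness here.
    const_cast<IteratorsChecker*>(this)->BT_Incompatible =
      new BuiltinBug("Cannot compare iterators from different containers");

  EnhancedBugReport *R = new EnhancedBugReport(*BT_Incompatible,
                                  BT_Incompatible->getDescription(), N);
  R->addRange(OCE->getSourceRange());
  C.EmitReport(R);
}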
495
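// Need to handle DeclStmts to pick up initializing of iterators and to mark
// uninitialized ones as Undefined. Every declarator of the statement is
// visited, so 'iterator a = v.begin(), b;' tracks both a and b.
void IteratorsChecker::checkPreStmt(const DeclStmt *DS,
                                    CheckerContext &C) const {
  const GRState *state = C.getState();
  const LocationContext *LC = C.getPredecessor()->getLocationContext();

  for (DeclStmt::const_decl_iterator I = DS->decl_begin(),
                                     E = DS->decl_end(); I != E; ++I) {
    // A DeclStmt may also declare a local type or typedef, which is not a
    // VarDecl; skip those instead of dereferencing a null pointer.
    const VarDecl *VD = dyn_cast<VarDecl>(*I);
    // Only care about iterators.
    if (!VD || getTemplateKind(VD->getType()) != VectorIteratorKind)
      continue;

    // Get the MemRegion associated with the iterator and mark it as
    // Undefined.
    Loc VarLoc = state->getLValue(VD, LC);
    const MemRegion *MR = VarLoc.getAsRegion();
    if (!MR)
      continue;
    state = state->set<IteratorState>(MR, RefState::getUndefined());

    // If there is an initializer, handle marking Valid if a proper
    // initializer.
    const Expr *InitEx = VD->getInit();
    if (!InitEx)
      continue;
    // FIXME: This is too syntactic. Since 'InitEx' will be analyzed first
    // it should resolve to an SVal that we can check for validity
    // *semantically* instead of walking through the AST.
    const CXXConstructExpr *CE = dyn_cast<CXXConstructExpr>(InitEx);
    if (!CE || CE->getNumArgs() != 1)
      continue;
    // Always hand the constructor's argument (never the CXXConstructExpr
    // itself) to handleAssign: a construct expression is none of the three
    // forms it models and would leave the iterator Unknown.
    const Expr *Src = CE->getArg(0);
    if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(Src))
      Src = ICE->getSubExpr();
    state = handleAssign(state, MR, Src, LC);
  }

  if (state != C.getState())
    C.addTransition(state);
}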
532
533
// Marker type for the per-state set of container regions on which
// reserve() has been called (see GRStateTrait<CalledReserved> below).
namespace { struct CalledReserved {}; }
namespace clang { namespace ento {
// The CalledReserved slot holds an ImmutableSet of container MemRegions; the
// member-call handler adds to it and consults it before invalidating.
template<> struct GRStateTrait<CalledReserved>
  : public GRStatePartialTrait<llvm::ImmutableSet<const MemRegion*> > {
  // Distinct data-map key from IteratorsChecker::getTag(); each trait
  // needs its own slot.
  static void *GDMIndex() { static int index = 0; return &index; }
};
}}
541
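// On a member call, first check the args for any bad iterators, then see
// whether it is a call to a function that will invalidate the container's
// iterators and mark them accordingly.
void IteratorsChecker::checkPreStmt(const CXXMemberCallExpr *MCE,
                                    CheckerContext &C) const {
  // Check the arguments.
  checkArgs(C, MCE);
  const MemberExpr *ME = dyn_cast<MemberExpr>(MCE->getCallee());
  if (!ME)
    return;
  // Make sure we have the right kind of container.
  const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(ME->getBase());
  if (!DRE || getTemplateKind(DRE->getType()) != VectorKind)
    return;
  const GRState *state = C.getState();
  // Get the MemRegion associated with the container instance.
  const MemRegion *MR = state->getSVal(DRE).getAsRegion();
  if (!MR)
    return;

  llvm::StringRef mName = ME->getMemberDecl()->getName();

  // Two groups of mutators:
  //  - growth operations (insert, reserve, push_back), which invalidate when
  //    the container reallocates; an earlier reserve() on this instance is
  //    taken as evidence that it will not. This is a heuristic: nothing
  //    checks the reserved size against the number of elements added, and
  //    insert in the middle shifts later elements even without reallocation.
  //  - removals and size changes (erase, pop_back, clear, resize), which
  //    invalidate iterators at and past the affected position regardless of
  //    capacity, so reserve() must not suppress them: a stale iterator kept
  //    across one of these is a use-after-free waiting to happen.
  const bool mayReallocate = llvm::StringSwitch<bool>(mName)
      .Cases("insert", "reserve", "push_back", true)
      .Default(false);
  const bool alwaysInvalidates = llvm::StringSwitch<bool>(mName)
      .Cases("erase", "pop_back", "clear", "resize", true)
      .Default(false);
  if (alwaysInvalidates ||
      (mayReallocate && !state->contains<CalledReserved>(MR)))
    state = invalidateIterators(state, MR, ME);

  // Keep track of instances that have called 'reserve'.
  // Note: do this after the invalidation above, since 'reserve' itself can
  // reallocate.
  if (mName == "reserve")
    state = state->add<CalledReserved>(MR);

  if (state != C.getState())
    C.addTransition(state);
}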
582