mirrors/llvm-project
0
0
Fork 0
mirror of https://github.com/llvm/llvm-project.git synced 2025-04-30 04:56:06 +00:00
Code Issues Projects Releases Wiki Activity
llvm-project/clang/lib/StaticAnalyzer/Core/CheckerContext.cpp

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

171 lines
5.7 KiB
C++
Raw Normal View History

[analyzer] Put CheckerConext::getCalleeName out of line. llvm-svn: 144870
2011-11-17 01:09:15 +00:00
//== CheckerContext.cpp - Context info for path-sensitive checkers-----------=//
//
Update the file headers across all of the LLVM projects in the monorepo to reflect the new license. We understand that people may be surprised that we're moving the header entirely to discuss the new license. We checked this carefully with the Foundation's lawyer and we believe this is the correct approach. Essentially, all code in the project is now made available by the LLVM project under our new license, so you will see that the license headers include that license only. Some of our contributors have contributed code under our old license, and accordingly, we have retained a copy of our old license notice in the top-level files in each project and repository. llvm-svn: 351636
2019-01-19 08:50:56 +00:00
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
[analyzer] Put CheckerConext::getCalleeName out of line. llvm-svn: 144870
2011-11-17 01:09:15 +00:00
//
//===----------------------------------------------------------------------===//
//
// This file defines CheckerContext that provides contextual info for
// path-sensitive checkers.
//
//===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
[analyzer] Taint: add taint propagation rules for string and memory copy functions. llvm-svn: 148370
2012-01-18 02:45:07 +00:00
#include "clang/Basic/Builtins.h"
[analyzer] Add a utility method that allows to find the macro name used at the given location. This could be useful when checkers' logic depends on whether a function is called with a given macro argument. llvm-svn: 148516
2012-01-20 00:11:12 +00:00
#include "clang/Lex/Lexer.h"
[llvm] Add missing StringExtras.h includes In preparation for removing the `#include "llvm/ADT/StringExtras.h"` from the header to source file of `llvm/Support/Error.h`, first add in all the missing includes that were previously included transitively through this header.
2023-06-17 13:18:23 +01:00
#include "llvm/ADT/StringExtras.h"
[analyzer] Taint: add taint propagation rules for string and memory copy functions. llvm-svn: 148370
2012-01-18 02:45:07 +00:00
[analyzer] Put CheckerConext::getCalleeName out of line. llvm-svn: 144870
2011-11-17 01:09:15 +00:00
using namespace clang;
using namespace ento;
[analyzer] Refactor checkers to use helper function for getting callee Decl and name. We are getting name of the called function or it's declaration in a few checkers. Refactor them to use the helper function in the CheckerContext. llvm-svn: 145576
2011-12-01 05:57:37 +00:00
const FunctionDecl *CheckerContext::getCalleeDecl(const CallExpr *CE) const {
[analyzer] Handle NTTP invocation in CallContext.getCalleeDecl() This fixes a crash in MallocChecker for the situation when operator new (delete) is invoked via NTTP and makes the behavior of CallContext.getCalleeDecl(Expr) identical to CallEvent.getDecl(). Reviewed By: vsavchenko Differential Revision: https://reviews.llvm.org/D103025
2021-06-18 14:20:17 +03:00
const FunctionDecl *D = CE->getDirectCallee();
if (D)
return D;
[analyzer] Put CheckerConext::getCalleeName out of line. llvm-svn: 144870
2011-11-17 01:09:15 +00:00
const Expr *Callee = CE->getCallee();
[analyzer] introduce getSVal(Stmt *) helper on ExplodedNode, make sure the helper is used consistently In most cases using `N->getState()->getSVal(E, N->getLocationContext())` is ugly, verbose, and also opens up more surface area for bugs if an inconsistent location context is used. This patch introduces a helper on an exploded node, and ensures consistent usage of either `ExplodedNode::getSVal` or `CheckContext::getSVal` across the codebase. As a result, a large number of redundant lines is removed. Differential Revision: https://reviews.llvm.org/D42155 llvm-svn: 322753
2018-01-17 20:27:29 +00:00
SVal L = Pred->getSVal(Callee);
[analyzer] Refactor checkers to use helper function for getting callee Decl and name. We are getting name of the called function or it's declaration in a few checkers. Refactor them to use the helper function in the CheckerContext. llvm-svn: 145576
2011-12-01 05:57:37 +00:00
return L.getAsFunctionDecl();
}
[analyzer] Put CheckerConext::getCalleeName out of line. llvm-svn: 144870
2011-11-17 01:09:15 +00:00
[analyzer] Taint: add taint propagation rules for string and memory copy functions. llvm-svn: 148370
2012-01-18 02:45:07 +00:00
StringRef CheckerContext::getCalleeName(const FunctionDecl *FunDecl) const {
if (!FunDecl)
[analyzer] Put CheckerConext::getCalleeName out of line. llvm-svn: 144870
2011-11-17 01:09:15 +00:00
return StringRef();
[analyzer] Taint: add taint propagation rules for string and memory copy functions. llvm-svn: 148370
2012-01-18 02:45:07 +00:00
IdentifierInfo *funI = FunDecl->getIdentifier();
[analyzer] Put CheckerConext::getCalleeName out of line. llvm-svn: 144870
2011-11-17 01:09:15 +00:00
if (!funI)
return StringRef();
return funI->getName();
}
[analyzer] Taint: add taint propagation rules for string and memory copy functions. llvm-svn: 148370
2012-01-18 02:45:07 +00:00
[analyzer] Improve Nullability checker diagnostics - Include the position of the argument on which the nullability is violated - Differentiate between a 'method' and a 'function' in the message wording - Test for the error message text in the tests - Fix a bug with setting 'IsDirectDereference' which resulted in regular dereferences assumed to have call context. llvm-svn: 259221
2016-01-29 18:43:15 +00:00
StringRef CheckerContext::getDeclDescription(const Decl *D) {
[analyzer][NFC] Refactor llvm::isa<> usages in the StaticAnalyzer It turns out llvm::isa<> is variadic, and we could have used this at a lot of places. The following patterns: x && isa<T1>(x) || isa<T2>(x) ... Will be replaced by: isa_and_non_null<T1, T2, ...>(x) Sometimes it caused further simplifications, when it would cause even more code smell. Aside from this, keep in mind that within `assert()` or any macro functions, we need to wrap the isa<> expression within a parenthesis, due to the parsing of the comma. Reviewed By: martong Differential Revision: https://reviews.llvm.org/D111982
2021-10-20 17:43:31 +02:00
if (isa<ObjCMethodDecl, CXXMethodDecl>(D))
[analyzer] Improve Nullability checker diagnostics - Include the position of the argument on which the nullability is violated - Differentiate between a 'method' and a 'function' in the message wording - Test for the error message text in the tests - Fix a bug with setting 'IsDirectDereference' which resulted in regular dereferences assumed to have call context. llvm-svn: 259221
2016-01-29 18:43:15 +00:00
return "method";
if (isa<BlockDecl>(D))
return "anonymous block";
return "function";
}
[analyzer] Taint: add taint propagation rules for string and memory copy functions. llvm-svn: 148370
2012-01-18 02:45:07 +00:00
bool CheckerContext::isCLibraryFunction(const FunctionDecl *FD,
[analyzer] Add checks for common anti-patterns in strncat. (Since this is syntax only, might be a good candidate for turning into a compiler warning.) llvm-svn: 149407
2012-01-31 19:33:39 +00:00
StringRef Name) {
[analyzer] Taint: add taint propagation rules for string and memory copy functions. llvm-svn: 148370
2012-01-18 02:45:07 +00:00
// To avoid false positives (Ex: finding user defined functions with
// similar names), only perform fuzzy name matching when it's a builtin.
// Using a string compare is slow, we might want to switch on BuiltinID here.
unsigned BId = FD->getBuiltinID();
if (BId != 0) {
[analyzer] Add some convenience accessors to CallEvent, and use them. These are CallEvent-equivalents of helpers already accessible in CheckerContext, as part of making it easier for new checkers to be written using CallEvent rather than raw CallExprs. llvm-svn: 167338
2012-11-02 23:49:29 +00:00
if (Name.empty())
return true;
Rename the non-coding style conformant functions in namespace Builtins to match the rest of their brethren and reformat the bits that need it. llvm-svn: 244186
2015-08-06 01:01:12 +00:00
StringRef BName = FD->getASTContext().BuiltinInfo.getName(BId);
[analyzer] Restrict CallDescription fuzzy builtin matching `CallDescriptions` for builtin functions relaxes the match rules somewhat, so that the `CallDescription` will match for calls that have some prefix or suffix. This was achieved by doing a `StringRef::contains()`. However, this is somewhat problematic for builtins that are substrings of each other. Consider the following: `CallDescription{ builtin, "memcpy"}` will match for `__builtin_wmemcpy()` calls, which is unfortunate. This patch addresses/works around the issue by checking if the characters around the function's name are not part of the 'name' semantically. In other words, to accept a match for `"memcpy"` the call should not have alphanumeric (`[a-zA-Z]`) characters around the 'match'. So, `CallDescription{ builtin, "memcpy"}` will not match on: - `__builtin_wmemcpy: there is a `w` alphanumeric character before the match. - `__builtin_memcpyFOoBar_inline`: there is a `F` character after the match. - `__builtin_memcpyX_inline`: there is an `X` character after the match. But it will still match for: - `memcpy`: exact match - `__builtin_memcpy`: there is an _ before the match - `__builtin_memcpy_inline`: there is an _ after the match - `memcpy_inline_builtinFooBar`: there is an _ after the match Reviewed By: NoQ Differential Revision: https://reviews.llvm.org/D118388
2022-02-11 10:45:18 +01:00
size_t start = BName.find(Name);
if (start != StringRef::npos) {
// Accept exact match.
if (BName.size() == Name.size())
return true;
// v-- match starts here
// ...xxxxx...
// _xxxxx_
// ^ ^ lookbehind and lookahead characters
const auto MatchPredecessor = [=]() -> bool {
return start <= 0 || !llvm::isAlpha(BName[start - 1]);
};
const auto MatchSuccessor = [=]() -> bool {
std::size_t LookbehindPlace = start + Name.size();
return LookbehindPlace >= BName.size() ||
!llvm::isAlpha(BName[LookbehindPlace]);
};
if (MatchPredecessor() && MatchSuccessor())
return true;
}
[analyzer] Taint: add taint propagation rules for string and memory copy functions. llvm-svn: 148370
2012-01-18 02:45:07 +00:00
}
[analyzer] Fix a crash in CheckerContext::isCLibraryFunction for C++ declarations with special names. A patch by Dmitri Gribenko. llvm-svn: 149525
2012-02-01 19:16:20 +00:00
const IdentifierInfo *II = FD->getIdentifier();
// If this is a special C++ name without IdentifierInfo, it can't be a
// C library function.
if (!II)
return false;
Reapply "[analyzer] Accept C library functions from the `std` namespace" again (#85791) This reapplies 80ab8234ac309418637488b97e0a62d8377b2ecf again, after fixing a name collision warning in the unit tests (see the revert commit 13ccaf9b9d4400bb128b35ff4ac733e4afc3ad1c for details). In addition to the previously applied changes, this commit also clarifies the code in MallocChecker that distinguishes POSIX "getline()" and C++ standard library "std::getline()" (which are two completely different functions). Note that "std::getline()" was (accidentally) handled correctly even without this clarification; but it's better to explicitly handle and test this corner case. --------- Co-authored-by: Balazs Benics <benicsbalazs@gmail.com>
2024-03-25 12:43:51 +01:00
// C library functions are either declared directly within a TU (the common
// case) or they are accessed through the namespace `std` (when they are used
// in C++ via headers like <cstdlib>).
const DeclContext *DC = FD->getDeclContext()->getRedeclContext();
if (!(DC->isTranslationUnit() || DC->isStdNamespace()))
[analyzer] isCLibraryFunction: check that the function is at TU-scope. Also, Decls already carry a pointer to the ASTContext, so there's no need to pass an extra argument to the predicate. llvm-svn: 167337
2012-11-02 23:49:24 +00:00
return false;
// If this function is not externally visible, it is not a C library function.
[analyzer] Add some convenience accessors to CallEvent, and use them. These are CallEvent-equivalents of helpers already accessible in CheckerContext, as part of making it easier for new checkers to be written using CallEvent rather than raw CallExprs. llvm-svn: 167338
2012-11-02 23:49:29 +00:00
// Note that we make an exception for inline functions, which may be
// declared in header files without external linkage.
Cleanup handling of UniqueExternalLinkage. This patch renames getLinkage to getLinkageInternal. Only code that needs to handle UniqueExternalLinkage specially should call this. Linkage, as defined in the c++ standard, is provided by getFormalLinkage. It maps UniqueExternalLinkage to ExternalLinkage. Most places in the compiler actually want isExternallyVisible, which handles UniqueExternalLinkage as internal. llvm-svn: 181677
2013-05-13 00:12:11 +00:00
if (!FD->isInlined() && !FD->isExternallyVisible())
[analyzer] isCLibraryFunction: check that the function is at TU-scope. Also, Decls already carry a pointer to the ASTContext, so there's no need to pass an extra argument to the predicate. llvm-svn: 167337
2012-11-02 23:49:24 +00:00
return false;
[analyzer] Add some convenience accessors to CallEvent, and use them. These are CallEvent-equivalents of helpers already accessible in CheckerContext, as part of making it easier for new checkers to be written using CallEvent rather than raw CallExprs. llvm-svn: 167338
2012-11-02 23:49:29 +00:00
if (Name.empty())
return true;
[analyzer] Fix a crash in CheckerContext::isCLibraryFunction for C++ declarations with special names. A patch by Dmitri Gribenko. llvm-svn: 149525
2012-02-01 19:16:20 +00:00
StringRef FName = II->getName();
[clang] Use StringRef::operator== instead of StringRef::equals (NFC) (#91844) I'm planning to remove StringRef::equals in favor of StringRef::operator==. - StringRef::operator==/!= outnumber StringRef::equals by a factor of 24 under clang/ in terms of their usage. - The elimination of StringRef::equals brings StringRef closer to std::string_view, which has operator== but not equals. - S == "foo" is more readable than S.equals("foo"), especially for !Long.Expression.equals("str") vs Long.Expression != "str".
2024-05-11 11:38:52 -07:00
if (FName == Name)
[analyzer] Generalize function name checking in CString checker. (Ex: It was not treating __inline_strcpy as strcpy. Will add tests that rely on this later on.) llvm-svn: 150845
2012-02-17 22:35:26 +00:00
return true;
[clang] Use StringRef::{starts,ends}_with (NFC) (#75149) This patch replaces uses of StringRef::{starts,ends}with with StringRef::{starts,ends}_with for consistency with std::{string,string_view}::{starts,ends}_with in C++20. I'm planning to deprecate and eventually remove StringRef::{starts,ends}with.
2023-12-13 08:54:13 -08:00
if (FName.starts_with("__inline") && FName.contains(Name))
[analyzer] Generalize function name checking in CString checker. (Ex: It was not treating __inline_strcpy as strcpy. Will add tests that rely on this later on.) llvm-svn: 150845
2012-02-17 22:35:26 +00:00
return true;
[analyzer] Add checks for common anti-patterns in strncat. (Since this is syntax only, might be a good candidate for turning into a compiler warning.) llvm-svn: 149407
2012-01-31 19:33:39 +00:00
[analyzer] Taint: add taint propagation rules for string and memory copy functions. llvm-svn: 148370
2012-01-18 02:45:07 +00:00
return false;
}
[analyzer] Add a utility method that allows to find the macro name used at the given location. This could be useful when checkers' logic depends on whether a function is called with a given macro argument. llvm-svn: 148516
2012-01-20 00:11:12 +00:00
[analyzer] Make recognition of hardened __FOO_chk functions explicit (#86536) In builds that use source hardening (-D_FORTIFY_SOURCE), many standard functions are implemented as macros that expand to calls of hardened functions that take one additional argument compared to the "usual" variant and perform additional input validation. For example, a `memcpy` call may expand to `__memcpy_chk()` or `__builtin___memcpy_chk()`. Before this commit, `CallDescription`s created with the matching mode `CDM::CLibrary` automatically matched these hardened variants (in a addition to the "usual" function) with a fairly lenient heuristic. Unfortunately this heuristic meant that the `CLibrary` matching mode was only usable by checkers that were prepared to handle matches with an unusual number of arguments. This commit limits the recognition of the hardened functions to a separate matching mode `CDM::CLibraryMaybeHardened` and applies this mode for functions that have hardened variants and were previously recognized with `CDM::CLibrary`. This way checkers that are prepared to handle the hardened variants will be able to detect them easily; while other checkers can simply use `CDM::CLibrary` for matching C library functions (and they won't encounter surprising argument counts). The initial motivation for refactoring this area was that previously `CDM::CLibrary` accepted calls with more arguments/parameters than the expected number, so I wasn't able to use it for `malloc` without accidentally matching calls to the 3-argument BSD kernel malloc. After this commit this "may have more args/params" logic will only activate when we're actually matching a hardened variant function (in `CDM::CLibraryMaybeHardened` mode). The recognition of "sprintf()" and "snprintf()" in CStringChecker was refactored, because previously it was abusing the behavior that extra arguments are accepted even if the matched function is not a hardened variant. This commit also fixes the oversight that the old code would've recognized e.g. `__wmemcpy_chk` as a hardened variant of `memcpy`. After this commit I'm planning to create several follow-up commits that ensure that checkers looking for C library functions use `CDM::CLibrary` as a "sane default" matching mode. This commit is not truly NFC (it eliminates some buggy corner cases), but it does not intentionally modify the behavior of CSA on real-world non-crazy code. As a minor unrelated change I'm eliminating the argument/variable "IsBuiltin" from the evalSprintf function family in CStringChecker, because it was completely unused. --------- Co-authored-by: Balazs Benics <benicsbalazs@gmail.com>
2024-04-05 11:20:27 +02:00
bool CheckerContext::isHardenedVariantOf(const FunctionDecl *FD,
StringRef Name) {
const IdentifierInfo *II = FD->getIdentifier();
if (!II)
return false;
auto CompletelyMatchesParts = [II](auto... Parts) -> bool {
StringRef FName = II->getName();
return (FName.consume_front(Parts) && ...) && FName.empty();
};
return CompletelyMatchesParts("__", Name, "_chk") ||
CompletelyMatchesParts("__builtin_", "__", Name, "_chk");
}
[analyzer] Add a utility method that allows to find the macro name used at the given location. This could be useful when checkers' logic depends on whether a function is called with a given macro argument. llvm-svn: 148516
2012-01-20 00:11:12 +00:00
StringRef CheckerContext::getMacroNameOrSpelling(SourceLocation &Loc) {
More dead code removal (using -Wunreachable-code) llvm-svn: 148577
2012-01-20 21:50:17 +00:00
if (Loc.isMacroID())
[analyzer] Add a utility method that allows to find the macro name used at the given location. This could be useful when checkers' logic depends on whether a function is called with a given macro argument. llvm-svn: 148516
2012-01-20 00:11:12 +00:00
return Lexer::getImmediateMacroName(Loc, getSourceManager(),
Unify naming of LangOptions variable/get function across the Clang stack (Lex to AST). The member variable is always "LangOpts" and the member function is always "getLangOpts". Reviewed by Chris Lattner llvm-svn: 152536
2012-03-11 07:00:24 +00:00
getLangOpts());
[clang][NFC] Use SmallString instead of SmallVector<char Simplifies code in some places and is more explicit about what is being used. No additional includes were added here so no impact on compile time.
2020-11-17 13:02:58 +00:00
SmallString<16> buf;
Unify naming of LangOptions variable/get function across the Clang stack (Lex to AST). The member variable is always "LangOpts" and the member function is always "getLangOpts". Reviewed by Chris Lattner llvm-svn: 152536
2012-03-11 07:00:24 +00:00
return Lexer::getSpelling(Loc, buf, getSourceManager(), getLangOpts());
[analyzer] Add a utility method that allows to find the macro name used at the given location. This could be useful when checkers' logic depends on whether a function is called with a given macro argument. llvm-svn: 148516
2012-01-20 00:11:12 +00:00
}
[Analyzer] Clarify error messages for undefined result Differential Revision: https://reviews.llvm.org/D30295 llvm-svn: 315462
2017-10-11 14:49:35 +00:00
/// Evaluate comparison and return true if it's known that condition is true
static bool evalComparison(SVal LHSVal, BinaryOperatorKind ComparisonOp,
SVal RHSVal, ProgramStateRef State) {
if (LHSVal.isUnknownOrUndef())
return false;
ProgramStateManager &Mgr = State->getStateManager();
[analyzer][NFC] Prefer using isa<> instead getAs<> in conditions Depends on D125709 Reviewed By: martong Differential Revision: https://reviews.llvm.org/D127742
2022-06-15 16:58:08 +02:00
if (!isa<NonLoc>(LHSVal)) {
[Analyzer] Clarify error messages for undefined result Differential Revision: https://reviews.llvm.org/D30295 llvm-svn: 315462
2017-10-11 14:49:35 +00:00
LHSVal = Mgr.getStoreManager().getBinding(State->getStore(),
LHSVal.castAs<Loc>());
[analyzer][NFC] Prefer using isa<> instead getAs<> in conditions Depends on D125709 Reviewed By: martong Differential Revision: https://reviews.llvm.org/D127742
2022-06-15 16:58:08 +02:00
if (LHSVal.isUnknownOrUndef() || !isa<NonLoc>(LHSVal))
[Analyzer] Clarify error messages for undefined result Differential Revision: https://reviews.llvm.org/D30295 llvm-svn: 315462
2017-10-11 14:49:35 +00:00
return false;
}
SValBuilder &Bldr = Mgr.getSValBuilder();
SVal Eval = Bldr.evalBinOp(State, ComparisonOp, LHSVal, RHSVal,
Bldr.getConditionType());
if (Eval.isUnknownOrUndef())
return false;
ProgramStateRef StTrue, StFalse;
std::tie(StTrue, StFalse) = State->assume(Eval.castAs<DefinedSVal>());
return StTrue && !StFalse;
}
bool CheckerContext::isGreaterOrEqual(const Expr *E, unsigned long long Val) {
DefinedSVal V = getSValBuilder().makeIntVal(Val, getASTContext().LongLongTy);
return evalComparison(getSVal(E), BO_GE, V, getState());
}
bool CheckerContext::isNegative(const Expr *E) {
DefinedSVal V = getSValBuilder().makeIntVal(0, false);
return evalComparison(getSVal(E), BO_LT, V, getState());
}
Reference in New Issue Copy Permalink