1//== CheckerContext.h - Context info for path-sensitive checkers--*- C++ -*--=//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines CheckerContext that provides contextual info for
10// path-sensitive checkers.
11//
12//===----------------------------------------------------------------------===//
13
14#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_CHECKERCONTEXT_H
15#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_CHECKERCONTEXT_H
16
17#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
18#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
19
20namespace clang {
21namespace ento {
22
23class CheckerContext {
24 ExprEngine &Eng;
25 /// The current exploded(symbolic execution) graph node.
26 ExplodedNode *Pred;
27 /// The flag is true if the (state of the execution) has been modified
28 /// by the checker using this context. For example, a new transition has been
29 /// added or a bug report issued.
30 bool Changed;
31 /// The tagged location, which is used to generate all new nodes.
32 const ProgramPoint Location;
33 NodeBuilder &NB;
34
35public:
36 /// If we are post visiting a call, this flag will be set if the
37 /// call was inlined. In all other cases it will be false.
38 const bool wasInlined;
39
40 CheckerContext(NodeBuilder &builder,
41 ExprEngine &eng,
42 ExplodedNode *pred,
43 const ProgramPoint &loc,
44 bool wasInlined = false)
45 : Eng(eng),
46 Pred(pred),
47 Changed(false),
48 Location(loc),
49 NB(builder),
50 wasInlined(wasInlined) {
51 assert(Pred->getState() &&
52 "We should not call the checkers on an empty state.");
53 }
54
55 AnalysisManager &getAnalysisManager() {
56 return Eng.getAnalysisManager();
57 }
58
59 ConstraintManager &getConstraintManager() {
60 return Eng.getConstraintManager();
61 }
62
63 StoreManager &getStoreManager() {
64 return Eng.getStoreManager();
65 }
66
67 /// Returns the previous node in the exploded graph, which includes
68 /// the state of the program before the checker ran. Note, checkers should
69 /// not retain the node in their state since the nodes might get invalidated.
70 ExplodedNode *getPredecessor() { return Pred; }
71 const ProgramStateRef &getState() const { return Pred->getState(); }
72
73 /// Check if the checker changed the state of the execution; ex: added
74 /// a new transition or a bug report.
75 bool isDifferent() { return Changed; }
76
77 /// Returns the number of times the current block has been visited
78 /// along the analyzed path.
79 unsigned blockCount() const {
80 return NB.getContext().blockCount();
81 }
82
83 ASTContext &getASTContext() {
84 return Eng.getContext();
85 }
86
87 const LangOptions &getLangOpts() const {
88 return Eng.getContext().getLangOpts();
89 }
90
91 const LocationContext *getLocationContext() const {
92 return Pred->getLocationContext();
93 }
94
95 const StackFrameContext *getStackFrame() const {
96 return Pred->getStackFrame();
97 }
98
99 /// Return true if the current LocationContext has no caller context.
100 bool inTopFrame() const { return getLocationContext()->inTopFrame(); }
101
102 BugReporter &getBugReporter() {
103 return Eng.getBugReporter();
104 }
105
106 SourceManager &getSourceManager() {
107 return getBugReporter().getSourceManager();
108 }
109
110 SValBuilder &getSValBuilder() {
111 return Eng.getSValBuilder();
112 }
113
114 SymbolManager &getSymbolManager() {
115 return getSValBuilder().getSymbolManager();
116 }
117
118 ProgramStateManager &getStateManager() {
119 return Eng.getStateManager();
120 }
121
122 AnalysisDeclContext *getCurrentAnalysisDeclContext() const {
123 return Pred->getLocationContext()->getAnalysisDeclContext();
124 }
125
126 /// Get the blockID.
127 unsigned getBlockID() const {
128 return NB.getContext().getBlock()->getBlockID();
129 }
130
131 /// If the given node corresponds to a PostStore program point,
132 /// retrieve the location region as it was uttered in the code.
133 ///
134 /// This utility can be useful for generating extensive diagnostics, for
135 /// example, for finding variables that the given symbol was assigned to.
136 static const MemRegion *getLocationRegionIfPostStore(const ExplodedNode *N) {
137 ProgramPoint L = N->getLocation();
138 if (Optional<PostStore> PSL = L.getAs<PostStore>())
139 return reinterpret_cast<const MemRegion*>(PSL->getLocationValue());
140 return nullptr;
141 }
142
143 /// Get the value of arbitrary expressions at this point in the path.
144 SVal getSVal(const Stmt *S) const {
145 return Pred->getSVal(S);
146 }
147
148 /// Returns true if the value of \p E is greater than or equal to \p
149 /// Val under unsigned comparison
150 bool isGreaterOrEqual(const Expr *E, unsigned long long Val);
151
152 /// Returns true if the value of \p E is negative.
153 bool isNegative(const Expr *E);
154
155 /// Generates a new transition in the program state graph
156 /// (ExplodedGraph). Uses the default CheckerContext predecessor node.
157 ///
158 /// @param State The state of the generated node. If not specified, the state
159 /// will not be changed, but the new node will have the checker's tag.
160 /// @param Tag The tag is used to uniquely identify the creation site. If no
161 /// tag is specified, a default tag, unique to the given checker,
162 /// will be used. Tags are used to prevent states generated at
163 /// different sites from caching out.
164 ExplodedNode *addTransition(ProgramStateRef State = nullptr,
165 const ProgramPointTag *Tag = nullptr) {
166 return addTransitionImpl(State ? State : getState(), false, nullptr, Tag);
167 }
168
169 /// Generates a new transition with the given predecessor.
170 /// Allows checkers to generate a chain of nodes.
171 ///
172 /// @param State The state of the generated node.
173 /// @param Pred The transition will be generated from the specified Pred node
174 /// to the newly generated node.
175 /// @param Tag The tag to uniquely identify the creation site.
176 ExplodedNode *addTransition(ProgramStateRef State,
177 ExplodedNode *Pred,
178 const ProgramPointTag *Tag = nullptr) {
179 return addTransitionImpl(State, false, Pred, Tag);
180 }
181
182 /// Generate a sink node. Generating a sink stops exploration of the
183 /// given path. To create a sink node for the purpose of reporting an error,
184 /// checkers should use generateErrorNode() instead.
185 ExplodedNode *generateSink(ProgramStateRef State, ExplodedNode *Pred,
186 const ProgramPointTag *Tag = nullptr) {
187 return addTransitionImpl(State ? State : getState(), true, Pred, Tag);
188 }
189
190 /// Generate a transition to a node that will be used to report
191 /// an error. This node will be a sink. That is, it will stop exploration of
192 /// the given path.
193 ///
194 /// @param State The state of the generated node.
195 /// @param Tag The tag to uniquely identify the creation site. If null,
196 /// the default tag for the checker will be used.
197 ExplodedNode *generateErrorNode(ProgramStateRef State = nullptr,
198 const ProgramPointTag *Tag = nullptr) {
199 return generateSink(State, Pred,
200 (Tag ? Tag : Location.getTag()));
201 }
202
203 /// Generate a transition to a node that will be used to report
204 /// an error. This node will not be a sink. That is, exploration will
205 /// continue along this path.
206 ///
207 /// @param State The state of the generated node.
208 /// @param Tag The tag to uniquely identify the creation site. If null,
209 /// the default tag for the checker will be used.
210 ExplodedNode *
211 generateNonFatalErrorNode(ProgramStateRef State = nullptr,
212 const ProgramPointTag *Tag = nullptr) {
213 return addTransition(State, (Tag ? Tag : Location.getTag()));
214 }
215
216 /// Emit the diagnostics report.
217 void emitReport(std::unique_ptr<BugReport> R) {
218 Changed = true;
219 Eng.getBugReporter().emitReport(std::move(R));
220 }
221
222 /// Returns the word that should be used to refer to the declaration
223 /// in the report.
224 StringRef getDeclDescription(const Decl *D);
225
226 /// Get the declaration of the called function (path-sensitive).
227 const FunctionDecl *getCalleeDecl(const CallExpr *CE) const;
228
229 /// Get the name of the called function (path-sensitive).
230 StringRef getCalleeName(const FunctionDecl *FunDecl) const;
231
232 /// Get the identifier of the called function (path-sensitive).
233 const IdentifierInfo *getCalleeIdentifier(const CallExpr *CE) const {
234 const FunctionDecl *FunDecl = getCalleeDecl(CE);
235 if (FunDecl)
236 return FunDecl->getIdentifier();
237 else
238 return nullptr;
239 }
240
241 /// Get the name of the called function (path-sensitive).
242 StringRef getCalleeName(const CallExpr *CE) const {
243 const FunctionDecl *FunDecl = getCalleeDecl(CE);
244 return getCalleeName(FunDecl);
245 }
246
247 /// Returns true if the callee is an externally-visible function in the
248 /// top-level namespace, such as \c malloc.
249 ///
250 /// If a name is provided, the function must additionally match the given
251 /// name.
252 ///
253 /// Note that this deliberately excludes C++ library functions in the \c std
254 /// namespace, but will include C library functions accessed through the
255 /// \c std namespace. This also does not check if the function is declared
256 /// as 'extern "C"', or if it uses C++ name mangling.
257 static bool isCLibraryFunction(const FunctionDecl *FD,
258 StringRef Name = StringRef());
259
260 /// Depending on wither the location corresponds to a macro, return
261 /// either the macro name or the token spelling.
262 ///
263 /// This could be useful when checkers' logic depends on whether a function
264 /// is called with a given macro argument. For example:
265 /// s = socket(AF_INET,..)
266 /// If AF_INET is a macro, the result should be treated as a source of taint.
267 ///
268 /// \sa clang::Lexer::getSpelling(), clang::Lexer::getImmediateMacroName().
269 StringRef getMacroNameOrSpelling(SourceLocation &Loc);
270
271private:
272 ExplodedNode *addTransitionImpl(ProgramStateRef State,
273 bool MarkAsSink,
274 ExplodedNode *P = nullptr,
275 const ProgramPointTag *Tag = nullptr) {
276 // The analyzer may stop exploring if it sees a state it has previously
277 // visited ("cache out"). The early return here is a defensive check to
278 // prevent accidental caching out by checker API clients. Unless there is a
279 // tag or the client checker has requested that the generated node be
280 // marked as a sink, we assume that a client requesting a transition to a
281 // state that is the same as the predecessor state has made a mistake. We
282 // return the predecessor rather than cache out.
283 //
284 // TODO: We could potentially change the return to an assertion to alert
285 // clients to their mistake, but several checkers (including
286 // DereferenceChecker, CallAndMessageChecker, and DynamicTypePropagation)
287 // rely upon the defensive behavior and would need to be updated.
288 if (!State || (State == Pred->getState() && !Tag && !MarkAsSink))
289 return Pred;
290
291 Changed = true;
292 const ProgramPoint &LocalLoc = (Tag ? Location.withTag(Tag) : Location);
293 if (!P)
294 P = Pred;
295
296 ExplodedNode *node;
297 if (MarkAsSink)
298 node = NB.generateSink(LocalLoc, State, P);
299 else
300 node = NB.generateNode(LocalLoc, State, P);
301 return node;
302 }
303};
304
305} // end GR namespace
306
307} // end clang namespace
308
309#endif
310