Charusso created this revision.
Charusso added reviewers: NoQ, ravikandhadai.
Charusso added a project: clang.
Herald added subscribers: cfe-commits, dkrupp, donat.nagy, Szelethus,
mikhail.ramalho, a.sidorin, szepet, baloghadamsoftware, xazax.hun, mgorny.
It models the LLVM casts:
- `cast<>`
- `dyn_cast<>`
- `cast_or_null<>`
- `dyn_cast_or_null<>`
It has a very basic support without checking the `classof()` function.
Repository:
rC Clang
https://reviews.llvm.org/D64374
Files:
clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
clang/test/Analysis/cast-value.cpp
Index: clang/test/Analysis/cast-value.cpp
===================================================================
--- /dev/null
+++ clang/test/Analysis/cast-value.cpp
@@ -0,0 +1,40 @@
+// RUN: %clang_analyze_cc1 \
+// RUN: -analyzer-checker=core,apiModeling.CastValue \
+// RUN: -analyzer-output=text -verify %s
+
+template <class X, class Y>
+const X *dyn_cast_or_null(Y Value);
+
+class Shape {};
+class Square : public Shape {};
+class Circle : public Shape {};
+
+namespace test_dyn_cast_or_null {
+void different_type(const Shape *C) {
+ if (const auto *Foo = dyn_cast_or_null<Square>(nullptr)) {
+ // expected-note@-1 {{Cast from a null pointer results in a null pointer}}
+ // expected-note@-2 {{'Foo' is null}}
+ // expected-note@-3 {{Taking false branch}}
+ (void)Foo;
+ }
+
+ if (const auto *Bar = dyn_cast_or_null<Square>(C)) {
+ // expected-note@-1 {{Cast to 'const class Square *' results in a null pointer}}
+ // expected-note@-2 {{Assuming pointer value is null}}
+ // expected-note@-3 {{'Bar' is null}}
+ // expected-note@-4 {{Taking false branch}}
+ (void)Bar;
+ }
+
+ if (const auto *Baz = dyn_cast_or_null<Circle>(C)) {
+ // expected-note@-1 {{Cast to 'const class Circle *' (from 'const class Shape *')}}
+ // expected-note@-2 {{'Baz' initialized here}}
+ // expected-note@-3 {{'Baz' is non-null}}
+ // expected-note@-4 {{Taking true branch}}
+ (void)(1 / !Baz);
+ // expected-note@-1 {{'Baz' is non-null}}
+ // expected-note@-2 {{Division by zero}}
+ // expected-warning@-3 {{Division by zero}}
+ }
+}
+} // namespace test_dyn_cast_or_null
Index: clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
===================================================================
--- /dev/null
+++ clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
@@ -0,0 +1,192 @@
+//===- CastValueChecker - Applies casts -------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+//
+// This defines CastValueChecker which models casts.
+//
+//===----------------------------------------------------------------------===//
+
+#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
+#include "clang/StaticAnalyzer/Core/Checker.h"
+#include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+#include "llvm/ADT/Optional.h"
+
+using namespace clang;
+using namespace ento;
+
+namespace {
+class CastValueChecker : public Checker<eval::Call> {
+ using CastCheck =
+ std::function<void(const CastValueChecker *, const CallExpr *,
+ DefinedOrUnknownSVal, CheckerContext &)>;
+
+public:
+ // We have three cases to evaluate a cast:
+ // 1) The parameter is non-null, the return value is non-null
+ // 2) The parameter is non-null, the return value is null
+ // 3) The parameter is null, the return value is null
+ //
+ // cast: 1; dyn_cast: 1, 2; cast_or_null: 1, 3; dyn_cast_or_null: 1, 2, 3.
+ bool evalCall(const CallEvent &Call, CheckerContext &C) const;
+
+private:
+ const CallDescriptionMap<CastCheck> CDM = {
+ {{{"cast"}}, &CastValueChecker::evalCast},
+ {{{"dyn_cast"}}, &CastValueChecker::evalDynCast},
+ {{{"cast_or_null"}}, &CastValueChecker::evalCastOrNull},
+ {{{"dyn_cast_or_null"}}, &CastValueChecker::evalDynCastOrNull}};
+
+ void evalCast(const CallExpr *CE, DefinedOrUnknownSVal ParamDV,
+ CheckerContext &C) const;
+ void evalDynCast(const CallExpr *CE, DefinedOrUnknownSVal ParamDV,
+ CheckerContext &C) const;
+ void evalCastOrNull(const CallExpr *CE, DefinedOrUnknownSVal ParamDV,
+ CheckerContext &C) const;
+ void evalDynCastOrNull(const CallExpr *CE, DefinedOrUnknownSVal ParamDV,
+ CheckerContext &C) const;
+};
+} // namespace
+
+static void evalNonNullParamNonNullReturn(const CallExpr *CE,
+ DefinedOrUnknownSVal ParamDV,
+ CheckerContext &C) {
+ ProgramStateRef State = C.getState();
+ if (!State->assume(ParamDV, true))
+ return;
+
+ State = State->assume(ParamDV, true);
+ State = State->BindExpr(CE, C.getLocationContext(), ParamDV,
+ /*Invalidate=*/false);
+
+ std::string CastToName = CE->getType().getAsString();
+ std::string CastFromName = CE->getArg(0)->getType().getAsString();
+
+ const NoteTag *CastTag = C.getNoteTag(
+ [CastToName, CastFromName](BugReport &) -> std::string {
+ SmallString<128> Msg;
+ llvm::raw_svector_ostream Out(Msg);
+
+ Out << "Cast to '" << CastToName << "' (from '" << CastFromName << "')";
+ return Out.str();
+ },
+ /*IsPrunable=*/false);
+
+ C.addTransition(State, CastTag);
+}
+
+static void evalNonNullParamNullReturn(const CallExpr *CE,
+ DefinedOrUnknownSVal ParamDV,
+ CheckerContext &C) {
+ ProgramStateRef State = C.getState();
+ if (!State->assume(ParamDV, true))
+ return;
+
+ State = State->assume(ParamDV, true);
+ State = State->BindExpr(CE, C.getLocationContext(),
+ C.getSValBuilder().makeNull(), /*Invalidate=*/false);
+
+ std::string CastToName = CE->getType().getAsString();
+ const NoteTag *CastTag = C.getNoteTag(
+ [CastToName](BugReport &) -> std::string {
+ SmallString<128> Msg;
+ llvm::raw_svector_ostream Out(Msg);
+
+ Out << "Cast to '" << CastToName << "' results in a null pointer";
+ return Out.str();
+ },
+ /*IsPrunable=*/false);
+
+ C.addTransition(State, CastTag);
+}
+
+static void evalNullParamNullReturn(const CallExpr *CE,
+ DefinedOrUnknownSVal ParamDV,
+ CheckerContext &C) {
+ ProgramStateRef State = C.getState();
+ if (!State->assume(ParamDV, false))
+ return;
+
+ State = State->assume(ParamDV, false);
+ State = State->BindExpr(CE, C.getLocationContext(),
+ C.getSValBuilder().makeNull(), /*Invalidate=*/false);
+
+ const NoteTag *CastTag = C.getNoteTag(
+ [](BugReport &) -> std::string {
+ SmallString<128> Msg;
+ llvm::raw_svector_ostream Out(Msg);
+
+ Out << "Cast from a null pointer results in a null pointer";
+ return Out.str();
+ },
+ /*IsPrunable=*/false);
+
+ C.addTransition(State, CastTag);
+}
+
+void CastValueChecker::evalCast(const CallExpr *CE,
+ DefinedOrUnknownSVal ParamDV,
+ CheckerContext &C) const {
+ evalNonNullParamNonNullReturn(CE, ParamDV, C);
+}
+
+void CastValueChecker::evalDynCast(const CallExpr *CE,
+ DefinedOrUnknownSVal ParamDV,
+ CheckerContext &C) const {
+ evalNonNullParamNonNullReturn(CE, ParamDV, C);
+ evalNonNullParamNullReturn(CE, ParamDV, C);
+}
+
+void CastValueChecker::evalCastOrNull(const CallExpr *CE,
+ DefinedOrUnknownSVal ParamDV,
+ CheckerContext &C) const {
+ evalNonNullParamNonNullReturn(CE, ParamDV, C);
+ evalNullParamNullReturn(CE, ParamDV, C);
+}
+
+void CastValueChecker::evalDynCastOrNull(const CallExpr *CE,
+ DefinedOrUnknownSVal ParamDV,
+ CheckerContext &C) const {
+ evalNonNullParamNonNullReturn(CE, ParamDV, C);
+ evalNonNullParamNullReturn(CE, ParamDV, C);
+ evalNullParamNullReturn(CE, ParamDV, C);
+}
+
+bool CastValueChecker::evalCall(const CallEvent &Call,
+ CheckerContext &C) const {
+ const CastCheck *Check = CDM.lookup(Call);
+ if (!Check)
+ return false;
+
+ const auto *CE = cast<CallExpr>(Call.getOriginExpr());
+ if (!CE)
+ return false;
+
+ const Expr *Param = nullptr;
+ /* TODO: measure 'MCE'.
+ if (const auto *MCE = dyn_cast<CXXMemberCallExpr>(CE->IgnoreParenImpCasts()))
+ Param = MCE->getImplicitObjectArgument();
+ else*/
+ Param = CE->getArg(0);
+
+ SVal ParamV = C.getState()->getSVal(Param, C.getLocationContext());
+ auto ParamDV = ParamV.getAs<DefinedOrUnknownSVal>();
+ if (!ParamDV)
+ return false;
+
+ (*Check)(this, CE, *ParamDV, C);
+ return true;
+}
+
+void ento::registerCastValueChecker(CheckerManager &Mgr) {
+ Mgr.registerChecker<CastValueChecker>();
+}
+
+bool ento::shouldRegisterCastValueChecker(const LangOptions &LO) {
+ return true;
+}
Index: clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
+++ clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
@@ -16,6 +16,7 @@
CallAndMessageChecker.cpp
CastSizeChecker.cpp
CastToStructChecker.cpp
+ CastValueChecker.cpp
CheckObjCDealloc.cpp
CheckObjCInstMethSignature.cpp
CheckSecuritySyntaxOnly.cpp
Index: clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
===================================================================
--- clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
+++ clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
@@ -274,6 +274,10 @@
let ParentPackage = APIModeling in {
+def CastValueChecker : Checker<"CastValue">,
+ HelpText<"Model casts">,
+ Documentation<NotDocumented>;
+
def ReturnValueChecker : Checker<"ReturnValue">,
HelpText<"Model the guaranteed boolean return value of function calls">,
Documentation<NotDocumented>;
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
