#include "clang/AST/Attr.h"
#include "clang/AST/DeclCXX.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
using namespace clang;
using namespace ento;
namespace {
enum class ObjectState : bool { CtorCalled, DtorCalled };
}
namespace llvm {
template <> struct FoldingSetTrait<ObjectState> {
static inline void Profile(ObjectState X, FoldingSetNodeID &ID) {
ID.AddInteger(static_cast<int>(X));
}
};
}
namespace {
class VirtualCallChecker
: public Checker<check::BeginFunction, check::EndFunction, check::PreCall> {
public:
mutable std::unique_ptr<BugType> BT_Pure, BT_Impure;
bool ShowFixIts = false;
void checkBeginFunction(CheckerContext &C) const;
void checkEndFunction(const ReturnStmt *RS, CheckerContext &C) const;
void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
private:
void registerCtorDtorCallInState(bool IsBeginFunction,
CheckerContext &C) const;
};
}
REGISTER_MAP_WITH_PROGRAMSTATE(CtorDtorMap, const MemRegion *, ObjectState)
static bool isVirtualCall(const CallExpr *CE) {
bool CallIsNonVirtual = false;
if (const MemberExpr *CME = dyn_cast<MemberExpr>(CE->getCallee())) {
if (CME->getQualifier())
CallIsNonVirtual = true;
if (const Expr *Base = CME->getBase()) {
if (Base->getBestDynamicClassType()->hasAttr<FinalAttr>())
CallIsNonVirtual = true;
}
}
const CXXMethodDecl *MD =
dyn_cast_or_null<CXXMethodDecl>(CE->getDirectCallee());
if (MD && MD->isVirtual() && !CallIsNonVirtual && !MD->hasAttr<FinalAttr>() &&
!MD->getParent()->hasAttr<FinalAttr>())
return true;
return false;
}
void VirtualCallChecker::checkBeginFunction(CheckerContext &C) const {
registerCtorDtorCallInState(true, C);
}
void VirtualCallChecker::checkEndFunction(const ReturnStmt *RS,
CheckerContext &C) const {
registerCtorDtorCallInState(false, C);
}
void VirtualCallChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const {
const auto MC = dyn_cast<CXXMemberCall>(&Call);
if (!MC)
return;
const CXXMethodDecl *MD = dyn_cast_or_null<CXXMethodDecl>(Call.getDecl());
if (!MD)
return;
ProgramStateRef State = C.getState();
const auto *CE = cast<CallExpr>(Call.getOriginExpr());
if (!isVirtualCall(CE))
return;
const MemRegion *Reg = MC->getCXXThisVal().getAsRegion();
const ObjectState *ObState = State->get<CtorDtorMap>(Reg);
if (!ObState)
return;
bool IsPure = MD->isPure();
SmallString<128> Msg;
llvm::raw_svector_ostream OS(Msg);
OS << "Call to ";
if (IsPure)
OS << "pure ";
OS << "virtual method '" << MD->getParent()->getDeclName()
<< "::" << MD->getDeclName() << "' during ";
if (*ObState == ObjectState::CtorCalled)
OS << "construction ";
else
OS << "destruction ";
if (IsPure)
OS << "has undefined behavior";
else
OS << "bypasses virtual dispatch";
ExplodedNode *N =
IsPure ? C.generateErrorNode() : C.generateNonFatalErrorNode();
if (!N)
return;
const std::unique_ptr<BugType> &BT = IsPure ? BT_Pure : BT_Impure;
if (!BT) {
return;
}
auto Report = std::make_unique<PathSensitiveBugReport>(*BT, OS.str(), N);
if (ShowFixIts && !IsPure) {
FixItHint Fixit = FixItHint::CreateInsertion(
CE->getBeginLoc(), MD->getParent()->getNameAsString() + "::");
Report->addFixItHint(Fixit);
}
C.emitReport(std::move(Report));
}
void VirtualCallChecker::registerCtorDtorCallInState(bool IsBeginFunction,
CheckerContext &C) const {
const auto *LCtx = C.getLocationContext();
const auto *MD = dyn_cast_or_null<CXXMethodDecl>(LCtx->getDecl());
if (!MD)
return;
ProgramStateRef State = C.getState();
auto &SVB = C.getSValBuilder();
if (isa<CXXConstructorDecl>(MD)) {
auto ThiSVal =
State->getSVal(SVB.getCXXThis(MD, LCtx->getStackFrame()));
const MemRegion *Reg = ThiSVal.getAsRegion();
if (IsBeginFunction)
State = State->set<CtorDtorMap>(Reg, ObjectState::CtorCalled);
else
State = State->remove<CtorDtorMap>(Reg);
C.addTransition(State);
return;
}
if (isa<CXXDestructorDecl>(MD)) {
auto ThiSVal =
State->getSVal(SVB.getCXXThis(MD, LCtx->getStackFrame()));
const MemRegion *Reg = ThiSVal.getAsRegion();
if (IsBeginFunction)
State = State->set<CtorDtorMap>(Reg, ObjectState::DtorCalled);
else
State = State->remove<CtorDtorMap>(Reg);
C.addTransition(State);
return;
}
}
void ento::registerVirtualCallModeling(CheckerManager &Mgr) {
Mgr.registerChecker<VirtualCallChecker>();
}
void ento::registerPureVirtualCallChecker(CheckerManager &Mgr) {
auto *Chk = Mgr.getChecker<VirtualCallChecker>();
Chk->BT_Pure = std::make_unique<BugType>(Mgr.getCurrentCheckerName(),
"Pure virtual method call",
categories::CXXObjectLifecycle);
}
void ento::registerVirtualCallChecker(CheckerManager &Mgr) {
auto *Chk = Mgr.getChecker<VirtualCallChecker>();
if (!Mgr.getAnalyzerOptions().getCheckerBooleanOption(
Mgr.getCurrentCheckerName(), "PureOnly")) {
Chk->BT_Impure = std::make_unique<BugType>(
Mgr.getCurrentCheckerName(), "Unexpected loss of virtual dispatch",
categories::CXXObjectLifecycle);
Chk->ShowFixIts = Mgr.getAnalyzerOptions().getCheckerBooleanOption(
Mgr.getCurrentCheckerName(), "ShowFixIts");
}
}
bool ento::shouldRegisterVirtualCallModeling(const CheckerManager &mgr) {
const LangOptions &LO = mgr.getLangOpts();
return LO.CPlusPlus;
}
bool ento::shouldRegisterPureVirtualCallChecker(const CheckerManager &mgr) {
const LangOptions &LO = mgr.getLangOpts();
return LO.CPlusPlus;
}
bool ento::shouldRegisterVirtualCallChecker(const CheckerManager &mgr) {
const LangOptions &LO = mgr.getLangOpts();
return LO.CPlusPlus;
}