1//=== BuiltinFunctionChecker.cpp --------------------------------*- C++ -*-===//
2//
3//                     The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This checker evaluates clang builtin functions.
11//
12//===----------------------------------------------------------------------===//
13
14#include "ClangSACheckers.h"
15#include "clang/Basic/Builtins.h"
16#include "clang/StaticAnalyzer/Core/Checker.h"
17#include "clang/StaticAnalyzer/Core/CheckerManager.h"
18#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
19
20using namespace clang;
21using namespace ento;
22
23namespace {
24
25class BuiltinFunctionChecker : public Checker<eval::Call> {
26public:
27  bool evalCall(const CallExpr *CE, CheckerContext &C) const;
28};
29
30}
31
32bool BuiltinFunctionChecker::evalCall(const CallExpr *CE,
33                                      CheckerContext &C) const {
34  ProgramStateRef state = C.getState();
35  const FunctionDecl *FD = C.getCalleeDecl(CE);
36  const LocationContext *LCtx = C.getLocationContext();
37  if (!FD)
38    return false;
39
40  switch (FD->getBuiltinID()) {
41  default:
42    return false;
43
44  case Builtin::BI__builtin_unpredictable:
45  case Builtin::BI__builtin_expect:
46  case Builtin::BI__builtin_assume_aligned:
47  case Builtin::BI__builtin_addressof: {
48    // For __builtin_unpredictable, __builtin_expect, and
49    // __builtin_assume_aligned, just return the value of the subexpression.
50    // __builtin_addressof is going from a reference to a pointer, but those
51    // are represented the same way in the analyzer.
52    assert (CE->arg_begin() != CE->arg_end());
53    SVal X = state->getSVal(*(CE->arg_begin()), LCtx);
54    C.addTransition(state->BindExpr(CE, LCtx, X));
55    return true;
56  }
57
58  case Builtin::BI__builtin_alloca: {
59    // FIXME: Refactor into StoreManager itself?
60    MemRegionManager& RM = C.getStoreManager().getRegionManager();
61    const AllocaRegion* R =
62      RM.getAllocaRegion(CE, C.blockCount(), C.getLocationContext());
63
64    // Set the extent of the region in bytes. This enables us to use the
65    // SVal of the argument directly. If we save the extent in bits, we
66    // cannot represent values like symbol*8.
67    DefinedOrUnknownSVal Size =
68        state->getSVal(*(CE->arg_begin()), LCtx).castAs<DefinedOrUnknownSVal>();
69
70    SValBuilder& svalBuilder = C.getSValBuilder();
71    DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder);
72    DefinedOrUnknownSVal extentMatchesSizeArg =
73      svalBuilder.evalEQ(state, Extent, Size);
74    state = state->assume(extentMatchesSizeArg, true);
75    assert(state && "The region should not have any previous constraints");
76
77    C.addTransition(state->BindExpr(CE, LCtx, loc::MemRegionVal(R)));
78    return true;
79  }
80
81  case Builtin::BI__builtin_object_size: {
82    // This must be resolvable at compile time, so we defer to the constant
83    // evaluator for a value.
84    SVal V = UnknownVal();
85    llvm::APSInt Result;
86    if (CE->EvaluateAsInt(Result, C.getASTContext(), Expr::SE_NoSideEffects)) {
87      // Make sure the result has the correct type.
88      SValBuilder &SVB = C.getSValBuilder();
89      BasicValueFactory &BVF = SVB.getBasicValueFactory();
90      BVF.getAPSIntType(CE->getType()).apply(Result);
91      V = SVB.makeIntVal(Result);
92    }
93
94    C.addTransition(state->BindExpr(CE, LCtx, V));
95    return true;
96  }
97  }
98}
99
100void ento::registerBuiltinFunctionChecker(CheckerManager &mgr) {
101  mgr.registerChecker<BuiltinFunctionChecker>();
102}
103