CallEvent.cpp revision 251662
1//===- Calls.cpp - Wrapper for all function and method calls ------*- C++ -*--// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10/// \file This file defines CallEvent and its subclasses, which represent path- 11/// sensitive instances of different kinds of function and method calls 12/// (C, C++, and Objective-C). 13// 14//===----------------------------------------------------------------------===// 15 16#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 17#include "clang/AST/ParentMap.h" 18#include "clang/Analysis/ProgramPoint.h" 19#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 20#include "llvm/ADT/SmallSet.h" 21#include "llvm/ADT/StringExtras.h" 22#include "llvm/Support/raw_ostream.h" 23 24using namespace clang; 25using namespace ento; 26 27QualType CallEvent::getResultType() const { 28 const Expr *E = getOriginExpr(); 29 assert(E && "Calls without origin expressions do not have results"); 30 QualType ResultTy = E->getType(); 31 32 ASTContext &Ctx = getState()->getStateManager().getContext(); 33 34 // A function that returns a reference to 'int' will have a result type 35 // of simply 'int'. Check the origin expr's value kind to recover the 36 // proper type. 37 switch (E->getValueKind()) { 38 case VK_LValue: 39 ResultTy = Ctx.getLValueReferenceType(ResultTy); 40 break; 41 case VK_XValue: 42 ResultTy = Ctx.getRValueReferenceType(ResultTy); 43 break; 44 case VK_RValue: 45 // No adjustment is necessary. 46 break; 47 } 48 49 return ResultTy; 50} 51 52static bool isCallbackArg(SVal V, QualType T) { 53 // If the parameter is 0, it's harmless. 54 if (V.isZeroConstant()) 55 return false; 56 57 // If a parameter is a block or a callback, assume it can modify pointer. 58 if (T->isBlockPointerType() || 59 T->isFunctionPointerType() || 60 T->isObjCSelType()) 61 return true; 62 63 // Check if a callback is passed inside a struct (for both, struct passed by 64 // reference and by value). Dig just one level into the struct for now. 65 66 if (T->isAnyPointerType() || T->isReferenceType()) 67 T = T->getPointeeType(); 68 69 if (const RecordType *RT = T->getAsStructureType()) { 70 const RecordDecl *RD = RT->getDecl(); 71 for (RecordDecl::field_iterator I = RD->field_begin(), E = RD->field_end(); 72 I != E; ++I) { 73 QualType FieldT = I->getType(); 74 if (FieldT->isBlockPointerType() || FieldT->isFunctionPointerType()) 75 return true; 76 } 77 } 78 79 return false; 80} 81 82bool CallEvent::hasNonZeroCallbackArg() const { 83 unsigned NumOfArgs = getNumArgs(); 84 85 // If calling using a function pointer, assume the function does not 86 // have a callback. TODO: We could check the types of the arguments here. 87 if (!getDecl()) 88 return false; 89 90 unsigned Idx = 0; 91 for (CallEvent::param_type_iterator I = param_type_begin(), 92 E = param_type_end(); 93 I != E && Idx < NumOfArgs; ++I, ++Idx) { 94 if (NumOfArgs <= Idx) 95 break; 96 97 if (isCallbackArg(getArgSVal(Idx), *I)) 98 return true; 99 } 100 101 return false; 102} 103 104bool CallEvent::isGlobalCFunction(StringRef FunctionName) const { 105 const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(getDecl()); 106 if (!FD) 107 return false; 108 109 return CheckerContext::isCLibraryFunction(FD, FunctionName); 110} 111 112/// \brief Returns true if a type is a pointer-to-const or reference-to-const 113/// with no further indirection. 114static bool isPointerToConst(QualType Ty) { 115 QualType PointeeTy = Ty->getPointeeType(); 116 if (PointeeTy == QualType()) 117 return false; 118 if (!PointeeTy.isConstQualified()) 119 return false; 120 if (PointeeTy->isAnyPointerType()) 121 return false; 122 return true; 123} 124 125// Try to retrieve the function declaration and find the function parameter 126// types which are pointers/references to a non-pointer const. 127// We will not invalidate the corresponding argument regions. 128static void findPtrToConstParams(llvm::SmallSet<unsigned, 4> &PreserveArgs, 129 const CallEvent &Call) { 130 unsigned Idx = 0; 131 for (CallEvent::param_type_iterator I = Call.param_type_begin(), 132 E = Call.param_type_end(); 133 I != E; ++I, ++Idx) { 134 if (isPointerToConst(*I)) 135 PreserveArgs.insert(Idx); 136 } 137} 138 139ProgramStateRef CallEvent::invalidateRegions(unsigned BlockCount, 140 ProgramStateRef Orig) const { 141 ProgramStateRef Result = (Orig ? Orig : getState()); 142 143 SmallVector<SVal, 8> ConstValues; 144 SmallVector<SVal, 8> ValuesToInvalidate; 145 146 getExtraInvalidatedValues(ValuesToInvalidate); 147 148 // Indexes of arguments whose values will be preserved by the call. 149 llvm::SmallSet<unsigned, 4> PreserveArgs; 150 if (!argumentsMayEscape()) 151 findPtrToConstParams(PreserveArgs, *this); 152 153 for (unsigned Idx = 0, Count = getNumArgs(); Idx != Count; ++Idx) { 154 // Mark this region for invalidation. We batch invalidate regions 155 // below for efficiency. 156 if (PreserveArgs.count(Idx)) 157 ConstValues.push_back(getArgSVal(Idx)); 158 else 159 ValuesToInvalidate.push_back(getArgSVal(Idx)); 160 } 161 162 // Invalidate designated regions using the batch invalidation API. 163 // NOTE: Even if RegionsToInvalidate is empty, we may still invalidate 164 // global variables. 165 return Result->invalidateRegions(ValuesToInvalidate, getOriginExpr(), 166 BlockCount, getLocationContext(), 167 /*CausedByPointerEscape*/ true, 168 /*Symbols=*/0, this, ConstValues); 169} 170 171ProgramPoint CallEvent::getProgramPoint(bool IsPreVisit, 172 const ProgramPointTag *Tag) const { 173 if (const Expr *E = getOriginExpr()) { 174 if (IsPreVisit) 175 return PreStmt(E, getLocationContext(), Tag); 176 return PostStmt(E, getLocationContext(), Tag); 177 } 178 179 const Decl *D = getDecl(); 180 assert(D && "Cannot get a program point without a statement or decl"); 181 182 SourceLocation Loc = getSourceRange().getBegin(); 183 if (IsPreVisit) 184 return PreImplicitCall(D, Loc, getLocationContext(), Tag); 185 return PostImplicitCall(D, Loc, getLocationContext(), Tag); 186} 187 188SVal CallEvent::getArgSVal(unsigned Index) const { 189 const Expr *ArgE = getArgExpr(Index); 190 if (!ArgE) 191 return UnknownVal(); 192 return getSVal(ArgE); 193} 194 195SourceRange CallEvent::getArgSourceRange(unsigned Index) const { 196 const Expr *ArgE = getArgExpr(Index); 197 if (!ArgE) 198 return SourceRange(); 199 return ArgE->getSourceRange(); 200} 201 202SVal CallEvent::getReturnValue() const { 203 const Expr *E = getOriginExpr(); 204 if (!E) 205 return UndefinedVal(); 206 return getSVal(E); 207} 208 209void CallEvent::dump() const { 210 dump(llvm::errs()); 211} 212 213void CallEvent::dump(raw_ostream &Out) const { 214 ASTContext &Ctx = getState()->getStateManager().getContext(); 215 if (const Expr *E = getOriginExpr()) { 216 E->printPretty(Out, 0, Ctx.getPrintingPolicy()); 217 Out << "\n"; 218 return; 219 } 220 221 if (const Decl *D = getDecl()) { 222 Out << "Call to "; 223 D->print(Out, Ctx.getPrintingPolicy()); 224 return; 225 } 226 227 // FIXME: a string representation of the kind would be nice. 228 Out << "Unknown call (type " << getKind() << ")"; 229} 230 231 232bool CallEvent::isCallStmt(const Stmt *S) { 233 return isa<CallExpr>(S) || isa<ObjCMessageExpr>(S) 234 || isa<CXXConstructExpr>(S) 235 || isa<CXXNewExpr>(S); 236} 237 238QualType CallEvent::getDeclaredResultType(const Decl *D) { 239 assert(D); 240 if (const FunctionDecl* FD = dyn_cast<FunctionDecl>(D)) 241 return FD->getResultType(); 242 if (const ObjCMethodDecl* MD = dyn_cast<ObjCMethodDecl>(D)) 243 return MD->getResultType(); 244 if (const BlockDecl *BD = dyn_cast<BlockDecl>(D)) { 245 // Blocks are difficult because the return type may not be stored in the 246 // BlockDecl itself. The AST should probably be enhanced, but for now we 247 // just do what we can. 248 QualType Ty = BD->getSignatureAsWritten()->getType(); 249 if (const FunctionType *FT = Ty->getAs<FunctionType>()) 250 if (!FT->getResultType()->isDependentType()) 251 return FT->getResultType(); 252 253 return QualType(); 254 } 255 256 return QualType(); 257} 258 259static void addParameterValuesToBindings(const StackFrameContext *CalleeCtx, 260 CallEvent::BindingsTy &Bindings, 261 SValBuilder &SVB, 262 const CallEvent &Call, 263 CallEvent::param_iterator I, 264 CallEvent::param_iterator E) { 265 MemRegionManager &MRMgr = SVB.getRegionManager(); 266 267 unsigned Idx = 0; 268 for (; I != E; ++I, ++Idx) { 269 const ParmVarDecl *ParamDecl = *I; 270 assert(ParamDecl && "Formal parameter has no decl?"); 271 272 SVal ArgVal = Call.getArgSVal(Idx); 273 if (!ArgVal.isUnknown()) { 274 Loc ParamLoc = SVB.makeLoc(MRMgr.getVarRegion(ParamDecl, CalleeCtx)); 275 Bindings.push_back(std::make_pair(ParamLoc, ArgVal)); 276 } 277 } 278 279 // FIXME: Variadic arguments are not handled at all right now. 280} 281 282 283CallEvent::param_iterator AnyFunctionCall::param_begin() const { 284 const FunctionDecl *D = getDecl(); 285 if (!D) 286 return 0; 287 288 return D->param_begin(); 289} 290 291CallEvent::param_iterator AnyFunctionCall::param_end() const { 292 const FunctionDecl *D = getDecl(); 293 if (!D) 294 return 0; 295 296 return D->param_end(); 297} 298 299void AnyFunctionCall::getInitialStackFrameContents( 300 const StackFrameContext *CalleeCtx, 301 BindingsTy &Bindings) const { 302 const FunctionDecl *D = cast<FunctionDecl>(CalleeCtx->getDecl()); 303 SValBuilder &SVB = getState()->getStateManager().getSValBuilder(); 304 addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this, 305 D->param_begin(), D->param_end()); 306} 307 308bool AnyFunctionCall::argumentsMayEscape() const { 309 if (hasNonZeroCallbackArg()) 310 return true; 311 312 const FunctionDecl *D = getDecl(); 313 if (!D) 314 return true; 315 316 const IdentifierInfo *II = D->getIdentifier(); 317 if (!II) 318 return false; 319 320 // This set of "escaping" APIs is 321 322 // - 'int pthread_setspecific(ptheread_key k, const void *)' stores a 323 // value into thread local storage. The value can later be retrieved with 324 // 'void *ptheread_getspecific(pthread_key)'. So even thought the 325 // parameter is 'const void *', the region escapes through the call. 326 if (II->isStr("pthread_setspecific")) 327 return true; 328 329 // - xpc_connection_set_context stores a value which can be retrieved later 330 // with xpc_connection_get_context. 331 if (II->isStr("xpc_connection_set_context")) 332 return true; 333 334 // - funopen - sets a buffer for future IO calls. 335 if (II->isStr("funopen")) 336 return true; 337 338 StringRef FName = II->getName(); 339 340 // - CoreFoundation functions that end with "NoCopy" can free a passed-in 341 // buffer even if it is const. 342 if (FName.endswith("NoCopy")) 343 return true; 344 345 // - NSXXInsertXX, for example NSMapInsertIfAbsent, since they can 346 // be deallocated by NSMapRemove. 347 if (FName.startswith("NS") && (FName.find("Insert") != StringRef::npos)) 348 return true; 349 350 // - Many CF containers allow objects to escape through custom 351 // allocators/deallocators upon container construction. (PR12101) 352 if (FName.startswith("CF") || FName.startswith("CG")) { 353 return StrInStrNoCase(FName, "InsertValue") != StringRef::npos || 354 StrInStrNoCase(FName, "AddValue") != StringRef::npos || 355 StrInStrNoCase(FName, "SetValue") != StringRef::npos || 356 StrInStrNoCase(FName, "WithData") != StringRef::npos || 357 StrInStrNoCase(FName, "AppendValue") != StringRef::npos || 358 StrInStrNoCase(FName, "SetAttribute") != StringRef::npos; 359 } 360 361 return false; 362} 363 364 365const FunctionDecl *SimpleCall::getDecl() const { 366 const FunctionDecl *D = getOriginExpr()->getDirectCallee(); 367 if (D) 368 return D; 369 370 return getSVal(getOriginExpr()->getCallee()).getAsFunctionDecl(); 371} 372 373 374const FunctionDecl *CXXInstanceCall::getDecl() const { 375 const CallExpr *CE = cast_or_null<CallExpr>(getOriginExpr()); 376 if (!CE) 377 return AnyFunctionCall::getDecl(); 378 379 const FunctionDecl *D = CE->getDirectCallee(); 380 if (D) 381 return D; 382 383 return getSVal(CE->getCallee()).getAsFunctionDecl(); 384} 385 386void CXXInstanceCall::getExtraInvalidatedValues(ValueList &Values) const { 387 Values.push_back(getCXXThisVal()); 388} 389 390SVal CXXInstanceCall::getCXXThisVal() const { 391 const Expr *Base = getCXXThisExpr(); 392 // FIXME: This doesn't handle an overloaded ->* operator. 393 if (!Base) 394 return UnknownVal(); 395 396 SVal ThisVal = getSVal(Base); 397 assert(ThisVal.isUnknownOrUndef() || ThisVal.getAs<Loc>()); 398 return ThisVal; 399} 400 401 402RuntimeDefinition CXXInstanceCall::getRuntimeDefinition() const { 403 // Do we have a decl at all? 404 const Decl *D = getDecl(); 405 if (!D) 406 return RuntimeDefinition(); 407 408 // If the method is non-virtual, we know we can inline it. 409 const CXXMethodDecl *MD = cast<CXXMethodDecl>(D); 410 if (!MD->isVirtual()) 411 return AnyFunctionCall::getRuntimeDefinition(); 412 413 // Do we know the implicit 'this' object being called? 414 const MemRegion *R = getCXXThisVal().getAsRegion(); 415 if (!R) 416 return RuntimeDefinition(); 417 418 // Do we know anything about the type of 'this'? 419 DynamicTypeInfo DynType = getState()->getDynamicTypeInfo(R); 420 if (!DynType.isValid()) 421 return RuntimeDefinition(); 422 423 // Is the type a C++ class? (This is mostly a defensive check.) 424 QualType RegionType = DynType.getType()->getPointeeType(); 425 assert(!RegionType.isNull() && "DynamicTypeInfo should always be a pointer."); 426 427 const CXXRecordDecl *RD = RegionType->getAsCXXRecordDecl(); 428 if (!RD || !RD->hasDefinition()) 429 return RuntimeDefinition(); 430 431 // Find the decl for this method in that class. 432 const CXXMethodDecl *Result = MD->getCorrespondingMethodInClass(RD, true); 433 if (!Result) { 434 // We might not even get the original statically-resolved method due to 435 // some particularly nasty casting (e.g. casts to sister classes). 436 // However, we should at least be able to search up and down our own class 437 // hierarchy, and some real bugs have been caught by checking this. 438 assert(!RD->isDerivedFrom(MD->getParent()) && "Couldn't find known method"); 439 440 // FIXME: This is checking that our DynamicTypeInfo is at least as good as 441 // the static type. However, because we currently don't update 442 // DynamicTypeInfo when an object is cast, we can't actually be sure the 443 // DynamicTypeInfo is up to date. This assert should be re-enabled once 444 // this is fixed. <rdar://problem/12287087> 445 //assert(!MD->getParent()->isDerivedFrom(RD) && "Bad DynamicTypeInfo"); 446 447 return RuntimeDefinition(); 448 } 449 450 // Does the decl that we found have an implementation? 451 const FunctionDecl *Definition; 452 if (!Result->hasBody(Definition)) 453 return RuntimeDefinition(); 454 455 // We found a definition. If we're not sure that this devirtualization is 456 // actually what will happen at runtime, make sure to provide the region so 457 // that ExprEngine can decide what to do with it. 458 if (DynType.canBeASubClass()) 459 return RuntimeDefinition(Definition, R->StripCasts()); 460 return RuntimeDefinition(Definition, /*DispatchRegion=*/0); 461} 462 463void CXXInstanceCall::getInitialStackFrameContents( 464 const StackFrameContext *CalleeCtx, 465 BindingsTy &Bindings) const { 466 AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings); 467 468 // Handle the binding of 'this' in the new stack frame. 469 SVal ThisVal = getCXXThisVal(); 470 if (!ThisVal.isUnknown()) { 471 ProgramStateManager &StateMgr = getState()->getStateManager(); 472 SValBuilder &SVB = StateMgr.getSValBuilder(); 473 474 const CXXMethodDecl *MD = cast<CXXMethodDecl>(CalleeCtx->getDecl()); 475 Loc ThisLoc = SVB.getCXXThis(MD, CalleeCtx); 476 477 // If we devirtualized to a different member function, we need to make sure 478 // we have the proper layering of CXXBaseObjectRegions. 479 if (MD->getCanonicalDecl() != getDecl()->getCanonicalDecl()) { 480 ASTContext &Ctx = SVB.getContext(); 481 const CXXRecordDecl *Class = MD->getParent(); 482 QualType Ty = Ctx.getPointerType(Ctx.getRecordType(Class)); 483 484 // FIXME: CallEvent maybe shouldn't be directly accessing StoreManager. 485 bool Failed; 486 ThisVal = StateMgr.getStoreManager().evalDynamicCast(ThisVal, Ty, Failed); 487 assert(!Failed && "Calling an incorrectly devirtualized method"); 488 } 489 490 if (!ThisVal.isUnknown()) 491 Bindings.push_back(std::make_pair(ThisLoc, ThisVal)); 492 } 493} 494 495 496 497const Expr *CXXMemberCall::getCXXThisExpr() const { 498 return getOriginExpr()->getImplicitObjectArgument(); 499} 500 501RuntimeDefinition CXXMemberCall::getRuntimeDefinition() const { 502 // C++11 [expr.call]p1: ...If the selected function is non-virtual, or if the 503 // id-expression in the class member access expression is a qualified-id, 504 // that function is called. Otherwise, its final overrider in the dynamic type 505 // of the object expression is called. 506 if (const MemberExpr *ME = dyn_cast<MemberExpr>(getOriginExpr()->getCallee())) 507 if (ME->hasQualifier()) 508 return AnyFunctionCall::getRuntimeDefinition(); 509 510 return CXXInstanceCall::getRuntimeDefinition(); 511} 512 513 514const Expr *CXXMemberOperatorCall::getCXXThisExpr() const { 515 return getOriginExpr()->getArg(0); 516} 517 518 519const BlockDataRegion *BlockCall::getBlockRegion() const { 520 const Expr *Callee = getOriginExpr()->getCallee(); 521 const MemRegion *DataReg = getSVal(Callee).getAsRegion(); 522 523 return dyn_cast_or_null<BlockDataRegion>(DataReg); 524} 525 526CallEvent::param_iterator BlockCall::param_begin() const { 527 const BlockDecl *D = getBlockDecl(); 528 if (!D) 529 return 0; 530 return D->param_begin(); 531} 532 533CallEvent::param_iterator BlockCall::param_end() const { 534 const BlockDecl *D = getBlockDecl(); 535 if (!D) 536 return 0; 537 return D->param_end(); 538} 539 540void BlockCall::getExtraInvalidatedValues(ValueList &Values) const { 541 // FIXME: This also needs to invalidate captured globals. 542 if (const MemRegion *R = getBlockRegion()) 543 Values.push_back(loc::MemRegionVal(R)); 544} 545 546void BlockCall::getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 547 BindingsTy &Bindings) const { 548 const BlockDecl *D = cast<BlockDecl>(CalleeCtx->getDecl()); 549 SValBuilder &SVB = getState()->getStateManager().getSValBuilder(); 550 addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this, 551 D->param_begin(), D->param_end()); 552} 553 554 555SVal CXXConstructorCall::getCXXThisVal() const { 556 if (Data) 557 return loc::MemRegionVal(static_cast<const MemRegion *>(Data)); 558 return UnknownVal(); 559} 560 561void CXXConstructorCall::getExtraInvalidatedValues(ValueList &Values) const { 562 if (Data) 563 Values.push_back(loc::MemRegionVal(static_cast<const MemRegion *>(Data))); 564} 565 566void CXXConstructorCall::getInitialStackFrameContents( 567 const StackFrameContext *CalleeCtx, 568 BindingsTy &Bindings) const { 569 AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings); 570 571 SVal ThisVal = getCXXThisVal(); 572 if (!ThisVal.isUnknown()) { 573 SValBuilder &SVB = getState()->getStateManager().getSValBuilder(); 574 const CXXMethodDecl *MD = cast<CXXMethodDecl>(CalleeCtx->getDecl()); 575 Loc ThisLoc = SVB.getCXXThis(MD, CalleeCtx); 576 Bindings.push_back(std::make_pair(ThisLoc, ThisVal)); 577 } 578} 579 580 581 582SVal CXXDestructorCall::getCXXThisVal() const { 583 if (Data) 584 return loc::MemRegionVal(DtorDataTy::getFromOpaqueValue(Data).getPointer()); 585 return UnknownVal(); 586} 587 588RuntimeDefinition CXXDestructorCall::getRuntimeDefinition() const { 589 // Base destructors are always called non-virtually. 590 // Skip CXXInstanceCall's devirtualization logic in this case. 591 if (isBaseDestructor()) 592 return AnyFunctionCall::getRuntimeDefinition(); 593 594 return CXXInstanceCall::getRuntimeDefinition(); 595} 596 597 598CallEvent::param_iterator ObjCMethodCall::param_begin() const { 599 const ObjCMethodDecl *D = getDecl(); 600 if (!D) 601 return 0; 602 603 return D->param_begin(); 604} 605 606CallEvent::param_iterator ObjCMethodCall::param_end() const { 607 const ObjCMethodDecl *D = getDecl(); 608 if (!D) 609 return 0; 610 611 return D->param_end(); 612} 613 614void 615ObjCMethodCall::getExtraInvalidatedValues(ValueList &Values) const { 616 Values.push_back(getReceiverSVal()); 617} 618 619SVal ObjCMethodCall::getSelfSVal() const { 620 const LocationContext *LCtx = getLocationContext(); 621 const ImplicitParamDecl *SelfDecl = LCtx->getSelfDecl(); 622 if (!SelfDecl) 623 return SVal(); 624 return getState()->getSVal(getState()->getRegion(SelfDecl, LCtx)); 625} 626 627SVal ObjCMethodCall::getReceiverSVal() const { 628 // FIXME: Is this the best way to handle class receivers? 629 if (!isInstanceMessage()) 630 return UnknownVal(); 631 632 if (const Expr *RecE = getOriginExpr()->getInstanceReceiver()) 633 return getSVal(RecE); 634 635 // An instance message with no expression means we are sending to super. 636 // In this case the object reference is the same as 'self'. 637 assert(getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance); 638 SVal SelfVal = getSelfSVal(); 639 assert(SelfVal.isValid() && "Calling super but not in ObjC method"); 640 return SelfVal; 641} 642 643bool ObjCMethodCall::isReceiverSelfOrSuper() const { 644 if (getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance || 645 getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperClass) 646 return true; 647 648 if (!isInstanceMessage()) 649 return false; 650 651 SVal RecVal = getSVal(getOriginExpr()->getInstanceReceiver()); 652 653 return (RecVal == getSelfSVal()); 654} 655 656SourceRange ObjCMethodCall::getSourceRange() const { 657 switch (getMessageKind()) { 658 case OCM_Message: 659 return getOriginExpr()->getSourceRange(); 660 case OCM_PropertyAccess: 661 case OCM_Subscript: 662 return getContainingPseudoObjectExpr()->getSourceRange(); 663 } 664 llvm_unreachable("unknown message kind"); 665} 666 667typedef llvm::PointerIntPair<const PseudoObjectExpr *, 2> ObjCMessageDataTy; 668 669const PseudoObjectExpr *ObjCMethodCall::getContainingPseudoObjectExpr() const { 670 assert(Data != 0 && "Lazy lookup not yet performed."); 671 assert(getMessageKind() != OCM_Message && "Explicit message send."); 672 return ObjCMessageDataTy::getFromOpaqueValue(Data).getPointer(); 673} 674 675ObjCMessageKind ObjCMethodCall::getMessageKind() const { 676 if (Data == 0) { 677 ParentMap &PM = getLocationContext()->getParentMap(); 678 const Stmt *S = PM.getParent(getOriginExpr()); 679 if (const PseudoObjectExpr *POE = dyn_cast_or_null<PseudoObjectExpr>(S)) { 680 const Expr *Syntactic = POE->getSyntacticForm(); 681 682 // This handles the funny case of assigning to the result of a getter. 683 // This can happen if the getter returns a non-const reference. 684 if (const BinaryOperator *BO = dyn_cast<BinaryOperator>(Syntactic)) 685 Syntactic = BO->getLHS(); 686 687 ObjCMessageKind K; 688 switch (Syntactic->getStmtClass()) { 689 case Stmt::ObjCPropertyRefExprClass: 690 K = OCM_PropertyAccess; 691 break; 692 case Stmt::ObjCSubscriptRefExprClass: 693 K = OCM_Subscript; 694 break; 695 default: 696 // FIXME: Can this ever happen? 697 K = OCM_Message; 698 break; 699 } 700 701 if (K != OCM_Message) { 702 const_cast<ObjCMethodCall *>(this)->Data 703 = ObjCMessageDataTy(POE, K).getOpaqueValue(); 704 assert(getMessageKind() == K); 705 return K; 706 } 707 } 708 709 const_cast<ObjCMethodCall *>(this)->Data 710 = ObjCMessageDataTy(0, 1).getOpaqueValue(); 711 assert(getMessageKind() == OCM_Message); 712 return OCM_Message; 713 } 714 715 ObjCMessageDataTy Info = ObjCMessageDataTy::getFromOpaqueValue(Data); 716 if (!Info.getPointer()) 717 return OCM_Message; 718 return static_cast<ObjCMessageKind>(Info.getInt()); 719} 720 721 722bool ObjCMethodCall::canBeOverridenInSubclass(ObjCInterfaceDecl *IDecl, 723 Selector Sel) const { 724 assert(IDecl); 725 const SourceManager &SM = 726 getState()->getStateManager().getContext().getSourceManager(); 727 728 // If the class interface is declared inside the main file, assume it is not 729 // subcassed. 730 // TODO: It could actually be subclassed if the subclass is private as well. 731 // This is probably very rare. 732 SourceLocation InterfLoc = IDecl->getEndOfDefinitionLoc(); 733 if (InterfLoc.isValid() && SM.isFromMainFile(InterfLoc)) 734 return false; 735 736 // Assume that property accessors are not overridden. 737 if (getMessageKind() == OCM_PropertyAccess) 738 return false; 739 740 // We assume that if the method is public (declared outside of main file) or 741 // has a parent which publicly declares the method, the method could be 742 // overridden in a subclass. 743 744 // Find the first declaration in the class hierarchy that declares 745 // the selector. 746 ObjCMethodDecl *D = 0; 747 while (true) { 748 D = IDecl->lookupMethod(Sel, true); 749 750 // Cannot find a public definition. 751 if (!D) 752 return false; 753 754 // If outside the main file, 755 if (D->getLocation().isValid() && !SM.isFromMainFile(D->getLocation())) 756 return true; 757 758 if (D->isOverriding()) { 759 // Search in the superclass on the next iteration. 760 IDecl = D->getClassInterface(); 761 if (!IDecl) 762 return false; 763 764 IDecl = IDecl->getSuperClass(); 765 if (!IDecl) 766 return false; 767 768 continue; 769 } 770 771 return false; 772 }; 773 774 llvm_unreachable("The while loop should always terminate."); 775} 776 777RuntimeDefinition ObjCMethodCall::getRuntimeDefinition() const { 778 const ObjCMessageExpr *E = getOriginExpr(); 779 assert(E); 780 Selector Sel = E->getSelector(); 781 782 if (E->isInstanceMessage()) { 783 784 // Find the the receiver type. 785 const ObjCObjectPointerType *ReceiverT = 0; 786 bool CanBeSubClassed = false; 787 QualType SupersType = E->getSuperType(); 788 const MemRegion *Receiver = 0; 789 790 if (!SupersType.isNull()) { 791 // Super always means the type of immediate predecessor to the method 792 // where the call occurs. 793 ReceiverT = cast<ObjCObjectPointerType>(SupersType); 794 } else { 795 Receiver = getReceiverSVal().getAsRegion(); 796 if (!Receiver) 797 return RuntimeDefinition(); 798 799 DynamicTypeInfo DTI = getState()->getDynamicTypeInfo(Receiver); 800 QualType DynType = DTI.getType(); 801 CanBeSubClassed = DTI.canBeASubClass(); 802 ReceiverT = dyn_cast<ObjCObjectPointerType>(DynType); 803 804 if (ReceiverT && CanBeSubClassed) 805 if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterfaceDecl()) 806 if (!canBeOverridenInSubclass(IDecl, Sel)) 807 CanBeSubClassed = false; 808 } 809 810 // Lookup the method implementation. 811 if (ReceiverT) 812 if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterfaceDecl()) { 813 // Repeatedly calling lookupPrivateMethod() is expensive, especially 814 // when in many cases it returns null. We cache the results so 815 // that repeated queries on the same ObjCIntefaceDecl and Selector 816 // don't incur the same cost. On some test cases, we can see the 817 // same query being issued thousands of times. 818 // 819 // NOTE: This cache is essentially a "global" variable, but it 820 // only gets lazily created when we get here. The value of the 821 // cache probably comes from it being global across ExprEngines, 822 // where the same queries may get issued. If we are worried about 823 // concurrency, or possibly loading/unloading ASTs, etc., we may 824 // need to revisit this someday. In terms of memory, this table 825 // stays around until clang quits, which also may be bad if we 826 // need to release memory. 827 typedef std::pair<const ObjCInterfaceDecl*, Selector> 828 PrivateMethodKey; 829 typedef llvm::DenseMap<PrivateMethodKey, 830 Optional<const ObjCMethodDecl *> > 831 PrivateMethodCache; 832 833 static PrivateMethodCache PMC; 834 Optional<const ObjCMethodDecl *> &Val = PMC[std::make_pair(IDecl, Sel)]; 835 836 // Query lookupPrivateMethod() if the cache does not hit. 837 if (!Val.hasValue()) 838 Val = IDecl->lookupPrivateMethod(Sel); 839 840 const ObjCMethodDecl *MD = Val.getValue(); 841 if (CanBeSubClassed) 842 return RuntimeDefinition(MD, Receiver); 843 else 844 return RuntimeDefinition(MD, 0); 845 } 846 847 } else { 848 // This is a class method. 849 // If we have type info for the receiver class, we are calling via 850 // class name. 851 if (ObjCInterfaceDecl *IDecl = E->getReceiverInterface()) { 852 // Find/Return the method implementation. 853 return RuntimeDefinition(IDecl->lookupPrivateClassMethod(Sel)); 854 } 855 } 856 857 return RuntimeDefinition(); 858} 859 860void ObjCMethodCall::getInitialStackFrameContents( 861 const StackFrameContext *CalleeCtx, 862 BindingsTy &Bindings) const { 863 const ObjCMethodDecl *D = cast<ObjCMethodDecl>(CalleeCtx->getDecl()); 864 SValBuilder &SVB = getState()->getStateManager().getSValBuilder(); 865 addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this, 866 D->param_begin(), D->param_end()); 867 868 SVal SelfVal = getReceiverSVal(); 869 if (!SelfVal.isUnknown()) { 870 const VarDecl *SelfD = CalleeCtx->getAnalysisDeclContext()->getSelfDecl(); 871 MemRegionManager &MRMgr = SVB.getRegionManager(); 872 Loc SelfLoc = SVB.makeLoc(MRMgr.getVarRegion(SelfD, CalleeCtx)); 873 Bindings.push_back(std::make_pair(SelfLoc, SelfVal)); 874 } 875} 876 877CallEventRef<> 878CallEventManager::getSimpleCall(const CallExpr *CE, ProgramStateRef State, 879 const LocationContext *LCtx) { 880 if (const CXXMemberCallExpr *MCE = dyn_cast<CXXMemberCallExpr>(CE)) 881 return create<CXXMemberCall>(MCE, State, LCtx); 882 883 if (const CXXOperatorCallExpr *OpCE = dyn_cast<CXXOperatorCallExpr>(CE)) { 884 const FunctionDecl *DirectCallee = OpCE->getDirectCallee(); 885 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(DirectCallee)) 886 if (MD->isInstance()) 887 return create<CXXMemberOperatorCall>(OpCE, State, LCtx); 888 889 } else if (CE->getCallee()->getType()->isBlockPointerType()) { 890 return create<BlockCall>(CE, State, LCtx); 891 } 892 893 // Otherwise, it's a normal function call, static member function call, or 894 // something we can't reason about. 895 return create<FunctionCall>(CE, State, LCtx); 896} 897 898 899CallEventRef<> 900CallEventManager::getCaller(const StackFrameContext *CalleeCtx, 901 ProgramStateRef State) { 902 const LocationContext *ParentCtx = CalleeCtx->getParent(); 903 const LocationContext *CallerCtx = ParentCtx->getCurrentStackFrame(); 904 assert(CallerCtx && "This should not be used for top-level stack frames"); 905 906 const Stmt *CallSite = CalleeCtx->getCallSite(); 907 908 if (CallSite) { 909 if (const CallExpr *CE = dyn_cast<CallExpr>(CallSite)) 910 return getSimpleCall(CE, State, CallerCtx); 911 912 switch (CallSite->getStmtClass()) { 913 case Stmt::CXXConstructExprClass: 914 case Stmt::CXXTemporaryObjectExprClass: { 915 SValBuilder &SVB = State->getStateManager().getSValBuilder(); 916 const CXXMethodDecl *Ctor = cast<CXXMethodDecl>(CalleeCtx->getDecl()); 917 Loc ThisPtr = SVB.getCXXThis(Ctor, CalleeCtx); 918 SVal ThisVal = State->getSVal(ThisPtr); 919 920 return getCXXConstructorCall(cast<CXXConstructExpr>(CallSite), 921 ThisVal.getAsRegion(), State, CallerCtx); 922 } 923 case Stmt::CXXNewExprClass: 924 return getCXXAllocatorCall(cast<CXXNewExpr>(CallSite), State, CallerCtx); 925 case Stmt::ObjCMessageExprClass: 926 return getObjCMethodCall(cast<ObjCMessageExpr>(CallSite), 927 State, CallerCtx); 928 default: 929 llvm_unreachable("This is not an inlineable statement."); 930 } 931 } 932 933 // Fall back to the CFG. The only thing we haven't handled yet is 934 // destructors, though this could change in the future. 935 const CFGBlock *B = CalleeCtx->getCallSiteBlock(); 936 CFGElement E = (*B)[CalleeCtx->getIndex()]; 937 assert(E.getAs<CFGImplicitDtor>() && 938 "All other CFG elements should have exprs"); 939 assert(!E.getAs<CFGTemporaryDtor>() && "We don't handle temporaries yet"); 940 941 SValBuilder &SVB = State->getStateManager().getSValBuilder(); 942 const CXXDestructorDecl *Dtor = cast<CXXDestructorDecl>(CalleeCtx->getDecl()); 943 Loc ThisPtr = SVB.getCXXThis(Dtor, CalleeCtx); 944 SVal ThisVal = State->getSVal(ThisPtr); 945 946 const Stmt *Trigger; 947 if (Optional<CFGAutomaticObjDtor> AutoDtor = E.getAs<CFGAutomaticObjDtor>()) 948 Trigger = AutoDtor->getTriggerStmt(); 949 else 950 Trigger = Dtor->getBody(); 951 952 return getCXXDestructorCall(Dtor, Trigger, ThisVal.getAsRegion(), 953 E.getAs<CFGBaseDtor>().hasValue(), State, 954 CallerCtx); 955} 956