1*5ffd83dbSDimitry Andric //===-- STLAlgorithmModeling.cpp -----------------------------------*- C++ -*--//
2*5ffd83dbSDimitry Andric //
3*5ffd83dbSDimitry Andric // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4*5ffd83dbSDimitry Andric // See https://llvm.org/LICENSE.txt for license information.
5*5ffd83dbSDimitry Andric // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6*5ffd83dbSDimitry Andric //
7*5ffd83dbSDimitry Andric //===----------------------------------------------------------------------===//
8*5ffd83dbSDimitry Andric //
9*5ffd83dbSDimitry Andric // Models STL algorithms.
10*5ffd83dbSDimitry Andric //
11*5ffd83dbSDimitry Andric //===----------------------------------------------------------------------===//
12*5ffd83dbSDimitry Andric
13*5ffd83dbSDimitry Andric #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
14*5ffd83dbSDimitry Andric #include "clang/StaticAnalyzer/Core/Checker.h"
15*5ffd83dbSDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
16*5ffd83dbSDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
17*5ffd83dbSDimitry Andric
18*5ffd83dbSDimitry Andric #include "Iterator.h"
19*5ffd83dbSDimitry Andric
20*5ffd83dbSDimitry Andric using namespace clang;
21*5ffd83dbSDimitry Andric using namespace ento;
22*5ffd83dbSDimitry Andric using namespace iterator;
23*5ffd83dbSDimitry Andric
24*5ffd83dbSDimitry Andric namespace {
25*5ffd83dbSDimitry Andric
26*5ffd83dbSDimitry Andric class STLAlgorithmModeling : public Checker<eval::Call> {
27*5ffd83dbSDimitry Andric bool evalFind(CheckerContext &C, const CallExpr *CE) const;
28*5ffd83dbSDimitry Andric
29*5ffd83dbSDimitry Andric void Find(CheckerContext &C, const CallExpr *CE, unsigned paramNum) const;
30*5ffd83dbSDimitry Andric
31*5ffd83dbSDimitry Andric using FnCheck = bool (STLAlgorithmModeling::*)(CheckerContext &,
32*5ffd83dbSDimitry Andric const CallExpr *) const;
33*5ffd83dbSDimitry Andric
34*5ffd83dbSDimitry Andric const CallDescriptionMap<FnCheck> Callbacks = {
35*5ffd83dbSDimitry Andric {{{"std", "find"}, 3}, &STLAlgorithmModeling::evalFind},
36*5ffd83dbSDimitry Andric {{{"std", "find"}, 4}, &STLAlgorithmModeling::evalFind},
37*5ffd83dbSDimitry Andric {{{"std", "find_if"}, 3}, &STLAlgorithmModeling::evalFind},
38*5ffd83dbSDimitry Andric {{{"std", "find_if"}, 4}, &STLAlgorithmModeling::evalFind},
39*5ffd83dbSDimitry Andric {{{"std", "find_if_not"}, 3}, &STLAlgorithmModeling::evalFind},
40*5ffd83dbSDimitry Andric {{{"std", "find_if_not"}, 4}, &STLAlgorithmModeling::evalFind},
41*5ffd83dbSDimitry Andric {{{"std", "find_first_of"}, 4}, &STLAlgorithmModeling::evalFind},
42*5ffd83dbSDimitry Andric {{{"std", "find_first_of"}, 5}, &STLAlgorithmModeling::evalFind},
43*5ffd83dbSDimitry Andric {{{"std", "find_first_of"}, 6}, &STLAlgorithmModeling::evalFind},
44*5ffd83dbSDimitry Andric {{{"std", "find_end"}, 4}, &STLAlgorithmModeling::evalFind},
45*5ffd83dbSDimitry Andric {{{"std", "find_end"}, 5}, &STLAlgorithmModeling::evalFind},
46*5ffd83dbSDimitry Andric {{{"std", "find_end"}, 6}, &STLAlgorithmModeling::evalFind},
47*5ffd83dbSDimitry Andric {{{"std", "lower_bound"}, 3}, &STLAlgorithmModeling::evalFind},
48*5ffd83dbSDimitry Andric {{{"std", "lower_bound"}, 4}, &STLAlgorithmModeling::evalFind},
49*5ffd83dbSDimitry Andric {{{"std", "upper_bound"}, 3}, &STLAlgorithmModeling::evalFind},
50*5ffd83dbSDimitry Andric {{{"std", "upper_bound"}, 4}, &STLAlgorithmModeling::evalFind},
51*5ffd83dbSDimitry Andric {{{"std", "search"}, 3}, &STLAlgorithmModeling::evalFind},
52*5ffd83dbSDimitry Andric {{{"std", "search"}, 4}, &STLAlgorithmModeling::evalFind},
53*5ffd83dbSDimitry Andric {{{"std", "search"}, 5}, &STLAlgorithmModeling::evalFind},
54*5ffd83dbSDimitry Andric {{{"std", "search"}, 6}, &STLAlgorithmModeling::evalFind},
55*5ffd83dbSDimitry Andric {{{"std", "search_n"}, 4}, &STLAlgorithmModeling::evalFind},
56*5ffd83dbSDimitry Andric {{{"std", "search_n"}, 5}, &STLAlgorithmModeling::evalFind},
57*5ffd83dbSDimitry Andric {{{"std", "search_n"}, 6}, &STLAlgorithmModeling::evalFind},
58*5ffd83dbSDimitry Andric };
59*5ffd83dbSDimitry Andric
60*5ffd83dbSDimitry Andric public:
61*5ffd83dbSDimitry Andric STLAlgorithmModeling() = default;
62*5ffd83dbSDimitry Andric
63*5ffd83dbSDimitry Andric bool AggressiveStdFindModeling;
64*5ffd83dbSDimitry Andric
65*5ffd83dbSDimitry Andric bool evalCall(const CallEvent &Call, CheckerContext &C) const;
66*5ffd83dbSDimitry Andric }; //
67*5ffd83dbSDimitry Andric
evalCall(const CallEvent & Call,CheckerContext & C) const68*5ffd83dbSDimitry Andric bool STLAlgorithmModeling::evalCall(const CallEvent &Call,
69*5ffd83dbSDimitry Andric CheckerContext &C) const {
70*5ffd83dbSDimitry Andric const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
71*5ffd83dbSDimitry Andric if (!CE)
72*5ffd83dbSDimitry Andric return false;
73*5ffd83dbSDimitry Andric
74*5ffd83dbSDimitry Andric const FnCheck *Handler = Callbacks.lookup(Call);
75*5ffd83dbSDimitry Andric if (!Handler)
76*5ffd83dbSDimitry Andric return false;
77*5ffd83dbSDimitry Andric
78*5ffd83dbSDimitry Andric return (this->**Handler)(C, CE);
79*5ffd83dbSDimitry Andric }
80*5ffd83dbSDimitry Andric
evalFind(CheckerContext & C,const CallExpr * CE) const81*5ffd83dbSDimitry Andric bool STLAlgorithmModeling::evalFind(CheckerContext &C,
82*5ffd83dbSDimitry Andric const CallExpr *CE) const {
83*5ffd83dbSDimitry Andric // std::find()-like functions either take their primary range in the first
84*5ffd83dbSDimitry Andric // two parameters, or if the first parameter is "execution policy" then in
85*5ffd83dbSDimitry Andric // the second and third. This means that the second parameter must always be
86*5ffd83dbSDimitry Andric // an iterator.
87*5ffd83dbSDimitry Andric if (!isIteratorType(CE->getArg(1)->getType()))
88*5ffd83dbSDimitry Andric return false;
89*5ffd83dbSDimitry Andric
90*5ffd83dbSDimitry Andric // If no "execution policy" parameter is used then the first argument is the
91*5ffd83dbSDimitry Andric // beginning of the range.
92*5ffd83dbSDimitry Andric if (isIteratorType(CE->getArg(0)->getType())) {
93*5ffd83dbSDimitry Andric Find(C, CE, 0);
94*5ffd83dbSDimitry Andric return true;
95*5ffd83dbSDimitry Andric }
96*5ffd83dbSDimitry Andric
97*5ffd83dbSDimitry Andric // If "execution policy" parameter is used then the second argument is the
98*5ffd83dbSDimitry Andric // beginning of the range.
99*5ffd83dbSDimitry Andric if (isIteratorType(CE->getArg(2)->getType())) {
100*5ffd83dbSDimitry Andric Find(C, CE, 1);
101*5ffd83dbSDimitry Andric return true;
102*5ffd83dbSDimitry Andric }
103*5ffd83dbSDimitry Andric
104*5ffd83dbSDimitry Andric return false;
105*5ffd83dbSDimitry Andric }
106*5ffd83dbSDimitry Andric
Find(CheckerContext & C,const CallExpr * CE,unsigned paramNum) const107*5ffd83dbSDimitry Andric void STLAlgorithmModeling::Find(CheckerContext &C, const CallExpr *CE,
108*5ffd83dbSDimitry Andric unsigned paramNum) const {
109*5ffd83dbSDimitry Andric auto State = C.getState();
110*5ffd83dbSDimitry Andric auto &SVB = C.getSValBuilder();
111*5ffd83dbSDimitry Andric const auto *LCtx = C.getLocationContext();
112*5ffd83dbSDimitry Andric
113*5ffd83dbSDimitry Andric SVal RetVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
114*5ffd83dbSDimitry Andric SVal Param = State->getSVal(CE->getArg(paramNum), LCtx);
115*5ffd83dbSDimitry Andric
116*5ffd83dbSDimitry Andric auto StateFound = State->BindExpr(CE, LCtx, RetVal);
117*5ffd83dbSDimitry Andric
118*5ffd83dbSDimitry Andric // If we have an iterator position for the range-begin argument then we can
119*5ffd83dbSDimitry Andric // assume that in case of successful search the position of the found element
120*5ffd83dbSDimitry Andric // is not ahead of it.
121*5ffd83dbSDimitry Andric // FIXME: Reverse iterators
122*5ffd83dbSDimitry Andric const auto *Pos = getIteratorPosition(State, Param);
123*5ffd83dbSDimitry Andric if (Pos) {
124*5ffd83dbSDimitry Andric StateFound = createIteratorPosition(StateFound, RetVal, Pos->getContainer(),
125*5ffd83dbSDimitry Andric CE, LCtx, C.blockCount());
126*5ffd83dbSDimitry Andric const auto *NewPos = getIteratorPosition(StateFound, RetVal);
127*5ffd83dbSDimitry Andric assert(NewPos && "Failed to create new iterator position.");
128*5ffd83dbSDimitry Andric
129*5ffd83dbSDimitry Andric SVal GreaterOrEqual = SVB.evalBinOp(StateFound, BO_GE,
130*5ffd83dbSDimitry Andric nonloc::SymbolVal(NewPos->getOffset()),
131*5ffd83dbSDimitry Andric nonloc::SymbolVal(Pos->getOffset()),
132*5ffd83dbSDimitry Andric SVB.getConditionType());
133*5ffd83dbSDimitry Andric assert(GreaterOrEqual.getAs<DefinedSVal>() &&
134*5ffd83dbSDimitry Andric "Symbol comparison must be a `DefinedSVal`");
135*5ffd83dbSDimitry Andric StateFound = StateFound->assume(GreaterOrEqual.castAs<DefinedSVal>(), true);
136*5ffd83dbSDimitry Andric }
137*5ffd83dbSDimitry Andric
138*5ffd83dbSDimitry Andric Param = State->getSVal(CE->getArg(paramNum + 1), LCtx);
139*5ffd83dbSDimitry Andric
140*5ffd83dbSDimitry Andric // If we have an iterator position for the range-end argument then we can
141*5ffd83dbSDimitry Andric // assume that in case of successful search the position of the found element
142*5ffd83dbSDimitry Andric // is ahead of it.
143*5ffd83dbSDimitry Andric // FIXME: Reverse iterators
144*5ffd83dbSDimitry Andric Pos = getIteratorPosition(State, Param);
145*5ffd83dbSDimitry Andric if (Pos) {
146*5ffd83dbSDimitry Andric StateFound = createIteratorPosition(StateFound, RetVal, Pos->getContainer(),
147*5ffd83dbSDimitry Andric CE, LCtx, C.blockCount());
148*5ffd83dbSDimitry Andric const auto *NewPos = getIteratorPosition(StateFound, RetVal);
149*5ffd83dbSDimitry Andric assert(NewPos && "Failed to create new iterator position.");
150*5ffd83dbSDimitry Andric
151*5ffd83dbSDimitry Andric SVal Less = SVB.evalBinOp(StateFound, BO_LT,
152*5ffd83dbSDimitry Andric nonloc::SymbolVal(NewPos->getOffset()),
153*5ffd83dbSDimitry Andric nonloc::SymbolVal(Pos->getOffset()),
154*5ffd83dbSDimitry Andric SVB.getConditionType());
155*5ffd83dbSDimitry Andric assert(Less.getAs<DefinedSVal>() &&
156*5ffd83dbSDimitry Andric "Symbol comparison must be a `DefinedSVal`");
157*5ffd83dbSDimitry Andric StateFound = StateFound->assume(Less.castAs<DefinedSVal>(), true);
158*5ffd83dbSDimitry Andric }
159*5ffd83dbSDimitry Andric
160*5ffd83dbSDimitry Andric C.addTransition(StateFound);
161*5ffd83dbSDimitry Andric
162*5ffd83dbSDimitry Andric if (AggressiveStdFindModeling) {
163*5ffd83dbSDimitry Andric auto StateNotFound = State->BindExpr(CE, LCtx, Param);
164*5ffd83dbSDimitry Andric C.addTransition(StateNotFound);
165*5ffd83dbSDimitry Andric }
166*5ffd83dbSDimitry Andric }
167*5ffd83dbSDimitry Andric
168*5ffd83dbSDimitry Andric } // namespace
169*5ffd83dbSDimitry Andric
registerSTLAlgorithmModeling(CheckerManager & Mgr)170*5ffd83dbSDimitry Andric void ento::registerSTLAlgorithmModeling(CheckerManager &Mgr) {
171*5ffd83dbSDimitry Andric auto *Checker = Mgr.registerChecker<STLAlgorithmModeling>();
172*5ffd83dbSDimitry Andric Checker->AggressiveStdFindModeling =
173*5ffd83dbSDimitry Andric Mgr.getAnalyzerOptions().getCheckerBooleanOption(Checker,
174*5ffd83dbSDimitry Andric "AggressiveStdFindModeling");
175*5ffd83dbSDimitry Andric }
176*5ffd83dbSDimitry Andric
shouldRegisterSTLAlgorithmModeling(const CheckerManager & mgr)177*5ffd83dbSDimitry Andric bool ento::shouldRegisterSTLAlgorithmModeling(const CheckerManager &mgr) {
178*5ffd83dbSDimitry Andric return true;
179*5ffd83dbSDimitry Andric }
180*5ffd83dbSDimitry Andric
181