1 //===-- UncheckedOptionalAccessModel.cpp ------------------------*- C++ -*-===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file defines a dataflow analysis that detects unsafe uses of optional 10 // values. 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "clang/Analysis/FlowSensitive/Models/UncheckedOptionalAccessModel.h" 15 #include "clang/AST/ASTContext.h" 16 #include "clang/AST/DeclCXX.h" 17 #include "clang/AST/Expr.h" 18 #include "clang/AST/ExprCXX.h" 19 #include "clang/AST/Stmt.h" 20 #include "clang/ASTMatchers/ASTMatchers.h" 21 #include "clang/Analysis/FlowSensitive/DataflowEnvironment.h" 22 #include "clang/Analysis/FlowSensitive/MatchSwitch.h" 23 #include "clang/Analysis/FlowSensitive/SourceLocationsLattice.h" 24 #include "clang/Analysis/FlowSensitive/Value.h" 25 #include "llvm/ADT/StringRef.h" 26 #include "llvm/Support/Casting.h" 27 #include <cassert> 28 #include <memory> 29 #include <utility> 30 31 namespace clang { 32 namespace dataflow { 33 namespace { 34 35 using namespace ::clang::ast_matchers; 36 using LatticeTransferState = TransferState<SourceLocationsLattice>; 37 38 DeclarationMatcher optionalClass() { 39 return classTemplateSpecializationDecl( 40 anyOf(hasName("std::optional"), hasName("std::__optional_storage_base"), 41 hasName("__optional_destruct_base"), hasName("absl::optional"), 42 hasName("base::Optional")), 43 hasTemplateArgument(0, refersToType(type().bind("T")))); 44 } 45 46 auto optionalOrAliasType() { 47 return hasUnqualifiedDesugaredType( 48 recordType(hasDeclaration(optionalClass()))); 49 } 50 51 /// Matches any of the spellings of the optional types and sugar, aliases, etc. 52 auto hasOptionalType() { return hasType(optionalOrAliasType()); } 53 54 auto isOptionalMemberCallWithName( 55 llvm::StringRef MemberName, 56 llvm::Optional<StatementMatcher> Ignorable = llvm::None) { 57 auto Exception = unless(Ignorable ? expr(anyOf(*Ignorable, cxxThisExpr())) 58 : cxxThisExpr()); 59 return cxxMemberCallExpr( 60 on(expr(Exception)), 61 callee(cxxMethodDecl(hasName(MemberName), ofClass(optionalClass())))); 62 } 63 64 auto isOptionalOperatorCallWithName( 65 llvm::StringRef operator_name, 66 llvm::Optional<StatementMatcher> Ignorable = llvm::None) { 67 return cxxOperatorCallExpr( 68 hasOverloadedOperatorName(operator_name), 69 callee(cxxMethodDecl(ofClass(optionalClass()))), 70 Ignorable ? callExpr(unless(hasArgument(0, *Ignorable))) : callExpr()); 71 } 72 73 auto isMakeOptionalCall() { 74 return callExpr( 75 callee(functionDecl(hasAnyName( 76 "std::make_optional", "base::make_optional", "absl::make_optional"))), 77 hasOptionalType()); 78 } 79 80 auto hasNulloptType() { 81 return hasType(namedDecl( 82 hasAnyName("std::nullopt_t", "absl::nullopt_t", "base::nullopt_t"))); 83 } 84 85 auto inPlaceClass() { 86 return recordDecl( 87 hasAnyName("std::in_place_t", "absl::in_place_t", "base::in_place_t")); 88 } 89 90 auto isOptionalNulloptConstructor() { 91 return cxxConstructExpr(hasOptionalType(), argumentCountIs(1), 92 hasArgument(0, hasNulloptType())); 93 } 94 95 auto isOptionalInPlaceConstructor() { 96 return cxxConstructExpr(hasOptionalType(), 97 hasArgument(0, hasType(inPlaceClass()))); 98 } 99 100 auto isOptionalValueOrConversionConstructor() { 101 return cxxConstructExpr( 102 hasOptionalType(), 103 unless(hasDeclaration( 104 cxxConstructorDecl(anyOf(isCopyConstructor(), isMoveConstructor())))), 105 argumentCountIs(1), hasArgument(0, unless(hasNulloptType()))); 106 } 107 108 auto isOptionalValueOrConversionAssignment() { 109 return cxxOperatorCallExpr( 110 hasOverloadedOperatorName("="), 111 callee(cxxMethodDecl(ofClass(optionalClass()))), 112 unless(hasDeclaration(cxxMethodDecl( 113 anyOf(isCopyAssignmentOperator(), isMoveAssignmentOperator())))), 114 argumentCountIs(2), hasArgument(1, unless(hasNulloptType()))); 115 } 116 117 auto isOptionalNulloptAssignment() { 118 return cxxOperatorCallExpr(hasOverloadedOperatorName("="), 119 callee(cxxMethodDecl(ofClass(optionalClass()))), 120 argumentCountIs(2), 121 hasArgument(1, hasNulloptType())); 122 } 123 124 auto isStdSwapCall() { 125 return callExpr(callee(functionDecl(hasName("std::swap"))), 126 argumentCountIs(2), hasArgument(0, hasOptionalType()), 127 hasArgument(1, hasOptionalType())); 128 } 129 130 constexpr llvm::StringLiteral ValueOrCallID = "ValueOrCall"; 131 132 auto isValueOrStringEmptyCall() { 133 // `opt.value_or("").empty()` 134 return cxxMemberCallExpr( 135 callee(cxxMethodDecl(hasName("empty"))), 136 onImplicitObjectArgument(ignoringImplicit( 137 cxxMemberCallExpr(on(expr(unless(cxxThisExpr()))), 138 callee(cxxMethodDecl(hasName("value_or"), 139 ofClass(optionalClass()))), 140 hasArgument(0, stringLiteral(hasSize(0)))) 141 .bind(ValueOrCallID)))); 142 } 143 144 auto isValueOrNotEqX() { 145 auto ComparesToSame = [](ast_matchers::internal::Matcher<Stmt> Arg) { 146 return hasOperands( 147 ignoringImplicit( 148 cxxMemberCallExpr(on(expr(unless(cxxThisExpr()))), 149 callee(cxxMethodDecl(hasName("value_or"), 150 ofClass(optionalClass()))), 151 hasArgument(0, Arg)) 152 .bind(ValueOrCallID)), 153 ignoringImplicit(Arg)); 154 }; 155 156 // `opt.value_or(X) != X`, for X is `nullptr`, `""`, or `0`. Ideally, we'd 157 // support this pattern for any expression, but the AST does not have a 158 // generic expression comparison facility, so we specialize to common cases 159 // seen in practice. FIXME: define a matcher that compares values across 160 // nodes, which would let us generalize this to any `X`. 161 return binaryOperation(hasOperatorName("!="), 162 anyOf(ComparesToSame(cxxNullPtrLiteralExpr()), 163 ComparesToSame(stringLiteral(hasSize(0))), 164 ComparesToSame(integerLiteral(equals(0))))); 165 } 166 167 auto isCallReturningOptional() { 168 return callExpr(hasType(qualType(anyOf( 169 optionalOrAliasType(), referenceType(pointee(optionalOrAliasType())))))); 170 } 171 172 /// Sets `HasValueVal` as the symbolic value that represents the "has_value" 173 /// property of the optional value `OptionalVal`. 174 void setHasValue(Value &OptionalVal, BoolValue &HasValueVal) { 175 OptionalVal.setProperty("has_value", HasValueVal); 176 } 177 178 /// Creates a symbolic value for an `optional` value using `HasValueVal` as the 179 /// symbolic value of its "has_value" property. 180 StructValue &createOptionalValue(Environment &Env, BoolValue &HasValueVal) { 181 auto OptionalVal = std::make_unique<StructValue>(); 182 setHasValue(*OptionalVal, HasValueVal); 183 return Env.takeOwnership(std::move(OptionalVal)); 184 } 185 186 /// Returns the symbolic value that represents the "has_value" property of the 187 /// optional value `OptionalVal`. Returns null if `OptionalVal` is null. 188 BoolValue *getHasValue(Environment &Env, Value *OptionalVal) { 189 if (OptionalVal != nullptr) { 190 auto *HasValueVal = 191 cast_or_null<BoolValue>(OptionalVal->getProperty("has_value")); 192 if (HasValueVal == nullptr) { 193 HasValueVal = &Env.makeAtomicBoolValue(); 194 OptionalVal->setProperty("has_value", *HasValueVal); 195 } 196 return HasValueVal; 197 } 198 return nullptr; 199 } 200 201 /// If `Type` is a reference type, returns the type of its pointee. Otherwise, 202 /// returns `Type` itself. 203 QualType stripReference(QualType Type) { 204 return Type->isReferenceType() ? Type->getPointeeType() : Type; 205 } 206 207 /// Returns true if and only if `Type` is an optional type. 208 bool IsOptionalType(QualType Type) { 209 if (!Type->isRecordType()) 210 return false; 211 // FIXME: Optimize this by avoiding the `getQualifiedNameAsString` call. 212 auto TypeName = Type->getAsCXXRecordDecl()->getQualifiedNameAsString(); 213 return TypeName == "std::optional" || TypeName == "absl::optional" || 214 TypeName == "base::Optional"; 215 } 216 217 /// Returns the number of optional wrappers in `Type`. 218 /// 219 /// For example, if `Type` is `optional<optional<int>>`, the result of this 220 /// function will be 2. 221 int countOptionalWrappers(const ASTContext &ASTCtx, QualType Type) { 222 if (!IsOptionalType(Type)) 223 return 0; 224 return 1 + countOptionalWrappers( 225 ASTCtx, 226 cast<ClassTemplateSpecializationDecl>(Type->getAsRecordDecl()) 227 ->getTemplateArgs() 228 .get(0) 229 .getAsType() 230 .getDesugaredType(ASTCtx)); 231 } 232 233 /// Tries to initialize the `optional`'s value (that is, contents), and return 234 /// its location. Returns nullptr if the value can't be represented. 235 StorageLocation *maybeInitializeOptionalValueMember(QualType Q, 236 Value &OptionalVal, 237 Environment &Env) { 238 // The "value" property represents a synthetic field. As such, it needs 239 // `StorageLocation`, like normal fields (and other variables). So, we model 240 // it with a `ReferenceValue`, since that includes a storage location. Once 241 // the property is set, it will be shared by all environments that access the 242 // `Value` representing the optional (here, `OptionalVal`). 243 if (auto *ValueProp = OptionalVal.getProperty("value")) { 244 auto *ValueRef = clang::cast<ReferenceValue>(ValueProp); 245 auto &ValueLoc = ValueRef->getReferentLoc(); 246 if (Env.getValue(ValueLoc) == nullptr) { 247 // The property was previously set, but the value has been lost. This can 248 // happen, for example, because of an environment merge (where the two 249 // environments mapped the property to different values, which resulted in 250 // them both being discarded), or when two blocks in the CFG, with neither 251 // a dominator of the other, visit the same optional value, or even when a 252 // block is revisited during testing to collect per-statement state. 253 // FIXME: This situation means that the optional contents are not shared 254 // between branches and the like. Practically, this lack of sharing 255 // reduces the precision of the model when the contents are relevant to 256 // the check, like another optional or a boolean that influences control 257 // flow. 258 auto *ValueVal = Env.createValue(ValueLoc.getType()); 259 if (ValueVal == nullptr) 260 return nullptr; 261 Env.setValue(ValueLoc, *ValueVal); 262 } 263 return &ValueLoc; 264 } 265 266 auto Ty = stripReference(Q); 267 auto *ValueVal = Env.createValue(Ty); 268 if (ValueVal == nullptr) 269 return nullptr; 270 auto &ValueLoc = Env.createStorageLocation(Ty); 271 Env.setValue(ValueLoc, *ValueVal); 272 auto ValueRef = std::make_unique<ReferenceValue>(ValueLoc); 273 OptionalVal.setProperty("value", Env.takeOwnership(std::move(ValueRef))); 274 return &ValueLoc; 275 } 276 277 void initializeOptionalReference(const Expr *OptionalExpr, 278 const MatchFinder::MatchResult &, 279 LatticeTransferState &State) { 280 if (auto *OptionalVal = 281 State.Env.getValue(*OptionalExpr, SkipPast::Reference)) { 282 if (OptionalVal->getProperty("has_value") == nullptr) { 283 setHasValue(*OptionalVal, State.Env.makeAtomicBoolValue()); 284 } 285 } 286 } 287 288 /// Returns true if and only if `OptionalVal` is initialized and known to be 289 /// empty in `Env. 290 bool isEmptyOptional(const Value &OptionalVal, const Environment &Env) { 291 auto *HasValueVal = 292 cast_or_null<BoolValue>(OptionalVal.getProperty("has_value")); 293 return HasValueVal != nullptr && 294 Env.flowConditionImplies(Env.makeNot(*HasValueVal)); 295 } 296 297 /// Returns true if and only if `OptionalVal` is initialized and known to be 298 /// non-empty in `Env. 299 bool isNonEmptyOptional(const Value &OptionalVal, const Environment &Env) { 300 auto *HasValueVal = 301 cast_or_null<BoolValue>(OptionalVal.getProperty("has_value")); 302 return HasValueVal != nullptr && Env.flowConditionImplies(*HasValueVal); 303 } 304 305 void transferUnwrapCall(const Expr *UnwrapExpr, const Expr *ObjectExpr, 306 LatticeTransferState &State) { 307 if (auto *OptionalVal = 308 State.Env.getValue(*ObjectExpr, SkipPast::ReferenceThenPointer)) { 309 if (State.Env.getStorageLocation(*UnwrapExpr, SkipPast::None) == nullptr) 310 if (auto *Loc = maybeInitializeOptionalValueMember( 311 UnwrapExpr->getType(), *OptionalVal, State.Env)) 312 State.Env.setStorageLocation(*UnwrapExpr, *Loc); 313 314 auto *Prop = OptionalVal->getProperty("has_value"); 315 if (auto *HasValueVal = cast_or_null<BoolValue>(Prop)) { 316 if (State.Env.flowConditionImplies(*HasValueVal)) 317 return; 318 } 319 } 320 321 // Record that this unwrap is *not* provably safe. 322 // FIXME: include either the name of the optional (if applicable) or a source 323 // range of the access for easier interpretation of the result. 324 State.Lattice.getSourceLocations().insert(ObjectExpr->getBeginLoc()); 325 } 326 327 void transferMakeOptionalCall(const CallExpr *E, 328 const MatchFinder::MatchResult &, 329 LatticeTransferState &State) { 330 auto &Loc = State.Env.createStorageLocation(*E); 331 State.Env.setStorageLocation(*E, Loc); 332 State.Env.setValue( 333 Loc, createOptionalValue(State.Env, State.Env.getBoolLiteralValue(true))); 334 } 335 336 void transferOptionalHasValueCall(const CXXMemberCallExpr *CallExpr, 337 const MatchFinder::MatchResult &, 338 LatticeTransferState &State) { 339 if (auto *HasValueVal = getHasValue( 340 State.Env, State.Env.getValue(*CallExpr->getImplicitObjectArgument(), 341 SkipPast::ReferenceThenPointer))) { 342 auto &CallExprLoc = State.Env.createStorageLocation(*CallExpr); 343 State.Env.setValue(CallExprLoc, *HasValueVal); 344 State.Env.setStorageLocation(*CallExpr, CallExprLoc); 345 } 346 } 347 348 /// `ModelPred` builds a logical formula relating the predicate in 349 /// `ValueOrPredExpr` to the optional's `has_value` property. 350 void transferValueOrImpl(const clang::Expr *ValueOrPredExpr, 351 const MatchFinder::MatchResult &Result, 352 LatticeTransferState &State, 353 BoolValue &(*ModelPred)(Environment &Env, 354 BoolValue &ExprVal, 355 BoolValue &HasValueVal)) { 356 auto &Env = State.Env; 357 358 const auto *ObjectArgumentExpr = 359 Result.Nodes.getNodeAs<clang::CXXMemberCallExpr>(ValueOrCallID) 360 ->getImplicitObjectArgument(); 361 362 auto *HasValueVal = getHasValue( 363 State.Env, 364 State.Env.getValue(*ObjectArgumentExpr, SkipPast::ReferenceThenPointer)); 365 if (HasValueVal == nullptr) 366 return; 367 368 auto *ExprValue = cast_or_null<BoolValue>( 369 State.Env.getValue(*ValueOrPredExpr, SkipPast::None)); 370 if (ExprValue == nullptr) { 371 auto &ExprLoc = State.Env.createStorageLocation(*ValueOrPredExpr); 372 ExprValue = &State.Env.makeAtomicBoolValue(); 373 State.Env.setValue(ExprLoc, *ExprValue); 374 State.Env.setStorageLocation(*ValueOrPredExpr, ExprLoc); 375 } 376 377 Env.addToFlowCondition(ModelPred(Env, *ExprValue, *HasValueVal)); 378 } 379 380 void transferValueOrStringEmptyCall(const clang::Expr *ComparisonExpr, 381 const MatchFinder::MatchResult &Result, 382 LatticeTransferState &State) { 383 return transferValueOrImpl(ComparisonExpr, Result, State, 384 [](Environment &Env, BoolValue &ExprVal, 385 BoolValue &HasValueVal) -> BoolValue & { 386 // If the result is *not* empty, then we know the 387 // optional must have been holding a value. If 388 // `ExprVal` is true, though, we don't learn 389 // anything definite about `has_value`, so we 390 // don't add any corresponding implications to 391 // the flow condition. 392 return Env.makeImplication(Env.makeNot(ExprVal), 393 HasValueVal); 394 }); 395 } 396 397 void transferValueOrNotEqX(const Expr *ComparisonExpr, 398 const MatchFinder::MatchResult &Result, 399 LatticeTransferState &State) { 400 transferValueOrImpl(ComparisonExpr, Result, State, 401 [](Environment &Env, BoolValue &ExprVal, 402 BoolValue &HasValueVal) -> BoolValue & { 403 // We know that if `(opt.value_or(X) != X)` then 404 // `opt.hasValue()`, even without knowing further 405 // details about the contents of `opt`. 406 return Env.makeImplication(ExprVal, HasValueVal); 407 }); 408 } 409 410 void transferCallReturningOptional(const CallExpr *E, 411 const MatchFinder::MatchResult &Result, 412 LatticeTransferState &State) { 413 if (State.Env.getStorageLocation(*E, SkipPast::None) != nullptr) 414 return; 415 416 auto &Loc = State.Env.createStorageLocation(*E); 417 State.Env.setStorageLocation(*E, Loc); 418 State.Env.setValue( 419 Loc, createOptionalValue(State.Env, State.Env.makeAtomicBoolValue())); 420 } 421 422 void assignOptionalValue(const Expr &E, LatticeTransferState &State, 423 BoolValue &HasValueVal) { 424 if (auto *OptionalLoc = 425 State.Env.getStorageLocation(E, SkipPast::ReferenceThenPointer)) { 426 State.Env.setValue(*OptionalLoc, 427 createOptionalValue(State.Env, HasValueVal)); 428 } 429 } 430 431 /// Returns a symbolic value for the "has_value" property of an `optional<T>` 432 /// value that is constructed/assigned from a value of type `U` or `optional<U>` 433 /// where `T` is constructible from `U`. 434 BoolValue &value_orConversionHasValue(const FunctionDecl &F, const Expr &E, 435 const MatchFinder::MatchResult &MatchRes, 436 LatticeTransferState &State) { 437 assert(F.getTemplateSpecializationArgs()->size() > 0); 438 439 const int TemplateParamOptionalWrappersCount = countOptionalWrappers( 440 *MatchRes.Context, 441 stripReference(F.getTemplateSpecializationArgs()->get(0).getAsType())); 442 const int ArgTypeOptionalWrappersCount = 443 countOptionalWrappers(*MatchRes.Context, stripReference(E.getType())); 444 445 // Check if this is a constructor/assignment call for `optional<T>` with 446 // argument of type `U` such that `T` is constructible from `U`. 447 if (TemplateParamOptionalWrappersCount == ArgTypeOptionalWrappersCount) 448 return State.Env.getBoolLiteralValue(true); 449 450 // This is a constructor/assignment call for `optional<T>` with argument of 451 // type `optional<U>` such that `T` is constructible from `U`. 452 if (auto *HasValueVal = 453 getHasValue(State.Env, State.Env.getValue(E, SkipPast::Reference))) 454 return *HasValueVal; 455 return State.Env.makeAtomicBoolValue(); 456 } 457 458 void transferValueOrConversionConstructor( 459 const CXXConstructExpr *E, const MatchFinder::MatchResult &MatchRes, 460 LatticeTransferState &State) { 461 assert(E->getNumArgs() > 0); 462 463 assignOptionalValue(*E, State, 464 value_orConversionHasValue(*E->getConstructor(), 465 *E->getArg(0), MatchRes, 466 State)); 467 } 468 469 void transferAssignment(const CXXOperatorCallExpr *E, BoolValue &HasValueVal, 470 LatticeTransferState &State) { 471 assert(E->getNumArgs() > 0); 472 473 auto *OptionalLoc = 474 State.Env.getStorageLocation(*E->getArg(0), SkipPast::Reference); 475 if (OptionalLoc == nullptr) 476 return; 477 478 State.Env.setValue(*OptionalLoc, createOptionalValue(State.Env, HasValueVal)); 479 480 // Assign a storage location for the whole expression. 481 State.Env.setStorageLocation(*E, *OptionalLoc); 482 } 483 484 void transferValueOrConversionAssignment( 485 const CXXOperatorCallExpr *E, const MatchFinder::MatchResult &MatchRes, 486 LatticeTransferState &State) { 487 assert(E->getNumArgs() > 1); 488 transferAssignment(E, 489 value_orConversionHasValue(*E->getDirectCallee(), 490 *E->getArg(1), MatchRes, State), 491 State); 492 } 493 494 void transferNulloptAssignment(const CXXOperatorCallExpr *E, 495 const MatchFinder::MatchResult &, 496 LatticeTransferState &State) { 497 transferAssignment(E, State.Env.getBoolLiteralValue(false), State); 498 } 499 500 void transferSwap(const StorageLocation &OptionalLoc1, 501 const StorageLocation &OptionalLoc2, 502 LatticeTransferState &State) { 503 auto *OptionalVal1 = State.Env.getValue(OptionalLoc1); 504 assert(OptionalVal1 != nullptr); 505 506 auto *OptionalVal2 = State.Env.getValue(OptionalLoc2); 507 assert(OptionalVal2 != nullptr); 508 509 State.Env.setValue(OptionalLoc1, *OptionalVal2); 510 State.Env.setValue(OptionalLoc2, *OptionalVal1); 511 } 512 513 void transferSwapCall(const CXXMemberCallExpr *E, 514 const MatchFinder::MatchResult &, 515 LatticeTransferState &State) { 516 assert(E->getNumArgs() == 1); 517 518 auto *OptionalLoc1 = State.Env.getStorageLocation( 519 *E->getImplicitObjectArgument(), SkipPast::ReferenceThenPointer); 520 assert(OptionalLoc1 != nullptr); 521 522 auto *OptionalLoc2 = 523 State.Env.getStorageLocation(*E->getArg(0), SkipPast::Reference); 524 assert(OptionalLoc2 != nullptr); 525 526 transferSwap(*OptionalLoc1, *OptionalLoc2, State); 527 } 528 529 void transferStdSwapCall(const CallExpr *E, const MatchFinder::MatchResult &, 530 LatticeTransferState &State) { 531 assert(E->getNumArgs() == 2); 532 533 auto *OptionalLoc1 = 534 State.Env.getStorageLocation(*E->getArg(0), SkipPast::Reference); 535 assert(OptionalLoc1 != nullptr); 536 537 auto *OptionalLoc2 = 538 State.Env.getStorageLocation(*E->getArg(1), SkipPast::Reference); 539 assert(OptionalLoc2 != nullptr); 540 541 transferSwap(*OptionalLoc1, *OptionalLoc2, State); 542 } 543 544 llvm::Optional<StatementMatcher> 545 ignorableOptional(const UncheckedOptionalAccessModelOptions &Options) { 546 if (Options.IgnoreSmartPointerDereference) 547 return memberExpr(hasObjectExpression(ignoringParenImpCasts( 548 cxxOperatorCallExpr(anyOf(hasOverloadedOperatorName("->"), 549 hasOverloadedOperatorName("*")), 550 unless(hasArgument(0, expr(hasOptionalType()))))))); 551 return llvm::None; 552 } 553 554 auto buildTransferMatchSwitch( 555 const UncheckedOptionalAccessModelOptions &Options) { 556 // FIXME: Evaluate the efficiency of matchers. If using matchers results in a 557 // lot of duplicated work (e.g. string comparisons), consider providing APIs 558 // that avoid it through memoization. 559 auto IgnorableOptional = ignorableOptional(Options); 560 return MatchSwitchBuilder<LatticeTransferState>() 561 // Attach a symbolic "has_value" state to optional values that we see for 562 // the first time. 563 .CaseOf<Expr>( 564 expr(anyOf(declRefExpr(), memberExpr()), hasOptionalType()), 565 initializeOptionalReference) 566 567 // make_optional 568 .CaseOf<CallExpr>(isMakeOptionalCall(), transferMakeOptionalCall) 569 570 // optional::optional 571 .CaseOf<CXXConstructExpr>( 572 isOptionalInPlaceConstructor(), 573 [](const CXXConstructExpr *E, const MatchFinder::MatchResult &, 574 LatticeTransferState &State) { 575 assignOptionalValue(*E, State, State.Env.getBoolLiteralValue(true)); 576 }) 577 .CaseOf<CXXConstructExpr>( 578 isOptionalNulloptConstructor(), 579 [](const CXXConstructExpr *E, const MatchFinder::MatchResult &, 580 LatticeTransferState &State) { 581 assignOptionalValue(*E, State, 582 State.Env.getBoolLiteralValue(false)); 583 }) 584 .CaseOf<CXXConstructExpr>(isOptionalValueOrConversionConstructor(), 585 transferValueOrConversionConstructor) 586 587 // optional::operator= 588 .CaseOf<CXXOperatorCallExpr>(isOptionalValueOrConversionAssignment(), 589 transferValueOrConversionAssignment) 590 .CaseOf<CXXOperatorCallExpr>(isOptionalNulloptAssignment(), 591 transferNulloptAssignment) 592 593 // optional::value 594 .CaseOf<CXXMemberCallExpr>( 595 isOptionalMemberCallWithName("value", IgnorableOptional), 596 [](const CXXMemberCallExpr *E, const MatchFinder::MatchResult &, 597 LatticeTransferState &State) { 598 transferUnwrapCall(E, E->getImplicitObjectArgument(), State); 599 }) 600 601 // optional::operator*, optional::operator-> 602 .CaseOf<CallExpr>( 603 expr(anyOf(isOptionalOperatorCallWithName("*", IgnorableOptional), 604 isOptionalOperatorCallWithName("->", IgnorableOptional))), 605 [](const CallExpr *E, const MatchFinder::MatchResult &, 606 LatticeTransferState &State) { 607 transferUnwrapCall(E, E->getArg(0), State); 608 }) 609 610 // optional::has_value 611 .CaseOf<CXXMemberCallExpr>(isOptionalMemberCallWithName("has_value"), 612 transferOptionalHasValueCall) 613 614 // optional::operator bool 615 .CaseOf<CXXMemberCallExpr>(isOptionalMemberCallWithName("operator bool"), 616 transferOptionalHasValueCall) 617 618 // optional::emplace 619 .CaseOf<CXXMemberCallExpr>( 620 isOptionalMemberCallWithName("emplace"), 621 [](const CXXMemberCallExpr *E, const MatchFinder::MatchResult &, 622 LatticeTransferState &State) { 623 assignOptionalValue(*E->getImplicitObjectArgument(), State, 624 State.Env.getBoolLiteralValue(true)); 625 }) 626 627 // optional::reset 628 .CaseOf<CXXMemberCallExpr>( 629 isOptionalMemberCallWithName("reset"), 630 [](const CXXMemberCallExpr *E, const MatchFinder::MatchResult &, 631 LatticeTransferState &State) { 632 assignOptionalValue(*E->getImplicitObjectArgument(), State, 633 State.Env.getBoolLiteralValue(false)); 634 }) 635 636 // optional::swap 637 .CaseOf<CXXMemberCallExpr>(isOptionalMemberCallWithName("swap"), 638 transferSwapCall) 639 640 // std::swap 641 .CaseOf<CallExpr>(isStdSwapCall(), transferStdSwapCall) 642 643 // opt.value_or("").empty() 644 .CaseOf<Expr>(isValueOrStringEmptyCall(), transferValueOrStringEmptyCall) 645 646 // opt.value_or(X) != X 647 .CaseOf<Expr>(isValueOrNotEqX(), transferValueOrNotEqX) 648 649 // returns optional 650 .CaseOf<CallExpr>(isCallReturningOptional(), 651 transferCallReturningOptional) 652 653 .Build(); 654 } 655 656 } // namespace 657 658 ast_matchers::DeclarationMatcher 659 UncheckedOptionalAccessModel::optionalClassDecl() { 660 return optionalClass(); 661 } 662 663 UncheckedOptionalAccessModel::UncheckedOptionalAccessModel( 664 ASTContext &Ctx, UncheckedOptionalAccessModelOptions Options) 665 : DataflowAnalysis<UncheckedOptionalAccessModel, SourceLocationsLattice>( 666 Ctx), 667 TransferMatchSwitch(buildTransferMatchSwitch(Options)) {} 668 669 void UncheckedOptionalAccessModel::transfer(const Stmt *S, 670 SourceLocationsLattice &L, 671 Environment &Env) { 672 LatticeTransferState State(L, Env); 673 TransferMatchSwitch(*S, getASTContext(), State); 674 } 675 676 bool UncheckedOptionalAccessModel::compareEquivalent(QualType Type, 677 const Value &Val1, 678 const Environment &Env1, 679 const Value &Val2, 680 const Environment &Env2) { 681 return isNonEmptyOptional(Val1, Env1) == isNonEmptyOptional(Val2, Env2); 682 } 683 684 bool UncheckedOptionalAccessModel::merge(QualType Type, const Value &Val1, 685 const Environment &Env1, 686 const Value &Val2, 687 const Environment &Env2, 688 Value &MergedVal, 689 Environment &MergedEnv) { 690 if (!IsOptionalType(Type)) 691 return true; 692 693 auto &HasValueVal = MergedEnv.makeAtomicBoolValue(); 694 if (isNonEmptyOptional(Val1, Env1) && isNonEmptyOptional(Val2, Env2)) 695 MergedEnv.addToFlowCondition(HasValueVal); 696 else if (isEmptyOptional(Val1, Env1) && isEmptyOptional(Val2, Env2)) 697 MergedEnv.addToFlowCondition(MergedEnv.makeNot(HasValueVal)); 698 setHasValue(MergedVal, HasValueVal); 699 return true; 700 } 701 702 } // namespace dataflow 703 } // namespace clang 704