1 //===- ExprEngineCXX.cpp - ExprEngine support for C++ -----------*- C++ -*-===//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 //  This file defines the C++ expression evaluation engine.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
15 #include "clang/AST/DeclCXX.h"
16 #include "clang/AST/StmtCXX.h"
17 #include "clang/Basic/PrettyStackTrace.h"
18 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
20 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
21 
22 using namespace clang;
23 using namespace ento;
24 
25 void ExprEngine::CreateCXXTemporaryObject(const MaterializeTemporaryExpr *ME,
26                                           ExplodedNode *Pred,
27                                           ExplodedNodeSet &Dst) {
28   StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
29   const Expr *tempExpr = ME->GetTemporaryExpr()->IgnoreParens();
30   ProgramStateRef state = Pred->getState();
31   const LocationContext *LCtx = Pred->getLocationContext();
32 
33   SVal V = state->getSVal(tempExpr, LCtx);
34 
35   // If the value is already a CXXTempObjectRegion, it is fine as it is.
36   // Otherwise, create a new CXXTempObjectRegion, and copy the value into it.
37   // This is an optimization for when an rvalue is constructed and then
38   // immediately materialized.
39   const MemRegion *MR = V.getAsRegion();
40   if (const CXXTempObjectRegion *TR =
41         dyn_cast_or_null<CXXTempObjectRegion>(MR)) {
42     if (getContext().hasSameUnqualifiedType(TR->getValueType(), ME->getType()))
43       state = state->BindExpr(ME, LCtx, V);
44   }
45 
46   if (state == Pred->getState())
47     state = createTemporaryRegionIfNeeded(state, LCtx, tempExpr, ME);
48   Bldr.generateNode(ME, Pred, state);
49 }
50 
51 // FIXME: This is the sort of code that should eventually live in a Core
52 // checker rather than as a special case in ExprEngine.
53 void ExprEngine::performTrivialCopy(NodeBuilder &Bldr, ExplodedNode *Pred,
54                                     const CallEvent &Call) {
55   SVal ThisVal;
56   bool AlwaysReturnsLValue;
57   if (const CXXConstructorCall *Ctor = dyn_cast<CXXConstructorCall>(&Call)) {
58     assert(Ctor->getDecl()->isTrivial());
59     assert(Ctor->getDecl()->isCopyOrMoveConstructor());
60     ThisVal = Ctor->getCXXThisVal();
61     AlwaysReturnsLValue = false;
62   } else {
63     assert(cast<CXXMethodDecl>(Call.getDecl())->isTrivial());
64     assert(cast<CXXMethodDecl>(Call.getDecl())->getOverloadedOperator() ==
65            OO_Equal);
66     ThisVal = cast<CXXInstanceCall>(Call).getCXXThisVal();
67     AlwaysReturnsLValue = true;
68   }
69 
70   const LocationContext *LCtx = Pred->getLocationContext();
71 
72   ExplodedNodeSet Dst;
73   Bldr.takeNodes(Pred);
74 
75   SVal V = Call.getArgSVal(0);
76 
77   // If the value being copied is not unknown, load from its location to get
78   // an aggregate rvalue.
79   if (Optional<Loc> L = V.getAs<Loc>())
80     V = Pred->getState()->getSVal(*L);
81   else
82     assert(V.isUnknown());
83 
84   const Expr *CallExpr = Call.getOriginExpr();
85   evalBind(Dst, CallExpr, Pred, ThisVal, V, true);
86 
87   PostStmt PS(CallExpr, LCtx);
88   for (ExplodedNodeSet::iterator I = Dst.begin(), E = Dst.end();
89        I != E; ++I) {
90     ProgramStateRef State = (*I)->getState();
91     if (AlwaysReturnsLValue)
92       State = State->BindExpr(CallExpr, LCtx, ThisVal);
93     else
94       State = bindReturnValue(Call, LCtx, State);
95     Bldr.generateNode(PS, State, *I);
96   }
97 }
98 
99 void ExprEngine::VisitCXXConstructExpr(const CXXConstructExpr *CE,
100                                        ExplodedNode *Pred,
101                                        ExplodedNodeSet &destNodes) {
102   const LocationContext *LCtx = Pred->getLocationContext();
103   ProgramStateRef State = Pred->getState();
104 
105   const MemRegion *Target = 0;
106   bool IsArray = false;
107 
108   switch (CE->getConstructionKind()) {
109   case CXXConstructExpr::CK_Complete: {
110     // See if we're constructing an existing region by looking at the next
111     // element in the CFG.
112     const CFGBlock *B = currBldrCtx->getBlock();
113     if (currStmtIdx + 1 < B->size()) {
114       CFGElement Next = (*B)[currStmtIdx+1];
115 
116       // Is this a constructor for a local variable?
117       if (Optional<CFGStmt> StmtElem = Next.getAs<CFGStmt>()) {
118         if (const DeclStmt *DS = dyn_cast<DeclStmt>(StmtElem->getStmt())) {
119           if (const VarDecl *Var = dyn_cast<VarDecl>(DS->getSingleDecl())) {
120             if (Var->getInit()->IgnoreImplicit() == CE) {
121               QualType Ty = Var->getType();
122               if (const ArrayType *AT = getContext().getAsArrayType(Ty)) {
123                 // FIXME: Handle arrays, which run the same constructor for
124                 // every element. This workaround will just run the first
125                 // constructor (which should still invalidate the entire array).
126                 SVal Base = State->getLValue(Var, LCtx);
127                 Target = State->getLValue(AT->getElementType(),
128                                           getSValBuilder().makeZeroArrayIndex(),
129                                           Base).getAsRegion();
130                 IsArray = true;
131               } else {
132                 Target = State->getLValue(Var, LCtx).getAsRegion();
133               }
134             }
135           }
136         }
137       }
138 
139       // Is this a constructor for a member?
140       if (Optional<CFGInitializer> InitElem = Next.getAs<CFGInitializer>()) {
141         const CXXCtorInitializer *Init = InitElem->getInitializer();
142         assert(Init->isAnyMemberInitializer());
143 
144         const CXXMethodDecl *CurCtor = cast<CXXMethodDecl>(LCtx->getDecl());
145         Loc ThisPtr = getSValBuilder().getCXXThis(CurCtor,
146                                                   LCtx->getCurrentStackFrame());
147         SVal ThisVal = State->getSVal(ThisPtr);
148 
149         if (Init->isIndirectMemberInitializer()) {
150           SVal Field = State->getLValue(Init->getIndirectMember(), ThisVal);
151           Target = Field.getAsRegion();
152         } else {
153           SVal Field = State->getLValue(Init->getMember(), ThisVal);
154           Target = Field.getAsRegion();
155         }
156       }
157 
158       // FIXME: This will eventually need to handle new-expressions as well.
159     }
160 
161     // If we couldn't find an existing region to construct into, assume we're
162     // constructing a temporary.
163     if (!Target) {
164       MemRegionManager &MRMgr = getSValBuilder().getRegionManager();
165       Target = MRMgr.getCXXTempObjectRegion(CE, LCtx);
166     }
167 
168     break;
169   }
170   case CXXConstructExpr::CK_NonVirtualBase:
171   case CXXConstructExpr::CK_VirtualBase:
172   case CXXConstructExpr::CK_Delegating: {
173     const CXXMethodDecl *CurCtor = cast<CXXMethodDecl>(LCtx->getDecl());
174     Loc ThisPtr = getSValBuilder().getCXXThis(CurCtor,
175                                               LCtx->getCurrentStackFrame());
176     SVal ThisVal = State->getSVal(ThisPtr);
177 
178     if (CE->getConstructionKind() == CXXConstructExpr::CK_Delegating) {
179       Target = ThisVal.getAsRegion();
180     } else {
181       // Cast to the base type.
182       bool IsVirtual =
183         (CE->getConstructionKind() == CXXConstructExpr::CK_VirtualBase);
184       SVal BaseVal = getStoreManager().evalDerivedToBase(ThisVal, CE->getType(),
185                                                          IsVirtual);
186       Target = BaseVal.getAsRegion();
187     }
188     break;
189   }
190   }
191 
192   CallEventManager &CEMgr = getStateManager().getCallEventManager();
193   CallEventRef<CXXConstructorCall> Call =
194     CEMgr.getCXXConstructorCall(CE, Target, State, LCtx);
195 
196   ExplodedNodeSet DstPreVisit;
197   getCheckerManager().runCheckersForPreStmt(DstPreVisit, Pred, CE, *this);
198   ExplodedNodeSet DstPreCall;
199   getCheckerManager().runCheckersForPreCall(DstPreCall, DstPreVisit,
200                                             *Call, *this);
201 
202   ExplodedNodeSet DstEvaluated;
203   StmtNodeBuilder Bldr(DstPreCall, DstEvaluated, *currBldrCtx);
204 
205   if (CE->getConstructor()->isTrivial() &&
206       CE->getConstructor()->isCopyOrMoveConstructor() &&
207       !IsArray) {
208     // FIXME: Handle other kinds of trivial constructors as well.
209     for (ExplodedNodeSet::iterator I = DstPreCall.begin(), E = DstPreCall.end();
210          I != E; ++I)
211       performTrivialCopy(Bldr, *I, *Call);
212 
213   } else {
214     for (ExplodedNodeSet::iterator I = DstPreCall.begin(), E = DstPreCall.end();
215          I != E; ++I)
216       defaultEvalCall(Bldr, *I, *Call);
217   }
218 
219   ExplodedNodeSet DstPostCall;
220   getCheckerManager().runCheckersForPostCall(DstPostCall, DstEvaluated,
221                                              *Call, *this);
222   getCheckerManager().runCheckersForPostStmt(destNodes, DstPostCall, CE, *this);
223 }
224 
225 void ExprEngine::VisitCXXDestructor(QualType ObjectType,
226                                     const MemRegion *Dest,
227                                     const Stmt *S,
228                                     bool IsBaseDtor,
229                                     ExplodedNode *Pred,
230                                     ExplodedNodeSet &Dst) {
231   const LocationContext *LCtx = Pred->getLocationContext();
232   ProgramStateRef State = Pred->getState();
233 
234   // FIXME: We need to run the same destructor on every element of the array.
235   // This workaround will just run the first destructor (which will still
236   // invalidate the entire array).
237   // This is a loop because of multidimensional arrays.
238   while (const ArrayType *AT = getContext().getAsArrayType(ObjectType)) {
239     ObjectType = AT->getElementType();
240     Dest = State->getLValue(ObjectType, getSValBuilder().makeZeroArrayIndex(),
241                             loc::MemRegionVal(Dest)).getAsRegion();
242   }
243 
244   const CXXRecordDecl *RecordDecl = ObjectType->getAsCXXRecordDecl();
245   assert(RecordDecl && "Only CXXRecordDecls should have destructors");
246   const CXXDestructorDecl *DtorDecl = RecordDecl->getDestructor();
247 
248   CallEventManager &CEMgr = getStateManager().getCallEventManager();
249   CallEventRef<CXXDestructorCall> Call =
250     CEMgr.getCXXDestructorCall(DtorDecl, S, Dest, IsBaseDtor, State, LCtx);
251 
252   PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
253                                 Call->getSourceRange().getBegin(),
254                                 "Error evaluating destructor");
255 
256   ExplodedNodeSet DstPreCall;
257   getCheckerManager().runCheckersForPreCall(DstPreCall, Pred,
258                                             *Call, *this);
259 
260   ExplodedNodeSet DstInvalidated;
261   StmtNodeBuilder Bldr(DstPreCall, DstInvalidated, *currBldrCtx);
262   for (ExplodedNodeSet::iterator I = DstPreCall.begin(), E = DstPreCall.end();
263        I != E; ++I)
264     defaultEvalCall(Bldr, *I, *Call);
265 
266   ExplodedNodeSet DstPostCall;
267   getCheckerManager().runCheckersForPostCall(Dst, DstInvalidated,
268                                              *Call, *this);
269 }
270 
271 void ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred,
272                                    ExplodedNodeSet &Dst) {
273   // FIXME: Much of this should eventually migrate to CXXAllocatorCall.
274   // Also, we need to decide how allocators actually work -- they're not
275   // really part of the CXXNewExpr because they happen BEFORE the
276   // CXXConstructExpr subexpression. See PR12014 for some discussion.
277   StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
278 
279   unsigned blockCount = currBldrCtx->blockCount();
280   const LocationContext *LCtx = Pred->getLocationContext();
281   DefinedOrUnknownSVal symVal = svalBuilder.conjureSymbolVal(0, CNE, LCtx,
282                                                              CNE->getType(),
283                                                              blockCount);
284   ProgramStateRef State = Pred->getState();
285 
286   CallEventManager &CEMgr = getStateManager().getCallEventManager();
287   CallEventRef<CXXAllocatorCall> Call =
288     CEMgr.getCXXAllocatorCall(CNE, State, LCtx);
289 
290   // Invalidate placement args.
291   // FIXME: Once we figure out how we want allocators to work,
292   // we should be using the usual pre-/(default-)eval-/post-call checks here.
293   State = Call->invalidateRegions(blockCount);
294 
295   // If we're compiling with exceptions enabled, and this allocation function
296   // is not declared as non-throwing, failures /must/ be signalled by
297   // exceptions, and thus the return value will never be NULL.
298   // C++11 [basic.stc.dynamic.allocation]p3.
299   FunctionDecl *FD = CNE->getOperatorNew();
300   if (FD && getContext().getLangOpts().CXXExceptions) {
301     QualType Ty = FD->getType();
302     if (const FunctionProtoType *ProtoType = Ty->getAs<FunctionProtoType>())
303       if (!ProtoType->isNothrow(getContext()))
304         State = State->assume(symVal, true);
305   }
306 
307   if (CNE->isArray()) {
308     // FIXME: allocating an array requires simulating the constructors.
309     // For now, just return a symbolicated region.
310     const MemRegion *NewReg = symVal.castAs<loc::MemRegionVal>().getRegion();
311     QualType ObjTy = CNE->getType()->getAs<PointerType>()->getPointeeType();
312     const ElementRegion *EleReg =
313       getStoreManager().GetElementZeroRegion(NewReg, ObjTy);
314     State = State->BindExpr(CNE, Pred->getLocationContext(),
315                             loc::MemRegionVal(EleReg));
316     Bldr.generateNode(CNE, Pred, State);
317     return;
318   }
319 
320   // FIXME: Once we have proper support for CXXConstructExprs inside
321   // CXXNewExpr, we need to make sure that the constructed object is not
322   // immediately invalidated here. (The placement call should happen before
323   // the constructor call anyway.)
324   if (FD && FD->isReservedGlobalPlacementOperator()) {
325     // Non-array placement new should always return the placement location.
326     SVal PlacementLoc = State->getSVal(CNE->getPlacementArg(0), LCtx);
327     SVal Result = svalBuilder.evalCast(PlacementLoc, CNE->getType(),
328                                        CNE->getPlacementArg(0)->getType());
329     State = State->BindExpr(CNE, LCtx, Result);
330   } else {
331     State = State->BindExpr(CNE, LCtx, symVal);
332   }
333 
334   // If the type is not a record, we won't have a CXXConstructExpr as an
335   // initializer. Copy the value over.
336   if (const Expr *Init = CNE->getInitializer()) {
337     if (!isa<CXXConstructExpr>(Init)) {
338       QualType ObjTy = CNE->getType()->getAs<PointerType>()->getPointeeType();
339       (void)ObjTy;
340       assert(!ObjTy->isRecordType());
341       SVal Location = State->getSVal(CNE, LCtx);
342       if (Optional<Loc> LV = Location.getAs<Loc>())
343         State = State->bindLoc(*LV, State->getSVal(Init, LCtx));
344     }
345   }
346 
347   Bldr.generateNode(CNE, Pred, State);
348 }
349 
350 void ExprEngine::VisitCXXDeleteExpr(const CXXDeleteExpr *CDE,
351                                     ExplodedNode *Pred, ExplodedNodeSet &Dst) {
352   StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
353   ProgramStateRef state = Pred->getState();
354   Bldr.generateNode(CDE, Pred, state);
355 }
356 
357 void ExprEngine::VisitCXXCatchStmt(const CXXCatchStmt *CS,
358                                    ExplodedNode *Pred,
359                                    ExplodedNodeSet &Dst) {
360   const VarDecl *VD = CS->getExceptionDecl();
361   if (!VD) {
362     Dst.Add(Pred);
363     return;
364   }
365 
366   const LocationContext *LCtx = Pred->getLocationContext();
367   SVal V = svalBuilder.conjureSymbolVal(CS, LCtx, VD->getType(),
368                                         currBldrCtx->blockCount());
369   ProgramStateRef state = Pred->getState();
370   state = state->bindLoc(state->getLValue(VD, LCtx), V);
371 
372   StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
373   Bldr.generateNode(CS, Pred, state);
374 }
375 
376 void ExprEngine::VisitCXXThisExpr(const CXXThisExpr *TE, ExplodedNode *Pred,
377                                     ExplodedNodeSet &Dst) {
378   StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
379 
380   // Get the this object region from StoreManager.
381   const LocationContext *LCtx = Pred->getLocationContext();
382   const MemRegion *R =
383     svalBuilder.getRegionManager().getCXXThisRegion(
384                                   getContext().getCanonicalType(TE->getType()),
385                                                     LCtx);
386 
387   ProgramStateRef state = Pred->getState();
388   SVal V = state->getSVal(loc::MemRegionVal(R));
389   Bldr.generateNode(TE, Pred, state->BindExpr(TE, LCtx, V));
390 }
391