Path: blob/main/contrib/llvm-project/clang/lib/StaticAnalyzer/Checkers/BuiltinFunctionChecker.cpp
35266 views
//=== BuiltinFunctionChecker.cpp --------------------------------*- C++ -*-===//1//2// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.3// See https://llvm.org/LICENSE.txt for license information.4// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception5//6//===----------------------------------------------------------------------===//7//8// This checker evaluates "standalone" clang builtin functions that are not9// just special-cased variants of well-known non-builtin functions.10// Builtin functions like __builtin_memcpy and __builtin_alloca should be11// evaluated by the same checker that handles their non-builtin variant to12// ensure that the two variants are handled consistently.13//14//===----------------------------------------------------------------------===//1516#include "clang/Basic/Builtins.h"17#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"18#include "clang/StaticAnalyzer/Core/Checker.h"19#include "clang/StaticAnalyzer/Core/CheckerManager.h"20#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"21#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"22#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"23#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"2425using namespace clang;26using namespace ento;2728namespace {2930class BuiltinFunctionChecker : public Checker<eval::Call> {31public:32bool evalCall(const CallEvent &Call, CheckerContext &C) const;3334private:35// From: clang/include/clang/Basic/Builtins.def36// C++ standard library builtins in namespace 'std'.37const CallDescriptionSet BuiltinLikeStdFunctions{38{CDM::SimpleFunc, {"std", "addressof"}}, //39{CDM::SimpleFunc, {"std", "__addressof"}}, //40{CDM::SimpleFunc, {"std", "as_const"}}, //41{CDM::SimpleFunc, {"std", "forward"}}, //42{CDM::SimpleFunc, {"std", "forward_like"}}, //43{CDM::SimpleFunc, {"std", "move"}}, //44{CDM::SimpleFunc, {"std", "move_if_noexcept"}}, //45};4647bool isBuiltinLikeFunction(const CallEvent &Call) const;48};4950} // namespace5152bool BuiltinFunctionChecker::isBuiltinLikeFunction(53const CallEvent &Call) const {54const auto *FD = llvm::dyn_cast_or_null<FunctionDecl>(Call.getDecl());55if (!FD || FD->getNumParams() != 1)56return false;5758if (QualType RetTy = FD->getReturnType();59!RetTy->isPointerType() && !RetTy->isReferenceType())60return false;6162if (QualType ParmTy = FD->getParamDecl(0)->getType();63!ParmTy->isPointerType() && !ParmTy->isReferenceType())64return false;6566return BuiltinLikeStdFunctions.contains(Call);67}6869bool BuiltinFunctionChecker::evalCall(const CallEvent &Call,70CheckerContext &C) const {71ProgramStateRef state = C.getState();72const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());73if (!FD)74return false;7576const LocationContext *LCtx = C.getLocationContext();77const Expr *CE = Call.getOriginExpr();7879if (isBuiltinLikeFunction(Call)) {80C.addTransition(state->BindExpr(CE, LCtx, Call.getArgSVal(0)));81return true;82}8384switch (FD->getBuiltinID()) {85default:86return false;8788case Builtin::BI__builtin_assume:89case Builtin::BI__assume: {90assert (Call.getNumArgs() > 0);91SVal Arg = Call.getArgSVal(0);92if (Arg.isUndef())93return true; // Return true to model purity.9495state = state->assume(Arg.castAs<DefinedOrUnknownSVal>(), true);96// FIXME: do we want to warn here? Not right now. The most reports might97// come from infeasible paths, thus being false positives.98if (!state) {99C.generateSink(C.getState(), C.getPredecessor());100return true;101}102103C.addTransition(state);104return true;105}106107case Builtin::BI__builtin_unpredictable:108case Builtin::BI__builtin_expect:109case Builtin::BI__builtin_expect_with_probability:110case Builtin::BI__builtin_assume_aligned:111case Builtin::BI__builtin_addressof:112case Builtin::BI__builtin_function_start: {113// For __builtin_unpredictable, __builtin_expect,114// __builtin_expect_with_probability and __builtin_assume_aligned,115// just return the value of the subexpression.116// __builtin_addressof is going from a reference to a pointer, but those117// are represented the same way in the analyzer.118assert (Call.getNumArgs() > 0);119SVal Arg = Call.getArgSVal(0);120C.addTransition(state->BindExpr(CE, LCtx, Arg));121return true;122}123124case Builtin::BI__builtin_dynamic_object_size:125case Builtin::BI__builtin_object_size:126case Builtin::BI__builtin_constant_p: {127// This must be resolvable at compile time, so we defer to the constant128// evaluator for a value.129SValBuilder &SVB = C.getSValBuilder();130SVal V = UnknownVal();131Expr::EvalResult EVResult;132if (CE->EvaluateAsInt(EVResult, C.getASTContext(), Expr::SE_NoSideEffects)) {133// Make sure the result has the correct type.134llvm::APSInt Result = EVResult.Val.getInt();135BasicValueFactory &BVF = SVB.getBasicValueFactory();136BVF.getAPSIntType(CE->getType()).apply(Result);137V = SVB.makeIntVal(Result);138}139140if (FD->getBuiltinID() == Builtin::BI__builtin_constant_p) {141// If we didn't manage to figure out if the value is constant or not,142// it is safe to assume that it's not constant and unsafe to assume143// that it's constant.144if (V.isUnknown())145V = SVB.makeIntVal(0, CE->getType());146}147148C.addTransition(state->BindExpr(CE, LCtx, V));149return true;150}151}152}153154void ento::registerBuiltinFunctionChecker(CheckerManager &mgr) {155mgr.registerChecker<BuiltinFunctionChecker>();156}157158bool ento::shouldRegisterBuiltinFunctionChecker(const CheckerManager &mgr) {159return true;160}161162163