clang/lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp

   1 //=======- VirtualCallChecker.cpp --------------------------------*- C++ -*-==//
   2 //
   3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
   4 // See https://llvm.org/LICENSE.txt for license information.
   5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
   6 //
   7 //===----------------------------------------------------------------------===//
   8 //
   9 //  This file defines a checker that checks virtual method calls during
  10 //  construction or destruction of C++ objects.
  11 //
  12 //===----------------------------------------------------------------------===//
  13
  14 #include "clang/AST/Attr.h"
  15 #include "clang/AST/DeclCXX.h"
  16 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
  17 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
  18 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
  19 #include "clang/StaticAnalyzer/Core/Checker.h"
  20 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
  21 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
  22 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
  23 #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
  24
  25 using namespace clang;
  26 using namespace ento;
  27
  28 namespace {
  29 enum class ObjectState : bool { CtorCalled, DtorCalled };
  30 } // end namespace
  31   // FIXME: Ascending over StackFrameContext maybe another method.
  32
  33 namespace llvm {
  34 template <> struct FoldingSetTrait<ObjectState> {
  35   static inline void Profile(ObjectState X, FoldingSetNodeID &ID) {
  36     ID.AddInteger(static_cast<int>(X));
  37   }
  38 };
  39 } // end namespace llvm
  40
  41 namespace {
  42 class VirtualCallChecker
  43     : public Checker<check::BeginFunction, check::EndFunction, check::PreCall> {
  44 public:
  45   // These are going to be null if the respective check is disabled.
  46   mutable std::unique_ptr<BugType> BT_Pure, BT_Impure;
  47   bool ShowFixIts = false;
  48
  49   void checkBeginFunction(CheckerContext &C) const;
  50   void checkEndFunction(const ReturnStmt *RS, CheckerContext &C) const;
  51   void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
  52
  53 private:
  54   void registerCtorDtorCallInState(bool IsBeginFunction,
  55                                    CheckerContext &C) const;
  56 };
  57 } // end namespace
  58
  59 // GDM (generic data map) to the memregion of this for the ctor and dtor.
  60 REGISTER_MAP_WITH_PROGRAMSTATE(CtorDtorMap, const MemRegion *, ObjectState)
  61
  62 // The function to check if a callexpr is a virtual method call.
  63 static bool isVirtualCall(const CallExpr *CE) {
  64   bool CallIsNonVirtual = false;
  65
  66   if (const MemberExpr *CME = dyn_cast<MemberExpr>(CE->getCallee())) {
  67     // The member access is fully qualified (i.e., X::F).
  68     // Treat this as a non-virtual call and do not warn.
  69     if (CME->getQualifier())
  70       CallIsNonVirtual = true;
  71
  72     if (const Expr *Base = CME->getBase()) {
  73       // The most derived class is marked final.
  74       if (Base->getBestDynamicClassType()->hasAttr<FinalAttr>())
  75         CallIsNonVirtual = true;
  76     }
  77   }
  78
  79   const CXXMethodDecl *MD =
  80       dyn_cast_or_null<CXXMethodDecl>(CE->getDirectCallee());
  81   if (MD && MD->isVirtual() && !CallIsNonVirtual && !MD->hasAttr<FinalAttr>() &&
  82       !MD->getParent()->hasAttr<FinalAttr>())
  83     return true;
  84   return false;
  85 }
  86
  87 // The BeginFunction callback when enter a constructor or a destructor.
  88 void VirtualCallChecker::checkBeginFunction(CheckerContext &C) const {
  89   registerCtorDtorCallInState(true, C);
  90 }
  91
  92 // The EndFunction callback when leave a constructor or a destructor.
  93 void VirtualCallChecker::checkEndFunction(const ReturnStmt *RS,
  94                                           CheckerContext &C) const {
  95   registerCtorDtorCallInState(false, C);
  96 }
  97
  98 void VirtualCallChecker::checkPreCall(const CallEvent &Call,
  99                                       CheckerContext &C) const {
 100   const auto MC = dyn_cast<CXXMemberCall>(&Call);
 101   if (!MC)
 102     return;
 103
 104   const CXXMethodDecl *MD = dyn_cast_or_null<CXXMethodDecl>(Call.getDecl());
 105   if (!MD)
 106     return;
 107
 108   ProgramStateRef State = C.getState();
 109   // Member calls are always represented by a call-expression.
 110   const auto *CE = cast<CallExpr>(Call.getOriginExpr());
 111   if (!isVirtualCall(CE))
 112     return;
 113
 114   const MemRegion *Reg = MC->getCXXThisVal().getAsRegion();
 115   const ObjectState *ObState = State->get<CtorDtorMap>(Reg);
 116   if (!ObState)
 117     return;
 118
 119   bool IsPure = MD->isPure();
 120
 121   // At this point we're sure that we're calling a virtual method
 122   // during construction or destruction, so we'll emit a report.
 123   SmallString<128> Msg;
 124   llvm::raw_svector_ostream OS(Msg);
 125   OS << "Call to ";
 126   if (IsPure)
 127     OS << "pure ";
 128   OS << "virtual method '" << MD->getParent()->getDeclName()
 129      << "::" << MD->getDeclName() << "' during ";
 130   if (*ObState == ObjectState::CtorCalled)
 131     OS << "construction ";
 132   else
 133     OS << "destruction ";
 134   if (IsPure)
 135     OS << "has undefined behavior";
 136   else
 137     OS << "bypasses virtual dispatch";
 138
 139   ExplodedNode *N =
 140       IsPure ? C.generateErrorNode() : C.generateNonFatalErrorNode();
 141   if (!N)
 142     return;
 143
 144   const std::unique_ptr<BugType> &BT = IsPure ? BT_Pure : BT_Impure;
 145   if (!BT) {
 146     // The respective check is disabled.
 147     return;
 148   }
 149
 150   auto Report = std::make_unique<PathSensitiveBugReport>(*BT, OS.str(), N);
 151
 152   if (ShowFixIts && !IsPure) {
 153     // FIXME: These hints are valid only when the virtual call is made
 154     // directly from the constructor/destructor. Otherwise the dispatch
 155     // will work just fine from other callees, and the fix may break
 156     // the otherwise correct program.
 157     FixItHint Fixit = FixItHint::CreateInsertion(
 158         CE->getBeginLoc(), MD->getParent()->getNameAsString() + "::");
 159     Report->addFixItHint(Fixit);
 160   }
 161
 162   C.emitReport(std::move(Report));
 163 }
 164
 165 void VirtualCallChecker::registerCtorDtorCallInState(bool IsBeginFunction,
 166                                                      CheckerContext &C) const {
 167   const auto *LCtx = C.getLocationContext();
 168   const auto *MD = dyn_cast_or_null<CXXMethodDecl>(LCtx->getDecl());
 169   if (!MD)
 170     return;
 171
 172   ProgramStateRef State = C.getState();
 173   auto &SVB = C.getSValBuilder();
 174
 175   // Enter a constructor, set the corresponding memregion be true.
 176   if (isa<CXXConstructorDecl>(MD)) {
 177     auto ThiSVal =
 178         State->getSVal(SVB.getCXXThis(MD, LCtx->getStackFrame()));
 179     const MemRegion *Reg = ThiSVal.getAsRegion();
 180     if (IsBeginFunction)
 181       State = State->set<CtorDtorMap>(Reg, ObjectState::CtorCalled);
 182     else
 183       State = State->remove<CtorDtorMap>(Reg);
 184
 185     C.addTransition(State);
 186     return;
 187   }
 188
 189   // Enter a Destructor, set the corresponding memregion be true.
 190   if (isa<CXXDestructorDecl>(MD)) {
 191     auto ThiSVal =
 192         State->getSVal(SVB.getCXXThis(MD, LCtx->getStackFrame()));
 193     const MemRegion *Reg = ThiSVal.getAsRegion();
 194     if (IsBeginFunction)
 195       State = State->set<CtorDtorMap>(Reg, ObjectState::DtorCalled);
 196     else
 197       State = State->remove<CtorDtorMap>(Reg);
 198
 199     C.addTransition(State);
 200     return;
 201   }
 202 }
 203
 204 void ento::registerVirtualCallModeling(CheckerManager &Mgr) {
 205   Mgr.registerChecker<VirtualCallChecker>();
 206 }
 207
 208 void ento::registerPureVirtualCallChecker(CheckerManager &Mgr) {
 209   auto *Chk = Mgr.getChecker<VirtualCallChecker>();
 210   Chk->BT_Pure = std::make_unique<BugType>(Mgr.getCurrentCheckerName(),
 211                                            "Pure virtual method call",
 212                                            categories::CXXObjectLifecycle);
 213 }
 214
 215 void ento::registerVirtualCallChecker(CheckerManager &Mgr) {
 216   auto *Chk = Mgr.getChecker<VirtualCallChecker>();
 217   if (!Mgr.getAnalyzerOptions().getCheckerBooleanOption(
 218           Mgr.getCurrentCheckerName(), "PureOnly")) {
 219     Chk->BT_Impure = std::make_unique<BugType>(
 220         Mgr.getCurrentCheckerName(), "Unexpected loss of virtual dispatch",
 221         categories::CXXObjectLifecycle);
 222     Chk->ShowFixIts = Mgr.getAnalyzerOptions().getCheckerBooleanOption(
 223         Mgr.getCurrentCheckerName(), "ShowFixIts");
 224   }
 225 }
 226
 227 bool ento::shouldRegisterVirtualCallModeling(const CheckerManager &mgr) {
 228   const LangOptions &LO = mgr.getLangOpts();
 229   return LO.CPlusPlus;
 230 }
 231
 232 bool ento::shouldRegisterPureVirtualCallChecker(const CheckerManager &mgr) {
 233   const LangOptions &LO = mgr.getLangOpts();
 234   return LO.CPlusPlus;
 235 }
 236
 237 bool ento::shouldRegisterVirtualCallChecker(const CheckerManager &mgr) {
 238   const LangOptions &LO = mgr.getLangOpts();
 239   return LO.CPlusPlus;
 240 }