1//= CheckerDocumentation.cpp - Documentation checker ---------------*- C++ -*-// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This checker lists all the checker callbacks and provides documentation for 11// checker writers. 12// 13//===----------------------------------------------------------------------===// 14 15#include "ClangSACheckers.h" 16#include "clang/StaticAnalyzer/Core/Checker.h" 17#include "clang/StaticAnalyzer/Core/CheckerManager.h" 18#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 19#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 20#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 21 22using namespace clang; 23using namespace ento; 24 25// All checkers should be placed into anonymous namespace. 26// We place the CheckerDocumentation inside ento namespace to make the 27// it visible in doxygen. 28namespace ento { 29 30/// This checker documents the callback functions checkers can use to implement 31/// the custom handling of the specific events during path exploration as well 32/// as reporting bugs. Most of the callbacks are targeted at path-sensitive 33/// checking. 34/// 35/// \sa CheckerContext 36class CheckerDocumentation : public Checker< check::PreStmt<DeclStmt>, 37 check::PostStmt<CallExpr>, 38 check::PreObjCMessage, 39 check::PostObjCMessage, 40 check::BranchCondition, 41 check::Location, 42 check::Bind, 43 check::DeadSymbols, 44 check::EndPath, 45 check::EndAnalysis, 46 check::EndOfTranslationUnit, 47 eval::Call, 48 eval::Assume, 49 check::LiveSymbols, 50 check::RegionChanges, 51 check::Event<ImplicitNullDerefEvent>, 52 check::ASTDecl<FunctionDecl> > { 53public: 54 55 /// \brief Pre-visit the Statement. 56 /// 57 /// The method will be called before the analyzer core processes the 58 /// statement. The notification is performed for every explored CFGElement, 59 /// which does not include the control flow statements such as IfStmt. The 60 /// callback can be specialized to be called with any subclass of Stmt. 61 /// 62 /// See checkBranchCondition() callback for performing custom processing of 63 /// the branching statements. 64 /// 65 /// check::PreStmt<DeclStmt> 66 void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {} 67 68 /// \brief Post-visit the Statement. 69 /// 70 /// The method will be called after the analyzer core processes the 71 /// statement. The notification is performed for every explored CFGElement, 72 /// which does not include the control flow statements such as IfStmt. The 73 /// callback can be specialized to be called with any subclass of Stmt. 74 /// 75 /// check::PostStmt<DeclStmt> 76 void checkPostStmt(const CallExpr *DS, CheckerContext &C) const; 77 78 /// \brief Pre-visit the Objective C messages. 79 void checkPreObjCMessage(const ObjCMessage &Msg, CheckerContext &C) const {} 80 81 /// \brief Post-visit the Objective C messages. 82 void checkPostObjCMessage(const ObjCMessage &Msg, CheckerContext &C) const {} 83 84 /// \brief Pre-visit of the condition statement of a branch (such as IfStmt). 85 void checkBranchCondition(const Stmt *Condition, CheckerContext &Ctx) const {} 86 87 /// \brief Called on a load from and a store to a location. 88 /// 89 /// The method will be called each time a location (pointer) value is 90 /// accessed. 91 /// \param Loc The value of the location (pointer). 92 /// \param IsLoad The flag specifying if the location is a store or a load. 93 /// \param S The load is performed while processing the statement. 94 /// 95 /// check::Location 96 void checkLocation(SVal Loc, bool IsLoad, const Stmt *S, 97 CheckerContext &C) const {} 98 99 /// \brief Called on binding of a value to a location. 100 /// 101 /// \param Loc The value of the location (pointer). 102 /// \param Val The value which will be stored at the location Loc. 103 /// \param S The bind is performed while processing the statement S. 104 /// 105 /// check::Bind 106 void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &C) const {} 107 108 109 /// \brief Called whenever a symbol becomes dead. 110 /// 111 /// This callback should be used by the checkers to aggressively clean 112 /// up/reduce the checker state, which is important for reducing the overall 113 /// memory usage. Specifically, if a checker keeps symbol specific information 114 /// in the sate, it can and should be dropped after the symbol becomes dead. 115 /// In addition, reporting a bug as soon as the checker becomes dead leads to 116 /// more precise diagnostics. (For example, one should report that a malloced 117 /// variable is not freed right after it goes out of scope.) 118 /// 119 /// \param SR The SymbolReaper object can be queried to determine which 120 /// symbols are dead. 121 /// 122 /// check::DeadSymbols 123 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const {} 124 125 /// \brief Called when an end of path is reached in the ExplodedGraph. 126 /// 127 /// This callback should be used to check if the allocated resources are freed. 128 /// 129 /// check::EndPath 130 void checkEndPath(CheckerContext &Ctx) const {} 131 132 /// \brief Called after all the paths in the ExplodedGraph reach end of path 133 /// - the symbolic execution graph is fully explored. 134 /// 135 /// This callback should be used in cases when a checker needs to have a 136 /// global view of the information generated on all paths. For example, to 137 /// compare execution summary/result several paths. 138 /// See IdempotentOperationChecker for a usage example. 139 /// 140 /// check::EndAnalysis 141 void checkEndAnalysis(ExplodedGraph &G, 142 BugReporter &BR, 143 ExprEngine &Eng) const {} 144 145 /// \brief Called after analysis of a TranslationUnit is complete. 146 /// 147 /// check::EndOfTranslationUnit 148 void checkEndOfTranslationUnit(const TranslationUnitDecl *TU, 149 AnalysisManager &Mgr, 150 BugReporter &BR) const {} 151 152 153 /// \brief Evaluates function call. 154 /// 155 /// The analysis core threats all function calls in the same way. However, some 156 /// functions have special meaning, which should be reflected in the program 157 /// state. This callback allows a checker to provide domain specific knowledge 158 /// about the particular functions it knows about. 159 /// 160 /// \returns true if the call has been successfully evaluated 161 /// and false otherwise. Note, that only one checker can evaluate a call. If 162 /// more then one checker claim that they can evaluate the same call the 163 /// first one wins. 164 /// 165 /// eval::Call 166 bool evalCall(const CallExpr *CE, CheckerContext &C) const { return true; } 167 168 /// \brief Handles assumptions on symbolic values. 169 /// 170 /// This method is called when a symbolic expression is assumed to be true or 171 /// false. For example, the assumptions are performed when evaluating a 172 /// condition at a branch. The callback allows checkers track the assumptions 173 /// performed on the symbols of interest and change the state accordingly. 174 /// 175 /// eval::Assume 176 ProgramStateRef evalAssume(ProgramStateRef State, 177 SVal Cond, 178 bool Assumption) const { return State; } 179 180 /// Allows modifying SymbolReaper object. For example, checkers can explicitly 181 /// register symbols of interest as live. These symbols will not be marked 182 /// dead and removed. 183 /// 184 /// check::LiveSymbols 185 void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const {} 186 187 188 bool wantsRegionChangeUpdate(ProgramStateRef St) const { return true; } 189 190 /// check::RegionChanges 191 /// Allows tracking regions which get invalidated. 192 /// \param state The current program state. 193 /// \param invalidated A set of all symbols potentially touched by the change. 194 /// \param ExplicitRegions The regions explicitly requested for invalidation. 195 /// For example, in the case of a function call, these would be arguments. 196 /// \param Regions The transitive closure of accessible regions, 197 /// i.e. all regions that may have been touched by this change. 198 /// \param The call expression wrapper if the regions are invalidated by a 199 /// call, 0 otherwise. 200 /// Note, in order to be notified, the checker should also implement 201 /// wantsRegionChangeUpdate callback. 202 ProgramStateRef 203 checkRegionChanges(ProgramStateRef State, 204 const StoreManager::InvalidatedSymbols *, 205 ArrayRef<const MemRegion *> ExplicitRegions, 206 ArrayRef<const MemRegion *> Regions, 207 const CallOrObjCMessage *Call) const { 208 return State; 209 } 210 211 /// check::Event<ImplicitNullDerefEvent> 212 void checkEvent(ImplicitNullDerefEvent Event) const {} 213 214 /// \brief Check every declaration in the AST. 215 /// 216 /// An AST traversal callback, which should only be used when the checker is 217 /// not path sensitive. It will be called for every Declaration in the AST and 218 /// can be specialized to only be called on subclasses of Decl, for example, 219 /// FunctionDecl. 220 /// 221 /// check::ASTDecl<FunctionDecl> 222 void checkASTDecl(const FunctionDecl *D, 223 AnalysisManager &Mgr, 224 BugReporter &BR) const {} 225 226}; 227 228void CheckerDocumentation::checkPostStmt(const CallExpr *DS, 229 CheckerContext &C) const { 230 return; 231} 232 233} // end namespace 234