CallEvent.h revision 7c99aa385178c630e29f671299cdd9c104f1c885
1//===- CallEvent.h - Wrapper for all function and method calls ----*- C++ -*--// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10/// \file This file defines CallEvent and its subclasses, which represent path- 11/// sensitive instances of different kinds of function and method calls 12/// (C, C++, and Objective-C). 13// 14//===----------------------------------------------------------------------===// 15 16#ifndef LLVM_CLANG_STATICANALYZER_PATHSENSITIVE_CALL 17#define LLVM_CLANG_STATICANALYZER_PATHSENSITIVE_CALL 18 19#include "clang/Basic/SourceManager.h" 20#include "clang/AST/DeclCXX.h" 21#include "clang/AST/ExprCXX.h" 22#include "clang/AST/ExprObjC.h" 23#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 24#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 25#include "llvm/ADT/PointerIntPair.h" 26 27namespace clang { 28class ProgramPoint; 29class ProgramPointTag; 30 31namespace ento { 32 33enum CallEventKind { 34 CE_Function, 35 CE_CXXMember, 36 CE_CXXMemberOperator, 37 CE_BEG_CXX_INSTANCE_CALLS = CE_CXXMember, 38 CE_END_CXX_INSTANCE_CALLS = CE_CXXMemberOperator, 39 CE_Block, 40 CE_BEG_SIMPLE_CALLS = CE_Function, 41 CE_END_SIMPLE_CALLS = CE_Block, 42 CE_CXXConstructor, 43 CE_CXXDestructor, 44 CE_CXXAllocator, 45 CE_BEG_FUNCTION_CALLS = CE_Function, 46 CE_END_FUNCTION_CALLS = CE_CXXAllocator, 47 CE_ObjCMessage 48}; 49 50 51/// \brief Represents an abstract call to a function or method along a 52/// particular path. 53class CallEvent { 54public: 55 typedef CallEventKind Kind; 56 57private: 58 ProgramStateRef State; 59 const LocationContext *LCtx; 60 llvm::PointerUnion<const Expr *, const Decl *> Origin; 61 62 // DO NOT IMPLEMENT! CallEvents should not be copied. 63 CallEvent(const CallEvent &); 64 CallEvent &operator=(const CallEvent &); 65 66protected: 67 // This is user data for subclasses. 68 const void *Data; 69 SourceLocation Location; 70 71 CallEvent(const Expr *E, ProgramStateRef state, const LocationContext *lctx) 72 : State(state), LCtx(lctx), Origin(E) {} 73 74 CallEvent(const Decl *D, ProgramStateRef state, const LocationContext *lctx) 75 : State(state), LCtx(lctx), Origin(D) {} 76 77 ProgramStateRef getState() const { 78 return State; 79 } 80 81 const LocationContext *getLocationContext() const { 82 return LCtx; 83 } 84 85 86 /// \brief Get the value of arbitrary expressions at this point in the path. 87 SVal getSVal(const Stmt *S) const { 88 return getState()->getSVal(S, getLocationContext()); 89 } 90 91 typedef SmallVectorImpl<const MemRegion *> RegionList; 92 93 /// \brief Used to specify non-argument regions that will be invalidated as a 94 /// result of this call. 95 virtual void getExtraInvalidatedRegions(RegionList &Regions) const {} 96 97 virtual QualType getDeclaredResultType() const = 0; 98 99public: 100 virtual ~CallEvent() {} 101 102 /// \brief Returns the kind of call this is. 103 virtual Kind getKind() const = 0; 104 105 /// \brief Returns the declaration of the function or method that will be 106 /// called. May be null. 107 virtual const Decl *getDecl() const { 108 return Origin.dyn_cast<const Decl *>(); 109 } 110 111 /// \brief Returns the definition of the function or method that will be 112 /// called. Returns NULL if the definition cannot be found; ex: due to 113 /// dynamic dispatch in ObjC methods. 114 virtual const Decl *getRuntimeDefinition() const = 0; 115 116 /// \brief Returns the expression whose value will be the result of this call. 117 /// May be null. 118 const Expr *getOriginExpr() const { 119 return Origin.dyn_cast<const Expr *>(); 120 } 121 122 /// \brief Returns the number of arguments (explicit and implicit). 123 /// 124 /// Note that this may be greater than the number of parameters in the 125 /// callee's declaration, and that it may include arguments not written in 126 /// the source. 127 virtual unsigned getNumArgs() const = 0; 128 129 /// \brief Returns true if the callee is known to be from a system header. 130 bool isInSystemHeader() const { 131 const Decl *D = getDecl(); 132 if (!D) 133 return false; 134 135 SourceLocation Loc = D->getLocation(); 136 if (Loc.isValid()) { 137 const SourceManager &SM = 138 getState()->getStateManager().getContext().getSourceManager(); 139 return SM.isInSystemHeader(D->getLocation()); 140 } 141 142 // Special case for implicitly-declared global operator new/delete. 143 // These should be considered system functions. 144 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) 145 return FD->isOverloadedOperator() && FD->isImplicit() && FD->isGlobal(); 146 147 return false; 148 } 149 150 /// \brief Returns a source range for the entire call, suitable for 151 /// outputting in diagnostics. 152 virtual SourceRange getSourceRange() const { 153 return getOriginExpr()->getSourceRange(); 154 } 155 156 /// \brief Returns the value of a given argument at the time of the call. 157 virtual SVal getArgSVal(unsigned Index) const; 158 159 /// \brief Returns the expression associated with a given argument. 160 /// May be null if this expression does not appear in the source. 161 virtual const Expr *getArgExpr(unsigned Index) const { return 0; } 162 163 /// \brief Returns the source range for errors associated with this argument. 164 /// 165 /// May be invalid if the argument is not written in the source. 166 virtual SourceRange getArgSourceRange(unsigned Index) const; 167 168 /// \brief Returns the result type, adjusted for references. 169 QualType getResultType() const; 170 171 /// \brief Returns the value of the implicit 'this' object, or UndefinedVal if 172 /// this is not a C++ member function call. 173 virtual SVal getCXXThisVal() const { 174 return UndefinedVal(); 175 } 176 177 /// \brief Returns true if any of the arguments appear to represent callbacks. 178 bool hasNonZeroCallbackArg() const; 179 180 /// \brief Returns true if any of the arguments are known to escape to long- 181 /// term storage, even if this method will not modify them. 182 // NOTE: The exact semantics of this are still being defined! 183 // We don't really want a list of hardcoded exceptions in the long run, 184 // but we don't want duplicated lists of known APIs in the short term either. 185 virtual bool argumentsMayEscape() const { 186 return hasNonZeroCallbackArg(); 187 } 188 189 /// \brief Returns an appropriate ProgramPoint for this call. 190 ProgramPoint getProgramPoint(bool IsPreVisit = false, 191 const ProgramPointTag *Tag = 0) const; 192 193 /// \brief Returns a new state with all argument regions invalidated. 194 /// 195 /// This accepts an alternate state in case some processing has already 196 /// occurred. 197 ProgramStateRef invalidateRegions(unsigned BlockCount, 198 ProgramStateRef Orig = 0) const; 199 200 /// \brief Returns true if this is a statement that can be considered for 201 /// inlining. 202 /// 203 /// FIXME: This should go away once CallEvents are cheap and easy to 204 /// construct from ExplodedNodes. 205 static bool mayBeInlined(const Stmt *S); 206 207 // Iterator access to formal parameters and their types. 208private: 209 typedef std::const_mem_fun_t<QualType, ParmVarDecl> get_type_fun; 210 211public: 212 typedef const ParmVarDecl * const *param_iterator; 213 214 /// Returns an iterator over the call's formal parameters. 215 /// 216 /// If UseDefinitionParams is set, this will return the parameter decls 217 /// used in the callee's definition (suitable for inlining). Most of the 218 /// time it is better to use the decl found by name lookup, which likely 219 /// carries more annotations. 220 /// 221 /// Remember that the number of formal parameters may not match the number 222 /// of arguments for all calls. However, the first parameter will always 223 /// correspond with the argument value returned by \c getArgSVal(0). 224 /// 225 /// If the call has no accessible declaration (or definition, if 226 /// \p UseDefinitionParams is set), \c param_begin() will be equal to 227 /// \c param_end(). 228 virtual param_iterator param_begin(bool UseDefinitionParams = false) const =0; 229 /// \sa param_begin() 230 virtual param_iterator param_end(bool UseDefinitionParams = false) const = 0; 231 232 typedef llvm::mapped_iterator<param_iterator, get_type_fun> 233 param_type_iterator; 234 235 /// Returns an iterator over the types of the call's formal parameters. 236 /// 237 /// This uses the callee decl found by default name lookup rather than the 238 /// definition because it represents a public interface, and probably has 239 /// more annotations. 240 param_type_iterator param_type_begin() const { 241 return llvm::map_iterator(param_begin(), 242 get_type_fun(&ParmVarDecl::getType)); 243 } 244 /// \sa param_type_begin() 245 param_type_iterator param_type_end() const { 246 return llvm::map_iterator(param_end(), get_type_fun(&ParmVarDecl::getType)); 247 } 248 249 // For debugging purposes only 250 void dump(raw_ostream &Out) const; 251 LLVM_ATTRIBUTE_USED void dump() const { dump(llvm::errs()); } 252 253 static bool classof(const CallEvent *) { return true; } 254}; 255 256 257/// \brief Represents a call to any sort of function that might have a 258/// FunctionDecl. 259class AnyFunctionCall : public CallEvent { 260protected: 261 AnyFunctionCall(const Expr *E, ProgramStateRef St, 262 const LocationContext *LCtx) 263 : CallEvent(E, St, LCtx) {} 264 AnyFunctionCall(const Decl *D, ProgramStateRef St, 265 const LocationContext *LCtx) 266 : CallEvent(D, St, LCtx) {} 267 268 virtual QualType getDeclaredResultType() const; 269 270public: 271 // This function is overridden by subclasses, but they must return 272 // a FunctionDecl. 273 virtual const FunctionDecl *getDecl() const { 274 return cast<FunctionDecl>(CallEvent::getDecl()); 275 } 276 277 virtual const Decl *getRuntimeDefinition() const { 278 const FunctionDecl *FD = getDecl(); 279 // Note that hasBody() will fill FD with the definition FunctionDecl. 280 if (FD && FD->hasBody(FD)) 281 return FD; 282 return 0; 283 } 284 285 virtual bool argumentsMayEscape() const; 286 287 virtual param_iterator param_begin(bool UseDefinitionParams = false) const; 288 virtual param_iterator param_end(bool UseDefinitionParams = false) const; 289 290 static bool classof(const CallEvent *CA) { 291 return CA->getKind() >= CE_BEG_FUNCTION_CALLS && 292 CA->getKind() <= CE_END_FUNCTION_CALLS; 293 } 294}; 295 296/// \brief Represents a call to a written as a CallExpr. 297class SimpleCall : public AnyFunctionCall { 298protected: 299 SimpleCall(const CallExpr *CE, ProgramStateRef St, 300 const LocationContext *LCtx) 301 : AnyFunctionCall(CE, St, LCtx) { 302 } 303 304public: 305 virtual const CallExpr *getOriginExpr() const { 306 return cast<CallExpr>(AnyFunctionCall::getOriginExpr()); 307 } 308 309 virtual const FunctionDecl *getDecl() const; 310 311 virtual unsigned getNumArgs() const { return getOriginExpr()->getNumArgs(); } 312 313 virtual const Expr *getArgExpr(unsigned Index) const { 314 return getOriginExpr()->getArg(Index); 315 } 316 317 static bool classof(const CallEvent *CA) { 318 return CA->getKind() >= CE_BEG_SIMPLE_CALLS && 319 CA->getKind() <= CE_END_SIMPLE_CALLS; 320 } 321}; 322 323/// \brief Represents a C function or static C++ member function call. 324/// 325/// Example: \c fun() 326class FunctionCall : public SimpleCall { 327public: 328 FunctionCall(const CallExpr *CE, ProgramStateRef St, 329 const LocationContext *LCtx) 330 : SimpleCall(CE, St, LCtx) {} 331 332 virtual Kind getKind() const { return CE_Function; } 333 334 static bool classof(const CallEvent *CA) { 335 return CA->getKind() == CE_Function; 336 } 337}; 338 339/// \brief Represents a non-static C++ member function call, no matter how 340/// it is written. 341class CXXInstanceCall : public SimpleCall { 342protected: 343 virtual void getExtraInvalidatedRegions(RegionList &Regions) const; 344 345 CXXInstanceCall(const CallExpr *CE, ProgramStateRef St, 346 const LocationContext *LCtx) 347 : SimpleCall(CE, St, LCtx) {} 348 349public: 350 virtual const Decl *getRuntimeDefinition() const; 351 352 static bool classof(const CallEvent *CA) { 353 return CA->getKind() >= CE_BEG_CXX_INSTANCE_CALLS && 354 CA->getKind() <= CE_END_CXX_INSTANCE_CALLS; 355 } 356}; 357 358/// \brief Represents a non-static C++ member function call. 359/// 360/// Example: \c obj.fun() 361class CXXMemberCall : public CXXInstanceCall { 362public: 363 CXXMemberCall(const CXXMemberCallExpr *CE, ProgramStateRef St, 364 const LocationContext *LCtx) 365 : CXXInstanceCall(CE, St, LCtx) {} 366 367 virtual const CXXMemberCallExpr *getOriginExpr() const { 368 return cast<CXXMemberCallExpr>(SimpleCall::getOriginExpr()); 369 } 370 371 virtual SVal getCXXThisVal() const; 372 373 virtual Kind getKind() const { return CE_CXXMember; } 374 375 static bool classof(const CallEvent *CA) { 376 return CA->getKind() == CE_CXXMember; 377 } 378}; 379 380/// \brief Represents a C++ overloaded operator call where the operator is 381/// implemented as a non-static member function. 382/// 383/// Example: <tt>iter + 1</tt> 384class CXXMemberOperatorCall : public CXXInstanceCall { 385public: 386 CXXMemberOperatorCall(const CXXOperatorCallExpr *CE, ProgramStateRef St, 387 const LocationContext *LCtx) 388 : CXXInstanceCall(CE, St, LCtx) {} 389 390 virtual const CXXOperatorCallExpr *getOriginExpr() const { 391 return cast<CXXOperatorCallExpr>(SimpleCall::getOriginExpr()); 392 } 393 394 virtual unsigned getNumArgs() const { 395 return getOriginExpr()->getNumArgs() - 1; 396 } 397 virtual const Expr *getArgExpr(unsigned Index) const { 398 return getOriginExpr()->getArg(Index + 1); 399 } 400 401 virtual SVal getCXXThisVal() const; 402 403 virtual Kind getKind() const { return CE_CXXMemberOperator; } 404 405 static bool classof(const CallEvent *CA) { 406 return CA->getKind() == CE_CXXMemberOperator; 407 } 408}; 409 410/// \brief Represents a call to a block. 411/// 412/// Example: <tt>^{ /* ... */ }()</tt> 413class BlockCall : public SimpleCall { 414protected: 415 virtual void getExtraInvalidatedRegions(RegionList &Regions) const; 416 417 virtual QualType getDeclaredResultType() const; 418 419public: 420 BlockCall(const CallExpr *CE, ProgramStateRef St, 421 const LocationContext *LCtx) 422 : SimpleCall(CE, St, LCtx) {} 423 424 /// \brief Returns the region associated with this instance of the block. 425 /// 426 /// This may be NULL if the block's origin is unknown. 427 const BlockDataRegion *getBlockRegion() const; 428 429 /// \brief Gets the declaration of the block. 430 /// 431 /// This is not an override of getDecl() because AnyFunctionCall has already 432 /// assumed that it's a FunctionDecl. 433 const BlockDecl *getBlockDecl() const { 434 const BlockDataRegion *BR = getBlockRegion(); 435 if (!BR) 436 return 0; 437 return BR->getDecl(); 438 } 439 440 virtual const Decl *getRuntimeDefinition() const { 441 return getBlockDecl(); 442 } 443 444 virtual param_iterator param_begin(bool UseDefinitionParams = false) const; 445 virtual param_iterator param_end(bool UseDefinitionParams = false) const; 446 447 virtual Kind getKind() const { return CE_Block; } 448 449 static bool classof(const CallEvent *CA) { 450 return CA->getKind() == CE_Block; 451 } 452}; 453 454/// \brief Represents a call to a C++ constructor. 455/// 456/// Example: \c T(1) 457class CXXConstructorCall : public AnyFunctionCall { 458protected: 459 virtual void getExtraInvalidatedRegions(RegionList &Regions) const; 460 461public: 462 /// Represents a constructor call to a new or unknown region. 463 CXXConstructorCall(const CXXConstructExpr *CE, ProgramStateRef St, 464 const LocationContext *LCtx) 465 : AnyFunctionCall(CE, St, LCtx) { 466 Data = 0; 467 } 468 469 /// Represents a constructor call on an existing object region. 470 CXXConstructorCall(const CXXConstructExpr *CE, const MemRegion *target, 471 ProgramStateRef St, const LocationContext *LCtx) 472 : AnyFunctionCall(CE, St, LCtx) { 473 Data = target; 474 } 475 476 virtual const CXXConstructExpr *getOriginExpr() const { 477 return cast<CXXConstructExpr>(AnyFunctionCall::getOriginExpr()); 478 } 479 480 virtual const CXXConstructorDecl *getDecl() const { 481 return getOriginExpr()->getConstructor(); 482 } 483 484 virtual unsigned getNumArgs() const { return getOriginExpr()->getNumArgs(); } 485 486 virtual const Expr *getArgExpr(unsigned Index) const { 487 return getOriginExpr()->getArg(Index); 488 } 489 490 virtual SVal getCXXThisVal() const; 491 492 virtual Kind getKind() const { return CE_CXXConstructor; } 493 494 static bool classof(const CallEvent *CA) { 495 return CA->getKind() == CE_CXXConstructor; 496 } 497}; 498 499/// \brief Represents an implicit call to a C++ destructor. 500/// 501/// This can occur at the end of a scope (for automatic objects), at the end 502/// of a full-expression (for temporaries), or as part of a delete. 503class CXXDestructorCall : public AnyFunctionCall { 504protected: 505 virtual void getExtraInvalidatedRegions(RegionList &Regions) const; 506 507public: 508 /// Creates an implicit destructor. 509 /// 510 /// \param DD The destructor that will be called. 511 /// \param Trigger The statement whose completion causes this destructor call. 512 /// \param Target The object region to be destructed. 513 /// \param St The path-sensitive state at this point in the program. 514 /// \param LCtx The location context at this point in the program. 515 CXXDestructorCall(const CXXDestructorDecl *DD, const Stmt *Trigger, 516 const MemRegion *Target, ProgramStateRef St, 517 const LocationContext *LCtx) 518 : AnyFunctionCall(DD, St, LCtx) { 519 Data = Target; 520 Location = Trigger->getLocEnd(); 521 } 522 523 virtual SourceRange getSourceRange() const { return Location; } 524 virtual unsigned getNumArgs() const { return 0; } 525 526 virtual SVal getCXXThisVal() const; 527 virtual const Decl *getRuntimeDefinition() const; 528 529 virtual Kind getKind() const { return CE_CXXDestructor; } 530 531 static bool classof(const CallEvent *CA) { 532 return CA->getKind() == CE_CXXDestructor; 533 } 534}; 535 536/// \brief Represents the memory allocation call in a C++ new-expression. 537/// 538/// This is a call to "operator new". 539class CXXAllocatorCall : public AnyFunctionCall { 540public: 541 CXXAllocatorCall(const CXXNewExpr *E, ProgramStateRef St, 542 const LocationContext *LCtx) 543 : AnyFunctionCall(E, St, LCtx) {} 544 545 virtual const CXXNewExpr *getOriginExpr() const { 546 return cast<CXXNewExpr>(AnyFunctionCall::getOriginExpr()); 547 } 548 549 virtual const FunctionDecl *getDecl() const { 550 return getOriginExpr()->getOperatorNew(); 551 } 552 553 virtual unsigned getNumArgs() const { 554 return getOriginExpr()->getNumPlacementArgs() + 1; 555 } 556 557 virtual const Expr *getArgExpr(unsigned Index) const { 558 // The first argument of an allocator call is the size of the allocation. 559 if (Index == 0) 560 return 0; 561 return getOriginExpr()->getPlacementArg(Index - 1); 562 } 563 564 virtual Kind getKind() const { return CE_CXXAllocator; } 565 566 static bool classof(const CallEvent *CE) { 567 return CE->getKind() == CE_CXXAllocator; 568 } 569}; 570 571/// \brief Represents the ways an Objective-C message send can occur. 572// 573// Note to maintainers: OCM_Message should always be last, since it does not 574// need to fit in the Data field's low bits. 575enum ObjCMessageKind { 576 OCM_PropertyAccess, 577 OCM_Subscript, 578 OCM_Message 579}; 580 581/// \brief Represents any expression that calls an Objective-C method. 582/// 583/// This includes all of the kinds listed in ObjCMessageKind. 584class ObjCMethodCall : public CallEvent { 585 const PseudoObjectExpr *getContainingPseudoObjectExpr() const; 586 587protected: 588 virtual void getExtraInvalidatedRegions(RegionList &Regions) const; 589 590 virtual QualType getDeclaredResultType() const; 591 ObjCMethodDecl *LookupClassMethodDefinition(Selector Sel, 592 ObjCInterfaceDecl *ClassDecl) const; 593 594public: 595 ObjCMethodCall(const ObjCMessageExpr *Msg, ProgramStateRef St, 596 const LocationContext *LCtx) 597 : CallEvent(Msg, St, LCtx) { 598 Data = 0; 599 } 600 601 virtual const ObjCMessageExpr *getOriginExpr() const { 602 return cast<ObjCMessageExpr>(CallEvent::getOriginExpr()); 603 } 604 virtual const ObjCMethodDecl *getDecl() const { 605 return getOriginExpr()->getMethodDecl(); 606 } 607 virtual unsigned getNumArgs() const { 608 return getOriginExpr()->getNumArgs(); 609 } 610 virtual const Expr *getArgExpr(unsigned Index) const { 611 return getOriginExpr()->getArg(Index); 612 } 613 614 bool isInstanceMessage() const { 615 return getOriginExpr()->isInstanceMessage(); 616 } 617 ObjCMethodFamily getMethodFamily() const { 618 return getOriginExpr()->getMethodFamily(); 619 } 620 Selector getSelector() const { 621 return getOriginExpr()->getSelector(); 622 } 623 624 virtual SourceRange getSourceRange() const; 625 626 /// \brief Returns the value of the receiver at the time of this call. 627 SVal getReceiverSVal() const; 628 629 /// \brief Get the interface for the receiver. 630 /// 631 /// This works whether this is an instance message or a class message. 632 /// However, it currently just uses the static type of the receiver. 633 const ObjCInterfaceDecl *getReceiverInterface() const { 634 return getOriginExpr()->getReceiverInterface(); 635 } 636 637 ObjCMessageKind getMessageKind() const; 638 639 bool isSetter() const { 640 switch (getMessageKind()) { 641 case OCM_Message: 642 llvm_unreachable("This is not a pseudo-object access!"); 643 case OCM_PropertyAccess: 644 return getNumArgs() > 0; 645 case OCM_Subscript: 646 return getNumArgs() > 1; 647 } 648 llvm_unreachable("Unknown message kind"); 649 } 650 651 // TODO: We might want to only compute this once (or change the API for 652 // getting the parameters). Currently, this gets called 3 times during 653 // inlining. 654 virtual const Decl *getRuntimeDefinition() const { 655 656 const ObjCMessageExpr *E = getOriginExpr(); 657 if (E->isInstanceMessage()) { 658 return 0; 659 } else { 660 // This is a calss method. 661 // If we have type info for the receiver class, we are calling via 662 // class name. 663 if (ObjCInterfaceDecl *IDecl = E->getReceiverInterface()) { 664 return LookupClassMethodDefinition(E->getSelector(), IDecl); 665 } 666 } 667 668 return 0; 669 } 670 671 virtual param_iterator param_begin(bool UseDefinitionParams = false) const; 672 virtual param_iterator param_end(bool UseDefinitionParams = false) const; 673 674 virtual Kind getKind() const { return CE_ObjCMessage; } 675 676 static bool classof(const CallEvent *CA) { 677 return CA->getKind() == CE_ObjCMessage; 678 } 679}; 680 681} // end namespace ento 682} // end namespace clang 683 684#endif 685