1 //===-- IteratorChecker.cpp ---------------------------------------*- C++ -*--//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // Defines a checker for using iterators outside their range (past end). Usage
11 // means here dereferencing, incrementing etc.
13 //===----------------------------------------------------------------------===//
15 // In the code, iterator can be represented as a:
16 // * type-I: typedef-ed pointer. Operations over such iterator, such as
17 // comparisons or increments, are modeled straightforwardly by the
19 // * type-II: structure with its method bodies available. Operations over such
20 // iterator are inlined by the analyzer, and results of modeling
21 // these operations are exposing implementation details of the
22 // iterators, which is not necessarily helping.
23 // * type-III: completely opaque structure. Operations over such iterator are
24 // modeled conservatively, producing conjured symbols everywhere.
26 // To handle all these types in a common way we introduce a structure called
27 // IteratorPosition which is an abstraction of the position the iterator
28 // represents using symbolic expressions. The checker handles all the
29 // operations on this structure.
31 // Additionally, depending on the circumstances, operators of types II and III
32 // can be represented as:
33 // * type-IIa, type-IIIa: conjured structure symbols - when returned by value
34 // from conservatively evaluated methods such as
36 // * type-IIb, type-IIIb: memory regions of iterator-typed objects, such as
37 // variables or temporaries, when the iterator object is
38 // currently treated as an lvalue.
39 // * type-IIc, type-IIIc: compound values of iterator-typed objects, when the
40 // iterator object is treated as an rvalue taken of a
41 // particular lvalue, eg. a copy of "type-a" iterator
42 // object, or an iterator that existed before the
43 // analysis has started.
45 // To handle any of these three different representations stored in an SVal we
46 // use setter and getters functions which separate the three cases. To store
47 // them we use a pointer union of symbol and memory region.
49 // The checker works the following way: We record the begin and the
50 // past-end iterator for all containers whenever their `.begin()` and `.end()`
51 // are called. Since the Constraint Manager cannot handle such SVals we need
52 // to take over its role. We post-check equality and non-equality comparisons
53 // and record that the two sides are equal if we are in the 'equal' branch
54 // (true-branch for `==` and false-branch for `!=`).
56 // In case of type-I or type-II iterators we get a concrete integer as a result
57 // of the comparison (1 or 0) but in case of type-III we only get a Symbol. In
58 // this latter case we record the symbol and reload it in evalAssume() and do
59 // the propagation there. We also handle (maybe double) negated comparisons
60 // which are represented in the form of (x == 0 or x != 0) where x is the
63 // Since `SimpleConstraintManager` cannot handle complex symbolic expressions
64 // we only use expressions of the format S, S+n or S-n for iterator positions
65 // where S is a conjured symbol and n is an unsigned concrete integer. When
66 // making an assumption e.g. `S1 + n == S2 + m` we store `S1 - S2 == m - n` as
67 // a constraint which we later retrieve when doing an actual comparison.
69 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
70 #include "clang/AST/DeclTemplate.h"
71 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
72 #include "clang/StaticAnalyzer/Core/Checker.h"
73 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
74 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
75 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h"
79 using namespace clang;
84 // Abstract position of an iterator. This helps to handle all three kinds
85 // of operators in a common way by using a symbolic position.
86 struct IteratorPosition {
89 // Container the iterator belongs to
90 const MemRegion *Cont;
92 // Whether iterator is valid
96 const SymbolRef Offset;
98 IteratorPosition(const MemRegion *C, bool V, SymbolRef Of)
99 : Cont(C), Valid(V), Offset(Of) {}
102 const MemRegion *getContainer() const { return Cont; }
103 bool isValid() const { return Valid; }
104 SymbolRef getOffset() const { return Offset; }
106 IteratorPosition invalidate() const {
107 return IteratorPosition(Cont, false, Offset);
110 static IteratorPosition getPosition(const MemRegion *C, SymbolRef Of) {
111 return IteratorPosition(C, true, Of);
114 IteratorPosition setTo(SymbolRef NewOf) const {
115 return IteratorPosition(Cont, Valid, NewOf);
118 IteratorPosition reAssign(const MemRegion *NewCont) const {
119 return IteratorPosition(NewCont, Valid, Offset);
122 bool operator==(const IteratorPosition &X) const {
123 return Cont == X.Cont && Valid == X.Valid && Offset == X.Offset;
126 bool operator!=(const IteratorPosition &X) const {
127 return Cont != X.Cont || Valid != X.Valid || Offset != X.Offset;
130 void Profile(llvm::FoldingSetNodeID &ID) const {
132 ID.AddInteger(Valid);
137 typedef llvm::PointerUnion<const MemRegion *, SymbolRef> RegionOrSymbol;
139 // Structure to record the symbolic begin and end position of a container
140 struct ContainerData {
142 const SymbolRef Begin, End;
144 ContainerData(SymbolRef B, SymbolRef E) : Begin(B), End(E) {}
147 static ContainerData fromBegin(SymbolRef B) {
148 return ContainerData(B, nullptr);
151 static ContainerData fromEnd(SymbolRef E) {
152 return ContainerData(nullptr, E);
155 SymbolRef getBegin() const { return Begin; }
156 SymbolRef getEnd() const { return End; }
158 ContainerData newBegin(SymbolRef B) const { return ContainerData(B, End); }
160 ContainerData newEnd(SymbolRef E) const { return ContainerData(Begin, E); }
162 bool operator==(const ContainerData &X) const {
163 return Begin == X.Begin && End == X.End;
166 bool operator!=(const ContainerData &X) const {
167 return Begin != X.Begin || End != X.End;
170 void Profile(llvm::FoldingSetNodeID &ID) const {
176 // Structure fo recording iterator comparisons. We needed to retrieve the
177 // original comparison expression in assumptions.
178 struct IteratorComparison {
180 RegionOrSymbol Left, Right;
184 IteratorComparison(RegionOrSymbol L, RegionOrSymbol R, bool Eq)
185 : Left(L), Right(R), Equality(Eq) {}
187 RegionOrSymbol getLeft() const { return Left; }
188 RegionOrSymbol getRight() const { return Right; }
189 bool isEquality() const { return Equality; }
190 bool operator==(const IteratorComparison &X) const {
191 return Left == X.Left && Right == X.Right && Equality == X.Equality;
193 bool operator!=(const IteratorComparison &X) const {
194 return Left != X.Left || Right != X.Right || Equality != X.Equality;
196 void Profile(llvm::FoldingSetNodeID &ID) const { ID.AddInteger(Equality); }
199 class IteratorChecker
200 : public Checker<check::PreCall, check::PostCall,
201 check::PostStmt<MaterializeTemporaryExpr>, check::Bind,
202 check::LiveSymbols, check::DeadSymbols,
205 std::unique_ptr<BugType> OutOfRangeBugType;
206 std::unique_ptr<BugType> MismatchedBugType;
207 std::unique_ptr<BugType> InvalidatedBugType;
209 void handleComparison(CheckerContext &C, const SVal &RetVal, const SVal &LVal,
210 const SVal &RVal, OverloadedOperatorKind Op) const;
211 void verifyAccess(CheckerContext &C, const SVal &Val) const;
212 void verifyDereference(CheckerContext &C, const SVal &Val) const;
213 void handleIncrement(CheckerContext &C, const SVal &RetVal, const SVal &Iter,
215 void handleDecrement(CheckerContext &C, const SVal &RetVal, const SVal &Iter,
217 void handleRandomIncrOrDecr(CheckerContext &C, OverloadedOperatorKind Op,
218 const SVal &RetVal, const SVal &LHS,
219 const SVal &RHS) const;
220 void handleBegin(CheckerContext &C, const Expr *CE, const SVal &RetVal,
221 const SVal &Cont) const;
222 void handleEnd(CheckerContext &C, const Expr *CE, const SVal &RetVal,
223 const SVal &Cont) const;
224 void assignToContainer(CheckerContext &C, const Expr *CE, const SVal &RetVal,
225 const MemRegion *Cont) const;
226 void handleAssign(CheckerContext &C, const SVal &Cont,
227 const Expr *CE = nullptr,
228 const SVal &OldCont = UndefinedVal()) const;
229 void handleClear(CheckerContext &C, const SVal &Cont) const;
230 void handlePushBack(CheckerContext &C, const SVal &Cont) const;
231 void handlePopBack(CheckerContext &C, const SVal &Cont) const;
232 void handlePushFront(CheckerContext &C, const SVal &Cont) const;
233 void handlePopFront(CheckerContext &C, const SVal &Cont) const;
234 void handleInsert(CheckerContext &C, const SVal &Iter) const;
235 void handleErase(CheckerContext &C, const SVal &Iter) const;
236 void handleErase(CheckerContext &C, const SVal &Iter1,
237 const SVal &Iter2) const;
238 void handleEraseAfter(CheckerContext &C, const SVal &Iter) const;
239 void handleEraseAfter(CheckerContext &C, const SVal &Iter1,
240 const SVal &Iter2) const;
241 void verifyIncrement(CheckerContext &C, const SVal &Iter) const;
242 void verifyDecrement(CheckerContext &C, const SVal &Iter) const;
243 void verifyRandomIncrOrDecr(CheckerContext &C, OverloadedOperatorKind Op,
244 const SVal &LHS, const SVal &RHS) const;
245 void verifyMatch(CheckerContext &C, const SVal &Iter,
246 const MemRegion *Cont) const;
247 void verifyMatch(CheckerContext &C, const SVal &Iter1,
248 const SVal &Iter2) const;
249 IteratorPosition advancePosition(CheckerContext &C, OverloadedOperatorKind Op,
250 const IteratorPosition &Pos,
251 const SVal &Distance) const;
252 void reportOutOfRangeBug(const StringRef &Message, const SVal &Val,
253 CheckerContext &C, ExplodedNode *ErrNode) const;
254 void reportMismatchedBug(const StringRef &Message, const SVal &Val1,
255 const SVal &Val2, CheckerContext &C,
256 ExplodedNode *ErrNode) const;
257 void reportMismatchedBug(const StringRef &Message, const SVal &Val,
258 const MemRegion *Reg, CheckerContext &C,
259 ExplodedNode *ErrNode) const;
260 void reportInvalidatedBug(const StringRef &Message, const SVal &Val,
261 CheckerContext &C, ExplodedNode *ErrNode) const;
267 CK_IteratorRangeChecker,
268 CK_MismatchedIteratorChecker,
269 CK_InvalidatedIteratorChecker,
273 DefaultBool ChecksEnabled[CK_NumCheckKinds];
274 CheckName CheckNames[CK_NumCheckKinds];
276 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
277 void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
278 void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &C) const;
279 void checkPostStmt(const CXXConstructExpr *CCE, CheckerContext &C) const;
280 void checkPostStmt(const DeclStmt *DS, CheckerContext &C) const;
281 void checkPostStmt(const MaterializeTemporaryExpr *MTE,
282 CheckerContext &C) const;
283 void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const;
284 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
285 ProgramStateRef evalAssume(ProgramStateRef State, SVal Cond,
286 bool Assumption) const;
290 REGISTER_MAP_WITH_PROGRAMSTATE(IteratorSymbolMap, SymbolRef, IteratorPosition)
291 REGISTER_MAP_WITH_PROGRAMSTATE(IteratorRegionMap, const MemRegion *,
294 REGISTER_MAP_WITH_PROGRAMSTATE(ContainerMap, const MemRegion *, ContainerData)
296 REGISTER_MAP_WITH_PROGRAMSTATE(IteratorComparisonMap, const SymExpr *,
301 bool isIteratorType(const QualType &Type);
302 bool isIterator(const CXXRecordDecl *CRD);
303 bool isComparisonOperator(OverloadedOperatorKind OK);
304 bool isBeginCall(const FunctionDecl *Func);
305 bool isEndCall(const FunctionDecl *Func);
306 bool isAssignCall(const FunctionDecl *Func);
307 bool isClearCall(const FunctionDecl *Func);
308 bool isPushBackCall(const FunctionDecl *Func);
309 bool isEmplaceBackCall(const FunctionDecl *Func);
310 bool isPopBackCall(const FunctionDecl *Func);
311 bool isPushFrontCall(const FunctionDecl *Func);
312 bool isEmplaceFrontCall(const FunctionDecl *Func);
313 bool isPopFrontCall(const FunctionDecl *Func);
314 bool isInsertCall(const FunctionDecl *Func);
315 bool isEraseCall(const FunctionDecl *Func);
316 bool isEraseAfterCall(const FunctionDecl *Func);
317 bool isEmplaceCall(const FunctionDecl *Func);
318 bool isAssignmentOperator(OverloadedOperatorKind OK);
319 bool isSimpleComparisonOperator(OverloadedOperatorKind OK);
320 bool isAccessOperator(OverloadedOperatorKind OK);
321 bool isDereferenceOperator(OverloadedOperatorKind OK);
322 bool isIncrementOperator(OverloadedOperatorKind OK);
323 bool isDecrementOperator(OverloadedOperatorKind OK);
324 bool isRandomIncrOrDecrOperator(OverloadedOperatorKind OK);
325 bool hasSubscriptOperator(ProgramStateRef State, const MemRegion *Reg);
326 bool frontModifiable(ProgramStateRef State, const MemRegion *Reg);
327 bool backModifiable(ProgramStateRef State, const MemRegion *Reg);
328 BinaryOperator::Opcode getOpcode(const SymExpr *SE);
329 const RegionOrSymbol getRegionOrSymbol(const SVal &Val);
330 const ProgramStateRef processComparison(ProgramStateRef State,
332 RegionOrSymbol RVal, bool Equal);
333 const ProgramStateRef saveComparison(ProgramStateRef State,
334 const SymExpr *Condition, const SVal &LVal,
335 const SVal &RVal, bool Eq);
336 const IteratorComparison *loadComparison(ProgramStateRef State,
337 const SymExpr *Condition);
338 SymbolRef getContainerBegin(ProgramStateRef State, const MemRegion *Cont);
339 SymbolRef getContainerEnd(ProgramStateRef State, const MemRegion *Cont);
340 ProgramStateRef createContainerBegin(ProgramStateRef State,
341 const MemRegion *Cont,
342 const SymbolRef Sym);
343 ProgramStateRef createContainerEnd(ProgramStateRef State, const MemRegion *Cont,
344 const SymbolRef Sym);
345 const IteratorPosition *getIteratorPosition(ProgramStateRef State,
347 const IteratorPosition *getIteratorPosition(ProgramStateRef State,
348 RegionOrSymbol RegOrSym);
349 ProgramStateRef setIteratorPosition(ProgramStateRef State, const SVal &Val,
350 const IteratorPosition &Pos);
351 ProgramStateRef setIteratorPosition(ProgramStateRef State,
352 RegionOrSymbol RegOrSym,
353 const IteratorPosition &Pos);
354 ProgramStateRef removeIteratorPosition(ProgramStateRef State, const SVal &Val);
355 ProgramStateRef adjustIteratorPosition(ProgramStateRef State,
356 RegionOrSymbol RegOrSym,
357 const IteratorPosition &Pos, bool Equal);
358 ProgramStateRef relateIteratorPositions(ProgramStateRef State,
359 const IteratorPosition &Pos1,
360 const IteratorPosition &Pos2,
362 ProgramStateRef invalidateAllIteratorPositions(ProgramStateRef State,
363 const MemRegion *Cont);
365 invalidateAllIteratorPositionsExcept(ProgramStateRef State,
366 const MemRegion *Cont, SymbolRef Offset,
367 BinaryOperator::Opcode Opc);
368 ProgramStateRef invalidateIteratorPositions(ProgramStateRef State,
370 BinaryOperator::Opcode Opc);
371 ProgramStateRef invalidateIteratorPositions(ProgramStateRef State,
373 BinaryOperator::Opcode Opc1,
375 BinaryOperator::Opcode Opc2);
376 ProgramStateRef reassignAllIteratorPositions(ProgramStateRef State,
377 const MemRegion *Cont,
378 const MemRegion *NewCont);
379 ProgramStateRef reassignAllIteratorPositionsUnless(ProgramStateRef State,
380 const MemRegion *Cont,
381 const MemRegion *NewCont,
383 BinaryOperator::Opcode Opc);
384 ProgramStateRef rebaseSymbolInIteratorPositionsIf(
385 ProgramStateRef State, SValBuilder &SVB, SymbolRef OldSym,
386 SymbolRef NewSym, SymbolRef CondSym, BinaryOperator::Opcode Opc);
387 const ContainerData *getContainerData(ProgramStateRef State,
388 const MemRegion *Cont);
389 ProgramStateRef setContainerData(ProgramStateRef State, const MemRegion *Cont,
390 const ContainerData &CData);
391 bool hasLiveIterators(ProgramStateRef State, const MemRegion *Cont);
392 bool isBoundThroughLazyCompoundVal(const Environment &Env,
393 const MemRegion *Reg);
394 bool isPastTheEnd(ProgramStateRef State, const IteratorPosition &Pos);
395 bool isAheadOfRange(ProgramStateRef State, const IteratorPosition &Pos);
396 bool isBehindPastTheEnd(ProgramStateRef State, const IteratorPosition &Pos);
397 bool isZero(ProgramStateRef State, const NonLoc &Val);
400 IteratorChecker::IteratorChecker() {
401 OutOfRangeBugType.reset(
402 new BugType(this, "Iterator out of range", "Misuse of STL APIs"));
403 OutOfRangeBugType->setSuppressOnSink(true);
404 MismatchedBugType.reset(
405 new BugType(this, "Iterator(s) mismatched", "Misuse of STL APIs"));
406 MismatchedBugType->setSuppressOnSink(true);
407 InvalidatedBugType.reset(
408 new BugType(this, "Iterator invalidated", "Misuse of STL APIs"));
409 InvalidatedBugType->setSuppressOnSink(true);
412 void IteratorChecker::checkPreCall(const CallEvent &Call,
413 CheckerContext &C) const {
414 // Check for out of range access or access of invalidated position and
415 // iterator mismatches
416 const auto *Func = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
420 if (Func->isOverloadedOperator()) {
421 if (ChecksEnabled[CK_InvalidatedIteratorChecker] &&
422 isAccessOperator(Func->getOverloadedOperator())) {
423 // Check for any kind of access of invalidated iterator positions
424 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
425 verifyAccess(C, InstCall->getCXXThisVal());
427 verifyAccess(C, Call.getArgSVal(0));
430 if (ChecksEnabled[CK_IteratorRangeChecker]) {
431 if (isIncrementOperator(Func->getOverloadedOperator())) {
432 // Check for out-of-range incrementions
433 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
434 verifyIncrement(C, InstCall->getCXXThisVal());
436 if (Call.getNumArgs() >= 1) {
437 verifyIncrement(C, Call.getArgSVal(0));
440 } else if (isDecrementOperator(Func->getOverloadedOperator())) {
441 // Check for out-of-range decrementions
442 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
443 verifyDecrement(C, InstCall->getCXXThisVal());
445 if (Call.getNumArgs() >= 1) {
446 verifyDecrement(C, Call.getArgSVal(0));
449 } else if (isRandomIncrOrDecrOperator(Func->getOverloadedOperator())) {
450 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
451 // Check for out-of-range incrementions and decrementions
452 if (Call.getNumArgs() >= 1) {
453 verifyRandomIncrOrDecr(C, Func->getOverloadedOperator(),
454 InstCall->getCXXThisVal(),
458 if (Call.getNumArgs() >= 2) {
459 verifyRandomIncrOrDecr(C, Func->getOverloadedOperator(),
460 Call.getArgSVal(0), Call.getArgSVal(1));
463 } else if (isDereferenceOperator(Func->getOverloadedOperator())) {
464 // Check for dereference of out-of-range iterators
465 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
466 verifyDereference(C, InstCall->getCXXThisVal());
468 verifyDereference(C, Call.getArgSVal(0));
471 } else if (ChecksEnabled[CK_MismatchedIteratorChecker] &&
472 isComparisonOperator(Func->getOverloadedOperator())) {
473 // Check for comparisons of iterators of different containers
474 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
475 if (Call.getNumArgs() < 1)
478 if (!isIteratorType(InstCall->getCXXThisExpr()->getType()) ||
479 !isIteratorType(Call.getArgExpr(0)->getType()))
482 verifyMatch(C, InstCall->getCXXThisVal(), Call.getArgSVal(0));
484 if (Call.getNumArgs() < 2)
487 if (!isIteratorType(Call.getArgExpr(0)->getType()) ||
488 !isIteratorType(Call.getArgExpr(1)->getType()))
491 verifyMatch(C, Call.getArgSVal(0), Call.getArgSVal(1));
494 } else if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
495 if (!ChecksEnabled[CK_MismatchedIteratorChecker])
498 const auto *ContReg = InstCall->getCXXThisVal().getAsRegion();
501 // Check for erase, insert and emplace using iterator of another container
502 if (isEraseCall(Func) || isEraseAfterCall(Func)) {
503 verifyMatch(C, Call.getArgSVal(0),
504 InstCall->getCXXThisVal().getAsRegion());
505 if (Call.getNumArgs() == 2) {
506 verifyMatch(C, Call.getArgSVal(1),
507 InstCall->getCXXThisVal().getAsRegion());
509 } else if (isInsertCall(Func)) {
510 verifyMatch(C, Call.getArgSVal(0),
511 InstCall->getCXXThisVal().getAsRegion());
512 if (Call.getNumArgs() == 3 &&
513 isIteratorType(Call.getArgExpr(1)->getType()) &&
514 isIteratorType(Call.getArgExpr(2)->getType())) {
515 verifyMatch(C, Call.getArgSVal(1), Call.getArgSVal(2));
517 } else if (isEmplaceCall(Func)) {
518 verifyMatch(C, Call.getArgSVal(0),
519 InstCall->getCXXThisVal().getAsRegion());
521 } else if (isa<CXXConstructorCall>(&Call)) {
522 // Check match of first-last iterator pair in a constructor of a container
523 if (Call.getNumArgs() < 2)
526 const auto *Ctr = cast<CXXConstructorDecl>(Call.getDecl());
527 if (Ctr->getNumParams() < 2)
530 if (Ctr->getParamDecl(0)->getName() != "first" ||
531 Ctr->getParamDecl(1)->getName() != "last")
534 if (!isIteratorType(Call.getArgExpr(0)->getType()) ||
535 !isIteratorType(Call.getArgExpr(1)->getType()))
538 verifyMatch(C, Call.getArgSVal(0), Call.getArgSVal(1));
540 // The main purpose of iterators is to abstract away from different
541 // containers and provide a (maybe limited) uniform access to them.
542 // This implies that any correctly written template function that
543 // works on multiple containers using iterators takes different
544 // template parameters for different containers. So we can safely
545 // assume that passing iterators of different containers as arguments
546 // whose type replaces the same template parameter is a bug.
549 // template<typename I1, typename I2>
550 // void f(I1 first1, I1 last1, I2 first2, I2 last2);
552 // In this case the first two arguments to f() must be iterators must belong
553 // to the same container and the last to also to the same container but
554 // not necessarily to the same as the first two.
556 if (!ChecksEnabled[CK_MismatchedIteratorChecker])
559 const auto *Templ = Func->getPrimaryTemplate();
563 const auto *TParams = Templ->getTemplateParameters();
564 const auto *TArgs = Func->getTemplateSpecializationArgs();
566 // Iterate over all the template parameters
567 for (size_t I = 0; I < TParams->size(); ++I) {
568 const auto *TPDecl = dyn_cast<TemplateTypeParmDecl>(TParams->getParam(I));
572 if (TPDecl->isParameterPack())
575 const auto TAType = TArgs->get(I).getAsType();
576 if (!isIteratorType(TAType))
579 SVal LHS = UndefinedVal();
581 // For every template parameter which is an iterator type in the
582 // instantiation look for all functions' parameters' type by it and
583 // check whether they belong to the same container
584 for (auto J = 0U; J < Func->getNumParams(); ++J) {
585 const auto *Param = Func->getParamDecl(J);
586 const auto *ParamType =
587 Param->getType()->getAs<SubstTemplateTypeParmType>();
589 ParamType->getReplacedParameter()->getDecl() != TPDecl)
592 LHS = Call.getArgSVal(J);
594 verifyMatch(C, LHS, Call.getArgSVal(J));
601 void IteratorChecker::checkPostCall(const CallEvent &Call,
602 CheckerContext &C) const {
603 // Record new iterator positions and iterator position changes
604 const auto *Func = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
608 if (Func->isOverloadedOperator()) {
609 const auto Op = Func->getOverloadedOperator();
610 if (isAssignmentOperator(Op)) {
611 const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call);
612 if (Func->getParamDecl(0)->getType()->isRValueReferenceType()) {
613 handleAssign(C, InstCall->getCXXThisVal(), Call.getOriginExpr(),
616 handleAssign(C, InstCall->getCXXThisVal());
618 } else if (isSimpleComparisonOperator(Op)) {
619 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
620 handleComparison(C, Call.getReturnValue(), InstCall->getCXXThisVal(),
621 Call.getArgSVal(0), Op);
623 handleComparison(C, Call.getReturnValue(), Call.getArgSVal(0),
624 Call.getArgSVal(1), Op);
626 } else if (isRandomIncrOrDecrOperator(Func->getOverloadedOperator())) {
627 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
628 if (Call.getNumArgs() >= 1) {
629 handleRandomIncrOrDecr(C, Func->getOverloadedOperator(),
630 Call.getReturnValue(),
631 InstCall->getCXXThisVal(), Call.getArgSVal(0));
634 if (Call.getNumArgs() >= 2) {
635 handleRandomIncrOrDecr(C, Func->getOverloadedOperator(),
636 Call.getReturnValue(), Call.getArgSVal(0),
640 } else if (isIncrementOperator(Func->getOverloadedOperator())) {
641 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
642 handleIncrement(C, Call.getReturnValue(), InstCall->getCXXThisVal(),
645 handleIncrement(C, Call.getReturnValue(), Call.getArgSVal(0),
648 } else if (isDecrementOperator(Func->getOverloadedOperator())) {
649 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
650 handleDecrement(C, Call.getReturnValue(), InstCall->getCXXThisVal(),
653 handleDecrement(C, Call.getReturnValue(), Call.getArgSVal(0),
658 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
659 if (isAssignCall(Func)) {
660 handleAssign(C, InstCall->getCXXThisVal());
661 } else if (isClearCall(Func)) {
662 handleClear(C, InstCall->getCXXThisVal());
663 } else if (isPushBackCall(Func) || isEmplaceBackCall(Func)) {
664 handlePushBack(C, InstCall->getCXXThisVal());
665 } else if (isPopBackCall(Func)) {
666 handlePopBack(C, InstCall->getCXXThisVal());
667 } else if (isPushFrontCall(Func) || isEmplaceFrontCall(Func)) {
668 handlePushFront(C, InstCall->getCXXThisVal());
669 } else if (isPopFrontCall(Func)) {
670 handlePopFront(C, InstCall->getCXXThisVal());
671 } else if (isInsertCall(Func) || isEmplaceCall(Func)) {
672 handleInsert(C, Call.getArgSVal(0));
673 } else if (isEraseCall(Func)) {
674 if (Call.getNumArgs() == 1) {
675 handleErase(C, Call.getArgSVal(0));
676 } else if (Call.getNumArgs() == 2) {
677 handleErase(C, Call.getArgSVal(0), Call.getArgSVal(1));
679 } else if (isEraseAfterCall(Func)) {
680 if (Call.getNumArgs() == 1) {
681 handleEraseAfter(C, Call.getArgSVal(0));
682 } else if (Call.getNumArgs() == 2) {
683 handleEraseAfter(C, Call.getArgSVal(0), Call.getArgSVal(1));
688 const auto *OrigExpr = Call.getOriginExpr();
692 if (!isIteratorType(Call.getResultType()))
695 auto State = C.getState();
697 if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
698 if (isBeginCall(Func)) {
699 handleBegin(C, OrigExpr, Call.getReturnValue(),
700 InstCall->getCXXThisVal());
703 if (isEndCall(Func)) {
704 handleEnd(C, OrigExpr, Call.getReturnValue(),
705 InstCall->getCXXThisVal());
710 // Already bound to container?
711 if (getIteratorPosition(State, Call.getReturnValue()))
714 // Copy-like and move constructors
715 if (isa<CXXConstructorCall>(&Call) && Call.getNumArgs() == 1) {
716 if (const auto *Pos = getIteratorPosition(State, Call.getArgSVal(0))) {
717 State = setIteratorPosition(State, Call.getReturnValue(), *Pos);
718 if (cast<CXXConstructorDecl>(Func)->isMoveConstructor()) {
719 State = removeIteratorPosition(State, Call.getArgSVal(0));
721 C.addTransition(State);
726 // Assumption: if return value is an iterator which is not yet bound to a
727 // container, then look for the first iterator argument, and
728 // bind the return value to the same container. This approach
729 // works for STL algorithms.
730 // FIXME: Add a more conservative mode
731 for (unsigned i = 0; i < Call.getNumArgs(); ++i) {
732 if (isIteratorType(Call.getArgExpr(i)->getType())) {
733 if (const auto *Pos = getIteratorPosition(State, Call.getArgSVal(i))) {
734 assignToContainer(C, OrigExpr, Call.getReturnValue(),
735 Pos->getContainer());
743 void IteratorChecker::checkBind(SVal Loc, SVal Val, const Stmt *S,
744 CheckerContext &C) const {
745 auto State = C.getState();
746 const auto *Pos = getIteratorPosition(State, Val);
748 State = setIteratorPosition(State, Loc, *Pos);
749 C.addTransition(State);
751 const auto *OldPos = getIteratorPosition(State, Loc);
753 State = removeIteratorPosition(State, Loc);
754 C.addTransition(State);
759 void IteratorChecker::checkPostStmt(const MaterializeTemporaryExpr *MTE,
760 CheckerContext &C) const {
761 /* Transfer iterator state to temporary objects */
762 auto State = C.getState();
764 getIteratorPosition(State, C.getSVal(MTE->GetTemporaryExpr()));
767 State = setIteratorPosition(State, C.getSVal(MTE), *Pos);
768 C.addTransition(State);
771 void IteratorChecker::checkLiveSymbols(ProgramStateRef State,
772 SymbolReaper &SR) const {
773 // Keep symbolic expressions of iterator positions, container begins and ends
775 auto RegionMap = State->get<IteratorRegionMap>();
776 for (const auto Reg : RegionMap) {
777 const auto Offset = Reg.second.getOffset();
778 for (auto i = Offset->symbol_begin(); i != Offset->symbol_end(); ++i)
779 if (isa<SymbolData>(*i))
783 auto SymbolMap = State->get<IteratorSymbolMap>();
784 for (const auto Sym : SymbolMap) {
785 const auto Offset = Sym.second.getOffset();
786 for (auto i = Offset->symbol_begin(); i != Offset->symbol_end(); ++i)
787 if (isa<SymbolData>(*i))
791 auto ContMap = State->get<ContainerMap>();
792 for (const auto Cont : ContMap) {
793 const auto CData = Cont.second;
794 if (CData.getBegin()) {
795 SR.markLive(CData.getBegin());
796 if(const auto *SIE = dyn_cast<SymIntExpr>(CData.getBegin()))
797 SR.markLive(SIE->getLHS());
799 if (CData.getEnd()) {
800 SR.markLive(CData.getEnd());
801 if(const auto *SIE = dyn_cast<SymIntExpr>(CData.getEnd()))
802 SR.markLive(SIE->getLHS());
807 void IteratorChecker::checkDeadSymbols(SymbolReaper &SR,
808 CheckerContext &C) const {
810 auto State = C.getState();
812 auto RegionMap = State->get<IteratorRegionMap>();
813 for (const auto Reg : RegionMap) {
814 if (!SR.isLiveRegion(Reg.first)) {
815 // The region behind the `LazyCompoundVal` is often cleaned up before
816 // the `LazyCompoundVal` itself. If there are iterator positions keyed
817 // by these regions their cleanup must be deferred.
818 if (!isBoundThroughLazyCompoundVal(State->getEnvironment(), Reg.first)) {
819 State = State->remove<IteratorRegionMap>(Reg.first);
824 auto SymbolMap = State->get<IteratorSymbolMap>();
825 for (const auto Sym : SymbolMap) {
826 if (!SR.isLive(Sym.first)) {
827 State = State->remove<IteratorSymbolMap>(Sym.first);
831 auto ContMap = State->get<ContainerMap>();
832 for (const auto Cont : ContMap) {
833 if (!SR.isLiveRegion(Cont.first)) {
834 // We must keep the container data while it has live iterators to be able
835 // to compare them to the begin and the end of the container.
836 if (!hasLiveIterators(State, Cont.first)) {
837 State = State->remove<ContainerMap>(Cont.first);
842 auto ComparisonMap = State->get<IteratorComparisonMap>();
843 for (const auto Comp : ComparisonMap) {
844 if (!SR.isLive(Comp.first)) {
845 State = State->remove<IteratorComparisonMap>(Comp.first);
849 C.addTransition(State);
852 ProgramStateRef IteratorChecker::evalAssume(ProgramStateRef State, SVal Cond,
853 bool Assumption) const {
854 // Load recorded comparison and transfer iterator state between sides
855 // according to comparison operator and assumption
856 const auto *SE = Cond.getAsSymExpr();
860 auto Opc = getOpcode(SE);
861 if (Opc != BO_EQ && Opc != BO_NE)
864 bool Negated = false;
865 const auto *Comp = loadComparison(State, SE);
867 // Try negated comparison, which is a SymExpr to 0 integer comparison
868 const auto *SIE = dyn_cast<SymIntExpr>(SE);
872 if (SIE->getRHS() != 0)
876 Negated = SIE->getOpcode() == BO_EQ; // Equal to zero means negation
878 if (Opc != BO_EQ && Opc != BO_NE)
881 Comp = loadComparison(State, SE);
886 return processComparison(State, Comp->getLeft(), Comp->getRight(),
887 (Comp->isEquality() == Assumption) != Negated);
890 void IteratorChecker::handleComparison(CheckerContext &C, const SVal &RetVal,
891 const SVal &LVal, const SVal &RVal,
892 OverloadedOperatorKind Op) const {
893 // Record the operands and the operator of the comparison for the next
894 // evalAssume, if the result is a symbolic expression. If it is a concrete
895 // value (only one branch is possible), then transfer the state between
896 // the operands according to the operator and the result
897 auto State = C.getState();
898 if (const auto *Condition = RetVal.getAsSymbolicExpression()) {
899 const auto *LPos = getIteratorPosition(State, LVal);
900 const auto *RPos = getIteratorPosition(State, RVal);
903 State = saveComparison(State, Condition, LVal, RVal, Op == OO_EqualEqual);
904 C.addTransition(State);
905 } else if (const auto TruthVal = RetVal.getAs<nonloc::ConcreteInt>()) {
906 if ((State = processComparison(
907 State, getRegionOrSymbol(LVal), getRegionOrSymbol(RVal),
908 (Op == OO_EqualEqual) == (TruthVal->getValue() != 0)))) {
909 C.addTransition(State);
911 C.generateSink(State, C.getPredecessor());
916 void IteratorChecker::verifyDereference(CheckerContext &C,
917 const SVal &Val) const {
918 auto State = C.getState();
919 const auto *Pos = getIteratorPosition(State, Val);
920 if (Pos && isPastTheEnd(State, *Pos)) {
921 auto *N = C.generateNonFatalErrorNode(State);
924 reportOutOfRangeBug("Past-the-end iterator dereferenced.", Val, C, N);
929 void IteratorChecker::verifyAccess(CheckerContext &C, const SVal &Val) const {
930 auto State = C.getState();
931 const auto *Pos = getIteratorPosition(State, Val);
932 if (Pos && !Pos->isValid()) {
933 auto *N = C.generateNonFatalErrorNode(State);
937 reportInvalidatedBug("Invalidated iterator accessed.", Val, C, N);
941 void IteratorChecker::handleIncrement(CheckerContext &C, const SVal &RetVal,
942 const SVal &Iter, bool Postfix) const {
943 // Increment the symbolic expressions which represents the position of the
945 auto State = C.getState();
946 const auto *Pos = getIteratorPosition(State, Iter);
948 auto &SymMgr = C.getSymbolManager();
949 auto &BVF = SymMgr.getBasicVals();
951 advancePosition(C, OO_Plus, *Pos,
952 nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(1))));
953 State = setIteratorPosition(State, Iter, NewPos);
954 State = setIteratorPosition(State, RetVal, Postfix ? *Pos : NewPos);
955 C.addTransition(State);
959 void IteratorChecker::handleDecrement(CheckerContext &C, const SVal &RetVal,
960 const SVal &Iter, bool Postfix) const {
961 // Decrement the symbolic expressions which represents the position of the
963 auto State = C.getState();
964 const auto *Pos = getIteratorPosition(State, Iter);
966 auto &SymMgr = C.getSymbolManager();
967 auto &BVF = SymMgr.getBasicVals();
969 advancePosition(C, OO_Minus, *Pos,
970 nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(1))));
971 State = setIteratorPosition(State, Iter, NewPos);
972 State = setIteratorPosition(State, RetVal, Postfix ? *Pos : NewPos);
973 C.addTransition(State);
977 // This function tells the analyzer's engine that symbols produced by our
978 // checker, most notably iterator positions, are relatively small.
979 // A distance between items in the container should not be very large.
980 // By assuming that it is within around 1/8 of the address space,
981 // we can help the analyzer perform operations on these symbols
982 // without being afraid of integer overflows.
983 // FIXME: Should we provide it as an API, so that all checkers could use it?
984 static ProgramStateRef assumeNoOverflow(ProgramStateRef State, SymbolRef Sym,
986 SValBuilder &SVB = State->getStateManager().getSValBuilder();
987 BasicValueFactory &BV = SVB.getBasicValueFactory();
989 QualType T = Sym->getType();
990 assert(T->isSignedIntegerOrEnumerationType());
991 APSIntType AT = BV.getAPSIntType(T);
993 ProgramStateRef NewState = State;
995 llvm::APSInt Max = AT.getMaxValue() / AT.getValue(Scale);
996 SVal IsCappedFromAbove =
997 SVB.evalBinOpNN(State, BO_LE, nonloc::SymbolVal(Sym),
998 nonloc::ConcreteInt(Max), SVB.getConditionType());
999 if (auto DV = IsCappedFromAbove.getAs<DefinedSVal>()) {
1000 NewState = NewState->assume(*DV, true);
1005 llvm::APSInt Min = -Max;
1006 SVal IsCappedFromBelow =
1007 SVB.evalBinOpNN(State, BO_GE, nonloc::SymbolVal(Sym),
1008 nonloc::ConcreteInt(Min), SVB.getConditionType());
1009 if (auto DV = IsCappedFromBelow.getAs<DefinedSVal>()) {
1010 NewState = NewState->assume(*DV, true);
1018 void IteratorChecker::handleRandomIncrOrDecr(CheckerContext &C,
1019 OverloadedOperatorKind Op,
1022 const SVal &RHS) const {
1023 // Increment or decrement the symbolic expressions which represents the
1024 // position of the iterator
1025 auto State = C.getState();
1026 const auto *Pos = getIteratorPosition(State, LHS);
1030 const auto *value = &RHS;
1031 if (auto loc = RHS.getAs<Loc>()) {
1032 const auto val = State->getRawSVal(*loc);
1036 auto &TgtVal = (Op == OO_PlusEqual || Op == OO_MinusEqual) ? LHS : RetVal;
1038 setIteratorPosition(State, TgtVal, advancePosition(C, Op, *Pos, *value));
1039 C.addTransition(State);
1042 void IteratorChecker::verifyIncrement(CheckerContext &C,
1043 const SVal &Iter) const {
1044 auto &BVF = C.getSValBuilder().getBasicValueFactory();
1045 verifyRandomIncrOrDecr(C, OO_Plus, Iter,
1046 nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(1))));
1049 void IteratorChecker::verifyDecrement(CheckerContext &C,
1050 const SVal &Iter) const {
1051 auto &BVF = C.getSValBuilder().getBasicValueFactory();
1052 verifyRandomIncrOrDecr(C, OO_Minus, Iter,
1053 nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(1))));
1056 void IteratorChecker::verifyRandomIncrOrDecr(CheckerContext &C,
1057 OverloadedOperatorKind Op,
1059 const SVal &RHS) const {
1060 auto State = C.getState();
1062 // If the iterator is initially inside its range, then the operation is valid
1063 const auto *Pos = getIteratorPosition(State, LHS);
1068 if (auto ValAsLoc = RHS.getAs<Loc>()) {
1069 Value = State->getRawSVal(*ValAsLoc);
1072 if (Value.isUnknown())
1075 // Incremention or decremention by 0 is never a bug.
1076 if (isZero(State, Value.castAs<NonLoc>()))
1079 // The result may be the past-end iterator of the container, but any other
1080 // out of range position is undefined behaviour
1081 if (isAheadOfRange(State, advancePosition(C, Op, *Pos, Value))) {
1082 auto *N = C.generateNonFatalErrorNode(State);
1085 reportOutOfRangeBug("Iterator decremented ahead of its valid range.", LHS,
1088 if (isBehindPastTheEnd(State, advancePosition(C, Op, *Pos, Value))) {
1089 auto *N = C.generateNonFatalErrorNode(State);
1092 reportOutOfRangeBug("Iterator incremented behind the past-the-end "
1093 "iterator.", LHS, C, N);
1097 void IteratorChecker::verifyMatch(CheckerContext &C, const SVal &Iter,
1098 const MemRegion *Cont) const {
1099 // Verify match between a container and the container of an iterator
1100 Cont = Cont->getMostDerivedObjectRegion();
1102 auto State = C.getState();
1103 const auto *Pos = getIteratorPosition(State, Iter);
1104 if (Pos && Pos->getContainer() != Cont) {
1105 auto *N = C.generateNonFatalErrorNode(State);
1109 reportMismatchedBug("Container accessed using foreign iterator argument.", Iter, Cont, C, N);
1113 void IteratorChecker::verifyMatch(CheckerContext &C, const SVal &Iter1,
1114 const SVal &Iter2) const {
1115 // Verify match between the containers of two iterators
1116 auto State = C.getState();
1117 const auto *Pos1 = getIteratorPosition(State, Iter1);
1118 const auto *Pos2 = getIteratorPosition(State, Iter2);
1119 if (Pos1 && Pos2 && Pos1->getContainer() != Pos2->getContainer()) {
1120 auto *N = C.generateNonFatalErrorNode(State);
1123 reportMismatchedBug("Iterators of different containers used where the "
1124 "same container is expected.", Iter1, Iter2, C, N);
1128 void IteratorChecker::handleBegin(CheckerContext &C, const Expr *CE,
1129 const SVal &RetVal, const SVal &Cont) const {
1130 const auto *ContReg = Cont.getAsRegion();
1134 ContReg = ContReg->getMostDerivedObjectRegion();
1136 // If the container already has a begin symbol then use it. Otherwise first
1137 // create a new one.
1138 auto State = C.getState();
1139 auto BeginSym = getContainerBegin(State, ContReg);
1141 auto &SymMgr = C.getSymbolManager();
1142 BeginSym = SymMgr.conjureSymbol(CE, C.getLocationContext(),
1143 C.getASTContext().LongTy, C.blockCount());
1144 State = assumeNoOverflow(State, BeginSym, 4);
1145 State = createContainerBegin(State, ContReg, BeginSym);
1147 State = setIteratorPosition(State, RetVal,
1148 IteratorPosition::getPosition(ContReg, BeginSym));
1149 C.addTransition(State);
1152 void IteratorChecker::handleEnd(CheckerContext &C, const Expr *CE,
1153 const SVal &RetVal, const SVal &Cont) const {
1154 const auto *ContReg = Cont.getAsRegion();
1158 ContReg = ContReg->getMostDerivedObjectRegion();
1160 // If the container already has an end symbol then use it. Otherwise first
1161 // create a new one.
1162 auto State = C.getState();
1163 auto EndSym = getContainerEnd(State, ContReg);
1165 auto &SymMgr = C.getSymbolManager();
1166 EndSym = SymMgr.conjureSymbol(CE, C.getLocationContext(),
1167 C.getASTContext().LongTy, C.blockCount());
1168 State = assumeNoOverflow(State, EndSym, 4);
1169 State = createContainerEnd(State, ContReg, EndSym);
1171 State = setIteratorPosition(State, RetVal,
1172 IteratorPosition::getPosition(ContReg, EndSym));
1173 C.addTransition(State);
1176 void IteratorChecker::assignToContainer(CheckerContext &C, const Expr *CE,
1178 const MemRegion *Cont) const {
1179 Cont = Cont->getMostDerivedObjectRegion();
1181 auto State = C.getState();
1182 auto &SymMgr = C.getSymbolManager();
1183 auto Sym = SymMgr.conjureSymbol(CE, C.getLocationContext(),
1184 C.getASTContext().LongTy, C.blockCount());
1185 State = assumeNoOverflow(State, Sym, 4);
1186 State = setIteratorPosition(State, RetVal,
1187 IteratorPosition::getPosition(Cont, Sym));
1188 C.addTransition(State);
1191 void IteratorChecker::handleAssign(CheckerContext &C, const SVal &Cont,
1192 const Expr *CE, const SVal &OldCont) const {
1193 const auto *ContReg = Cont.getAsRegion();
1197 ContReg = ContReg->getMostDerivedObjectRegion();
1199 // Assignment of a new value to a container always invalidates all its
1201 auto State = C.getState();
1202 const auto CData = getContainerData(State, ContReg);
1204 State = invalidateAllIteratorPositions(State, ContReg);
1207 // In case of move, iterators of the old container (except the past-end
1208 // iterators) remain valid but refer to the new container
1209 if (!OldCont.isUndef()) {
1210 const auto *OldContReg = OldCont.getAsRegion();
1212 OldContReg = OldContReg->getMostDerivedObjectRegion();
1213 const auto OldCData = getContainerData(State, OldContReg);
1215 if (const auto OldEndSym = OldCData->getEnd()) {
1216 // If we already assigned an "end" symbol to the old container, then
1217 // first reassign all iterator positions to the new container which
1218 // are not past the container (thus not greater or equal to the
1219 // current "end" symbol).
1220 State = reassignAllIteratorPositionsUnless(State, OldContReg, ContReg,
1222 auto &SymMgr = C.getSymbolManager();
1223 auto &SVB = C.getSValBuilder();
1224 // Then generate and assign a new "end" symbol for the new container.
1226 SymMgr.conjureSymbol(CE, C.getLocationContext(),
1227 C.getASTContext().LongTy, C.blockCount());
1228 State = assumeNoOverflow(State, NewEndSym, 4);
1230 State = setContainerData(State, ContReg, CData->newEnd(NewEndSym));
1232 State = setContainerData(State, ContReg,
1233 ContainerData::fromEnd(NewEndSym));
1235 // Finally, replace the old "end" symbol in the already reassigned
1236 // iterator positions with the new "end" symbol.
1237 State = rebaseSymbolInIteratorPositionsIf(
1238 State, SVB, OldEndSym, NewEndSym, OldEndSym, BO_LT);
1240 // There was no "end" symbol assigned yet to the old container,
1241 // so reassign all iterator positions to the new container.
1242 State = reassignAllIteratorPositions(State, OldContReg, ContReg);
1244 if (const auto OldBeginSym = OldCData->getBegin()) {
1245 // If we already assigned a "begin" symbol to the old container, then
1246 // assign it to the new container and remove it from the old one.
1249 setContainerData(State, ContReg, CData->newBegin(OldBeginSym));
1251 State = setContainerData(State, ContReg,
1252 ContainerData::fromBegin(OldBeginSym));
1255 setContainerData(State, OldContReg, OldCData->newEnd(nullptr));
1258 // There was neither "begin" nor "end" symbol assigned yet to the old
1259 // container, so reassign all iterator positions to the new container.
1260 State = reassignAllIteratorPositions(State, OldContReg, ContReg);
1264 C.addTransition(State);
1267 void IteratorChecker::handleClear(CheckerContext &C, const SVal &Cont) const {
1268 const auto *ContReg = Cont.getAsRegion();
1272 ContReg = ContReg->getMostDerivedObjectRegion();
1274 // The clear() operation invalidates all the iterators, except the past-end
1275 // iterators of list-like containers
1276 auto State = C.getState();
1277 if (!hasSubscriptOperator(State, ContReg) ||
1278 !backModifiable(State, ContReg)) {
1279 const auto CData = getContainerData(State, ContReg);
1281 if (const auto EndSym = CData->getEnd()) {
1283 invalidateAllIteratorPositionsExcept(State, ContReg, EndSym, BO_GE);
1284 C.addTransition(State);
1289 State = invalidateAllIteratorPositions(State, ContReg);
1290 C.addTransition(State);
1293 void IteratorChecker::handlePushBack(CheckerContext &C,
1294 const SVal &Cont) const {
1295 const auto *ContReg = Cont.getAsRegion();
1299 ContReg = ContReg->getMostDerivedObjectRegion();
1301 // For deque-like containers invalidate all iterator positions
1302 auto State = C.getState();
1303 if (hasSubscriptOperator(State, ContReg) && frontModifiable(State, ContReg)) {
1304 State = invalidateAllIteratorPositions(State, ContReg);
1305 C.addTransition(State);
1309 const auto CData = getContainerData(State, ContReg);
1313 // For vector-like containers invalidate the past-end iterator positions
1314 if (const auto EndSym = CData->getEnd()) {
1315 if (hasSubscriptOperator(State, ContReg)) {
1316 State = invalidateIteratorPositions(State, EndSym, BO_GE);
1318 auto &SymMgr = C.getSymbolManager();
1319 auto &BVF = SymMgr.getBasicVals();
1320 auto &SVB = C.getSValBuilder();
1321 const auto newEndSym =
1322 SVB.evalBinOp(State, BO_Add,
1323 nonloc::SymbolVal(EndSym),
1324 nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(1))),
1325 SymMgr.getType(EndSym)).getAsSymbol();
1326 State = setContainerData(State, ContReg, CData->newEnd(newEndSym));
1328 C.addTransition(State);
1331 void IteratorChecker::handlePopBack(CheckerContext &C, const SVal &Cont) const {
1332 const auto *ContReg = Cont.getAsRegion();
1336 ContReg = ContReg->getMostDerivedObjectRegion();
1338 auto State = C.getState();
1339 const auto CData = getContainerData(State, ContReg);
1343 if (const auto EndSym = CData->getEnd()) {
1344 auto &SymMgr = C.getSymbolManager();
1345 auto &BVF = SymMgr.getBasicVals();
1346 auto &SVB = C.getSValBuilder();
1347 const auto BackSym =
1348 SVB.evalBinOp(State, BO_Sub,
1349 nonloc::SymbolVal(EndSym),
1350 nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(1))),
1351 SymMgr.getType(EndSym)).getAsSymbol();
1352 // For vector-like and deque-like containers invalidate the last and the
1353 // past-end iterator positions. For list-like containers only invalidate
1354 // the last position
1355 if (hasSubscriptOperator(State, ContReg) &&
1356 backModifiable(State, ContReg)) {
1357 State = invalidateIteratorPositions(State, BackSym, BO_GE);
1358 State = setContainerData(State, ContReg, CData->newEnd(nullptr));
1360 State = invalidateIteratorPositions(State, BackSym, BO_EQ);
1362 auto newEndSym = BackSym;
1363 State = setContainerData(State, ContReg, CData->newEnd(newEndSym));
1364 C.addTransition(State);
1368 void IteratorChecker::handlePushFront(CheckerContext &C,
1369 const SVal &Cont) const {
1370 const auto *ContReg = Cont.getAsRegion();
1374 ContReg = ContReg->getMostDerivedObjectRegion();
1376 // For deque-like containers invalidate all iterator positions
1377 auto State = C.getState();
1378 if (hasSubscriptOperator(State, ContReg)) {
1379 State = invalidateAllIteratorPositions(State, ContReg);
1380 C.addTransition(State);
1382 const auto CData = getContainerData(State, ContReg);
1386 if (const auto BeginSym = CData->getBegin()) {
1387 auto &SymMgr = C.getSymbolManager();
1388 auto &BVF = SymMgr.getBasicVals();
1389 auto &SVB = C.getSValBuilder();
1390 const auto newBeginSym =
1391 SVB.evalBinOp(State, BO_Sub,
1392 nonloc::SymbolVal(BeginSym),
1393 nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(1))),
1394 SymMgr.getType(BeginSym)).getAsSymbol();
1395 State = setContainerData(State, ContReg, CData->newBegin(newBeginSym));
1396 C.addTransition(State);
1401 void IteratorChecker::handlePopFront(CheckerContext &C,
1402 const SVal &Cont) const {
1403 const auto *ContReg = Cont.getAsRegion();
1407 ContReg = ContReg->getMostDerivedObjectRegion();
1409 auto State = C.getState();
1410 const auto CData = getContainerData(State, ContReg);
1414 // For deque-like containers invalidate all iterator positions. For list-like
1415 // iterators only invalidate the first position
1416 if (const auto BeginSym = CData->getBegin()) {
1417 if (hasSubscriptOperator(State, ContReg)) {
1418 State = invalidateIteratorPositions(State, BeginSym, BO_LE);
1420 State = invalidateIteratorPositions(State, BeginSym, BO_EQ);
1422 auto &SymMgr = C.getSymbolManager();
1423 auto &BVF = SymMgr.getBasicVals();
1424 auto &SVB = C.getSValBuilder();
1425 const auto newBeginSym =
1426 SVB.evalBinOp(State, BO_Add,
1427 nonloc::SymbolVal(BeginSym),
1428 nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(1))),
1429 SymMgr.getType(BeginSym)).getAsSymbol();
1430 State = setContainerData(State, ContReg, CData->newBegin(newBeginSym));
1431 C.addTransition(State);
1435 void IteratorChecker::handleInsert(CheckerContext &C, const SVal &Iter) const {
1436 auto State = C.getState();
1437 const auto *Pos = getIteratorPosition(State, Iter);
1441 // For deque-like containers invalidate all iterator positions. For
1442 // vector-like containers invalidate iterator positions after the insertion.
1443 const auto *Cont = Pos->getContainer();
1444 if (hasSubscriptOperator(State, Cont) && backModifiable(State, Cont)) {
1445 if (frontModifiable(State, Cont)) {
1446 State = invalidateAllIteratorPositions(State, Cont);
1448 State = invalidateIteratorPositions(State, Pos->getOffset(), BO_GE);
1450 if (const auto *CData = getContainerData(State, Cont)) {
1451 if (const auto EndSym = CData->getEnd()) {
1452 State = invalidateIteratorPositions(State, EndSym, BO_GE);
1453 State = setContainerData(State, Cont, CData->newEnd(nullptr));
1456 C.addTransition(State);
1460 void IteratorChecker::handleErase(CheckerContext &C, const SVal &Iter) const {
1461 auto State = C.getState();
1462 const auto *Pos = getIteratorPosition(State, Iter);
1466 // For deque-like containers invalidate all iterator positions. For
1467 // vector-like containers invalidate iterator positions at and after the
1468 // deletion. For list-like containers only invalidate the deleted position.
1469 const auto *Cont = Pos->getContainer();
1470 if (hasSubscriptOperator(State, Cont) && backModifiable(State, Cont)) {
1471 if (frontModifiable(State, Cont)) {
1472 State = invalidateAllIteratorPositions(State, Cont);
1474 State = invalidateIteratorPositions(State, Pos->getOffset(), BO_GE);
1476 if (const auto *CData = getContainerData(State, Cont)) {
1477 if (const auto EndSym = CData->getEnd()) {
1478 State = invalidateIteratorPositions(State, EndSym, BO_GE);
1479 State = setContainerData(State, Cont, CData->newEnd(nullptr));
1483 State = invalidateIteratorPositions(State, Pos->getOffset(), BO_EQ);
1485 C.addTransition(State);
1488 void IteratorChecker::handleErase(CheckerContext &C, const SVal &Iter1,
1489 const SVal &Iter2) const {
1490 auto State = C.getState();
1491 const auto *Pos1 = getIteratorPosition(State, Iter1);
1492 const auto *Pos2 = getIteratorPosition(State, Iter2);
1496 // For deque-like containers invalidate all iterator positions. For
1497 // vector-like containers invalidate iterator positions at and after the
1498 // deletion range. For list-like containers only invalidate the deleted
1499 // position range [first..last].
1500 const auto *Cont = Pos1->getContainer();
1501 if (hasSubscriptOperator(State, Cont) && backModifiable(State, Cont)) {
1502 if (frontModifiable(State, Cont)) {
1503 State = invalidateAllIteratorPositions(State, Cont);
1505 State = invalidateIteratorPositions(State, Pos1->getOffset(), BO_GE);
1507 if (const auto *CData = getContainerData(State, Cont)) {
1508 if (const auto EndSym = CData->getEnd()) {
1509 State = invalidateIteratorPositions(State, EndSym, BO_GE);
1510 State = setContainerData(State, Cont, CData->newEnd(nullptr));
1514 State = invalidateIteratorPositions(State, Pos1->getOffset(), BO_GE,
1515 Pos2->getOffset(), BO_LT);
1517 C.addTransition(State);
1520 void IteratorChecker::handleEraseAfter(CheckerContext &C,
1521 const SVal &Iter) const {
1522 auto State = C.getState();
1523 const auto *Pos = getIteratorPosition(State, Iter);
1527 // Invalidate the deleted iterator position, which is the position of the
1528 // parameter plus one.
1529 auto &SymMgr = C.getSymbolManager();
1530 auto &BVF = SymMgr.getBasicVals();
1531 auto &SVB = C.getSValBuilder();
1532 const auto NextSym =
1533 SVB.evalBinOp(State, BO_Add,
1534 nonloc::SymbolVal(Pos->getOffset()),
1535 nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(1))),
1536 SymMgr.getType(Pos->getOffset())).getAsSymbol();
1537 State = invalidateIteratorPositions(State, NextSym, BO_EQ);
1538 C.addTransition(State);
1541 void IteratorChecker::handleEraseAfter(CheckerContext &C, const SVal &Iter1,
1542 const SVal &Iter2) const {
1543 auto State = C.getState();
1544 const auto *Pos1 = getIteratorPosition(State, Iter1);
1545 const auto *Pos2 = getIteratorPosition(State, Iter2);
1549 // Invalidate the deleted iterator position range (first..last)
1550 State = invalidateIteratorPositions(State, Pos1->getOffset(), BO_GT,
1551 Pos2->getOffset(), BO_LT);
1552 C.addTransition(State);
1555 IteratorPosition IteratorChecker::advancePosition(CheckerContext &C,
1556 OverloadedOperatorKind Op,
1557 const IteratorPosition &Pos,
1558 const SVal &Distance) const {
1559 auto State = C.getState();
1560 auto &SymMgr = C.getSymbolManager();
1561 auto &SVB = C.getSValBuilder();
1563 assert ((Op == OO_Plus || Op == OO_PlusEqual ||
1564 Op == OO_Minus || Op == OO_MinusEqual) &&
1565 "Advance operator must be one of +, -, += and -=.");
1566 auto BinOp = (Op == OO_Plus || Op == OO_PlusEqual) ? BO_Add : BO_Sub;
1567 if (const auto IntDist = Distance.getAs<nonloc::ConcreteInt>()) {
1568 // For concrete integers we can calculate the new position
1569 return Pos.setTo(SVB.evalBinOp(State, BinOp,
1570 nonloc::SymbolVal(Pos.getOffset()), *IntDist,
1571 SymMgr.getType(Pos.getOffset()))
1574 // For other symbols create a new symbol to keep expressions simple
1575 const auto &LCtx = C.getLocationContext();
1576 const auto NewPosSym = SymMgr.conjureSymbol(nullptr, LCtx,
1577 SymMgr.getType(Pos.getOffset()),
1579 State = assumeNoOverflow(State, NewPosSym, 4);
1580 return Pos.setTo(NewPosSym);
1584 void IteratorChecker::reportOutOfRangeBug(const StringRef &Message,
1585 const SVal &Val, CheckerContext &C,
1586 ExplodedNode *ErrNode) const {
1587 auto R = llvm::make_unique<BugReport>(*OutOfRangeBugType, Message, ErrNode);
1588 R->markInteresting(Val);
1589 C.emitReport(std::move(R));
1592 void IteratorChecker::reportMismatchedBug(const StringRef &Message,
1593 const SVal &Val1, const SVal &Val2,
1595 ExplodedNode *ErrNode) const {
1596 auto R = llvm::make_unique<BugReport>(*MismatchedBugType, Message, ErrNode);
1597 R->markInteresting(Val1);
1598 R->markInteresting(Val2);
1599 C.emitReport(std::move(R));
1602 void IteratorChecker::reportMismatchedBug(const StringRef &Message,
1603 const SVal &Val, const MemRegion *Reg,
1605 ExplodedNode *ErrNode) const {
1606 auto R = llvm::make_unique<BugReport>(*MismatchedBugType, Message, ErrNode);
1607 R->markInteresting(Val);
1608 R->markInteresting(Reg);
1609 C.emitReport(std::move(R));
1612 void IteratorChecker::reportInvalidatedBug(const StringRef &Message,
1613 const SVal &Val, CheckerContext &C,
1614 ExplodedNode *ErrNode) const {
1615 auto R = llvm::make_unique<BugReport>(*InvalidatedBugType, Message, ErrNode);
1616 R->markInteresting(Val);
1617 C.emitReport(std::move(R));
1622 bool isLess(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2);
1623 bool isGreater(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2);
1624 bool isEqual(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2);
1625 bool compare(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2,
1626 BinaryOperator::Opcode Opc);
1627 bool compare(ProgramStateRef State, NonLoc NL1, NonLoc NL2,
1628 BinaryOperator::Opcode Opc);
1629 const CXXRecordDecl *getCXXRecordDecl(ProgramStateRef State,
1630 const MemRegion *Reg);
1631 SymbolRef rebaseSymbol(ProgramStateRef State, SValBuilder &SVB, SymbolRef Expr,
1632 SymbolRef OldSym, SymbolRef NewSym);
1634 bool isIteratorType(const QualType &Type) {
1635 if (Type->isPointerType())
1638 const auto *CRD = Type->getUnqualifiedDesugaredType()->getAsCXXRecordDecl();
1639 return isIterator(CRD);
1642 bool isIterator(const CXXRecordDecl *CRD) {
1646 const auto Name = CRD->getName();
1647 if (!(Name.endswith_lower("iterator") || Name.endswith_lower("iter") ||
1648 Name.endswith_lower("it")))
1651 bool HasCopyCtor = false, HasCopyAssign = true, HasDtor = false,
1652 HasPreIncrOp = false, HasPostIncrOp = false, HasDerefOp = false;
1653 for (const auto *Method : CRD->methods()) {
1654 if (const auto *Ctor = dyn_cast<CXXConstructorDecl>(Method)) {
1655 if (Ctor->isCopyConstructor()) {
1656 HasCopyCtor = !Ctor->isDeleted() && Ctor->getAccess() == AS_public;
1660 if (const auto *Dtor = dyn_cast<CXXDestructorDecl>(Method)) {
1661 HasDtor = !Dtor->isDeleted() && Dtor->getAccess() == AS_public;
1664 if (Method->isCopyAssignmentOperator()) {
1665 HasCopyAssign = !Method->isDeleted() && Method->getAccess() == AS_public;
1668 if (!Method->isOverloadedOperator())
1670 const auto OPK = Method->getOverloadedOperator();
1671 if (OPK == OO_PlusPlus) {
1672 HasPreIncrOp = HasPreIncrOp || (Method->getNumParams() == 0);
1673 HasPostIncrOp = HasPostIncrOp || (Method->getNumParams() == 1);
1676 if (OPK == OO_Star) {
1677 HasDerefOp = (Method->getNumParams() == 0);
1682 return HasCopyCtor && HasCopyAssign && HasDtor && HasPreIncrOp &&
1683 HasPostIncrOp && HasDerefOp;
1686 bool isComparisonOperator(OverloadedOperatorKind OK) {
1687 return OK == OO_EqualEqual || OK == OO_ExclaimEqual || OK == OO_Less ||
1688 OK == OO_LessEqual || OK == OO_Greater || OK == OO_GreaterEqual;
1691 bool isBeginCall(const FunctionDecl *Func) {
1692 const auto *IdInfo = Func->getIdentifier();
1695 return IdInfo->getName().endswith_lower("begin");
1698 bool isEndCall(const FunctionDecl *Func) {
1699 const auto *IdInfo = Func->getIdentifier();
1702 return IdInfo->getName().endswith_lower("end");
1705 bool isAssignCall(const FunctionDecl *Func) {
1706 const auto *IdInfo = Func->getIdentifier();
1709 if (Func->getNumParams() > 2)
1711 return IdInfo->getName() == "assign";
1714 bool isClearCall(const FunctionDecl *Func) {
1715 const auto *IdInfo = Func->getIdentifier();
1718 if (Func->getNumParams() > 0)
1720 return IdInfo->getName() == "clear";
1723 bool isPushBackCall(const FunctionDecl *Func) {
1724 const auto *IdInfo = Func->getIdentifier();
1727 if (Func->getNumParams() != 1)
1729 return IdInfo->getName() == "push_back";
1732 bool isEmplaceBackCall(const FunctionDecl *Func) {
1733 const auto *IdInfo = Func->getIdentifier();
1736 if (Func->getNumParams() < 1)
1738 return IdInfo->getName() == "emplace_back";
1741 bool isPopBackCall(const FunctionDecl *Func) {
1742 const auto *IdInfo = Func->getIdentifier();
1745 if (Func->getNumParams() > 0)
1747 return IdInfo->getName() == "pop_back";
1750 bool isPushFrontCall(const FunctionDecl *Func) {
1751 const auto *IdInfo = Func->getIdentifier();
1754 if (Func->getNumParams() != 1)
1756 return IdInfo->getName() == "push_front";
1759 bool isEmplaceFrontCall(const FunctionDecl *Func) {
1760 const auto *IdInfo = Func->getIdentifier();
1763 if (Func->getNumParams() < 1)
1765 return IdInfo->getName() == "emplace_front";
1768 bool isPopFrontCall(const FunctionDecl *Func) {
1769 const auto *IdInfo = Func->getIdentifier();
1772 if (Func->getNumParams() > 0)
1774 return IdInfo->getName() == "pop_front";
1777 bool isInsertCall(const FunctionDecl *Func) {
1778 const auto *IdInfo = Func->getIdentifier();
1781 if (Func->getNumParams() < 2 || Func->getNumParams() > 3)
1783 if (!isIteratorType(Func->getParamDecl(0)->getType()))
1785 return IdInfo->getName() == "insert";
1788 bool isEmplaceCall(const FunctionDecl *Func) {
1789 const auto *IdInfo = Func->getIdentifier();
1792 if (Func->getNumParams() < 2)
1794 if (!isIteratorType(Func->getParamDecl(0)->getType()))
1796 return IdInfo->getName() == "emplace";
1799 bool isEraseCall(const FunctionDecl *Func) {
1800 const auto *IdInfo = Func->getIdentifier();
1803 if (Func->getNumParams() < 1 || Func->getNumParams() > 2)
1805 if (!isIteratorType(Func->getParamDecl(0)->getType()))
1807 if (Func->getNumParams() == 2 &&
1808 !isIteratorType(Func->getParamDecl(1)->getType()))
1810 return IdInfo->getName() == "erase";
1813 bool isEraseAfterCall(const FunctionDecl *Func) {
1814 const auto *IdInfo = Func->getIdentifier();
1817 if (Func->getNumParams() < 1 || Func->getNumParams() > 2)
1819 if (!isIteratorType(Func->getParamDecl(0)->getType()))
1821 if (Func->getNumParams() == 2 &&
1822 !isIteratorType(Func->getParamDecl(1)->getType()))
1824 return IdInfo->getName() == "erase_after";
1827 bool isAssignmentOperator(OverloadedOperatorKind OK) { return OK == OO_Equal; }
1829 bool isSimpleComparisonOperator(OverloadedOperatorKind OK) {
1830 return OK == OO_EqualEqual || OK == OO_ExclaimEqual;
1833 bool isAccessOperator(OverloadedOperatorKind OK) {
1834 return isDereferenceOperator(OK) || isIncrementOperator(OK) ||
1835 isDecrementOperator(OK) || isRandomIncrOrDecrOperator(OK);
1838 bool isDereferenceOperator(OverloadedOperatorKind OK) {
1839 return OK == OO_Star || OK == OO_Arrow || OK == OO_ArrowStar ||
1843 bool isIncrementOperator(OverloadedOperatorKind OK) {
1844 return OK == OO_PlusPlus;
1847 bool isDecrementOperator(OverloadedOperatorKind OK) {
1848 return OK == OO_MinusMinus;
1851 bool isRandomIncrOrDecrOperator(OverloadedOperatorKind OK) {
1852 return OK == OO_Plus || OK == OO_PlusEqual || OK == OO_Minus ||
1853 OK == OO_MinusEqual;
1856 BinaryOperator::Opcode getOpcode(const SymExpr *SE) {
1857 if (const auto *BSE = dyn_cast<BinarySymExpr>(SE)) {
1858 return BSE->getOpcode();
1859 } else if (const auto *SC = dyn_cast<SymbolConjured>(SE)) {
1860 const auto *COE = dyn_cast_or_null<CXXOperatorCallExpr>(SC->getStmt());
1862 return BO_Comma; // Extremal value, neither EQ nor NE
1863 if (COE->getOperator() == OO_EqualEqual) {
1865 } else if (COE->getOperator() == OO_ExclaimEqual) {
1868 return BO_Comma; // Extremal value, neither EQ nor NE
1870 return BO_Comma; // Extremal value, neither EQ nor NE
1873 bool hasSubscriptOperator(ProgramStateRef State, const MemRegion *Reg) {
1874 const auto *CRD = getCXXRecordDecl(State, Reg);
1878 for (const auto *Method : CRD->methods()) {
1879 if (!Method->isOverloadedOperator())
1881 const auto OPK = Method->getOverloadedOperator();
1882 if (OPK == OO_Subscript) {
1889 bool frontModifiable(ProgramStateRef State, const MemRegion *Reg) {
1890 const auto *CRD = getCXXRecordDecl(State, Reg);
1894 for (const auto *Method : CRD->methods()) {
1895 if (!Method->getDeclName().isIdentifier())
1897 if (Method->getName() == "push_front" || Method->getName() == "pop_front") {
1904 bool backModifiable(ProgramStateRef State, const MemRegion *Reg) {
1905 const auto *CRD = getCXXRecordDecl(State, Reg);
1909 for (const auto *Method : CRD->methods()) {
1910 if (!Method->getDeclName().isIdentifier())
1912 if (Method->getName() == "push_back" || Method->getName() == "pop_back") {
1919 const CXXRecordDecl *getCXXRecordDecl(ProgramStateRef State,
1920 const MemRegion *Reg) {
1921 auto TI = getDynamicTypeInfo(State, Reg);
1925 auto Type = TI.getType();
1926 if (const auto *RefT = Type->getAs<ReferenceType>()) {
1927 Type = RefT->getPointeeType();
1930 return Type->getUnqualifiedDesugaredType()->getAsCXXRecordDecl();
1933 const RegionOrSymbol getRegionOrSymbol(const SVal &Val) {
1934 if (const auto Reg = Val.getAsRegion()) {
1936 } else if (const auto Sym = Val.getAsSymbol()) {
1938 } else if (const auto LCVal = Val.getAs<nonloc::LazyCompoundVal>()) {
1939 return LCVal->getRegion();
1941 return RegionOrSymbol();
1944 const ProgramStateRef processComparison(ProgramStateRef State,
1945 RegionOrSymbol LVal,
1946 RegionOrSymbol RVal, bool Equal) {
1947 const auto *LPos = getIteratorPosition(State, LVal);
1948 const auto *RPos = getIteratorPosition(State, RVal);
1949 if (LPos && !RPos) {
1950 State = adjustIteratorPosition(State, RVal, *LPos, Equal);
1951 } else if (!LPos && RPos) {
1952 State = adjustIteratorPosition(State, LVal, *RPos, Equal);
1953 } else if (LPos && RPos) {
1954 State = relateIteratorPositions(State, *LPos, *RPos, Equal);
1959 const ProgramStateRef saveComparison(ProgramStateRef State,
1960 const SymExpr *Condition, const SVal &LVal,
1961 const SVal &RVal, bool Eq) {
1962 const auto Left = getRegionOrSymbol(LVal);
1963 const auto Right = getRegionOrSymbol(RVal);
1964 if (!Left || !Right)
1966 return State->set<IteratorComparisonMap>(Condition,
1967 IteratorComparison(Left, Right, Eq));
1970 const IteratorComparison *loadComparison(ProgramStateRef State,
1971 const SymExpr *Condition) {
1972 return State->get<IteratorComparisonMap>(Condition);
1975 SymbolRef getContainerBegin(ProgramStateRef State, const MemRegion *Cont) {
1976 const auto *CDataPtr = getContainerData(State, Cont);
1980 return CDataPtr->getBegin();
1983 SymbolRef getContainerEnd(ProgramStateRef State, const MemRegion *Cont) {
1984 const auto *CDataPtr = getContainerData(State, Cont);
1988 return CDataPtr->getEnd();
1991 ProgramStateRef createContainerBegin(ProgramStateRef State,
1992 const MemRegion *Cont,
1993 const SymbolRef Sym) {
1994 // Only create if it does not exist
1995 const auto *CDataPtr = getContainerData(State, Cont);
1997 if (CDataPtr->getBegin()) {
2000 const auto CData = CDataPtr->newBegin(Sym);
2001 return setContainerData(State, Cont, CData);
2003 const auto CData = ContainerData::fromBegin(Sym);
2004 return setContainerData(State, Cont, CData);
2007 ProgramStateRef createContainerEnd(ProgramStateRef State, const MemRegion *Cont,
2008 const SymbolRef Sym) {
2009 // Only create if it does not exist
2010 const auto *CDataPtr = getContainerData(State, Cont);
2012 if (CDataPtr->getEnd()) {
2015 const auto CData = CDataPtr->newEnd(Sym);
2016 return setContainerData(State, Cont, CData);
2018 const auto CData = ContainerData::fromEnd(Sym);
2019 return setContainerData(State, Cont, CData);
2022 const ContainerData *getContainerData(ProgramStateRef State,
2023 const MemRegion *Cont) {
2024 return State->get<ContainerMap>(Cont);
2027 ProgramStateRef setContainerData(ProgramStateRef State, const MemRegion *Cont,
2028 const ContainerData &CData) {
2029 return State->set<ContainerMap>(Cont, CData);
2032 const IteratorPosition *getIteratorPosition(ProgramStateRef State,
2034 if (auto Reg = Val.getAsRegion()) {
2035 Reg = Reg->getMostDerivedObjectRegion();
2036 return State->get<IteratorRegionMap>(Reg);
2037 } else if (const auto Sym = Val.getAsSymbol()) {
2038 return State->get<IteratorSymbolMap>(Sym);
2039 } else if (const auto LCVal = Val.getAs<nonloc::LazyCompoundVal>()) {
2040 return State->get<IteratorRegionMap>(LCVal->getRegion());
2045 const IteratorPosition *getIteratorPosition(ProgramStateRef State,
2046 RegionOrSymbol RegOrSym) {
2047 if (RegOrSym.is<const MemRegion *>()) {
2048 auto Reg = RegOrSym.get<const MemRegion *>()->getMostDerivedObjectRegion();
2049 return State->get<IteratorRegionMap>(Reg);
2050 } else if (RegOrSym.is<SymbolRef>()) {
2051 return State->get<IteratorSymbolMap>(RegOrSym.get<SymbolRef>());
2056 ProgramStateRef setIteratorPosition(ProgramStateRef State, const SVal &Val,
2057 const IteratorPosition &Pos) {
2058 if (auto Reg = Val.getAsRegion()) {
2059 Reg = Reg->getMostDerivedObjectRegion();
2060 return State->set<IteratorRegionMap>(Reg, Pos);
2061 } else if (const auto Sym = Val.getAsSymbol()) {
2062 return State->set<IteratorSymbolMap>(Sym, Pos);
2063 } else if (const auto LCVal = Val.getAs<nonloc::LazyCompoundVal>()) {
2064 return State->set<IteratorRegionMap>(LCVal->getRegion(), Pos);
2069 ProgramStateRef setIteratorPosition(ProgramStateRef State,
2070 RegionOrSymbol RegOrSym,
2071 const IteratorPosition &Pos) {
2072 if (RegOrSym.is<const MemRegion *>()) {
2073 auto Reg = RegOrSym.get<const MemRegion *>()->getMostDerivedObjectRegion();
2074 return State->set<IteratorRegionMap>(Reg, Pos);
2075 } else if (RegOrSym.is<SymbolRef>()) {
2076 return State->set<IteratorSymbolMap>(RegOrSym.get<SymbolRef>(), Pos);
2081 ProgramStateRef removeIteratorPosition(ProgramStateRef State, const SVal &Val) {
2082 if (auto Reg = Val.getAsRegion()) {
2083 Reg = Reg->getMostDerivedObjectRegion();
2084 return State->remove<IteratorRegionMap>(Reg);
2085 } else if (const auto Sym = Val.getAsSymbol()) {
2086 return State->remove<IteratorSymbolMap>(Sym);
2087 } else if (const auto LCVal = Val.getAs<nonloc::LazyCompoundVal>()) {
2088 return State->remove<IteratorRegionMap>(LCVal->getRegion());
2093 ProgramStateRef adjustIteratorPosition(ProgramStateRef State,
2094 RegionOrSymbol RegOrSym,
2095 const IteratorPosition &Pos,
2098 return setIteratorPosition(State, RegOrSym, Pos);
2104 ProgramStateRef relateIteratorPositions(ProgramStateRef State,
2105 const IteratorPosition &Pos1,
2106 const IteratorPosition &Pos2,
2108 auto &SVB = State->getStateManager().getSValBuilder();
2110 // FIXME: This code should be reworked as follows:
2111 // 1. Subtract the operands using evalBinOp().
2112 // 2. Assume that the result doesn't overflow.
2113 // 3. Compare the result to 0.
2114 // 4. Assume the result of the comparison.
2115 const auto comparison =
2116 SVB.evalBinOp(State, BO_EQ, nonloc::SymbolVal(Pos1.getOffset()),
2117 nonloc::SymbolVal(Pos2.getOffset()),
2118 SVB.getConditionType());
2120 assert(comparison.getAs<DefinedSVal>() &&
2121 "Symbol comparison must be a `DefinedSVal`");
2123 auto NewState = State->assume(comparison.castAs<DefinedSVal>(), Equal);
2124 if (const auto CompSym = comparison.getAsSymbol()) {
2125 assert(isa<SymIntExpr>(CompSym) &&
2126 "Symbol comparison must be a `SymIntExpr`");
2127 assert(BinaryOperator::isComparisonOp(
2128 cast<SymIntExpr>(CompSym)->getOpcode()) &&
2129 "Symbol comparison must be a comparison");
2130 return assumeNoOverflow(NewState, cast<SymIntExpr>(CompSym)->getLHS(), 2);
2136 bool hasLiveIterators(ProgramStateRef State, const MemRegion *Cont) {
2137 auto RegionMap = State->get<IteratorRegionMap>();
2138 for (const auto Reg : RegionMap) {
2139 if (Reg.second.getContainer() == Cont)
2143 auto SymbolMap = State->get<IteratorSymbolMap>();
2144 for (const auto Sym : SymbolMap) {
2145 if (Sym.second.getContainer() == Cont)
2152 bool isBoundThroughLazyCompoundVal(const Environment &Env,
2153 const MemRegion *Reg) {
2154 for (const auto Binding: Env) {
2155 if (const auto LCVal = Binding.second.getAs<nonloc::LazyCompoundVal>()) {
2156 if (LCVal->getRegion() == Reg)
2164 template <typename Condition, typename Process>
2165 ProgramStateRef processIteratorPositions(ProgramStateRef State, Condition Cond,
2167 auto &RegionMapFactory = State->get_context<IteratorRegionMap>();
2168 auto RegionMap = State->get<IteratorRegionMap>();
2169 bool Changed = false;
2170 for (const auto Reg : RegionMap) {
2171 if (Cond(Reg.second)) {
2172 RegionMap = RegionMapFactory.add(RegionMap, Reg.first, Proc(Reg.second));
2178 State = State->set<IteratorRegionMap>(RegionMap);
2180 auto &SymbolMapFactory = State->get_context<IteratorSymbolMap>();
2181 auto SymbolMap = State->get<IteratorSymbolMap>();
2183 for (const auto Sym : SymbolMap) {
2184 if (Cond(Sym.second)) {
2185 SymbolMap = SymbolMapFactory.add(SymbolMap, Sym.first, Proc(Sym.second));
2191 State = State->set<IteratorSymbolMap>(SymbolMap);
2196 ProgramStateRef invalidateAllIteratorPositions(ProgramStateRef State,
2197 const MemRegion *Cont) {
2198 auto MatchCont = [&](const IteratorPosition &Pos) {
2199 return Pos.getContainer() == Cont;
2201 auto Invalidate = [&](const IteratorPosition &Pos) {
2202 return Pos.invalidate();
2204 return processIteratorPositions(State, MatchCont, Invalidate);
2208 invalidateAllIteratorPositionsExcept(ProgramStateRef State,
2209 const MemRegion *Cont, SymbolRef Offset,
2210 BinaryOperator::Opcode Opc) {
2211 auto MatchContAndCompare = [&](const IteratorPosition &Pos) {
2212 return Pos.getContainer() == Cont &&
2213 !compare(State, Pos.getOffset(), Offset, Opc);
2215 auto Invalidate = [&](const IteratorPosition &Pos) {
2216 return Pos.invalidate();
2218 return processIteratorPositions(State, MatchContAndCompare, Invalidate);
2221 ProgramStateRef invalidateIteratorPositions(ProgramStateRef State,
2223 BinaryOperator::Opcode Opc) {
2224 auto Compare = [&](const IteratorPosition &Pos) {
2225 return compare(State, Pos.getOffset(), Offset, Opc);
2227 auto Invalidate = [&](const IteratorPosition &Pos) {
2228 return Pos.invalidate();
2230 return processIteratorPositions(State, Compare, Invalidate);
2233 ProgramStateRef invalidateIteratorPositions(ProgramStateRef State,
2235 BinaryOperator::Opcode Opc1,
2237 BinaryOperator::Opcode Opc2) {
2238 auto Compare = [&](const IteratorPosition &Pos) {
2239 return compare(State, Pos.getOffset(), Offset1, Opc1) &&
2240 compare(State, Pos.getOffset(), Offset2, Opc2);
2242 auto Invalidate = [&](const IteratorPosition &Pos) {
2243 return Pos.invalidate();
2245 return processIteratorPositions(State, Compare, Invalidate);
2248 ProgramStateRef reassignAllIteratorPositions(ProgramStateRef State,
2249 const MemRegion *Cont,
2250 const MemRegion *NewCont) {
2251 auto MatchCont = [&](const IteratorPosition &Pos) {
2252 return Pos.getContainer() == Cont;
2254 auto ReAssign = [&](const IteratorPosition &Pos) {
2255 return Pos.reAssign(NewCont);
2257 return processIteratorPositions(State, MatchCont, ReAssign);
2260 ProgramStateRef reassignAllIteratorPositionsUnless(ProgramStateRef State,
2261 const MemRegion *Cont,
2262 const MemRegion *NewCont,
2264 BinaryOperator::Opcode Opc) {
2265 auto MatchContAndCompare = [&](const IteratorPosition &Pos) {
2266 return Pos.getContainer() == Cont &&
2267 !compare(State, Pos.getOffset(), Offset, Opc);
2269 auto ReAssign = [&](const IteratorPosition &Pos) {
2270 return Pos.reAssign(NewCont);
2272 return processIteratorPositions(State, MatchContAndCompare, ReAssign);
2275 // This function rebases symbolic expression `OldSym + Int` to `NewSym + Int`,
2276 // `OldSym - Int` to `NewSym - Int` and `OldSym` to `NewSym` in any iterator
2277 // position offsets where `CondSym` is true.
2278 ProgramStateRef rebaseSymbolInIteratorPositionsIf(
2279 ProgramStateRef State, SValBuilder &SVB, SymbolRef OldSym,
2280 SymbolRef NewSym, SymbolRef CondSym, BinaryOperator::Opcode Opc) {
2281 auto LessThanEnd = [&](const IteratorPosition &Pos) {
2282 return compare(State, Pos.getOffset(), CondSym, Opc);
2284 auto RebaseSymbol = [&](const IteratorPosition &Pos) {
2285 return Pos.setTo(rebaseSymbol(State, SVB, Pos.getOffset(), OldSym,
2288 return processIteratorPositions(State, LessThanEnd, RebaseSymbol);
2291 // This function rebases symbolic expression `OldExpr + Int` to `NewExpr + Int`,
2292 // `OldExpr - Int` to `NewExpr - Int` and `OldExpr` to `NewExpr` in expression
2294 SymbolRef rebaseSymbol(ProgramStateRef State, SValBuilder &SVB,
2295 SymbolRef OrigExpr, SymbolRef OldExpr,
2297 auto &SymMgr = SVB.getSymbolManager();
2298 auto Diff = SVB.evalBinOpNN(State, BO_Sub, nonloc::SymbolVal(OrigExpr),
2299 nonloc::SymbolVal(OldExpr),
2300 SymMgr.getType(OrigExpr));
2302 const auto DiffInt = Diff.getAs<nonloc::ConcreteInt>();
2306 return SVB.evalBinOpNN(State, BO_Add, *DiffInt, nonloc::SymbolVal(NewSym),
2307 SymMgr.getType(OrigExpr)).getAsSymbol();
2310 bool isZero(ProgramStateRef State, const NonLoc &Val) {
2311 auto &BVF = State->getBasicVals();
2312 return compare(State, Val,
2313 nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(0))),
2317 bool isPastTheEnd(ProgramStateRef State, const IteratorPosition &Pos) {
2318 const auto *Cont = Pos.getContainer();
2319 const auto *CData = getContainerData(State, Cont);
2323 const auto End = CData->getEnd();
2325 if (isEqual(State, Pos.getOffset(), End)) {
2333 bool isAheadOfRange(ProgramStateRef State, const IteratorPosition &Pos) {
2334 const auto *Cont = Pos.getContainer();
2335 const auto *CData = getContainerData(State, Cont);
2339 const auto Beg = CData->getBegin();
2341 if (isLess(State, Pos.getOffset(), Beg)) {
2349 bool isBehindPastTheEnd(ProgramStateRef State, const IteratorPosition &Pos) {
2350 const auto *Cont = Pos.getContainer();
2351 const auto *CData = getContainerData(State, Cont);
2355 const auto End = CData->getEnd();
2357 if (isGreater(State, Pos.getOffset(), End)) {
2365 bool isLess(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2) {
2366 return compare(State, Sym1, Sym2, BO_LT);
2369 bool isGreater(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2) {
2370 return compare(State, Sym1, Sym2, BO_GT);
2373 bool isEqual(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2) {
2374 return compare(State, Sym1, Sym2, BO_EQ);
2377 bool compare(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2,
2378 BinaryOperator::Opcode Opc) {
2379 return compare(State, nonloc::SymbolVal(Sym1), nonloc::SymbolVal(Sym2), Opc);
2383 bool compare(ProgramStateRef State, NonLoc NL1, NonLoc NL2,
2384 BinaryOperator::Opcode Opc) {
2385 auto &SVB = State->getStateManager().getSValBuilder();
2387 const auto comparison =
2388 SVB.evalBinOp(State, Opc, NL1, NL2, SVB.getConditionType());
2390 assert(comparison.getAs<DefinedSVal>() &&
2391 "Symbol comparison must be a `DefinedSVal`");
2393 return !State->assume(comparison.castAs<DefinedSVal>(), false);
2398 #define REGISTER_CHECKER(name) \
2399 void ento::register##name(CheckerManager &Mgr) { \
2400 auto *checker = Mgr.registerChecker<IteratorChecker>(); \
2401 checker->ChecksEnabled[IteratorChecker::CK_##name] = true; \
2402 checker->CheckNames[IteratorChecker::CK_##name] = \
2403 Mgr.getCurrentCheckName(); \
2406 REGISTER_CHECKER(IteratorRangeChecker)
2407 REGISTER_CHECKER(MismatchedIteratorChecker)
2408 REGISTER_CHECKER(InvalidatedIteratorChecker)
projects / FreeBSD / FreeBSD.git / blob