1 //===-- STLAlgorithmModeling.cpp -----------------------------------*- C++ -*--//
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
7 //===----------------------------------------------------------------------===//
9 // Models STL algorithms.
11 //===----------------------------------------------------------------------===//
13 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
14 #include "clang/StaticAnalyzer/Core/Checker.h"
15 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
16 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20 using namespace clang;
22 using namespace iterator;
26 class STLAlgorithmModeling : public Checker<eval::Call> {
27 bool evalFind(CheckerContext &C, const CallExpr *CE) const;
29 void Find(CheckerContext &C, const CallExpr *CE, unsigned paramNum) const;
31 using FnCheck = bool (STLAlgorithmModeling::*)(CheckerContext &,
32 const CallExpr *) const;
34 const CallDescriptionMap<FnCheck> Callbacks = {
35 {{{"std", "find"}, 3}, &STLAlgorithmModeling::evalFind},
36 {{{"std", "find"}, 4}, &STLAlgorithmModeling::evalFind},
37 {{{"std", "find_if"}, 3}, &STLAlgorithmModeling::evalFind},
38 {{{"std", "find_if"}, 4}, &STLAlgorithmModeling::evalFind},
39 {{{"std", "find_if_not"}, 3}, &STLAlgorithmModeling::evalFind},
40 {{{"std", "find_if_not"}, 4}, &STLAlgorithmModeling::evalFind},
41 {{{"std", "find_first_of"}, 4}, &STLAlgorithmModeling::evalFind},
42 {{{"std", "find_first_of"}, 5}, &STLAlgorithmModeling::evalFind},
43 {{{"std", "find_first_of"}, 6}, &STLAlgorithmModeling::evalFind},
44 {{{"std", "find_end"}, 4}, &STLAlgorithmModeling::evalFind},
45 {{{"std", "find_end"}, 5}, &STLAlgorithmModeling::evalFind},
46 {{{"std", "find_end"}, 6}, &STLAlgorithmModeling::evalFind},
47 {{{"std", "lower_bound"}, 3}, &STLAlgorithmModeling::evalFind},
48 {{{"std", "lower_bound"}, 4}, &STLAlgorithmModeling::evalFind},
49 {{{"std", "upper_bound"}, 3}, &STLAlgorithmModeling::evalFind},
50 {{{"std", "upper_bound"}, 4}, &STLAlgorithmModeling::evalFind},
51 {{{"std", "search"}, 3}, &STLAlgorithmModeling::evalFind},
52 {{{"std", "search"}, 4}, &STLAlgorithmModeling::evalFind},
53 {{{"std", "search"}, 5}, &STLAlgorithmModeling::evalFind},
54 {{{"std", "search"}, 6}, &STLAlgorithmModeling::evalFind},
55 {{{"std", "search_n"}, 4}, &STLAlgorithmModeling::evalFind},
56 {{{"std", "search_n"}, 5}, &STLAlgorithmModeling::evalFind},
57 {{{"std", "search_n"}, 6}, &STLAlgorithmModeling::evalFind},
61 STLAlgorithmModeling() = default;
63 bool AggressiveStdFindModeling;
65 bool evalCall(const CallEvent &Call, CheckerContext &C) const;
68 bool STLAlgorithmModeling::evalCall(const CallEvent &Call,
69 CheckerContext &C) const {
70 const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
74 const FnCheck *Handler = Callbacks.lookup(Call);
78 return (this->**Handler)(C, CE);
81 bool STLAlgorithmModeling::evalFind(CheckerContext &C,
82 const CallExpr *CE) const {
83 // std::find()-like functions either take their primary range in the first
84 // two parameters, or if the first parameter is "execution policy" then in
85 // the second and third. This means that the second parameter must always be
87 if (!isIteratorType(CE->getArg(1)->getType()))
90 // If no "execution policy" parameter is used then the first argument is the
91 // beginning of the range.
92 if (isIteratorType(CE->getArg(0)->getType())) {
97 // If "execution policy" parameter is used then the second argument is the
98 // beginning of the range.
99 if (isIteratorType(CE->getArg(2)->getType())) {
107 void STLAlgorithmModeling::Find(CheckerContext &C, const CallExpr *CE,
108 unsigned paramNum) const {
109 auto State = C.getState();
110 auto &SVB = C.getSValBuilder();
111 const auto *LCtx = C.getLocationContext();
113 SVal RetVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
114 SVal Param = State->getSVal(CE->getArg(paramNum), LCtx);
116 auto StateFound = State->BindExpr(CE, LCtx, RetVal);
118 // If we have an iterator position for the range-begin argument then we can
119 // assume that in case of successful search the position of the found element
120 // is not ahead of it.
121 // FIXME: Reverse iterators
122 const auto *Pos = getIteratorPosition(State, Param);
124 StateFound = createIteratorPosition(StateFound, RetVal, Pos->getContainer(),
125 CE, LCtx, C.blockCount());
126 const auto *NewPos = getIteratorPosition(StateFound, RetVal);
127 assert(NewPos && "Failed to create new iterator position.");
129 SVal GreaterOrEqual = SVB.evalBinOp(StateFound, BO_GE,
130 nonloc::SymbolVal(NewPos->getOffset()),
131 nonloc::SymbolVal(Pos->getOffset()),
132 SVB.getConditionType());
133 assert(GreaterOrEqual.getAs<DefinedSVal>() &&
134 "Symbol comparison must be a `DefinedSVal`");
135 StateFound = StateFound->assume(GreaterOrEqual.castAs<DefinedSVal>(), true);
138 Param = State->getSVal(CE->getArg(paramNum + 1), LCtx);
140 // If we have an iterator position for the range-end argument then we can
141 // assume that in case of successful search the position of the found element
143 // FIXME: Reverse iterators
144 Pos = getIteratorPosition(State, Param);
146 StateFound = createIteratorPosition(StateFound, RetVal, Pos->getContainer(),
147 CE, LCtx, C.blockCount());
148 const auto *NewPos = getIteratorPosition(StateFound, RetVal);
149 assert(NewPos && "Failed to create new iterator position.");
151 SVal Less = SVB.evalBinOp(StateFound, BO_LT,
152 nonloc::SymbolVal(NewPos->getOffset()),
153 nonloc::SymbolVal(Pos->getOffset()),
154 SVB.getConditionType());
155 assert(Less.getAs<DefinedSVal>() &&
156 "Symbol comparison must be a `DefinedSVal`");
157 StateFound = StateFound->assume(Less.castAs<DefinedSVal>(), true);
160 C.addTransition(StateFound);
162 if (AggressiveStdFindModeling) {
163 auto StateNotFound = State->BindExpr(CE, LCtx, Param);
164 C.addTransition(StateNotFound);
170 void ento::registerSTLAlgorithmModeling(CheckerManager &Mgr) {
171 auto *Checker = Mgr.registerChecker<STLAlgorithmModeling>();
172 Checker->AggressiveStdFindModeling =
173 Mgr.getAnalyzerOptions().getCheckerBooleanOption(Checker,
174 "AggressiveStdFindModeling");
177 bool ento::shouldRegisterSTLAlgorithmModeling(const CheckerManager &mgr) {