1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
| //===- DynamicType.cpp - Dynamic type related APIs --------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines APIs that track and query dynamic type information. This
// information can be used to devirtualize calls during the symbolic execution
// or do type checking.
//
//===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
#include "clang/Basic/JsonSupport.h"
#include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
#include "llvm/Support/Casting.h"
#include "llvm/Support/raw_ostream.h"
#include <cassert>
/// The GDM component containing the dynamic type info. This is a map from a
/// symbol to its most likely type.
REGISTER_MAP_WITH_PROGRAMSTATE(DynamicTypeMap, const clang::ento::MemRegion *,
clang::ento::DynamicTypeInfo)
/// A set factory of dynamic cast informations.
REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(CastSet, clang::ento::DynamicCastInfo)
/// A map from symbols to cast informations.
REGISTER_MAP_WITH_PROGRAMSTATE(DynamicCastMap, const clang::ento::MemRegion *,
CastSet)
namespace clang {
namespace ento {
DynamicTypeInfo getDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR) {
MR = MR->StripCasts();
// Look up the dynamic type in the GDM.
if (const DynamicTypeInfo *DTI = State->get<DynamicTypeMap>(MR))
return *DTI;
// Otherwise, fall back to what we know about the region.
if (const auto *TR = dyn_cast<TypedRegion>(MR))
return DynamicTypeInfo(TR->getLocationType(), /*CanBeSub=*/false);
if (const auto *SR = dyn_cast<SymbolicRegion>(MR)) {
SymbolRef Sym = SR->getSymbol();
return DynamicTypeInfo(Sym->getType());
}
return {};
}
const DynamicTypeInfo *getRawDynamicTypeInfo(ProgramStateRef State,
const MemRegion *MR) {
return State->get<DynamicTypeMap>(MR);
}
const DynamicCastInfo *getDynamicCastInfo(ProgramStateRef State,
const MemRegion *MR,
QualType CastFromTy,
QualType CastToTy) {
const auto *Lookup = State->get<DynamicCastMap>().lookup(MR);
if (!Lookup)
return nullptr;
for (const DynamicCastInfo &Cast : *Lookup)
if (Cast.equals(CastFromTy, CastToTy))
return &Cast;
return nullptr;
}
ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
DynamicTypeInfo NewTy) {
State = State->set<DynamicTypeMap>(MR->StripCasts(), NewTy);
assert(State);
return State;
}
ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
QualType NewTy, bool CanBeSubClassed) {
return setDynamicTypeInfo(State, MR, DynamicTypeInfo(NewTy, CanBeSubClassed));
}
ProgramStateRef setDynamicTypeAndCastInfo(ProgramStateRef State,
const MemRegion *MR,
QualType CastFromTy,
QualType CastToTy,
bool CastSucceeds) {
if (!MR)
return State;
if (CastSucceeds) {
assert((CastToTy->isAnyPointerType() || CastToTy->isReferenceType()) &&
"DynamicTypeInfo should always be a pointer.");
State = State->set<DynamicTypeMap>(MR, CastToTy);
}
DynamicCastInfo::CastResult ResultKind =
CastSucceeds ? DynamicCastInfo::CastResult::Success
: DynamicCastInfo::CastResult::Failure;
CastSet::Factory &F = State->get_context<CastSet>();
const CastSet *TempSet = State->get<DynamicCastMap>(MR);
CastSet Set = TempSet ? *TempSet : F.getEmptySet();
Set = F.add(Set, {CastFromTy, CastToTy, ResultKind});
State = State->set<DynamicCastMap>(MR, Set);
assert(State);
return State;
}
template <typename MapTy>
ProgramStateRef removeDead(ProgramStateRef State, const MapTy &Map,
SymbolReaper &SR) {
for (const auto &Elem : Map)
if (!SR.isLiveRegion(Elem.first))
State = State->remove<DynamicCastMap>(Elem.first);
return State;
}
ProgramStateRef removeDeadTypes(ProgramStateRef State, SymbolReaper &SR) {
return removeDead(State, State->get<DynamicTypeMap>(), SR);
}
ProgramStateRef removeDeadCasts(ProgramStateRef State, SymbolReaper &SR) {
return removeDead(State, State->get<DynamicCastMap>(), SR);
}
static void printDynamicTypesJson(raw_ostream &Out, ProgramStateRef State,
const char *NL, unsigned int Space,
bool IsDot) {
Indent(Out, Space, IsDot) << "\"dynamic_types\": ";
const DynamicTypeMapTy &Map = State->get<DynamicTypeMap>();
if (Map.isEmpty()) {
Out << "null," << NL;
return;
}
++Space;
Out << '[' << NL;
for (DynamicTypeMapTy::iterator I = Map.begin(); I != Map.end(); ++I) {
const MemRegion *MR = I->first;
const DynamicTypeInfo &DTI = I->second;
Indent(Out, Space, IsDot)
<< "{ \"region\": \"" << MR << "\", \"dyn_type\": ";
if (!DTI.isValid()) {
Out << "null";
} else {
Out << '\"' << DTI.getType()->getPointeeType().getAsString()
<< "\", \"sub_classable\": "
<< (DTI.canBeASubClass() ? "true" : "false");
}
Out << " }";
if (std::next(I) != Map.end())
Out << ',';
Out << NL;
}
--Space;
Indent(Out, Space, IsDot) << "]," << NL;
}
static void printDynamicCastsJson(raw_ostream &Out, ProgramStateRef State,
const char *NL, unsigned int Space,
bool IsDot) {
Indent(Out, Space, IsDot) << "\"dynamic_casts\": ";
const DynamicCastMapTy &Map = State->get<DynamicCastMap>();
if (Map.isEmpty()) {
Out << "null," << NL;
return;
}
++Space;
Out << '[' << NL;
for (DynamicCastMapTy::iterator I = Map.begin(); I != Map.end(); ++I) {
const MemRegion *MR = I->first;
const CastSet &Set = I->second;
Indent(Out, Space, IsDot) << "{ \"region\": \"" << MR << "\", \"casts\": ";
if (Set.isEmpty()) {
Out << "null ";
} else {
++Space;
Out << '[' << NL;
for (CastSet::iterator SI = Set.begin(); SI != Set.end(); ++SI) {
Indent(Out, Space, IsDot)
<< "{ \"from\": \"" << SI->from().getAsString() << "\", \"to\": \""
<< SI->to().getAsString() << "\", \"kind\": \""
<< (SI->succeeds() ? "success" : "fail") << "\" }";
if (std::next(SI) != Set.end())
Out << ',';
Out << NL;
}
--Space;
Indent(Out, Space, IsDot) << ']';
}
Out << '}';
if (std::next(I) != Map.end())
Out << ',';
Out << NL;
}
--Space;
Indent(Out, Space, IsDot) << "]," << NL;
}
void printDynamicTypeInfoJson(raw_ostream &Out, ProgramStateRef State,
const char *NL, unsigned int Space, bool IsDot) {
printDynamicTypesJson(Out, State, NL, Space, IsDot);
printDynamicCastsJson(Out, State, NL, Space, IsDot);
}
} // namespace ento
} // namespace clang
|