Merge clang, llvm, lld, lldb, compiler-rt and libc++ 5.0.0 release.

MFC r309126 (by emaste): Correct lld llvm-tblgen dependency file name MFC r309169: Get rid of separate Subversion mergeinfo properties for llvm-dwarfdump and llvm-lto. The mergeinfo confuses Subversion enormously, and these directories will just use the mergeinfo for llvm itself. MFC r312765: Pull in r276136 from upstream llvm trunk (by Wei Mi): Use ValueOffsetPair to enhance value reuse during SCEV expansion. In D12090, the ExprValueMap was added to reuse existing value during SCEV expansion. However, const folding and sext/zext distribution can make the reuse still difficult. A simplified case is: suppose we know S1 expands to V1 in ExprValueMap, and S1 = S2 + C_a S3 = S2 + C_b where C_a and C_b are different SCEVConstants. Then we'd like to expand S3 as V1 - C_a + C_b instead of expanding S2 literally. It is helpful when S2 is a complex SCEV expr and S2 has no entry in ExprValueMap, which is usually caused by the fact that S3 is generated from S1 after const folding. In order to do that, we represent ExprValueMap as a mapping from SCEV to ValueOffsetPair. We will save both S1->{V1, 0} and S2->{V1, C_a} into the ExprValueMap when we create SCEV for V1. When S3 is expanded, it will first expand S2 to V1 - C_a because of S2->{V1, C_a} in the map, then expand S3 to V1 - C_a + C_b. Differential Revision: https://reviews.llvm.org/D21313 This should fix assertion failures when building OpenCV >= 3.1. PR: 215649 MFC r312831: Revert r312765 for now, since it causes assertions when building lang/spidermonkey24. Reported by: antoine PR: 215649 MFC r316511 (by jhb): Add an implementation of __ffssi2() derived from __ffsdi2(). Newer versions of GCC include an __ffssi2() symbol in libgcc and the compiler can emit calls to it in generated code. This is true for at least GCC 6.2 when compiling world for mips and mips64. Reviewed by: jmallett, dim Sponsored by: DARPA / AFRL Differential Revision: https://reviews.freebsd.org/D10086 MFC r318601 (by adrian): [libcompiler-rt] add bswapdi2/bswapsi2 This is required for mips gcc 6.3 userland to build/run. Reviewed by: emaste, dim Approved by: emaste Differential Revision: https://reviews.freebsd.org/D10838 MFC r318884 (by emaste): lldb: map TRAP_CAP to a trace trap In the absense of a more specific handler for TRAP_CAP (generated by ENOTCAPABLE or ECAPMODE while in capability mode) treat it as a trace trap. Example usage (testing the bug in PR219173): % proccontrol -m trapcap lldb usr.bin/hexdump/obj/hexdump -- -Cv -s 1 /bin/ls ... (lldb) run Process 12980 launching Process 12980 launched: '.../usr.bin/hexdump/obj/hexdump' (x86_64) Process 12980 stopped * thread #1, stop reason = trace frame #0: 0x0000004b80c65f1a libc.so.7`__sys_lseek + 10 ... In the future we should have LLDB control the trapcap procctl itself (as it does with ASLR), as well as report a specific stop reason. This change eliminates an assertion failure from LLDB for now. MFC r319796: Remove a few unneeded files from libllvm, libclang and liblldb. MFC r319885 (by emaste): lld: ELF: Fix ICF crash on absolute symbol relocations. If two sections contained relocations to absolute symbols with the same value we would crash when trying to access their sections. Add a check that both symbols point to sections before accessing their sections, and treat absolute symbols as equal if their values are equal. Obtained from: LLD commit r292578 MFC r319918: Revert r319796 for now, it can cause undefined references when linking in some circumstances. Reported by: Shawn Webb <shawn.webb@hardenedbsd.org> MFC r319957 (by emaste): lld: Add armelf emulation mode Obtained from: LLD r305375 MFC r321369: Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to 5.0.0 (trunk r308421). Upstream has branched for the 5.0.0 release, which should be in about a month. Please report bugs and regressions, so we can get them into the release. Please note that from 3.5.0 onwards, clang, llvm and lldb require C++11 support to build; see UPDATING for more information. MFC r321420: Add a few more object files to liblldb, which should solve errors when linking the lldb executable in some cases. In particular, when the -ffunction-sections -fdata-sections options are turned off, or ineffective. Reported by: Shawn Webb, Mark Millard MFC r321433: Cleanup stale Options.inc files from the previous libllvm build for clang 4.0.0. Otherwise, these can get included before the two newly generated ones (which are different) for clang 5.0.0. Reported by: Mark Millard MFC r321439 (by bdrewery): Move llvm Options.inc hack from r321433 for NO_CLEAN to lib/clang/libllvm. The files are only ever generated to .OBJDIR, not to WORLDTMP (as a sysroot) and are only ever included from a compilation. So using a beforebuild target here removes the file before the compilation tries to include it. MFC r321664: Pull in r308891 from upstream llvm trunk (by Benjamin Kramer): [CodeGenPrepare] Cut off FindAllMemoryUses if there are too many uses. This avoids excessive compile time. The case I'm looking at is Function.cpp from an old version of LLVM that still had the giant memcmp string matcher in it. Before r308322 this compiled in about 2 minutes, after it, clang takes infinite* time to compile it. With this patch we're at 5 min, which is still bad but this is a pathological case. The cut off at 20 uses was chosen by looking at other cut-offs in LLVM for user scanning. It's probably too high, but does the job and is very unlikely to regress anything. Fixes PR33900. * I'm impatient and aborted after 15 minutes, on the bug report it was killed after 2h. Pull in r308986 from upstream llvm trunk (by Simon Pilgrim): [X86][CGP] Reduce memcmp() expansion to 2 load pairs (PR33914) D35067/rL308322 attempted to support up to 4 load pairs for memcmp inlining which resulted in regressions for some optimized libc memcmp implementations (PR33914). Until we can match these more optimal cases, this patch reduces the memcmp expansion to a maximum of 2 load pairs (which matches what we do for -Os). This patch should be considered for the 5.0.0 release branch as well Differential Revision: https://reviews.llvm.org/D35830 These fix a hang (or extremely long compile time) when building older LLVM ports. Reported by: antoine PR: 219139 MFC r321719: Pull in r309503 from upstream clang trunk (by Richard Smith): PR33902: Invalidate line number cache when adding more text to existing buffer. This led to crashes as the line number cache would report a bogus line number for a line of code, and we'd try to find a nonexistent column within the line when printing diagnostics. This fixes an assertion when building the graphics/champlain port. Reported by: antoine, kwm PR: 219139 MFC r321723: Upgrade our copies of clang, llvm, lld and lldb to r309439 from the upstream release_50 branch. This is just after upstream's 5.0.0-rc1. MFC r322320: Upgrade our copies of clang, llvm and libc++ to r310316 from the upstream release_50 branch. MFC r322326 (by emaste): lldb: Make i386-*-freebsd expression work on JIT path * Enable i386 ABI creation for freebsd * Added an extra argument in ABISysV_i386::PrepareTrivialCall for mmap syscall * Unlike linux, the last argument of mmap is actually 64-bit(off_t). This requires us to push an additional word for the higher order bits. * Prior to this change, ktrace dump will show mmap failures due to invalid argument coming from the 6th mmap argument. Submitted by: Karnajit Wangkhem Differential Revision: https://reviews.llvm.org/D34776 MFC r322360 (by emaste): lldb: Report inferior signals as signals, not exceptions, on FreeBSD This is the FreeBSD equivalent of LLVM r238549. This serves 2 purposes: * LLDB should handle inferior process signals SIGSEGV/SIGILL/SIGBUS/ SIGFPE the way it is suppose to be handled. Prior to this fix these signals will neither create a coredump, nor exit from the debugger or work for signal handling scenario. * eInvalidCrashReason need not report "unknown crash reason" if we have a valid si_signo llvm.org/pr23699 Patch by Karnajit Wangkhem Differential Revision: https://reviews.llvm.org/D35223 Submitted by: Karnajit Wangkhem Obtained from: LLVM r310591 MFC r322474 (by emaste): lld: Add `-z muldefs` option. Obtained from: LLVM r310757 MFC r322740: Upgrade our copies of clang, llvm, lld and libc++ to r311219 from the upstream release_50 branch. MFC r322855: Upgrade our copies of clang, llvm, lldb and compiler-rt to r311606 from the upstream release_50 branch. As of this version, lib/msun's trig test should also work correctly again (see bug 220989 for more information). PR: 220989 MFC r323112: Upgrade our copies of clang, llvm, lldb and compiler-rt to r312293 from the upstream release_50 branch. This corresponds to 5.0.0 rc4. As of this version, the cad/stepcode port should now compile in a more reasonable time on i386 (see bug 221836 for more information). PR: 221836 MFC r323245: Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to 5.0.0 release (upstream r312559). Release notes for llvm, clang and lld will be available here soon: <http://releases.llvm.org/5.0.0/docs/ReleaseNotes.html> <http://releases.llvm.org/5.0.0/tools/clang/docs/ReleaseNotes.html> <http://releases.llvm.org/5.0.0/tools/lld/docs/ReleaseNotes.html> Relnotes: yes (cherry picked from commit 12cd91cf4c6b96a24427c0de5374916f2808d263)
author: dim <dim@FreeBSD.org> 2017-09-26 19:56:36 +0000
committer: Luiz Souza <luiz@netgate.com> 2018-02-21 15:12:19 -0300
commit: 1dcd2e8d24b295bc73e513acec2ed1514bb66be4 (patch)
tree: 4bd13a34c251e980e1a6b13584ca1f63b0dfe670 /contrib/llvm/tools/clang/lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
parent: f45541ca2a56a1ba1202f94c080b04e96c1fa239 (diff)
download: FreeBSD-src-1dcd2e8d24b295bc73e513acec2ed1514bb66be4.zip
FreeBSD-src-1dcd2e8d24b295bc73e513acec2ed1514bb66be4.tar.gz
1 files changed, 481 insertions, 0 deletions
diff --git a/contrib/llvm/tools/clang/lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp b/contrib/llvm/tools/clang/lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
new file mode 100644
index 0000000..decc552
--- /dev/null
+++ b/contrib/llvm/tools/clang/lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
@@ -0,0 +1,481 @@
+// MisusedMovedObjectChecker.cpp - Check use of moved-from objects. - C++ -===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// This defines checker which checks for potential misuses of a moved-from
+// object. That means method calls on the object or copying it in moved-from
+// state.
+//
+//===----------------------------------------------------------------------===//
+
+#include "ClangSACheckers.h"
+#include "clang/AST/ExprCXX.h"
+#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
+#include "clang/StaticAnalyzer/Core/Checker.h"
+#include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+
+using namespace clang;
+using namespace ento;
+
+namespace {
+
+struct RegionState {
+private:
+  enum Kind { Moved, Reported } K;
+  RegionState(Kind InK) : K(InK) {}
+
+public:
+  bool isReported() const { return K == Reported; }
+  bool isMoved() const { return K == Moved; }
+
+  static RegionState getReported() { return RegionState(Reported); }
+  static RegionState getMoved() { return RegionState(Moved); }
+
+  bool operator==(const RegionState &X) const { return K == X.K; }
+  void Profile(llvm::FoldingSetNodeID &ID) const { ID.AddInteger(K); }
+};
+
+class MisusedMovedObjectChecker
+    : public Checker<check::PreCall, check::PostCall, check::EndFunction,
+                     check::DeadSymbols, check::RegionChanges> {
+public:
+  void checkEndFunction(CheckerContext &C) const;
+  void checkPreCall(const CallEvent &MC, CheckerContext &C) const;
+  void checkPostCall(const CallEvent &MC, CheckerContext &C) const;
+  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
+  ProgramStateRef
+  checkRegionChanges(ProgramStateRef State,
+                     const InvalidatedSymbols *Invalidated,
+                     ArrayRef<const MemRegion *> ExplicitRegions,
+                     ArrayRef<const MemRegion *> Regions,
+                     const LocationContext *LCtx, const CallEvent *Call) const;
+
+private:
+  class MovedBugVisitor : public BugReporterVisitorImpl<MovedBugVisitor> {
+  public:
+    MovedBugVisitor(const MemRegion *R) : Region(R), Found(false) {}
+
+    void Profile(llvm::FoldingSetNodeID &ID) const override {
+      static int X = 0;
+      ID.AddPointer(&X);
+      ID.AddPointer(Region);
+    }
+
+    std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
+                                                   const ExplodedNode *PrevN,
+                                                   BugReporterContext &BRC,
+                                                   BugReport &BR) override;
+
+  private:
+    // The tracked region.
+    const MemRegion *Region;
+    bool Found;
+  };
+
+  mutable std::unique_ptr<BugType> BT;
+  ExplodedNode *reportBug(const MemRegion *Region, const CallEvent &Call,
+                          CheckerContext &C, bool isCopy) const;
+  bool isInMoveSafeContext(const LocationContext *LC) const;
+  bool isStateResetMethod(const CXXMethodDecl *MethodDec) const;
+  bool isMoveSafeMethod(const CXXMethodDecl *MethodDec) const;
+  const ExplodedNode *getMoveLocation(const ExplodedNode *N,
+                                      const MemRegion *Region,
+                                      CheckerContext &C) const;
+};
+} // end anonymous namespace
+
+REGISTER_MAP_WITH_PROGRAMSTATE(TrackedRegionMap, const MemRegion *, RegionState)
+
+// If a region is removed all of the subregions needs to be removed too.
+static ProgramStateRef removeFromState(ProgramStateRef State,
+                                       const MemRegion *Region) {
+  if (!Region)
+    return State;
+  // Note: The isSubRegionOf function is not reflexive.
+  State = State->remove<TrackedRegionMap>(Region);
+  for (auto &E : State->get<TrackedRegionMap>()) {
+    if (E.first->isSubRegionOf(Region))
+      State = State->remove<TrackedRegionMap>(E.first);
+  }
+  return State;
+}
+
+static bool isAnyBaseRegionReported(ProgramStateRef State,
+                                    const MemRegion *Region) {
+  for (auto &E : State->get<TrackedRegionMap>()) {
+    if (Region->isSubRegionOf(E.first) && E.second.isReported())
+      return true;
+  }
+  return false;
+}
+
+std::shared_ptr<PathDiagnosticPiece>
+MisusedMovedObjectChecker::MovedBugVisitor::VisitNode(const ExplodedNode *N,
+                                                      const ExplodedNode *PrevN,
+                                                      BugReporterContext &BRC,
+                                                      BugReport &BR) {
+  // We need only the last move of the reported object's region.
+  // The visitor walks the ExplodedGraph backwards.
+  if (Found)
+    return nullptr;
+  ProgramStateRef State = N->getState();
+  ProgramStateRef StatePrev = PrevN->getState();
+  const RegionState *TrackedObject = State->get<TrackedRegionMap>(Region);
+  const RegionState *TrackedObjectPrev =
+      StatePrev->get<TrackedRegionMap>(Region);
+  if (!TrackedObject)
+    return nullptr;
+  if (TrackedObjectPrev && TrackedObject)
+    return nullptr;
+
+  // Retrieve the associated statement.
+  const Stmt *S = PathDiagnosticLocation::getStmt(N);
+  if (!S)
+    return nullptr;
+  Found = true;
+
+  std::string ObjectName;
+  if (const auto DecReg = Region->getAs<DeclRegion>()) {
+    const auto *RegionDecl = dyn_cast<NamedDecl>(DecReg->getDecl());
+    ObjectName = RegionDecl->getNameAsString();
+  }
+  std::string InfoText;
+  if (ObjectName != "")
+    InfoText = "'" + ObjectName + "' became 'moved-from' here";
+  else
+    InfoText = "Became 'moved-from' here";
+
+  // Generate the extra diagnostic.
+  PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
+                             N->getLocationContext());
+  return std::make_shared<PathDiagnosticEventPiece>(Pos, InfoText, true);
+}
+
+const ExplodedNode *MisusedMovedObjectChecker::getMoveLocation(
+    const ExplodedNode *N, const MemRegion *Region, CheckerContext &C) const {
+  // Walk the ExplodedGraph backwards and find the first node that referred to
+  // the tracked region.
+  const ExplodedNode *MoveNode = N;
+
+  while (N) {
+    ProgramStateRef State = N->getState();
+    if (!State->get<TrackedRegionMap>(Region))
+      break;
+    MoveNode = N;
+    N = N->pred_empty() ? nullptr : *(N->pred_begin());
+  }
+  return MoveNode;
+}
+
+ExplodedNode *MisusedMovedObjectChecker::reportBug(const MemRegion *Region,
+                                                   const CallEvent &Call,
+                                                   CheckerContext &C,
+                                                   bool isCopy = false) const {
+  if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
+    if (!BT)
+      BT.reset(new BugType(this, "Usage of a 'moved-from' object",
+                           "C++ move semantics"));
+
+    // Uniqueing report to the same object.
+    PathDiagnosticLocation LocUsedForUniqueing;
+    const ExplodedNode *MoveNode = getMoveLocation(N, Region, C);
+
+    if (const Stmt *MoveStmt = PathDiagnosticLocation::getStmt(MoveNode))
+      LocUsedForUniqueing = PathDiagnosticLocation::createBegin(
+          MoveStmt, C.getSourceManager(), MoveNode->getLocationContext());
+
+    // Creating the error message.
+    std::string ErrorMessage;
+    if (isCopy)
+      ErrorMessage = "Copying a 'moved-from' object";
+    else
+      ErrorMessage = "Method call on a 'moved-from' object";
+    if (const auto DecReg = Region->getAs<DeclRegion>()) {
+      const auto *RegionDecl = dyn_cast<NamedDecl>(DecReg->getDecl());
+      ErrorMessage += " '" + RegionDecl->getNameAsString() + "'";
+    }
+
+    auto R =
+        llvm::make_unique<BugReport>(*BT, ErrorMessage, N, LocUsedForUniqueing,
+                                     MoveNode->getLocationContext()->getDecl());
+    R->addVisitor(llvm::make_unique<MovedBugVisitor>(Region));
+    C.emitReport(std::move(R));
+    return N;
+  }
+  return nullptr;
+}
+
+// Removing the function parameters' MemRegion from the state. This is needed
+// for PODs where the trivial destructor does not even created nor executed.
+void MisusedMovedObjectChecker::checkEndFunction(CheckerContext &C) const {
+  auto State = C.getState();
+  TrackedRegionMapTy Objects = State->get<TrackedRegionMap>();
+  if (Objects.isEmpty())
+    return;
+
+  auto LC = C.getLocationContext();
+
+  const auto LD = dyn_cast_or_null<FunctionDecl>(LC->getDecl());
+  if (!LD)
+    return;
+  llvm::SmallSet<const MemRegion *, 8> InvalidRegions;
+
+  for (auto Param : LD->parameters()) {
+    auto Type = Param->getType().getTypePtrOrNull();
+    if (!Type)
+      continue;
+    if (!Type->isPointerType() && !Type->isReferenceType()) {
+      InvalidRegions.insert(State->getLValue(Param, LC).getAsRegion());
+    }
+  }
+
+  if (InvalidRegions.empty())
+    return;
+
+  for (const auto &E : State->get<TrackedRegionMap>()) {
+    if (InvalidRegions.count(E.first->getBaseRegion()))
+      State = State->remove<TrackedRegionMap>(E.first);
+  }
+
+  C.addTransition(State);
+}
+
+void MisusedMovedObjectChecker::checkPostCall(const CallEvent &Call,
+                                              CheckerContext &C) const {
+  const auto *AFC = dyn_cast<AnyFunctionCall>(&Call);
+  if (!AFC)
+    return;
+
+  ProgramStateRef State = C.getState();
+  const auto MethodDecl = dyn_cast_or_null<CXXMethodDecl>(AFC->getDecl());
+  if (!MethodDecl)
+    return;
+
+  const auto *ConstructorDecl = dyn_cast<CXXConstructorDecl>(MethodDecl);
+
+  const auto *CC = dyn_cast_or_null<CXXConstructorCall>(&Call);
+  // Check if an object became moved-from.
+  // Object can become moved from after a call to move assignment operator or
+  // move constructor .
+  if (ConstructorDecl && !ConstructorDecl->isMoveConstructor())
+    return;
+
+  if (!ConstructorDecl && !MethodDecl->isMoveAssignmentOperator())
+    return;
+
+  const auto ArgRegion = AFC->getArgSVal(0).getAsRegion();
+  if (!ArgRegion)
+    return;
+
+  // Skip moving the object to itself.
+  if (CC && CC->getCXXThisVal().getAsRegion() == ArgRegion)
+    return;
+  if (const auto *IC = dyn_cast<CXXInstanceCall>(AFC))
+    if (IC->getCXXThisVal().getAsRegion() == ArgRegion)
+      return;
+
+  const MemRegion *BaseRegion = ArgRegion->getBaseRegion();
+  // Skip temp objects because of their short lifetime.
+  if (BaseRegion->getAs<CXXTempObjectRegion>() ||
+      AFC->getArgExpr(0)->isRValue())
+    return;
+  // If it has already been reported do not need to modify the state.
+
+  if (State->get<TrackedRegionMap>(ArgRegion))
+    return;
+  // Mark object as moved-from.
+  State = State->set<TrackedRegionMap>(ArgRegion, RegionState::getMoved());
+  C.addTransition(State);
+}
+
+bool MisusedMovedObjectChecker::isMoveSafeMethod(
+    const CXXMethodDecl *MethodDec) const {
+  // We abandon the cases where bool/void/void* conversion happens.
+  if (const auto *ConversionDec =
+          dyn_cast_or_null<CXXConversionDecl>(MethodDec)) {
+    const Type *Tp = ConversionDec->getConversionType().getTypePtrOrNull();
+    if (!Tp)
+      return false;
+    if (Tp->isBooleanType() || Tp->isVoidType() || Tp->isVoidPointerType())
+      return true;
+  }
+  // Function call `empty` can be skipped.
+  if (MethodDec && MethodDec->getDeclName().isIdentifier() &&
+      (MethodDec->getName().lower() == "empty" ||
+       MethodDec->getName().lower() == "isempty"))
+    return true;
+
+  return false;
+}
+
+bool MisusedMovedObjectChecker::isStateResetMethod(
+    const CXXMethodDecl *MethodDec) const {
+  if (MethodDec && MethodDec->getDeclName().isIdentifier()) {
+    std::string MethodName = MethodDec->getName().lower();
+    if (MethodName == "reset" || MethodName == "clear" ||
+        MethodName == "destroy")
+      return true;
+  }
+  return false;
+}
+
+// Don't report an error inside a move related operation.
+// We assume that the programmer knows what she does.
+bool MisusedMovedObjectChecker::isInMoveSafeContext(
+    const LocationContext *LC) const {
+  do {
+    const auto *CtxDec = LC->getDecl();
+    auto *CtorDec = dyn_cast_or_null<CXXConstructorDecl>(CtxDec);
+    auto *DtorDec = dyn_cast_or_null<CXXDestructorDecl>(CtxDec);
+    auto *MethodDec = dyn_cast_or_null<CXXMethodDecl>(CtxDec);
+    if (DtorDec || (CtorDec && CtorDec->isCopyOrMoveConstructor()) ||
+        (MethodDec && MethodDec->isOverloadedOperator() &&
+         MethodDec->getOverloadedOperator() == OO_Equal) ||
+        isStateResetMethod(MethodDec) || isMoveSafeMethod(MethodDec))
+      return true;
+  } while ((LC = LC->getParent()));
+  return false;
+}
+
+void MisusedMovedObjectChecker::checkPreCall(const CallEvent &Call,
+                                             CheckerContext &C) const {
+  ProgramStateRef State = C.getState();
+  const LocationContext *LC = C.getLocationContext();
+  ExplodedNode *N = nullptr;
+
+  // Remove the MemRegions from the map on which a ctor/dtor call or assignement
+  // happened.
+
+  // Checking constructor calls.
+  if (const auto *CC = dyn_cast<CXXConstructorCall>(&Call)) {
+    State = removeFromState(State, CC->getCXXThisVal().getAsRegion());
+    auto CtorDec = CC->getDecl();
+    // Check for copying a moved-from object and report the bug.
+    if (CtorDec && CtorDec->isCopyOrMoveConstructor()) {
+      const MemRegion *ArgRegion = CC->getArgSVal(0).getAsRegion();
+      const RegionState *ArgState = State->get<TrackedRegionMap>(ArgRegion);
+      if (ArgState && ArgState->isMoved()) {
+        if (!isInMoveSafeContext(LC)) {
+          N = reportBug(ArgRegion, Call, C, /*isCopy=*/true);
+          State = State->set<TrackedRegionMap>(ArgRegion,
+                                               RegionState::getReported());
+        }
+      }
+    }
+    C.addTransition(State, N);
+    return;
+  }
+
+  const auto IC = dyn_cast<CXXInstanceCall>(&Call);
+  if (!IC)
+    return;
+  // In case of destructor call we do not track the object anymore.
+  const MemRegion *ThisRegion = IC->getCXXThisVal().getAsRegion();
+  if (dyn_cast_or_null<CXXDestructorDecl>(Call.getDecl())) {
+    State = removeFromState(State, IC->getCXXThisVal().getAsRegion());
+    C.addTransition(State);
+    return;
+  }
+
+  const auto MethodDecl = dyn_cast_or_null<CXXMethodDecl>(IC->getDecl());
+  if (!MethodDecl)
+    return;
+  // Checking assignment operators.
+  bool OperatorEq = MethodDecl->isOverloadedOperator() &&
+                    MethodDecl->getOverloadedOperator() == OO_Equal;
+  // Remove the tracked object for every assignment operator, but report bug
+  // only for move or copy assignment's argument.
+  if (OperatorEq) {
+    State = removeFromState(State, ThisRegion);
+    if (MethodDecl->isCopyAssignmentOperator() ||
+        MethodDecl->isMoveAssignmentOperator()) {
+      const RegionState *ArgState =
+          State->get<TrackedRegionMap>(IC->getArgSVal(0).getAsRegion());
+      if (ArgState && ArgState->isMoved() && !isInMoveSafeContext(LC)) {
+        const MemRegion *ArgRegion = IC->getArgSVal(0).getAsRegion();
+        N = reportBug(ArgRegion, Call, C, /*isCopy=*/true);
+        State =
+            State->set<TrackedRegionMap>(ArgRegion, RegionState::getReported());
+      }
+    }
+    C.addTransition(State, N);
+    return;
+  }
+
+  // The remaining part is check only for method call on a moved-from object.
+  if (isMoveSafeMethod(MethodDecl))
+    return;
+
+  if (isStateResetMethod(MethodDecl)) {
+    State = State->remove<TrackedRegionMap>(ThisRegion);
+    C.addTransition(State);
+    return;
+  }
+
+  // If it is already reported then we dont report the bug again.
+  const RegionState *ThisState = State->get<TrackedRegionMap>(ThisRegion);
+  if (!(ThisState && ThisState->isMoved()))
+    return;
+
+  // Dont report it in case if any base region is already reported
+  if (isAnyBaseRegionReported(State, ThisRegion))
+    return;
+
+  if (isInMoveSafeContext(LC))
+    return;
+
+  N = reportBug(ThisRegion, Call, C);
+  State = State->set<TrackedRegionMap>(ThisRegion, RegionState::getReported());
+  C.addTransition(State, N);
+}
+
+void MisusedMovedObjectChecker::checkDeadSymbols(SymbolReaper &SymReaper,
+                                                 CheckerContext &C) const {
+  ProgramStateRef State = C.getState();
+  TrackedRegionMapTy TrackedRegions = State->get<TrackedRegionMap>();
+  for (TrackedRegionMapTy::value_type E : TrackedRegions) {
+    const MemRegion *Region = E.first;
+    bool IsRegDead = !SymReaper.isLiveRegion(Region);
+
+    // Remove the dead regions from the region map.
+    if (IsRegDead) {
+      State = State->remove<TrackedRegionMap>(Region);
+    }
+  }
+  C.addTransition(State);
+}
+
+ProgramStateRef MisusedMovedObjectChecker::checkRegionChanges(
+    ProgramStateRef State, const InvalidatedSymbols *Invalidated,
+    ArrayRef<const MemRegion *> ExplicitRegions,
+    ArrayRef<const MemRegion *> Regions, const LocationContext *LCtx,
+    const CallEvent *Call) const {
+  // In case of an InstanceCall don't remove the ThisRegion from the GDM since
+  // it is handled in checkPreCall and checkPostCall.
+  const MemRegion *ThisRegion = nullptr;
+  if (const auto *IC = dyn_cast_or_null<CXXInstanceCall>(Call)) {
+    ThisRegion = IC->getCXXThisVal().getAsRegion();
+  }
+
+  for (ArrayRef<const MemRegion *>::iterator I = ExplicitRegions.begin(),
+                                             E = ExplicitRegions.end();
+       I != E; ++I) {
+    const auto *Region = *I;
+    if (ThisRegion != Region) {
+      State = removeFromState(State, Region);
+    }
+  }
+
+  return State;
+}
+
+void ento::registerMisusedMovedObjectChecker(CheckerManager &mgr) {
+  mgr.registerChecker<MisusedMovedObjectChecker>();
+}
author	dim <dim@FreeBSD.org>	2017-09-26 19:56:36 +0000
committer	Luiz Souza <luiz@netgate.com>	2018-02-21 15:12:19 -0300
commit	1dcd2e8d24b295bc73e513acec2ed1514bb66be4 (patch)
tree	4bd13a34c251e980e1a6b13584ca1f63b0dfe670 /contrib/llvm/tools/clang/lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
parent	f45541ca2a56a1ba1202f94c080b04e96c1fa239 (diff)
download	FreeBSD-src-1dcd2e8d24b295bc73e513acec2ed1514bb66be4.zip FreeBSD-src-1dcd2e8d24b295bc73e513acec2ed1514bb66be4.tar.gz