shylie/llvm-project
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
llvm-project/clang/lib/StaticAnalyzer/Checkers/WebKit/RawPtrRefLambdaCapturesChecker.cpp
Kazu Hirata 8d49c64fa2
[StaticAnalyzer] Remove unused includes (NFC) (#141525) 
These are identified by misc-include-cleaner.  I've filtered out those
that break builds.  Also, I'm staying away from llvm-config.h,
config.h, and Compiler.h, which likely cause platform- or
compiler-specific build failures.
2025-05-26 14:57:13 -07:00

521 lines
18 KiB
C++
Raw Blame History

//=======- UncountedLambdaCapturesChecker.cpp --------------------*- C++ -*-==//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "ASTUtils.h"
#include "DiagOutputUtils.h"
#include "PtrTypesSemantics.h"
#include "clang/AST/DynamicRecursiveASTVisitor.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include <optional>
using namespace clang;
using namespace ento;
namespace {
class RawPtrRefLambdaCapturesChecker
: public Checker<check::ASTDecl<TranslationUnitDecl>> {
private:
BugType Bug;
mutable BugReporter *BR = nullptr;
TrivialFunctionAnalysis TFA;
protected:
mutable std::optional<RetainTypeChecker> RTC;
public:
RawPtrRefLambdaCapturesChecker(const char *description)
: Bug(this, description, "WebKit coding guidelines") {}
virtual std::optional<bool> isUnsafePtr(QualType) const = 0;
virtual bool isPtrType(const std::string &) const = 0;
virtual const char *ptrKind(QualType QT) const = 0;
void checkASTDecl(const TranslationUnitDecl *TUD, AnalysisManager &MGR,
BugReporter &BRArg) const {
BR = &BRArg;
// The calls to checkAST* from AnalysisConsumer don't
// visit template instantiations or lambda classes. We
// want to visit those, so we make our own RecursiveASTVisitor.
struct LocalVisitor : DynamicRecursiveASTVisitor {
const RawPtrRefLambdaCapturesChecker *Checker;
llvm::DenseSet<const DeclRefExpr *> DeclRefExprsToIgnore;
llvm::DenseSet<const LambdaExpr *> LambdasToIgnore;
llvm::DenseSet<const ValueDecl *> ProtectedThisDecls;
llvm::DenseSet<const CXXConstructExpr *> ConstructToIgnore;
QualType ClsType;
explicit LocalVisitor(const RawPtrRefLambdaCapturesChecker *Checker)
: Checker(Checker) {
assert(Checker);
ShouldVisitTemplateInstantiations = true;
ShouldVisitImplicitCode = false;
}
bool TraverseCXXMethodDecl(CXXMethodDecl *CXXMD) override {
llvm::SaveAndRestore SavedDecl(ClsType);
if (CXXMD->isInstance())
ClsType = CXXMD->getThisType();
return DynamicRecursiveASTVisitor::TraverseCXXMethodDecl(CXXMD);
}
bool TraverseObjCMethodDecl(ObjCMethodDecl *OCMD) override {
llvm::SaveAndRestore SavedDecl(ClsType);
if (OCMD && OCMD->isInstanceMethod()) {
if (auto *ImplParamDecl = OCMD->getSelfDecl())
ClsType = ImplParamDecl->getType();
}
return DynamicRecursiveASTVisitor::TraverseObjCMethodDecl(OCMD);
}
bool VisitTypedefDecl(TypedefDecl *TD) override {
if (Checker->RTC)
Checker->RTC->visitTypedef(TD);
return true;
}
bool shouldCheckThis() {
auto result =
!ClsType.isNull() ? Checker->isUnsafePtr(ClsType) : std::nullopt;
return result && *result;
}
bool VisitLambdaExpr(LambdaExpr *L) override {
if (LambdasToIgnore.contains(L))
return true;
Checker->visitLambdaExpr(L, shouldCheckThis() && !hasProtectedThis(L),
ClsType);
return true;
}
bool VisitVarDecl(VarDecl *VD) override {
auto *Init = VD->getInit();
if (!Init)
return true;
auto *L = dyn_cast_or_null<LambdaExpr>(Init->IgnoreParenCasts());
if (!L)
return true;
LambdasToIgnore.insert(L); // Evaluate lambdas in VisitDeclRefExpr.
return true;
}
bool VisitDeclRefExpr(DeclRefExpr *DRE) override {
if (DeclRefExprsToIgnore.contains(DRE))
return true;
auto *VD = dyn_cast_or_null<VarDecl>(DRE->getDecl());
if (!VD)
return true;
auto *Init = VD->getInit();
if (!Init)
return true;
auto *L = dyn_cast_or_null<LambdaExpr>(Init->IgnoreParenCasts());
if (!L)
return true;
LambdasToIgnore.insert(L);
Checker->visitLambdaExpr(L, shouldCheckThis() && !hasProtectedThis(L),
ClsType);
return true;
}
bool shouldTreatAllArgAsNoEscape(FunctionDecl *Decl) {
auto *NsDecl = Decl->getParent();
if (!NsDecl || !isa<NamespaceDecl>(NsDecl))
return false;
// WTF::switchOn(T, F... f) is a variadic template function and couldn't
// be annotated with NOESCAPE. We hard code it here to workaround that.
if (safeGetName(NsDecl) == "WTF" && safeGetName(Decl) == "switchOn")
return true;
// Treat every argument of functions in std::ranges as noescape.
if (safeGetName(NsDecl) == "ranges") {
if (auto *OuterDecl = NsDecl->getParent();
OuterDecl && isa<NamespaceDecl>(OuterDecl) &&
safeGetName(OuterDecl) == "std")
return true;
}
return false;
}
bool VisitCXXConstructExpr(CXXConstructExpr *CE) override {
if (ConstructToIgnore.contains(CE))
return true;
if (auto *Callee = CE->getConstructor()) {
unsigned ArgIndex = 0;
for (auto *Param : Callee->parameters()) {
if (ArgIndex >= CE->getNumArgs())
return true;
auto *Arg = CE->getArg(ArgIndex)->IgnoreParenCasts();
if (auto *L = findLambdaInArg(Arg)) {
LambdasToIgnore.insert(L);
if (!Param->hasAttr<NoEscapeAttr>())
Checker->visitLambdaExpr(
L, shouldCheckThis() && !hasProtectedThis(L), ClsType);
}
++ArgIndex;
}
}
return true;
}
bool VisitCallExpr(CallExpr *CE) override {
checkCalleeLambda(CE);
if (auto *Callee = CE->getDirectCallee()) {
unsigned ArgIndex = isa<CXXOperatorCallExpr>(CE);
bool TreatAllArgsAsNoEscape = shouldTreatAllArgAsNoEscape(Callee);
for (auto *Param : Callee->parameters()) {
if (ArgIndex >= CE->getNumArgs())
return true;
auto *Arg = CE->getArg(ArgIndex)->IgnoreParenCasts();
if (auto *L = findLambdaInArg(Arg)) {
LambdasToIgnore.insert(L);
if (!Param->hasAttr<NoEscapeAttr>() && !TreatAllArgsAsNoEscape)
Checker->visitLambdaExpr(
L, shouldCheckThis() && !hasProtectedThis(L), ClsType);
}
++ArgIndex;
}
}
return true;
}
LambdaExpr *findLambdaInArg(Expr *E) {
if (auto *Lambda = dyn_cast_or_null<LambdaExpr>(E))
return Lambda;
auto *TempExpr = dyn_cast_or_null<CXXBindTemporaryExpr>(E);
if (!TempExpr)
return nullptr;
E = TempExpr->getSubExpr()->IgnoreParenCasts();
if (!E)
return nullptr;
if (auto *Lambda = dyn_cast<LambdaExpr>(E))
return Lambda;
auto *CE = dyn_cast_or_null<CXXConstructExpr>(E);
if (!CE || !CE->getNumArgs())
return nullptr;
auto *CtorArg = CE->getArg(0)->IgnoreParenCasts();
if (!CtorArg)
return nullptr;
auto *InnerCE = dyn_cast_or_null<CXXConstructExpr>(CtorArg);
if (InnerCE && InnerCE->getNumArgs())
CtorArg = InnerCE->getArg(0)->IgnoreParenCasts();
auto updateIgnoreList = [&] {
ConstructToIgnore.insert(CE);
if (InnerCE)
ConstructToIgnore.insert(InnerCE);
};
if (auto *Lambda = dyn_cast<LambdaExpr>(CtorArg)) {
updateIgnoreList();
return Lambda;
}
if (auto *TempExpr = dyn_cast<CXXBindTemporaryExpr>(CtorArg)) {
E = TempExpr->getSubExpr()->IgnoreParenCasts();
if (auto *Lambda = dyn_cast<LambdaExpr>(E)) {
updateIgnoreList();
return Lambda;
}
}
auto *DRE = dyn_cast<DeclRefExpr>(CtorArg);
if (!DRE)
return nullptr;
auto *VD = dyn_cast_or_null<VarDecl>(DRE->getDecl());
if (!VD)
return nullptr;
auto *Init = VD->getInit();
if (!Init)
return nullptr;
if (auto *Lambda = dyn_cast<LambdaExpr>(Init)) {
updateIgnoreList();
return Lambda;
}
TempExpr = dyn_cast<CXXBindTemporaryExpr>(Init->IgnoreParenCasts());
if (!TempExpr)
return nullptr;
updateIgnoreList();
return dyn_cast_or_null<LambdaExpr>(TempExpr->getSubExpr());
}
void checkCalleeLambda(CallExpr *CE) {
auto *Callee = CE->getCallee();
if (!Callee)
return;
auto *DRE = dyn_cast<DeclRefExpr>(Callee->IgnoreParenCasts());
if (!DRE)
return;
auto *MD = dyn_cast_or_null<CXXMethodDecl>(DRE->getDecl());
if (!MD || CE->getNumArgs() < 1)
return;
auto *Arg = CE->getArg(0)->IgnoreParenCasts();
if (auto *L = dyn_cast_or_null<LambdaExpr>(Arg)) {
LambdasToIgnore.insert(L); // Calling a lambda upon creation is safe.
return;
}
auto *ArgRef = dyn_cast<DeclRefExpr>(Arg);
if (!ArgRef)
return;
auto *VD = dyn_cast_or_null<VarDecl>(ArgRef->getDecl());
if (!VD)
return;
auto *Init = VD->getInit();
if (!Init)
return;
auto *L = dyn_cast_or_null<LambdaExpr>(Init->IgnoreParenCasts());
if (!L)
return;
DeclRefExprsToIgnore.insert(ArgRef);
LambdasToIgnore.insert(L);
}
bool hasProtectedThis(LambdaExpr *L) {
for (const LambdaCapture &OtherCapture : L->captures()) {
if (!OtherCapture.capturesVariable())
continue;
if (auto *ValueDecl = OtherCapture.getCapturedVar()) {
if (declProtectsThis(ValueDecl)) {
ProtectedThisDecls.insert(ValueDecl);
return true;
}
}
}
return false;
}
bool declProtectsThis(const ValueDecl *ValueDecl) const {
auto *VD = dyn_cast<VarDecl>(ValueDecl);
if (!VD)
return false;
auto *Init = VD->getInit();
if (!Init)
return false;
const Expr *Arg = Init->IgnoreParenCasts();
do {
if (auto *BTE = dyn_cast<CXXBindTemporaryExpr>(Arg))
Arg = BTE->getSubExpr()->IgnoreParenCasts();
if (auto *CE = dyn_cast<CXXConstructExpr>(Arg)) {
auto *Ctor = CE->getConstructor();
if (!Ctor)
return false;
auto clsName = safeGetName(Ctor->getParent());
if (Checker->isPtrType(clsName) && CE->getNumArgs()) {
Arg = CE->getArg(0)->IgnoreParenCasts();
continue;
}
if (auto *Type = ClsType.getTypePtrOrNull()) {
if (auto *CXXR = Type->getPointeeCXXRecordDecl()) {
if (CXXR == Ctor->getParent() && Ctor->isMoveConstructor() &&
CE->getNumArgs() == 1) {
Arg = CE->getArg(0)->IgnoreParenCasts();
continue;
}
}
}
return false;
}
if (auto *CE = dyn_cast<CallExpr>(Arg)) {
if (CE->isCallToStdMove() && CE->getNumArgs() == 1) {
Arg = CE->getArg(0)->IgnoreParenCasts();
continue;
}
if (auto *Callee = CE->getDirectCallee()) {
if (isCtorOfSafePtr(Callee) && CE->getNumArgs() == 1) {
Arg = CE->getArg(0)->IgnoreParenCasts();
continue;
}
}
}
if (auto *OpCE = dyn_cast<CXXOperatorCallExpr>(Arg)) {
auto OpCode = OpCE->getOperator();
if (OpCode == OO_Star || OpCode == OO_Amp) {
auto *Callee = OpCE->getDirectCallee();
if (!Callee)
return false;
auto clsName = safeGetName(Callee->getParent());
if (!Checker->isPtrType(clsName) || !OpCE->getNumArgs())
return false;
Arg = OpCE->getArg(0)->IgnoreParenCasts();
continue;
}
}
if (auto *UO = dyn_cast<UnaryOperator>(Arg)) {
auto OpCode = UO->getOpcode();
if (OpCode == UO_Deref || OpCode == UO_AddrOf) {
Arg = UO->getSubExpr()->IgnoreParenCasts();
continue;
}
}
break;
} while (Arg);
if (auto *DRE = dyn_cast<DeclRefExpr>(Arg)) {
auto *Decl = DRE->getDecl();
if (auto *ImplicitParam = dyn_cast<ImplicitParamDecl>(Decl)) {
auto kind = ImplicitParam->getParameterKind();
return kind == ImplicitParamKind::ObjCSelf ||
kind == ImplicitParamKind::CXXThis;
}
return ProtectedThisDecls.contains(Decl);
}
return isa<CXXThisExpr>(Arg);
}
};
LocalVisitor visitor(this);
if (RTC)
RTC->visitTranslationUnitDecl(TUD);
visitor.TraverseDecl(const_cast<TranslationUnitDecl *>(TUD));
}
void visitLambdaExpr(LambdaExpr *L, bool shouldCheckThis, const QualType T,
bool ignoreParamVarDecl = false) const {
if (TFA.isTrivial(L->getBody()))
return;
for (const LambdaCapture &C : L->captures()) {
if (C.capturesVariable()) {
ValueDecl *CapturedVar = C.getCapturedVar();
if (ignoreParamVarDecl && isa<ParmVarDecl>(CapturedVar))
continue;
if (auto *ImplicitParam = dyn_cast<ImplicitParamDecl>(CapturedVar)) {
auto kind = ImplicitParam->getParameterKind();
if ((kind == ImplicitParamKind::ObjCSelf ||
kind == ImplicitParamKind::CXXThis) &&
!shouldCheckThis)
continue;
}
QualType CapturedVarQualType = CapturedVar->getType();
auto IsUncountedPtr = isUnsafePtr(CapturedVar->getType());
if (C.getCaptureKind() == LCK_ByCopy &&
CapturedVarQualType->isReferenceType())
continue;
if (IsUncountedPtr && *IsUncountedPtr)
reportBug(C, CapturedVar, CapturedVarQualType, L);
} else if (C.capturesThis() && shouldCheckThis) {
if (ignoreParamVarDecl) // this is always a parameter to this function.
continue;
reportBugOnThisPtr(C, T);
}
}
}
void reportBug(const LambdaCapture &Capture, ValueDecl *CapturedVar,
const QualType T, LambdaExpr *L) const {
assert(CapturedVar);
auto Location = Capture.getLocation();
if (isa<ImplicitParamDecl>(CapturedVar) && !Location.isValid())
Location = L->getBeginLoc();
SmallString<100> Buf;
llvm::raw_svector_ostream Os(Buf);
if (Capture.isExplicit()) {
Os << "Captured ";
} else {
Os << "Implicitly captured ";
}
if (isa<PointerType>(T) || isa<ObjCObjectPointerType>(T)) {
Os << "raw-pointer ";
} else {
Os << "reference ";
}
printQuotedQualifiedName(Os, CapturedVar);
Os << " to " << ptrKind(T) << " type is unsafe.";
PathDiagnosticLocation BSLoc(Location, BR->getSourceManager());
auto Report = std::make_unique<BasicBugReport>(Bug, Os.str(), BSLoc);
BR->emitReport(std::move(Report));
}
void reportBugOnThisPtr(const LambdaCapture &Capture,
const QualType T) const {
SmallString<100> Buf;
llvm::raw_svector_ostream Os(Buf);
if (Capture.isExplicit()) {
Os << "Captured ";
} else {
Os << "Implicitly captured ";
}
Os << "raw-pointer 'this' to " << ptrKind(T) << " type is unsafe.";
PathDiagnosticLocation BSLoc(Capture.getLocation(), BR->getSourceManager());
auto Report = std::make_unique<BasicBugReport>(Bug, Os.str(), BSLoc);
BR->emitReport(std::move(Report));
}
};
class UncountedLambdaCapturesChecker : public RawPtrRefLambdaCapturesChecker {
public:
UncountedLambdaCapturesChecker()
: RawPtrRefLambdaCapturesChecker("Lambda capture of uncounted or "
"unchecked variable") {}
std::optional<bool> isUnsafePtr(QualType QT) const final {
auto result1 = isUncountedPtr(QT);
auto result2 = isUncheckedPtr(QT);
if (result1 && *result1)
return true;
if (result2 && *result2)
return true;
if (result1)
return *result1;
return result2;
}
virtual bool isPtrType(const std::string &Name) const final {
return isRefType(Name) || isCheckedPtr(Name);
}
const char *ptrKind(QualType QT) const final {
if (isUncounted(QT))
return "uncounted";
return "unchecked";
}
};
class UnretainedLambdaCapturesChecker : public RawPtrRefLambdaCapturesChecker {
public:
UnretainedLambdaCapturesChecker()
: RawPtrRefLambdaCapturesChecker("Lambda capture of unretained "
"variables") {
RTC = RetainTypeChecker();
}
std::optional<bool> isUnsafePtr(QualType QT) const final {
return RTC->isUnretained(QT);
}
virtual bool isPtrType(const std::string &Name) const final {
return isRetainPtr(Name);
}
const char *ptrKind(QualType QT) const final { return "unretained"; }
};
} // namespace
void ento::registerUncountedLambdaCapturesChecker(CheckerManager &Mgr) {
Mgr.registerChecker<UncountedLambdaCapturesChecker>();
}
bool ento::shouldRegisterUncountedLambdaCapturesChecker(
const CheckerManager &mgr) {
return true;
}
void ento::registerUnretainedLambdaCapturesChecker(CheckerManager &Mgr) {
Mgr.registerChecker<UnretainedLambdaCapturesChecker>();
}
bool ento::shouldRegisterUnretainedLambdaCapturesChecker(
const CheckerManager &mgr) {
return true;
}
Reference in New Issue View Git Blame Copy Permalink