llvm-for-llvmta/tools/clang/lib/StaticAnalyzer/Checkers/TrustNonnullChecker.cpp

//== TrustNonnullChecker.cpp --------- API nullability modeling -*- C++ -*--==//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This checker adds nullability-related assumptions:
//
// 1. Methods annotated with _Nonnull
// which come from system headers actually return a non-null pointer.
//
// 2. NSDictionary key is non-null after the keyword subscript operation
// on read if and only if the resulting expression is non-null.
//
// 3. NSMutableDictionary index is non-null after a write operation.
//
//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/Analysis/SelectorExtras.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"

using namespace clang;
using namespace ento;

/// Records implications between symbols.
/// The semantics is:
///    (antecedent != 0) => (consequent != 0)
/// These implications are then read during the evaluation of the assumption,
/// and the appropriate antecedents are applied.
REGISTER_MAP_WITH_PROGRAMSTATE(NonNullImplicationMap, SymbolRef, SymbolRef)

/// The semantics is:
///    (antecedent == 0) => (consequent == 0)
REGISTER_MAP_WITH_PROGRAMSTATE(NullImplicationMap, SymbolRef, SymbolRef)

namespace {

class TrustNonnullChecker : public Checker<check::PostCall,
                                           check::PostObjCMessage,
                                           check::DeadSymbols,
                                           eval::Assume> {
  // Do not try to iterate over symbols with higher complexity.
  static unsigned constexpr ComplexityThreshold = 10;
  Selector ObjectForKeyedSubscriptSel;
  Selector ObjectForKeySel;
  Selector SetObjectForKeyedSubscriptSel;
  Selector SetObjectForKeySel;

public:
  TrustNonnullChecker(ASTContext &Ctx)
      : ObjectForKeyedSubscriptSel(
            getKeywordSelector(Ctx, "objectForKeyedSubscript")),
        ObjectForKeySel(getKeywordSelector(Ctx, "objectForKey")),
        SetObjectForKeyedSubscriptSel(
            getKeywordSelector(Ctx, "setObject", "forKeyedSubscript")),
        SetObjectForKeySel(getKeywordSelector(Ctx, "setObject", "forKey")) {}

  ProgramStateRef evalAssume(ProgramStateRef State,
                             SVal Cond,
                             bool Assumption) const {
    const SymbolRef CondS = Cond.getAsSymbol();
    if (!CondS || CondS->computeComplexity() > ComplexityThreshold)
      return State;

    for (auto B=CondS->symbol_begin(), E=CondS->symbol_end(); B != E; ++B) {
      const SymbolRef Antecedent = *B;
      State = addImplication(Antecedent, State, true);
      State = addImplication(Antecedent, State, false);
    }

    return State;
  }

  void checkPostCall(const CallEvent &Call, CheckerContext &C) const {
    // Only trust annotations for system headers for non-protocols.
    if (!Call.isInSystemHeader())
      return;

    ProgramStateRef State = C.getState();

    if (isNonNullPtr(Call, C))
      if (auto L = Call.getReturnValue().getAs<Loc>())
        State = State->assume(*L, /*assumption=*/true);

    C.addTransition(State);
  }

  void checkPostObjCMessage(const ObjCMethodCall &Msg,
                            CheckerContext &C) const {
    const ObjCInterfaceDecl *ID = Msg.getReceiverInterface();
    if (!ID)
      return;

    ProgramStateRef State = C.getState();

    // Index to setter for NSMutableDictionary is assumed to be non-null,
    // as an exception is thrown otherwise.
    if (interfaceHasSuperclass(ID, "NSMutableDictionary") &&
        (Msg.getSelector() == SetObjectForKeyedSubscriptSel ||
         Msg.getSelector() == SetObjectForKeySel)) {
      if (auto L = Msg.getArgSVal(1).getAs<Loc>())
        State = State->assume(*L, /*assumption=*/true);
    }

    // Record an implication: index is non-null if the output is non-null.
    if (interfaceHasSuperclass(ID, "NSDictionary") &&
        (Msg.getSelector() == ObjectForKeyedSubscriptSel ||
         Msg.getSelector() == ObjectForKeySel)) {
      SymbolRef ArgS = Msg.getArgSVal(0).getAsSymbol();
      SymbolRef RetS = Msg.getReturnValue().getAsSymbol();

      if (ArgS && RetS) {
        // Emulate an implication: the argument is non-null if
        // the return value is non-null.
        State = State->set<NonNullImplicationMap>(RetS, ArgS);

        // Conversely, when the argument is null, the return value
        // is definitely null.
        State = State->set<NullImplicationMap>(ArgS, RetS);
      }
    }

    C.addTransition(State);
  }

  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const {
    ProgramStateRef State = C.getState();

    State = dropDeadFromGDM<NullImplicationMap>(SymReaper, State);
    State = dropDeadFromGDM<NonNullImplicationMap>(SymReaper, State);

    C.addTransition(State);
  }

private:

  /// \returns State with GDM \p MapName where all dead symbols were
  // removed.
  template <typename MapName>
  ProgramStateRef dropDeadFromGDM(SymbolReaper &SymReaper,
                                  ProgramStateRef State) const {
    for (const std::pair<SymbolRef, SymbolRef> &P : State->get<MapName>())
      if (!SymReaper.isLive(P.first) || !SymReaper.isLive(P.second))
        State = State->remove<MapName>(P.first);
    return State;
  }

  /// \returns Whether we trust the result of the method call to be
  /// a non-null pointer.
  bool isNonNullPtr(const CallEvent &Call, CheckerContext &C) const {
    QualType ExprRetType = Call.getResultType();
    if (!ExprRetType->isAnyPointerType())
      return false;

    if (getNullabilityAnnotation(ExprRetType) == Nullability::Nonnull)
      return true;

    // The logic for ObjC instance method calls is more complicated,
    // as the return value is nil when the receiver is nil.
    if (!isa<ObjCMethodCall>(&Call))
      return false;

    const auto *MCall = cast<ObjCMethodCall>(&Call);
    const ObjCMethodDecl *MD = MCall->getDecl();

    // Distrust protocols.
    if (isa<ObjCProtocolDecl>(MD->getDeclContext()))
      return false;

    QualType DeclRetType = MD->getReturnType();
    if (getNullabilityAnnotation(DeclRetType) != Nullability::Nonnull)
      return false;

    // For class messages it is sufficient for the declaration to be
    // annotated _Nonnull.
    if (!MCall->isInstanceMessage())
      return true;

    // Alternatively, the analyzer could know that the receiver is not null.
    SVal Receiver = MCall->getReceiverSVal();
    ConditionTruthVal TV = C.getState()->isNonNull(Receiver);
    if (TV.isConstrainedTrue())
      return true;

    return false;
  }

  /// \return Whether \p ID has a superclass by the name \p ClassName.
  bool interfaceHasSuperclass(const ObjCInterfaceDecl *ID,
                         StringRef ClassName) const {
    if (ID->getIdentifier()->getName() == ClassName)
      return true;

    if (const ObjCInterfaceDecl *Super = ID->getSuperClass())
      return interfaceHasSuperclass(Super, ClassName);

    return false;
  }


  /// \return a state with an optional implication added (if exists)
  /// from a map of recorded implications.
  /// If \p Negated is true, checks NullImplicationMap, and assumes
  /// the negation of \p Antecedent.
  /// Checks NonNullImplicationMap and assumes \p Antecedent otherwise.
  ProgramStateRef addImplication(SymbolRef Antecedent,
                                 ProgramStateRef InputState,
                                 bool Negated) const {
    if (!InputState)
      return nullptr;
    SValBuilder &SVB = InputState->getStateManager().getSValBuilder();
    const SymbolRef *Consequent =
        Negated ? InputState->get<NonNullImplicationMap>(Antecedent)
                : InputState->get<NullImplicationMap>(Antecedent);
    if (!Consequent)
      return InputState;

    SVal AntecedentV = SVB.makeSymbolVal(Antecedent);
    ProgramStateRef State = InputState;

    if ((Negated && InputState->isNonNull(AntecedentV).isConstrainedTrue())
        || (!Negated && InputState->isNull(AntecedentV).isConstrainedTrue())) {
      SVal ConsequentS = SVB.makeSymbolVal(*Consequent);
      State = InputState->assume(ConsequentS.castAs<DefinedSVal>(), Negated);
      if (!State)
        return nullptr;

      // Drop implications from the map.
      if (Negated) {
        State = State->remove<NonNullImplicationMap>(Antecedent);
        State = State->remove<NullImplicationMap>(*Consequent);
      } else {
        State = State->remove<NullImplicationMap>(Antecedent);
        State = State->remove<NonNullImplicationMap>(*Consequent);
      }
    }

    return State;
  }
};

} // end empty namespace

void ento::registerTrustNonnullChecker(CheckerManager &Mgr) {
  Mgr.registerChecker<TrustNonnullChecker>(Mgr.getASTContext());
}

bool ento::shouldRegisterTrustNonnullChecker(const CheckerManager &mgr) {
  return true;
}
added clang 2022-04-25 13:02:35 +02:00			`//== TrustNonnullChecker.cpp --------- API nullability modeling -- C++ ---==//`
			`//`
			`// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.`
			`// See https://llvm.org/LICENSE.txt for license information.`
			`// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception`
			`//`
			`//===----------------------------------------------------------------------===//`
			`//`
			`// This checker adds nullability-related assumptions:`
			`//`
			`// 1. Methods annotated with _Nonnull`
			`// which come from system headers actually return a non-null pointer.`
			`//`
			`// 2. NSDictionary key is non-null after the keyword subscript operation`
			`// on read if and only if the resulting expression is non-null.`
			`//`
			`// 3. NSMutableDictionary index is non-null after a write operation.`
			`//`
			`//===----------------------------------------------------------------------===//`

			`#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"`
			`#include "clang/Analysis/SelectorExtras.h"`
			`#include "clang/StaticAnalyzer/Core/Checker.h"`
			`#include "clang/StaticAnalyzer/Core/CheckerManager.h"`
			`#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"`
			`#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"`
			`#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"`

			`using namespace clang;`
			`using namespace ento;`

			`/// Records implications between symbols.`
			`/// The semantics is:`
			`/// (antecedent != 0) => (consequent != 0)`
			`/// These implications are then read during the evaluation of the assumption,`
			`/// and the appropriate antecedents are applied.`
			`REGISTER_MAP_WITH_PROGRAMSTATE(NonNullImplicationMap, SymbolRef, SymbolRef)`

			`/// The semantics is:`
			`/// (antecedent == 0) => (consequent == 0)`
			`REGISTER_MAP_WITH_PROGRAMSTATE(NullImplicationMap, SymbolRef, SymbolRef)`

			`namespace {`

			`class TrustNonnullChecker : public Checker<check::PostCall,`
			`check::PostObjCMessage,`
			`check::DeadSymbols,`
			`eval::Assume> {`
			`// Do not try to iterate over symbols with higher complexity.`
			`static unsigned constexpr ComplexityThreshold = 10;`
			`Selector ObjectForKeyedSubscriptSel;`
			`Selector ObjectForKeySel;`
			`Selector SetObjectForKeyedSubscriptSel;`
			`Selector SetObjectForKeySel;`

			`public:`
			`TrustNonnullChecker(ASTContext &Ctx)`
			`: ObjectForKeyedSubscriptSel(`
			`getKeywordSelector(Ctx, "objectForKeyedSubscript")),`
			`ObjectForKeySel(getKeywordSelector(Ctx, "objectForKey")),`
			`SetObjectForKeyedSubscriptSel(`
			`getKeywordSelector(Ctx, "setObject", "forKeyedSubscript")),`
			`SetObjectForKeySel(getKeywordSelector(Ctx, "setObject", "forKey")) {}`

			`ProgramStateRef evalAssume(ProgramStateRef State,`
			`SVal Cond,`
			`bool Assumption) const {`
			`const SymbolRef CondS = Cond.getAsSymbol();`
			`if (!CondS \|\| CondS->computeComplexity() > ComplexityThreshold)`
			`return State;`

			`for (auto B=CondS->symbol_begin(), E=CondS->symbol_end(); B != E; ++B) {`
			`const SymbolRef Antecedent = *B;`
			`State = addImplication(Antecedent, State, true);`
			`State = addImplication(Antecedent, State, false);`
			`}`

			`return State;`
			`}`

			`void checkPostCall(const CallEvent &Call, CheckerContext &C) const {`
			`// Only trust annotations for system headers for non-protocols.`
			`if (!Call.isInSystemHeader())`
			`return;`

			`ProgramStateRef State = C.getState();`

			`if (isNonNullPtr(Call, C))`
			`if (auto L = Call.getReturnValue().getAs<Loc>())`
			`State = State->assume(L, /assumption=*/true);`

			`C.addTransition(State);`
			`}`

			`void checkPostObjCMessage(const ObjCMethodCall &Msg,`
			`CheckerContext &C) const {`
			`const ObjCInterfaceDecl *ID = Msg.getReceiverInterface();`
			`if (!ID)`
			`return;`

			`ProgramStateRef State = C.getState();`

			`// Index to setter for NSMutableDictionary is assumed to be non-null,`
			`// as an exception is thrown otherwise.`
			`if (interfaceHasSuperclass(ID, "NSMutableDictionary") &&`
			`(Msg.getSelector() == SetObjectForKeyedSubscriptSel \|\|`
			`Msg.getSelector() == SetObjectForKeySel)) {`
			`if (auto L = Msg.getArgSVal(1).getAs<Loc>())`
			`State = State->assume(L, /assumption=*/true);`
			`}`

			`// Record an implication: index is non-null if the output is non-null.`
			`if (interfaceHasSuperclass(ID, "NSDictionary") &&`
			`(Msg.getSelector() == ObjectForKeyedSubscriptSel \|\|`
			`Msg.getSelector() == ObjectForKeySel)) {`
			`SymbolRef ArgS = Msg.getArgSVal(0).getAsSymbol();`
			`SymbolRef RetS = Msg.getReturnValue().getAsSymbol();`

			`if (ArgS && RetS) {`
			`// Emulate an implication: the argument is non-null if`
			`// the return value is non-null.`
			`State = State->set<NonNullImplicationMap>(RetS, ArgS);`

			`// Conversely, when the argument is null, the return value`
			`// is definitely null.`
			`State = State->set<NullImplicationMap>(ArgS, RetS);`
			`}`
			`}`

			`C.addTransition(State);`
			`}`

			`void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const {`
			`ProgramStateRef State = C.getState();`

			`State = dropDeadFromGDM<NullImplicationMap>(SymReaper, State);`
			`State = dropDeadFromGDM<NonNullImplicationMap>(SymReaper, State);`

			`C.addTransition(State);`
			`}`

			`private:`

			`/// \returns State with GDM \p MapName where all dead symbols were`
			`// removed.`
			`template <typename MapName>`
			`ProgramStateRef dropDeadFromGDM(SymbolReaper &SymReaper,`
			`ProgramStateRef State) const {`
			`for (const std::pair<SymbolRef, SymbolRef> &P : State->get<MapName>())`
			`if (!SymReaper.isLive(P.first) \|\| !SymReaper.isLive(P.second))`
			`State = State->remove<MapName>(P.first);`
			`return State;`
			`}`

			`/// \returns Whether we trust the result of the method call to be`
			`/// a non-null pointer.`
			`bool isNonNullPtr(const CallEvent &Call, CheckerContext &C) const {`
			`QualType ExprRetType = Call.getResultType();`
			`if (!ExprRetType->isAnyPointerType())`
			`return false;`

			`if (getNullabilityAnnotation(ExprRetType) == Nullability::Nonnull)`
			`return true;`

			`// The logic for ObjC instance method calls is more complicated,`
			`// as the return value is nil when the receiver is nil.`
			`if (!isa<ObjCMethodCall>(&Call))`
			`return false;`

			`const auto *MCall = cast<ObjCMethodCall>(&Call);`
			`const ObjCMethodDecl *MD = MCall->getDecl();`

			`// Distrust protocols.`
			`if (isa<ObjCProtocolDecl>(MD->getDeclContext()))`
			`return false;`

			`QualType DeclRetType = MD->getReturnType();`
			`if (getNullabilityAnnotation(DeclRetType) != Nullability::Nonnull)`
			`return false;`

			`// For class messages it is sufficient for the declaration to be`
			`// annotated _Nonnull.`
			`if (!MCall->isInstanceMessage())`
			`return true;`

			`// Alternatively, the analyzer could know that the receiver is not null.`
			`SVal Receiver = MCall->getReceiverSVal();`
			`ConditionTruthVal TV = C.getState()->isNonNull(Receiver);`
			`if (TV.isConstrainedTrue())`
			`return true;`

			`return false;`
			`}`

			`/// \return Whether \p ID has a superclass by the name \p ClassName.`
			`bool interfaceHasSuperclass(const ObjCInterfaceDecl *ID,`
			`StringRef ClassName) const {`
			`if (ID->getIdentifier()->getName() == ClassName)`
			`return true;`

			`if (const ObjCInterfaceDecl *Super = ID->getSuperClass())`
			`return interfaceHasSuperclass(Super, ClassName);`

			`return false;`
			`}`


			`/// \return a state with an optional implication added (if exists)`
			`/// from a map of recorded implications.`
			`/// If \p Negated is true, checks NullImplicationMap, and assumes`
			`/// the negation of \p Antecedent.`
			`/// Checks NonNullImplicationMap and assumes \p Antecedent otherwise.`
			`ProgramStateRef addImplication(SymbolRef Antecedent,`
			`ProgramStateRef InputState,`
			`bool Negated) const {`
			`if (!InputState)`
			`return nullptr;`
			`SValBuilder &SVB = InputState->getStateManager().getSValBuilder();`
			`const SymbolRef *Consequent =`
			`Negated ? InputState->get<NonNullImplicationMap>(Antecedent)`
			`: InputState->get<NullImplicationMap>(Antecedent);`
			`if (!Consequent)`
			`return InputState;`

			`SVal AntecedentV = SVB.makeSymbolVal(Antecedent);`
			`ProgramStateRef State = InputState;`

			`if ((Negated && InputState->isNonNull(AntecedentV).isConstrainedTrue())`
			`\|\| (!Negated && InputState->isNull(AntecedentV).isConstrainedTrue())) {`
			`SVal ConsequentS = SVB.makeSymbolVal(*Consequent);`
			`State = InputState->assume(ConsequentS.castAs<DefinedSVal>(), Negated);`
			`if (!State)`
			`return nullptr;`

			`// Drop implications from the map.`
			`if (Negated) {`
			`State = State->remove<NonNullImplicationMap>(Antecedent);`
			`State = State->remove<NullImplicationMap>(*Consequent);`
			`} else {`
			`State = State->remove<NullImplicationMap>(Antecedent);`
			`State = State->remove<NonNullImplicationMap>(*Consequent);`
			`}`
			`}`

			`return State;`
			`}`
			`};`

			`} // end empty namespace`

			`void ento::registerTrustNonnullChecker(CheckerManager &Mgr) {`
			`Mgr.registerChecker<TrustNonnullChecker>(Mgr.getASTContext());`
			`}`

			`bool ento::shouldRegisterTrustNonnullChecker(const CheckerManager &mgr) {`
			`return true;`
			`}`