[analyzer] Add bool operator modeling for unque_ptr

Summary: Implemented boolean conversion operator for unique_ptr

Reviewers: NoQ, Szelethus, vsavchenko, xazax.hun

Reviewed By: NoQ, xazax.hun

Subscribers: martong, cfe-commits
Tags: #clang
Differential Revision: https://reviews.llvm.org/D86027

Author: vrnithinkumar

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp

@@ -15,6 +15,7 @@
 #include "SmartPtr.h"
 
 #include "clang/AST/DeclCXX.h"
+#include "clang/AST/DeclarationName.h"
 #include "clang/AST/ExprCXX.h"
 #include "clang/AST/Type.h"
 #include "clang/Basic/LLVM.h"
@@ -35,9 +36,10 @@ using namespace ento;
 
 namespace {
 class SmartPtrModeling
-    : public Checker<eval::Call, check::DeadSymbols, check::RegionChanges> {
+    : public Checker<eval::Call, check::DeadSymbols, check::RegionChanges,
+                     check::LiveSymbols> {
 
-  bool isAssignOpMethod(const CallEvent &Call) const;
+  bool isBoolConversionMethod(const CallEvent &Call) const;
 
 public:
   // Whether the checker should model for null dereferences of smart pointers.
@@ -51,6 +53,9 @@ class SmartPtrModeling
                      ArrayRef<const MemRegion *> ExplicitRegions,
                      ArrayRef<const MemRegion *> Regions,
                      const LocationContext *LCtx, const CallEvent *Call) const;
+  void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
+                  const char *Sep) const;
+  void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const;
 
 private:
   void handleReset(const CallEvent &Call, CheckerContext &C) const;
@@ -62,6 +67,7 @@ class SmartPtrModeling
                      const MemRegion *ThisRegion) const;
   bool updateMovedSmartPointers(CheckerContext &C, const MemRegion *ThisRegion,
                                 const MemRegion *OtherSmartPtrRegion) const;
+  void handleBoolConversion(const CallEvent &Call, CheckerContext &C) const;
 
   using SmartPtrMethodHandlerFn =
       void (SmartPtrModeling::*)(const CallEvent &Call, CheckerContext &) const;
@@ -128,7 +134,38 @@ static ProgramStateRef updateSwappedRegion(ProgramStateRef State,
   return State;
 }
 
-bool SmartPtrModeling::isAssignOpMethod(const CallEvent &Call) const {
+// Helper method to get the inner pointer type of specialized smart pointer
+// Returns empty type if not found valid inner pointer type.
+static QualType getInnerPointerType(const CallEvent &Call, CheckerContext &C) {
+  const auto *MethodDecl = dyn_cast_or_null<CXXMethodDecl>(Call.getDecl());
+  if (!MethodDecl || !MethodDecl->getParent())
+    return {};
+
+  const auto *RecordDecl = MethodDecl->getParent();
+  if (!RecordDecl || !RecordDecl->isInStdNamespace())
+    return {};
+
+  const auto *TSD = dyn_cast<ClassTemplateSpecializationDecl>(RecordDecl);
+  if (!TSD)
+    return {};
+
+  auto TemplateArgs = TSD->getTemplateArgs().asArray();
+  if (TemplateArgs.size() == 0)
+    return {};
+  auto InnerValueType = TemplateArgs[0].getAsType();
+  return C.getASTContext().getPointerType(InnerValueType.getCanonicalType());
+}
+
+// Helper method to pretty print region and avoid extra spacing.
+static void checkAndPrettyPrintRegion(llvm::raw_ostream &OS,
+                                      const MemRegion *Region) {
+  if (Region->canPrintPretty()) {
+    OS << " ";
+    Region->printPretty(OS);
+  }
+}
+
+bool SmartPtrModeling::isBoolConversionMethod(const CallEvent &Call) const {
   // TODO: Update CallDescription to support anonymous calls?
   // TODO: Handle other methods, such as .get() or .release().
   // But once we do, we'd need a visitor to explain null dereferences
@@ -143,21 +180,31 @@ bool SmartPtrModeling::evalCall(const CallEvent &Call,
   if (!smartptr::isStdSmartPtrCall(Call))
     return false;
 
-  if (isAssignOpMethod(Call)) {
+  if (isBoolConversionMethod(Call)) {
     const MemRegion *ThisR =
         cast<CXXInstanceCall>(&Call)->getCXXThisVal().getAsRegion();
 
-    if (!move::isMovedFrom(State, ThisR)) {
-      // TODO: Model this case as well. At least, avoid invalidation of
-      // globals.
-      return false;
+    if (ModelSmartPtrDereference) {
+      // The check for the region is moved is duplicated in handleBoolOperation
+      // method.
+      // FIXME: Once we model std::move for smart pointers clean up this and use
+      // that modeling.
+      handleBoolConversion(Call, C);
+      return true;
+    } else {
+      if (!move::isMovedFrom(State, ThisR)) {
+        // TODO: Model this case as well. At least, avoid invalidation of
+        // globals.
+        return false;
+      }
+
+      // TODO: Add a note to bug reports describing this decision.
+      C.addTransition(State->BindExpr(
+          Call.getOriginExpr(), C.getLocationContext(),
+          C.getSValBuilder().makeZeroVal(Call.getResultType())));
+
+      return true;
     }
-
-    // TODO: Add a note to bug reports describing this decision.
-    C.addTransition(
-        State->BindExpr(Call.getOriginExpr(), C.getLocationContext(),
-                        C.getSValBuilder().makeZeroVal(Call.getResultType())));
-    return true;
   }
 
   if (!ModelSmartPtrDereference)
@@ -184,8 +231,8 @@ bool SmartPtrModeling::evalCall(const CallEvent &Call,
             if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||
                 !BR.isInteresting(ThisRegion))
               return;
-            OS << "Default constructed smart pointer ";
-            ThisRegion->printPretty(OS);
+            OS << "Default constructed smart pointer";
+            checkAndPrettyPrintRegion(OS, ThisRegion);
             OS << " is null";
           }));
     } else {
@@ -202,8 +249,8 @@ bool SmartPtrModeling::evalCall(const CallEvent &Call,
             !BR.isInteresting(ThisRegion))
           return;
         bugreporter::trackExpressionValue(BR.getErrorNode(), TrackingExpr, BR);
-        OS << "Smart pointer ";
-        ThisRegion->printPretty(OS);
+        OS << "Smart pointer";
+        checkAndPrettyPrintRegion(OS, ThisRegion);
         if (ArgVal.isZeroConstant())
           OS << " is constructed using a null value";
         else
@@ -239,6 +286,23 @@ void SmartPtrModeling::checkDeadSymbols(SymbolReaper &SymReaper,
   C.addTransition(State);
 }
 
+void SmartPtrModeling::printState(raw_ostream &Out, ProgramStateRef State,
+                                  const char *NL, const char *Sep) const {
+  TrackedRegionMapTy RS = State->get<TrackedRegionMap>();
+
+  if (!RS.isEmpty()) {
+    Out << Sep << "Smart ptr regions :" << NL;
+    for (auto I : RS) {
+      I.first->dumpToStream(Out);
+      if (smartptr::isNullSmartPtr(State, I.first))
+        Out << ": Null";
+      else
+        Out << ": Non Null";
+      Out << NL;
+    }
+  }
+}
+
 ProgramStateRef SmartPtrModeling::checkRegionChanges(
     ProgramStateRef State, const InvalidatedSymbols *Invalidated,
     ArrayRef<const MemRegion *> ExplicitRegions,
@@ -253,6 +317,18 @@ ProgramStateRef SmartPtrModeling::checkRegionChanges(
   return State->set<TrackedRegionMap>(RegionMap);
 }
 
+void SmartPtrModeling::checkLiveSymbols(ProgramStateRef State,
+                                        SymbolReaper &SR) const {
+  // Marking tracked symbols alive
+  TrackedRegionMapTy TrackedRegions = State->get<TrackedRegionMap>();
+  for (auto I = TrackedRegions.begin(), E = TrackedRegions.end(); I != E; ++I) {
+    SVal Val = I->second;
+    for (auto si = Val.symbol_begin(), se = Val.symbol_end(); si != se; ++si) {
+      SR.markLive(*si);
+    }
+  }
+}
+
 void SmartPtrModeling::handleReset(const CallEvent &Call,
                                    CheckerContext &C) const {
   ProgramStateRef State = C.getState();
@@ -275,8 +351,8 @@ void SmartPtrModeling::handleReset(const CallEvent &Call,
             !BR.isInteresting(ThisRegion))
           return;
         bugreporter::trackExpressionValue(BR.getErrorNode(), TrackingExpr, BR);
-        OS << "Smart pointer ";
-        ThisRegion->printPretty(OS);
+        OS << "Smart pointer";
+        checkAndPrettyPrintRegion(OS, ThisRegion);
         OS << " reset using a null value";
       }));
   // TODO: Make sure to ivalidate the region in the Store if we don't have
@@ -310,8 +386,8 @@ void SmartPtrModeling::handleRelease(const CallEvent &Call,
         !BR.isInteresting(ThisRegion))
       return;
 
-    OS << "Smart pointer ";
-    ThisRegion->printPretty(OS);
+    OS << "Smart pointer";
+    checkAndPrettyPrintRegion(OS, ThisRegion);
     OS << " is released and set to null";
   }));
   // TODO: Add support to enable MallocChecker to start tracking the raw
@@ -350,10 +426,10 @@ void SmartPtrModeling::handleSwap(const CallEvent &Call,
             !BR.isInteresting(ThisRegion))
           return;
         BR.markInteresting(ArgRegion);
-        OS << "Swapped null smart pointer ";
-        ArgRegion->printPretty(OS);
-        OS << " with smart pointer ";
-        ThisRegion->printPretty(OS);
+        OS << "Swapped null smart pointer";
+        checkAndPrettyPrintRegion(OS, ArgRegion);
+        OS << " with smart pointer";
+        checkAndPrettyPrintRegion(OS, ThisRegion);
       }));
 }
 
@@ -410,8 +486,8 @@ bool SmartPtrModeling::handleAssignOp(const CallEvent &Call,
       if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||
           !BR.isInteresting(ThisRegion))
         return;
-      OS << "Smart pointer ";
-      ThisRegion->printPretty(OS);
+      OS << "Smart pointer";
+      checkAndPrettyPrintRegion(OS, ThisRegion);
       OS << " is assigned to null";
     }));
     return true;
@@ -447,14 +523,14 @@ bool SmartPtrModeling::updateMovedSmartPointers(
           if (&BR.getBugType() != smartptr::getNullDereferenceBugType())
             return;
           if (BR.isInteresting(OtherSmartPtrRegion)) {
-            OS << "Smart pointer ";
-            OtherSmartPtrRegion->printPretty(OS);
-            OS << " is null after being moved to ";
-            ThisRegion->printPretty(OS);
+            OS << "Smart pointer";
+            checkAndPrettyPrintRegion(OS, OtherSmartPtrRegion);
+            OS << " is null after being moved to";
+            checkAndPrettyPrintRegion(OS, ThisRegion);
           }
           if (BR.isInteresting(ThisRegion) && IsArgValNull) {
-            OS << "A null pointer value is moved to ";
-            ThisRegion->printPretty(OS);
+            OS << "A null pointer value is moved to";
+            checkAndPrettyPrintRegion(OS, ThisRegion);
             BR.markInteresting(OtherSmartPtrRegion);
           }
         }));
@@ -471,16 +547,92 @@ bool SmartPtrModeling::updateMovedSmartPointers(
       if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||
           !BR.isInteresting(OtherSmartPtrRegion))
         return;
-      OS << "Smart pointer ";
-      OtherSmartPtrRegion->printPretty(OS);
-      OS << " is null after; previous value moved to ";
-      ThisRegion->printPretty(OS);
+      OS << "Smart pointer";
+      checkAndPrettyPrintRegion(OS, OtherSmartPtrRegion);
+      OS << " is null after; previous value moved to";
+      checkAndPrettyPrintRegion(OS, ThisRegion);
     }));
     return true;
   }
   return false;
 }
 
+void SmartPtrModeling::handleBoolConversion(const CallEvent &Call,
+                                            CheckerContext &C) const {
+  // To model unique_ptr::operator bool
+  ProgramStateRef State = C.getState();
+  const Expr *CallExpr = Call.getOriginExpr();
+  const MemRegion *ThisRegion =
+      cast<CXXInstanceCall>(&Call)->getCXXThisVal().getAsRegion();
+
+  SVal InnerPointerVal;
+  if (const auto *InnerValPtr = State->get<TrackedRegionMap>(ThisRegion)) {
+    InnerPointerVal = *InnerValPtr;
+  } else {
+    // In case of inner pointer SVal is not available we create
+    // conjureSymbolVal for inner pointer value.
+    auto InnerPointerType = getInnerPointerType(Call, C);
+    if (InnerPointerType.isNull())
+      return;
+
+    const LocationContext *LC = C.getLocationContext();
+    InnerPointerVal = C.getSValBuilder().conjureSymbolVal(
+        CallExpr, LC, InnerPointerType, C.blockCount());
+    State = State->set<TrackedRegionMap>(ThisRegion, InnerPointerVal);
+  }
+
+  if (State->isNull(InnerPointerVal).isConstrainedTrue()) {
+    State = State->BindExpr(CallExpr, C.getLocationContext(),
+                            C.getSValBuilder().makeTruthVal(false));
+
+    C.addTransition(State);
+    return;
+  } else if (State->isNonNull(InnerPointerVal).isConstrainedTrue()) {
+    State = State->BindExpr(CallExpr, C.getLocationContext(),
+                            C.getSValBuilder().makeTruthVal(true));
+
+    C.addTransition(State);
+    return;
+  } else if (move::isMovedFrom(State, ThisRegion)) {
+    C.addTransition(
+        State->BindExpr(CallExpr, C.getLocationContext(),
+                        C.getSValBuilder().makeZeroVal(Call.getResultType())));
+    return;
+  } else {
+    ProgramStateRef NotNullState, NullState;
+    std::tie(NotNullState, NullState) =
+        State->assume(InnerPointerVal.castAs<DefinedOrUnknownSVal>());
+
+    auto NullVal = C.getSValBuilder().makeNull();
+    // Explicitly tracking the region as null.
+    NullState = NullState->set<TrackedRegionMap>(ThisRegion, NullVal);
+
+    NullState = NullState->BindExpr(CallExpr, C.getLocationContext(),
+                                    C.getSValBuilder().makeTruthVal(false));
+    C.addTransition(NullState, C.getNoteTag(
+                                   [ThisRegion](PathSensitiveBugReport &BR,
+                                                llvm::raw_ostream &OS) {
+                                     OS << "Assuming smart pointer";
+                                     checkAndPrettyPrintRegion(OS, ThisRegion);
+                                     OS << " is null";
+                                   },
+                                   /*IsPrunable=*/true));
+    NotNullState =
+        NotNullState->BindExpr(CallExpr, C.getLocationContext(),
+                               C.getSValBuilder().makeTruthVal(true));
+    C.addTransition(
+        NotNullState,
+        C.getNoteTag(
+            [ThisRegion](PathSensitiveBugReport &BR, llvm::raw_ostream &OS) {
+              OS << "Assuming smart pointer";
+              checkAndPrettyPrintRegion(OS, ThisRegion);
+              OS << " is non-null";
+            },
+            /*IsPrunable=*/true));
+    return;
+  }
+}
+
 void ento::registerSmartPtrModeling(CheckerManager &Mgr) {
   auto *Checker = Mgr.registerChecker<SmartPtrModeling>();
   Checker->ModelSmartPtrDereference =