Analysis/FlowSensitive/DataflowAnalysisContext.h

0001 //===-- DataflowAnalysisContext.h -------------------------------*- C++ -*-===//
0002 //
0003 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
0004 // See https://llvm.org/LICENSE.txt for license information.
0005 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
0006 //
0007 //===----------------------------------------------------------------------===//
0008 //
0009 //  This file defines a DataflowAnalysisContext class that owns objects that
0010 //  encompass the state of a program and stores context that is used during
0011 //  dataflow analysis.
0012 //
0013 //===----------------------------------------------------------------------===//
0014
0015 #ifndef LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_DATAFLOWANALYSISCONTEXT_H
0016 #define LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_DATAFLOWANALYSISCONTEXT_H
0017
0018 #include "clang/AST/Decl.h"
0019 #include "clang/AST/Expr.h"
0020 #include "clang/AST/TypeOrdering.h"
0021 #include "clang/Analysis/FlowSensitive/ASTOps.h"
0022 #include "clang/Analysis/FlowSensitive/AdornedCFG.h"
0023 #include "clang/Analysis/FlowSensitive/Arena.h"
0024 #include "clang/Analysis/FlowSensitive/Solver.h"
0025 #include "clang/Analysis/FlowSensitive/StorageLocation.h"
0026 #include "clang/Analysis/FlowSensitive/Value.h"
0027 #include "llvm/ADT/DenseMap.h"
0028 #include "llvm/ADT/DenseSet.h"
0029 #include "llvm/ADT/SetVector.h"
0030 #include "llvm/Support/Compiler.h"
0031 #include <cassert>
0032 #include <memory>
0033 #include <optional>
0034
0035 namespace clang {
0036 namespace dataflow {
0037 class Logger;
0038
0039 struct ContextSensitiveOptions {
0040   /// The maximum depth to analyze. A value of zero is equivalent to disabling
0041   /// context-sensitive analysis entirely.
0042   unsigned Depth = 2;
0043 };
0044
0045 /// Owns objects that encompass the state of a program and stores context that
0046 /// is used during dataflow analysis.
0047 class DataflowAnalysisContext {
0048 public:
0049   struct Options {
0050     /// Options for analyzing function bodies when present in the translation
0051     /// unit, or empty to disable context-sensitive analysis. Note that this is
0052     /// fundamentally limited: some constructs, such as recursion, are
0053     /// explicitly unsupported.
0054     std::optional<ContextSensitiveOptions> ContextSensitiveOpts;
0055
0056     /// If provided, analysis details will be recorded here.
0057     /// (This is always non-null within an AnalysisContext, the framework
0058     /// provides a fallback no-op logger).
0059     Logger *Log = nullptr;
0060   };
0061
0062   /// Constructs a dataflow analysis context.
0063   ///
0064   /// Requirements:
0065   ///
0066   ///  `S` must not be null.
0067   DataflowAnalysisContext(std::unique_ptr<Solver> S,
0068                           Options Opts = Options{
0069                               /*ContextSensitiveOpts=*/std::nullopt,
0070                               /*Logger=*/nullptr})
0071       : DataflowAnalysisContext(*S, std::move(S), Opts) {}
0072
0073   /// Constructs a dataflow analysis context.
0074   ///
0075   /// Requirements:
0076   ///
0077   ///  `S` must outlive the `DataflowAnalysisContext`.
0078   DataflowAnalysisContext(Solver &S, Options Opts = Options{
0079                                          /*ContextSensitiveOpts=*/std::nullopt,
0080                                          /*Logger=*/nullptr})
0081       : DataflowAnalysisContext(S, nullptr, Opts) {}
0082
0083   ~DataflowAnalysisContext();
0084
0085   /// Sets a callback that returns the names and types of the synthetic fields
0086   /// to add to a `RecordStorageLocation` of a given type.
0087   /// Typically, this is called from the constructor of a `DataflowAnalysis`
0088   ///
0089   /// The field types returned by the callback may not have reference type.
0090   ///
0091   /// To maintain the invariant that all `RecordStorageLocation`s of a given
0092   /// type have the same fields:
0093   /// *  The callback must always return the same result for a given type
0094   /// *  `setSyntheticFieldCallback()` must be called before any
0095   //     `RecordStorageLocation`s are created.
0096   void setSyntheticFieldCallback(
0097       std::function<llvm::StringMap<QualType>(QualType)> CB) {
0098     assert(!RecordStorageLocationCreated);
0099     SyntheticFieldCallback = CB;
0100   }
0101
0102   /// Returns a new storage location appropriate for `Type`.
0103   ///
0104   /// A null `Type` is interpreted as the pointee type of `std::nullptr_t`.
0105   StorageLocation &createStorageLocation(QualType Type);
0106
0107   /// Creates a `RecordStorageLocation` for the given type and with the given
0108   /// fields.
0109   ///
0110   /// Requirements:
0111   ///
0112   ///  `FieldLocs` must contain exactly the fields returned by
0113   ///  `getModeledFields(Type)`.
0114   ///  `SyntheticFields` must contain exactly the fields returned by
0115   ///  `getSyntheticFields(Type)`.
0116   RecordStorageLocation &createRecordStorageLocation(
0117       QualType Type, RecordStorageLocation::FieldToLoc FieldLocs,
0118       RecordStorageLocation::SyntheticFieldMap SyntheticFields);
0119
0120   /// Returns a stable storage location for `D`.
0121   StorageLocation &getStableStorageLocation(const ValueDecl &D);
0122
0123   /// Returns a stable storage location for `E`.
0124   StorageLocation &getStableStorageLocation(const Expr &E);
0125
0126   /// Returns a pointer value that represents a null pointer. Calls with
0127   /// `PointeeType` that are canonically equivalent will return the same result.
0128   /// A null `PointeeType` can be used for the pointee of `std::nullptr_t`.
0129   PointerValue &getOrCreateNullPointerValue(QualType PointeeType);
0130
0131   /// Adds `Constraint` to current and future flow conditions in this context.
0132   ///
0133   /// Invariants must contain only flow-insensitive information, i.e. facts that
0134   /// are true on all paths through the program.
0135   /// Information can be added eagerly (when analysis begins), or lazily (e.g.
0136   /// when values are first used). The analysis must be careful that the same
0137   /// information is added regardless of which order blocks are analyzed in.
0138   void addInvariant(const Formula &Constraint);
0139
0140   /// Adds `Constraint` to the flow condition identified by `Token`.
0141   void addFlowConditionConstraint(Atom Token, const Formula &Constraint);
0142
0143   /// Creates a new flow condition with the same constraints as the flow
0144   /// condition identified by `Token` and returns its token.
0145   Atom forkFlowCondition(Atom Token);
0146
0147   /// Creates a new flow condition that represents the disjunction of the flow
0148   /// conditions identified by `FirstToken` and `SecondToken`, and returns its
0149   /// token.
0150   Atom joinFlowConditions(Atom FirstToken, Atom SecondToken);
0151
0152   /// Returns true if the constraints of the flow condition identified by
0153   /// `Token` imply that `F` is true.
0154   /// Returns false if the flow condition does not imply `F` or if the solver
0155   /// times out.
0156   bool flowConditionImplies(Atom Token, const Formula &F);
0157
0158   /// Returns true if the constraints of the flow condition identified by
0159   /// `Token` still allow `F` to be true.
0160   /// Returns false if the flow condition implies that `F` is false or if the
0161   /// solver times out.
0162   bool flowConditionAllows(Atom Token, const Formula &F);
0163
0164   /// Returns true if `Val1` is equivalent to `Val2`.
0165   /// Note: This function doesn't take into account constraints on `Val1` and
0166   /// `Val2` imposed by the flow condition.
0167   bool equivalentFormulas(const Formula &Val1, const Formula &Val2);
0168
0169   LLVM_DUMP_METHOD void dumpFlowCondition(Atom Token,
0170                                           llvm::raw_ostream &OS = llvm::dbgs());
0171
0172   /// Returns the `AdornedCFG` registered for `F`, if any. Otherwise,
0173   /// returns null.
0174   const AdornedCFG *getAdornedCFG(const FunctionDecl *F);
0175
0176   const Options &getOptions() { return Opts; }
0177
0178   Arena &arena() { return *A; }
0179
0180   /// Returns the outcome of satisfiability checking on `Constraints`.
0181   ///
0182   /// Flow conditions are not incorporated, so they may need to be manually
0183   /// included in `Constraints` to provide contextually-accurate results, e.g.
0184   /// if any definitions or relationships of the values in `Constraints` have
0185   /// been stored in flow conditions.
0186   Solver::Result querySolver(llvm::SetVector<const Formula *> Constraints);
0187
0188   /// Returns the fields of `Type`, limited to the set of fields modeled by this
0189   /// context.
0190   FieldSet getModeledFields(QualType Type);
0191
0192   /// Returns the names and types of the synthetic fields for the given record
0193   /// type.
0194   llvm::StringMap<QualType> getSyntheticFields(QualType Type) {
0195     assert(Type->isRecordType());
0196     if (SyntheticFieldCallback) {
0197       llvm::StringMap<QualType> Result = SyntheticFieldCallback(Type);
0198       // Synthetic fields are not allowed to have reference type.
0199       assert([&Result] {
0200         for (const auto &Entry : Result)
0201           if (Entry.getValue()->isReferenceType())
0202             return false;
0203         return true;
0204       }());
0205       return Result;
0206     }
0207     return {};
0208   }
0209
0210 private:
0211   friend class Environment;
0212
0213   struct NullableQualTypeDenseMapInfo : private llvm::DenseMapInfo<QualType> {
0214     static QualType getEmptyKey() {
0215       // Allow a NULL `QualType` by using a different value as the empty key.
0216       return QualType::getFromOpaquePtr(reinterpret_cast<Type *>(1));
0217     }
0218
0219     using DenseMapInfo::getHashValue;
0220     using DenseMapInfo::getTombstoneKey;
0221     using DenseMapInfo::isEqual;
0222   };
0223
0224   /// `S` is the solver to use. `OwnedSolver` may be:
0225   /// *  Null (in which case `S` is non-onwed and must outlive this object), or
0226   /// *  Non-null (in which case it must refer to `S`, and the
0227   ///    `DataflowAnalysisContext will take ownership of `OwnedSolver`).
0228   DataflowAnalysisContext(Solver &S, std::unique_ptr<Solver> &&OwnedSolver,
0229                           Options Opts);
0230
0231   // Extends the set of modeled field declarations.
0232   void addModeledFields(const FieldSet &Fields);
0233
0234   /// Adds all constraints of the flow condition identified by `Token` and all
0235   /// of its transitive dependencies to `Constraints`.
0236   void
0237   addTransitiveFlowConditionConstraints(Atom Token,
0238                                         llvm::SetVector<const Formula *> &Out);
0239
0240   /// Returns true if the solver is able to prove that there is a satisfying
0241   /// assignment for `Constraints`.
0242   bool isSatisfiable(llvm::SetVector<const Formula *> Constraints) {
0243     return querySolver(std::move(Constraints)).getStatus() ==
0244            Solver::Result::Status::Satisfiable;
0245   }
0246
0247   /// Returns true if the solver is able to prove that there is no satisfying
0248   /// assignment for `Constraints`
0249   bool isUnsatisfiable(llvm::SetVector<const Formula *> Constraints) {
0250     return querySolver(std::move(Constraints)).getStatus() ==
0251            Solver::Result::Status::Unsatisfiable;
0252   }
0253
0254   Solver &S;
0255   std::unique_ptr<Solver> OwnedSolver;
0256   std::unique_ptr<Arena> A;
0257
0258   // Maps from program declarations and statements to storage locations that are
0259   // assigned to them. These assignments are global (aggregated across all basic
0260   // blocks) and are used to produce stable storage locations when the same
0261   // basic blocks are evaluated multiple times. The storage locations that are
0262   // in scope for a particular basic block are stored in `Environment`.
0263   llvm::DenseMap<const ValueDecl *, StorageLocation *> DeclToLoc;
0264   llvm::DenseMap<const Expr *, StorageLocation *> ExprToLoc;
0265
0266   // Null pointer values, keyed by the canonical pointee type.
0267   //
0268   // FIXME: The pointer values are indexed by the pointee types which are
0269   // required to initialize the `PointeeLoc` field in `PointerValue`. Consider
0270   // creating a type-independent `NullPointerValue` without a `PointeeLoc`
0271   // field.
0272   llvm::DenseMap<QualType, PointerValue *, NullableQualTypeDenseMapInfo>
0273       NullPointerVals;
0274
0275   Options Opts;
0276
0277   // Flow conditions are tracked symbolically: each unique flow condition is
0278   // associated with a fresh symbolic variable (token), bound to the clause that
0279   // defines the flow condition. Conceptually, each binding corresponds to an
0280   // "iff" of the form `FC <=> (C1 ^ C2 ^ ...)` where `FC` is a flow condition
0281   // token (an atomic boolean) and `Ci`s are the set of constraints in the flow
0282   // flow condition clause. The set of constraints (C1 ^ C2 ^ ...) are stored in
0283   // the `FlowConditionConstraints` map, keyed by the token of the flow
0284   // condition.
0285   //
0286   // Flow conditions depend on other flow conditions if they are created using
0287   // `forkFlowCondition` or `joinFlowConditions`. The graph of flow condition
0288   // dependencies is stored in the `FlowConditionDeps` map.
0289   llvm::DenseMap<Atom, llvm::DenseSet<Atom>> FlowConditionDeps;
0290   llvm::DenseMap<Atom, const Formula *> FlowConditionConstraints;
0291   const Formula *Invariant = nullptr;
0292
0293   llvm::DenseMap<const FunctionDecl *, AdornedCFG> FunctionContexts;
0294
0295   // Fields modeled by environments covered by this context.
0296   FieldSet ModeledFields;
0297
0298   std::unique_ptr<Logger> LogOwner; // If created via flags.
0299
0300   std::function<llvm::StringMap<QualType>(QualType)> SyntheticFieldCallback;
0301
0302   /// Has any `RecordStorageLocation` been created yet?
0303   bool RecordStorageLocationCreated = false;
0304 };
0305
0306 } // namespace dataflow
0307 } // namespace clang
0308
0309 #endif // LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_DATAFLOWANALYSISCONTEXT_H