/Users/buildslave/jenkins/workspace/coverage/llvm-project/clang/lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp

Source (jump to first uncovered line)
//=== InnerPointerChecker.cpp -------------------------------------*- C++ -*--//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines a check that marks a raw pointer to a C++ container's
// inner buffer released when the object is destroyed. This information can
// be used by MallocChecker to detect use-after-free problems.
//
//===----------------------------------------------------------------------===//

#include "AllocationState.h"
#include "InterCheckerAPI.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

using namespace clang;
using namespace ento;

// Associate container objects with a set of raw pointer symbols.
REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(PtrSet, SymbolRef)
REGISTER_MAP_WITH_PROGRAMSTATE(RawPtrMap, const MemRegion *, PtrSet)


namespace {

class InnerPointerChecker
    : public Checker<check::DeadSymbols, check::PostCall> {

  CallDescription AppendFn, AssignFn, AddressofFn, AddressofFn_, ClearFn,
      CStrFn, DataFn, DataMemberFn, EraseFn, InsertFn, PopBackFn, PushBackFn,
      ReplaceFn, ReserveFn, ResizeFn, ShrinkToFitFn, SwapFn;

public:
  class InnerPointerBRVisitor : public BugReporterVisitor {
    SymbolRef PtrToBuf;

  public:
    InnerPointerBRVisitor(SymbolRef Sym) : PtrToBuf(Sym) {}

    static void *getTag() {
      static int Tag = 0;
      return &Tag;
    }

    void Profile(llvm::FoldingSetNodeID &ID) const override {
      ID.AddPointer(getTag());
    }

    PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
                                     BugReporterContext &BRC,
                                     PathSensitiveBugReport &BR) override;

    // FIXME: Scan the map once in the visitor's constructor and do a direct
    // lookup by region.
    bool isSymbolTracked(ProgramStateRef State, SymbolRef Sym) {
      RawPtrMapTy Map = State->get<RawPtrMap>();
      for (const auto &Entry : Map) {
        if (Entry.second.contains(Sym))
          return true;
      }
      return false;
    }
  };

  InnerPointerChecker()
      : AppendFn({"std", "basic_string", "append"}),
        AssignFn({"std", "basic_string", "assign"}),
        AddressofFn({"std", "addressof"}), AddressofFn_({"std", "__addressof"}),
        ClearFn({"std", "basic_string", "clear"}),
        CStrFn({"std", "basic_string", "c_str"}), DataFn({"std", "data"}, 1),
        DataMemberFn({"std", "basic_string", "data"}),
        EraseFn({"std", "basic_string", "erase"}),
        InsertFn({"std", "basic_string", "insert"}),
        PopBackFn({"std", "basic_string", "pop_back"}),
        PushBackFn({"std", "basic_string", "push_back"}),
        ReplaceFn({"std", "basic_string", "replace"}),
        ReserveFn({"std", "basic_string", "reserve"}),
        ResizeFn({"std", "basic_string", "resize"}),
        ShrinkToFitFn({"std", "basic_string", "shrink_to_fit"}),
        SwapFn({"std", "basic_string", "swap"}) {}

  /// Check whether the called member function potentially invalidates
  /// pointers referring to the container object's inner buffer.
  bool isInvalidatingMemberFunction(const CallEvent &Call) const;

  /// Check whether the called function returns a raw inner pointer.
  bool isInnerPointerAccessFunction(const CallEvent &Call) const;

  /// Mark pointer symbols associated with the given memory region released
  /// in the program state.
  void markPtrSymbolsReleased(const CallEvent &Call, ProgramStateRef State,
                              const MemRegion *ObjRegion,
                              CheckerContext &C) const;

  /// Standard library functions that take a non-const `basic_string` argument by
  /// reference may invalidate its inner pointers. Check for these cases and
  /// mark the pointers released.
  void checkFunctionArguments(const CallEvent &Call, ProgramStateRef State,
                              CheckerContext &C) const;

  /// Record the connection between raw pointers referring to a container
  /// object's inner buffer and the object's memory region in the program state.
  /// Mark potentially invalidated pointers released.
  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;

  /// Clean up the program state map.
  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
};

} // end anonymous namespace

bool InnerPointerChecker::isInvalidatingMemberFunction(
        const CallEvent &Call) const {
  if (const auto *MemOpCall = dyn_cast<CXXMemberOperatorCall>(&Call)) {
    OverloadedOperatorKind Opc = MemOpCall->getOriginExpr()->getOperator();
    if (Opc == OO_Equal || Opc == OO_PlusEqual1.27k)
      return true;
    return false;
  }
  return isa<CXXDestructorCall>(Call) ||
         matchesAny(Call, AppendFn, AssignFn, ClearFn, EraseFn, InsertFn,
                    PopBackFn, PushBackFn, ReplaceFn, ReserveFn, ResizeFn,
                    ShrinkToFitFn, SwapFn);
}

bool InnerPointerChecker::isInnerPointerAccessFunction(
    const CallEvent &Call) const {
  return matchesAny(Call, CStrFn, DataFn, DataMemberFn);
}

void InnerPointerChecker::markPtrSymbolsReleased(const CallEvent &Call,
                                                 ProgramStateRef State,
                                                 const MemRegion *MR,
                                                 CheckerContext &C) const {
  if (const PtrSet *PS = State->get<RawPtrMap>(MR)) {
    const Expr *Origin = Call.getOriginExpr();
    for (const auto Symbol : *PS) {
      // NOTE: `Origin` may be null, and will be stored so in the symbol's
      // `RefState` in MallocChecker's `RegionState` program state map.
      State = allocation_state::markReleased(State, Symbol, Origin);
    }
    State = State->remove<RawPtrMap>(MR);
    C.addTransition(State);
    return;
  }
}

void InnerPointerChecker::checkFunctionArguments(const CallEvent &Call,
                                                 ProgramStateRef State,
                                                 CheckerContext &C) const {
  if (const auto *FC = dyn_cast<AnyFunctionCall>(&Call)) {
    const FunctionDecl *FD = FC->getDecl();
    if (!FD || !FD->isInStdNamespace()32.1k)
      return;

    for (unsigned I = 0, E = FD->getNumParams(); 431I != E; ++I1.09k) {
      QualType ParamTy = FD->getParamDecl(I)->getType();
      if (!ParamTy->isReferenceType() ||
          ParamTy->getPointeeType().isConstQualified()287)
        continue;

      // In case of member operator calls, `this` is counted as an
      // argument but not as a parameter.
      bool isaMemberOpCall = isa<CXXMemberOperatorCall>(FC);
      unsigned ArgI = isaMemberOpCall ? I+10 : I;

      SVal Arg = FC->getArgSVal(ArgI);
      const auto *ArgRegion =
          dyn_cast_or_null<TypedValueRegion>(Arg.getAsRegion());
      if (!ArgRegion)
        continue;

      // std::addressof functions accepts a non-const reference as an argument,
      // but doesn't modify it.
      if (matchesAny(Call, AddressofFn, AddressofFn_))
        continue;

      markPtrSymbolsReleased(Call, State, ArgRegion, C);
    }
  }
}

// [string.require]
//
// "References, pointers, and iterators referring to the elements of a
// basic_string sequence may be invalidated by the following uses of that
// basic_string object:
//
// -- As an argument to any standard library function taking a reference
// to non-const basic_string as an argument. For example, as an argument to
// non-member functions swap(), operator>>(), and getline(), or as an argument
// to basic_string::swap().
//
// -- Calling non-const member functions, except operator[], at, front, back,
// begin, rbegin, end, and rend."

void InnerPointerChecker::checkPostCall(const CallEvent &Call,
                                        CheckerContext &C) const {
  ProgramStateRef State = C.getState();

  // TODO: Do we need these to be typed?
  const TypedValueRegion *ObjRegion = nullptr;

  if (const auto *ICall = dyn_cast<CXXInstanceCall>(&Call)) {
    ObjRegion = dyn_cast_or_null<TypedValueRegion>(
        ICall->getCXXThisVal().getAsRegion());

    // Check [string.require] / second point.
    if (isInvalidatingMemberFunction(Call)) {
      markPtrSymbolsReleased(Call, State, ObjRegion, C);
      return;
    }
  }

  if (isInnerPointerAccessFunction(Call)) {

    if (isa<SimpleFunctionCall>(Call)) {
      // NOTE: As of now, we only have one free access function: std::data.
      //       If we add more functions like this in the list, hardcoded
      //       argument index should be changed.
      ObjRegion =
          dyn_cast_or_null<TypedValueRegion>(Call.getArgSVal(0).getAsRegion());
    }

    if (!ObjRegion)
      return;

    SVal RawPtr = Call.getReturnValue();
    if (SymbolRef Sym = RawPtr.getAsSymbol(/*IncludeBaseRegions=*/true)) {
      // Start tracking this raw pointer by adding it to the set of symbols
      // associated with this container object in the program state map.

      PtrSet::Factory &F = State->getStateManager().get_context<PtrSet>();
      const PtrSet *SetPtr = State->get<RawPtrMap>(ObjRegion);
      PtrSet Set = SetPtr ? *SetPtr5 : F.getEmptySet()41;
      assert(C.wasInlined || !Set.contains(Sym));
      Set = F.add(Set, Sym);

      State = State->set<RawPtrMap>(ObjRegion, Set);
      C.addTransition(State);
    }

    return;
  }

  // Check [string.require] / first point.
  checkFunctionArguments(Call, State, C);
}

void InnerPointerChecker::checkDeadSymbols(SymbolReaper &SymReaper,
                                           CheckerContext &C) const {
  ProgramStateRef State = C.getState();
  PtrSet::Factory &F = State->getStateManager().get_context<PtrSet>();
  RawPtrMapTy RPM = State->get<RawPtrMap>();
  for (const auto &Entry : RPM) {
    if (!SymReaper.isLiveRegion(Entry.first)) {
      // Due to incomplete destructor support, some dead regions might
      // remain in the program state map. Clean them up.
      State = State->remove<RawPtrMap>(Entry.first);
    }
    if (const PtrSet *OldSet = State->get<RawPtrMap>(Entry.first)) {
      PtrSet CleanedUpSet = *OldSet;
      for (const auto Symbol : Entry.second) {
        if (!SymReaper.isLive(Symbol))
          CleanedUpSet = F.remove(CleanedUpSet, Symbol);
      }
      State = CleanedUpSet.isEmpty()
                  ? State->remove<RawPtrMap>(Entry.first)9
                  : State->set<RawPtrMap>(Entry.first, CleanedUpSet)98;
    }
  }
  C.addTransition(State);
}

namespace clang {
namespace ento {
namespace allocation_state {

std::unique_ptr<BugReporterVisitor> getInnerPointerBRVisitor(SymbolRef Sym) {
  return std::make_unique<InnerPointerChecker::InnerPointerBRVisitor>(Sym);
}

const MemRegion *getContainerObjRegion(ProgramStateRef State, SymbolRef Sym) {
  RawPtrMapTy Map = State->get<RawPtrMap>();
  for (const auto &Entry : Map) {
    if (Entry.second.contains(Sym)) {
      return Entry.first;
    }
  }
  return nullptr;
}

} // end namespace allocation_state
} // end namespace ento
} // end namespace clang

PathDiagnosticPieceRef InnerPointerChecker::InnerPointerBRVisitor::VisitNode(
    const ExplodedNode *N, BugReporterContext &BRC, PathSensitiveBugReport &) {
  if (!isSymbolTracked(N->getState(), PtrToBuf) ||
      isSymbolTracked(N->getFirstPred()->getState(), PtrToBuf)510)
    return nullptr;

  const Stmt *S = N->getStmtForDiagnostics();
  if (!S)
    return nullptr;

  const MemRegion *ObjRegion =
      allocation_state::getContainerObjRegion(N->getState(), PtrToBuf);
  const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion);
  QualType ObjTy = TypedRegion->getValueType();

  SmallString<256> Buf;
  llvm::raw_svector_ostream OS(Buf);
  OS << "Pointer to inner buffer of '" << ObjTy << "' obtained here";
  PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
                             N->getLocationContext());
  return std::make_shared<PathDiagnosticEventPiece>(Pos, OS.str(), true);
}

void ento::registerInnerPointerChecker(CheckerManager &Mgr) {
  registerInnerPointerCheckerAux(Mgr);
  Mgr.registerChecker<InnerPointerChecker>();
}

bool ento::shouldRegisterInnerPointerChecker(const CheckerManager &mgr) {
  return true;
}

Coverage Report

Created: 2023-09-21 18:56

Line	Count	Source (jump to first uncovered line)
1		//=== InnerPointerChecker.cpp -------------------------------------- C++ ---//
2		//
3		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4		// See https://llvm.org/LICENSE.txt for license information.
5		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6		//
7		//===----------------------------------------------------------------------===//
8		//
9		// This file defines a check that marks a raw pointer to a C++ container's
10		// inner buffer released when the object is destroyed. This information can
11		// be used by MallocChecker to detect use-after-free problems.
12		//
13		//===----------------------------------------------------------------------===//
14
15		#include "AllocationState.h"
16		#include "InterCheckerAPI.h"
17		#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
18		#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
19		#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
20		#include "clang/StaticAnalyzer/Core/Checker.h"
21		#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
22		#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
23		#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
24
25		using namespace clang;
26		using namespace ento;
27
28		// Associate container objects with a set of raw pointer symbols.
29		REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(PtrSet, SymbolRef)
30		REGISTER_MAP_WITH_PROGRAMSTATE(RawPtrMap, const MemRegion *, PtrSet)
31
32
33		namespace {
34
35		class InnerPointerChecker
36		: public Checker<check::DeadSymbols, check::PostCall> {
37
38		CallDescription AppendFn, AssignFn, AddressofFn, AddressofFn_, ClearFn,
39		CStrFn, DataFn, DataMemberFn, EraseFn, InsertFn, PopBackFn, PushBackFn,
40		ReplaceFn, ReserveFn, ResizeFn, ShrinkToFitFn, SwapFn;
41
42		public:
43		class InnerPointerBRVisitor : public BugReporterVisitor {
44		SymbolRef PtrToBuf;
45
46		public:
47	31	InnerPointerBRVisitor(SymbolRef Sym) : PtrToBuf(Sym) {}
48
49	31	static void *getTag() {
50	31	static int Tag = 0;
51	31	return &Tag;
52	31	}
53
54	31	void Profile(llvm::FoldingSetNodeID &ID) const override {
55	31	ID.AddPointer(getTag());
56	31	}
57
58		PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
59		BugReporterContext &BRC,
60		PathSensitiveBugReport &BR) override;
61
62		// FIXME: Scan the map once in the visitor's constructor and do a direct
63		// lookup by region.
64	2.14k	bool isSymbolTracked(ProgramStateRef State, SymbolRef Sym) {
65	2.14k	RawPtrMapTy Map = State->get<RawPtrMap>();
66	2.14k	for (const auto &Entry : Map) {
67	1.12k	if (Entry.second.contains(Sym))
68	989	return true;
69	1.12k	}
70	1.15k	return false;
71	2.14k	}
72		};
73
74		InnerPointerChecker()
75	66	: AppendFn({"std", "basic_string", "append"}),
76	66	AssignFn({"std", "basic_string", "assign"}),
77	66	AddressofFn({"std", "addressof"}), AddressofFn_({"std", "__addressof"}),
78	66	ClearFn({"std", "basic_string", "clear"}),
79	66	CStrFn({"std", "basic_string", "c_str"}), DataFn({"std", "data"}, 1),
80	66	DataMemberFn({"std", "basic_string", "data"}),
81	66	EraseFn({"std", "basic_string", "erase"}),
82	66	InsertFn({"std", "basic_string", "insert"}),
83	66	PopBackFn({"std", "basic_string", "pop_back"}),
84	66	PushBackFn({"std", "basic_string", "push_back"}),
85	66	ReplaceFn({"std", "basic_string", "replace"}),
86	66	ReserveFn({"std", "basic_string", "reserve"}),
87	66	ResizeFn({"std", "basic_string", "resize"}),
88	66	ShrinkToFitFn({"std", "basic_string", "shrink_to_fit"}),
89	66	SwapFn({"std", "basic_string", "swap"}) {}
90
91		/// Check whether the called member function potentially invalidates
92		/// pointers referring to the container object's inner buffer.
93		bool isInvalidatingMemberFunction(const CallEvent &Call) const;
94
95		/// Check whether the called function returns a raw inner pointer.
96		bool isInnerPointerAccessFunction(const CallEvent &Call) const;
97
98		/// Mark pointer symbols associated with the given memory region released
99		/// in the program state.
100		void markPtrSymbolsReleased(const CallEvent &Call, ProgramStateRef State,
101		const MemRegion *ObjRegion,
102		CheckerContext &C) const;
103
104		/// Standard library functions that take a non-const `basic_string` argument by
105		/// reference may invalidate its inner pointers. Check for these cases and
106		/// mark the pointers released.
107		void checkFunctionArguments(const CallEvent &Call, ProgramStateRef State,
108		CheckerContext &C) const;
109
110		/// Record the connection between raw pointers referring to a container
111		/// object's inner buffer and the object's memory region in the program state.
112		/// Mark potentially invalidated pointers released.
113		void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
114
115		/// Clean up the program state map.
116		void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
117		};
118
119		} // end anonymous namespace
120
121		bool InnerPointerChecker::isInvalidatingMemberFunction(
122	5.35k	const CallEvent &Call) const {
123	5.35k	if (const auto *MemOpCall = dyn_cast<CXXMemberOperatorCall>(&Call)) {
124	1.33k	OverloadedOperatorKind Opc = MemOpCall->getOriginExpr()->getOperator();
125	1.33k	if (Opc == OO_Equal \|\| Opc == OO_PlusEqual1.27k )
126	218	return true;
127	1.11k	return false;
128	1.33k	}
129	4.01k	return isa<CXXDestructorCall>(Call) \|\|
130	4.01k	matchesAny(Call, AppendFn, AssignFn, ClearFn, EraseFn, InsertFn,
131	3.60k	PopBackFn, PushBackFn, ReplaceFn, ReserveFn, ResizeFn,
132	3.60k	ShrinkToFitFn, SwapFn);
133	5.35k	}
134
135		bool InnerPointerChecker::isInnerPointerAccessFunction(
136	32.1k	const CallEvent &Call) const {
137	32.1k	return matchesAny(Call, CStrFn, DataFn, DataMemberFn);
138	32.1k	}
139
140		void InnerPointerChecker::markPtrSymbolsReleased(const CallEvent &Call,
141		ProgramStateRef State,
142		const MemRegion *MR,
143	833	CheckerContext &C) const {
144	833	if (const PtrSet *PS = State->get<RawPtrMap>(MR)) {
145	36	const Expr *Origin = Call.getOriginExpr();
146	40	for (const auto Symbol : *PS) {
147		// NOTE: `Origin` may be null, and will be stored so in the symbol's
148		// `RefState` in MallocChecker's `RegionState` program state map.
149	40	State = allocation_state::markReleased(State, Symbol, Origin);
150	40	}
151	36	State = State->remove<RawPtrMap>(MR);
152	36	C.addTransition(State);
153	36	return;
154	36	}
155	833	}
156
157		void InnerPointerChecker::checkFunctionArguments(const CallEvent &Call,
158		ProgramStateRef State,
159	32.1k	CheckerContext &C) const {
160	32.1k	if (const auto *FC = dyn_cast<AnyFunctionCall>(&Call)) {
161	32.1k	const FunctionDecl *FD = FC->getDecl();
162	32.1k	if (!FD \|\| !FD->isInStdNamespace()32.1k )
163	31.6k	return;
164
165	1.52k	for (unsigned I = 0, E = FD->getNumParams(); 431 I != E; ++I1.09k ) {
166	1.09k	QualType ParamTy = FD->getParamDecl(I)->getType();
167	1.09k	if (!ParamTy->isReferenceType() \|\|
168	1.09k	ParamTy->getPointeeType().isConstQualified()287 )
169	881	continue;
170
171		// In case of member operator calls, `this` is counted as an
172		// argument but not as a parameter.
173	212	bool isaMemberOpCall = isa<CXXMemberOperatorCall>(FC);
174	212	unsigned ArgI = isaMemberOpCall ? I+10 : I;
175
176	212	SVal Arg = FC->getArgSVal(ArgI);
177	212	const auto *ArgRegion =
178	212	dyn_cast_or_null<TypedValueRegion>(Arg.getAsRegion());
179	212	if (!ArgRegion)
180	27	continue;
181
182		// std::addressof functions accepts a non-const reference as an argument,
183		// but doesn't modify it.
184	185	if (matchesAny(Call, AddressofFn, AddressofFn_))
185	2	continue;
186
187	183	markPtrSymbolsReleased(Call, State, ArgRegion, C);
188	183	}
189	431	}
190	32.1k	}
191
192		// [string.require]
193		//
194		// "References, pointers, and iterators referring to the elements of a
195		// basic_string sequence may be invalidated by the following uses of that
196		// basic_string object:
197		//
198		// -- As an argument to any standard library function taking a reference
199		// to non-const basic_string as an argument. For example, as an argument to
200		// non-member functions swap(), operator>>(), and getline(), or as an argument
201		// to basic_string::swap().
202		//
203		// -- Calling non-const member functions, except operator[], at, front, back,
204		// begin, rbegin, end, and rend."
205
206		void InnerPointerChecker::checkPostCall(const CallEvent &Call,
207	32.8k	CheckerContext &C) const {
208	32.8k	ProgramStateRef State = C.getState();
209
210		// TODO: Do we need these to be typed?
211	32.8k	const TypedValueRegion *ObjRegion = nullptr;
212
213	32.8k	if (const auto *ICall = dyn_cast<CXXInstanceCall>(&Call)) {
214	5.35k	ObjRegion = dyn_cast_or_null<TypedValueRegion>(
215	5.35k	ICall->getCXXThisVal().getAsRegion());
216
217		// Check [string.require] / second point.
218	5.35k	if (isInvalidatingMemberFunction(Call)) {
219	650	markPtrSymbolsReleased(Call, State, ObjRegion, C);
220	650	return;
221	650	}
222	5.35k	}
223
224	32.1k	if (isInnerPointerAccessFunction(Call)) {
225
226	47	if (isa<SimpleFunctionCall>(Call)) {
227		// NOTE: As of now, we only have one free access function: std::data.
228		// If we add more functions like this in the list, hardcoded
229		// argument index should be changed.
230	2	ObjRegion =
231	2	dyn_cast_or_null<TypedValueRegion>(Call.getArgSVal(0).getAsRegion());
232	2	}
233
234	47	if (!ObjRegion)
235	1	return;
236
237	46	SVal RawPtr = Call.getReturnValue();
238	46	if (SymbolRef Sym = RawPtr.getAsSymbol(/IncludeBaseRegions=/true)) {
239		// Start tracking this raw pointer by adding it to the set of symbols
240		// associated with this container object in the program state map.
241
242	46	PtrSet::Factory &F = State->getStateManager().get_context<PtrSet>();
243	46	const PtrSet *SetPtr = State->get<RawPtrMap>(ObjRegion);
244	46	PtrSet Set = SetPtr ? *SetPtr5 : F.getEmptySet()41 ;
245	46	assert(C.wasInlined \|\| !Set.contains(Sym));
246	46	Set = F.add(Set, Sym);
247
248	46	State = State->set<RawPtrMap>(ObjRegion, Set);
249	46	C.addTransition(State);
250	46	}
251
252	46	return;
253	46	}
254
255		// Check [string.require] / first point.
256	32.1k	checkFunctionArguments(Call, State, C);
257	32.1k	}
258
259		void InnerPointerChecker::checkDeadSymbols(SymbolReaper &SymReaper,
260	97.0k	CheckerContext &C) const {
261	97.0k	ProgramStateRef State = C.getState();
262	97.0k	PtrSet::Factory &F = State->getStateManager().get_context<PtrSet>();
263	97.0k	RawPtrMapTy RPM = State->get<RawPtrMap>();
264	97.0k	for (const auto &Entry : RPM) {
265	107	if (!SymReaper.isLiveRegion(Entry.first)) {
266		// Due to incomplete destructor support, some dead regions might
267		// remain in the program state map. Clean them up.
268	0	State = State->remove<RawPtrMap>(Entry.first);
269	0	}
270	107	if (const PtrSet *OldSet = State->get<RawPtrMap>(Entry.first)) {
271	107	PtrSet CleanedUpSet = *OldSet;
272	118	for (const auto Symbol : Entry.second) {
273	118	if (!SymReaper.isLive(Symbol))
274	11	CleanedUpSet = F.remove(CleanedUpSet, Symbol);
275	118	}
276	107	State = CleanedUpSet.isEmpty()
277	107	? State->remove<RawPtrMap>(Entry.first)9
278	107	: State->set<RawPtrMap>(Entry.first, CleanedUpSet)98 ;
279	107	}
280	107	}
281	97.0k	C.addTransition(State);
282	97.0k	}
283
284		namespace clang {
285		namespace ento {
286		namespace allocation_state {
287
288	31	std::unique_ptr<BugReporterVisitor> getInnerPointerBRVisitor(SymbolRef Sym) {
289	31	return std::make_unique<InnerPointerChecker::InnerPointerBRVisitor>(Sym);
290	31	}
291
292	62	const MemRegion *getContainerObjRegion(ProgramStateRef State, SymbolRef Sym) {
293	62	RawPtrMapTy Map = State->get<RawPtrMap>();
294	62	for (const auto &Entry : Map) {
295	62	if (Entry.second.contains(Sym)) {
296	62	return Entry.first;
297	62	}
298	62	}
299	0	return nullptr;
300	62	}
301
302		} // end namespace allocation_state
303		} // end namespace ento
304		} // end namespace clang
305
306		PathDiagnosticPieceRef InnerPointerChecker::InnerPointerBRVisitor::VisitNode(
307	1.63k	const ExplodedNode *N, BugReporterContext &BRC, PathSensitiveBugReport &) {
308	1.63k	if (!isSymbolTracked(N->getState(), PtrToBuf) \|\|
309	1.63k	isSymbolTracked(N->getFirstPred()->getState(), PtrToBuf)510 )
310	1.60k	return nullptr;
311
312	31	const Stmt *S = N->getStmtForDiagnostics();
313	31	if (!S)
314	0	return nullptr;
315
316	31	const MemRegion *ObjRegion =
317	31	allocation_state::getContainerObjRegion(N->getState(), PtrToBuf);
318	31	const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion);
319	31	QualType ObjTy = TypedRegion->getValueType();
320
321	31	SmallString<256> Buf;
322	31	llvm::raw_svector_ostream OS(Buf);
323	31	OS << "Pointer to inner buffer of '" << ObjTy << "' obtained here";
324	31	PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
325	31	N->getLocationContext());
326	31	return std::make_shared<PathDiagnosticEventPiece>(Pos, OS.str(), true);
327	31	}
328
329	66	void ento::registerInnerPointerChecker(CheckerManager &Mgr) {
330	66	registerInnerPointerCheckerAux(Mgr);
331	66	Mgr.registerChecker<InnerPointerChecker>();
332	66	}
333
334	132	bool ento::shouldRegisterInnerPointerChecker(const CheckerManager &mgr) {
335	132	return true;
336	132	}