1 //===- ExprEngine.cpp - Path-Sensitive Expression-Level Dataflow ----------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file defines a meta-engine for path-sensitive dataflow analysis that 10 // is built on GREngine, but provides the boilerplate to execute transfer 11 // functions and build the ExplodedGraph at the expression level. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 16 #include "PrettyStackTraceLocationContext.h" 17 #include "clang/AST/ASTContext.h" 18 #include "clang/AST/Decl.h" 19 #include "clang/AST/DeclBase.h" 20 #include "clang/AST/DeclCXX.h" 21 #include "clang/AST/DeclObjC.h" 22 #include "clang/AST/Expr.h" 23 #include "clang/AST/ExprCXX.h" 24 #include "clang/AST/ExprObjC.h" 25 #include "clang/AST/ParentMap.h" 26 #include "clang/AST/PrettyPrinter.h" 27 #include "clang/AST/Stmt.h" 28 #include "clang/AST/StmtCXX.h" 29 #include "clang/AST/StmtObjC.h" 30 #include "clang/AST/Type.h" 31 #include "clang/Analysis/AnalysisDeclContext.h" 32 #include "clang/Analysis/CFG.h" 33 #include "clang/Analysis/ConstructionContext.h" 34 #include "clang/Analysis/ProgramPoint.h" 35 #include "clang/Basic/IdentifierTable.h" 36 #include "clang/Basic/JsonSupport.h" 37 #include "clang/Basic/LLVM.h" 38 #include "clang/Basic/LangOptions.h" 39 #include "clang/Basic/PrettyStackTrace.h" 40 #include "clang/Basic/SourceLocation.h" 41 #include "clang/Basic/SourceManager.h" 42 #include "clang/Basic/Specifiers.h" 43 #include "clang/StaticAnalyzer/Core/AnalyzerOptions.h" 44 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 45 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 46 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 47 #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" 48 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 49 #include "clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h" 50 #include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h" 51 #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h" 52 #include "clang/StaticAnalyzer/Core/PathSensitive/LoopUnrolling.h" 53 #include "clang/StaticAnalyzer/Core/PathSensitive/LoopWidening.h" 54 #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" 55 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 56 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 57 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" 58 #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" 59 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 60 #include "clang/StaticAnalyzer/Core/PathSensitive/Store.h" 61 #include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h" 62 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 63 #include "llvm/ADT/APSInt.h" 64 #include "llvm/ADT/DenseMap.h" 65 #include "llvm/ADT/ImmutableMap.h" 66 #include "llvm/ADT/ImmutableSet.h" 67 #include "llvm/ADT/Optional.h" 68 #include "llvm/ADT/SmallVector.h" 69 #include "llvm/ADT/Statistic.h" 70 #include "llvm/Support/Casting.h" 71 #include "llvm/Support/Compiler.h" 72 #include "llvm/Support/DOTGraphTraits.h" 73 #include "llvm/Support/ErrorHandling.h" 74 #include "llvm/Support/GraphWriter.h" 75 #include "llvm/Support/SaveAndRestore.h" 76 #include "llvm/Support/raw_ostream.h" 77 #include <cassert> 78 #include <cstdint> 79 #include <memory> 80 #include <string> 81 #include <tuple> 82 #include <utility> 83 #include <vector> 84 85 using namespace clang; 86 using namespace ento; 87 88 #define DEBUG_TYPE "ExprEngine" 89 90 STATISTIC(NumRemoveDeadBindings, 91 "The # of times RemoveDeadBindings is called"); 92 STATISTIC(NumMaxBlockCountReached, 93 "The # of aborted paths due to reaching the maximum block count in " 94 "a top level function"); 95 STATISTIC(NumMaxBlockCountReachedInInlined, 96 "The # of aborted paths due to reaching the maximum block count in " 97 "an inlined function"); 98 STATISTIC(NumTimesRetriedWithoutInlining, 99 "The # of times we re-evaluated a call without inlining"); 100 101 //===----------------------------------------------------------------------===// 102 // Internal program state traits. 103 //===----------------------------------------------------------------------===// 104 105 namespace { 106 107 // When modeling a C++ constructor, for a variety of reasons we need to track 108 // the location of the object for the duration of its ConstructionContext. 109 // ObjectsUnderConstruction maps statements within the construction context 110 // to the object's location, so that on every such statement the location 111 // could have been retrieved. 112 113 /// ConstructedObjectKey is used for being able to find the path-sensitive 114 /// memory region of a freshly constructed object while modeling the AST node 115 /// that syntactically represents the object that is being constructed. 116 /// Semantics of such nodes may sometimes require access to the region that's 117 /// not otherwise present in the program state, or to the very fact that 118 /// the construction context was present and contained references to these 119 /// AST nodes. 120 class ConstructedObjectKey { 121 typedef std::pair<ConstructionContextItem, const LocationContext *> 122 ConstructedObjectKeyImpl; 123 124 const ConstructedObjectKeyImpl Impl; 125 126 const void *getAnyASTNodePtr() const { 127 if (const Stmt *S = getItem().getStmtOrNull()) 128 return S; 129 else 130 return getItem().getCXXCtorInitializer(); 131 } 132 133 public: 134 explicit ConstructedObjectKey(const ConstructionContextItem &Item, 135 const LocationContext *LC) 136 : Impl(Item, LC) {} 137 138 const ConstructionContextItem &getItem() const { return Impl.first; } 139 const LocationContext *getLocationContext() const { return Impl.second; } 140 141 ASTContext &getASTContext() const { 142 return getLocationContext()->getDecl()->getASTContext(); 143 } 144 145 void printJson(llvm::raw_ostream &Out, PrinterHelper *Helper, 146 PrintingPolicy &PP) const { 147 const Stmt *S = getItem().getStmtOrNull(); 148 const CXXCtorInitializer *I = nullptr; 149 if (!S) 150 I = getItem().getCXXCtorInitializer(); 151 152 if (S) 153 Out << "\"stmt_id\": " << S->getID(getASTContext()); 154 else 155 Out << "\"init_id\": " << I->getID(getASTContext()); 156 157 // Kind 158 Out << ", \"kind\": \"" << getItem().getKindAsString() 159 << "\", \"argument_index\": "; 160 161 if (getItem().getKind() == ConstructionContextItem::ArgumentKind) 162 Out << getItem().getIndex(); 163 else 164 Out << "null"; 165 166 // Pretty-print 167 Out << ", \"pretty\": "; 168 169 if (S) { 170 S->printJson(Out, Helper, PP, /*AddQuotes=*/true); 171 } else { 172 Out << '\"' << I->getAnyMember()->getDeclName() << '\"'; 173 } 174 } 175 176 void Profile(llvm::FoldingSetNodeID &ID) const { 177 ID.Add(Impl.first); 178 ID.AddPointer(Impl.second); 179 } 180 181 bool operator==(const ConstructedObjectKey &RHS) const { 182 return Impl == RHS.Impl; 183 } 184 185 bool operator<(const ConstructedObjectKey &RHS) const { 186 return Impl < RHS.Impl; 187 } 188 }; 189 } // namespace 190 191 typedef llvm::ImmutableMap<ConstructedObjectKey, SVal> 192 ObjectsUnderConstructionMap; 193 REGISTER_TRAIT_WITH_PROGRAMSTATE(ObjectsUnderConstruction, 194 ObjectsUnderConstructionMap) 195 196 //===----------------------------------------------------------------------===// 197 // Engine construction and deletion. 198 //===----------------------------------------------------------------------===// 199 200 static const char* TagProviderName = "ExprEngine"; 201 202 ExprEngine::ExprEngine(cross_tu::CrossTranslationUnitContext &CTU, 203 AnalysisManager &mgr, 204 SetOfConstDecls *VisitedCalleesIn, 205 FunctionSummariesTy *FS, 206 InliningModes HowToInlineIn) 207 : CTU(CTU), AMgr(mgr), 208 AnalysisDeclContexts(mgr.getAnalysisDeclContextManager()), 209 Engine(*this, FS, mgr.getAnalyzerOptions()), G(Engine.getGraph()), 210 StateMgr(getContext(), mgr.getStoreManagerCreator(), 211 mgr.getConstraintManagerCreator(), G.getAllocator(), 212 this), 213 SymMgr(StateMgr.getSymbolManager()), 214 MRMgr(StateMgr.getRegionManager()), 215 svalBuilder(StateMgr.getSValBuilder()), 216 ObjCNoRet(mgr.getASTContext()), 217 BR(mgr, *this), 218 VisitedCallees(VisitedCalleesIn), 219 HowToInline(HowToInlineIn) 220 { 221 unsigned TrimInterval = mgr.options.GraphTrimInterval; 222 if (TrimInterval != 0) { 223 // Enable eager node reclamation when constructing the ExplodedGraph. 224 G.enableNodeReclamation(TrimInterval); 225 } 226 } 227 228 //===----------------------------------------------------------------------===// 229 // Utility methods. 230 //===----------------------------------------------------------------------===// 231 232 ProgramStateRef ExprEngine::getInitialState(const LocationContext *InitLoc) { 233 ProgramStateRef state = StateMgr.getInitialState(InitLoc); 234 const Decl *D = InitLoc->getDecl(); 235 236 // Preconditions. 237 // FIXME: It would be nice if we had a more general mechanism to add 238 // such preconditions. Some day. 239 do { 240 if (const auto *FD = dyn_cast<FunctionDecl>(D)) { 241 // Precondition: the first argument of 'main' is an integer guaranteed 242 // to be > 0. 243 const IdentifierInfo *II = FD->getIdentifier(); 244 if (!II || !(II->getName() == "main" && FD->getNumParams() > 0)) 245 break; 246 247 const ParmVarDecl *PD = FD->getParamDecl(0); 248 QualType T = PD->getType(); 249 const auto *BT = dyn_cast<BuiltinType>(T); 250 if (!BT || !BT->isInteger()) 251 break; 252 253 const MemRegion *R = state->getRegion(PD, InitLoc); 254 if (!R) 255 break; 256 257 SVal V = state->getSVal(loc::MemRegionVal(R)); 258 SVal Constraint_untested = evalBinOp(state, BO_GT, V, 259 svalBuilder.makeZeroVal(T), 260 svalBuilder.getConditionType()); 261 262 Optional<DefinedOrUnknownSVal> Constraint = 263 Constraint_untested.getAs<DefinedOrUnknownSVal>(); 264 265 if (!Constraint) 266 break; 267 268 if (ProgramStateRef newState = state->assume(*Constraint, true)) 269 state = newState; 270 } 271 break; 272 } 273 while (false); 274 275 if (const auto *MD = dyn_cast<ObjCMethodDecl>(D)) { 276 // Precondition: 'self' is always non-null upon entry to an Objective-C 277 // method. 278 const ImplicitParamDecl *SelfD = MD->getSelfDecl(); 279 const MemRegion *R = state->getRegion(SelfD, InitLoc); 280 SVal V = state->getSVal(loc::MemRegionVal(R)); 281 282 if (Optional<Loc> LV = V.getAs<Loc>()) { 283 // Assume that the pointer value in 'self' is non-null. 284 state = state->assume(*LV, true); 285 assert(state && "'self' cannot be null"); 286 } 287 } 288 289 if (const auto *MD = dyn_cast<CXXMethodDecl>(D)) { 290 if (!MD->isStatic()) { 291 // Precondition: 'this' is always non-null upon entry to the 292 // top-level function. This is our starting assumption for 293 // analyzing an "open" program. 294 const StackFrameContext *SFC = InitLoc->getStackFrame(); 295 if (SFC->getParent() == nullptr) { 296 loc::MemRegionVal L = svalBuilder.getCXXThis(MD, SFC); 297 SVal V = state->getSVal(L); 298 if (Optional<Loc> LV = V.getAs<Loc>()) { 299 state = state->assume(*LV, true); 300 assert(state && "'this' cannot be null"); 301 } 302 } 303 } 304 } 305 306 return state; 307 } 308 309 ProgramStateRef ExprEngine::createTemporaryRegionIfNeeded( 310 ProgramStateRef State, const LocationContext *LC, 311 const Expr *InitWithAdjustments, const Expr *Result, 312 const SubRegion **OutRegionWithAdjustments) { 313 // FIXME: This function is a hack that works around the quirky AST 314 // we're often having with respect to C++ temporaries. If only we modelled 315 // the actual execution order of statements properly in the CFG, 316 // all the hassle with adjustments would not be necessary, 317 // and perhaps the whole function would be removed. 318 SVal InitValWithAdjustments = State->getSVal(InitWithAdjustments, LC); 319 if (!Result) { 320 // If we don't have an explicit result expression, we're in "if needed" 321 // mode. Only create a region if the current value is a NonLoc. 322 if (!InitValWithAdjustments.getAs<NonLoc>()) { 323 if (OutRegionWithAdjustments) 324 *OutRegionWithAdjustments = nullptr; 325 return State; 326 } 327 Result = InitWithAdjustments; 328 } else { 329 // We need to create a region no matter what. For sanity, make sure we don't 330 // try to stuff a Loc into a non-pointer temporary region. 331 assert(!InitValWithAdjustments.getAs<Loc>() || 332 Loc::isLocType(Result->getType()) || 333 Result->getType()->isMemberPointerType()); 334 } 335 336 ProgramStateManager &StateMgr = State->getStateManager(); 337 MemRegionManager &MRMgr = StateMgr.getRegionManager(); 338 StoreManager &StoreMgr = StateMgr.getStoreManager(); 339 340 // MaterializeTemporaryExpr may appear out of place, after a few field and 341 // base-class accesses have been made to the object, even though semantically 342 // it is the whole object that gets materialized and lifetime-extended. 343 // 344 // For example: 345 // 346 // `-MaterializeTemporaryExpr 347 // `-MemberExpr 348 // `-CXXTemporaryObjectExpr 349 // 350 // instead of the more natural 351 // 352 // `-MemberExpr 353 // `-MaterializeTemporaryExpr 354 // `-CXXTemporaryObjectExpr 355 // 356 // Use the usual methods for obtaining the expression of the base object, 357 // and record the adjustments that we need to make to obtain the sub-object 358 // that the whole expression 'Ex' refers to. This trick is usual, 359 // in the sense that CodeGen takes a similar route. 360 361 SmallVector<const Expr *, 2> CommaLHSs; 362 SmallVector<SubobjectAdjustment, 2> Adjustments; 363 364 const Expr *Init = InitWithAdjustments->skipRValueSubobjectAdjustments( 365 CommaLHSs, Adjustments); 366 367 // Take the region for Init, i.e. for the whole object. If we do not remember 368 // the region in which the object originally was constructed, come up with 369 // a new temporary region out of thin air and copy the contents of the object 370 // (which are currently present in the Environment, because Init is an rvalue) 371 // into that region. This is not correct, but it is better than nothing. 372 const TypedValueRegion *TR = nullptr; 373 if (const auto *MT = dyn_cast<MaterializeTemporaryExpr>(Result)) { 374 if (Optional<SVal> V = getObjectUnderConstruction(State, MT, LC)) { 375 State = finishObjectConstruction(State, MT, LC); 376 State = State->BindExpr(Result, LC, *V); 377 return State; 378 } else { 379 StorageDuration SD = MT->getStorageDuration(); 380 // If this object is bound to a reference with static storage duration, we 381 // put it in a different region to prevent "address leakage" warnings. 382 if (SD == SD_Static || SD == SD_Thread) { 383 TR = MRMgr.getCXXStaticTempObjectRegion(Init); 384 } else { 385 TR = MRMgr.getCXXTempObjectRegion(Init, LC); 386 } 387 } 388 } else { 389 TR = MRMgr.getCXXTempObjectRegion(Init, LC); 390 } 391 392 SVal Reg = loc::MemRegionVal(TR); 393 SVal BaseReg = Reg; 394 395 // Make the necessary adjustments to obtain the sub-object. 396 for (auto I = Adjustments.rbegin(), E = Adjustments.rend(); I != E; ++I) { 397 const SubobjectAdjustment &Adj = *I; 398 switch (Adj.Kind) { 399 case SubobjectAdjustment::DerivedToBaseAdjustment: 400 Reg = StoreMgr.evalDerivedToBase(Reg, Adj.DerivedToBase.BasePath); 401 break; 402 case SubobjectAdjustment::FieldAdjustment: 403 Reg = StoreMgr.getLValueField(Adj.Field, Reg); 404 break; 405 case SubobjectAdjustment::MemberPointerAdjustment: 406 // FIXME: Unimplemented. 407 State = State->invalidateRegions(Reg, InitWithAdjustments, 408 currBldrCtx->blockCount(), LC, true, 409 nullptr, nullptr, nullptr); 410 return State; 411 } 412 } 413 414 // What remains is to copy the value of the object to the new region. 415 // FIXME: In other words, what we should always do is copy value of the 416 // Init expression (which corresponds to the bigger object) to the whole 417 // temporary region TR. However, this value is often no longer present 418 // in the Environment. If it has disappeared, we instead invalidate TR. 419 // Still, what we can do is assign the value of expression Ex (which 420 // corresponds to the sub-object) to the TR's sub-region Reg. At least, 421 // values inside Reg would be correct. 422 SVal InitVal = State->getSVal(Init, LC); 423 if (InitVal.isUnknown()) { 424 InitVal = getSValBuilder().conjureSymbolVal(Result, LC, Init->getType(), 425 currBldrCtx->blockCount()); 426 State = State->bindLoc(BaseReg.castAs<Loc>(), InitVal, LC, false); 427 428 // Then we'd need to take the value that certainly exists and bind it 429 // over. 430 if (InitValWithAdjustments.isUnknown()) { 431 // Try to recover some path sensitivity in case we couldn't 432 // compute the value. 433 InitValWithAdjustments = getSValBuilder().conjureSymbolVal( 434 Result, LC, InitWithAdjustments->getType(), 435 currBldrCtx->blockCount()); 436 } 437 State = 438 State->bindLoc(Reg.castAs<Loc>(), InitValWithAdjustments, LC, false); 439 } else { 440 State = State->bindLoc(BaseReg.castAs<Loc>(), InitVal, LC, false); 441 } 442 443 // The result expression would now point to the correct sub-region of the 444 // newly created temporary region. Do this last in order to getSVal of Init 445 // correctly in case (Result == Init). 446 if (Result->isGLValue()) { 447 State = State->BindExpr(Result, LC, Reg); 448 } else { 449 State = State->BindExpr(Result, LC, InitValWithAdjustments); 450 } 451 452 // Notify checkers once for two bindLoc()s. 453 State = processRegionChange(State, TR, LC); 454 455 if (OutRegionWithAdjustments) 456 *OutRegionWithAdjustments = cast<SubRegion>(Reg.getAsRegion()); 457 return State; 458 } 459 460 ProgramStateRef 461 ExprEngine::addObjectUnderConstruction(ProgramStateRef State, 462 const ConstructionContextItem &Item, 463 const LocationContext *LC, SVal V) { 464 ConstructedObjectKey Key(Item, LC->getStackFrame()); 465 // FIXME: Currently the state might already contain the marker due to 466 // incorrect handling of temporaries bound to default parameters. 467 assert(!State->get<ObjectsUnderConstruction>(Key) || 468 Key.getItem().getKind() == 469 ConstructionContextItem::TemporaryDestructorKind); 470 return State->set<ObjectsUnderConstruction>(Key, V); 471 } 472 473 Optional<SVal> 474 ExprEngine::getObjectUnderConstruction(ProgramStateRef State, 475 const ConstructionContextItem &Item, 476 const LocationContext *LC) { 477 ConstructedObjectKey Key(Item, LC->getStackFrame()); 478 return Optional<SVal>::create(State->get<ObjectsUnderConstruction>(Key)); 479 } 480 481 ProgramStateRef 482 ExprEngine::finishObjectConstruction(ProgramStateRef State, 483 const ConstructionContextItem &Item, 484 const LocationContext *LC) { 485 ConstructedObjectKey Key(Item, LC->getStackFrame()); 486 assert(State->contains<ObjectsUnderConstruction>(Key)); 487 return State->remove<ObjectsUnderConstruction>(Key); 488 } 489 490 ProgramStateRef ExprEngine::elideDestructor(ProgramStateRef State, 491 const CXXBindTemporaryExpr *BTE, 492 const LocationContext *LC) { 493 ConstructedObjectKey Key({BTE, /*IsElided=*/true}, LC); 494 // FIXME: Currently the state might already contain the marker due to 495 // incorrect handling of temporaries bound to default parameters. 496 return State->set<ObjectsUnderConstruction>(Key, UnknownVal()); 497 } 498 499 ProgramStateRef 500 ExprEngine::cleanupElidedDestructor(ProgramStateRef State, 501 const CXXBindTemporaryExpr *BTE, 502 const LocationContext *LC) { 503 ConstructedObjectKey Key({BTE, /*IsElided=*/true}, LC); 504 assert(State->contains<ObjectsUnderConstruction>(Key)); 505 return State->remove<ObjectsUnderConstruction>(Key); 506 } 507 508 bool ExprEngine::isDestructorElided(ProgramStateRef State, 509 const CXXBindTemporaryExpr *BTE, 510 const LocationContext *LC) { 511 ConstructedObjectKey Key({BTE, /*IsElided=*/true}, LC); 512 return State->contains<ObjectsUnderConstruction>(Key); 513 } 514 515 bool ExprEngine::areAllObjectsFullyConstructed(ProgramStateRef State, 516 const LocationContext *FromLC, 517 const LocationContext *ToLC) { 518 const LocationContext *LC = FromLC; 519 while (LC != ToLC) { 520 assert(LC && "ToLC must be a parent of FromLC!"); 521 for (auto I : State->get<ObjectsUnderConstruction>()) 522 if (I.first.getLocationContext() == LC) 523 return false; 524 525 LC = LC->getParent(); 526 } 527 return true; 528 } 529 530 531 //===----------------------------------------------------------------------===// 532 // Top-level transfer function logic (Dispatcher). 533 //===----------------------------------------------------------------------===// 534 535 /// evalAssume - Called by ConstraintManager. Used to call checker-specific 536 /// logic for handling assumptions on symbolic values. 537 ProgramStateRef ExprEngine::processAssume(ProgramStateRef state, 538 SVal cond, bool assumption) { 539 return getCheckerManager().runCheckersForEvalAssume(state, cond, assumption); 540 } 541 542 ProgramStateRef 543 ExprEngine::processRegionChanges(ProgramStateRef state, 544 const InvalidatedSymbols *invalidated, 545 ArrayRef<const MemRegion *> Explicits, 546 ArrayRef<const MemRegion *> Regions, 547 const LocationContext *LCtx, 548 const CallEvent *Call) { 549 return getCheckerManager().runCheckersForRegionChanges(state, invalidated, 550 Explicits, Regions, 551 LCtx, Call); 552 } 553 554 static void 555 printObjectsUnderConstructionJson(raw_ostream &Out, ProgramStateRef State, 556 const char *NL, const LocationContext *LCtx, 557 unsigned int Space = 0, bool IsDot = false) { 558 PrintingPolicy PP = 559 LCtx->getAnalysisDeclContext()->getASTContext().getPrintingPolicy(); 560 561 ++Space; 562 bool HasItem = false; 563 564 // Store the last key. 565 const ConstructedObjectKey *LastKey = nullptr; 566 for (const auto &I : State->get<ObjectsUnderConstruction>()) { 567 const ConstructedObjectKey &Key = I.first; 568 if (Key.getLocationContext() != LCtx) 569 continue; 570 571 if (!HasItem) { 572 Out << "[" << NL; 573 HasItem = true; 574 } 575 576 LastKey = &Key; 577 } 578 579 for (const auto &I : State->get<ObjectsUnderConstruction>()) { 580 const ConstructedObjectKey &Key = I.first; 581 SVal Value = I.second; 582 if (Key.getLocationContext() != LCtx) 583 continue; 584 585 Indent(Out, Space, IsDot) << "{ "; 586 Key.printJson(Out, nullptr, PP); 587 Out << ", \"value\": \"" << Value << "\" }"; 588 589 if (&Key != LastKey) 590 Out << ','; 591 Out << NL; 592 } 593 594 if (HasItem) 595 Indent(Out, --Space, IsDot) << ']'; // End of "location_context". 596 else { 597 Out << "null "; 598 } 599 } 600 601 void ExprEngine::printJson(raw_ostream &Out, ProgramStateRef State, 602 const LocationContext *LCtx, const char *NL, 603 unsigned int Space, bool IsDot) const { 604 Indent(Out, Space, IsDot) << "\"constructing_objects\": "; 605 606 if (LCtx && !State->get<ObjectsUnderConstruction>().isEmpty()) { 607 ++Space; 608 Out << '[' << NL; 609 LCtx->printJson(Out, NL, Space, IsDot, [&](const LocationContext *LC) { 610 printObjectsUnderConstructionJson(Out, State, NL, LC, Space, IsDot); 611 }); 612 613 --Space; 614 Indent(Out, Space, IsDot) << "]," << NL; // End of "constructing_objects". 615 } else { 616 Out << "null," << NL; 617 } 618 619 getCheckerManager().runCheckersForPrintStateJson(Out, State, NL, Space, 620 IsDot); 621 } 622 623 void ExprEngine::processEndWorklist() { 624 getCheckerManager().runCheckersForEndAnalysis(G, BR, *this); 625 } 626 627 void ExprEngine::processCFGElement(const CFGElement E, ExplodedNode *Pred, 628 unsigned StmtIdx, NodeBuilderContext *Ctx) { 629 PrettyStackTraceLocationContext CrashInfo(Pred->getLocationContext()); 630 currStmtIdx = StmtIdx; 631 currBldrCtx = Ctx; 632 633 switch (E.getKind()) { 634 case CFGElement::Statement: 635 case CFGElement::Constructor: 636 case CFGElement::CXXRecordTypedCall: 637 ProcessStmt(E.castAs<CFGStmt>().getStmt(), Pred); 638 return; 639 case CFGElement::Initializer: 640 ProcessInitializer(E.castAs<CFGInitializer>(), Pred); 641 return; 642 case CFGElement::NewAllocator: 643 ProcessNewAllocator(E.castAs<CFGNewAllocator>().getAllocatorExpr(), 644 Pred); 645 return; 646 case CFGElement::AutomaticObjectDtor: 647 case CFGElement::DeleteDtor: 648 case CFGElement::BaseDtor: 649 case CFGElement::MemberDtor: 650 case CFGElement::TemporaryDtor: 651 ProcessImplicitDtor(E.castAs<CFGImplicitDtor>(), Pred); 652 return; 653 case CFGElement::LoopExit: 654 ProcessLoopExit(E.castAs<CFGLoopExit>().getLoopStmt(), Pred); 655 return; 656 case CFGElement::LifetimeEnds: 657 case CFGElement::ScopeBegin: 658 case CFGElement::ScopeEnd: 659 return; 660 } 661 } 662 663 static bool shouldRemoveDeadBindings(AnalysisManager &AMgr, 664 const Stmt *S, 665 const ExplodedNode *Pred, 666 const LocationContext *LC) { 667 // Are we never purging state values? 668 if (AMgr.options.AnalysisPurgeOpt == PurgeNone) 669 return false; 670 671 // Is this the beginning of a basic block? 672 if (Pred->getLocation().getAs<BlockEntrance>()) 673 return true; 674 675 // Is this on a non-expression? 676 if (!isa<Expr>(S)) 677 return true; 678 679 // Run before processing a call. 680 if (CallEvent::isCallStmt(S)) 681 return true; 682 683 // Is this an expression that is consumed by another expression? If so, 684 // postpone cleaning out the state. 685 ParentMap &PM = LC->getAnalysisDeclContext()->getParentMap(); 686 return !PM.isConsumedExpr(cast<Expr>(S)); 687 } 688 689 void ExprEngine::removeDead(ExplodedNode *Pred, ExplodedNodeSet &Out, 690 const Stmt *ReferenceStmt, 691 const LocationContext *LC, 692 const Stmt *DiagnosticStmt, 693 ProgramPoint::Kind K) { 694 assert((K == ProgramPoint::PreStmtPurgeDeadSymbolsKind || 695 ReferenceStmt == nullptr || isa<ReturnStmt>(ReferenceStmt)) 696 && "PostStmt is not generally supported by the SymbolReaper yet"); 697 assert(LC && "Must pass the current (or expiring) LocationContext"); 698 699 if (!DiagnosticStmt) { 700 DiagnosticStmt = ReferenceStmt; 701 assert(DiagnosticStmt && "Required for clearing a LocationContext"); 702 } 703 704 NumRemoveDeadBindings++; 705 ProgramStateRef CleanedState = Pred->getState(); 706 707 // LC is the location context being destroyed, but SymbolReaper wants a 708 // location context that is still live. (If this is the top-level stack 709 // frame, this will be null.) 710 if (!ReferenceStmt) { 711 assert(K == ProgramPoint::PostStmtPurgeDeadSymbolsKind && 712 "Use PostStmtPurgeDeadSymbolsKind for clearing a LocationContext"); 713 LC = LC->getParent(); 714 } 715 716 const StackFrameContext *SFC = LC ? LC->getStackFrame() : nullptr; 717 SymbolReaper SymReaper(SFC, ReferenceStmt, SymMgr, getStoreManager()); 718 719 for (auto I : CleanedState->get<ObjectsUnderConstruction>()) { 720 if (SymbolRef Sym = I.second.getAsSymbol()) 721 SymReaper.markLive(Sym); 722 if (const MemRegion *MR = I.second.getAsRegion()) 723 SymReaper.markLive(MR); 724 } 725 726 getCheckerManager().runCheckersForLiveSymbols(CleanedState, SymReaper); 727 728 // Create a state in which dead bindings are removed from the environment 729 // and the store. TODO: The function should just return new env and store, 730 // not a new state. 731 CleanedState = StateMgr.removeDeadBindingsFromEnvironmentAndStore( 732 CleanedState, SFC, SymReaper); 733 734 // Process any special transfer function for dead symbols. 735 // A tag to track convenience transitions, which can be removed at cleanup. 736 static SimpleProgramPointTag cleanupTag(TagProviderName, "Clean Node"); 737 // Call checkers with the non-cleaned state so that they could query the 738 // values of the soon to be dead symbols. 739 ExplodedNodeSet CheckedSet; 740 getCheckerManager().runCheckersForDeadSymbols(CheckedSet, Pred, SymReaper, 741 DiagnosticStmt, *this, K); 742 743 // For each node in CheckedSet, generate CleanedNodes that have the 744 // environment, the store, and the constraints cleaned up but have the 745 // user-supplied states as the predecessors. 746 StmtNodeBuilder Bldr(CheckedSet, Out, *currBldrCtx); 747 for (const auto I : CheckedSet) { 748 ProgramStateRef CheckerState = I->getState(); 749 750 // The constraint manager has not been cleaned up yet, so clean up now. 751 CheckerState = 752 getConstraintManager().removeDeadBindings(CheckerState, SymReaper); 753 754 assert(StateMgr.haveEqualEnvironments(CheckerState, Pred->getState()) && 755 "Checkers are not allowed to modify the Environment as a part of " 756 "checkDeadSymbols processing."); 757 assert(StateMgr.haveEqualStores(CheckerState, Pred->getState()) && 758 "Checkers are not allowed to modify the Store as a part of " 759 "checkDeadSymbols processing."); 760 761 // Create a state based on CleanedState with CheckerState GDM and 762 // generate a transition to that state. 763 ProgramStateRef CleanedCheckerSt = 764 StateMgr.getPersistentStateWithGDM(CleanedState, CheckerState); 765 Bldr.generateNode(DiagnosticStmt, I, CleanedCheckerSt, &cleanupTag, K); 766 } 767 } 768 769 void ExprEngine::ProcessStmt(const Stmt *currStmt, ExplodedNode *Pred) { 770 // Reclaim any unnecessary nodes in the ExplodedGraph. 771 G.reclaimRecentlyAllocatedNodes(); 772 773 PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), 774 currStmt->getBeginLoc(), 775 "Error evaluating statement"); 776 777 // Remove dead bindings and symbols. 778 ExplodedNodeSet CleanedStates; 779 if (shouldRemoveDeadBindings(AMgr, currStmt, Pred, 780 Pred->getLocationContext())) { 781 removeDead(Pred, CleanedStates, currStmt, 782 Pred->getLocationContext()); 783 } else 784 CleanedStates.Add(Pred); 785 786 // Visit the statement. 787 ExplodedNodeSet Dst; 788 for (const auto I : CleanedStates) { 789 ExplodedNodeSet DstI; 790 // Visit the statement. 791 Visit(currStmt, I, DstI); 792 Dst.insert(DstI); 793 } 794 795 // Enqueue the new nodes onto the work list. 796 Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx); 797 } 798 799 void ExprEngine::ProcessLoopExit(const Stmt* S, ExplodedNode *Pred) { 800 PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), 801 S->getBeginLoc(), 802 "Error evaluating end of the loop"); 803 ExplodedNodeSet Dst; 804 Dst.Add(Pred); 805 NodeBuilder Bldr(Pred, Dst, *currBldrCtx); 806 ProgramStateRef NewState = Pred->getState(); 807 808 if(AMgr.options.ShouldUnrollLoops) 809 NewState = processLoopEnd(S, NewState); 810 811 LoopExit PP(S, Pred->getLocationContext()); 812 Bldr.generateNode(PP, NewState, Pred); 813 // Enqueue the new nodes onto the work list. 814 Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx); 815 } 816 817 void ExprEngine::ProcessInitializer(const CFGInitializer CFGInit, 818 ExplodedNode *Pred) { 819 const CXXCtorInitializer *BMI = CFGInit.getInitializer(); 820 const Expr *Init = BMI->getInit()->IgnoreImplicit(); 821 const LocationContext *LC = Pred->getLocationContext(); 822 823 PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), 824 BMI->getSourceLocation(), 825 "Error evaluating initializer"); 826 827 // We don't clean up dead bindings here. 828 const auto *stackFrame = cast<StackFrameContext>(Pred->getLocationContext()); 829 const auto *decl = cast<CXXConstructorDecl>(stackFrame->getDecl()); 830 831 ProgramStateRef State = Pred->getState(); 832 SVal thisVal = State->getSVal(svalBuilder.getCXXThis(decl, stackFrame)); 833 834 ExplodedNodeSet Tmp; 835 SVal FieldLoc; 836 837 // Evaluate the initializer, if necessary 838 if (BMI->isAnyMemberInitializer()) { 839 // Constructors build the object directly in the field, 840 // but non-objects must be copied in from the initializer. 841 if (getObjectUnderConstruction(State, BMI, LC)) { 842 // The field was directly constructed, so there is no need to bind. 843 // But we still need to stop tracking the object under construction. 844 State = finishObjectConstruction(State, BMI, LC); 845 NodeBuilder Bldr(Pred, Tmp, *currBldrCtx); 846 PostStore PS(Init, LC, /*Loc*/ nullptr, /*tag*/ nullptr); 847 Bldr.generateNode(PS, State, Pred); 848 } else { 849 const ValueDecl *Field; 850 if (BMI->isIndirectMemberInitializer()) { 851 Field = BMI->getIndirectMember(); 852 FieldLoc = State->getLValue(BMI->getIndirectMember(), thisVal); 853 } else { 854 Field = BMI->getMember(); 855 FieldLoc = State->getLValue(BMI->getMember(), thisVal); 856 } 857 858 SVal InitVal; 859 if (Init->getType()->isArrayType()) { 860 // Handle arrays of trivial type. We can represent this with a 861 // primitive load/copy from the base array region. 862 const ArraySubscriptExpr *ASE; 863 while ((ASE = dyn_cast<ArraySubscriptExpr>(Init))) 864 Init = ASE->getBase()->IgnoreImplicit(); 865 866 SVal LValue = State->getSVal(Init, stackFrame); 867 if (!Field->getType()->isReferenceType()) 868 if (Optional<Loc> LValueLoc = LValue.getAs<Loc>()) 869 InitVal = State->getSVal(*LValueLoc); 870 871 // If we fail to get the value for some reason, use a symbolic value. 872 if (InitVal.isUnknownOrUndef()) { 873 SValBuilder &SVB = getSValBuilder(); 874 InitVal = SVB.conjureSymbolVal(BMI->getInit(), stackFrame, 875 Field->getType(), 876 currBldrCtx->blockCount()); 877 } 878 } else { 879 InitVal = State->getSVal(BMI->getInit(), stackFrame); 880 } 881 882 PostInitializer PP(BMI, FieldLoc.getAsRegion(), stackFrame); 883 evalBind(Tmp, Init, Pred, FieldLoc, InitVal, /*isInit=*/true, &PP); 884 } 885 } else { 886 assert(BMI->isBaseInitializer() || BMI->isDelegatingInitializer()); 887 Tmp.insert(Pred); 888 // We already did all the work when visiting the CXXConstructExpr. 889 } 890 891 // Construct PostInitializer nodes whether the state changed or not, 892 // so that the diagnostics don't get confused. 893 PostInitializer PP(BMI, FieldLoc.getAsRegion(), stackFrame); 894 ExplodedNodeSet Dst; 895 NodeBuilder Bldr(Tmp, Dst, *currBldrCtx); 896 for (const auto I : Tmp) { 897 ProgramStateRef State = I->getState(); 898 Bldr.generateNode(PP, State, I); 899 } 900 901 // Enqueue the new nodes onto the work list. 902 Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx); 903 } 904 905 void ExprEngine::ProcessImplicitDtor(const CFGImplicitDtor D, 906 ExplodedNode *Pred) { 907 ExplodedNodeSet Dst; 908 switch (D.getKind()) { 909 case CFGElement::AutomaticObjectDtor: 910 ProcessAutomaticObjDtor(D.castAs<CFGAutomaticObjDtor>(), Pred, Dst); 911 break; 912 case CFGElement::BaseDtor: 913 ProcessBaseDtor(D.castAs<CFGBaseDtor>(), Pred, Dst); 914 break; 915 case CFGElement::MemberDtor: 916 ProcessMemberDtor(D.castAs<CFGMemberDtor>(), Pred, Dst); 917 break; 918 case CFGElement::TemporaryDtor: 919 ProcessTemporaryDtor(D.castAs<CFGTemporaryDtor>(), Pred, Dst); 920 break; 921 case CFGElement::DeleteDtor: 922 ProcessDeleteDtor(D.castAs<CFGDeleteDtor>(), Pred, Dst); 923 break; 924 default: 925 llvm_unreachable("Unexpected dtor kind."); 926 } 927 928 // Enqueue the new nodes onto the work list. 929 Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx); 930 } 931 932 void ExprEngine::ProcessNewAllocator(const CXXNewExpr *NE, 933 ExplodedNode *Pred) { 934 ExplodedNodeSet Dst; 935 AnalysisManager &AMgr = getAnalysisManager(); 936 AnalyzerOptions &Opts = AMgr.options; 937 // TODO: We're not evaluating allocators for all cases just yet as 938 // we're not handling the return value correctly, which causes false 939 // positives when the alpha.cplusplus.NewDeleteLeaks check is on. 940 if (Opts.MayInlineCXXAllocator) 941 VisitCXXNewAllocatorCall(NE, Pred, Dst); 942 else { 943 NodeBuilder Bldr(Pred, Dst, *currBldrCtx); 944 const LocationContext *LCtx = Pred->getLocationContext(); 945 PostImplicitCall PP(NE->getOperatorNew(), NE->getBeginLoc(), LCtx); 946 Bldr.generateNode(PP, Pred->getState(), Pred); 947 } 948 Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx); 949 } 950 951 void ExprEngine::ProcessAutomaticObjDtor(const CFGAutomaticObjDtor Dtor, 952 ExplodedNode *Pred, 953 ExplodedNodeSet &Dst) { 954 const VarDecl *varDecl = Dtor.getVarDecl(); 955 QualType varType = varDecl->getType(); 956 957 ProgramStateRef state = Pred->getState(); 958 SVal dest = state->getLValue(varDecl, Pred->getLocationContext()); 959 const MemRegion *Region = dest.castAs<loc::MemRegionVal>().getRegion(); 960 961 if (varType->isReferenceType()) { 962 const MemRegion *ValueRegion = state->getSVal(Region).getAsRegion(); 963 if (!ValueRegion) { 964 // FIXME: This should not happen. The language guarantees a presence 965 // of a valid initializer here, so the reference shall not be undefined. 966 // It seems that we're calling destructors over variables that 967 // were not initialized yet. 968 return; 969 } 970 Region = ValueRegion->getBaseRegion(); 971 varType = cast<TypedValueRegion>(Region)->getValueType(); 972 } 973 974 // FIXME: We need to run the same destructor on every element of the array. 975 // This workaround will just run the first destructor (which will still 976 // invalidate the entire array). 977 EvalCallOptions CallOpts; 978 Region = makeZeroElementRegion(state, loc::MemRegionVal(Region), varType, 979 CallOpts.IsArrayCtorOrDtor).getAsRegion(); 980 981 VisitCXXDestructor(varType, Region, Dtor.getTriggerStmt(), 982 /*IsBase=*/false, Pred, Dst, CallOpts); 983 } 984 985 void ExprEngine::ProcessDeleteDtor(const CFGDeleteDtor Dtor, 986 ExplodedNode *Pred, 987 ExplodedNodeSet &Dst) { 988 ProgramStateRef State = Pred->getState(); 989 const LocationContext *LCtx = Pred->getLocationContext(); 990 const CXXDeleteExpr *DE = Dtor.getDeleteExpr(); 991 const Stmt *Arg = DE->getArgument(); 992 QualType DTy = DE->getDestroyedType(); 993 SVal ArgVal = State->getSVal(Arg, LCtx); 994 995 // If the argument to delete is known to be a null value, 996 // don't run destructor. 997 if (State->isNull(ArgVal).isConstrainedTrue()) { 998 QualType BTy = getContext().getBaseElementType(DTy); 999 const CXXRecordDecl *RD = BTy->getAsCXXRecordDecl(); 1000 const CXXDestructorDecl *Dtor = RD->getDestructor(); 1001 1002 PostImplicitCall PP(Dtor, DE->getBeginLoc(), LCtx); 1003 NodeBuilder Bldr(Pred, Dst, *currBldrCtx); 1004 Bldr.generateNode(PP, Pred->getState(), Pred); 1005 return; 1006 } 1007 1008 EvalCallOptions CallOpts; 1009 const MemRegion *ArgR = ArgVal.getAsRegion(); 1010 if (DE->isArrayForm()) { 1011 // FIXME: We need to run the same destructor on every element of the array. 1012 // This workaround will just run the first destructor (which will still 1013 // invalidate the entire array). 1014 CallOpts.IsArrayCtorOrDtor = true; 1015 // Yes, it may even be a multi-dimensional array. 1016 while (const auto *AT = getContext().getAsArrayType(DTy)) 1017 DTy = AT->getElementType(); 1018 if (ArgR) 1019 ArgR = getStoreManager().GetElementZeroRegion(cast<SubRegion>(ArgR), DTy); 1020 } 1021 1022 VisitCXXDestructor(DTy, ArgR, DE, /*IsBase=*/false, Pred, Dst, CallOpts); 1023 } 1024 1025 void ExprEngine::ProcessBaseDtor(const CFGBaseDtor D, 1026 ExplodedNode *Pred, ExplodedNodeSet &Dst) { 1027 const LocationContext *LCtx = Pred->getLocationContext(); 1028 1029 const auto *CurDtor = cast<CXXDestructorDecl>(LCtx->getDecl()); 1030 Loc ThisPtr = getSValBuilder().getCXXThis(CurDtor, 1031 LCtx->getStackFrame()); 1032 SVal ThisVal = Pred->getState()->getSVal(ThisPtr); 1033 1034 // Create the base object region. 1035 const CXXBaseSpecifier *Base = D.getBaseSpecifier(); 1036 QualType BaseTy = Base->getType(); 1037 SVal BaseVal = getStoreManager().evalDerivedToBase(ThisVal, BaseTy, 1038 Base->isVirtual()); 1039 1040 EvalCallOptions CallOpts; 1041 VisitCXXDestructor(BaseTy, BaseVal.getAsRegion(), CurDtor->getBody(), 1042 /*IsBase=*/true, Pred, Dst, CallOpts); 1043 } 1044 1045 void ExprEngine::ProcessMemberDtor(const CFGMemberDtor D, 1046 ExplodedNode *Pred, ExplodedNodeSet &Dst) { 1047 const FieldDecl *Member = D.getFieldDecl(); 1048 QualType T = Member->getType(); 1049 ProgramStateRef State = Pred->getState(); 1050 const LocationContext *LCtx = Pred->getLocationContext(); 1051 1052 const auto *CurDtor = cast<CXXDestructorDecl>(LCtx->getDecl()); 1053 Loc ThisStorageLoc = 1054 getSValBuilder().getCXXThis(CurDtor, LCtx->getStackFrame()); 1055 Loc ThisLoc = State->getSVal(ThisStorageLoc).castAs<Loc>(); 1056 SVal FieldVal = State->getLValue(Member, ThisLoc); 1057 1058 // FIXME: We need to run the same destructor on every element of the array. 1059 // This workaround will just run the first destructor (which will still 1060 // invalidate the entire array). 1061 EvalCallOptions CallOpts; 1062 FieldVal = makeZeroElementRegion(State, FieldVal, T, 1063 CallOpts.IsArrayCtorOrDtor); 1064 1065 VisitCXXDestructor(T, FieldVal.getAsRegion(), CurDtor->getBody(), 1066 /*IsBase=*/false, Pred, Dst, CallOpts); 1067 } 1068 1069 void ExprEngine::ProcessTemporaryDtor(const CFGTemporaryDtor D, 1070 ExplodedNode *Pred, 1071 ExplodedNodeSet &Dst) { 1072 const CXXBindTemporaryExpr *BTE = D.getBindTemporaryExpr(); 1073 ProgramStateRef State = Pred->getState(); 1074 const LocationContext *LC = Pred->getLocationContext(); 1075 const MemRegion *MR = nullptr; 1076 1077 if (Optional<SVal> V = 1078 getObjectUnderConstruction(State, D.getBindTemporaryExpr(), 1079 Pred->getLocationContext())) { 1080 // FIXME: Currently we insert temporary destructors for default parameters, 1081 // but we don't insert the constructors, so the entry in 1082 // ObjectsUnderConstruction may be missing. 1083 State = finishObjectConstruction(State, D.getBindTemporaryExpr(), 1084 Pred->getLocationContext()); 1085 MR = V->getAsRegion(); 1086 } 1087 1088 // If copy elision has occurred, and the constructor corresponding to the 1089 // destructor was elided, we need to skip the destructor as well. 1090 if (isDestructorElided(State, BTE, LC)) { 1091 State = cleanupElidedDestructor(State, BTE, LC); 1092 NodeBuilder Bldr(Pred, Dst, *currBldrCtx); 1093 PostImplicitCall PP(D.getDestructorDecl(getContext()), 1094 D.getBindTemporaryExpr()->getBeginLoc(), 1095 Pred->getLocationContext()); 1096 Bldr.generateNode(PP, State, Pred); 1097 return; 1098 } 1099 1100 ExplodedNodeSet CleanDtorState; 1101 StmtNodeBuilder StmtBldr(Pred, CleanDtorState, *currBldrCtx); 1102 StmtBldr.generateNode(D.getBindTemporaryExpr(), Pred, State); 1103 1104 QualType T = D.getBindTemporaryExpr()->getSubExpr()->getType(); 1105 // FIXME: Currently CleanDtorState can be empty here due to temporaries being 1106 // bound to default parameters. 1107 assert(CleanDtorState.size() <= 1); 1108 ExplodedNode *CleanPred = 1109 CleanDtorState.empty() ? Pred : *CleanDtorState.begin(); 1110 1111 EvalCallOptions CallOpts; 1112 CallOpts.IsTemporaryCtorOrDtor = true; 1113 if (!MR) { 1114 // If we have no MR, we still need to unwrap the array to avoid destroying 1115 // the whole array at once. Regardless, we'd eventually need to model array 1116 // destructors properly, element-by-element. 1117 while (const ArrayType *AT = getContext().getAsArrayType(T)) { 1118 T = AT->getElementType(); 1119 CallOpts.IsArrayCtorOrDtor = true; 1120 } 1121 } else { 1122 // We'd eventually need to makeZeroElementRegion() trick here, 1123 // but for now we don't have the respective construction contexts, 1124 // so MR would always be null in this case. Do nothing for now. 1125 } 1126 VisitCXXDestructor(T, MR, D.getBindTemporaryExpr(), 1127 /*IsBase=*/false, CleanPred, Dst, CallOpts); 1128 } 1129 1130 void ExprEngine::processCleanupTemporaryBranch(const CXXBindTemporaryExpr *BTE, 1131 NodeBuilderContext &BldCtx, 1132 ExplodedNode *Pred, 1133 ExplodedNodeSet &Dst, 1134 const CFGBlock *DstT, 1135 const CFGBlock *DstF) { 1136 BranchNodeBuilder TempDtorBuilder(Pred, Dst, BldCtx, DstT, DstF); 1137 ProgramStateRef State = Pred->getState(); 1138 const LocationContext *LC = Pred->getLocationContext(); 1139 if (getObjectUnderConstruction(State, BTE, LC)) { 1140 TempDtorBuilder.markInfeasible(false); 1141 TempDtorBuilder.generateNode(State, true, Pred); 1142 } else { 1143 TempDtorBuilder.markInfeasible(true); 1144 TempDtorBuilder.generateNode(State, false, Pred); 1145 } 1146 } 1147 1148 void ExprEngine::VisitCXXBindTemporaryExpr(const CXXBindTemporaryExpr *BTE, 1149 ExplodedNodeSet &PreVisit, 1150 ExplodedNodeSet &Dst) { 1151 // This is a fallback solution in case we didn't have a construction 1152 // context when we were constructing the temporary. Otherwise the map should 1153 // have been populated there. 1154 if (!getAnalysisManager().options.ShouldIncludeTemporaryDtorsInCFG) { 1155 // In case we don't have temporary destructors in the CFG, do not mark 1156 // the initialization - we would otherwise never clean it up. 1157 Dst = PreVisit; 1158 return; 1159 } 1160 StmtNodeBuilder StmtBldr(PreVisit, Dst, *currBldrCtx); 1161 for (ExplodedNode *Node : PreVisit) { 1162 ProgramStateRef State = Node->getState(); 1163 const LocationContext *LC = Node->getLocationContext(); 1164 if (!getObjectUnderConstruction(State, BTE, LC)) { 1165 // FIXME: Currently the state might also already contain the marker due to 1166 // incorrect handling of temporaries bound to default parameters; for 1167 // those, we currently skip the CXXBindTemporaryExpr but rely on adding 1168 // temporary destructor nodes. 1169 State = addObjectUnderConstruction(State, BTE, LC, UnknownVal()); 1170 } 1171 StmtBldr.generateNode(BTE, Node, State); 1172 } 1173 } 1174 1175 ProgramStateRef ExprEngine::escapeValues(ProgramStateRef State, 1176 ArrayRef<SVal> Vs, 1177 PointerEscapeKind K, 1178 const CallEvent *Call) const { 1179 class CollectReachableSymbolsCallback final : public SymbolVisitor { 1180 InvalidatedSymbols &Symbols; 1181 1182 public: 1183 explicit CollectReachableSymbolsCallback(InvalidatedSymbols &Symbols) 1184 : Symbols(Symbols) {} 1185 1186 const InvalidatedSymbols &getSymbols() const { return Symbols; } 1187 1188 bool VisitSymbol(SymbolRef Sym) override { 1189 Symbols.insert(Sym); 1190 return true; 1191 } 1192 }; 1193 InvalidatedSymbols Symbols; 1194 CollectReachableSymbolsCallback CallBack(Symbols); 1195 for (SVal V : Vs) 1196 State->scanReachableSymbols(V, CallBack); 1197 1198 return getCheckerManager().runCheckersForPointerEscape( 1199 State, CallBack.getSymbols(), Call, K, nullptr); 1200 } 1201 1202 void ExprEngine::Visit(const Stmt *S, ExplodedNode *Pred, 1203 ExplodedNodeSet &DstTop) { 1204 PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), 1205 S->getBeginLoc(), "Error evaluating statement"); 1206 ExplodedNodeSet Dst; 1207 StmtNodeBuilder Bldr(Pred, DstTop, *currBldrCtx); 1208 1209 assert(!isa<Expr>(S) || S == cast<Expr>(S)->IgnoreParens()); 1210 1211 switch (S->getStmtClass()) { 1212 // C++, OpenMP and ARC stuff we don't support yet. 1213 case Stmt::CXXDependentScopeMemberExprClass: 1214 case Stmt::CXXTryStmtClass: 1215 case Stmt::CXXTypeidExprClass: 1216 case Stmt::CXXUuidofExprClass: 1217 case Stmt::CXXFoldExprClass: 1218 case Stmt::MSPropertyRefExprClass: 1219 case Stmt::MSPropertySubscriptExprClass: 1220 case Stmt::CXXUnresolvedConstructExprClass: 1221 case Stmt::DependentScopeDeclRefExprClass: 1222 case Stmt::ArrayTypeTraitExprClass: 1223 case Stmt::ExpressionTraitExprClass: 1224 case Stmt::UnresolvedLookupExprClass: 1225 case Stmt::UnresolvedMemberExprClass: 1226 case Stmt::TypoExprClass: 1227 case Stmt::RecoveryExprClass: 1228 case Stmt::CXXNoexceptExprClass: 1229 case Stmt::PackExpansionExprClass: 1230 case Stmt::SubstNonTypeTemplateParmPackExprClass: 1231 case Stmt::FunctionParmPackExprClass: 1232 case Stmt::CoroutineBodyStmtClass: 1233 case Stmt::CoawaitExprClass: 1234 case Stmt::DependentCoawaitExprClass: 1235 case Stmt::CoreturnStmtClass: 1236 case Stmt::CoyieldExprClass: 1237 case Stmt::SEHTryStmtClass: 1238 case Stmt::SEHExceptStmtClass: 1239 case Stmt::SEHLeaveStmtClass: 1240 case Stmt::SEHFinallyStmtClass: 1241 case Stmt::OMPCanonicalLoopClass: 1242 case Stmt::OMPParallelDirectiveClass: 1243 case Stmt::OMPSimdDirectiveClass: 1244 case Stmt::OMPForDirectiveClass: 1245 case Stmt::OMPForSimdDirectiveClass: 1246 case Stmt::OMPSectionsDirectiveClass: 1247 case Stmt::OMPSectionDirectiveClass: 1248 case Stmt::OMPSingleDirectiveClass: 1249 case Stmt::OMPMasterDirectiveClass: 1250 case Stmt::OMPCriticalDirectiveClass: 1251 case Stmt::OMPParallelForDirectiveClass: 1252 case Stmt::OMPParallelForSimdDirectiveClass: 1253 case Stmt::OMPParallelSectionsDirectiveClass: 1254 case Stmt::OMPParallelMasterDirectiveClass: 1255 case Stmt::OMPTaskDirectiveClass: 1256 case Stmt::OMPTaskyieldDirectiveClass: 1257 case Stmt::OMPBarrierDirectiveClass: 1258 case Stmt::OMPTaskwaitDirectiveClass: 1259 case Stmt::OMPTaskgroupDirectiveClass: 1260 case Stmt::OMPFlushDirectiveClass: 1261 case Stmt::OMPDepobjDirectiveClass: 1262 case Stmt::OMPScanDirectiveClass: 1263 case Stmt::OMPOrderedDirectiveClass: 1264 case Stmt::OMPAtomicDirectiveClass: 1265 case Stmt::OMPTargetDirectiveClass: 1266 case Stmt::OMPTargetDataDirectiveClass: 1267 case Stmt::OMPTargetEnterDataDirectiveClass: 1268 case Stmt::OMPTargetExitDataDirectiveClass: 1269 case Stmt::OMPTargetParallelDirectiveClass: 1270 case Stmt::OMPTargetParallelForDirectiveClass: 1271 case Stmt::OMPTargetUpdateDirectiveClass: 1272 case Stmt::OMPTeamsDirectiveClass: 1273 case Stmt::OMPCancellationPointDirectiveClass: 1274 case Stmt::OMPCancelDirectiveClass: 1275 case Stmt::OMPTaskLoopDirectiveClass: 1276 case Stmt::OMPTaskLoopSimdDirectiveClass: 1277 case Stmt::OMPMasterTaskLoopDirectiveClass: 1278 case Stmt::OMPMasterTaskLoopSimdDirectiveClass: 1279 case Stmt::OMPParallelMasterTaskLoopDirectiveClass: 1280 case Stmt::OMPParallelMasterTaskLoopSimdDirectiveClass: 1281 case Stmt::OMPDistributeDirectiveClass: 1282 case Stmt::OMPDistributeParallelForDirectiveClass: 1283 case Stmt::OMPDistributeParallelForSimdDirectiveClass: 1284 case Stmt::OMPDistributeSimdDirectiveClass: 1285 case Stmt::OMPTargetParallelForSimdDirectiveClass: 1286 case Stmt::OMPTargetSimdDirectiveClass: 1287 case Stmt::OMPTeamsDistributeDirectiveClass: 1288 case Stmt::OMPTeamsDistributeSimdDirectiveClass: 1289 case Stmt::OMPTeamsDistributeParallelForSimdDirectiveClass: 1290 case Stmt::OMPTeamsDistributeParallelForDirectiveClass: 1291 case Stmt::OMPTargetTeamsDirectiveClass: 1292 case Stmt::OMPTargetTeamsDistributeDirectiveClass: 1293 case Stmt::OMPTargetTeamsDistributeParallelForDirectiveClass: 1294 case Stmt::OMPTargetTeamsDistributeParallelForSimdDirectiveClass: 1295 case Stmt::OMPTargetTeamsDistributeSimdDirectiveClass: 1296 case Stmt::OMPTileDirectiveClass: 1297 case Stmt::OMPInteropDirectiveClass: 1298 case Stmt::OMPDispatchDirectiveClass: 1299 case Stmt::OMPMaskedDirectiveClass: 1300 case Stmt::CapturedStmtClass: { 1301 const ExplodedNode *node = Bldr.generateSink(S, Pred, Pred->getState()); 1302 Engine.addAbortedBlock(node, currBldrCtx->getBlock()); 1303 break; 1304 } 1305 1306 case Stmt::ParenExprClass: 1307 llvm_unreachable("ParenExprs already handled."); 1308 case Stmt::GenericSelectionExprClass: 1309 llvm_unreachable("GenericSelectionExprs already handled."); 1310 // Cases that should never be evaluated simply because they shouldn't 1311 // appear in the CFG. 1312 case Stmt::BreakStmtClass: 1313 case Stmt::CaseStmtClass: 1314 case Stmt::CompoundStmtClass: 1315 case Stmt::ContinueStmtClass: 1316 case Stmt::CXXForRangeStmtClass: 1317 case Stmt::DefaultStmtClass: 1318 case Stmt::DoStmtClass: 1319 case Stmt::ForStmtClass: 1320 case Stmt::GotoStmtClass: 1321 case Stmt::IfStmtClass: 1322 case Stmt::IndirectGotoStmtClass: 1323 case Stmt::LabelStmtClass: 1324 case Stmt::NoStmtClass: 1325 case Stmt::NullStmtClass: 1326 case Stmt::SwitchStmtClass: 1327 case Stmt::WhileStmtClass: 1328 case Expr::MSDependentExistsStmtClass: 1329 llvm_unreachable("Stmt should not be in analyzer evaluation loop"); 1330 case Stmt::ImplicitValueInitExprClass: 1331 // These nodes are shared in the CFG and would case caching out. 1332 // Moreover, no additional evaluation required for them, the 1333 // analyzer can reconstruct these values from the AST. 1334 llvm_unreachable("Should be pruned from CFG"); 1335 1336 case Stmt::ObjCSubscriptRefExprClass: 1337 case Stmt::ObjCPropertyRefExprClass: 1338 llvm_unreachable("These are handled by PseudoObjectExpr"); 1339 1340 case Stmt::GNUNullExprClass: { 1341 // GNU __null is a pointer-width integer, not an actual pointer. 1342 ProgramStateRef state = Pred->getState(); 1343 state = state->BindExpr(S, Pred->getLocationContext(), 1344 svalBuilder.makeIntValWithPtrWidth(0, false)); 1345 Bldr.generateNode(S, Pred, state); 1346 break; 1347 } 1348 1349 case Stmt::ObjCAtSynchronizedStmtClass: 1350 Bldr.takeNodes(Pred); 1351 VisitObjCAtSynchronizedStmt(cast<ObjCAtSynchronizedStmt>(S), Pred, Dst); 1352 Bldr.addNodes(Dst); 1353 break; 1354 1355 case Expr::ConstantExprClass: 1356 case Stmt::ExprWithCleanupsClass: 1357 // Handled due to fully linearised CFG. 1358 break; 1359 1360 case Stmt::CXXBindTemporaryExprClass: { 1361 Bldr.takeNodes(Pred); 1362 ExplodedNodeSet PreVisit; 1363 getCheckerManager().runCheckersForPreStmt(PreVisit, Pred, S, *this); 1364 ExplodedNodeSet Next; 1365 VisitCXXBindTemporaryExpr(cast<CXXBindTemporaryExpr>(S), PreVisit, Next); 1366 getCheckerManager().runCheckersForPostStmt(Dst, Next, S, *this); 1367 Bldr.addNodes(Dst); 1368 break; 1369 } 1370 1371 // Cases not handled yet; but will handle some day. 1372 case Stmt::DesignatedInitExprClass: 1373 case Stmt::DesignatedInitUpdateExprClass: 1374 case Stmt::ArrayInitLoopExprClass: 1375 case Stmt::ArrayInitIndexExprClass: 1376 case Stmt::ExtVectorElementExprClass: 1377 case Stmt::ImaginaryLiteralClass: 1378 case Stmt::ObjCAtCatchStmtClass: 1379 case Stmt::ObjCAtFinallyStmtClass: 1380 case Stmt::ObjCAtTryStmtClass: 1381 case Stmt::ObjCAutoreleasePoolStmtClass: 1382 case Stmt::ObjCEncodeExprClass: 1383 case Stmt::ObjCIsaExprClass: 1384 case Stmt::ObjCProtocolExprClass: 1385 case Stmt::ObjCSelectorExprClass: 1386 case Stmt::ParenListExprClass: 1387 case Stmt::ShuffleVectorExprClass: 1388 case Stmt::ConvertVectorExprClass: 1389 case Stmt::VAArgExprClass: 1390 case Stmt::CUDAKernelCallExprClass: 1391 case Stmt::OpaqueValueExprClass: 1392 case Stmt::AsTypeExprClass: 1393 case Stmt::ConceptSpecializationExprClass: 1394 case Stmt::CXXRewrittenBinaryOperatorClass: 1395 case Stmt::RequiresExprClass: 1396 // Fall through. 1397 1398 // Cases we intentionally don't evaluate, since they don't need 1399 // to be explicitly evaluated. 1400 case Stmt::PredefinedExprClass: 1401 case Stmt::AddrLabelExprClass: 1402 case Stmt::AttributedStmtClass: 1403 case Stmt::IntegerLiteralClass: 1404 case Stmt::FixedPointLiteralClass: 1405 case Stmt::CharacterLiteralClass: 1406 case Stmt::CXXScalarValueInitExprClass: 1407 case Stmt::CXXBoolLiteralExprClass: 1408 case Stmt::ObjCBoolLiteralExprClass: 1409 case Stmt::ObjCAvailabilityCheckExprClass: 1410 case Stmt::FloatingLiteralClass: 1411 case Stmt::NoInitExprClass: 1412 case Stmt::SizeOfPackExprClass: 1413 case Stmt::StringLiteralClass: 1414 case Stmt::SourceLocExprClass: 1415 case Stmt::ObjCStringLiteralClass: 1416 case Stmt::CXXPseudoDestructorExprClass: 1417 case Stmt::SubstNonTypeTemplateParmExprClass: 1418 case Stmt::CXXNullPtrLiteralExprClass: 1419 case Stmt::OMPArraySectionExprClass: 1420 case Stmt::OMPArrayShapingExprClass: 1421 case Stmt::OMPIteratorExprClass: 1422 case Stmt::TypeTraitExprClass: { 1423 Bldr.takeNodes(Pred); 1424 ExplodedNodeSet preVisit; 1425 getCheckerManager().runCheckersForPreStmt(preVisit, Pred, S, *this); 1426 getCheckerManager().runCheckersForPostStmt(Dst, preVisit, S, *this); 1427 Bldr.addNodes(Dst); 1428 break; 1429 } 1430 1431 case Stmt::CXXDefaultArgExprClass: 1432 case Stmt::CXXDefaultInitExprClass: { 1433 Bldr.takeNodes(Pred); 1434 ExplodedNodeSet PreVisit; 1435 getCheckerManager().runCheckersForPreStmt(PreVisit, Pred, S, *this); 1436 1437 ExplodedNodeSet Tmp; 1438 StmtNodeBuilder Bldr2(PreVisit, Tmp, *currBldrCtx); 1439 1440 const Expr *ArgE; 1441 if (const auto *DefE = dyn_cast<CXXDefaultArgExpr>(S)) 1442 ArgE = DefE->getExpr(); 1443 else if (const auto *DefE = dyn_cast<CXXDefaultInitExpr>(S)) 1444 ArgE = DefE->getExpr(); 1445 else 1446 llvm_unreachable("unknown constant wrapper kind"); 1447 1448 bool IsTemporary = false; 1449 if (const auto *MTE = dyn_cast<MaterializeTemporaryExpr>(ArgE)) { 1450 ArgE = MTE->getSubExpr(); 1451 IsTemporary = true; 1452 } 1453 1454 Optional<SVal> ConstantVal = svalBuilder.getConstantVal(ArgE); 1455 if (!ConstantVal) 1456 ConstantVal = UnknownVal(); 1457 1458 const LocationContext *LCtx = Pred->getLocationContext(); 1459 for (const auto I : PreVisit) { 1460 ProgramStateRef State = I->getState(); 1461 State = State->BindExpr(S, LCtx, *ConstantVal); 1462 if (IsTemporary) 1463 State = createTemporaryRegionIfNeeded(State, LCtx, 1464 cast<Expr>(S), 1465 cast<Expr>(S)); 1466 Bldr2.generateNode(S, I, State); 1467 } 1468 1469 getCheckerManager().runCheckersForPostStmt(Dst, Tmp, S, *this); 1470 Bldr.addNodes(Dst); 1471 break; 1472 } 1473 1474 // Cases we evaluate as opaque expressions, conjuring a symbol. 1475 case Stmt::CXXStdInitializerListExprClass: 1476 case Expr::ObjCArrayLiteralClass: 1477 case Expr::ObjCDictionaryLiteralClass: 1478 case Expr::ObjCBoxedExprClass: { 1479 Bldr.takeNodes(Pred); 1480 1481 ExplodedNodeSet preVisit; 1482 getCheckerManager().runCheckersForPreStmt(preVisit, Pred, S, *this); 1483 1484 ExplodedNodeSet Tmp; 1485 StmtNodeBuilder Bldr2(preVisit, Tmp, *currBldrCtx); 1486 1487 const auto *Ex = cast<Expr>(S); 1488 QualType resultType = Ex->getType(); 1489 1490 for (const auto N : preVisit) { 1491 const LocationContext *LCtx = N->getLocationContext(); 1492 SVal result = svalBuilder.conjureSymbolVal(nullptr, Ex, LCtx, 1493 resultType, 1494 currBldrCtx->blockCount()); 1495 ProgramStateRef State = N->getState()->BindExpr(Ex, LCtx, result); 1496 1497 // Escape pointers passed into the list, unless it's an ObjC boxed 1498 // expression which is not a boxable C structure. 1499 if (!(isa<ObjCBoxedExpr>(Ex) && 1500 !cast<ObjCBoxedExpr>(Ex)->getSubExpr() 1501 ->getType()->isRecordType())) 1502 for (auto Child : Ex->children()) { 1503 assert(Child); 1504 SVal Val = State->getSVal(Child, LCtx); 1505 State = escapeValues(State, Val, PSK_EscapeOther); 1506 } 1507 1508 Bldr2.generateNode(S, N, State); 1509 } 1510 1511 getCheckerManager().runCheckersForPostStmt(Dst, Tmp, S, *this); 1512 Bldr.addNodes(Dst); 1513 break; 1514 } 1515 1516 case Stmt::ArraySubscriptExprClass: 1517 Bldr.takeNodes(Pred); 1518 VisitArraySubscriptExpr(cast<ArraySubscriptExpr>(S), Pred, Dst); 1519 Bldr.addNodes(Dst); 1520 break; 1521 1522 case Stmt::MatrixSubscriptExprClass: 1523 llvm_unreachable("Support for MatrixSubscriptExpr is not implemented."); 1524 break; 1525 1526 case Stmt::GCCAsmStmtClass: 1527 Bldr.takeNodes(Pred); 1528 VisitGCCAsmStmt(cast<GCCAsmStmt>(S), Pred, Dst); 1529 Bldr.addNodes(Dst); 1530 break; 1531 1532 case Stmt::MSAsmStmtClass: 1533 Bldr.takeNodes(Pred); 1534 VisitMSAsmStmt(cast<MSAsmStmt>(S), Pred, Dst); 1535 Bldr.addNodes(Dst); 1536 break; 1537 1538 case Stmt::BlockExprClass: 1539 Bldr.takeNodes(Pred); 1540 VisitBlockExpr(cast<BlockExpr>(S), Pred, Dst); 1541 Bldr.addNodes(Dst); 1542 break; 1543 1544 case Stmt::LambdaExprClass: 1545 if (AMgr.options.ShouldInlineLambdas) { 1546 Bldr.takeNodes(Pred); 1547 VisitLambdaExpr(cast<LambdaExpr>(S), Pred, Dst); 1548 Bldr.addNodes(Dst); 1549 } else { 1550 const ExplodedNode *node = Bldr.generateSink(S, Pred, Pred->getState()); 1551 Engine.addAbortedBlock(node, currBldrCtx->getBlock()); 1552 } 1553 break; 1554 1555 case Stmt::BinaryOperatorClass: { 1556 const auto *B = cast<BinaryOperator>(S); 1557 if (B->isLogicalOp()) { 1558 Bldr.takeNodes(Pred); 1559 VisitLogicalExpr(B, Pred, Dst); 1560 Bldr.addNodes(Dst); 1561 break; 1562 } 1563 else if (B->getOpcode() == BO_Comma) { 1564 ProgramStateRef state = Pred->getState(); 1565 Bldr.generateNode(B, Pred, 1566 state->BindExpr(B, Pred->getLocationContext(), 1567 state->getSVal(B->getRHS(), 1568 Pred->getLocationContext()))); 1569 break; 1570 } 1571 1572 Bldr.takeNodes(Pred); 1573 1574 if (AMgr.options.ShouldEagerlyAssume && 1575 (B->isRelationalOp() || B->isEqualityOp())) { 1576 ExplodedNodeSet Tmp; 1577 VisitBinaryOperator(cast<BinaryOperator>(S), Pred, Tmp); 1578 evalEagerlyAssumeBinOpBifurcation(Dst, Tmp, cast<Expr>(S)); 1579 } 1580 else 1581 VisitBinaryOperator(cast<BinaryOperator>(S), Pred, Dst); 1582 1583 Bldr.addNodes(Dst); 1584 break; 1585 } 1586 1587 case Stmt::CXXOperatorCallExprClass: { 1588 const auto *OCE = cast<CXXOperatorCallExpr>(S); 1589 1590 // For instance method operators, make sure the 'this' argument has a 1591 // valid region. 1592 const Decl *Callee = OCE->getCalleeDecl(); 1593 if (const auto *MD = dyn_cast_or_null<CXXMethodDecl>(Callee)) { 1594 if (MD->isInstance()) { 1595 ProgramStateRef State = Pred->getState(); 1596 const LocationContext *LCtx = Pred->getLocationContext(); 1597 ProgramStateRef NewState = 1598 createTemporaryRegionIfNeeded(State, LCtx, OCE->getArg(0)); 1599 if (NewState != State) { 1600 Pred = Bldr.generateNode(OCE, Pred, NewState, /*tag=*/nullptr, 1601 ProgramPoint::PreStmtKind); 1602 // Did we cache out? 1603 if (!Pred) 1604 break; 1605 } 1606 } 1607 } 1608 // FALLTHROUGH 1609 LLVM_FALLTHROUGH; 1610 } 1611 1612 case Stmt::CallExprClass: 1613 case Stmt::CXXMemberCallExprClass: 1614 case Stmt::UserDefinedLiteralClass: 1615 Bldr.takeNodes(Pred); 1616 VisitCallExpr(cast<CallExpr>(S), Pred, Dst); 1617 Bldr.addNodes(Dst); 1618 break; 1619 1620 case Stmt::CXXCatchStmtClass: 1621 Bldr.takeNodes(Pred); 1622 VisitCXXCatchStmt(cast<CXXCatchStmt>(S), Pred, Dst); 1623 Bldr.addNodes(Dst); 1624 break; 1625 1626 case Stmt::CXXTemporaryObjectExprClass: 1627 case Stmt::CXXConstructExprClass: 1628 Bldr.takeNodes(Pred); 1629 VisitCXXConstructExpr(cast<CXXConstructExpr>(S), Pred, Dst); 1630 Bldr.addNodes(Dst); 1631 break; 1632 1633 case Stmt::CXXInheritedCtorInitExprClass: 1634 Bldr.takeNodes(Pred); 1635 VisitCXXInheritedCtorInitExpr(cast<CXXInheritedCtorInitExpr>(S), Pred, 1636 Dst); 1637 Bldr.addNodes(Dst); 1638 break; 1639 1640 case Stmt::CXXNewExprClass: { 1641 Bldr.takeNodes(Pred); 1642 1643 ExplodedNodeSet PreVisit; 1644 getCheckerManager().runCheckersForPreStmt(PreVisit, Pred, S, *this); 1645 1646 ExplodedNodeSet PostVisit; 1647 for (const auto i : PreVisit) 1648 VisitCXXNewExpr(cast<CXXNewExpr>(S), i, PostVisit); 1649 1650 getCheckerManager().runCheckersForPostStmt(Dst, PostVisit, S, *this); 1651 Bldr.addNodes(Dst); 1652 break; 1653 } 1654 1655 case Stmt::CXXDeleteExprClass: { 1656 Bldr.takeNodes(Pred); 1657 ExplodedNodeSet PreVisit; 1658 const auto *CDE = cast<CXXDeleteExpr>(S); 1659 getCheckerManager().runCheckersForPreStmt(PreVisit, Pred, S, *this); 1660 ExplodedNodeSet PostVisit; 1661 getCheckerManager().runCheckersForPostStmt(PostVisit, PreVisit, S, *this); 1662 1663 for (const auto i : PostVisit) 1664 VisitCXXDeleteExpr(CDE, i, Dst); 1665 1666 Bldr.addNodes(Dst); 1667 break; 1668 } 1669 // FIXME: ChooseExpr is really a constant. We need to fix 1670 // the CFG do not model them as explicit control-flow. 1671 1672 case Stmt::ChooseExprClass: { // __builtin_choose_expr 1673 Bldr.takeNodes(Pred); 1674 const auto *C = cast<ChooseExpr>(S); 1675 VisitGuardedExpr(C, C->getLHS(), C->getRHS(), Pred, Dst); 1676 Bldr.addNodes(Dst); 1677 break; 1678 } 1679 1680 case Stmt::CompoundAssignOperatorClass: 1681 Bldr.takeNodes(Pred); 1682 VisitBinaryOperator(cast<BinaryOperator>(S), Pred, Dst); 1683 Bldr.addNodes(Dst); 1684 break; 1685 1686 case Stmt::CompoundLiteralExprClass: 1687 Bldr.takeNodes(Pred); 1688 VisitCompoundLiteralExpr(cast<CompoundLiteralExpr>(S), Pred, Dst); 1689 Bldr.addNodes(Dst); 1690 break; 1691 1692 case Stmt::BinaryConditionalOperatorClass: 1693 case Stmt::ConditionalOperatorClass: { // '?' operator 1694 Bldr.takeNodes(Pred); 1695 const auto *C = cast<AbstractConditionalOperator>(S); 1696 VisitGuardedExpr(C, C->getTrueExpr(), C->getFalseExpr(), Pred, Dst); 1697 Bldr.addNodes(Dst); 1698 break; 1699 } 1700 1701 case Stmt::CXXThisExprClass: 1702 Bldr.takeNodes(Pred); 1703 VisitCXXThisExpr(cast<CXXThisExpr>(S), Pred, Dst); 1704 Bldr.addNodes(Dst); 1705 break; 1706 1707 case Stmt::DeclRefExprClass: { 1708 Bldr.takeNodes(Pred); 1709 const auto *DE = cast<DeclRefExpr>(S); 1710 VisitCommonDeclRefExpr(DE, DE->getDecl(), Pred, Dst); 1711 Bldr.addNodes(Dst); 1712 break; 1713 } 1714 1715 case Stmt::DeclStmtClass: 1716 Bldr.takeNodes(Pred); 1717 VisitDeclStmt(cast<DeclStmt>(S), Pred, Dst); 1718 Bldr.addNodes(Dst); 1719 break; 1720 1721 case Stmt::ImplicitCastExprClass: 1722 case Stmt::CStyleCastExprClass: 1723 case Stmt::CXXStaticCastExprClass: 1724 case Stmt::CXXDynamicCastExprClass: 1725 case Stmt::CXXReinterpretCastExprClass: 1726 case Stmt::CXXConstCastExprClass: 1727 case Stmt::CXXFunctionalCastExprClass: 1728 case Stmt::BuiltinBitCastExprClass: 1729 case Stmt::ObjCBridgedCastExprClass: 1730 case Stmt::CXXAddrspaceCastExprClass: { 1731 Bldr.takeNodes(Pred); 1732 const auto *C = cast<CastExpr>(S); 1733 ExplodedNodeSet dstExpr; 1734 VisitCast(C, C->getSubExpr(), Pred, dstExpr); 1735 1736 // Handle the postvisit checks. 1737 getCheckerManager().runCheckersForPostStmt(Dst, dstExpr, C, *this); 1738 Bldr.addNodes(Dst); 1739 break; 1740 } 1741 1742 case Expr::MaterializeTemporaryExprClass: { 1743 Bldr.takeNodes(Pred); 1744 const auto *MTE = cast<MaterializeTemporaryExpr>(S); 1745 ExplodedNodeSet dstPrevisit; 1746 getCheckerManager().runCheckersForPreStmt(dstPrevisit, Pred, MTE, *this); 1747 ExplodedNodeSet dstExpr; 1748 for (const auto i : dstPrevisit) 1749 CreateCXXTemporaryObject(MTE, i, dstExpr); 1750 getCheckerManager().runCheckersForPostStmt(Dst, dstExpr, MTE, *this); 1751 Bldr.addNodes(Dst); 1752 break; 1753 } 1754 1755 case Stmt::InitListExprClass: 1756 Bldr.takeNodes(Pred); 1757 VisitInitListExpr(cast<InitListExpr>(S), Pred, Dst); 1758 Bldr.addNodes(Dst); 1759 break; 1760 1761 case Stmt::MemberExprClass: 1762 Bldr.takeNodes(Pred); 1763 VisitMemberExpr(cast<MemberExpr>(S), Pred, Dst); 1764 Bldr.addNodes(Dst); 1765 break; 1766 1767 case Stmt::AtomicExprClass: 1768 Bldr.takeNodes(Pred); 1769 VisitAtomicExpr(cast<AtomicExpr>(S), Pred, Dst); 1770 Bldr.addNodes(Dst); 1771 break; 1772 1773 case Stmt::ObjCIvarRefExprClass: 1774 Bldr.takeNodes(Pred); 1775 VisitLvalObjCIvarRefExpr(cast<ObjCIvarRefExpr>(S), Pred, Dst); 1776 Bldr.addNodes(Dst); 1777 break; 1778 1779 case Stmt::ObjCForCollectionStmtClass: 1780 Bldr.takeNodes(Pred); 1781 VisitObjCForCollectionStmt(cast<ObjCForCollectionStmt>(S), Pred, Dst); 1782 Bldr.addNodes(Dst); 1783 break; 1784 1785 case Stmt::ObjCMessageExprClass: 1786 Bldr.takeNodes(Pred); 1787 VisitObjCMessage(cast<ObjCMessageExpr>(S), Pred, Dst); 1788 Bldr.addNodes(Dst); 1789 break; 1790 1791 case Stmt::ObjCAtThrowStmtClass: 1792 case Stmt::CXXThrowExprClass: 1793 // FIXME: This is not complete. We basically treat @throw as 1794 // an abort. 1795 Bldr.generateSink(S, Pred, Pred->getState()); 1796 break; 1797 1798 case Stmt::ReturnStmtClass: 1799 Bldr.takeNodes(Pred); 1800 VisitReturnStmt(cast<ReturnStmt>(S), Pred, Dst); 1801 Bldr.addNodes(Dst); 1802 break; 1803 1804 case Stmt::OffsetOfExprClass: { 1805 Bldr.takeNodes(Pred); 1806 ExplodedNodeSet PreVisit; 1807 getCheckerManager().runCheckersForPreStmt(PreVisit, Pred, S, *this); 1808 1809 ExplodedNodeSet PostVisit; 1810 for (const auto Node : PreVisit) 1811 VisitOffsetOfExpr(cast<OffsetOfExpr>(S), Node, PostVisit); 1812 1813 getCheckerManager().runCheckersForPostStmt(Dst, PostVisit, S, *this); 1814 Bldr.addNodes(Dst); 1815 break; 1816 } 1817 1818 case Stmt::UnaryExprOrTypeTraitExprClass: 1819 Bldr.takeNodes(Pred); 1820 VisitUnaryExprOrTypeTraitExpr(cast<UnaryExprOrTypeTraitExpr>(S), 1821 Pred, Dst); 1822 Bldr.addNodes(Dst); 1823 break; 1824 1825 case Stmt::StmtExprClass: { 1826 const auto *SE = cast<StmtExpr>(S); 1827 1828 if (SE->getSubStmt()->body_empty()) { 1829 // Empty statement expression. 1830 assert(SE->getType() == getContext().VoidTy 1831 && "Empty statement expression must have void type."); 1832 break; 1833 } 1834 1835 if (const auto *LastExpr = 1836 dyn_cast<Expr>(*SE->getSubStmt()->body_rbegin())) { 1837 ProgramStateRef state = Pred->getState(); 1838 Bldr.generateNode(SE, Pred, 1839 state->BindExpr(SE, Pred->getLocationContext(), 1840 state->getSVal(LastExpr, 1841 Pred->getLocationContext()))); 1842 } 1843 break; 1844 } 1845 1846 case Stmt::UnaryOperatorClass: { 1847 Bldr.takeNodes(Pred); 1848 const auto *U = cast<UnaryOperator>(S); 1849 if (AMgr.options.ShouldEagerlyAssume && (U->getOpcode() == UO_LNot)) { 1850 ExplodedNodeSet Tmp; 1851 VisitUnaryOperator(U, Pred, Tmp); 1852 evalEagerlyAssumeBinOpBifurcation(Dst, Tmp, U); 1853 } 1854 else 1855 VisitUnaryOperator(U, Pred, Dst); 1856 Bldr.addNodes(Dst); 1857 break; 1858 } 1859 1860 case Stmt::PseudoObjectExprClass: { 1861 Bldr.takeNodes(Pred); 1862 ProgramStateRef state = Pred->getState(); 1863 const auto *PE = cast<PseudoObjectExpr>(S); 1864 if (const Expr *Result = PE->getResultExpr()) { 1865 SVal V = state->getSVal(Result, Pred->getLocationContext()); 1866 Bldr.generateNode(S, Pred, 1867 state->BindExpr(S, Pred->getLocationContext(), V)); 1868 } 1869 else 1870 Bldr.generateNode(S, Pred, 1871 state->BindExpr(S, Pred->getLocationContext(), 1872 UnknownVal())); 1873 1874 Bldr.addNodes(Dst); 1875 break; 1876 } 1877 1878 case Expr::ObjCIndirectCopyRestoreExprClass: { 1879 // ObjCIndirectCopyRestoreExpr implies passing a temporary for 1880 // correctness of lifetime management. Due to limited analysis 1881 // of ARC, this is implemented as direct arg passing. 1882 Bldr.takeNodes(Pred); 1883 ProgramStateRef state = Pred->getState(); 1884 const auto *OIE = cast<ObjCIndirectCopyRestoreExpr>(S); 1885 const Expr *E = OIE->getSubExpr(); 1886 SVal V = state->getSVal(E, Pred->getLocationContext()); 1887 Bldr.generateNode(S, Pred, 1888 state->BindExpr(S, Pred->getLocationContext(), V)); 1889 Bldr.addNodes(Dst); 1890 break; 1891 } 1892 } 1893 } 1894 1895 bool ExprEngine::replayWithoutInlining(ExplodedNode *N, 1896 const LocationContext *CalleeLC) { 1897 const StackFrameContext *CalleeSF = CalleeLC->getStackFrame(); 1898 const StackFrameContext *CallerSF = CalleeSF->getParent()->getStackFrame(); 1899 assert(CalleeSF && CallerSF); 1900 ExplodedNode *BeforeProcessingCall = nullptr; 1901 const Stmt *CE = CalleeSF->getCallSite(); 1902 1903 // Find the first node before we started processing the call expression. 1904 while (N) { 1905 ProgramPoint L = N->getLocation(); 1906 BeforeProcessingCall = N; 1907 N = N->pred_empty() ? nullptr : *(N->pred_begin()); 1908 1909 // Skip the nodes corresponding to the inlined code. 1910 if (L.getStackFrame() != CallerSF) 1911 continue; 1912 // We reached the caller. Find the node right before we started 1913 // processing the call. 1914 if (L.isPurgeKind()) 1915 continue; 1916 if (L.getAs<PreImplicitCall>()) 1917 continue; 1918 if (L.getAs<CallEnter>()) 1919 continue; 1920 if (Optional<StmtPoint> SP = L.getAs<StmtPoint>()) 1921 if (SP->getStmt() == CE) 1922 continue; 1923 break; 1924 } 1925 1926 if (!BeforeProcessingCall) 1927 return false; 1928 1929 // TODO: Clean up the unneeded nodes. 1930 1931 // Build an Epsilon node from which we will restart the analyzes. 1932 // Note that CE is permitted to be NULL! 1933 ProgramPoint NewNodeLoc = 1934 EpsilonPoint(BeforeProcessingCall->getLocationContext(), CE); 1935 // Add the special flag to GDM to signal retrying with no inlining. 1936 // Note, changing the state ensures that we are not going to cache out. 1937 ProgramStateRef NewNodeState = BeforeProcessingCall->getState(); 1938 NewNodeState = 1939 NewNodeState->set<ReplayWithoutInlining>(const_cast<Stmt *>(CE)); 1940 1941 // Make the new node a successor of BeforeProcessingCall. 1942 bool IsNew = false; 1943 ExplodedNode *NewNode = G.getNode(NewNodeLoc, NewNodeState, false, &IsNew); 1944 // We cached out at this point. Caching out is common due to us backtracking 1945 // from the inlined function, which might spawn several paths. 1946 if (!IsNew) 1947 return true; 1948 1949 NewNode->addPredecessor(BeforeProcessingCall, G); 1950 1951 // Add the new node to the work list. 1952 Engine.enqueueStmtNode(NewNode, CalleeSF->getCallSiteBlock(), 1953 CalleeSF->getIndex()); 1954 NumTimesRetriedWithoutInlining++; 1955 return true; 1956 } 1957 1958 /// Block entrance. (Update counters). 1959 void ExprEngine::processCFGBlockEntrance(const BlockEdge &L, 1960 NodeBuilderWithSinks &nodeBuilder, 1961 ExplodedNode *Pred) { 1962 PrettyStackTraceLocationContext CrashInfo(Pred->getLocationContext()); 1963 // If we reach a loop which has a known bound (and meets 1964 // other constraints) then consider completely unrolling it. 1965 if(AMgr.options.ShouldUnrollLoops) { 1966 unsigned maxBlockVisitOnPath = AMgr.options.maxBlockVisitOnPath; 1967 const Stmt *Term = nodeBuilder.getContext().getBlock()->getTerminatorStmt(); 1968 if (Term) { 1969 ProgramStateRef NewState = updateLoopStack(Term, AMgr.getASTContext(), 1970 Pred, maxBlockVisitOnPath); 1971 if (NewState != Pred->getState()) { 1972 ExplodedNode *UpdatedNode = nodeBuilder.generateNode(NewState, Pred); 1973 if (!UpdatedNode) 1974 return; 1975 Pred = UpdatedNode; 1976 } 1977 } 1978 // Is we are inside an unrolled loop then no need the check the counters. 1979 if(isUnrolledState(Pred->getState())) 1980 return; 1981 } 1982 1983 // If this block is terminated by a loop and it has already been visited the 1984 // maximum number of times, widen the loop. 1985 unsigned int BlockCount = nodeBuilder.getContext().blockCount(); 1986 if (BlockCount == AMgr.options.maxBlockVisitOnPath - 1 && 1987 AMgr.options.ShouldWidenLoops) { 1988 const Stmt *Term = nodeBuilder.getContext().getBlock()->getTerminatorStmt(); 1989 if (!(Term && 1990 (isa<ForStmt>(Term) || isa<WhileStmt>(Term) || isa<DoStmt>(Term)))) 1991 return; 1992 // Widen. 1993 const LocationContext *LCtx = Pred->getLocationContext(); 1994 ProgramStateRef WidenedState = 1995 getWidenedLoopState(Pred->getState(), LCtx, BlockCount, Term); 1996 nodeBuilder.generateNode(WidenedState, Pred); 1997 return; 1998 } 1999 2000 // FIXME: Refactor this into a checker. 2001 if (BlockCount >= AMgr.options.maxBlockVisitOnPath) { 2002 static SimpleProgramPointTag tag(TagProviderName, "Block count exceeded"); 2003 const ExplodedNode *Sink = 2004 nodeBuilder.generateSink(Pred->getState(), Pred, &tag); 2005 2006 // Check if we stopped at the top level function or not. 2007 // Root node should have the location context of the top most function. 2008 const LocationContext *CalleeLC = Pred->getLocation().getLocationContext(); 2009 const LocationContext *CalleeSF = CalleeLC->getStackFrame(); 2010 const LocationContext *RootLC = 2011 (*G.roots_begin())->getLocation().getLocationContext(); 2012 if (RootLC->getStackFrame() != CalleeSF) { 2013 Engine.FunctionSummaries->markReachedMaxBlockCount(CalleeSF->getDecl()); 2014 2015 // Re-run the call evaluation without inlining it, by storing the 2016 // no-inlining policy in the state and enqueuing the new work item on 2017 // the list. Replay should almost never fail. Use the stats to catch it 2018 // if it does. 2019 if ((!AMgr.options.NoRetryExhausted && 2020 replayWithoutInlining(Pred, CalleeLC))) 2021 return; 2022 NumMaxBlockCountReachedInInlined++; 2023 } else 2024 NumMaxBlockCountReached++; 2025 2026 // Make sink nodes as exhausted(for stats) only if retry failed. 2027 Engine.blocksExhausted.push_back(std::make_pair(L, Sink)); 2028 } 2029 } 2030 2031 //===----------------------------------------------------------------------===// 2032 // Branch processing. 2033 //===----------------------------------------------------------------------===// 2034 2035 /// RecoverCastedSymbol - A helper function for ProcessBranch that is used 2036 /// to try to recover some path-sensitivity for casts of symbolic 2037 /// integers that promote their values (which are currently not tracked well). 2038 /// This function returns the SVal bound to Condition->IgnoreCasts if all the 2039 // cast(s) did was sign-extend the original value. 2040 static SVal RecoverCastedSymbol(ProgramStateRef state, 2041 const Stmt *Condition, 2042 const LocationContext *LCtx, 2043 ASTContext &Ctx) { 2044 2045 const auto *Ex = dyn_cast<Expr>(Condition); 2046 if (!Ex) 2047 return UnknownVal(); 2048 2049 uint64_t bits = 0; 2050 bool bitsInit = false; 2051 2052 while (const auto *CE = dyn_cast<CastExpr>(Ex)) { 2053 QualType T = CE->getType(); 2054 2055 if (!T->isIntegralOrEnumerationType()) 2056 return UnknownVal(); 2057 2058 uint64_t newBits = Ctx.getTypeSize(T); 2059 if (!bitsInit || newBits < bits) { 2060 bitsInit = true; 2061 bits = newBits; 2062 } 2063 2064 Ex = CE->getSubExpr(); 2065 } 2066 2067 // We reached a non-cast. Is it a symbolic value? 2068 QualType T = Ex->getType(); 2069 2070 if (!bitsInit || !T->isIntegralOrEnumerationType() || 2071 Ctx.getTypeSize(T) > bits) 2072 return UnknownVal(); 2073 2074 return state->getSVal(Ex, LCtx); 2075 } 2076 2077 #ifndef NDEBUG 2078 static const Stmt *getRightmostLeaf(const Stmt *Condition) { 2079 while (Condition) { 2080 const auto *BO = dyn_cast<BinaryOperator>(Condition); 2081 if (!BO || !BO->isLogicalOp()) { 2082 return Condition; 2083 } 2084 Condition = BO->getRHS()->IgnoreParens(); 2085 } 2086 return nullptr; 2087 } 2088 #endif 2089 2090 // Returns the condition the branch at the end of 'B' depends on and whose value 2091 // has been evaluated within 'B'. 2092 // In most cases, the terminator condition of 'B' will be evaluated fully in 2093 // the last statement of 'B'; in those cases, the resolved condition is the 2094 // given 'Condition'. 2095 // If the condition of the branch is a logical binary operator tree, the CFG is 2096 // optimized: in that case, we know that the expression formed by all but the 2097 // rightmost leaf of the logical binary operator tree must be true, and thus 2098 // the branch condition is at this point equivalent to the truth value of that 2099 // rightmost leaf; the CFG block thus only evaluates this rightmost leaf 2100 // expression in its final statement. As the full condition in that case was 2101 // not evaluated, and is thus not in the SVal cache, we need to use that leaf 2102 // expression to evaluate the truth value of the condition in the current state 2103 // space. 2104 static const Stmt *ResolveCondition(const Stmt *Condition, 2105 const CFGBlock *B) { 2106 if (const auto *Ex = dyn_cast<Expr>(Condition)) 2107 Condition = Ex->IgnoreParens(); 2108 2109 const auto *BO = dyn_cast<BinaryOperator>(Condition); 2110 if (!BO || !BO->isLogicalOp()) 2111 return Condition; 2112 2113 assert(B->getTerminator().isStmtBranch() && 2114 "Other kinds of branches are handled separately!"); 2115 2116 // For logical operations, we still have the case where some branches 2117 // use the traditional "merge" approach and others sink the branch 2118 // directly into the basic blocks representing the logical operation. 2119 // We need to distinguish between those two cases here. 2120 2121 // The invariants are still shifting, but it is possible that the 2122 // last element in a CFGBlock is not a CFGStmt. Look for the last 2123 // CFGStmt as the value of the condition. 2124 CFGBlock::const_reverse_iterator I = B->rbegin(), E = B->rend(); 2125 for (; I != E; ++I) { 2126 CFGElement Elem = *I; 2127 Optional<CFGStmt> CS = Elem.getAs<CFGStmt>(); 2128 if (!CS) 2129 continue; 2130 const Stmt *LastStmt = CS->getStmt(); 2131 assert(LastStmt == Condition || LastStmt == getRightmostLeaf(Condition)); 2132 return LastStmt; 2133 } 2134 llvm_unreachable("could not resolve condition"); 2135 } 2136 2137 using ObjCForLctxPair = 2138 std::pair<const ObjCForCollectionStmt *, const LocationContext *>; 2139 2140 REGISTER_MAP_WITH_PROGRAMSTATE(ObjCForHasMoreIterations, ObjCForLctxPair, bool) 2141 2142 ProgramStateRef ExprEngine::setWhetherHasMoreIteration( 2143 ProgramStateRef State, const ObjCForCollectionStmt *O, 2144 const LocationContext *LC, bool HasMoreIteraton) { 2145 assert(!State->contains<ObjCForHasMoreIterations>({O, LC})); 2146 return State->set<ObjCForHasMoreIterations>({O, LC}, HasMoreIteraton); 2147 } 2148 2149 ProgramStateRef 2150 ExprEngine::removeIterationState(ProgramStateRef State, 2151 const ObjCForCollectionStmt *O, 2152 const LocationContext *LC) { 2153 assert(State->contains<ObjCForHasMoreIterations>({O, LC})); 2154 return State->remove<ObjCForHasMoreIterations>({O, LC}); 2155 } 2156 2157 bool ExprEngine::hasMoreIteration(ProgramStateRef State, 2158 const ObjCForCollectionStmt *O, 2159 const LocationContext *LC) { 2160 assert(State->contains<ObjCForHasMoreIterations>({O, LC})); 2161 return *State->get<ObjCForHasMoreIterations>({O, LC}); 2162 } 2163 2164 /// Split the state on whether there are any more iterations left for this loop. 2165 /// Returns a (HasMoreIteration, HasNoMoreIteration) pair, or None when the 2166 /// acquisition of the loop condition value failed. 2167 static Optional<std::pair<ProgramStateRef, ProgramStateRef>> 2168 assumeCondition(const Stmt *Condition, ExplodedNode *N) { 2169 ProgramStateRef State = N->getState(); 2170 if (const auto *ObjCFor = dyn_cast<ObjCForCollectionStmt>(Condition)) { 2171 bool HasMoreIteraton = 2172 ExprEngine::hasMoreIteration(State, ObjCFor, N->getLocationContext()); 2173 // Checkers have already ran on branch conditions, so the current 2174 // information as to whether the loop has more iteration becomes outdated 2175 // after this point. 2176 State = ExprEngine::removeIterationState(State, ObjCFor, 2177 N->getLocationContext()); 2178 if (HasMoreIteraton) 2179 return std::pair<ProgramStateRef, ProgramStateRef>{State, nullptr}; 2180 else 2181 return std::pair<ProgramStateRef, ProgramStateRef>{nullptr, State}; 2182 } 2183 SVal X = State->getSVal(Condition, N->getLocationContext()); 2184 2185 if (X.isUnknownOrUndef()) { 2186 // Give it a chance to recover from unknown. 2187 if (const auto *Ex = dyn_cast<Expr>(Condition)) { 2188 if (Ex->getType()->isIntegralOrEnumerationType()) { 2189 // Try to recover some path-sensitivity. Right now casts of symbolic 2190 // integers that promote their values are currently not tracked well. 2191 // If 'Condition' is such an expression, try and recover the 2192 // underlying value and use that instead. 2193 SVal recovered = 2194 RecoverCastedSymbol(State, Condition, N->getLocationContext(), 2195 N->getState()->getStateManager().getContext()); 2196 2197 if (!recovered.isUnknown()) { 2198 X = recovered; 2199 } 2200 } 2201 } 2202 } 2203 2204 // If the condition is still unknown, give up. 2205 if (X.isUnknownOrUndef()) 2206 return None; 2207 2208 DefinedSVal V = X.castAs<DefinedSVal>(); 2209 2210 ProgramStateRef StTrue, StFalse; 2211 return State->assume(V); 2212 } 2213 2214 void ExprEngine::processBranch(const Stmt *Condition, 2215 NodeBuilderContext& BldCtx, 2216 ExplodedNode *Pred, 2217 ExplodedNodeSet &Dst, 2218 const CFGBlock *DstT, 2219 const CFGBlock *DstF) { 2220 assert((!Condition || !isa<CXXBindTemporaryExpr>(Condition)) && 2221 "CXXBindTemporaryExprs are handled by processBindTemporary."); 2222 const LocationContext *LCtx = Pred->getLocationContext(); 2223 PrettyStackTraceLocationContext StackCrashInfo(LCtx); 2224 currBldrCtx = &BldCtx; 2225 2226 // Check for NULL conditions; e.g. "for(;;)" 2227 if (!Condition) { 2228 BranchNodeBuilder NullCondBldr(Pred, Dst, BldCtx, DstT, DstF); 2229 NullCondBldr.markInfeasible(false); 2230 NullCondBldr.generateNode(Pred->getState(), true, Pred); 2231 return; 2232 } 2233 2234 if (const auto *Ex = dyn_cast<Expr>(Condition)) 2235 Condition = Ex->IgnoreParens(); 2236 2237 Condition = ResolveCondition(Condition, BldCtx.getBlock()); 2238 PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), 2239 Condition->getBeginLoc(), 2240 "Error evaluating branch"); 2241 2242 ExplodedNodeSet CheckersOutSet; 2243 getCheckerManager().runCheckersForBranchCondition(Condition, CheckersOutSet, 2244 Pred, *this); 2245 // We generated only sinks. 2246 if (CheckersOutSet.empty()) 2247 return; 2248 2249 BranchNodeBuilder builder(CheckersOutSet, Dst, BldCtx, DstT, DstF); 2250 for (ExplodedNode *PredN : CheckersOutSet) { 2251 if (PredN->isSink()) 2252 continue; 2253 2254 ProgramStateRef PrevState = PredN->getState(); 2255 2256 ProgramStateRef StTrue, StFalse; 2257 if (const auto KnownCondValueAssumption = assumeCondition(Condition, PredN)) 2258 std::tie(StTrue, StFalse) = *KnownCondValueAssumption; 2259 else { 2260 assert(!isa<ObjCForCollectionStmt>(Condition)); 2261 builder.generateNode(PrevState, true, PredN); 2262 builder.generateNode(PrevState, false, PredN); 2263 continue; 2264 } 2265 if (StTrue && StFalse) 2266 assert(!isa<ObjCForCollectionStmt>(Condition));; 2267 2268 // Process the true branch. 2269 if (builder.isFeasible(true)) { 2270 if (StTrue) 2271 builder.generateNode(StTrue, true, PredN); 2272 else 2273 builder.markInfeasible(true); 2274 } 2275 2276 // Process the false branch. 2277 if (builder.isFeasible(false)) { 2278 if (StFalse) 2279 builder.generateNode(StFalse, false, PredN); 2280 else 2281 builder.markInfeasible(false); 2282 } 2283 } 2284 currBldrCtx = nullptr; 2285 } 2286 2287 /// The GDM component containing the set of global variables which have been 2288 /// previously initialized with explicit initializers. 2289 REGISTER_TRAIT_WITH_PROGRAMSTATE(InitializedGlobalsSet, 2290 llvm::ImmutableSet<const VarDecl *>) 2291 2292 void ExprEngine::processStaticInitializer(const DeclStmt *DS, 2293 NodeBuilderContext &BuilderCtx, 2294 ExplodedNode *Pred, 2295 ExplodedNodeSet &Dst, 2296 const CFGBlock *DstT, 2297 const CFGBlock *DstF) { 2298 PrettyStackTraceLocationContext CrashInfo(Pred->getLocationContext()); 2299 currBldrCtx = &BuilderCtx; 2300 2301 const auto *VD = cast<VarDecl>(DS->getSingleDecl()); 2302 ProgramStateRef state = Pred->getState(); 2303 bool initHasRun = state->contains<InitializedGlobalsSet>(VD); 2304 BranchNodeBuilder builder(Pred, Dst, BuilderCtx, DstT, DstF); 2305 2306 if (!initHasRun) { 2307 state = state->add<InitializedGlobalsSet>(VD); 2308 } 2309 2310 builder.generateNode(state, initHasRun, Pred); 2311 builder.markInfeasible(!initHasRun); 2312 2313 currBldrCtx = nullptr; 2314 } 2315 2316 /// processIndirectGoto - Called by CoreEngine. Used to generate successor 2317 /// nodes by processing the 'effects' of a computed goto jump. 2318 void ExprEngine::processIndirectGoto(IndirectGotoNodeBuilder &builder) { 2319 ProgramStateRef state = builder.getState(); 2320 SVal V = state->getSVal(builder.getTarget(), builder.getLocationContext()); 2321 2322 // Three possibilities: 2323 // 2324 // (1) We know the computed label. 2325 // (2) The label is NULL (or some other constant), or Undefined. 2326 // (3) We have no clue about the label. Dispatch to all targets. 2327 // 2328 2329 using iterator = IndirectGotoNodeBuilder::iterator; 2330 2331 if (Optional<loc::GotoLabel> LV = V.getAs<loc::GotoLabel>()) { 2332 const LabelDecl *L = LV->getLabel(); 2333 2334 for (iterator I = builder.begin(), E = builder.end(); I != E; ++I) { 2335 if (I.getLabel() == L) { 2336 builder.generateNode(I, state); 2337 return; 2338 } 2339 } 2340 2341 llvm_unreachable("No block with label."); 2342 } 2343 2344 if (V.getAs<loc::ConcreteInt>() || V.getAs<UndefinedVal>()) { 2345 // Dispatch to the first target and mark it as a sink. 2346 //ExplodedNode* N = builder.generateNode(builder.begin(), state, true); 2347 // FIXME: add checker visit. 2348 // UndefBranches.insert(N); 2349 return; 2350 } 2351 2352 // This is really a catch-all. We don't support symbolics yet. 2353 // FIXME: Implement dispatch for symbolic pointers. 2354 2355 for (iterator I = builder.begin(), E = builder.end(); I != E; ++I) 2356 builder.generateNode(I, state); 2357 } 2358 2359 void ExprEngine::processBeginOfFunction(NodeBuilderContext &BC, 2360 ExplodedNode *Pred, 2361 ExplodedNodeSet &Dst, 2362 const BlockEdge &L) { 2363 SaveAndRestore<const NodeBuilderContext *> NodeContextRAII(currBldrCtx, &BC); 2364 getCheckerManager().runCheckersForBeginFunction(Dst, L, Pred, *this); 2365 } 2366 2367 /// ProcessEndPath - Called by CoreEngine. Used to generate end-of-path 2368 /// nodes when the control reaches the end of a function. 2369 void ExprEngine::processEndOfFunction(NodeBuilderContext& BC, 2370 ExplodedNode *Pred, 2371 const ReturnStmt *RS) { 2372 ProgramStateRef State = Pred->getState(); 2373 2374 if (!Pred->getStackFrame()->inTopFrame()) 2375 State = finishArgumentConstruction( 2376 State, *getStateManager().getCallEventManager().getCaller( 2377 Pred->getStackFrame(), Pred->getState())); 2378 2379 // FIXME: We currently cannot assert that temporaries are clear, because 2380 // lifetime extended temporaries are not always modelled correctly. In some 2381 // cases when we materialize the temporary, we do 2382 // createTemporaryRegionIfNeeded(), and the region changes, and also the 2383 // respective destructor becomes automatic from temporary. So for now clean up 2384 // the state manually before asserting. Ideally, this braced block of code 2385 // should go away. 2386 { 2387 const LocationContext *FromLC = Pred->getLocationContext(); 2388 const LocationContext *ToLC = FromLC->getStackFrame()->getParent(); 2389 const LocationContext *LC = FromLC; 2390 while (LC != ToLC) { 2391 assert(LC && "ToLC must be a parent of FromLC!"); 2392 for (auto I : State->get<ObjectsUnderConstruction>()) 2393 if (I.first.getLocationContext() == LC) { 2394 // The comment above only pardons us for not cleaning up a 2395 // temporary destructor. If any other statements are found here, 2396 // it must be a separate problem. 2397 assert(I.first.getItem().getKind() == 2398 ConstructionContextItem::TemporaryDestructorKind || 2399 I.first.getItem().getKind() == 2400 ConstructionContextItem::ElidedDestructorKind); 2401 State = State->remove<ObjectsUnderConstruction>(I.first); 2402 } 2403 LC = LC->getParent(); 2404 } 2405 } 2406 2407 // Perform the transition with cleanups. 2408 if (State != Pred->getState()) { 2409 ExplodedNodeSet PostCleanup; 2410 NodeBuilder Bldr(Pred, PostCleanup, BC); 2411 Pred = Bldr.generateNode(Pred->getLocation(), State, Pred); 2412 if (!Pred) { 2413 // The node with clean temporaries already exists. We might have reached 2414 // it on a path on which we initialize different temporaries. 2415 return; 2416 } 2417 } 2418 2419 assert(areAllObjectsFullyConstructed(Pred->getState(), 2420 Pred->getLocationContext(), 2421 Pred->getStackFrame()->getParent())); 2422 2423 PrettyStackTraceLocationContext CrashInfo(Pred->getLocationContext()); 2424 2425 ExplodedNodeSet Dst; 2426 if (Pred->getLocationContext()->inTopFrame()) { 2427 // Remove dead symbols. 2428 ExplodedNodeSet AfterRemovedDead; 2429 removeDeadOnEndOfFunction(BC, Pred, AfterRemovedDead); 2430 2431 // Notify checkers. 2432 for (const auto I : AfterRemovedDead) 2433 getCheckerManager().runCheckersForEndFunction(BC, Dst, I, *this, RS); 2434 } else { 2435 getCheckerManager().runCheckersForEndFunction(BC, Dst, Pred, *this, RS); 2436 } 2437 2438 Engine.enqueueEndOfFunction(Dst, RS); 2439 } 2440 2441 /// ProcessSwitch - Called by CoreEngine. Used to generate successor 2442 /// nodes by processing the 'effects' of a switch statement. 2443 void ExprEngine::processSwitch(SwitchNodeBuilder& builder) { 2444 using iterator = SwitchNodeBuilder::iterator; 2445 2446 ProgramStateRef state = builder.getState(); 2447 const Expr *CondE = builder.getCondition(); 2448 SVal CondV_untested = state->getSVal(CondE, builder.getLocationContext()); 2449 2450 if (CondV_untested.isUndef()) { 2451 //ExplodedNode* N = builder.generateDefaultCaseNode(state, true); 2452 // FIXME: add checker 2453 //UndefBranches.insert(N); 2454 2455 return; 2456 } 2457 DefinedOrUnknownSVal CondV = CondV_untested.castAs<DefinedOrUnknownSVal>(); 2458 2459 ProgramStateRef DefaultSt = state; 2460 2461 iterator I = builder.begin(), EI = builder.end(); 2462 bool defaultIsFeasible = I == EI; 2463 2464 for ( ; I != EI; ++I) { 2465 // Successor may be pruned out during CFG construction. 2466 if (!I.getBlock()) 2467 continue; 2468 2469 const CaseStmt *Case = I.getCase(); 2470 2471 // Evaluate the LHS of the case value. 2472 llvm::APSInt V1 = Case->getLHS()->EvaluateKnownConstInt(getContext()); 2473 assert(V1.getBitWidth() == getContext().getIntWidth(CondE->getType())); 2474 2475 // Get the RHS of the case, if it exists. 2476 llvm::APSInt V2; 2477 if (const Expr *E = Case->getRHS()) 2478 V2 = E->EvaluateKnownConstInt(getContext()); 2479 else 2480 V2 = V1; 2481 2482 ProgramStateRef StateCase; 2483 if (Optional<NonLoc> NL = CondV.getAs<NonLoc>()) 2484 std::tie(StateCase, DefaultSt) = 2485 DefaultSt->assumeInclusiveRange(*NL, V1, V2); 2486 else // UnknownVal 2487 StateCase = DefaultSt; 2488 2489 if (StateCase) 2490 builder.generateCaseStmtNode(I, StateCase); 2491 2492 // Now "assume" that the case doesn't match. Add this state 2493 // to the default state (if it is feasible). 2494 if (DefaultSt) 2495 defaultIsFeasible = true; 2496 else { 2497 defaultIsFeasible = false; 2498 break; 2499 } 2500 } 2501 2502 if (!defaultIsFeasible) 2503 return; 2504 2505 // If we have switch(enum value), the default branch is not 2506 // feasible if all of the enum constants not covered by 'case:' statements 2507 // are not feasible values for the switch condition. 2508 // 2509 // Note that this isn't as accurate as it could be. Even if there isn't 2510 // a case for a particular enum value as long as that enum value isn't 2511 // feasible then it shouldn't be considered for making 'default:' reachable. 2512 const SwitchStmt *SS = builder.getSwitch(); 2513 const Expr *CondExpr = SS->getCond()->IgnoreParenImpCasts(); 2514 if (CondExpr->getType()->getAs<EnumType>()) { 2515 if (SS->isAllEnumCasesCovered()) 2516 return; 2517 } 2518 2519 builder.generateDefaultCaseNode(DefaultSt); 2520 } 2521 2522 //===----------------------------------------------------------------------===// 2523 // Transfer functions: Loads and stores. 2524 //===----------------------------------------------------------------------===// 2525 2526 void ExprEngine::VisitCommonDeclRefExpr(const Expr *Ex, const NamedDecl *D, 2527 ExplodedNode *Pred, 2528 ExplodedNodeSet &Dst) { 2529 StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); 2530 2531 ProgramStateRef state = Pred->getState(); 2532 const LocationContext *LCtx = Pred->getLocationContext(); 2533 2534 if (const auto *VD = dyn_cast<VarDecl>(D)) { 2535 // C permits "extern void v", and if you cast the address to a valid type, 2536 // you can even do things with it. We simply pretend 2537 assert(Ex->isGLValue() || VD->getType()->isVoidType()); 2538 const LocationContext *LocCtxt = Pred->getLocationContext(); 2539 const Decl *D = LocCtxt->getDecl(); 2540 const auto *MD = dyn_cast_or_null<CXXMethodDecl>(D); 2541 const auto *DeclRefEx = dyn_cast<DeclRefExpr>(Ex); 2542 Optional<std::pair<SVal, QualType>> VInfo; 2543 2544 if (AMgr.options.ShouldInlineLambdas && DeclRefEx && 2545 DeclRefEx->refersToEnclosingVariableOrCapture() && MD && 2546 MD->getParent()->isLambda()) { 2547 // Lookup the field of the lambda. 2548 const CXXRecordDecl *CXXRec = MD->getParent(); 2549 llvm::DenseMap<const VarDecl *, FieldDecl *> LambdaCaptureFields; 2550 FieldDecl *LambdaThisCaptureField; 2551 CXXRec->getCaptureFields(LambdaCaptureFields, LambdaThisCaptureField); 2552 2553 // Sema follows a sequence of complex rules to determine whether the 2554 // variable should be captured. 2555 if (const FieldDecl *FD = LambdaCaptureFields[VD]) { 2556 Loc CXXThis = 2557 svalBuilder.getCXXThis(MD, LocCtxt->getStackFrame()); 2558 SVal CXXThisVal = state->getSVal(CXXThis); 2559 VInfo = std::make_pair(state->getLValue(FD, CXXThisVal), FD->getType()); 2560 } 2561 } 2562 2563 if (!VInfo) 2564 VInfo = std::make_pair(state->getLValue(VD, LocCtxt), VD->getType()); 2565 2566 SVal V = VInfo->first; 2567 bool IsReference = VInfo->second->isReferenceType(); 2568 2569 // For references, the 'lvalue' is the pointer address stored in the 2570 // reference region. 2571 if (IsReference) { 2572 if (const MemRegion *R = V.getAsRegion()) 2573 V = state->getSVal(R); 2574 else 2575 V = UnknownVal(); 2576 } 2577 2578 Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr, 2579 ProgramPoint::PostLValueKind); 2580 return; 2581 } 2582 if (const auto *ED = dyn_cast<EnumConstantDecl>(D)) { 2583 assert(!Ex->isGLValue()); 2584 SVal V = svalBuilder.makeIntVal(ED->getInitVal()); 2585 Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V)); 2586 return; 2587 } 2588 if (const auto *FD = dyn_cast<FunctionDecl>(D)) { 2589 SVal V = svalBuilder.getFunctionPointer(FD); 2590 Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr, 2591 ProgramPoint::PostLValueKind); 2592 return; 2593 } 2594 if (isa<FieldDecl>(D) || isa<IndirectFieldDecl>(D)) { 2595 // Delegate all work related to pointer to members to the surrounding 2596 // operator&. 2597 return; 2598 } 2599 if (isa<BindingDecl>(D)) { 2600 // FIXME: proper support for bound declarations. 2601 // For now, let's just prevent crashing. 2602 return; 2603 } 2604 2605 llvm_unreachable("Support for this Decl not implemented."); 2606 } 2607 2608 /// VisitArraySubscriptExpr - Transfer function for array accesses 2609 void ExprEngine::VisitArraySubscriptExpr(const ArraySubscriptExpr *A, 2610 ExplodedNode *Pred, 2611 ExplodedNodeSet &Dst){ 2612 const Expr *Base = A->getBase()->IgnoreParens(); 2613 const Expr *Idx = A->getIdx()->IgnoreParens(); 2614 2615 ExplodedNodeSet CheckerPreStmt; 2616 getCheckerManager().runCheckersForPreStmt(CheckerPreStmt, Pred, A, *this); 2617 2618 ExplodedNodeSet EvalSet; 2619 StmtNodeBuilder Bldr(CheckerPreStmt, EvalSet, *currBldrCtx); 2620 2621 bool IsVectorType = A->getBase()->getType()->isVectorType(); 2622 2623 // The "like" case is for situations where C standard prohibits the type to 2624 // be an lvalue, e.g. taking the address of a subscript of an expression of 2625 // type "void *". 2626 bool IsGLValueLike = A->isGLValue() || 2627 (A->getType().isCForbiddenLValueType() && !AMgr.getLangOpts().CPlusPlus); 2628 2629 for (auto *Node : CheckerPreStmt) { 2630 const LocationContext *LCtx = Node->getLocationContext(); 2631 ProgramStateRef state = Node->getState(); 2632 2633 if (IsGLValueLike) { 2634 QualType T = A->getType(); 2635 2636 // One of the forbidden LValue types! We still need to have sensible 2637 // symbolic locations to represent this stuff. Note that arithmetic on 2638 // void pointers is a GCC extension. 2639 if (T->isVoidType()) 2640 T = getContext().CharTy; 2641 2642 SVal V = state->getLValue(T, 2643 state->getSVal(Idx, LCtx), 2644 state->getSVal(Base, LCtx)); 2645 Bldr.generateNode(A, Node, state->BindExpr(A, LCtx, V), nullptr, 2646 ProgramPoint::PostLValueKind); 2647 } else if (IsVectorType) { 2648 // FIXME: non-glvalue vector reads are not modelled. 2649 Bldr.generateNode(A, Node, state, nullptr); 2650 } else { 2651 llvm_unreachable("Array subscript should be an lValue when not \ 2652 a vector and not a forbidden lvalue type"); 2653 } 2654 } 2655 2656 getCheckerManager().runCheckersForPostStmt(Dst, EvalSet, A, *this); 2657 } 2658 2659 /// VisitMemberExpr - Transfer function for member expressions. 2660 void ExprEngine::VisitMemberExpr(const MemberExpr *M, ExplodedNode *Pred, 2661 ExplodedNodeSet &Dst) { 2662 // FIXME: Prechecks eventually go in ::Visit(). 2663 ExplodedNodeSet CheckedSet; 2664 getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, M, *this); 2665 2666 ExplodedNodeSet EvalSet; 2667 ValueDecl *Member = M->getMemberDecl(); 2668 2669 // Handle static member variables and enum constants accessed via 2670 // member syntax. 2671 if (isa<VarDecl>(Member) || isa<EnumConstantDecl>(Member)) { 2672 for (const auto I : CheckedSet) 2673 VisitCommonDeclRefExpr(M, Member, I, EvalSet); 2674 } else { 2675 StmtNodeBuilder Bldr(CheckedSet, EvalSet, *currBldrCtx); 2676 ExplodedNodeSet Tmp; 2677 2678 for (const auto I : CheckedSet) { 2679 ProgramStateRef state = I->getState(); 2680 const LocationContext *LCtx = I->getLocationContext(); 2681 Expr *BaseExpr = M->getBase(); 2682 2683 // Handle C++ method calls. 2684 if (const auto *MD = dyn_cast<CXXMethodDecl>(Member)) { 2685 if (MD->isInstance()) 2686 state = createTemporaryRegionIfNeeded(state, LCtx, BaseExpr); 2687 2688 SVal MDVal = svalBuilder.getFunctionPointer(MD); 2689 state = state->BindExpr(M, LCtx, MDVal); 2690 2691 Bldr.generateNode(M, I, state); 2692 continue; 2693 } 2694 2695 // Handle regular struct fields / member variables. 2696 const SubRegion *MR = nullptr; 2697 state = createTemporaryRegionIfNeeded(state, LCtx, BaseExpr, 2698 /*Result=*/nullptr, 2699 /*OutRegionWithAdjustments=*/&MR); 2700 SVal baseExprVal = 2701 MR ? loc::MemRegionVal(MR) : state->getSVal(BaseExpr, LCtx); 2702 2703 const auto *field = cast<FieldDecl>(Member); 2704 SVal L = state->getLValue(field, baseExprVal); 2705 2706 if (M->isGLValue() || M->getType()->isArrayType()) { 2707 // We special-case rvalues of array type because the analyzer cannot 2708 // reason about them, since we expect all regions to be wrapped in Locs. 2709 // We instead treat these as lvalues and assume that they will decay to 2710 // pointers as soon as they are used. 2711 if (!M->isGLValue()) { 2712 assert(M->getType()->isArrayType()); 2713 const auto *PE = 2714 dyn_cast<ImplicitCastExpr>(I->getParentMap().getParentIgnoreParens(M)); 2715 if (!PE || PE->getCastKind() != CK_ArrayToPointerDecay) { 2716 llvm_unreachable("should always be wrapped in ArrayToPointerDecay"); 2717 } 2718 } 2719 2720 if (field->getType()->isReferenceType()) { 2721 if (const MemRegion *R = L.getAsRegion()) 2722 L = state->getSVal(R); 2723 else 2724 L = UnknownVal(); 2725 } 2726 2727 Bldr.generateNode(M, I, state->BindExpr(M, LCtx, L), nullptr, 2728 ProgramPoint::PostLValueKind); 2729 } else { 2730 Bldr.takeNodes(I); 2731 evalLoad(Tmp, M, M, I, state, L); 2732 Bldr.addNodes(Tmp); 2733 } 2734 } 2735 } 2736 2737 getCheckerManager().runCheckersForPostStmt(Dst, EvalSet, M, *this); 2738 } 2739 2740 void ExprEngine::VisitAtomicExpr(const AtomicExpr *AE, ExplodedNode *Pred, 2741 ExplodedNodeSet &Dst) { 2742 ExplodedNodeSet AfterPreSet; 2743 getCheckerManager().runCheckersForPreStmt(AfterPreSet, Pred, AE, *this); 2744 2745 // For now, treat all the arguments to C11 atomics as escaping. 2746 // FIXME: Ideally we should model the behavior of the atomics precisely here. 2747 2748 ExplodedNodeSet AfterInvalidateSet; 2749 StmtNodeBuilder Bldr(AfterPreSet, AfterInvalidateSet, *currBldrCtx); 2750 2751 for (const auto I : AfterPreSet) { 2752 ProgramStateRef State = I->getState(); 2753 const LocationContext *LCtx = I->getLocationContext(); 2754 2755 SmallVector<SVal, 8> ValuesToInvalidate; 2756 for (unsigned SI = 0, Count = AE->getNumSubExprs(); SI != Count; SI++) { 2757 const Expr *SubExpr = AE->getSubExprs()[SI]; 2758 SVal SubExprVal = State->getSVal(SubExpr, LCtx); 2759 ValuesToInvalidate.push_back(SubExprVal); 2760 } 2761 2762 State = State->invalidateRegions(ValuesToInvalidate, AE, 2763 currBldrCtx->blockCount(), 2764 LCtx, 2765 /*CausedByPointerEscape*/true, 2766 /*Symbols=*/nullptr); 2767 2768 SVal ResultVal = UnknownVal(); 2769 State = State->BindExpr(AE, LCtx, ResultVal); 2770 Bldr.generateNode(AE, I, State, nullptr, 2771 ProgramPoint::PostStmtKind); 2772 } 2773 2774 getCheckerManager().runCheckersForPostStmt(Dst, AfterInvalidateSet, AE, *this); 2775 } 2776 2777 // A value escapes in four possible cases: 2778 // (1) We are binding to something that is not a memory region. 2779 // (2) We are binding to a MemRegion that does not have stack storage. 2780 // (3) We are binding to a top-level parameter region with a non-trivial 2781 // destructor. We won't see the destructor during analysis, but it's there. 2782 // (4) We are binding to a MemRegion with stack storage that the store 2783 // does not understand. 2784 ProgramStateRef ExprEngine::processPointerEscapedOnBind( 2785 ProgramStateRef State, ArrayRef<std::pair<SVal, SVal>> LocAndVals, 2786 const LocationContext *LCtx, PointerEscapeKind Kind, 2787 const CallEvent *Call) { 2788 SmallVector<SVal, 8> Escaped; 2789 for (const std::pair<SVal, SVal> &LocAndVal : LocAndVals) { 2790 // Cases (1) and (2). 2791 const MemRegion *MR = LocAndVal.first.getAsRegion(); 2792 if (!MR || !MR->hasStackStorage()) { 2793 Escaped.push_back(LocAndVal.second); 2794 continue; 2795 } 2796 2797 // Case (3). 2798 if (const auto *VR = dyn_cast<VarRegion>(MR->getBaseRegion())) 2799 if (VR->hasStackParametersStorage() && VR->getStackFrame()->inTopFrame()) 2800 if (const auto *RD = VR->getValueType()->getAsCXXRecordDecl()) 2801 if (!RD->hasTrivialDestructor()) { 2802 Escaped.push_back(LocAndVal.second); 2803 continue; 2804 } 2805 2806 // Case (4): in order to test that, generate a new state with the binding 2807 // added. If it is the same state, then it escapes (since the store cannot 2808 // represent the binding). 2809 // Do this only if we know that the store is not supposed to generate the 2810 // same state. 2811 SVal StoredVal = State->getSVal(MR); 2812 if (StoredVal != LocAndVal.second) 2813 if (State == 2814 (State->bindLoc(loc::MemRegionVal(MR), LocAndVal.second, LCtx))) 2815 Escaped.push_back(LocAndVal.second); 2816 } 2817 2818 if (Escaped.empty()) 2819 return State; 2820 2821 return escapeValues(State, Escaped, Kind, Call); 2822 } 2823 2824 ProgramStateRef 2825 ExprEngine::processPointerEscapedOnBind(ProgramStateRef State, SVal Loc, 2826 SVal Val, const LocationContext *LCtx) { 2827 std::pair<SVal, SVal> LocAndVal(Loc, Val); 2828 return processPointerEscapedOnBind(State, LocAndVal, LCtx, PSK_EscapeOnBind, 2829 nullptr); 2830 } 2831 2832 ProgramStateRef 2833 ExprEngine::notifyCheckersOfPointerEscape(ProgramStateRef State, 2834 const InvalidatedSymbols *Invalidated, 2835 ArrayRef<const MemRegion *> ExplicitRegions, 2836 const CallEvent *Call, 2837 RegionAndSymbolInvalidationTraits &ITraits) { 2838 if (!Invalidated || Invalidated->empty()) 2839 return State; 2840 2841 if (!Call) 2842 return getCheckerManager().runCheckersForPointerEscape(State, 2843 *Invalidated, 2844 nullptr, 2845 PSK_EscapeOther, 2846 &ITraits); 2847 2848 // If the symbols were invalidated by a call, we want to find out which ones 2849 // were invalidated directly due to being arguments to the call. 2850 InvalidatedSymbols SymbolsDirectlyInvalidated; 2851 for (const auto I : ExplicitRegions) { 2852 if (const SymbolicRegion *R = I->StripCasts()->getAs<SymbolicRegion>()) 2853 SymbolsDirectlyInvalidated.insert(R->getSymbol()); 2854 } 2855 2856 InvalidatedSymbols SymbolsIndirectlyInvalidated; 2857 for (const auto &sym : *Invalidated) { 2858 if (SymbolsDirectlyInvalidated.count(sym)) 2859 continue; 2860 SymbolsIndirectlyInvalidated.insert(sym); 2861 } 2862 2863 if (!SymbolsDirectlyInvalidated.empty()) 2864 State = getCheckerManager().runCheckersForPointerEscape(State, 2865 SymbolsDirectlyInvalidated, Call, PSK_DirectEscapeOnCall, &ITraits); 2866 2867 // Notify about the symbols that get indirectly invalidated by the call. 2868 if (!SymbolsIndirectlyInvalidated.empty()) 2869 State = getCheckerManager().runCheckersForPointerEscape(State, 2870 SymbolsIndirectlyInvalidated, Call, PSK_IndirectEscapeOnCall, &ITraits); 2871 2872 return State; 2873 } 2874 2875 /// evalBind - Handle the semantics of binding a value to a specific location. 2876 /// This method is used by evalStore and (soon) VisitDeclStmt, and others. 2877 void ExprEngine::evalBind(ExplodedNodeSet &Dst, const Stmt *StoreE, 2878 ExplodedNode *Pred, 2879 SVal location, SVal Val, 2880 bool atDeclInit, const ProgramPoint *PP) { 2881 const LocationContext *LC = Pred->getLocationContext(); 2882 PostStmt PS(StoreE, LC); 2883 if (!PP) 2884 PP = &PS; 2885 2886 // Do a previsit of the bind. 2887 ExplodedNodeSet CheckedSet; 2888 getCheckerManager().runCheckersForBind(CheckedSet, Pred, location, Val, 2889 StoreE, *this, *PP); 2890 2891 StmtNodeBuilder Bldr(CheckedSet, Dst, *currBldrCtx); 2892 2893 // If the location is not a 'Loc', it will already be handled by 2894 // the checkers. There is nothing left to do. 2895 if (!location.getAs<Loc>()) { 2896 const ProgramPoint L = PostStore(StoreE, LC, /*Loc*/nullptr, 2897 /*tag*/nullptr); 2898 ProgramStateRef state = Pred->getState(); 2899 state = processPointerEscapedOnBind(state, location, Val, LC); 2900 Bldr.generateNode(L, state, Pred); 2901 return; 2902 } 2903 2904 for (const auto PredI : CheckedSet) { 2905 ProgramStateRef state = PredI->getState(); 2906 2907 state = processPointerEscapedOnBind(state, location, Val, LC); 2908 2909 // When binding the value, pass on the hint that this is a initialization. 2910 // For initializations, we do not need to inform clients of region 2911 // changes. 2912 state = state->bindLoc(location.castAs<Loc>(), 2913 Val, LC, /* notifyChanges = */ !atDeclInit); 2914 2915 const MemRegion *LocReg = nullptr; 2916 if (Optional<loc::MemRegionVal> LocRegVal = 2917 location.getAs<loc::MemRegionVal>()) { 2918 LocReg = LocRegVal->getRegion(); 2919 } 2920 2921 const ProgramPoint L = PostStore(StoreE, LC, LocReg, nullptr); 2922 Bldr.generateNode(L, state, PredI); 2923 } 2924 } 2925 2926 /// evalStore - Handle the semantics of a store via an assignment. 2927 /// @param Dst The node set to store generated state nodes 2928 /// @param AssignE The assignment expression if the store happens in an 2929 /// assignment. 2930 /// @param LocationE The location expression that is stored to. 2931 /// @param state The current simulation state 2932 /// @param location The location to store the value 2933 /// @param Val The value to be stored 2934 void ExprEngine::evalStore(ExplodedNodeSet &Dst, const Expr *AssignE, 2935 const Expr *LocationE, 2936 ExplodedNode *Pred, 2937 ProgramStateRef state, SVal location, SVal Val, 2938 const ProgramPointTag *tag) { 2939 // Proceed with the store. We use AssignE as the anchor for the PostStore 2940 // ProgramPoint if it is non-NULL, and LocationE otherwise. 2941 const Expr *StoreE = AssignE ? AssignE : LocationE; 2942 2943 // Evaluate the location (checks for bad dereferences). 2944 ExplodedNodeSet Tmp; 2945 evalLocation(Tmp, AssignE, LocationE, Pred, state, location, false); 2946 2947 if (Tmp.empty()) 2948 return; 2949 2950 if (location.isUndef()) 2951 return; 2952 2953 for (const auto I : Tmp) 2954 evalBind(Dst, StoreE, I, location, Val, false); 2955 } 2956 2957 void ExprEngine::evalLoad(ExplodedNodeSet &Dst, 2958 const Expr *NodeEx, 2959 const Expr *BoundEx, 2960 ExplodedNode *Pred, 2961 ProgramStateRef state, 2962 SVal location, 2963 const ProgramPointTag *tag, 2964 QualType LoadTy) { 2965 assert(!location.getAs<NonLoc>() && "location cannot be a NonLoc."); 2966 assert(NodeEx); 2967 assert(BoundEx); 2968 // Evaluate the location (checks for bad dereferences). 2969 ExplodedNodeSet Tmp; 2970 evalLocation(Tmp, NodeEx, BoundEx, Pred, state, location, true); 2971 if (Tmp.empty()) 2972 return; 2973 2974 StmtNodeBuilder Bldr(Tmp, Dst, *currBldrCtx); 2975 if (location.isUndef()) 2976 return; 2977 2978 // Proceed with the load. 2979 for (const auto I : Tmp) { 2980 state = I->getState(); 2981 const LocationContext *LCtx = I->getLocationContext(); 2982 2983 SVal V = UnknownVal(); 2984 if (location.isValid()) { 2985 if (LoadTy.isNull()) 2986 LoadTy = BoundEx->getType(); 2987 V = state->getSVal(location.castAs<Loc>(), LoadTy); 2988 } 2989 2990 Bldr.generateNode(NodeEx, I, state->BindExpr(BoundEx, LCtx, V), tag, 2991 ProgramPoint::PostLoadKind); 2992 } 2993 } 2994 2995 void ExprEngine::evalLocation(ExplodedNodeSet &Dst, 2996 const Stmt *NodeEx, 2997 const Stmt *BoundEx, 2998 ExplodedNode *Pred, 2999 ProgramStateRef state, 3000 SVal location, 3001 bool isLoad) { 3002 StmtNodeBuilder BldrTop(Pred, Dst, *currBldrCtx); 3003 // Early checks for performance reason. 3004 if (location.isUnknown()) { 3005 return; 3006 } 3007 3008 ExplodedNodeSet Src; 3009 BldrTop.takeNodes(Pred); 3010 StmtNodeBuilder Bldr(Pred, Src, *currBldrCtx); 3011 if (Pred->getState() != state) { 3012 // Associate this new state with an ExplodedNode. 3013 // FIXME: If I pass null tag, the graph is incorrect, e.g for 3014 // int *p; 3015 // p = 0; 3016 // *p = 0xDEADBEEF; 3017 // "p = 0" is not noted as "Null pointer value stored to 'p'" but 3018 // instead "int *p" is noted as 3019 // "Variable 'p' initialized to a null pointer value" 3020 3021 static SimpleProgramPointTag tag(TagProviderName, "Location"); 3022 Bldr.generateNode(NodeEx, Pred, state, &tag); 3023 } 3024 ExplodedNodeSet Tmp; 3025 getCheckerManager().runCheckersForLocation(Tmp, Src, location, isLoad, 3026 NodeEx, BoundEx, *this); 3027 BldrTop.addNodes(Tmp); 3028 } 3029 3030 std::pair<const ProgramPointTag *, const ProgramPointTag*> 3031 ExprEngine::geteagerlyAssumeBinOpBifurcationTags() { 3032 static SimpleProgramPointTag 3033 eagerlyAssumeBinOpBifurcationTrue(TagProviderName, 3034 "Eagerly Assume True"), 3035 eagerlyAssumeBinOpBifurcationFalse(TagProviderName, 3036 "Eagerly Assume False"); 3037 return std::make_pair(&eagerlyAssumeBinOpBifurcationTrue, 3038 &eagerlyAssumeBinOpBifurcationFalse); 3039 } 3040 3041 void ExprEngine::evalEagerlyAssumeBinOpBifurcation(ExplodedNodeSet &Dst, 3042 ExplodedNodeSet &Src, 3043 const Expr *Ex) { 3044 StmtNodeBuilder Bldr(Src, Dst, *currBldrCtx); 3045 3046 for (const auto Pred : Src) { 3047 // Test if the previous node was as the same expression. This can happen 3048 // when the expression fails to evaluate to anything meaningful and 3049 // (as an optimization) we don't generate a node. 3050 ProgramPoint P = Pred->getLocation(); 3051 if (!P.getAs<PostStmt>() || P.castAs<PostStmt>().getStmt() != Ex) { 3052 continue; 3053 } 3054 3055 ProgramStateRef state = Pred->getState(); 3056 SVal V = state->getSVal(Ex, Pred->getLocationContext()); 3057 Optional<nonloc::SymbolVal> SEV = V.getAs<nonloc::SymbolVal>(); 3058 if (SEV && SEV->isExpression()) { 3059 const std::pair<const ProgramPointTag *, const ProgramPointTag*> &tags = 3060 geteagerlyAssumeBinOpBifurcationTags(); 3061 3062 ProgramStateRef StateTrue, StateFalse; 3063 std::tie(StateTrue, StateFalse) = state->assume(*SEV); 3064 3065 // First assume that the condition is true. 3066 if (StateTrue) { 3067 SVal Val = svalBuilder.makeIntVal(1U, Ex->getType()); 3068 StateTrue = StateTrue->BindExpr(Ex, Pred->getLocationContext(), Val); 3069 Bldr.generateNode(Ex, Pred, StateTrue, tags.first); 3070 } 3071 3072 // Next, assume that the condition is false. 3073 if (StateFalse) { 3074 SVal Val = svalBuilder.makeIntVal(0U, Ex->getType()); 3075 StateFalse = StateFalse->BindExpr(Ex, Pred->getLocationContext(), Val); 3076 Bldr.generateNode(Ex, Pred, StateFalse, tags.second); 3077 } 3078 } 3079 } 3080 } 3081 3082 void ExprEngine::VisitGCCAsmStmt(const GCCAsmStmt *A, ExplodedNode *Pred, 3083 ExplodedNodeSet &Dst) { 3084 StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); 3085 // We have processed both the inputs and the outputs. All of the outputs 3086 // should evaluate to Locs. Nuke all of their values. 3087 3088 // FIXME: Some day in the future it would be nice to allow a "plug-in" 3089 // which interprets the inline asm and stores proper results in the 3090 // outputs. 3091 3092 ProgramStateRef state = Pred->getState(); 3093 3094 for (const Expr *O : A->outputs()) { 3095 SVal X = state->getSVal(O, Pred->getLocationContext()); 3096 assert(!X.getAs<NonLoc>()); // Should be an Lval, or unknown, undef. 3097 3098 if (Optional<Loc> LV = X.getAs<Loc>()) 3099 state = state->bindLoc(*LV, UnknownVal(), Pred->getLocationContext()); 3100 } 3101 3102 Bldr.generateNode(A, Pred, state); 3103 } 3104 3105 void ExprEngine::VisitMSAsmStmt(const MSAsmStmt *A, ExplodedNode *Pred, 3106 ExplodedNodeSet &Dst) { 3107 StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); 3108 Bldr.generateNode(A, Pred, Pred->getState()); 3109 } 3110 3111 //===----------------------------------------------------------------------===// 3112 // Visualization. 3113 //===----------------------------------------------------------------------===// 3114 3115 #ifndef NDEBUG 3116 namespace llvm { 3117 3118 template<> 3119 struct DOTGraphTraits<ExplodedGraph*> : public DefaultDOTGraphTraits { 3120 DOTGraphTraits (bool isSimple = false) : DefaultDOTGraphTraits(isSimple) {} 3121 3122 static bool nodeHasBugReport(const ExplodedNode *N) { 3123 BugReporter &BR = static_cast<ExprEngine &>( 3124 N->getState()->getStateManager().getOwningEngine()).getBugReporter(); 3125 3126 const auto EQClasses = 3127 llvm::make_range(BR.EQClasses_begin(), BR.EQClasses_end()); 3128 3129 for (const auto &EQ : EQClasses) { 3130 for (const auto &I : EQ.getReports()) { 3131 const auto *PR = dyn_cast<PathSensitiveBugReport>(I.get()); 3132 if (!PR) 3133 continue; 3134 const ExplodedNode *EN = PR->getErrorNode(); 3135 if (EN->getState() == N->getState() && 3136 EN->getLocation() == N->getLocation()) 3137 return true; 3138 } 3139 } 3140 return false; 3141 } 3142 3143 /// \p PreCallback: callback before break. 3144 /// \p PostCallback: callback after break. 3145 /// \p Stop: stop iteration if returns @c true 3146 /// \return Whether @c Stop ever returned @c true. 3147 static bool traverseHiddenNodes( 3148 const ExplodedNode *N, 3149 llvm::function_ref<void(const ExplodedNode *)> PreCallback, 3150 llvm::function_ref<void(const ExplodedNode *)> PostCallback, 3151 llvm::function_ref<bool(const ExplodedNode *)> Stop) { 3152 while (true) { 3153 PreCallback(N); 3154 if (Stop(N)) 3155 return true; 3156 3157 if (N->succ_size() != 1 || !isNodeHidden(N->getFirstSucc(), nullptr)) 3158 break; 3159 PostCallback(N); 3160 3161 N = N->getFirstSucc(); 3162 } 3163 return false; 3164 } 3165 3166 static bool isNodeHidden(const ExplodedNode *N, const ExplodedGraph *G) { 3167 return N->isTrivial(); 3168 } 3169 3170 static std::string getNodeLabel(const ExplodedNode *N, ExplodedGraph *G){ 3171 std::string Buf; 3172 llvm::raw_string_ostream Out(Buf); 3173 3174 const bool IsDot = true; 3175 const unsigned int Space = 1; 3176 ProgramStateRef State = N->getState(); 3177 3178 Out << "{ \"state_id\": " << State->getID() 3179 << ",\\l"; 3180 3181 Indent(Out, Space, IsDot) << "\"program_points\": [\\l"; 3182 3183 // Dump program point for all the previously skipped nodes. 3184 traverseHiddenNodes( 3185 N, 3186 [&](const ExplodedNode *OtherNode) { 3187 Indent(Out, Space + 1, IsDot) << "{ "; 3188 OtherNode->getLocation().printJson(Out, /*NL=*/"\\l"); 3189 Out << ", \"tag\": "; 3190 if (const ProgramPointTag *Tag = OtherNode->getLocation().getTag()) 3191 Out << '\"' << Tag->getTagDescription() << "\""; 3192 else 3193 Out << "null"; 3194 Out << ", \"node_id\": " << OtherNode->getID() << 3195 ", \"is_sink\": " << OtherNode->isSink() << 3196 ", \"has_report\": " << nodeHasBugReport(OtherNode) << " }"; 3197 }, 3198 // Adds a comma and a new-line between each program point. 3199 [&](const ExplodedNode *) { Out << ",\\l"; }, 3200 [&](const ExplodedNode *) { return false; }); 3201 3202 Out << "\\l"; // Adds a new-line to the last program point. 3203 Indent(Out, Space, IsDot) << "],\\l"; 3204 3205 State->printDOT(Out, N->getLocationContext(), Space); 3206 3207 Out << "\\l}\\l"; 3208 return Out.str(); 3209 } 3210 }; 3211 3212 } // namespace llvm 3213 #endif 3214 3215 void ExprEngine::ViewGraph(bool trim) { 3216 #ifndef NDEBUG 3217 std::string Filename = DumpGraph(trim); 3218 llvm::DisplayGraph(Filename, false, llvm::GraphProgram::DOT); 3219 #else 3220 llvm::errs() << "Warning: viewing graph requires assertions" << "\n"; 3221 #endif 3222 } 3223 3224 3225 void ExprEngine::ViewGraph(ArrayRef<const ExplodedNode*> Nodes) { 3226 #ifndef NDEBUG 3227 std::string Filename = DumpGraph(Nodes); 3228 llvm::DisplayGraph(Filename, false, llvm::GraphProgram::DOT); 3229 #else 3230 llvm::errs() << "Warning: viewing graph requires assertions" << "\n"; 3231 #endif 3232 } 3233 3234 std::string ExprEngine::DumpGraph(bool trim, StringRef Filename) { 3235 #ifndef NDEBUG 3236 if (trim) { 3237 std::vector<const ExplodedNode *> Src; 3238 3239 // Iterate through the reports and get their nodes. 3240 for (BugReporter::EQClasses_iterator 3241 EI = BR.EQClasses_begin(), EE = BR.EQClasses_end(); EI != EE; ++EI) { 3242 const auto *R = 3243 dyn_cast<PathSensitiveBugReport>(EI->getReports()[0].get()); 3244 if (!R) 3245 continue; 3246 const auto *N = const_cast<ExplodedNode *>(R->getErrorNode()); 3247 Src.push_back(N); 3248 } 3249 return DumpGraph(Src, Filename); 3250 } else { 3251 return llvm::WriteGraph(&G, "ExprEngine", /*ShortNames=*/false, 3252 /*Title=*/"Exploded Graph", 3253 /*Filename=*/std::string(Filename)); 3254 } 3255 #else 3256 llvm::errs() << "Warning: dumping graph requires assertions" << "\n"; 3257 return ""; 3258 #endif 3259 } 3260 3261 std::string ExprEngine::DumpGraph(ArrayRef<const ExplodedNode*> Nodes, 3262 StringRef Filename) { 3263 #ifndef NDEBUG 3264 std::unique_ptr<ExplodedGraph> TrimmedG(G.trim(Nodes)); 3265 3266 if (!TrimmedG.get()) { 3267 llvm::errs() << "warning: Trimmed ExplodedGraph is empty.\n"; 3268 return ""; 3269 } else { 3270 return llvm::WriteGraph(TrimmedG.get(), "TrimmedExprEngine", 3271 /*ShortNames=*/false, 3272 /*Title=*/"Trimmed Exploded Graph", 3273 /*Filename=*/std::string(Filename)); 3274 } 3275 #else 3276 llvm::errs() << "Warning: dumping graph requires assertions" << "\n"; 3277 return ""; 3278 #endif 3279 } 3280 3281 void *ProgramStateTrait<ReplayWithoutInlining>::GDMIndex() { 3282 static int index = 0; 3283 return &index; 3284 } 3285 3286 void ExprEngine::anchor() { } 3287
Indexes created Tue Feb 24 08:35:24 UTC 2026