clang 17.0.0git
ExprEngineCallAndReturn.cpp
Go to the documentation of this file.
1//=-- ExprEngineCallAndReturn.cpp - Support for call/return -----*- C++ -*-===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines ExprEngine's support for calls and returns.
10//
11//===----------------------------------------------------------------------===//
12
15#include "clang/AST/Decl.h"
16#include "clang/AST/DeclCXX.h"
23#include "llvm/ADT/SmallSet.h"
24#include "llvm/ADT/Statistic.h"
25#include "llvm/Support/Casting.h"
26#include "llvm/Support/Compiler.h"
27#include "llvm/Support/SaveAndRestore.h"
28#include <optional>
29
30using namespace clang;
31using namespace ento;
32
33#define DEBUG_TYPE "ExprEngine"
34
35STATISTIC(NumOfDynamicDispatchPathSplits,
36 "The # of times we split the path due to imprecise dynamic dispatch info");
37
38STATISTIC(NumInlinedCalls,
39 "The # of times we inlined a call");
40
41STATISTIC(NumReachedInlineCountMax,
42 "The # of times we reached inline count maximum");
43
45 ExplodedNode *Pred) {
46 // Get the entry block in the CFG of the callee.
47 const StackFrameContext *calleeCtx = CE.getCalleeContext();
48 PrettyStackTraceLocationContext CrashInfo(calleeCtx);
49 const CFGBlock *Entry = CE.getEntry();
50
51 // Validate the CFG.
52 assert(Entry->empty());
53 assert(Entry->succ_size() == 1);
54
55 // Get the solitary successor.
56 const CFGBlock *Succ = *(Entry->succ_begin());
57
58 // Construct an edge representing the starting location in the callee.
59 BlockEdge Loc(Entry, Succ, calleeCtx);
60
61 ProgramStateRef state = Pred->getState();
62
63 // Construct a new node, notify checkers that analysis of the function has
64 // begun, and add the resultant nodes to the worklist.
65 bool isNew;
66 ExplodedNode *Node = G.getNode(Loc, state, false, &isNew);
67 Node->addPredecessor(Pred, G);
68 if (isNew) {
69 ExplodedNodeSet DstBegin;
70 processBeginOfFunction(BC, Node, DstBegin, Loc);
71 Engine.enqueue(DstBegin);
72 }
73}
74
75// Find the last statement on the path to the exploded node and the
76// corresponding Block.
77static std::pair<const Stmt*,
79 const Stmt *S = nullptr;
80 const CFGBlock *Blk = nullptr;
81 const StackFrameContext *SF = Node->getStackFrame();
82
83 // Back up through the ExplodedGraph until we reach a statement node in this
84 // stack frame.
85 while (Node) {
86 const ProgramPoint &PP = Node->getLocation();
87
88 if (PP.getStackFrame() == SF) {
89 if (std::optional<StmtPoint> SP = PP.getAs<StmtPoint>()) {
90 S = SP->getStmt();
91 break;
92 } else if (std::optional<CallExitEnd> CEE = PP.getAs<CallExitEnd>()) {
93 S = CEE->getCalleeContext()->getCallSite();
94 if (S)
95 break;
96
97 // If there is no statement, this is an implicitly-generated call.
98 // We'll walk backwards over it and then continue the loop to find
99 // an actual statement.
100 std::optional<CallEnter> CE;
101 do {
102 Node = Node->getFirstPred();
103 CE = Node->getLocationAs<CallEnter>();
104 } while (!CE || CE->getCalleeContext() != CEE->getCalleeContext());
105
106 // Continue searching the graph.
107 } else if (std::optional<BlockEdge> BE = PP.getAs<BlockEdge>()) {
108 Blk = BE->getSrc();
109 }
110 } else if (std::optional<CallEnter> CE = PP.getAs<CallEnter>()) {
111 // If we reached the CallEnter for this function, it has no statements.
112 if (CE->getCalleeContext() == SF)
113 break;
114 }
115
116 if (Node->pred_empty())
117 return std::make_pair(nullptr, nullptr);
118
119 Node = *Node->pred_begin();
120 }
121
122 return std::make_pair(S, Blk);
123}
124
125/// Adjusts a return value when the called function's return type does not
126/// match the caller's expression type. This can happen when a dynamic call
127/// is devirtualized, and the overriding method has a covariant (more specific)
128/// return type than the parent's method. For C++ objects, this means we need
129/// to add base casts.
130static SVal adjustReturnValue(SVal V, QualType ExpectedTy, QualType ActualTy,
131 StoreManager &StoreMgr) {
132 // For now, the only adjustments we handle apply only to locations.
133 if (!isa<Loc>(V))
134 return V;
135
136 // If the types already match, don't do any unnecessary work.
137 ExpectedTy = ExpectedTy.getCanonicalType();
138 ActualTy = ActualTy.getCanonicalType();
139 if (ExpectedTy == ActualTy)
140 return V;
141
142 // No adjustment is needed between Objective-C pointer types.
143 if (ExpectedTy->isObjCObjectPointerType() &&
144 ActualTy->isObjCObjectPointerType())
145 return V;
146
147 // C++ object pointers may need "derived-to-base" casts.
148 const CXXRecordDecl *ExpectedClass = ExpectedTy->getPointeeCXXRecordDecl();
149 const CXXRecordDecl *ActualClass = ActualTy->getPointeeCXXRecordDecl();
150 if (ExpectedClass && ActualClass) {
151 CXXBasePaths Paths(/*FindAmbiguities=*/true, /*RecordPaths=*/true,
152 /*DetectVirtual=*/false);
153 if (ActualClass->isDerivedFrom(ExpectedClass, Paths) &&
154 !Paths.isAmbiguous(ActualTy->getCanonicalTypeUnqualified())) {
155 return StoreMgr.evalDerivedToBase(V, Paths.front());
156 }
157 }
158
159 // Unfortunately, Objective-C does not enforce that overridden methods have
160 // covariant return types, so we can't assert that that never happens.
161 // Be safe and return UnknownVal().
162 return UnknownVal();
163}
164
166 ExplodedNode *Pred,
167 ExplodedNodeSet &Dst) {
168 // Find the last statement in the function and the corresponding basic block.
169 const Stmt *LastSt = nullptr;
170 const CFGBlock *Blk = nullptr;
171 std::tie(LastSt, Blk) = getLastStmt(Pred);
172 if (!Blk || !LastSt) {
173 Dst.Add(Pred);
174 return;
175 }
176
177 // Here, we destroy the current location context. We use the current
178 // function's entire body as a diagnostic statement, with which the program
179 // point will be associated. However, we only want to use LastStmt as a
180 // reference for what to clean up if it's a ReturnStmt; otherwise, everything
181 // is dead.
182 SaveAndRestore<const NodeBuilderContext *> NodeContextRAII(currBldrCtx, &BC);
183 const LocationContext *LCtx = Pred->getLocationContext();
184 removeDead(Pred, Dst, dyn_cast<ReturnStmt>(LastSt), LCtx,
187}
188
190 const StackFrameContext *calleeCtx) {
191 const Decl *RuntimeCallee = calleeCtx->getDecl();
192 const Decl *StaticDecl = Call->getDecl();
193 assert(RuntimeCallee);
194 if (!StaticDecl)
195 return true;
196 return RuntimeCallee->getCanonicalDecl() != StaticDecl->getCanonicalDecl();
197}
198
199// Returns the number of elements in the array currently being destructed.
200// If the element count is not found 0 will be returned.
202 const CallEvent &Call, const ProgramStateRef State, SValBuilder &SVB) {
203 assert(isa<CXXDestructorCall>(Call) &&
204 "The call event is not a destructor call!");
205
206 const auto &DtorCall = cast<CXXDestructorCall>(Call);
207
208 auto ThisVal = DtorCall.getCXXThisVal();
209
210 if (auto ThisElementRegion = dyn_cast<ElementRegion>(ThisVal.getAsRegion())) {
211 auto ArrayRegion = ThisElementRegion->getAsArrayOffset().getRegion();
212 auto ElementType = ThisElementRegion->getElementType();
213
214 auto ElementCount =
215 getDynamicElementCount(State, ArrayRegion, SVB, ElementType);
216
217 if (!ElementCount.isConstant())
218 return 0;
219
220 return ElementCount.getAsInteger()->getLimitedValue();
221 }
222
223 return 0;
224}
225
226ProgramStateRef ExprEngine::removeStateTraitsUsedForArrayEvaluation(
227 ProgramStateRef State, const CXXConstructExpr *E,
228 const LocationContext *LCtx) {
229
230 assert(LCtx && "Location context must be provided!");
231
232 if (E) {
233 if (getPendingInitLoop(State, E, LCtx))
234 State = removePendingInitLoop(State, E, LCtx);
235
236 if (getIndexOfElementToConstruct(State, E, LCtx))
237 State = removeIndexOfElementToConstruct(State, E, LCtx);
238 }
239
240 if (getPendingArrayDestruction(State, LCtx))
241 State = removePendingArrayDestruction(State, LCtx);
242
243 return State;
244}
245
246/// The call exit is simulated with a sequence of nodes, which occur between
247/// CallExitBegin and CallExitEnd. The following operations occur between the
248/// two program points:
249/// 1. CallExitBegin (triggers the start of call exit sequence)
250/// 2. Bind the return value
251/// 3. Run Remove dead bindings to clean up the dead symbols from the callee.
252/// 4. CallExitEnd (switch to the caller context)
253/// 5. PostStmt<CallExpr>
255 // Step 1 CEBNode was generated before the call.
257 const StackFrameContext *calleeCtx = CEBNode->getStackFrame();
258
259 // The parent context might not be a stack frame, so make sure we
260 // look up the first enclosing stack frame.
261 const StackFrameContext *callerCtx =
262 calleeCtx->getParent()->getStackFrame();
263
264 const Stmt *CE = calleeCtx->getCallSite();
265 ProgramStateRef state = CEBNode->getState();
266 // Find the last statement in the function and the corresponding basic block.
267 const Stmt *LastSt = nullptr;
268 const CFGBlock *Blk = nullptr;
269 std::tie(LastSt, Blk) = getLastStmt(CEBNode);
270
271 // Generate a CallEvent /before/ cleaning the state, so that we can get the
272 // correct value for 'this' (if necessary).
274 CallEventRef<> Call = CEMgr.getCaller(calleeCtx, state);
275
276 // Step 2: generate node with bound return value: CEBNode -> BindedRetNode.
277
278 // If this variable is set to 'true' the analyzer will evaluate the call
279 // statement we are about to exit again, instead of continuing the execution
280 // from the statement after the call. This is useful for non-POD type array
281 // construction where the CXXConstructExpr is referenced only once in the CFG,
282 // but we want to evaluate it as many times as many elements the array has.
283 bool ShouldRepeatCall = false;
284
285 if (const auto *DtorDecl =
286 dyn_cast_or_null<CXXDestructorDecl>(Call->getDecl())) {
287 if (auto Idx = getPendingArrayDestruction(state, callerCtx)) {
288 ShouldRepeatCall = *Idx > 0;
289
290 auto ThisVal = svalBuilder.getCXXThis(DtorDecl->getParent(), calleeCtx);
291 state = state->killBinding(ThisVal);
292 }
293 }
294
295 // If the callee returns an expression, bind its value to CallExpr.
296 if (CE) {
297 if (const ReturnStmt *RS = dyn_cast_or_null<ReturnStmt>(LastSt)) {
298 const LocationContext *LCtx = CEBNode->getLocationContext();
299 SVal V = state->getSVal(RS, LCtx);
300
301 // Ensure that the return type matches the type of the returned Expr.
302 if (wasDifferentDeclUsedForInlining(Call, calleeCtx)) {
303 QualType ReturnedTy =
305 if (!ReturnedTy.isNull()) {
306 if (const Expr *Ex = dyn_cast<Expr>(CE)) {
307 V = adjustReturnValue(V, Ex->getType(), ReturnedTy,
309 }
310 }
311 }
312
313 state = state->BindExpr(CE, callerCtx, V);
314 }
315
316 // Bind the constructed object value to CXXConstructExpr.
317 if (const CXXConstructExpr *CCE = dyn_cast<CXXConstructExpr>(CE)) {
318 loc::MemRegionVal This =
319 svalBuilder.getCXXThis(CCE->getConstructor()->getParent(), calleeCtx);
320 SVal ThisV = state->getSVal(This);
321 ThisV = state->getSVal(ThisV.castAs<Loc>());
322 state = state->BindExpr(CCE, callerCtx, ThisV);
323
324 ShouldRepeatCall = shouldRepeatCtorCall(state, CCE, callerCtx);
325 }
326
327 if (const auto *CNE = dyn_cast<CXXNewExpr>(CE)) {
328 // We are currently evaluating a CXXNewAllocator CFGElement. It takes a
329 // while to reach the actual CXXNewExpr element from here, so keep the
330 // region for later use.
331 // Additionally cast the return value of the inlined operator new
332 // (which is of type 'void *') to the correct object type.
333 SVal AllocV = state->getSVal(CNE, callerCtx);
334 AllocV = svalBuilder.evalCast(
335 AllocV, CNE->getType(),
336 getContext().getPointerType(getContext().VoidTy));
337
338 state = addObjectUnderConstruction(state, CNE, calleeCtx->getParent(),
339 AllocV);
340 }
341 }
342
343 if (!ShouldRepeatCall) {
344 state = removeStateTraitsUsedForArrayEvaluation(
345 state, dyn_cast_or_null<CXXConstructExpr>(CE), callerCtx);
346 }
347
348 // Step 3: BindedRetNode -> CleanedNodes
349 // If we can find a statement and a block in the inlined function, run remove
350 // dead bindings before returning from the call. This is important to ensure
351 // that we report the issues such as leaks in the stack contexts in which
352 // they occurred.
353 ExplodedNodeSet CleanedNodes;
354 if (LastSt && Blk && AMgr.options.AnalysisPurgeOpt != PurgeNone) {
355 static SimpleProgramPointTag retValBind("ExprEngine", "Bind Return Value");
356 PostStmt Loc(LastSt, calleeCtx, &retValBind);
357 bool isNew;
358 ExplodedNode *BindedRetNode = G.getNode(Loc, state, false, &isNew);
359 BindedRetNode->addPredecessor(CEBNode, G);
360 if (!isNew)
361 return;
362
363 NodeBuilderContext Ctx(getCoreEngine(), Blk, BindedRetNode);
364 currBldrCtx = &Ctx;
365 // Here, we call the Symbol Reaper with 0 statement and callee location
366 // context, telling it to clean up everything in the callee's context
367 // (and its children). We use the callee's function body as a diagnostic
368 // statement, with which the program point will be associated.
369 removeDead(BindedRetNode, CleanedNodes, nullptr, calleeCtx,
370 calleeCtx->getAnalysisDeclContext()->getBody(),
372 currBldrCtx = nullptr;
373 } else {
374 CleanedNodes.Add(CEBNode);
375 }
376
377 for (ExplodedNodeSet::iterator I = CleanedNodes.begin(),
378 E = CleanedNodes.end(); I != E; ++I) {
379
380 // Step 4: Generate the CallExit and leave the callee's context.
381 // CleanedNodes -> CEENode
382 CallExitEnd Loc(calleeCtx, callerCtx);
383 bool isNew;
384 ProgramStateRef CEEState = (*I == CEBNode) ? state : (*I)->getState();
385
386 ExplodedNode *CEENode = G.getNode(Loc, CEEState, false, &isNew);
387 CEENode->addPredecessor(*I, G);
388 if (!isNew)
389 return;
390
391 // Step 5: Perform the post-condition check of the CallExpr and enqueue the
392 // result onto the work list.
393 // CEENode -> Dst -> WorkList
394 NodeBuilderContext Ctx(Engine, calleeCtx->getCallSiteBlock(), CEENode);
395 SaveAndRestore<const NodeBuilderContext *> NBCSave(currBldrCtx, &Ctx);
396 SaveAndRestore CBISave(currStmtIdx, calleeCtx->getIndex());
397
398 CallEventRef<> UpdatedCall = Call.cloneWithState(CEEState);
399
400 ExplodedNodeSet DstPostCall;
401 if (llvm::isa_and_nonnull<CXXNewExpr>(CE)) {
402 ExplodedNodeSet DstPostPostCallCallback;
403 getCheckerManager().runCheckersForPostCall(DstPostPostCallCallback,
404 CEENode, *UpdatedCall, *this,
405 /*wasInlined=*/true);
406 for (ExplodedNode *I : DstPostPostCallCallback) {
408 cast<CXXAllocatorCall>(*UpdatedCall), DstPostCall, I, *this,
409 /*wasInlined=*/true);
410 }
411 } else {
412 getCheckerManager().runCheckersForPostCall(DstPostCall, CEENode,
413 *UpdatedCall, *this,
414 /*wasInlined=*/true);
415 }
416 ExplodedNodeSet Dst;
417 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) {
418 getCheckerManager().runCheckersForPostObjCMessage(Dst, DstPostCall, *Msg,
419 *this,
420 /*wasInlined=*/true);
421 } else if (CE &&
422 !(isa<CXXNewExpr>(CE) && // Called when visiting CXXNewExpr.
423 AMgr.getAnalyzerOptions().MayInlineCXXAllocator)) {
424 getCheckerManager().runCheckersForPostStmt(Dst, DstPostCall, CE,
425 *this, /*wasInlined=*/true);
426 } else {
427 Dst.insert(DstPostCall);
428 }
429
430 // Enqueue the next element in the block.
431 for (ExplodedNodeSet::iterator PSI = Dst.begin(), PSE = Dst.end();
432 PSI != PSE; ++PSI) {
433 unsigned Idx = calleeCtx->getIndex() + (ShouldRepeatCall ? 0 : 1);
434
435 Engine.getWorkList()->enqueue(*PSI, calleeCtx->getCallSiteBlock(), Idx);
436 }
437 }
438}
439
440bool ExprEngine::isSmall(AnalysisDeclContext *ADC) const {
441 // When there are no branches in the function, it means that there's no
442 // exponential complexity introduced by inlining such function.
443 // Such functions also don't trigger various fundamental problems
444 // with our inlining mechanism, such as the problem of
445 // inlined defensive checks. Hence isLinear().
446 const CFG *Cfg = ADC->getCFG();
447 return Cfg->isLinear() || Cfg->size() <= AMgr.options.AlwaysInlineSize;
448}
449
450bool ExprEngine::isLarge(AnalysisDeclContext *ADC) const {
451 const CFG *Cfg = ADC->getCFG();
452 return Cfg->size() >= AMgr.options.MinCFGSizeTreatFunctionsAsLarge;
453}
454
455bool ExprEngine::isHuge(AnalysisDeclContext *ADC) const {
456 const CFG *Cfg = ADC->getCFG();
457 return Cfg->getNumBlockIDs() > AMgr.options.MaxInlinableSize;
458}
459
460void ExprEngine::examineStackFrames(const Decl *D, const LocationContext *LCtx,
461 bool &IsRecursive, unsigned &StackDepth) {
462 IsRecursive = false;
463 StackDepth = 0;
464
465 while (LCtx) {
466 if (const StackFrameContext *SFC = dyn_cast<StackFrameContext>(LCtx)) {
467 const Decl *DI = SFC->getDecl();
468
469 // Mark recursive (and mutually recursive) functions and always count
470 // them when measuring the stack depth.
471 if (DI == D) {
472 IsRecursive = true;
473 ++StackDepth;
474 LCtx = LCtx->getParent();
475 continue;
476 }
477
478 // Do not count the small functions when determining the stack depth.
479 AnalysisDeclContext *CalleeADC = AMgr.getAnalysisDeclContext(DI);
480 if (!isSmall(CalleeADC))
481 ++StackDepth;
482 }
483 LCtx = LCtx->getParent();
484 }
485}
486
487// The GDM component containing the dynamic dispatch bifurcation info. When
488// the exact type of the receiver is not known, we want to explore both paths -
489// one on which we do inline it and the other one on which we don't. This is
490// done to ensure we do not drop coverage.
491// This is the map from the receiver region to a bool, specifying either we
492// consider this region's information precise or not along the given path.
493namespace {
494 enum DynamicDispatchMode {
495 DynamicDispatchModeInlined = 1,
496 DynamicDispatchModeConservative
497 };
498} // end anonymous namespace
499
500REGISTER_MAP_WITH_PROGRAMSTATE(DynamicDispatchBifurcationMap,
501 const MemRegion *, unsigned)
502REGISTER_TRAIT_WITH_PROGRAMSTATE(CTUDispatchBifurcation, bool)
503
504void ExprEngine::ctuBifurcate(const CallEvent &Call, const Decl *D,
505 NodeBuilder &Bldr, ExplodedNode *Pred,
506 ProgramStateRef State) {
507 ProgramStateRef ConservativeEvalState = nullptr;
508 if (Call.isForeign() && !isSecondPhaseCTU()) {
509 const auto IK = AMgr.options.getCTUPhase1Inlining();
510 const bool DoInline = IK == CTUPhase1InliningKind::All ||
512 isSmall(AMgr.getAnalysisDeclContext(D)));
513 if (DoInline) {
514 inlineCall(Engine.getWorkList(), Call, D, Bldr, Pred, State);
515 return;
516 }
517 const bool BState = State->get<CTUDispatchBifurcation>();
518 if (!BState) { // This is the first time we see this foreign function.
519 // Enqueue it to be analyzed in the second (ctu) phase.
520 inlineCall(Engine.getCTUWorkList(), Call, D, Bldr, Pred, State);
521 // Conservatively evaluate in the first phase.
522 ConservativeEvalState = State->set<CTUDispatchBifurcation>(true);
523 conservativeEvalCall(Call, Bldr, Pred, ConservativeEvalState);
524 } else {
525 conservativeEvalCall(Call, Bldr, Pred, State);
526 }
527 return;
528 }
529 inlineCall(Engine.getWorkList(), Call, D, Bldr, Pred, State);
530}
531
532void ExprEngine::inlineCall(WorkList *WList, const CallEvent &Call,
533 const Decl *D, NodeBuilder &Bldr,
534 ExplodedNode *Pred, ProgramStateRef State) {
535 assert(D);
536
537 const LocationContext *CurLC = Pred->getLocationContext();
538 const StackFrameContext *CallerSFC = CurLC->getStackFrame();
539 const LocationContext *ParentOfCallee = CallerSFC;
540 if (Call.getKind() == CE_Block &&
541 !cast<BlockCall>(Call).isConversionFromLambda()) {
542 const BlockDataRegion *BR = cast<BlockCall>(Call).getBlockRegion();
543 assert(BR && "If we have the block definition we should have its region");
545 ParentOfCallee = BlockCtx->getBlockInvocationContext(CallerSFC,
546 cast<BlockDecl>(D),
547 BR);
548 }
549
550 // This may be NULL, but that's fine.
551 const Expr *CallE = Call.getOriginExpr();
552
553 // Construct a new stack frame for the callee.
554 AnalysisDeclContext *CalleeADC = AMgr.getAnalysisDeclContext(D);
555 const StackFrameContext *CalleeSFC =
556 CalleeADC->getStackFrame(ParentOfCallee, CallE, currBldrCtx->getBlock(),
557 currBldrCtx->blockCount(), currStmtIdx);
558
559 CallEnter Loc(CallE, CalleeSFC, CurLC);
560
561 // Construct a new state which contains the mapping from actual to
562 // formal arguments.
563 State = State->enterStackFrame(Call, CalleeSFC);
564
565 bool isNew;
566 if (ExplodedNode *N = G.getNode(Loc, State, false, &isNew)) {
567 N->addPredecessor(Pred, G);
568 if (isNew)
569 WList->enqueue(N);
570 }
571
572 // If we decided to inline the call, the successor has been manually
573 // added onto the work list so remove it from the node builder.
574 Bldr.takeNodes(Pred);
575
576 NumInlinedCalls++;
577 Engine.FunctionSummaries->bumpNumTimesInlined(D);
578
579 // Do not mark as visited in the 2nd run (CTUWList), so the function will
580 // be visited as top-level, this way we won't loose reports in non-ctu
581 // mode. Considering the case when a function in a foreign TU calls back
582 // into the main TU.
583 // Note, during the 1st run, it doesn't matter if we mark the foreign
584 // functions as visited (or not) because they can never appear as a top level
585 // function in the main TU.
586 if (!isSecondPhaseCTU())
587 // Mark the decl as visited.
588 if (VisitedCallees)
589 VisitedCallees->insert(D);
590}
591
593 const Stmt *CallE) {
594 const void *ReplayState = State->get<ReplayWithoutInlining>();
595 if (!ReplayState)
596 return nullptr;
597
598 assert(ReplayState == CallE && "Backtracked to the wrong call.");
599 (void)CallE;
600
601 return State->remove<ReplayWithoutInlining>();
602}
603
605 ExplodedNodeSet &dst) {
606 // Perform the previsit of the CallExpr.
607 ExplodedNodeSet dstPreVisit;
608 getCheckerManager().runCheckersForPreStmt(dstPreVisit, Pred, CE, *this);
609
610 // Get the call in its initial state. We use this as a template to perform
611 // all the checks.
613 CallEventRef<> CallTemplate = CEMgr.getSimpleCall(
614 CE, Pred->getState(), Pred->getLocationContext(), getCFGElementRef());
615
616 // Evaluate the function call. We try each of the checkers
617 // to see if the can evaluate the function call.
618 ExplodedNodeSet dstCallEvaluated;
619 for (ExplodedNodeSet::iterator I = dstPreVisit.begin(), E = dstPreVisit.end();
620 I != E; ++I) {
621 evalCall(dstCallEvaluated, *I, *CallTemplate);
622 }
623
624 // Finally, perform the post-condition check of the CallExpr and store
625 // the created nodes in 'Dst'.
626 // Note that if the call was inlined, dstCallEvaluated will be empty.
627 // The post-CallExpr check will occur in processCallExit.
628 getCheckerManager().runCheckersForPostStmt(dst, dstCallEvaluated, CE,
629 *this);
630}
631
632ProgramStateRef ExprEngine::finishArgumentConstruction(ProgramStateRef State,
633 const CallEvent &Call) {
634 const Expr *E = Call.getOriginExpr();
635 // FIXME: Constructors to placement arguments of operator new
636 // are not supported yet.
637 if (!E || isa<CXXNewExpr>(E))
638 return State;
639
640 const LocationContext *LC = Call.getLocationContext();
641 for (unsigned CallI = 0, CallN = Call.getNumArgs(); CallI != CallN; ++CallI) {
642 unsigned I = Call.getASTArgumentIndex(CallI);
643 if (std::optional<SVal> V = getObjectUnderConstruction(State, {E, I}, LC)) {
644 SVal VV = *V;
645 (void)VV;
646 assert(cast<VarRegion>(VV.castAs<loc::MemRegionVal>().getRegion())
647 ->getStackFrame()->getParent()
648 ->getStackFrame() == LC->getStackFrame());
649 State = finishObjectConstruction(State, {E, I}, LC);
650 }
651 }
652
653 return State;
654}
655
656void ExprEngine::finishArgumentConstruction(ExplodedNodeSet &Dst,
657 ExplodedNode *Pred,
658 const CallEvent &Call) {
659 ProgramStateRef State = Pred->getState();
660 ProgramStateRef CleanedState = finishArgumentConstruction(State, Call);
661 if (CleanedState == State) {
662 Dst.insert(Pred);
663 return;
664 }
665
666 const Expr *E = Call.getOriginExpr();
667 const LocationContext *LC = Call.getLocationContext();
668 NodeBuilder B(Pred, Dst, *currBldrCtx);
669 static SimpleProgramPointTag Tag("ExprEngine",
670 "Finish argument construction");
671 PreStmt PP(E, LC, &Tag);
672 B.generateNode(PP, CleanedState, Pred);
673}
674
676 const CallEvent &Call) {
677 // WARNING: At this time, the state attached to 'Call' may be older than the
678 // state in 'Pred'. This is a minor optimization since CheckerManager will
679 // use an updated CallEvent instance when calling checkers, but if 'Call' is
680 // ever used directly in this function all callers should be updated to pass
681 // the most recent state. (It is probably not worth doing the work here since
682 // for some callers this will not be necessary.)
683
684 // Run any pre-call checks using the generic call interface.
685 ExplodedNodeSet dstPreVisit;
686 getCheckerManager().runCheckersForPreCall(dstPreVisit, Pred,
687 Call, *this);
688
689 // Actually evaluate the function call. We try each of the checkers
690 // to see if the can evaluate the function call, and get a callback at
691 // defaultEvalCall if all of them fail.
692 ExplodedNodeSet dstCallEvaluated;
693 getCheckerManager().runCheckersForEvalCall(dstCallEvaluated, dstPreVisit,
694 Call, *this, EvalCallOptions());
695
696 // If there were other constructors called for object-type arguments
697 // of this call, clean them up.
698 ExplodedNodeSet dstArgumentCleanup;
699 for (ExplodedNode *I : dstCallEvaluated)
700 finishArgumentConstruction(dstArgumentCleanup, I, Call);
701
702 ExplodedNodeSet dstPostCall;
703 getCheckerManager().runCheckersForPostCall(dstPostCall, dstArgumentCleanup,
704 Call, *this);
705
706 // Escaping symbols conjured during invalidating the regions above.
707 // Note that, for inlined calls the nodes were put back into the worklist,
708 // so we can assume that every node belongs to a conservative call at this
709 // point.
710
711 // Run pointerEscape callback with the newly conjured symbols.
713 for (ExplodedNode *I : dstPostCall) {
714 NodeBuilder B(I, Dst, *currBldrCtx);
715 ProgramStateRef State = I->getState();
716 Escaped.clear();
717 {
718 unsigned Arg = -1;
719 for (const ParmVarDecl *PVD : Call.parameters()) {
720 ++Arg;
721 QualType ParamTy = PVD->getType();
722 if (ParamTy.isNull() ||
723 (!ParamTy->isPointerType() && !ParamTy->isReferenceType()))
724 continue;
725 QualType Pointee = ParamTy->getPointeeType();
726 if (Pointee.isConstQualified() || Pointee->isVoidType())
727 continue;
728 if (const MemRegion *MR = Call.getArgSVal(Arg).getAsRegion())
729 Escaped.emplace_back(loc::MemRegionVal(MR), State->getSVal(MR, Pointee));
730 }
731 }
732
733 State = processPointerEscapedOnBind(State, Escaped, I->getLocationContext(),
735
736 if (State == I->getState())
737 Dst.insert(I);
738 else
739 B.generateNode(I->getLocation(), State, I);
740 }
741}
742
744 const LocationContext *LCtx,
745 ProgramStateRef State) {
746 const Expr *E = Call.getOriginExpr();
747 if (!E)
748 return State;
749
750 // Some method families have known return values.
751 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(&Call)) {
752 switch (Msg->getMethodFamily()) {
753 default:
754 break;
755 case OMF_autorelease:
756 case OMF_retain:
757 case OMF_self: {
758 // These methods return their receivers.
759 return State->BindExpr(E, LCtx, Msg->getReceiverSVal());
760 }
761 }
762 } else if (const CXXConstructorCall *C = dyn_cast<CXXConstructorCall>(&Call)){
763 SVal ThisV = C->getCXXThisVal();
764 ThisV = State->getSVal(ThisV.castAs<Loc>());
765 return State->BindExpr(E, LCtx, ThisV);
766 }
767
768 SVal R;
769 QualType ResultTy = Call.getResultType();
770 unsigned Count = currBldrCtx->blockCount();
771 if (auto RTC = getCurrentCFGElement().getAs<CFGCXXRecordTypedCall>()) {
772 // Conjure a temporary if the function returns an object by value.
773 SVal Target;
774 assert(RTC->getStmt() == Call.getOriginExpr());
775 EvalCallOptions CallOpts; // FIXME: We won't really need those.
776 std::tie(State, Target) = handleConstructionContext(
777 Call.getOriginExpr(), State, currBldrCtx, LCtx,
778 RTC->getConstructionContext(), CallOpts);
779 const MemRegion *TargetR = Target.getAsRegion();
780 assert(TargetR);
781 // Invalidate the region so that it didn't look uninitialized. If this is
782 // a field or element constructor, we do not want to invalidate
783 // the whole structure. Pointer escape is meaningless because
784 // the structure is a product of conservative evaluation
785 // and therefore contains nothing interesting at this point.
787 ITraits.setTrait(TargetR,
789 State = State->invalidateRegions(TargetR, E, Count, LCtx,
790 /* CausesPointerEscape=*/false, nullptr,
791 &Call, &ITraits);
792
793 R = State->getSVal(Target.castAs<Loc>(), E->getType());
794 } else {
795 // Conjure a symbol if the return value is unknown.
796
797 // See if we need to conjure a heap pointer instead of
798 // a regular unknown pointer.
799 const auto *CNE = dyn_cast<CXXNewExpr>(E);
800 if (CNE && CNE->getOperatorNew()->isReplaceableGlobalAllocationFunction()) {
801 R = svalBuilder.getConjuredHeapSymbolVal(E, LCtx, Count);
802 const MemRegion *MR = R.getAsRegion()->StripCasts();
803
804 // Store the extent of the allocated object(s).
805 SVal ElementCount;
806 if (const Expr *SizeExpr = CNE->getArraySize().value_or(nullptr)) {
807 ElementCount = State->getSVal(SizeExpr, LCtx);
808 } else {
809 ElementCount = svalBuilder.makeIntVal(1, /*IsUnsigned=*/true);
810 }
811
812 SVal ElementSize = getElementExtent(CNE->getAllocatedType(), svalBuilder);
813
814 SVal Size =
815 svalBuilder.evalBinOp(State, BO_Mul, ElementCount, ElementSize,
816 svalBuilder.getArrayIndexType());
817
818 // FIXME: This line is to prevent a crash. For more details please check
819 // issue #56264.
820 if (Size.isUndef())
821 Size = UnknownVal();
822
823 State = setDynamicExtent(State, MR, Size.castAs<DefinedOrUnknownSVal>(),
824 svalBuilder);
825 } else {
826 R = svalBuilder.conjureSymbolVal(nullptr, E, LCtx, ResultTy, Count);
827 }
828 }
829 return State->BindExpr(E, LCtx, R);
830}
831
832// Conservatively evaluate call by invalidating regions and binding
833// a conjured return value.
834void ExprEngine::conservativeEvalCall(const CallEvent &Call, NodeBuilder &Bldr,
835 ExplodedNode *Pred, ProgramStateRef State) {
836 State = Call.invalidateRegions(currBldrCtx->blockCount(), State);
837 State = bindReturnValue(Call, Pred->getLocationContext(), State);
838
839 // And make the result node.
840 static SimpleProgramPointTag PT("ExprEngine", "Conservative eval call");
841 Bldr.generateNode(Call.getProgramPoint(false, &PT), State, Pred);
842}
843
844ExprEngine::CallInlinePolicy
845ExprEngine::mayInlineCallKind(const CallEvent &Call, const ExplodedNode *Pred,
846 AnalyzerOptions &Opts,
847 const EvalCallOptions &CallOpts) {
848 const LocationContext *CurLC = Pred->getLocationContext();
849 const StackFrameContext *CallerSFC = CurLC->getStackFrame();
850 switch (Call.getKind()) {
851 case CE_Function:
852 case CE_Block:
853 break;
854 case CE_CXXMember:
857 return CIP_DisallowedAlways;
858 break;
859 case CE_CXXConstructor: {
861 return CIP_DisallowedAlways;
862
863 const CXXConstructorCall &Ctor = cast<CXXConstructorCall>(Call);
864
865 const CXXConstructExpr *CtorExpr = Ctor.getOriginExpr();
866
868 const ConstructionContext *CC = CCE ? CCE->getConstructionContext()
869 : nullptr;
870
871 if (llvm::isa_and_nonnull<NewAllocatedObjectConstructionContext>(CC) &&
872 !Opts.MayInlineCXXAllocator)
873 return CIP_DisallowedOnce;
874
875 if (CallOpts.IsArrayCtorOrDtor) {
876 if (!shouldInlineArrayConstruction(Pred->getState(), CtorExpr, CurLC))
877 return CIP_DisallowedOnce;
878 }
879
880 // Inlining constructors requires including initializers in the CFG.
881 const AnalysisDeclContext *ADC = CallerSFC->getAnalysisDeclContext();
882 assert(ADC->getCFGBuildOptions().AddInitializers && "No CFG initializers");
883 (void)ADC;
884
885 // If the destructor is trivial, it's always safe to inline the constructor.
886 if (Ctor.getDecl()->getParent()->hasTrivialDestructor())
887 break;
888
889 // For other types, only inline constructors if destructor inlining is
890 // also enabled.
892 return CIP_DisallowedAlways;
893
895 // If we don't handle temporary destructors, we shouldn't inline
896 // their constructors.
897 if (CallOpts.IsTemporaryCtorOrDtor &&
898 !Opts.ShouldIncludeTemporaryDtorsInCFG)
899 return CIP_DisallowedOnce;
900
901 // If we did not find the correct this-region, it would be pointless
902 // to inline the constructor. Instead we will simply invalidate
903 // the fake temporary target.
905 return CIP_DisallowedOnce;
906
907 // If the temporary is lifetime-extended by binding it to a reference-type
908 // field within an aggregate, automatic destructors don't work properly.
910 return CIP_DisallowedOnce;
911 }
912
913 break;
914 }
916 // This doesn't really increase the cost of inlining ever, because
917 // the stack frame of the inherited constructor is trivial.
918 return CIP_Allowed;
919 }
920 case CE_CXXDestructor: {
922 return CIP_DisallowedAlways;
923
924 // Inlining destructors requires building the CFG correctly.
925 const AnalysisDeclContext *ADC = CallerSFC->getAnalysisDeclContext();
926 assert(ADC->getCFGBuildOptions().AddImplicitDtors && "No CFG destructors");
927 (void)ADC;
928
929 if (CallOpts.IsArrayCtorOrDtor) {
930 if (!shouldInlineArrayDestruction(getElementCountOfArrayBeingDestructed(
931 Call, Pred->getState(), svalBuilder))) {
932 return CIP_DisallowedOnce;
933 }
934 }
935
936 // Allow disabling temporary destructor inlining with a separate option.
937 if (CallOpts.IsTemporaryCtorOrDtor &&
938 !Opts.MayInlineCXXTemporaryDtors)
939 return CIP_DisallowedOnce;
940
941 // If we did not find the correct this-region, it would be pointless
942 // to inline the destructor. Instead we will simply invalidate
943 // the fake temporary target.
945 return CIP_DisallowedOnce;
946 break;
947 }
949 [[fallthrough]];
950 case CE_CXXAllocator:
951 if (Opts.MayInlineCXXAllocator)
952 break;
953 // Do not inline allocators until we model deallocators.
954 // This is unfortunate, but basically necessary for smart pointers and such.
955 return CIP_DisallowedAlways;
956 case CE_ObjCMessage:
957 if (!Opts.MayInlineObjCMethod)
958 return CIP_DisallowedAlways;
959 if (!(Opts.getIPAMode() == IPAK_DynamicDispatch ||
961 return CIP_DisallowedAlways;
962 break;
963 }
964
965 return CIP_Allowed;
966}
967
968/// Returns true if the given C++ class contains a member with the given name.
969static bool hasMember(const ASTContext &Ctx, const CXXRecordDecl *RD,
970 StringRef Name) {
971 const IdentifierInfo &II = Ctx.Idents.get(Name);
972 return RD->hasMemberName(Ctx.DeclarationNames.getIdentifier(&II));
973}
974
975/// Returns true if the given C++ class is a container or iterator.
976///
977/// Our heuristic for this is whether it contains a method named 'begin()' or a
978/// nested type named 'iterator' or 'iterator_category'.
979static bool isContainerClass(const ASTContext &Ctx, const CXXRecordDecl *RD) {
980 return hasMember(Ctx, RD, "begin") ||
981 hasMember(Ctx, RD, "iterator") ||
982 hasMember(Ctx, RD, "iterator_category");
983}
984
985/// Returns true if the given function refers to a method of a C++ container
986/// or iterator.
987///
988/// We generally do a poor job modeling most containers right now, and might
989/// prefer not to inline their methods.
990static bool isContainerMethod(const ASTContext &Ctx,
991 const FunctionDecl *FD) {
992 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(FD))
993 return isContainerClass(Ctx, MD->getParent());
994 return false;
995}
996
997/// Returns true if the given function is the destructor of a class named
998/// "shared_ptr".
999static bool isCXXSharedPtrDtor(const FunctionDecl *FD) {
1000 const CXXDestructorDecl *Dtor = dyn_cast<CXXDestructorDecl>(FD);
1001 if (!Dtor)
1002 return false;
1003
1004 const CXXRecordDecl *RD = Dtor->getParent();
1005 if (const IdentifierInfo *II = RD->getDeclName().getAsIdentifierInfo())
1006 if (II->isStr("shared_ptr"))
1007 return true;
1008
1009 return false;
1010}
1011
1012/// Returns true if the function in \p CalleeADC may be inlined in general.
1013///
1014/// This checks static properties of the function, such as its signature and
1015/// CFG, to determine whether the analyzer should ever consider inlining it,
1016/// in any context.
1017bool ExprEngine::mayInlineDecl(AnalysisDeclContext *CalleeADC) const {
1018 AnalyzerOptions &Opts = AMgr.getAnalyzerOptions();
1019 // FIXME: Do not inline variadic calls.
1020 if (CallEvent::isVariadic(CalleeADC->getDecl()))
1021 return false;
1022
1023 // Check certain C++-related inlining policies.
1024 ASTContext &Ctx = CalleeADC->getASTContext();
1025 if (Ctx.getLangOpts().CPlusPlus) {
1026 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(CalleeADC->getDecl())) {
1027 // Conditionally control the inlining of template functions.
1028 if (!Opts.MayInlineTemplateFunctions)
1029 if (FD->getTemplatedKind() != FunctionDecl::TK_NonTemplate)
1030 return false;
1031
1032 // Conditionally control the inlining of C++ standard library functions.
1033 if (!Opts.MayInlineCXXStandardLibrary)
1034 if (Ctx.getSourceManager().isInSystemHeader(FD->getLocation()))
1036 return false;
1037
1038 // Conditionally control the inlining of methods on objects that look
1039 // like C++ containers.
1040 if (!Opts.MayInlineCXXContainerMethods)
1041 if (!AMgr.isInCodeFile(FD->getLocation()))
1042 if (isContainerMethod(Ctx, FD))
1043 return false;
1044
1045 // Conditionally control the inlining of the destructor of C++ shared_ptr.
1046 // We don't currently do a good job modeling shared_ptr because we can't
1047 // see the reference count, so treating as opaque is probably the best
1048 // idea.
1049 if (!Opts.MayInlineCXXSharedPtrDtor)
1050 if (isCXXSharedPtrDtor(FD))
1051 return false;
1052 }
1053 }
1054
1055 // It is possible that the CFG cannot be constructed.
1056 // Be safe, and check if the CalleeCFG is valid.
1057 const CFG *CalleeCFG = CalleeADC->getCFG();
1058 if (!CalleeCFG)
1059 return false;
1060
1061 // Do not inline large functions.
1062 if (isHuge(CalleeADC))
1063 return false;
1064
1065 // It is possible that the live variables analysis cannot be
1066 // run. If so, bail out.
1067 if (!CalleeADC->getAnalysis<RelaxedLiveVariables>())
1068 return false;
1069
1070 return true;
1071}
1072
1073bool ExprEngine::shouldInlineCall(const CallEvent &Call, const Decl *D,
1074 const ExplodedNode *Pred,
1075 const EvalCallOptions &CallOpts) {
1076 if (!D)
1077 return false;
1078
1080 AnalyzerOptions &Opts = AMgr.options;
1082 AnalysisDeclContext *CalleeADC = ADCMgr.getContext(D);
1083
1084 // The auto-synthesized bodies are essential to inline as they are
1085 // usually small and commonly used. Note: we should do this check early on to
1086 // ensure we always inline these calls.
1087 if (CalleeADC->isBodyAutosynthesized())
1088 return true;
1089
1090 if (!AMgr.shouldInlineCall())
1091 return false;
1092
1093 // Check if this function has been marked as non-inlinable.
1094 std::optional<bool> MayInline = Engine.FunctionSummaries->mayInline(D);
1095 if (MayInline) {
1096 if (!*MayInline)
1097 return false;
1098
1099 } else {
1100 // We haven't actually checked the static properties of this function yet.
1101 // Do that now, and record our decision in the function summaries.
1102 if (mayInlineDecl(CalleeADC)) {
1103 Engine.FunctionSummaries->markMayInline(D);
1104 } else {
1105 Engine.FunctionSummaries->markShouldNotInline(D);
1106 return false;
1107 }
1108 }
1109
1110 // Check if we should inline a call based on its kind.
1111 // FIXME: this checks both static and dynamic properties of the call, which
1112 // means we're redoing a bit of work that could be cached in the function
1113 // summary.
1114 CallInlinePolicy CIP = mayInlineCallKind(Call, Pred, Opts, CallOpts);
1115 if (CIP != CIP_Allowed) {
1116 if (CIP == CIP_DisallowedAlways) {
1117 assert(!MayInline || *MayInline);
1118 Engine.FunctionSummaries->markShouldNotInline(D);
1119 }
1120 return false;
1121 }
1122
1123 // Do not inline if recursive or we've reached max stack frame count.
1124 bool IsRecursive = false;
1125 unsigned StackDepth = 0;
1126 examineStackFrames(D, Pred->getLocationContext(), IsRecursive, StackDepth);
1127 if ((StackDepth >= Opts.InlineMaxStackDepth) &&
1128 (!isSmall(CalleeADC) || IsRecursive))
1129 return false;
1130
1131 // Do not inline large functions too many times.
1132 if ((Engine.FunctionSummaries->getNumTimesInlined(D) >
1133 Opts.MaxTimesInlineLarge) &&
1134 isLarge(CalleeADC)) {
1135 NumReachedInlineCountMax++;
1136 return false;
1137 }
1138
1139 if (HowToInline == Inline_Minimal && (!isSmall(CalleeADC) || IsRecursive))
1140 return false;
1141
1142 return true;
1143}
1144
1145bool ExprEngine::shouldInlineArrayConstruction(const ProgramStateRef State,
1146 const CXXConstructExpr *CE,
1147 const LocationContext *LCtx) {
1148 if (!CE)
1149 return false;
1150
1151 // FIXME: Handle other arrays types.
1152 if (const auto *CAT = dyn_cast<ConstantArrayType>(CE->getType())) {
1153 unsigned ArrSize = getContext().getConstantArrayElementCount(CAT);
1154
1155 // This might seem conter-intuitive at first glance, but the functions are
1156 // closely related. Reasoning about destructors depends only on the type
1157 // of the expression that initialized the memory region, which is the
1158 // CXXConstructExpr. So to avoid code repetition, the work is delegated
1159 // to the function that reasons about destructor inlining. Also note that
1160 // if the constructors of the array elements are inlined, the destructors
1161 // can also be inlined and if the destructors can be inline, it's safe to
1162 // inline the constructors.
1163 return shouldInlineArrayDestruction(ArrSize);
1164 }
1165
1166 // Check if we're inside an ArrayInitLoopExpr, and it's sufficiently small.
1167 if (auto Size = getPendingInitLoop(State, CE, LCtx))
1168 return shouldInlineArrayDestruction(*Size);
1169
1170 return false;
1171}
1172
1173bool ExprEngine::shouldInlineArrayDestruction(uint64_t Size) {
1174
1175 uint64_t maxAllowedSize = AMgr.options.maxBlockVisitOnPath;
1176
1177 // Declaring a 0 element array is also possible.
1178 return Size <= maxAllowedSize && Size > 0;
1179}
1180
1181bool ExprEngine::shouldRepeatCtorCall(ProgramStateRef State,
1182 const CXXConstructExpr *E,
1183 const LocationContext *LCtx) {
1184
1185 if (!E)
1186 return false;
1187
1188 auto Ty = E->getType();
1189
1190 // FIXME: Handle non constant array types
1191 if (const auto *CAT = dyn_cast<ConstantArrayType>(Ty)) {
1193 return Size > getIndexOfElementToConstruct(State, E, LCtx);
1194 }
1195
1196 if (auto Size = getPendingInitLoop(State, E, LCtx))
1197 return Size > getIndexOfElementToConstruct(State, E, LCtx);
1198
1199 return false;
1200}
1201
1202static bool isTrivialObjectAssignment(const CallEvent &Call) {
1203 const CXXInstanceCall *ICall = dyn_cast<CXXInstanceCall>(&Call);
1204 if (!ICall)
1205 return false;
1206
1207 const CXXMethodDecl *MD = dyn_cast_or_null<CXXMethodDecl>(ICall->getDecl());
1208 if (!MD)
1209 return false;
1211 return false;
1212
1213 return MD->isTrivial();
1214}
1215
1217 const CallEvent &CallTemplate,
1218 const EvalCallOptions &CallOpts) {
1219 // Make sure we have the most recent state attached to the call.
1220 ProgramStateRef State = Pred->getState();
1221 CallEventRef<> Call = CallTemplate.cloneWithState(State);
1222
1223 // Special-case trivial assignment operators.
1224 if (isTrivialObjectAssignment(*Call)) {
1225 performTrivialCopy(Bldr, Pred, *Call);
1226 return;
1227 }
1228
1229 // Try to inline the call.
1230 // The origin expression here is just used as a kind of checksum;
1231 // this should still be safe even for CallEvents that don't come from exprs.
1232 const Expr *E = Call->getOriginExpr();
1233
1234 ProgramStateRef InlinedFailedState = getInlineFailedState(State, E);
1235 if (InlinedFailedState) {
1236 // If we already tried once and failed, make sure we don't retry later.
1237 State = InlinedFailedState;
1238 } else {
1239 RuntimeDefinition RD = Call->getRuntimeDefinition();
1240 Call->setForeign(RD.isForeign());
1241 const Decl *D = RD.getDecl();
1242 if (shouldInlineCall(*Call, D, Pred, CallOpts)) {
1243 if (RD.mayHaveOtherDefinitions()) {
1245
1246 // Explore with and without inlining the call.
1247 if (Options.getIPAMode() == IPAK_DynamicDispatchBifurcate) {
1248 BifurcateCall(RD.getDispatchRegion(), *Call, D, Bldr, Pred);
1249 return;
1250 }
1251
1252 // Don't inline if we're not in any dynamic dispatch mode.
1253 if (Options.getIPAMode() != IPAK_DynamicDispatch) {
1254 conservativeEvalCall(*Call, Bldr, Pred, State);
1255 return;
1256 }
1257 }
1258 ctuBifurcate(*Call, D, Bldr, Pred, State);
1259 return;
1260 }
1261 }
1262
1263 // If we can't inline it, clean up the state traits used only if the function
1264 // is inlined.
1265 State = removeStateTraitsUsedForArrayEvaluation(
1266 State, dyn_cast_or_null<CXXConstructExpr>(E), Call->getLocationContext());
1267
1268 // Also handle the return value and invalidate the regions.
1269 conservativeEvalCall(*Call, Bldr, Pred, State);
1270}
1271
1272void ExprEngine::BifurcateCall(const MemRegion *BifurReg,
1273 const CallEvent &Call, const Decl *D,
1274 NodeBuilder &Bldr, ExplodedNode *Pred) {
1275 assert(BifurReg);
1276 BifurReg = BifurReg->StripCasts();
1277
1278 // Check if we've performed the split already - note, we only want
1279 // to split the path once per memory region.
1280 ProgramStateRef State = Pred->getState();
1281 const unsigned *BState =
1282 State->get<DynamicDispatchBifurcationMap>(BifurReg);
1283 if (BState) {
1284 // If we are on "inline path", keep inlining if possible.
1285 if (*BState == DynamicDispatchModeInlined)
1286 ctuBifurcate(Call, D, Bldr, Pred, State);
1287 // If inline failed, or we are on the path where we assume we
1288 // don't have enough info about the receiver to inline, conjure the
1289 // return value and invalidate the regions.
1290 conservativeEvalCall(Call, Bldr, Pred, State);
1291 return;
1292 }
1293
1294 // If we got here, this is the first time we process a message to this
1295 // region, so split the path.
1296 ProgramStateRef IState =
1297 State->set<DynamicDispatchBifurcationMap>(BifurReg,
1298 DynamicDispatchModeInlined);
1299 ctuBifurcate(Call, D, Bldr, Pred, IState);
1300
1301 ProgramStateRef NoIState =
1302 State->set<DynamicDispatchBifurcationMap>(BifurReg,
1303 DynamicDispatchModeConservative);
1304 conservativeEvalCall(Call, Bldr, Pred, NoIState);
1305
1306 NumOfDynamicDispatchPathSplits++;
1307}
1308
1310 ExplodedNodeSet &Dst) {
1311 ExplodedNodeSet dstPreVisit;
1312 getCheckerManager().runCheckersForPreStmt(dstPreVisit, Pred, RS, *this);
1313
1314 StmtNodeBuilder B(dstPreVisit, Dst, *currBldrCtx);
1315
1316 if (RS->getRetValue()) {
1317 for (ExplodedNodeSet::iterator it = dstPreVisit.begin(),
1318 ei = dstPreVisit.end(); it != ei; ++it) {
1319 B.generateNode(RS, *it, (*it)->getState());
1320 }
1321 }
1322}
#define V(N, I)
Definition: ASTContext.h:3217
DynTypedNode Node
Defines the C++ Decl subclasses, other than those for templates (found in DeclTemplate....
static bool isContainerClass(const ASTContext &Ctx, const CXXRecordDecl *RD)
Returns true if the given C++ class is a container or iterator.
static ProgramStateRef getInlineFailedState(ProgramStateRef State, const Stmt *CallE)
static std::pair< const Stmt *, const CFGBlock * > getLastStmt(const ExplodedNode *Node)
static bool isTrivialObjectAssignment(const CallEvent &Call)
static bool isCXXSharedPtrDtor(const FunctionDecl *FD)
Returns true if the given function is the destructor of a class named "shared_ptr".
static bool hasMember(const ASTContext &Ctx, const CXXRecordDecl *RD, StringRef Name)
Returns true if the given C++ class contains a member with the given name.
static bool wasDifferentDeclUsedForInlining(CallEventRef<> Call, const StackFrameContext *calleeCtx)
STATISTIC(NumOfDynamicDispatchPathSplits, "The # of times we split the path due to imprecise dynamic dispatch info")
static SVal adjustReturnValue(SVal V, QualType ExpectedTy, QualType ActualTy, StoreManager &StoreMgr)
Adjusts a return value when the called function's return type does not match the caller's expression ...
static bool isContainerMethod(const ASTContext &Ctx, const FunctionDecl *FD)
Returns true if the given function refers to a method of a C++ container or iterator.
static unsigned getElementCountOfArrayBeingDestructed(const CallEvent &Call, const ProgramStateRef State, SValBuilder &SVB)
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
#define REGISTER_TRAIT_WITH_PROGRAMSTATE(Name, Type)
Declares a program state trait for type Type called Name, and introduce a type named NameTy.
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:182
SourceManager & getSourceManager()
Definition: ASTContext.h:692
DeclarationNameTable DeclarationNames
Definition: ASTContext.h:635
IdentifierTable & Idents
Definition: ASTContext.h:631
const LangOptions & getLangOpts() const
Definition: ASTContext.h:762
uint64_t getConstantArrayElementCount(const ConstantArrayType *CA) const
Return number of constant array elements.
AnalysisDeclContext * getContext(const Decl *D)
AnalysisDeclContext contains the context data for the function, method or block under analysis.
const BlockInvocationContext * getBlockInvocationContext(const LocationContext *ParentLC, const BlockDecl *BD, const void *Data)
Obtain a context of the block invocation using its parent context.
const Decl * getDecl() const
static bool isInStdNamespace(const Decl *D)
const StackFrameContext * getStackFrame(LocationContext const *ParentLC, const Stmt *S, const CFGBlock *Blk, unsigned BlockCount, unsigned Index)
Obtain a context of the call stack using its parent context.
ASTContext & getASTContext() const
CFG::BuildOptions & getCFGBuildOptions()
Stores options for the analyzer from the command line.
bool mayInlineCXXMemberFunction(CXXInlineableMemberKind K) const
Returns the option controlling which C++ member functions will be considered for inlining.
unsigned maxBlockVisitOnPath
The maximum number of times the analyzer visits a block.
IPAKind getIPAMode() const
Returns the inter-procedural analysis mode.
CTUPhase1InliningKind getCTUPhase1Inlining() const
AnalysisPurgeMode AnalysisPurgeOpt
unsigned InlineMaxStackDepth
The inlining stack depth limit.
Represents a single basic block in a source-level CFG.
Definition: CFG.h:576
bool empty() const
Definition: CFG.h:918
succ_iterator succ_begin()
Definition: CFG.h:955
unsigned succ_size() const
Definition: CFG.h:973
Represents C++ constructor call.
Definition: CFG.h:154
std::optional< T > getAs() const
Convert to the specified CFGElement type, returning std::nullopt if this CFGElement is not of the des...
Definition: CFG.h:107
Represents a source-level, intra-procedural CFG that represents the control-flow of a Stmt.
Definition: CFG.h:1225
unsigned size() const
Return the total number of CFGBlocks within the CFG This is simply a renaming of the getNumBlockIDs()...
Definition: CFG.h:1416
bool isLinear() const
Returns true if the CFG has no branches.
Definition: CFG.cpp:5236
unsigned getNumBlockIDs() const
Returns the total number of BlockIDs allocated (which start at 0).
Definition: CFG.h:1411
BasePaths - Represents the set of paths from a derived class to one of its (direct or indirect) bases...
Represents a call to a C++ constructor.
Definition: ExprCXX.h:1518
ConstructionKind getConstructionKind() const
Determine whether this constructor is actually constructing a base class (rather than a complete obje...
Definition: ExprCXX.h:1638
Represents a C++ destructor within a class.
Definition: DeclCXX.h:2738
Represents a static or instance method of a struct/union/class.
Definition: DeclCXX.h:2018
const CXXRecordDecl * getParent() const
Return the parent of this method declaration, which is the class in which this method is defined.
Definition: DeclCXX.h:2133
bool isMoveAssignmentOperator() const
Determine whether this is a move assignment operator.
Definition: DeclCXX.cpp:2431
bool isCopyAssignmentOperator() const
Determine whether this is a copy-assignment operator, regardless of whether it was declared implicitl...
Definition: DeclCXX.cpp:2410
Represents a C++ struct/union/class.
Definition: DeclCXX.h:254
bool hasTrivialDestructor() const
Determine whether this class has a trivial destructor (C++ [class.dtor]p3)
Definition: DeclCXX.h:1344
bool hasMemberName(DeclarationName N) const
Determine whether this class has a member with the given name, possibly in a non-dependent base class...
bool isDerivedFrom(const CXXRecordDecl *Base) const
Determine whether this class is derived from the class Base.
Represents a point when we begin processing an inlined call.
Definition: ProgramPoint.h:628
const CFGBlock * getEntry() const
Returns the entry block in the CFG for the entered function.
Definition: ProgramPoint.h:643
const StackFrameContext * getCalleeContext() const
Definition: ProgramPoint.h:638
Represents a point when we finish the call exit sequence (for inlined call).
Definition: ProgramPoint.h:686
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2812
ConstructionContext's subclasses describe different ways of constructing an object in C++.
Decl - This represents one declaration (or definition), e.g.
Definition: DeclBase.h:83
virtual Decl * getCanonicalDecl()
Retrieves the "canonical" declaration of the given declaration.
Definition: DeclBase.h:943
DeclarationName getIdentifier(const IdentifierInfo *ID)
Create a declaration name that is a simple identifier.
IdentifierInfo * getAsIdentifierInfo() const
Retrieve the IdentifierInfo * stored in this declaration name, or null if this declaration name isn't...
This represents one expression.
Definition: Expr.h:110
QualType getType() const
Definition: Expr.h:142
Represents a function declaration or definition.
Definition: Decl.h:1917
bool isTrivial() const
Whether this function is "trivial" in some specialized C++ senses.
Definition: Decl.h:2272
One of these records is kept for each identifier that is lexed.
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
const Decl * getDecl() const
LLVM_ATTRIBUTE_RETURNS_NONNULL AnalysisDeclContext * getAnalysisDeclContext() const
const LocationContext * getParent() const
It might return null.
const StackFrameContext * getStackFrame() const
DeclarationName getDeclName() const
Get the actual, stored name of the declaration, which may be a special name.
Definition: Decl.h:313
Represents a parameter to a function.
Definition: Decl.h:1722
const StackFrameContext * getStackFrame() const
Definition: ProgramPoint.h:179
std::optional< T > getAs() const
Convert to the specified ProgramPoint type, returning std::nullopt if this ProgramPoint is not of the...
Definition: ProgramPoint.h:147
A (possibly-)qualified type.
Definition: Type.h:736
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition: Type.h:803
QualType getCanonicalType() const
Definition: Type.h:6701
bool isConstQualified() const
Determine whether this type is const-qualified.
Definition: Type.h:6721
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:2806
Expr * getRetValue()
Definition: Stmt.h:2837
bool isInSystemHeader(SourceLocation Loc) const
Returns if a SourceLocation is in a system header.
It represents a stack frame of the call stack (based on CallEvent).
const Stmt * getCallSite() const
const CFGBlock * getCallSiteBlock() const
Stmt - This represents one statement.
Definition: Stmt.h:72
bool isVoidType() const
Definition: Type.h:7218
bool isPointerType() const
Definition: Type.h:6910
CanQualType getCanonicalTypeUnqualified() const
bool isReferenceType() const
Definition: Type.h:6922
const CXXRecordDecl * getPointeeCXXRecordDecl() const
If this is a pointer or reference to a RecordType, return the CXXRecordDecl that the type refers to.
Definition: Type.cpp:1768
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee.
Definition: Type.cpp:629
bool isObjCObjectPointerType() const
Definition: Type.h:7038
static bool isInCodeFile(SourceLocation SL, const SourceManager &SM)
AnalysisDeclContext * getAnalysisDeclContext(const Decl *D)
AnalysisDeclContextManager & getAnalysisDeclContextManager()
AnalyzerOptions & getAnalyzerOptions() override
BlockDataRegion - A region that represents a block instance.
Definition: MemRegion.h:674
Represents a call to a C++ constructor.
Definition: CallEvent.h:899
const CXXConstructorDecl * getDecl() const override
Returns the declaration of the function or method that will be called.
Definition: CallEvent.h:928
const CXXConstructExpr * getOriginExpr() const override
Returns the expression whose value will be the result of this call.
Definition: CallEvent.h:924
Represents a non-static C++ member function call, no matter how it is written.
Definition: CallEvent.h:672
const FunctionDecl * getDecl() const override
Returns the declaration of the function or method that will be called.
Definition: CallEvent.cpp:672
Manages the lifetime of CallEvent objects.
Definition: CallEvent.h:1279
CallEventRef getSimpleCall(const CallExpr *E, ProgramStateRef State, const LocationContext *LCtx, CFGBlock::ConstCFGElementRef ElemRef)
Definition: CallEvent.cpp:1378
CallEventRef getCaller(const StackFrameContext *CalleeCtx, ProgramStateRef State)
Gets an outside caller given a callee context.
Definition: CallEvent.cpp:1400
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:149
CallEventRef< T > cloneWithState(ProgramStateRef NewState) const
Returns a copy of this CallEvent, but using the given state.
Definition: CallEvent.h:1396
static QualType getDeclaredResultType(const Decl *D)
Returns the result type of a function or method declaration.
Definition: CallEvent.cpp:351
static bool isVariadic(const Decl *D)
Returns true if the given decl is known to be variadic.
Definition: CallEvent.cpp:380
void runCheckersForPreCall(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const CallEvent &Call, ExprEngine &Eng)
Run checkers for pre-visiting obj-c messages.
void runCheckersForEvalCall(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const CallEvent &CE, ExprEngine &Eng, const EvalCallOptions &CallOpts)
Run checkers for evaluating a call.
void runCheckersForPostObjCMessage(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const ObjCMethodCall &msg, ExprEngine &Eng, bool wasInlined=false)
Run checkers for post-visiting obj-c messages.
void runCheckersForPostStmt(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const Stmt *S, ExprEngine &Eng, bool wasInlined=false)
Run checkers for post-visiting Stmts.
void runCheckersForNewAllocator(const CXXAllocatorCall &Call, ExplodedNodeSet &Dst, ExplodedNode *Pred, ExprEngine &Eng, bool wasInlined=false)
Run checkers between C++ operator new and constructor calls.
void runCheckersForPreStmt(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const Stmt *S, ExprEngine &Eng)
Run checkers for pre-visiting Stmts.
void runCheckersForPostCall(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const CallEvent &Call, ExprEngine &Eng, bool wasInlined=false)
Run checkers for post-visiting obj-c messages.
WorkList * getCTUWorkList() const
Definition: CoreEngine.h:176
WorkList * getWorkList() const
Definition: CoreEngine.h:175
void enqueue(ExplodedNodeSet &Set)
Enqueue the given set of nodes onto the work list.
Definition: CoreEngine.cpp:606
ExplodedNode * getNode(const ProgramPoint &L, ProgramStateRef State, bool IsSink=false, bool *IsNew=nullptr)
Retrieve the node associated with a (Location,State) pair, where the 'Location' is a ProgramPoint in ...
void insert(const ExplodedNodeSet &S)
void Add(ExplodedNode *N)
const ProgramStateRef & getState() const
void addPredecessor(ExplodedNode *V, ExplodedGraph &G)
addPredeccessor - Adds a predecessor to the current node, and in tandem add this node as a successor ...
const StackFrameContext * getStackFrame() const
const LocationContext * getLocationContext() const
ProgramStateManager & getStateManager()
Definition: ExprEngine.h:423
void processCallEnter(NodeBuilderContext &BC, CallEnter CE, ExplodedNode *Pred)
Generate the entry node of the callee.
void processBeginOfFunction(NodeBuilderContext &BC, ExplodedNode *Pred, ExplodedNodeSet &Dst, const BlockEdge &L)
Called by CoreEngine.
void removeDead(ExplodedNode *Node, ExplodedNodeSet &Out, const Stmt *ReferenceStmt, const LocationContext *LC, const Stmt *DiagnosticStmt=nullptr, ProgramPoint::Kind K=ProgramPoint::PreStmtPurgeDeadSymbolsKind)
Run the analyzer's garbage collection - remove dead symbols and bindings from the state.
std::pair< ProgramStateRef, SVal > handleConstructionContext(const Expr *E, ProgramStateRef State, const NodeBuilderContext *BldrCtx, const LocationContext *LCtx, const ConstructionContext *CC, EvalCallOptions &CallOpts, unsigned Idx=0)
A convenient wrapper around computeObjectUnderConstruction and updateObjectsUnderConstruction.
Definition: ExprEngine.h:758
void VisitReturnStmt(const ReturnStmt *R, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitReturnStmt - Transfer function logic for return statements.
const CoreEngine & getCoreEngine() const
Definition: ExprEngine.h:446
void processCallExit(ExplodedNode *Pred)
Generate the sequence of nodes that simulate the call exit and the post visit for CallExpr.
static std::optional< SVal > getObjectUnderConstruction(ProgramStateRef State, const ConstructionContextItem &Item, const LocationContext *LC)
By looking at a certain item that may be potentially part of an object's ConstructionContext,...
Definition: ExprEngine.cpp:598
CFGElement getCurrentCFGElement()
Return the CFG element corresponding to the worklist element that is currently being processed by Exp...
Definition: ExprEngine.h:707
@ Inline_Minimal
Do minimal inlining of callees.
Definition: ExprEngine.h:134
ProgramStateRef processPointerEscapedOnBind(ProgramStateRef State, ArrayRef< std::pair< SVal, SVal > > LocAndVals, const LocationContext *LCtx, PointerEscapeKind Kind, const CallEvent *Call)
Call PointerEscape callback when a value escapes as a result of bind.
static std::optional< unsigned > getIndexOfElementToConstruct(ProgramStateRef State, const CXXConstructExpr *E, const LocationContext *LCtx)
Retreives which element is being constructed in a non-POD type array.
Definition: ExprEngine.cpp:508
void VisitCallExpr(const CallExpr *CE, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitCall - Transfer function for function calls.
ASTContext & getContext() const
getContext - Return the ASTContext associated with this analysis.
Definition: ExprEngine.h:204
StoreManager & getStoreManager()
Definition: ExprEngine.h:425
CFGBlock::ConstCFGElementRef getCFGElementRef() const
Definition: ExprEngine.h:237
void evalCall(ExplodedNodeSet &Dst, ExplodedNode *Pred, const CallEvent &Call)
Evaluate a call, running pre- and post-call checkers and allowing checkers to be responsible for hand...
static std::optional< unsigned > getPendingArrayDestruction(ProgramStateRef State, const LocationContext *LCtx)
Retreives which element is being destructed in a non-POD type array.
Definition: ExprEngine.cpp:527
CheckerManager & getCheckerManager() const
Definition: ExprEngine.h:212
ProgramStateRef bindReturnValue(const CallEvent &Call, const LocationContext *LCtx, ProgramStateRef State)
Create a new state in which the call return value is binded to the call origin expression.
void removeDeadOnEndOfFunction(NodeBuilderContext &BC, ExplodedNode *Pred, ExplodedNodeSet &Dst)
Remove dead bindings/symbols before exiting a function.
void defaultEvalCall(NodeBuilder &B, ExplodedNode *Pred, const CallEvent &Call, const EvalCallOptions &CallOpts={})
Default implementation of call evaluation.
AnalysisManager & getAnalysisManager()
Definition: ExprEngine.h:206
static std::optional< unsigned > getPendingInitLoop(ProgramStateRef State, const CXXConstructExpr *E, const LocationContext *LCtx)
Retreives the size of the array in the pending ArrayInitLoopExpr.
Definition: ExprEngine.cpp:481
std::optional< bool > mayInline(const Decl *D)
void markMayInline(const Decl *D)
unsigned getNumTimesInlined(const Decl *D)
void markShouldNotInline(const Decl *D)
void bumpNumTimesInlined(const Decl *D)
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:95
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * StripCasts(bool StripBaseAndDerivedCasts=true) const
Definition: MemRegion.cpp:1342
This is the simplest builder which generates nodes in the ExplodedGraph.
Definition: CoreEngine.h:247
ExplodedNode * generateNode(const ProgramPoint &PP, ProgramStateRef State, ExplodedNode *Pred)
Generates a node in the ExplodedGraph.
Definition: CoreEngine.h:300
void takeNodes(const ExplodedNodeSet &S)
Definition: CoreEngine.h:342
Represents any expression that calls an Objective-C method.
Definition: CallEvent.h:1163
While alive, includes the current analysis stack in a crash trace.
CallEventManager & getCallEventManager()
Definition: ProgramState.h:577
Information about invalidation for a particular region/symbol.
Definition: MemRegion.h:1570
void setTrait(SymbolRef Sym, InvalidationKinds IK)
Definition: MemRegion.cpp:1732
Defines the runtime definition of the called function.
Definition: CallEvent.h:106
const MemRegion * getDispatchRegion()
When other definitions are possible, returns the region whose runtime type determines the method defi...
Definition: CallEvent.h:137
bool mayHaveOtherDefinitions()
Check if the definition we have is precise.
Definition: CallEvent.h:133
nonloc::ConcreteInt makeIntVal(const IntegerLiteral *integer)
Definition: SValBuilder.h:269
QualType getArrayIndexType() const
Definition: SValBuilder.h:145
SVal evalCast(SVal V, QualType CastTy, QualType OriginalTy)
Cast a given SVal to another SVal using given QualType's.
DefinedOrUnknownSVal conjureSymbolVal(const void *symbolTag, const Expr *expr, const LocationContext *LCtx, unsigned count)
Create a new symbol with a unique 'name'.
loc::MemRegionVal getCXXThis(const CXXMethodDecl *D, const StackFrameContext *SFC)
Return a memory region for the 'this' object reference.
SVal evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op, SVal lhs, SVal rhs, QualType type)
DefinedOrUnknownSVal getConjuredHeapSymbolVal(const Expr *E, const LocationContext *LCtx, unsigned Count)
Conjure a symbol representing heap allocated memory region.
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:72
QualType getType(const ASTContext &) const
Try to get a reasonable type for the given value.
Definition: SVals.cpp:184
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:99
This builder class is useful for generating nodes that resulted from visiting a statement.
Definition: CoreEngine.h:391
ExplodedNode * generateNode(const Stmt *S, ExplodedNode *Pred, ProgramStateRef St, const ProgramPointTag *tag=nullptr, ProgramPoint::Kind K=ProgramPoint::PostStmtKind)
Definition: CoreEngine.h:420
SVal evalDerivedToBase(SVal Derived, const CastExpr *Cast)
Evaluates a chain of derived-to-base casts through the path specified in Cast.
Definition: Store.cpp:251
virtual void enqueue(const WorkListUnit &U)=0
const MemRegion * getRegion() const
Get the underlining region.
Definition: SVals.h:512
@ PSK_EscapeOutParameters
Escape for a new symbol that was generated into a region that the analyzer cannot follow during a con...
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State, const MemRegion *MR, SValBuilder &SVB, QualType Ty)
@ CE_CXXMember
Definition: CallEvent.h:62
@ CE_ObjCMessage
Definition: CallEvent.h:76
@ CE_CXXInheritedConstructor
Definition: CallEvent.h:68
@ CE_CXXDestructor
Definition: CallEvent.h:64
@ CE_CXXDeallocator
Definition: CallEvent.h:72
@ CE_CXXAllocator
Definition: CallEvent.h:71
@ CE_CXXConstructor
Definition: CallEvent.h:67
@ CE_CXXMemberOperator
Definition: CallEvent.h:63
DefinedOrUnknownSVal getElementExtent(QualType Ty, SValBuilder &SVB)
ProgramStateRef setDynamicExtent(ProgramStateRef State, const MemRegion *MR, DefinedOrUnknownSVal Extent, SValBuilder &SVB)
Set the dynamic extent Extent of the region MR.
bool Call(InterpState &S, CodePtr &PC, const Function *Func)
Definition: Interp.h:1493
@ IPAK_DynamicDispatch
Enable inlining of dynamically dispatched methods.
@ IPAK_DynamicDispatchBifurcate
Enable inlining of dynamically dispatched methods, bifurcate paths when exact type info is unavailabl...
@ OMF_autorelease
@ C
Languages that the frontend can parse and compile.
@ CIMK_Destructors
Refers to destructors (implicit or explicit).
@ CIMK_MemberFunctions
Refers to regular member function and operator calls.
@ CIMK_Constructors
Refers to constructors (implicit or explicit).
unsigned long uint64_t
Hints for figuring out of a call should be inlined during evalCall().
Definition: ExprEngine.h:97
bool IsTemporaryLifetimeExtendedViaAggregate
This call is a constructor for a temporary that is lifetime-extended by binding it to a reference-typ...
Definition: ExprEngine.h:112
bool IsTemporaryCtorOrDtor
This call is a constructor or a destructor of a temporary value.
Definition: ExprEngine.h:107
bool IsArrayCtorOrDtor
This call is a constructor or a destructor for a single element within an array, a part of array cons...
Definition: ExprEngine.h:104
bool IsCtorOrDtorWithImproperlyModeledTargetRegion
This call is a constructor or a destructor for which we do not currently compute the this-region corr...
Definition: ExprEngine.h:100
const CFGBlock * getBlock() const
Return the CFGBlock associated with this builder.
Definition: CoreEngine.h:227
unsigned blockCount() const
Returns the number of times the current basic block has been visited on the exploded graph path.
Definition: CoreEngine.h:231
Traits for storing the call processing policy inside GDM.
Definition: ExprEngine.h:1037