clang 23.0.0git
ExprEngineCallAndReturn.cpp
Go to the documentation of this file.
1//=-- ExprEngineCallAndReturn.cpp - Support for call/return -----*- C++ -*-===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines ExprEngine's support for calls and returns.
10//
11//===----------------------------------------------------------------------===//
12
14#include "clang/AST/Decl.h"
15#include "clang/AST/DeclCXX.h"
23#include "llvm/Support/Casting.h"
24#include "llvm/Support/Compiler.h"
25#include "llvm/Support/SaveAndRestore.h"
26#include <optional>
27
28using namespace clang;
29using namespace ento;
30
31#define DEBUG_TYPE "ExprEngine"
32
34 NumOfDynamicDispatchPathSplits,
35 "The # of times we split the path due to imprecise dynamic dispatch info");
36
37STAT_COUNTER(NumInlinedCalls, "The # of times we inlined a call");
38
39STAT_COUNTER(NumReachedInlineCountMax,
40 "The # of times we reached inline count maximum");
41
43 // Get the entry block in the CFG of the callee.
44 const CFGBlock *Entry = CE.getEntry();
45
46 // Validate the CFG.
47 assert(Entry->empty());
48 assert(Entry->succ_size() == 1);
49
50 // Get the solitary successor.
51 const CFGBlock *Succ = *(Entry->succ_begin());
52
53 // Construct an edge representing the starting location in the callee.
54 BlockEdge Loc(Entry, Succ, CE.getCalleeStackFrame());
55
56 ProgramStateRef state = Pred->getState();
57
58 // Construct a new node, notify checkers that analysis of the function has
59 // begun, and add the resultant nodes to the worklist.
60 bool isNew;
61 ExplodedNode *Node = G.getNode(Loc, state, false, &isNew);
62 Node->addPredecessor(Pred, G);
63 if (isNew) {
64 // FIXME: In the `processBeginOfFunction` callback
65 // `ExprEngine::getCurrStackFrame()` can be different from the
66 // `StackFrame` queried from e.g. the `ExplodedNode`s. I'm not
67 // touching this now because this commit is NFC; but in the future it would
68 // be nice to avoid this inconsistency.
69 ExplodedNodeSet DstBegin;
70 processBeginOfFunction(Node, DstBegin, Loc);
71 Engine.enqueue(DstBegin);
72 }
73}
74
75// Find the last statement on the path to the exploded node and the
76// corresponding Block.
77static std::pair<const Stmt*,
78 const CFGBlock*> getLastStmt(const ExplodedNode *Node) {
79 const Stmt *S = nullptr;
80 const CFGBlock *Blk = nullptr;
81 const StackFrame *SF = Node->getStackFrame();
82
83 // Back up through the ExplodedGraph until we reach a statement node in this
84 // stack frame.
85 while (Node) {
86 const ProgramPoint &PP = Node->getLocation();
87
88 if (PP.getStackFrame() == SF) {
89 if (std::optional<StmtPoint> SP = PP.getAs<StmtPoint>()) {
90 S = SP->getStmt();
91 break;
92 } else if (std::optional<CallExitEnd> CEE = PP.getAs<CallExitEnd>()) {
93 S = CEE->getCalleeStackFrame()->getCallSite();
94 if (S)
95 break;
96
97 // If there is no statement, this is an implicitly-generated call.
98 // We'll walk backwards over it and then continue the loop to find
99 // an actual statement.
100 std::optional<CallEnter> CE;
101 do {
102 Node = Node->getFirstPred();
103 CE = Node->getLocationAs<CallEnter>();
104 } while (!CE ||
105 CE->getCalleeStackFrame() != CEE->getCalleeStackFrame());
106
107 // Continue searching the graph.
108 } else if (std::optional<BlockEdge> BE = PP.getAs<BlockEdge>()) {
109 Blk = BE->getSrc();
110 }
111 } else if (std::optional<CallEnter> CE = PP.getAs<CallEnter>()) {
112 // If we reached the CallEnter for this function, it has no statements.
113 if (CE->getCalleeStackFrame() == SF)
114 break;
115 }
116
117 if (Node->pred_empty())
118 return std::make_pair(nullptr, nullptr);
119
120 Node = *Node->pred_begin();
121 }
122
123 return std::make_pair(S, Blk);
124}
125
126/// Adjusts a return value when the called function's return type does not
127/// match the caller's expression type. This can happen when a dynamic call
128/// is devirtualized, and the overriding method has a covariant (more specific)
129/// return type than the parent's method. For C++ objects, this means we need
130/// to add base casts.
131static SVal adjustReturnValue(SVal V, QualType ExpectedTy, QualType ActualTy,
132 StoreManager &StoreMgr) {
133 // For now, the only adjustments we handle apply only to locations.
134 if (!isa<Loc>(V))
135 return V;
136
137 // If the types already match, don't do any unnecessary work.
138 ExpectedTy = ExpectedTy.getCanonicalType();
139 ActualTy = ActualTy.getCanonicalType();
140 if (ExpectedTy == ActualTy)
141 return V;
142
143 // No adjustment is needed between Objective-C pointer types.
144 if (ExpectedTy->isObjCObjectPointerType() &&
145 ActualTy->isObjCObjectPointerType())
146 return V;
147
148 // C++ object pointers may need "derived-to-base" casts.
150 const CXXRecordDecl *ActualClass = ActualTy->getPointeeCXXRecordDecl();
151 if (ExpectedClass && ActualClass) {
152 CXXBasePaths Paths(/*FindAmbiguities=*/true, /*RecordPaths=*/true,
153 /*DetectVirtual=*/false);
154 if (ActualClass->isDerivedFrom(ExpectedClass, Paths) &&
155 !Paths.isAmbiguous(ActualTy->getCanonicalTypeUnqualified())) {
156 return StoreMgr.evalDerivedToBase(V, Paths.front());
157 }
158 }
159
160 // Unfortunately, Objective-C does not enforce that overridden methods have
161 // covariant return types, so we can't assert that that never happens.
162 // Be safe and return UnknownVal().
163 return UnknownVal();
164}
165
167 ExplodedNodeSet &Dst) {
168 // Find the last statement in the function and the corresponding basic block.
169 const Stmt *LastSt = nullptr;
170 const CFGBlock *Blk = nullptr;
171 std::tie(LastSt, Blk) = getLastStmt(Pred);
172 if (!Blk || !LastSt) {
173 Dst.insert(Pred);
174 return;
175 }
176
177 // Here, we destroy the current stack frame. We use the current function's
178 // entire body as a diagnostic statement, with which the program point
179 // will be associated. However, we only want to use LastStmt as a reference
180 // for what to clean up if it's a ReturnStmt; otherwise, everything is dead.
181 const StackFrame *SF = Pred->getStackFrame();
182 removeDead(Pred, Dst, dyn_cast<ReturnStmt>(LastSt), SF,
185}
186
188 const StackFrame *calleeCtx) {
189 const Decl *RuntimeCallee = calleeCtx->getDecl();
190 const Decl *StaticDecl = Call->getDecl();
191 assert(RuntimeCallee);
192 if (!StaticDecl)
193 return true;
194 return RuntimeCallee->getCanonicalDecl() != StaticDecl->getCanonicalDecl();
195}
196
197// Returns the number of elements in the array currently being destructed.
198// If the element count is not found 0 will be returned.
200 const CallEvent &Call, const ProgramStateRef State, SValBuilder &SVB) {
202 "The call event is not a destructor call!");
203
204 const auto &DtorCall = cast<CXXDestructorCall>(Call);
205
206 auto ThisVal = DtorCall.getCXXThisVal();
207
208 if (auto ThisElementRegion = dyn_cast<ElementRegion>(ThisVal.getAsRegion())) {
209 auto ArrayRegion = ThisElementRegion->getAsArrayOffset().getRegion();
210 auto ElementType = ThisElementRegion->getElementType();
211
212 auto ElementCount =
213 getDynamicElementCount(State, ArrayRegion, SVB, ElementType);
214
215 if (!ElementCount.isConstant())
216 return 0;
217
218 return ElementCount.getAsInteger()->getLimitedValue();
219 }
220
221 return 0;
222}
223
224ProgramStateRef ExprEngine::removeStateTraitsUsedForArrayEvaluation(
225 ProgramStateRef State, const CXXConstructExpr *E, const StackFrame *SF) {
226
227 assert(SF && "Stack frame must be provided!");
228
229 if (E) {
230 if (getPendingInitLoop(State, E, SF))
231 State = removePendingInitLoop(State, E, SF);
232
233 if (getIndexOfElementToConstruct(State, E, SF))
234 State = removeIndexOfElementToConstruct(State, E, SF);
235 }
236
237 if (getPendingArrayDestruction(State, SF))
238 State = removePendingArrayDestruction(State, SF);
239
240 return State;
241}
242
243/// The call exit is simulated with a sequence of nodes, which occur between
244/// CallExitBegin and CallExitEnd. The following operations occur between the
245/// two program points:
246/// 1. CallExitBegin (triggers the start of call exit sequence)
247/// 2. Bind the return value
248/// 3. Run Remove dead bindings to clean up the dead symbols from the callee.
249/// 4. CallExitEnd
250/// 5. PostStmt<CallExpr>
251/// Steps 1-3. happen in the callee stack frame; but there is a stack frame
252/// switch and steps 4-5. happen in the caller stack frame.
254 // Step 1 CEBNode was generated before the call.
255 const StackFrame *CalleeSF = CEBNode->getStackFrame();
256
257 const StackFrame *CallerSF = CalleeSF->getParent();
258
259 const Expr *CE = CalleeSF->getCallSite();
260 ProgramStateRef State = CEBNode->getState();
261 // Find the last statement in the function and the corresponding basic block.
262 auto [LastSt, Blk] = getLastStmt(CEBNode);
263
264 const CFGBlock *PrePurgeBlock =
265 isa_and_nonnull<ReturnStmt>(LastSt) ? Blk : &CEBNode->getCFG().getExit();
266 // The first half of this process happens in the callee stack frame:
267 setCurrStackFrameAndBlock(CalleeSF, PrePurgeBlock);
268
269 // Generate a CallEvent /before/ cleaning the State, so that we can get the
270 // correct value for 'this' (if necessary).
272 CallEventRef<> Call = CEMgr.getCaller(CalleeSF, State);
273
274 // Step 2: generate node with bound return value: CEBNode -> BoundRetNode.
275
276 // If this variable is set to 'true' the analyzer will evaluate the call
277 // statement we are about to exit again, instead of continuing the execution
278 // from the statement after the call. This is useful for non-POD type array
279 // construction where the CXXConstructExpr is referenced only once in the CFG,
280 // but we want to evaluate it as many times as many elements the array has.
281 bool ShouldRepeatCall = false;
282
283 if (const auto *DtorDecl =
284 dyn_cast_or_null<CXXDestructorDecl>(Call->getDecl())) {
285 if (auto Idx = getPendingArrayDestruction(State, CallerSF)) {
286 ShouldRepeatCall = *Idx > 0;
287
288 auto ThisVal = svalBuilder.getCXXThis(DtorDecl->getParent(), CalleeSF);
289 State = State->killBinding(ThisVal);
290 }
291 }
292
293 // If the callee returns an expression, bind its value to CallExpr.
294 if (CE) {
295 if (const ReturnStmt *RS = dyn_cast_or_null<ReturnStmt>(LastSt)) {
296 const StackFrame *SF = CEBNode->getStackFrame();
297
298 SVal V = UndefinedVal();
299 if (RS->getRetValue())
300 V = State->getSVal(RS->getRetValue(), SF);
301
302 // Ensure that the return type matches the type of the returned Expr.
303 if (wasDifferentDeclUsedForInlining(Call, CalleeSF)) {
304 QualType ReturnedTy =
306 if (!ReturnedTy.isNull()) {
307 V = adjustReturnValue(V, CE->getType(), ReturnedTy,
309 }
310 }
311
312 State = State->BindExpr(CE, CallerSF, V);
313 }
314
315 // Bind the constructed object value to CXXConstructExpr.
316 if (const CXXConstructExpr *CCE = dyn_cast<CXXConstructExpr>(CE)) {
318 svalBuilder.getCXXThis(CCE->getConstructor()->getParent(), CalleeSF);
319 SVal ThisV = State->getSVal(This);
320 ThisV = State->getSVal(ThisV.castAs<Loc>());
321 State = State->BindExpr(CCE, CallerSF, ThisV);
322
323 ShouldRepeatCall = shouldRepeatCtorCall(State, CCE, CallerSF);
324 }
325
326 if (const auto *CNE = dyn_cast<CXXNewExpr>(CE)) {
327 // We are currently evaluating a CXXNewAllocator CFGElement. It takes a
328 // while to reach the actual CXXNewExpr element from here, so keep the
329 // region for later use.
330 // Additionally cast the return value of the inlined operator new
331 // (which is of type 'void *') to the correct object type.
332 SVal AllocV = State->getSVal(CNE, CallerSF);
333 AllocV = svalBuilder.evalCast(
334 AllocV, CNE->getType(),
335 getContext().getPointerType(getContext().VoidTy));
336
337 State =
338 addObjectUnderConstruction(State, CNE, CalleeSF->getParent(), AllocV);
339 }
340 }
341
342 if (!ShouldRepeatCall) {
343 State = removeStateTraitsUsedForArrayEvaluation(
344 State, dyn_cast_or_null<CXXConstructExpr>(CE), CallerSF);
345 }
346
347 // Step 3: BoundRetNode -> CleanedNodes
348 // If we can find a statement and a block in the inlined function, run remove
349 // dead bindings before returning from the call. This is important to ensure
350 // that we report the issues such as leaks in the stack frames in which
351 // they occurred.
352 ExplodedNodeSet CleanedNodes;
353 if (LastSt && Blk && AMgr.options.AnalysisPurgeOpt != PurgeNone) {
354 static SimpleProgramPointTag RetValBind("ExprEngine", "Bind Return Value");
355 auto Loc = isa<ReturnStmt>(LastSt)
356 ? ProgramPoint{PostStmt(LastSt, CalleeSF, &RetValBind)}
357 : ProgramPoint{EpsilonPoint(CalleeSF, /*Data1=*/nullptr,
358 /*Data2=*/nullptr, &RetValBind)};
359
360 ExplodedNode *BoundRetNode = Engine.makeNode(Loc, State, CEBNode);
361 if (!BoundRetNode)
362 return;
363
364 // We call removeDead in the stack frame of the callee.
365 removeDead(BoundRetNode, CleanedNodes, /*ReferenceStmt=*/nullptr, CalleeSF,
366 /*DiagnosticStmt=*/CalleeSF->getAnalysisDeclContext()->getBody(),
368 } else {
369 CleanedNodes.insert(CEBNode);
370 }
371
372 // The second half of this process happens in the caller stack frame. This is
373 // an exception to the general rule that the current StackFrame and Block
374 // stay the same within a single call to dispatchWorkItem.
376 setCurrStackFrameAndBlock(CallerSF, CalleeSF->getCallSiteBlock());
377 SaveAndRestore CBISave(currStmtIdx, CalleeSF->getIndex());
378
379 for (ExplodedNode *N : CleanedNodes) {
380 // Step 4: Generate the CallExitEnd node.
381 // CleanedNodes -> CEENode
382 CallExitEnd Loc(CalleeSF, CallerSF);
383 ProgramStateRef CEEState = (N == CEBNode) ? State : N->getState();
384
385 ExplodedNode *CEENode = Engine.makeNode(Loc, CEEState, N);
386 if (!CEENode)
387 continue;
388
389 // Step 5: Perform the post-condition check of the CallExpr and enqueue the
390 // result onto the work list.
391 // CEENode -> Dst -> WorkList
392
393 CallEventRef<> UpdatedCall = Call.cloneWithState(CEEState);
394
395 ExplodedNodeSet DstPostPostCallCallback;
396 getCheckerManager().runCheckersForPostCall(DstPostPostCallCallback, CEENode,
397 *UpdatedCall, *this,
398 /*wasInlined=*/true);
399 ExplodedNodeSet DstPostCall;
400 if (llvm::isa_and_nonnull<CXXNewExpr>(CE)) {
401 for (ExplodedNode *I : DstPostPostCallCallback) {
403 cast<CXXAllocatorCall>(*UpdatedCall), DstPostCall, I, *this,
404 /*wasInlined=*/true);
405 }
406 } else {
407 DstPostCall.insert(DstPostPostCallCallback);
408 }
409
410 ExplodedNodeSet Dst;
411 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) {
412 getCheckerManager().runCheckersForPostObjCMessage(Dst, DstPostCall, *Msg,
413 *this,
414 /*wasInlined=*/true);
415 } else if (CE &&
416 !(isa<CXXNewExpr>(CE) && // Called when visiting CXXNewExpr.
417 AMgr.getAnalyzerOptions().MayInlineCXXAllocator)) {
418 getCheckerManager().runCheckersForPostStmt(Dst, DstPostCall, CE,
419 *this, /*wasInlined=*/true);
420 } else {
421 Dst.insert(DstPostCall);
422 }
423
424 // Enqueue the next element in the block.
425 for (ExplodedNode *DstNode : Dst) {
426 unsigned Idx = CalleeSF->getIndex() + (ShouldRepeatCall ? 0 : 1);
427
428 Engine.getWorkList()->enqueue(DstNode, CalleeSF->getCallSiteBlock(), Idx);
429 }
430 }
431}
432
433bool ExprEngine::isSmall(AnalysisDeclContext *ADC) const {
434 // When there are no branches in the function, it means that there's no
435 // exponential complexity introduced by inlining such function.
436 // Such functions also don't trigger various fundamental problems
437 // with our inlining mechanism, such as the problem of
438 // inlined defensive checks. Hence isLinear().
439 const CFG *Cfg = ADC->getCFG();
440 return Cfg->isLinear() || Cfg->size() <= AMgr.options.AlwaysInlineSize;
441}
442
443bool ExprEngine::isLarge(AnalysisDeclContext *ADC) const {
444 const CFG *Cfg = ADC->getCFG();
445 return Cfg->size() >= AMgr.options.MinCFGSizeTreatFunctionsAsLarge;
446}
447
448bool ExprEngine::isHuge(AnalysisDeclContext *ADC) const {
449 const CFG *Cfg = ADC->getCFG();
450 return Cfg->getNumBlockIDs() > AMgr.options.MaxInlinableSize;
451}
452
453void ExprEngine::examineStackFrames(const Decl *D, const StackFrame *SF,
454 bool &IsRecursive, unsigned &StackDepth) {
455 IsRecursive = false;
456 StackDepth = 0;
457
458 while (SF) {
459 const Decl *DI = SF->getDecl();
460
461 // Mark recursive (and mutually recursive) functions and always count
462 // them when measuring the stack depth.
463 if (DI == D) {
464 IsRecursive = true;
465 ++StackDepth;
466 SF = SF->getParent();
467 continue;
468 }
469
470 // Do not count the small functions when determining the stack depth.
471 AnalysisDeclContext *CalleeADC = AMgr.getAnalysisDeclContext(DI);
472 if (!isSmall(CalleeADC))
473 ++StackDepth;
474 SF = SF->getParent();
475 }
476}
477
478// The GDM component containing the dynamic dispatch bifurcation info. When
479// the exact type of the receiver is not known, we want to explore both paths -
480// one on which we do inline it and the other one on which we don't. This is
481// done to ensure we do not drop coverage.
482// This is the map from the receiver region to a bool, specifying either we
483// consider this region's information precise or not along the given path.
484namespace {
485 enum DynamicDispatchMode {
486 DynamicDispatchModeInlined = 1,
487 DynamicDispatchModeConservative
488 };
489} // end anonymous namespace
490
491REGISTER_MAP_WITH_PROGRAMSTATE(DynamicDispatchBifurcationMap,
492 const MemRegion *, unsigned)
493REGISTER_TRAIT_WITH_PROGRAMSTATE(CTUDispatchBifurcation, bool)
494
495void ExprEngine::ctuBifurcate(const CallEvent &Call, const Decl *D,
496 ExplodedNodeSet &Dst, ExplodedNode *Pred,
497 ProgramStateRef State) {
498 if (Call.isForeign() && !isSecondPhaseCTU()) {
499 const auto IK = AMgr.options.getCTUPhase1Inlining();
500 const bool DoInline = IK == CTUPhase1InliningKind::All ||
502 isSmall(AMgr.getAnalysisDeclContext(D)));
503 if (DoInline) {
504 inlineCall(Engine.getWorkList(), Call, D, Pred, State);
505 return;
506 }
507 const bool BState = State->get<CTUDispatchBifurcation>();
508 if (!BState) { // This is the first time we see this foreign function.
509 // Enqueue it to be analyzed in the second (ctu) phase.
510 inlineCall(Engine.getCTUWorkList(), Call, D, Pred, State);
511 // Conservatively evaluate in the first phase.
512 State = State->set<CTUDispatchBifurcation>(true);
513 }
514 Dst.insert(conservativeEvalCall(Call, Pred, State));
515 return;
516 }
517 inlineCall(Engine.getWorkList(), Call, D, Pred, State);
518}
519
520void ExprEngine::inlineCall(WorkList *WList, const CallEvent &Call,
521 const Decl *D, ExplodedNode *Pred,
522 ProgramStateRef State) {
523 assert(D);
524
525 const StackFrame *CallerSF = Pred->getStackFrame();
526 const BlockDataRegion *BlockInvocationData = nullptr;
527 if (Call.getKind() == CE_Block &&
528 !cast<BlockCall>(Call).isConversionFromLambda()) {
529 BlockInvocationData = cast<BlockCall>(Call).getBlockRegion();
530 assert(BlockInvocationData &&
531 "If we have the block definition we should have its region");
532 }
533
534 // This may be NULL, but that's fine.
535 const Expr *CallE = Call.getOriginExpr();
536
537 // Construct a new stack frame for the callee.
538 AnalysisDeclContext *CalleeADC = AMgr.getAnalysisDeclContext(D);
539 const StackFrame *CalleeSF = CalleeADC->getStackFrame(
540 CallerSF, BlockInvocationData, CallE, getCurrBlock(),
541 getNumVisitedCurrent(), currStmtIdx);
542
543 CallEnter Loc(CallE, CalleeSF, CallerSF);
544
545 // Construct a new state which contains the mapping from actual to
546 // formal arguments.
547 State = State->enterStackFrame(Call, CalleeSF);
548
549 bool isNew;
550 if (ExplodedNode *N = G.getNode(Loc, State, false, &isNew)) {
551 N->addPredecessor(Pred, G);
552 if (isNew)
553 WList->enqueue(N);
554 }
555
556 NumInlinedCalls++;
557 Engine.FunctionSummaries->bumpNumTimesInlined(D);
558
559 // Do not mark as visited in the 2nd run (CTUWList), so the function will
560 // be visited as top-level, this way we won't loose reports in non-ctu
561 // mode. Considering the case when a function in a foreign TU calls back
562 // into the main TU.
563 // Note, during the 1st run, it doesn't matter if we mark the foreign
564 // functions as visited (or not) because they can never appear as a top level
565 // function in the main TU.
566 if (!isSecondPhaseCTU())
567 // Mark the decl as visited.
568 if (VisitedCallees)
569 VisitedCallees->insert(D);
570}
571
573 const Expr *CallE) {
574 const void *ReplayState = State->get<ReplayWithoutInlining>();
575 if (!ReplayState)
576 return nullptr;
577
578 assert(ReplayState == CallE && "Backtracked to the wrong call.");
579 (void)CallE;
580
581 return State->remove<ReplayWithoutInlining>();
582}
583
585 ExplodedNodeSet &dst) {
586 if (const auto *OCE = dyn_cast<CXXOperatorCallExpr>(CE)) {
587 // For instance method operators, make sure the 'this' argument has a
588 // valid region.
589 // FIXME: Why is this only applied for operator calls and not other calls?
590 const Decl *Callee = OCE->getCalleeDecl();
591 if (const auto *MD = dyn_cast_or_null<CXXMethodDecl>(Callee)) {
592 if (MD->isImplicitObjectMemberFunction()) {
593 ProgramStateRef State = Pred->getState();
594 const StackFrame *SF = Pred->getStackFrame();
595 ProgramStateRef NewState =
596 createTemporaryRegionIfNeeded(State, SF, OCE->getArg(0));
597 if (NewState != State) {
598 PreStmt PS(OCE, SF, /*tag=*/nullptr);
599 Pred = Engine.makeNode(PS, NewState, Pred);
600 if (!Pred)
601 return; // Cached out.
602 }
603 }
604 }
605 }
606 // Perform the previsit of the CallExpr.
607 ExplodedNodeSet dstPreVisit;
608 getCheckerManager().runCheckersForPreStmt(dstPreVisit, Pred, CE, *this);
609
610 // Get the call in its initial state. We use this as a template to perform
611 // all the checks.
613 CallEventRef<> CallTemplate = CEMgr.getSimpleCall(
614 CE, Pred->getState(), Pred->getStackFrame(), getCFGElementRef());
615
616 // Evaluate the function call. We try each of the checkers
617 // to see if the can evaluate the function call.
618 ExplodedNodeSet dstCallEvaluated;
619 for (ExplodedNode *N : dstPreVisit) {
620 evalCall(dstCallEvaluated, N, *CallTemplate);
621 }
622
623 // Finally, perform the post-condition check of the CallExpr and store
624 // the created nodes in 'Dst'.
625 // Note that if the call was inlined, dstCallEvaluated will be empty.
626 // The post-CallExpr check will occur in processCallExit.
627 getCheckerManager().runCheckersForPostStmt(dst, dstCallEvaluated, CE,
628 *this);
629}
630
631ProgramStateRef ExprEngine::finishArgumentConstruction(ProgramStateRef State,
632 const CallEvent &Call) {
633 // WARNING: The state attached to 'Call' may be obsolete, do not call any
634 // methods that rely on it!
635 const Expr *E = Call.getOriginExpr();
636 // FIXME: Constructors to placement arguments of operator new
637 // are not supported yet.
638 if (!E || isa<CXXNewExpr>(E))
639 return State;
640
641 const StackFrame *SF = Call.getStackFrame();
642 for (unsigned CallI = 0, CallN = Call.getNumArgs(); CallI != CallN; ++CallI) {
643 unsigned I = Call.getASTArgumentIndex(CallI);
644 if (std::optional<SVal> V = getObjectUnderConstruction(State, {E, I}, SF)) {
645 SVal VV = *V;
646 (void)VV;
648 ->getStackFrame()
649 ->getParent() == SF);
650 State = finishObjectConstruction(State, {E, I}, SF);
651 }
652 }
653
654 return State;
655}
656
657void ExprEngine::finishArgumentConstruction(ExplodedNodeSet &Dst,
658 ExplodedNode *Pred,
659 const CallEvent &Call) {
660 // WARNING: The state attached to 'Call' may be obsolete, do not call any
661 // methods that rely on it!
662 ProgramStateRef State = Pred->getState();
663 ProgramStateRef CleanedState = finishArgumentConstruction(State, Call);
664 if (CleanedState == State) {
665 Dst.insert(Pred);
666 return;
667 }
668
669 const Expr *E = Call.getOriginExpr();
670 const StackFrame *SF = Call.getStackFrame();
671 static SimpleProgramPointTag Tag("ExprEngine",
672 "Finish argument construction");
673 Dst.insert(Engine.makeNode(PreStmt(E, SF, &Tag), CleanedState, Pred));
674}
675
677 const CallEvent &CallTemplate) {
678 // NOTE: CallTemplate is called a "template" because its attached state may
679 // be obsolete (compared to the state of Pred). The state-dependent methods
680 // of CallEvent should be used only after a `cloneWithState` call that
681 // attaches the up-to-date state to this template object.
682
683 // Run any pre-call checks using the generic call interface.
684 ExplodedNodeSet dstPreVisit;
685 getCheckerManager().runCheckersForPreCall(dstPreVisit, Pred, CallTemplate,
686 *this);
687
688 // Actually evaluate the function call. We try each of the checkers
689 // to see if the can evaluate the function call, and get a callback at
690 // defaultEvalCall if all of them fail.
691 ExplodedNodeSet dstCallEvaluated;
693 dstCallEvaluated, dstPreVisit, CallTemplate, *this, EvalCallOptions());
694
695 // If there were other constructors called for object-type arguments
696 // of this call, clean them up.
697 ExplodedNodeSet dstArgumentCleanup;
698 for (ExplodedNode *I : dstCallEvaluated)
699 finishArgumentConstruction(dstArgumentCleanup, I, CallTemplate);
700
701 ExplodedNodeSet dstPostCall;
702 getCheckerManager().runCheckersForPostCall(dstPostCall, dstArgumentCleanup,
703 CallTemplate, *this);
704
705 // Escaping symbols conjured during invalidating the regions above.
706 // Note that, for inlined calls the nodes were put back into the worklist,
707 // so we can assume that every node belongs to a conservative call at this
708 // point.
709
710 // Run pointerEscape callback with the newly conjured symbols.
712 for (ExplodedNode *I : dstPostCall) {
713 ProgramStateRef State = I->getState();
714 CallEventRef<> Call = CallTemplate.cloneWithState(State);
715 Escaped.clear();
716 {
717 unsigned Arg = -1;
718 for (const ParmVarDecl *PVD : Call->parameters()) {
719 ++Arg;
720 QualType ParamTy = PVD->getType();
721 if (ParamTy.isNull() ||
722 (!ParamTy->isPointerType() && !ParamTy->isReferenceType()))
723 continue;
724 QualType Pointee = ParamTy->getPointeeType();
725 if (Pointee.isConstQualified() || Pointee->isVoidType())
726 continue;
727 if (const MemRegion *MR = Call->getArgSVal(Arg).getAsRegion())
728 Escaped.emplace_back(loc::MemRegionVal(MR), State->getSVal(MR, Pointee));
729 }
730 }
731
732 State = processPointerEscapedOnBind(State, Escaped, I->getStackFrame(),
734
735 if (State != I->getState())
736 I = Engine.makeNode(I->getLocation(), State, I);
737
738 Dst.insert(I);
739 }
740}
741
743 const StackFrame *SF,
744 ProgramStateRef State) {
745 const Expr *E = Call.getOriginExpr();
746 const ConstCFGElementRef &Elem = Call.getCFGElementRef();
747 if (!E)
748 return State;
749
750 // Some method families have known return values.
751 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(&Call)) {
752 switch (Msg->getMethodFamily()) {
753 default:
754 break;
755 case OMF_autorelease:
756 case OMF_retain:
757 case OMF_self: {
758 // These methods return their receivers.
759 return State->BindExpr(E, SF, Msg->getReceiverSVal());
760 }
761 }
762 } else if (const CXXConstructorCall *C = dyn_cast<CXXConstructorCall>(&Call)){
763 SVal ThisV = C->getCXXThisVal();
764 ThisV = State->getSVal(ThisV.castAs<Loc>());
765 return State->BindExpr(E, SF, ThisV);
766 }
767
768 SVal R;
769 QualType ResultTy = Call.getResultType();
770 unsigned Count = getNumVisitedCurrent();
771 if (auto RTC = getCurrentCFGElement().getAs<CFGCXXRecordTypedCall>()) {
772 // Conjure a temporary if the function returns an object by value.
773 SVal Target;
774 assert(RTC->getStmt() == Call.getOriginExpr());
775 EvalCallOptions CallOpts; // FIXME: We won't really need those.
776 std::tie(State, Target) =
777 handleConstructionContext(Call.getOriginExpr(), State, currBldrCtx, SF,
778 RTC->getConstructionContext(), CallOpts);
779 const MemRegion *TargetR = Target.getAsRegion();
780 assert(TargetR);
781 // Invalidate the region so that it didn't look uninitialized. If this is
782 // a field or element constructor, we do not want to invalidate
783 // the whole structure. Pointer escape is meaningless because
784 // the structure is a product of conservative evaluation
785 // and therefore contains nothing interesting at this point.
787 ITraits.setTrait(TargetR,
789 State = State->invalidateRegions(TargetR, Elem, Count, SF,
790 /* CausesPointerEscape=*/false, nullptr,
791 &Call, &ITraits);
792
793 R = State->getSVal(Target.castAs<Loc>(), E->getType());
794 } else {
795 // Conjure a symbol if the return value is unknown.
796
797 // See if we need to conjure a heap pointer instead of
798 // a regular unknown pointer.
799 const auto *CNE = dyn_cast<CXXNewExpr>(E);
800 if (CNE && CNE->getOperatorNew()->isReplaceableGlobalAllocationFunction()) {
801 R = svalBuilder.getConjuredHeapSymbolVal(Elem, SF, E->getType(), Count);
802 const MemRegion *MR = R.getAsRegion()->StripCasts();
803
804 // Store the extent of the allocated object(s).
805 SVal ElementCount;
806 if (const Expr *SizeExpr = CNE->getArraySize().value_or(nullptr)) {
807 ElementCount = State->getSVal(SizeExpr, SF);
808 } else {
809 ElementCount = svalBuilder.makeIntVal(1, /*IsUnsigned=*/true);
810 }
811
812 SVal ElementSize = getElementExtent(CNE->getAllocatedType(), svalBuilder);
813
814 SVal Size =
815 svalBuilder.evalBinOp(State, BO_Mul, ElementCount, ElementSize,
816 svalBuilder.getArrayIndexType());
817
818 // FIXME: This line is to prevent a crash. For more details please check
819 // issue #56264.
820 if (Size.isUndef())
821 Size = UnknownVal();
822
823 State = setDynamicExtent(State, MR, Size.castAs<DefinedOrUnknownSVal>());
824 } else {
825 R = svalBuilder.conjureSymbolVal(Elem, SF, ResultTy, Count);
826 }
827 }
828 return State->BindExpr(E, SF, R);
829}
830
831// Conservatively evaluate call by invalidating regions and binding
832// a conjured return value.
833ExplodedNode *ExprEngine::conservativeEvalCall(const CallEvent &Call,
834 ExplodedNode *Pred,
835 ProgramStateRef State) {
836 State = Call.invalidateRegions(getNumVisitedCurrent(), State);
837 State = bindReturnValue(Call, Pred->getStackFrame(), State);
838
839 // And make the result node.
840 static SimpleProgramPointTag PT("ExprEngine", "Conservative eval call");
841 return Engine.makeNode(Call.getProgramPoint(false, &PT), State, Pred);
842}
843
844ExprEngine::CallInlinePolicy
845ExprEngine::mayInlineCallKind(const CallEvent &Call, const ExplodedNode *Pred,
846 AnalyzerOptions &Opts,
847 const EvalCallOptions &CallOpts) {
848 const StackFrame *CallerSF = Pred->getStackFrame();
849 switch (Call.getKind()) {
850 case CE_Function:
852 case CE_Block:
853 break;
854 case CE_CXXMember:
857 return CIP_DisallowedAlways;
858 break;
859 case CE_CXXConstructor: {
861 return CIP_DisallowedAlways;
862
864
865 const CXXConstructExpr *CtorExpr = Ctor.getOriginExpr();
866
868 const ConstructionContext *CC = CCE ? CCE->getConstructionContext()
869 : nullptr;
870
871 if (llvm::isa_and_nonnull<NewAllocatedObjectConstructionContext>(CC) &&
872 !Opts.MayInlineCXXAllocator)
873 return CIP_DisallowedOnce;
874
875 if (CallOpts.IsArrayCtorOrDtor) {
876 if (!shouldInlineArrayConstruction(Pred->getState(), CtorExpr, CallerSF))
877 return CIP_DisallowedOnce;
878 }
879
880 // Inlining constructors requires including initializers in the CFG.
881 const AnalysisDeclContext *ADC = CallerSF->getAnalysisDeclContext();
882 assert(ADC->getCFGBuildOptions().AddInitializers && "No CFG initializers");
883 (void)ADC;
884
885 // If the destructor is trivial, it's always safe to inline the constructor.
886 if (Ctor.getDecl()->getParent()->hasTrivialDestructor())
887 break;
888
889 // For other types, only inline constructors if destructor inlining is
890 // also enabled.
892 return CIP_DisallowedAlways;
893
895 // If we don't handle temporary destructors, we shouldn't inline
896 // their constructors.
897 if (CallOpts.IsTemporaryCtorOrDtor &&
898 !Opts.ShouldIncludeTemporaryDtorsInCFG)
899 return CIP_DisallowedOnce;
900
901 // If we did not find the correct this-region, it would be pointless
902 // to inline the constructor. Instead we will simply invalidate
903 // the fake temporary target.
905 return CIP_DisallowedOnce;
906
907 // If the temporary is lifetime-extended by binding it to a reference-type
908 // field within an aggregate, automatic destructors don't work properly.
910 return CIP_DisallowedOnce;
911 }
912
913 break;
914 }
916 // This doesn't really increase the cost of inlining ever, because
917 // the stack frame of the inherited constructor is trivial.
918 return CIP_Allowed;
919 }
920 case CE_CXXDestructor: {
922 return CIP_DisallowedAlways;
923
924 // Inlining destructors requires building the CFG correctly.
925 const AnalysisDeclContext *ADC = CallerSF->getAnalysisDeclContext();
926 assert(ADC->getCFGBuildOptions().AddImplicitDtors && "No CFG destructors");
927 (void)ADC;
928
929 if (CallOpts.IsArrayCtorOrDtor) {
930 if (!shouldInlineArrayDestruction(getElementCountOfArrayBeingDestructed(
931 Call, Pred->getState(), svalBuilder))) {
932 return CIP_DisallowedOnce;
933 }
934 }
935
936 // Allow disabling temporary destructor inlining with a separate option.
937 if (CallOpts.IsTemporaryCtorOrDtor &&
938 !Opts.MayInlineCXXTemporaryDtors)
939 return CIP_DisallowedOnce;
940
941 // If we did not find the correct this-region, it would be pointless
942 // to inline the destructor. Instead we will simply invalidate
943 // the fake temporary target.
945 return CIP_DisallowedOnce;
946 break;
947 }
949 [[fallthrough]];
950 case CE_CXXAllocator:
951 if (Opts.MayInlineCXXAllocator)
952 break;
953 // Do not inline allocators until we model deallocators.
954 // This is unfortunate, but basically necessary for smart pointers and such.
955 return CIP_DisallowedAlways;
956 case CE_ObjCMessage:
957 if (!Opts.MayInlineObjCMethod)
958 return CIP_DisallowedAlways;
959 if (!(Opts.getIPAMode() == IPAK_DynamicDispatch ||
961 return CIP_DisallowedAlways;
962 break;
963 }
964
965 return CIP_Allowed;
966}
967
968/// Returns true if the given C++ class contains a member with the given name.
969static bool hasMember(const ASTContext &Ctx, const CXXRecordDecl *RD,
970 StringRef Name) {
971 const IdentifierInfo &II = Ctx.Idents.get(Name);
972 return RD->hasMemberName(Ctx.DeclarationNames.getIdentifier(&II));
973}
974
975/// Returns true if the given C++ class is a container or iterator.
976///
977/// Our heuristic for this is whether it contains a method named 'begin()' or a
978/// nested type named 'iterator' or 'iterator_category'.
979static bool isContainerClass(const ASTContext &Ctx, const CXXRecordDecl *RD) {
980 return hasMember(Ctx, RD, "begin") ||
981 hasMember(Ctx, RD, "iterator") ||
982 hasMember(Ctx, RD, "iterator_category");
983}
984
985/// Returns true if the given function refers to a method of a C++ container
986/// or iterator.
987///
988/// We generally do a poor job modeling most containers right now, and might
989/// prefer not to inline their methods.
990static bool isContainerMethod(const ASTContext &Ctx,
991 const FunctionDecl *FD) {
992 if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(FD))
993 return isContainerClass(Ctx, MD->getParent());
994 return false;
995}
996
997/// Returns true if the given function is the destructor of a class named
998/// "shared_ptr".
999static bool isCXXSharedPtrDtor(const FunctionDecl *FD) {
1000 const CXXDestructorDecl *Dtor = dyn_cast<CXXDestructorDecl>(FD);
1001 if (!Dtor)
1002 return false;
1003
1004 const CXXRecordDecl *RD = Dtor->getParent();
1005 if (const IdentifierInfo *II = RD->getDeclName().getAsIdentifierInfo())
1006 if (II->isStr("shared_ptr"))
1007 return true;
1008
1009 return false;
1010}
1011
1012/// Returns true if the function in \p CalleeADC may be inlined in general.
1013///
1014/// This checks static properties of the function, such as its signature and
1015/// CFG, to determine whether the analyzer should ever consider inlining it,
1016/// in any context.
1017bool ExprEngine::mayInlineDecl(AnalysisDeclContext *CalleeADC) const {
1018 AnalyzerOptions &Opts = AMgr.getAnalyzerOptions();
1019 // FIXME: Do not inline variadic calls.
1020 if (CallEvent::isVariadic(CalleeADC->getDecl()))
1021 return false;
1022
1023 // Check certain C++-related inlining policies.
1024 ASTContext &Ctx = CalleeADC->getASTContext();
1025 if (Ctx.getLangOpts().CPlusPlus) {
1026 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(CalleeADC->getDecl())) {
1027 // Conditionally control the inlining of template functions.
1028 if (!Opts.MayInlineTemplateFunctions)
1029 if (FD->getTemplatedKind() != FunctionDecl::TK_NonTemplate)
1030 return false;
1031
1032 // Conditionally control the inlining of C++ standard library functions.
1033 if (!Opts.MayInlineCXXStandardLibrary)
1034 if (Ctx.getSourceManager().isInSystemHeader(FD->getLocation()))
1036 return false;
1037
1038 // Conditionally control the inlining of methods on objects that look
1039 // like C++ containers.
1040 if (!Opts.MayInlineCXXContainerMethods)
1041 if (!AMgr.isInCodeFile(FD->getLocation()))
1042 if (isContainerMethod(Ctx, FD))
1043 return false;
1044
1045 // Conditionally control the inlining of the destructor of C++ shared_ptr.
1046 // We don't currently do a good job modeling shared_ptr because we can't
1047 // see the reference count, so treating as opaque is probably the best
1048 // idea.
1049 if (!Opts.MayInlineCXXSharedPtrDtor)
1050 if (isCXXSharedPtrDtor(FD))
1051 return false;
1052 }
1053 }
1054
1055 // It is possible that the CFG cannot be constructed.
1056 // Be safe, and check if the CalleeCFG is valid.
1057 const CFG *CalleeCFG = CalleeADC->getCFG();
1058 if (!CalleeCFG)
1059 return false;
1060
1061 // Do not inline large functions.
1062 if (isHuge(CalleeADC))
1063 return false;
1064
1065 // It is possible that the live variables analysis cannot be
1066 // run. If so, bail out.
1067 if (!CalleeADC->getAnalysis<RelaxedLiveVariables>())
1068 return false;
1069
1070 return true;
1071}
1072
1073bool ExprEngine::shouldInlineCall(const CallEvent &Call, const Decl *D,
1074 const ExplodedNode *Pred,
1075 const EvalCallOptions &CallOpts) {
1076 if (!D)
1077 return false;
1078
1079 AnalysisManager &AMgr = getAnalysisManager();
1080 AnalyzerOptions &Opts = AMgr.options;
1081 AnalysisDeclContextManager &ADCMgr = AMgr.getAnalysisDeclContextManager();
1082 AnalysisDeclContext *CalleeADC = ADCMgr.getContext(D);
1083
1084 // The auto-synthesized bodies are essential to inline as they are
1085 // usually small and commonly used. Note: we should do this check early on to
1086 // ensure we always inline these calls.
1087 if (CalleeADC->isBodyAutosynthesized())
1088 return true;
1089
1090 if (!AMgr.shouldInlineCall())
1091 return false;
1092
1093 // Check if this function has been marked as non-inlinable.
1094 std::optional<bool> MayInline = Engine.FunctionSummaries->mayInline(D);
1095 if (MayInline) {
1096 if (!*MayInline)
1097 return false;
1098
1099 } else {
1100 // We haven't actually checked the static properties of this function yet.
1101 // Do that now, and record our decision in the function summaries.
1102 if (mayInlineDecl(CalleeADC)) {
1103 Engine.FunctionSummaries->markMayInline(D);
1104 } else {
1105 Engine.FunctionSummaries->markShouldNotInline(D);
1106 return false;
1107 }
1108 }
1109
1110 // Check if we should inline a call based on its kind.
1111 // FIXME: this checks both static and dynamic properties of the call, which
1112 // means we're redoing a bit of work that could be cached in the function
1113 // summary.
1114 CallInlinePolicy CIP = mayInlineCallKind(Call, Pred, Opts, CallOpts);
1115 if (CIP != CIP_Allowed) {
1116 if (CIP == CIP_DisallowedAlways) {
1117 assert(!MayInline || *MayInline);
1118 Engine.FunctionSummaries->markShouldNotInline(D);
1119 }
1120 return false;
1121 }
1122
1123 // Do not inline if recursive or we've reached max stack frame count.
1124 bool IsRecursive = false;
1125 unsigned StackDepth = 0;
1126 examineStackFrames(D, Pred->getStackFrame(), IsRecursive, StackDepth);
1127 if ((StackDepth >= Opts.InlineMaxStackDepth) &&
1128 (!isSmall(CalleeADC) || IsRecursive))
1129 return false;
1130
1131 // Do not inline large functions too many times.
1132 if ((Engine.FunctionSummaries->getNumTimesInlined(D) >
1133 Opts.MaxTimesInlineLarge) &&
1134 isLarge(CalleeADC)) {
1135 NumReachedInlineCountMax++;
1136 return false;
1137 }
1138
1139 if (HowToInline == Inline_Minimal && (!isSmall(CalleeADC) || IsRecursive))
1140 return false;
1141
1142 return true;
1143}
1144
1145bool ExprEngine::shouldInlineArrayConstruction(const ProgramStateRef State,
1146 const CXXConstructExpr *CE,
1147 const StackFrame *SF) {
1148 if (!CE)
1149 return false;
1150
1151 // FIXME: Handle other arrays types.
1152 if (const auto *CAT = dyn_cast<ConstantArrayType>(CE->getType())) {
1153 unsigned ArrSize = getContext().getConstantArrayElementCount(CAT);
1154
1155 // This might seem conter-intuitive at first glance, but the functions are
1156 // closely related. Reasoning about destructors depends only on the type
1157 // of the expression that initialized the memory region, which is the
1158 // CXXConstructExpr. So to avoid code repetition, the work is delegated
1159 // to the function that reasons about destructor inlining. Also note that
1160 // if the constructors of the array elements are inlined, the destructors
1161 // can also be inlined and if the destructors can be inline, it's safe to
1162 // inline the constructors.
1163 return shouldInlineArrayDestruction(ArrSize);
1164 }
1165
1166 // Check if we're inside an ArrayInitLoopExpr, and it's sufficiently small.
1167 if (auto Size = getPendingInitLoop(State, CE, SF))
1168 return shouldInlineArrayDestruction(*Size);
1169
1170 return false;
1171}
1172
1173bool ExprEngine::shouldInlineArrayDestruction(uint64_t Size) {
1174
1175 uint64_t maxAllowedSize = AMgr.options.maxBlockVisitOnPath;
1176
1177 // Declaring a 0 element array is also possible.
1178 return Size <= maxAllowedSize && Size > 0;
1179}
1180
1181bool ExprEngine::shouldRepeatCtorCall(ProgramStateRef State,
1182 const CXXConstructExpr *E,
1183 const StackFrame *SF) {
1184
1185 if (!E)
1186 return false;
1187
1188 auto Ty = E->getType();
1189
1190 // FIXME: Handle non constant array types
1191 if (const auto *CAT = dyn_cast<ConstantArrayType>(Ty)) {
1193 return Size > getIndexOfElementToConstruct(State, E, SF);
1194 }
1195
1196 if (auto Size = getPendingInitLoop(State, E, SF))
1197 return Size > getIndexOfElementToConstruct(State, E, SF);
1198
1199 return false;
1200}
1201
1203 const CXXInstanceCall *ICall = dyn_cast<CXXInstanceCall>(&Call);
1204 if (!ICall)
1205 return false;
1206
1207 const CXXMethodDecl *MD = dyn_cast_or_null<CXXMethodDecl>(ICall->getDecl());
1208 if (!MD)
1209 return false;
1211 return false;
1212
1213 return MD->isTrivial();
1214}
1215
1217 const CallEvent &Call,
1218 const EvalCallOptions &CallOpts) {
1219 // Make sure we have the most recent state attached to the call.
1220 ProgramStateRef State = Pred->getState();
1221
1222 // Special-case trivial assignment operators.
1224 performTrivialCopy(Dst, Pred, Call);
1225 return;
1226 }
1227
1228 const Expr *E = Call.getOriginExpr();
1229
1230 ProgramStateRef InlinedFailedState = getInlineFailedState(State, E);
1231 if (InlinedFailedState) {
1232 // If we already tried once and failed, make sure we don't retry later.
1233 State = InlinedFailedState;
1234 } else {
1235 RuntimeDefinition RD = Call.getRuntimeDefinition();
1236 Call.setForeign(RD.isForeign());
1237 const Decl *D = RD.getDecl();
1238 if (shouldInlineCall(Call, D, Pred, CallOpts)) {
1239 if (RD.mayHaveOtherDefinitions()) {
1241
1242 // Explore with and without inlining the call.
1243 if (Options.getIPAMode() == IPAK_DynamicDispatchBifurcate) {
1244 dynDispatchBifurcate(RD.getDispatchRegion(), Call, D, Dst, Pred);
1245 return;
1246 }
1247
1248 // Don't inline if we're not in any dynamic dispatch mode.
1249 if (Options.getIPAMode() != IPAK_DynamicDispatch) {
1250 Dst.insert(conservativeEvalCall(Call, Pred, State));
1251 return;
1252 }
1253 }
1254 ctuBifurcate(Call, D, Dst, Pred, State);
1255 return;
1256 }
1257 }
1258
1259 // If we can't inline it, clean up the state traits used only if the function
1260 // is inlined.
1261 State = removeStateTraitsUsedForArrayEvaluation(
1262 State, dyn_cast_or_null<CXXConstructExpr>(E), Call.getStackFrame());
1263
1264 // Also handle the return value and invalidate the regions.
1265 Dst.insert(conservativeEvalCall(Call, Pred, State));
1266}
1267
1268void ExprEngine::dynDispatchBifurcate(const MemRegion *BifurReg,
1269 const CallEvent &Call, const Decl *D,
1270 ExplodedNodeSet &Dst,
1271 ExplodedNode *Pred) {
1272 assert(BifurReg);
1273 BifurReg = BifurReg->StripCasts();
1274
1275 // Check if we've performed the split already - note, we only want
1276 // to split the path once per memory region.
1277 ProgramStateRef State = Pred->getState();
1278 const unsigned *BState =
1279 State->get<DynamicDispatchBifurcationMap>(BifurReg);
1280 if (BState) {
1281 // If we are on "inline path", keep inlining if possible.
1282 if (*BState == DynamicDispatchModeInlined)
1283 ctuBifurcate(Call, D, Dst, Pred, State);
1284 // If inline failed, or we are on the path where we assume we
1285 // don't have enough info about the receiver to inline, conjure the
1286 // return value and invalidate the regions.
1287 Dst.insert(conservativeEvalCall(Call, Pred, State));
1288 return;
1289 }
1290
1291 // If we got here, this is the first time we process a message to this
1292 // region, so split the path.
1293 ProgramStateRef IState =
1294 State->set<DynamicDispatchBifurcationMap>(BifurReg,
1295 DynamicDispatchModeInlined);
1296 ctuBifurcate(Call, D, Dst, Pred, IState);
1297
1298 ProgramStateRef NoIState =
1299 State->set<DynamicDispatchBifurcationMap>(BifurReg,
1300 DynamicDispatchModeConservative);
1301 Dst.insert(conservativeEvalCall(Call, Pred, NoIState));
1302
1303 NumOfDynamicDispatchPathSplits++;
1304}
1305
1307 ExplodedNodeSet &Dst) {
1308 ExplodedNodeSet DstPreVisit;
1309 getCheckerManager().runCheckersForPreStmt(DstPreVisit, Pred, RS, *this);
1310
1311 if (RS->getRetValue()) {
1312 for (ExplodedNode *N : DstPreVisit) {
1313 Dst.insert(Engine.makePostStmtNode(RS, N->getState(), N));
1314 }
1315 } else {
1316 Dst.insert(DstPreVisit);
1317 }
1318}
#define V(N, I)
Defines the C++ Decl subclasses, other than those for templates (found in DeclTemplate....
#define STAT_COUNTER(VARNAME, DESC)
static bool isContainerClass(const ASTContext &Ctx, const CXXRecordDecl *RD)
Returns true if the given C++ class is a container or iterator.
static bool wasDifferentDeclUsedForInlining(CallEventRef<> Call, const StackFrame *calleeCtx)
static std::pair< const Stmt *, const CFGBlock * > getLastStmt(const ExplodedNode *Node)
static bool isTrivialObjectAssignment(const CallEvent &Call)
static bool isCXXSharedPtrDtor(const FunctionDecl *FD)
Returns true if the given function is the destructor of a class named "shared_ptr".
static bool hasMember(const ASTContext &Ctx, const CXXRecordDecl *RD, StringRef Name)
Returns true if the given C++ class contains a member with the given name.
static SVal adjustReturnValue(SVal V, QualType ExpectedTy, QualType ActualTy, StoreManager &StoreMgr)
Adjusts a return value when the called function's return type does not match the caller's expression ...
static bool isContainerMethod(const ASTContext &Ctx, const FunctionDecl *FD)
Returns true if the given function refers to a method of a C++ container or iterator.
static unsigned getElementCountOfArrayBeingDestructed(const CallEvent &Call, const ProgramStateRef State, SValBuilder &SVB)
static ProgramStateRef getInlineFailedState(ProgramStateRef State, const Expr *CallE)
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
#define REGISTER_TRAIT_WITH_PROGRAMSTATE(Name, Type)
Declares a program state trait for type Type called Name, and introduce a type named NameTy.
a trap message and trap category.
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition ASTContext.h:223
SourceManager & getSourceManager()
Definition ASTContext.h:863
DeclarationNameTable DeclarationNames
Definition ASTContext.h:806
IdentifierTable & Idents
Definition ASTContext.h:802
const LangOptions & getLangOpts() const
Definition ASTContext.h:959
uint64_t getConstantArrayElementCount(const ConstantArrayType *CA) const
Return number of constant array elements.
AnalysisDeclContext * getContext(const Decl *D)
AnalysisDeclContext contains the context data for the function, method or block under analysis.
static bool isInStdNamespace(const Decl *D)
ASTContext & getASTContext() const
const StackFrame * getStackFrame(const StackFrame *ParentSF, const void *Data, const Expr *E, const CFGBlock *Blk, unsigned BlockCount, unsigned Index)
Obtain a context of the call stack using its parent context.
CFG::BuildOptions & getCFGBuildOptions()
Stores options for the analyzer from the command line.
bool mayInlineCXXMemberFunction(CXXInlineableMemberKind K) const
Returns the option controlling which C++ member functions will be considered for inlining.
IPAKind getIPAMode() const
Returns the inter-procedural analysis mode.
CTUPhase1InliningKind getCTUPhase1Inlining() const
unsigned InlineMaxStackDepth
The inlining stack depth limit.
Represents a single basic block in a source-level CFG.
Definition CFG.h:652
bool empty() const
Definition CFG.h:1000
succ_iterator succ_begin()
Definition CFG.h:1037
unsigned succ_size() const
Definition CFG.h:1055
Represents C++ constructor call.
Definition CFG.h:161
std::optional< T > getAs() const
Convert to the specified CFGElement type, returning std::nullopt if this CFGElement is not of the des...
Definition CFG.h:113
Represents a source-level, intra-procedural CFG that represents the control-flow of a Stmt.
Definition CFG.h:1271
unsigned size() const
Return the total number of CFGBlocks within the CFG This is simply a renaming of the getNumBlockIDs()...
Definition CFG.h:1469
bool isLinear() const
Returns true if the CFG has no branches.
Definition CFG.cpp:5465
CFGBlock & getExit()
Definition CFG.h:1387
unsigned getNumBlockIDs() const
Returns the total number of BlockIDs allocated (which start at 0).
Definition CFG.h:1464
BasePaths - Represents the set of paths from a derived class to one of its (direct or indirect) bases...
CXXBasePath & front()
bool isAmbiguous(CanQualType BaseType) const
Determine whether the path from the most-derived type to the given base type is ambiguous (i....
Represents a call to a C++ constructor.
Definition ExprCXX.h:1552
CXXConstructionKind getConstructionKind() const
Determine whether this constructor is actually constructing a base class (rather than a complete obje...
Definition ExprCXX.h:1663
Represents a C++ destructor within a class.
Definition DeclCXX.h:2895
Represents a static or instance method of a struct/union/class.
Definition DeclCXX.h:2145
const CXXRecordDecl * getParent() const
Return the parent of this method declaration, which is the class in which this method is defined.
Definition DeclCXX.h:2284
bool isMoveAssignmentOperator() const
Determine whether this is a move assignment operator.
Definition DeclCXX.cpp:2749
bool isCopyAssignmentOperator() const
Determine whether this is a copy-assignment operator, regardless of whether it was declared implicitl...
Definition DeclCXX.cpp:2728
Represents a C++ struct/union/class.
Definition DeclCXX.h:258
bool hasTrivialDestructor() const
Determine whether this class has a trivial destructor (C++ [class.dtor]p3)
Definition DeclCXX.h:1377
bool hasMemberName(DeclarationName N) const
Determine whether this class has a member with the given name, possibly in a non-dependent base class...
bool isDerivedFrom(const CXXRecordDecl *Base) const
Determine whether this class is derived from the class Base.
Represents a point when we begin processing an inlined call.
const StackFrame * getCalleeStackFrame() const
const CFGBlock * getEntry() const
Returns the entry block in the CFG for the entered function.
Represents a point when we finish the call exit sequence (for inlined call).
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition Expr.h:2949
ConstructionContext's subclasses describe different ways of constructing an object in C++.
Decl - This represents one declaration (or definition), e.g.
Definition DeclBase.h:86
virtual Decl * getCanonicalDecl()
Retrieves the "canonical" declaration of the given declaration.
Definition DeclBase.h:995
DeclarationName getIdentifier(const IdentifierInfo *ID)
Create a declaration name that is a simple identifier.
IdentifierInfo * getAsIdentifierInfo() const
Retrieve the IdentifierInfo * stored in this declaration name, or null if this declaration name isn't...
This is a meta program point, which should be skipped by all the diagnostic reasoning etc.
This represents one expression.
Definition Expr.h:112
QualType getType() const
Definition Expr.h:144
Represents a function declaration or definition.
Definition Decl.h:2027
bool isTrivial() const
Whether this function is "trivial" in some specialized C++ senses.
Definition Decl.h:2404
One of these records is kept for each identifier that is lexed.
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
DeclarationName getDeclName() const
Get the actual, stored name of the declaration, which may be a special name.
Definition Decl.h:340
Represents a parameter to a function.
Definition Decl.h:1817
const StackFrame * getStackFrame() const
std::optional< T > getAs() const
Convert to the specified ProgramPoint type, returning std::nullopt if this ProgramPoint is not of the...
A (possibly-)qualified type.
Definition TypeBase.h:937
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition TypeBase.h:1004
QualType getCanonicalType() const
Definition TypeBase.h:8499
bool isConstQualified() const
Determine whether this type is const-qualified.
Definition TypeBase.h:8520
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition Stmt.h:3170
Expr * getRetValue()
Definition Stmt.h:3197
bool isInSystemHeader(SourceLocation Loc) const
Returns if a SourceLocation is in a system header.
It represents a stack frame of the call stack.
unsigned getIndex() const
LLVM_ATTRIBUTE_RETURNS_NONNULL AnalysisDeclContext * getAnalysisDeclContext() const
const Expr * getCallSite() const
const Decl * getDecl() const
const StackFrame * getParent() const
It might return null.
const CFGBlock * getCallSiteBlock() const
Stmt - This represents one statement.
Definition Stmt.h:86
bool isVoidType() const
Definition TypeBase.h:9050
bool isPointerType() const
Definition TypeBase.h:8684
CanQualType getCanonicalTypeUnqualified() const
bool isReferenceType() const
Definition TypeBase.h:8708
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee.
Definition Type.cpp:789
CXXRecordDecl * getPointeeCXXRecordDecl() const
If this is a pointer or reference to a RecordType, return the CXXRecordDecl that the type refers to.
Definition Type.cpp:1958
bool isObjCObjectPointerType() const
Definition TypeBase.h:8863
AnalysisDeclContext * getAnalysisDeclContext(const Decl *D)
Represents a call to a C++ constructor.
Definition CallEvent.h:990
const CXXConstructorDecl * getDecl() const override
Returns the declaration of the function or method that will be called.
Definition CallEvent.h:1021
const CXXConstructExpr * getOriginExpr() const override
Returns the expression whose value will be the result of this call.
Definition CallEvent.h:1017
Represents a non-static C++ member function call, no matter how it is written.
Definition CallEvent.h:686
const FunctionDecl * getDecl() const override
Returns the declaration of the function or method that will be called.
Manages the lifetime of CallEvent objects.
Definition CallEvent.h:1363
CallEventRef getCaller(const StackFrame *CalleeSF, ProgramStateRef State)
Gets an outside caller given a callee context.
CallEventRef getSimpleCall(const CallExpr *E, ProgramStateRef State, const StackFrame *SF, CFGBlock::ConstCFGElementRef ElemRef)
Represents an abstract call to a function or method along a particular path.
Definition CallEvent.h:152
CallEventRef< T > cloneWithState(ProgramStateRef NewState) const
Returns a copy of this CallEvent, but using the given state.
Definition CallEvent.h:1479
static QualType getDeclaredResultType(const Decl *D)
Returns the result type of a function or method declaration.
static bool isVariadic(const Decl *D)
Returns true if the given decl is known to be variadic.
void runCheckersForPreCall(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const CallEvent &Call, ExprEngine &Eng)
Run checkers for pre-visiting function calls (including methods, constructors, destructors etc.
void runCheckersForEvalCall(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const CallEvent &CE, ExprEngine &Eng, const EvalCallOptions &CallOpts)
Run checkers for evaluating a call.
void runCheckersForPostObjCMessage(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const ObjCMethodCall &msg, ExprEngine &Eng, bool wasInlined=false)
Run checkers for post-visiting obj-c messages.
void runCheckersForPostStmt(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const Stmt *S, ExprEngine &Eng, bool wasInlined=false)
Run checkers for post-visiting Stmts.
void runCheckersForNewAllocator(const CXXAllocatorCall &Call, ExplodedNodeSet &Dst, ExplodedNode *Pred, ExprEngine &Eng, bool wasInlined=false)
Run checkers between C++ operator new and constructor calls.
void runCheckersForPreStmt(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const Stmt *S, ExprEngine &Eng)
Run checkers for pre-visiting Stmts.
void runCheckersForPostCall(ExplodedNodeSet &Dst, const ExplodedNodeSet &Src, const CallEvent &Call, ExprEngine &Eng, bool wasInlined=false)
Run checkers for post-visiting function calls (including methods, constructors, destructors etc.
WorkList * getCTUWorkList() const
Definition CoreEngine.h:162
WorkList * getWorkList() const
Definition CoreEngine.h:161
ExplodedNode * makeNode(const ProgramPoint &Loc, ProgramStateRef State, ExplodedNode *Pred, bool MarkAsSink=false) const
ExplodedNodeSet is a set of ExplodedNode * elements with the invariant that its elements cannot be nu...
void insert(ExplodedNode *N)
const ProgramStateRef & getState() const
ProgramPoint getLocation() const
getLocation - Returns the edge associated with the given node.
void addPredecessor(ExplodedNode *V, ExplodedGraph &G)
addPredeccessor - Adds a predecessor to the current node, and in tandem add this node as a successor ...
std::optional< T > getLocationAs() const &
ExplodedNode * getFirstPred()
const StackFrame * getStackFrame() const
ProgramStateManager & getStateManager()
Definition ExprEngine.h:476
void removeDead(ExplodedNode *Node, ExplodedNodeSet &Out, const Stmt *ReferenceStmt, const StackFrame *SF, const Stmt *DiagnosticStmt=nullptr, ProgramPoint::Kind K=ProgramPoint::PreStmtPurgeDeadSymbolsKind)
Run the analyzer's garbage collection - remove dead symbols and bindings from the state.
void removeDeadOnEndOfFunction(ExplodedNode *Pred, ExplodedNodeSet &Dst)
Remove dead bindings/symbols before exiting a function.
void VisitReturnStmt(const ReturnStmt *R, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitReturnStmt - Transfer function logic for return statements.
void processCallEnter(CallEnter CE, ExplodedNode *Pred)
Generate the entry node of the callee.
void processCallExit(ExplodedNode *Pred)
Generate the sequence of nodes that simulate the call exit and the post visit for CallExpr.
CFGElement getCurrentCFGElement()
Return the CFG element corresponding to the worklist element that is currently being processed by Exp...
Definition ExprEngine.h:770
static std::optional< unsigned > getIndexOfElementToConstruct(ProgramStateRef State, const CXXConstructExpr *E, const StackFrame *SF)
Retrieves which element is being constructed in a non-POD type array.
@ Inline_Minimal
Do minimal inlining of callees.
Definition ExprEngine.h:130
ProgramStateRef bindReturnValue(const CallEvent &Call, const StackFrame *SF, ProgramStateRef State)
Create a new state in which the call return value is binded to the call origin expression.
static std::optional< unsigned > getPendingInitLoop(ProgramStateRef State, const CXXConstructExpr *E, const StackFrame *SF)
Retrieves the size of the array in the pending ArrayInitLoopExpr.
void setCurrStackFrameAndBlock(const StackFrame *SF, const CFGBlock *B)
Definition ExprEngine.h:244
void VisitCallExpr(const CallExpr *CE, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitCall - Transfer function for function calls.
ASTContext & getContext() const
getContext - Return the ASTContext associated with this analysis.
Definition ExprEngine.h:214
StoreManager & getStoreManager()
Definition ExprEngine.h:479
void evalCall(ExplodedNodeSet &Dst, ExplodedNode *Pred, const CallEvent &Call)
Evaluate a call, running pre- and post-call checkers and allowing checkers to be responsible for hand...
void defaultEvalCall(ExplodedNodeSet &Dst, ExplodedNode *Pred, const CallEvent &Call, const EvalCallOptions &CallOpts={})
Default implementation of call evaluation.
ConstCFGElementRef getCFGElementRef() const
Definition ExprEngine.h:290
static std::optional< unsigned > getPendingArrayDestruction(ProgramStateRef State, const StackFrame *SF)
Retrieves which element is being destructed in a non-POD type array.
ProgramStateRef processPointerEscapedOnBind(ProgramStateRef State, ArrayRef< std::pair< SVal, SVal > > LocAndVals, const StackFrame *SF, PointerEscapeKind Kind, const CallEvent *Call)
Call PointerEscape callback when a value escapes as a result of bind.
CheckerManager & getCheckerManager() const
Definition ExprEngine.h:223
static std::optional< SVal > getObjectUnderConstruction(ProgramStateRef State, const ConstructionContextItem &Item, const StackFrame *SF)
By looking at a certain item that may be potentially part of an object's ConstructionContext,...
void processBeginOfFunction(ExplodedNode *Pred, ExplodedNodeSet &Dst, const BlockEdge &L)
Called by CoreEngine.
unsigned getNumVisitedCurrent() const
Definition ExprEngine.h:299
AnalysisManager & getAnalysisManager()
Definition ExprEngine.h:216
std::pair< ProgramStateRef, SVal > handleConstructionContext(const Expr *E, ProgramStateRef State, const NodeBuilderContext *BldrCtx, const StackFrame *SF, const ConstructionContext *CC, EvalCallOptions &CallOpts, unsigned Idx=0)
A convenient wrapper around computeObjectUnderConstruction and updateObjectsUnderConstruction.
Definition ExprEngine.h:819
const CFGBlock * getCurrBlock() const
Get the 'current' CFGBlock corresponding to the current work item (elementary analysis step handled b...
Definition ExprEngine.h:286
MemRegion - The root abstract class for all memory regions.
Definition MemRegion.h:97
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * StripCasts(bool StripBaseAndDerivedCasts=true) const
Represents any expression that calls an Objective-C method.
Definition CallEvent.h:1251
CallEventManager & getCallEventManager()
Information about invalidation for a particular region/symbol.
Definition MemRegion.h:1656
void setTrait(SymbolRef Sym, InvalidationKinds IK)
Defines the runtime definition of the called function.
Definition CallEvent.h:109
const MemRegion * getDispatchRegion()
When other definitions are possible, returns the region whose runtime type determines the method defi...
Definition CallEvent.h:140
bool mayHaveOtherDefinitions()
Check if the definition we have is precise.
Definition CallEvent.h:136
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition SVals.h:57
QualType getType(const ASTContext &) const
Try to get a reasonable type for the given value.
Definition SVals.cpp:180
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition SVals.h:84
SVal evalDerivedToBase(SVal Derived, const CastExpr *Cast)
Evaluates a chain of derived-to-base casts through the path specified in Cast.
Definition Store.cpp:254
virtual void enqueue(const WorkListUnit &U)=0
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getRegion() const
Get the underlining region.
Definition SVals.h:499
@ PSK_EscapeOutParameters
Escape for a new symbol that was generated into a region that the analyzer cannot follow during a con...
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State, const MemRegion *MR, SValBuilder &SVB, QualType Ty)
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
ProgramStateRef setDynamicExtent(ProgramStateRef State, const MemRegion *MR, DefinedOrUnknownSVal Extent)
Set the dynamic extent Extent of the region MR.
@ CE_CXXInheritedConstructor
Definition CallEvent.h:68
@ CE_CXXStaticOperator
Definition CallEvent.h:61
@ CE_CXXDestructor
Definition CallEvent.h:64
@ CE_CXXDeallocator
Definition CallEvent.h:72
@ CE_CXXAllocator
Definition CallEvent.h:71
@ CE_CXXConstructor
Definition CallEvent.h:67
@ CE_CXXMemberOperator
Definition CallEvent.h:63
DefinedOrUnknownSVal getElementExtent(QualType Ty, SValBuilder &SVB)
std::variant< struct RequiresDecl, struct HeaderDecl, struct UmbrellaDirDecl, struct ModuleDecl, struct ExcludeDecl, struct ExportDecl, struct ExportAsDecl, struct ExternModuleDecl, struct UseDecl, struct LinkDecl, struct ConfigMacrosDecl, struct ConflictDecl > Decl
All declarations that can appear in a module declaration.
The JSON file list parser is used to communicate input to InstallAPI.
bool isa(CodeGen::Address addr)
Definition Address.h:330
CFGBlock::ConstCFGElementRef ConstCFGElementRef
Definition CFG.h:1248
@ ExpectedClass
@ IPAK_DynamicDispatch
Enable inlining of dynamically dispatched methods.
@ IPAK_DynamicDispatchBifurcate
Enable inlining of dynamically dispatched methods, bifurcate paths when exact type info is unavailabl...
@ CIMK_Destructors
Refers to destructors (implicit or explicit).
@ CIMK_MemberFunctions
Refers to regular member function and operator calls.
@ CIMK_Constructors
Refers to constructors (implicit or explicit).
U cast(CodeGen::Address addr)
Definition Address.h:327
unsigned long uint64_t
Hints for figuring out if a call should be inlined during evalCall().
Definition ExprEngine.h:93
bool IsTemporaryLifetimeExtendedViaAggregate
This call is a constructor for a temporary that is lifetime-extended by binding it to a reference-typ...
Definition ExprEngine.h:108
bool IsTemporaryCtorOrDtor
This call is a constructor or a destructor of a temporary value.
Definition ExprEngine.h:103
bool IsArrayCtorOrDtor
This call is a constructor or a destructor for a single element within an array, a part of array cons...
Definition ExprEngine.h:100
bool IsCtorOrDtorWithImproperlyModeledTargetRegion
This call is a constructor or a destructor for which we do not currently compute the this-region corr...
Definition ExprEngine.h:96
Traits for storing the call processing policy inside GDM.