clang 17.0.0git
ProgramState.cpp
Go to the documentation of this file.
1//= ProgramState.cpp - Path-Sensitive "State" for tracking values --*- C++ -*--=
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file implements ProgramState and ProgramStateManager.
10//
11//===----------------------------------------------------------------------===//
12
13#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
14#include "clang/Analysis/CFG.h"
15#include "clang/Basic/JsonSupport.h"
16#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
17#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
18#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
21#include "llvm/Support/raw_ostream.h"
22#include <optional>
23
24using namespace clang;
25using namespace ento;
26
27namespace clang { namespace ento {
28/// Increments the number of times this state is referenced.
29
30void ProgramStateRetain(const ProgramState *state) {
31 ++const_cast<ProgramState*>(state)->refCount;
32}
33
34/// Decrement the number of times this state is referenced.
35void ProgramStateRelease(const ProgramState *state) {
36 assert(state->refCount > 0);
37 ProgramState *s = const_cast<ProgramState*>(state);
38 if (--s->refCount == 0) {
39 ProgramStateManager &Mgr = s->getStateManager();
40 Mgr.StateSet.RemoveNode(s);
41 s->~ProgramState();
42 Mgr.freeStates.push_back(s);
43 }
44}
45}}
46
47ProgramState::ProgramState(ProgramStateManager *mgr, const Environment& env,
48 StoreRef st, GenericDataMap gdm)
49 : stateMgr(mgr),
50 Env(env),
51 store(st.getStore()),
52 GDM(gdm),
53 refCount(0) {
54 stateMgr->getStoreManager().incrementReferenceCount(store);
55}
56
57ProgramState::ProgramState(const ProgramState &RHS)
58 : stateMgr(RHS.stateMgr), Env(RHS.Env), store(RHS.store), GDM(RHS.GDM),
59 PosteriorlyOverconstrained(RHS.PosteriorlyOverconstrained), refCount(0) {
60 stateMgr->getStoreManager().incrementReferenceCount(store);
61}
62
63ProgramState::~ProgramState() {
64 if (store)
65 stateMgr->getStoreManager().decrementReferenceCount(store);
66}
67
68int64_t ProgramState::getID() const {
69 return getStateManager().Alloc.identifyKnownAlignedObject<ProgramState>(this);
70}
71
72ProgramStateManager::ProgramStateManager(ASTContext &Ctx,
73 StoreManagerCreator CreateSMgr,
74 ConstraintManagerCreator CreateCMgr,
75 llvm::BumpPtrAllocator &alloc,
76 ExprEngine *ExprEng)
77 : Eng(ExprEng), EnvMgr(alloc), GDMFactory(alloc),
78 svalBuilder(createSimpleSValBuilder(alloc, Ctx, *this)),
79 CallEventMgr(new CallEventManager(alloc)), Alloc(alloc) {
80 StoreMgr = (*CreateSMgr)(*this);
81 ConstraintMgr = (*CreateCMgr)(*this, ExprEng);
82}
83
84
85ProgramStateManager::~ProgramStateManager() {
86 for (GDMContextsTy::iterator I=GDMContexts.begin(), E=GDMContexts.end();
87 I!=E; ++I)
88 I->second.second(I->second.first);
89}
90
91ProgramStateRef ProgramStateManager::removeDeadBindingsFromEnvironmentAndStore(
92 ProgramStateRef state, const StackFrameContext *LCtx,
93 SymbolReaper &SymReaper) {
94
95 // This code essentially performs a "mark-and-sweep" of the VariableBindings.
96 // The roots are any Block-level exprs and Decls that our liveness algorithm
97 // tells us are live. We then see what Decls they may reference, and keep
98 // those around. This code more than likely can be made faster, and the
99 // frequency of which this method is called should be experimented with
100 // for optimum performance.
101 ProgramState NewState = *state;
102
103 NewState.Env = EnvMgr.removeDeadBindings(NewState.Env, SymReaper, state);
104
105 // Clean up the store.
106 StoreRef newStore = StoreMgr->removeDeadBindings(NewState.getStore(), LCtx,
107 SymReaper);
108 NewState.setStore(newStore);
109 SymReaper.setReapedStore(newStore);
110
111 return getPersistentState(NewState);
112}
113
114ProgramStateRef ProgramState::bindLoc(Loc LV,
115 SVal V,
116 const LocationContext *LCtx,
117 bool notifyChanges) const {
118 ProgramStateManager &Mgr = getStateManager();
119 ProgramStateRef newState = makeWithStore(Mgr.StoreMgr->Bind(getStore(),
120 LV, V));
121 const MemRegion *MR = LV.getAsRegion();
122 if (MR && notifyChanges)
123 return Mgr.getOwningEngine().processRegionChange(newState, MR, LCtx);
124
125 return newState;
126}
127
128ProgramStateRef
129ProgramState::bindDefaultInitial(SVal loc, SVal V,
130 const LocationContext *LCtx) const {
131 ProgramStateManager &Mgr = getStateManager();
132 const MemRegion *R = loc.castAs<loc::MemRegionVal>().getRegion();
133 const StoreRef &newStore = Mgr.StoreMgr->BindDefaultInitial(getStore(), R, V);
134 ProgramStateRef new_state = makeWithStore(newStore);
135 return Mgr.getOwningEngine().processRegionChange(new_state, R, LCtx);
136}
137
138ProgramStateRef
139ProgramState::bindDefaultZero(SVal loc, const LocationContext *LCtx) const {
140 ProgramStateManager &Mgr = getStateManager();
141 const MemRegion *R = loc.castAs<loc::MemRegionVal>().getRegion();
142 const StoreRef &newStore = Mgr.StoreMgr->BindDefaultZero(getStore(), R);
143 ProgramStateRef new_state = makeWithStore(newStore);
144 return Mgr.getOwningEngine().processRegionChange(new_state, R, LCtx);
145}
146
147typedef ArrayRef<const MemRegion *> RegionList;
148typedef ArrayRef<SVal> ValueList;
149
150ProgramStateRef
151ProgramState::invalidateRegions(RegionList Regions,
152 const Expr *E, unsigned Count,
153 const LocationContext *LCtx,
154 bool CausedByPointerEscape,
155 InvalidatedSymbols *IS,
156 const CallEvent *Call,
157 RegionAndSymbolInvalidationTraits *ITraits) const {
158 SmallVector<SVal, 8> Values;
159 for (RegionList::const_iterator I = Regions.begin(),
160 End = Regions.end(); I != End; ++I)
161 Values.push_back(loc::MemRegionVal(*I));
162
163 return invalidateRegionsImpl(Values, E, Count, LCtx, CausedByPointerEscape,
164 IS, ITraits, Call);
165}
166
167ProgramStateRef
168ProgramState::invalidateRegions(ValueList Values,
169 const Expr *E, unsigned Count,
170 const LocationContext *LCtx,
171 bool CausedByPointerEscape,
172 InvalidatedSymbols *IS,
173 const CallEvent *Call,
174 RegionAndSymbolInvalidationTraits *ITraits) const {
175
176 return invalidateRegionsImpl(Values, E, Count, LCtx, CausedByPointerEscape,
177 IS, ITraits, Call);
178}
179
180ProgramStateRef
181ProgramState::invalidateRegionsImpl(ValueList Values,
182 const Expr *E, unsigned Count,
183 const LocationContext *LCtx,
184 bool CausedByPointerEscape,
185 InvalidatedSymbols *IS,
186 RegionAndSymbolInvalidationTraits *ITraits,
187 const CallEvent *Call) const {
188 ProgramStateManager &Mgr = getStateManager();
189 ExprEngine &Eng = Mgr.getOwningEngine();
190
191 InvalidatedSymbols InvalidatedSyms;
192 if (!IS)
193 IS = &InvalidatedSyms;
194
195 RegionAndSymbolInvalidationTraits ITraitsLocal;
196 if (!ITraits)
197 ITraits = &ITraitsLocal;
198
199 StoreManager::InvalidatedRegions TopLevelInvalidated;
200 StoreManager::InvalidatedRegions Invalidated;
201 const StoreRef &newStore
202 = Mgr.StoreMgr->invalidateRegions(getStore(), Values, E, Count, LCtx, Call,
203 *IS, *ITraits, &TopLevelInvalidated,
204 &Invalidated);
205
206 ProgramStateRef newState = makeWithStore(newStore);
207
208 if (CausedByPointerEscape) {
209 newState = Eng.notifyCheckersOfPointerEscape(newState, IS,
210 TopLevelInvalidated,
211 Call,
212 *ITraits);
213 }
214
215 return Eng.processRegionChanges(newState, IS, TopLevelInvalidated,
216 Invalidated, LCtx, Call);
217}
218
219ProgramStateRef ProgramState::killBinding(Loc LV) const {
220 Store OldStore = getStore();
221 const StoreRef &newStore =
222 getStateManager().StoreMgr->killBinding(OldStore, LV);
223
224 if (newStore.getStore() == OldStore)
225 return this;
226
227 return makeWithStore(newStore);
228}
229
230ProgramStateRef
231ProgramState::enterStackFrame(const CallEvent &Call,
232 const StackFrameContext *CalleeCtx) const {
233 const StoreRef &NewStore =
234 getStateManager().StoreMgr->enterStackFrame(getStore(), Call, CalleeCtx);
235 return makeWithStore(NewStore);
236}
237
238SVal ProgramState::getSelfSVal(const LocationContext *LCtx) const {
239 const ImplicitParamDecl *SelfDecl = LCtx->getSelfDecl();
240 if (!SelfDecl)
241 return SVal();
242 return getSVal(getRegion(SelfDecl, LCtx));
243}
244
245SVal ProgramState::getSValAsScalarOrLoc(const MemRegion *R) const {
246 // We only want to do fetches from regions that we can actually bind
247 // values. For example, SymbolicRegions of type 'id<...>' cannot
248 // have direct bindings (but their can be bindings on their subregions).
249 if (!R->isBoundable())
250 return UnknownVal();
251
252 if (const TypedValueRegion *TR = dyn_cast<TypedValueRegion>(R)) {
253 QualType T = TR->getValueType();
254 if (Loc::isLocType(T) || T->isIntegralOrEnumerationType())
255 return getSVal(R);
256 }
257
258 return UnknownVal();
259}
260
261SVal ProgramState::getSVal(Loc location, QualType T) const {
262 SVal V = getRawSVal(location, T);
263
264 // If 'V' is a symbolic value that is *perfectly* constrained to
265 // be a constant value, use that value instead to lessen the burden
266 // on later analysis stages (so we have less symbolic values to reason
267 // about).
268 // We only go into this branch if we can convert the APSInt value we have
269 // to the type of T, which is not always the case (e.g. for void).
270 if (!T.isNull() && (T->isIntegralOrEnumerationType() || Loc::isLocType(T))) {
271 if (SymbolRef sym = V.getAsSymbol()) {
272 if (const llvm::APSInt *Int = getStateManager()
273 .getConstraintManager()
274 .getSymVal(this, sym)) {
275 // FIXME: Because we don't correctly model (yet) sign-extension
276 // and truncation of symbolic values, we need to convert
277 // the integer value to the correct signedness and bitwidth.
278 //
279 // This shows up in the following:
280 //
281 // char foo();
282 // unsigned x = foo();
283 // if (x == 54)
284 // ...
285 //
286 // The symbolic value stored to 'x' is actually the conjured
287 // symbol for the call to foo(); the type of that symbol is 'char',
288 // not unsigned.
289 const llvm::APSInt &NewV = getBasicVals().Convert(T, *Int);
290
291 if (V.getAs<Loc>())
292 return loc::ConcreteInt(NewV);
293 else
294 return nonloc::ConcreteInt(NewV);
295 }
296 }
297 }
298
299 return V;
300}
301
302ProgramStateRef ProgramState::BindExpr(const Stmt *S,
303 const LocationContext *LCtx,
304 SVal V, bool Invalidate) const{
305 Environment NewEnv =
306 getStateManager().EnvMgr.bindExpr(Env, EnvironmentEntry(S, LCtx), V,
307 Invalidate);
308 if (NewEnv == Env)
309 return this;
310
311 ProgramState NewSt = *this;
312 NewSt.Env = NewEnv;
313 return getStateManager().getPersistentState(NewSt);
314}
315
316[[nodiscard]] std::pair<ProgramStateRef, ProgramStateRef>
317ProgramState::assumeInBoundDual(DefinedOrUnknownSVal Idx,
318 DefinedOrUnknownSVal UpperBound,
319 QualType indexTy) const {
320 if (Idx.isUnknown() || UpperBound.isUnknown())
321 return {this, this};
322
323 // Build an expression for 0 <= Idx < UpperBound.
324 // This is the same as Idx + MIN < UpperBound + MIN, if overflow is allowed.
325 // FIXME: This should probably be part of SValBuilder.
326 ProgramStateManager &SM = getStateManager();
327 SValBuilder &svalBuilder = SM.getSValBuilder();
328 ASTContext &Ctx = svalBuilder.getContext();
329
330 // Get the offset: the minimum value of the array index type.
331 BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
332 if (indexTy.isNull())
333 indexTy = svalBuilder.getArrayIndexType();
334 nonloc::ConcreteInt Min(BVF.getMinValue(indexTy));
335
336 // Adjust the index.
337 SVal newIdx = svalBuilder.evalBinOpNN(this, BO_Add,
338 Idx.castAs<NonLoc>(), Min, indexTy);
339 if (newIdx.isUnknownOrUndef())
340 return {this, this};
341
342 // Adjust the upper bound.
343 SVal newBound =
344 svalBuilder.evalBinOpNN(this, BO_Add, UpperBound.castAs<NonLoc>(),
345 Min, indexTy);
346
347 if (newBound.isUnknownOrUndef())
348 return {this, this};
349
350 // Build the actual comparison.
351 SVal inBound = svalBuilder.evalBinOpNN(this, BO_LT, newIdx.castAs<NonLoc>(),
352 newBound.castAs<NonLoc>(), Ctx.IntTy);
353 if (inBound.isUnknownOrUndef())
354 return {this, this};
355
356 // Finally, let the constraint manager take care of it.
357 ConstraintManager &CM = SM.getConstraintManager();
358 return CM.assumeDual(this, inBound.castAs<DefinedSVal>());
359}
360
361ProgramStateRef ProgramState::assumeInBound(DefinedOrUnknownSVal Idx,
362 DefinedOrUnknownSVal UpperBound,
363 bool Assumption,
364 QualType indexTy) const {
365 std::pair<ProgramStateRef, ProgramStateRef> R =
366 assumeInBoundDual(Idx, UpperBound, indexTy);
367 return Assumption ? R.first : R.second;
368}
369
370ConditionTruthVal ProgramState::isNonNull(SVal V) const {
371 ConditionTruthVal IsNull = isNull(V);
372 if (IsNull.isUnderconstrained())
373 return IsNull;
374 return ConditionTruthVal(!IsNull.getValue());
375}
376
377ConditionTruthVal ProgramState::areEqual(SVal Lhs, SVal Rhs) const {
378 return stateMgr->getSValBuilder().areEqual(this, Lhs, Rhs);
379}
380
381ConditionTruthVal ProgramState::isNull(SVal V) const {
382 if (V.isZeroConstant())
383 return true;
384
385 if (V.isConstant())
386 return false;
387
388 SymbolRef Sym = V.getAsSymbol(/* IncludeBaseRegion */ true);
389 if (!Sym)
390 return ConditionTruthVal();
391
392 return getStateManager().ConstraintMgr->isNull(this, Sym);
393}
394
395ProgramStateRef ProgramStateManager::getInitialState(const LocationContext *InitLoc) {
396 ProgramState State(this,
397 EnvMgr.getInitialEnvironment(),
398 StoreMgr->getInitialStore(InitLoc),
399 GDMFactory.getEmptyMap());
400
401 return getPersistentState(State);
402}
403
404ProgramStateRef ProgramStateManager::getPersistentStateWithGDM(
405 ProgramStateRef FromState,
406 ProgramStateRef GDMState) {
407 ProgramState NewState(*FromState);
408 NewState.GDM = GDMState->GDM;
409 return getPersistentState(NewState);
410}
411
412ProgramStateRef ProgramStateManager::getPersistentState(ProgramState &State) {
413
414 llvm::FoldingSetNodeID ID;
415 State.Profile(ID);
416 void *InsertPos;
417
418 if (ProgramState *I = StateSet.FindNodeOrInsertPos(ID, InsertPos))
419 return I;
420
421 ProgramState *newState = nullptr;
422 if (!freeStates.empty()) {
423 newState = freeStates.back();
424 freeStates.pop_back();
425 }
426 else {
427 newState = (ProgramState*) Alloc.Allocate<ProgramState>();
428 }
429 new (newState) ProgramState(State);
430 StateSet.InsertNode(newState, InsertPos);
431 return newState;
432}
433
434ProgramStateRef ProgramState::makeWithStore(const StoreRef &store) const {
435 ProgramState NewSt(*this);
436 NewSt.setStore(store);
437 return getStateManager().getPersistentState(NewSt);
438}
439
440ProgramStateRef ProgramState::cloneAsPosteriorlyOverconstrained() const {
441 ProgramState NewSt(*this);
442 NewSt.PosteriorlyOverconstrained = true;
443 return getStateManager().getPersistentState(NewSt);
444}
445
446void ProgramState::setStore(const StoreRef &newStore) {
447 Store newStoreStore = newStore.getStore();
448 if (newStoreStore)
449 stateMgr->getStoreManager().incrementReferenceCount(newStoreStore);
450 if (store)
451 stateMgr->getStoreManager().decrementReferenceCount(store);
452 store = newStoreStore;
453}
454
455//===----------------------------------------------------------------------===//
456// State pretty-printing.
457//===----------------------------------------------------------------------===//
458
459void ProgramState::printJson(raw_ostream &Out, const LocationContext *LCtx,
460 const char *NL, unsigned int Space,
461 bool IsDot) const {
462 Indent(Out, Space, IsDot) << "\"program_state\": {" << NL;
463 ++Space;
464
465 ProgramStateManager &Mgr = getStateManager();
466
467 // Print the store.
468 Mgr.getStoreManager().printJson(Out, getStore(), NL, Space, IsDot);
469
470 // Print out the environment.
471 Env.printJson(Out, Mgr.getContext(), LCtx, NL, Space, IsDot);
472
473 // Print out the constraints.
474 Mgr.getConstraintManager().printJson(Out, this, NL, Space, IsDot);
475
476 // Print out the tracked dynamic types.
477 printDynamicTypeInfoJson(Out, this, NL, Space, IsDot);
478
479 // Print checker-specific data.
480 Mgr.getOwningEngine().printJson(Out, this, LCtx, NL, Space, IsDot);
481
482 --Space;
483 Indent(Out, Space, IsDot) << '}';
484}
485
486void ProgramState::printDOT(raw_ostream &Out, const LocationContext *LCtx,
487 unsigned int Space) const {
488 printJson(Out, LCtx, /*NL=*/"\\l", Space, /*IsDot=*/true);
489}
490
491LLVM_DUMP_METHOD void ProgramState::dump() const {
492 printJson(llvm::errs());
493}
494
495AnalysisManager& ProgramState::getAnalysisManager() const {
496 return stateMgr->getOwningEngine().getAnalysisManager();
497}
498
499//===----------------------------------------------------------------------===//
500// Generic Data Map.
501//===----------------------------------------------------------------------===//
502
503void *const* ProgramState::FindGDM(void *K) const {
504 return GDM.lookup(K);
505}
506
507void*
508ProgramStateManager::FindGDMContext(void *K,
509 void *(*CreateContext)(llvm::BumpPtrAllocator&),
510 void (*DeleteContext)(void*)) {
511
512 std::pair<void*, void (*)(void*)>& p = GDMContexts[K];
513 if (!p.first) {
514 p.first = CreateContext(Alloc);
515 p.second = DeleteContext;
516 }
517
518 return p.first;
519}
520
521ProgramStateRef ProgramStateManager::addGDM(ProgramStateRef St, void *Key, void *Data){
522 ProgramState::GenericDataMap M1 = St->getGDM();
523 ProgramState::GenericDataMap M2 = GDMFactory.add(M1, Key, Data);
524
525 if (M1 == M2)
526 return St;
527
528 ProgramState NewSt = *St;
529 NewSt.GDM = M2;
530 return getPersistentState(NewSt);
531}
532
533ProgramStateRef ProgramStateManager::removeGDM(ProgramStateRef state, void *Key) {
534 ProgramState::GenericDataMap OldM = state->getGDM();
535 ProgramState::GenericDataMap NewM = GDMFactory.remove(OldM, Key);
536
537 if (NewM == OldM)
538 return state;
539
540 ProgramState NewState = *state;
541 NewState.GDM = NewM;
542 return getPersistentState(NewState);
543}
544
545bool ScanReachableSymbols::scan(nonloc::LazyCompoundVal val) {
546 bool wasVisited = !visited.insert(val.getCVData()).second;
547 if (wasVisited)
548 return true;
549
550 StoreManager &StoreMgr = state->getStateManager().getStoreManager();
551 // FIXME: We don't really want to use getBaseRegion() here because pointer
552 // arithmetic doesn't apply, but scanReachableSymbols only accepts base
553 // regions right now.
554 const MemRegion *R = val.getRegion()->getBaseRegion();
555 return StoreMgr.scanReachableSymbols(val.getStore(), R, *this);
556}
557
558bool ScanReachableSymbols::scan(nonloc::CompoundVal val) {
559 for (nonloc::CompoundVal::iterator I=val.begin(), E=val.end(); I!=E; ++I)
560 if (!scan(*I))
561 return false;
562
563 return true;
564}
565
566bool ScanReachableSymbols::scan(const SymExpr *sym) {
567 for (SymExpr::symbol_iterator SI = sym->symbol_begin(),
568 SE = sym->symbol_end();
569 SI != SE; ++SI) {
570 bool wasVisited = !visited.insert(*SI).second;
571 if (wasVisited)
572 continue;
573
574 if (!visitor.VisitSymbol(*SI))
575 return false;
576 }
577
578 return true;
579}
580
581bool ScanReachableSymbols::scan(SVal val) {
582 if (std::optional<loc::MemRegionVal> X = val.getAs<loc::MemRegionVal>())
583 return scan(X->getRegion());
584
585 if (std::optional<nonloc::LazyCompoundVal> X =
586 val.getAs<nonloc::LazyCompoundVal>())
587 return scan(*X);
588
589 if (std::optional<nonloc::LocAsInteger> X = val.getAs<nonloc::LocAsInteger>())
590 return scan(X->getLoc());
591
592 if (SymbolRef Sym = val.getAsSymbol())
593 return scan(Sym);
594
595 if (std::optional<nonloc::CompoundVal> X = val.getAs<nonloc::CompoundVal>())
596 return scan(*X);
597
598 return true;
599}
600
601bool ScanReachableSymbols::scan(const MemRegion *R) {
602 if (isa<MemSpaceRegion>(R))
603 return true;
604
605 bool wasVisited = !visited.insert(R).second;
606 if (wasVisited)
607 return true;
608
609 if (!visitor.VisitMemRegion(R))
610 return false;
611
612 // If this is a symbolic region, visit the symbol for the region.
613 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R))
614 if (!visitor.VisitSymbol(SR->getSymbol()))
615 return false;
616
617 // If this is a subregion, also visit the parent regions.
618 if (const SubRegion *SR = dyn_cast<SubRegion>(R)) {
619 const MemRegion *Super = SR->getSuperRegion();
620 if (!scan(Super))
621 return false;
622
623 // When we reach the topmost region, scan all symbols in it.
624 if (isa<MemSpaceRegion>(Super)) {
625 StoreManager &StoreMgr = state->getStateManager().getStoreManager();
626 if (!StoreMgr.scanReachableSymbols(state->getStore(), SR, *this))
627 return false;
628 }
629 }
630
631 // Regions captured by a block are also implicitly reachable.
632 if (const BlockDataRegion *BDR = dyn_cast<BlockDataRegion>(R)) {
633 BlockDataRegion::referenced_vars_iterator I = BDR->referenced_vars_begin(),
634 E = BDR->referenced_vars_end();
635 for ( ; I != E; ++I) {
636 if (!scan(I.getCapturedRegion()))
637 return false;
638 }
639 }
640
641 return true;
642}
643
644bool ProgramState::scanReachableSymbols(SVal val, SymbolVisitor& visitor) const {
645 ScanReachableSymbols S(this, visitor);
646 return S.scan(val);
647}
648
649bool ProgramState::scanReachableSymbols(
650 llvm::iterator_range<region_iterator> Reachable,
651 SymbolVisitor &visitor) const {
652 ScanReachableSymbols S(this, visitor);
653 for (const MemRegion *R : Reachable) {
654 if (!S.scan(R))
655 return false;
656 }
657 return true;
658}
V
#define V(N, I)
Definition: ASTContext.h:3217
SM
#define SM(sm)
Definition: Cuda.cpp:78
X
static CompilationDatabasePluginRegistry::Add< FixedCompilationDatabasePlugin > X("fixed-compilation-database", "Reads plain-text flags file")
RegionList
ArrayRef< const MemRegion * > RegionList
Definition: ProgramState.cpp:147
ValueList
ArrayRef< SVal > ValueList
Definition: ProgramState.cpp:148
Data
const char * Data
Definition: StandardLibrary.cpp:36
s
__device__ __2f16 float bool s
Definition: __clang_hip_libdevice_declares.h:320
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:182
clang::ASTContext::IntTy
CanQualType IntTy
Definition: ASTContext.h:1087
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
clang::LocationContext::getSelfDecl
const ImplicitParamDecl * getSelfDecl() const
Definition: AnalysisDeclContext.h:260
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:736
clang::QualType::isNull
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition: Type.h:803
clang::StackFrameContext
It represents a stack frame of the call stack (based on CallEvent).
Definition: AnalysisDeclContext.h:299
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:72
clang::Type::isIntegralOrEnumerationType
bool isIntegralOrEnumerationType() const
Determine whether this type is an integral or enumeration type.
Definition: Type.h:7321
clang::ento::BasicValueFactory::Convert
const llvm::APSInt & Convert(const llvm::APSInt &To, const llvm::APSInt &From)
Convert - Create a new persistent APSInt with the same value as 'From' but with the bitwidth and sign...
Definition: BasicValueFactory.h:168
clang::ento::BasicValueFactory::getMinValue
const llvm::APSInt & getMinValue(const llvm::APSInt &v)
Definition: BasicValueFactory.h:198
clang::ento::BlockDataRegion::referenced_vars_iterator
Definition: MemRegion.h:708
clang::ento::BlockDataRegion::referenced_vars_iterator::getCapturedRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const VarRegion * getCapturedRegion() const
Definition: MemRegion.h:718
clang::ento::BlockDataRegion
BlockDataRegion - A region that represents a block instance.
Definition: MemRegion.h:674
clang::ento::CallEventManager
Manages the lifetime of CallEvent objects.
Definition: CallEvent.h:1279
clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:149
clang::ento::ConstraintManager::assumeDual
ProgramStatePair assumeDual(ProgramStateRef State, DefinedSVal Cond)
Returns a pair of states (StTrue, StFalse) where the given condition is assumed to be true or false,...
Definition: ConstraintManager.cpp:93
clang::ento::ConstraintManager::printJson
virtual void printJson(raw_ostream &Out, ProgramStateRef State, const char *NL, unsigned int Space, bool IsDot) const =0
clang::ento::EnvironmentEntry
An entry in the environment consists of a Stmt and an LocationContext.
Definition: Environment.h:36
clang::ento::EnvironmentManager::bindExpr
Environment bindExpr(Environment Env, const EnvironmentEntry &E, SVal V, bool Invalidate)
Bind a symbolic value to the given environment entry.
Definition: Environment.cpp:136
clang::ento::EnvironmentManager::removeDeadBindings
Environment removeDeadBindings(Environment Env, SymbolReaper &SymReaper, ProgramStateRef state)
Definition: Environment.cpp:178
clang::ento::Environment
An immutable map from EnvironemntEntries to SVals.
Definition: Environment.h:56
clang::ento::Environment::printJson
void printJson(raw_ostream &Out, const ASTContext &Ctx, const LocationContext *LCtx=nullptr, const char *NL="\n", unsigned int Space=0, bool IsDot=false) const
Definition: Environment.cpp:215
clang::ento::ExprEngine::processRegionChange
ProgramStateRef processRegionChange(ProgramStateRef state, const MemRegion *MR, const LocationContext *LCtx)
Definition: ExprEngine.h:412
clang::ento::ExprEngine::printJson
void printJson(raw_ostream &Out, ProgramStateRef State, const LocationContext *LCtx, const char *NL, unsigned int Space, bool IsDot) const
printJson - Called by ProgramStateManager to print checker-specific data.
Definition: ExprEngine.cpp:934
clang::ento::ExprEngine::processRegionChanges
ProgramStateRef processRegionChanges(ProgramStateRef state, const InvalidatedSymbols *invalidated, ArrayRef< const MemRegion * > ExplicitRegions, ArrayRef< const MemRegion * > Regions, const LocationContext *LCtx, const CallEvent *Call)
processRegionChanges - Called by ProgramStateManager whenever a change is made to the store.
Definition: ExprEngine.cpp:668
clang::ento::ExprEngine::notifyCheckersOfPointerEscape
ProgramStateRef notifyCheckersOfPointerEscape(ProgramStateRef State, const InvalidatedSymbols *Invalidated, ArrayRef< const MemRegion * > ExplicitRegions, const CallEvent *Call, RegionAndSymbolInvalidationTraits &ITraits)
Call PointerEscape callback when a value escapes as a result of region invalidation.
Definition: ExprEngine.cpp:3513
clang::ento::ExprEngine::getAnalysisManager
AnalysisManager & getAnalysisManager()
Definition: ExprEngine.h:206
clang::ento::Loc::isLocType
static bool isLocType(QualType T)
Definition: SVals.h:289
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:95
clang::ento::MemRegion::isBoundable
virtual bool isBoundable() const
Definition: MemRegion.h:179
clang::ento::MemRegion::getBaseRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getBaseRegion() const
Definition: MemRegion.cpp:1307
clang::ento::ProgramStateManager::removeDeadBindingsFromEnvironmentAndStore
ProgramStateRef removeDeadBindingsFromEnvironmentAndStore(ProgramStateRef St, const StackFrameContext *LCtx, SymbolReaper &SymReaper)
Definition: ProgramState.cpp:91
clang::ento::ProgramStateManager::removeGDM
ProgramStateRef removeGDM(ProgramStateRef state, void *Key)
Definition: ProgramState.cpp:533
clang::ento::ProgramStateManager::FindGDMContext
void * FindGDMContext(void *index, void *(*CreateContext)(llvm::BumpPtrAllocator &), void(*DeleteContext)(void *))
Definition: ProgramState.cpp:508
clang::ento::ProgramStateManager::getPersistentStateWithGDM
ProgramStateRef getPersistentStateWithGDM(ProgramStateRef FromState, ProgramStateRef GDMState)
Definition: ProgramState.cpp:404
clang::ento::ProgramStateManager::addGDM
ProgramStateRef addGDM(ProgramStateRef St, void *Key, void *Data)
Definition: ProgramState.cpp:521
clang::ento::ProgramStateManager::getPersistentState
ProgramStateRef getPersistentState(ProgramState &Impl)
Definition: ProgramState.cpp:412
clang::ento::ProgramStateManager::getInitialState
ProgramStateRef getInitialState(const LocationContext *InitLoc)
Definition: ProgramState.cpp:395
clang::ento::ProgramStateManager::ProgramStateManager
ProgramStateManager(ASTContext &Ctx, StoreManagerCreator CreateStoreManager, ConstraintManagerCreator CreateConstraintManager, llvm::BumpPtrAllocator &alloc, ExprEngine *expreng)
Definition: ProgramState.cpp:72
clang::ento::ProgramStateManager::getConstraintManager
ConstraintManager & getConstraintManager()
Definition: ProgramState.h:580
clang::ento::ProgramState
ProgramState - This class encapsulates:
Definition: ProgramState.h:71
clang::ento::ProgramState::scanReachableSymbols
bool scanReachableSymbols(SVal val, SymbolVisitor &visitor) const
Visits the symbols reachable from the given SVal using the provided SymbolVisitor.
Definition: ProgramState.cpp:644
clang::ento::ProgramState::bindDefaultZero
ProgramStateRef bindDefaultZero(SVal loc, const LocationContext *LCtx) const
Performs C++ zero-initialization procedure on the region of memory represented by loc.
Definition: ProgramState.cpp:139
clang::ento::ProgramState::GenericDataMap
llvm::ImmutableMap< void *, void * > GenericDataMap
Definition: ProgramState.h:74
clang::ento::ProgramState::BindExpr
ProgramStateRef BindExpr(const Stmt *S, const LocationContext *LCtx, SVal V, bool Invalidate=true) const
Create a new state by binding the value 'V' to the statement 'S' in the state's environment.
Definition: ProgramState.cpp:302
clang::ento::ProgramState::printJson
void printJson(raw_ostream &Out, const LocationContext *LCtx=nullptr, const char *NL="\n", unsigned int Space=0, bool IsDot=false) const
Definition: ProgramState.cpp:459
clang::ento::ProgramState::bindDefaultInitial
ProgramStateRef bindDefaultInitial(SVal loc, SVal V, const LocationContext *LCtx) const
Initializes the region of memory represented by loc with an initial value.
Definition: ProgramState.cpp:129
clang::ento::ProgramState::getConstraintManager
ConstraintManager & getConstraintManager() const
Return the ConstraintManager.
Definition: ProgramState.h:696
clang::ento::ProgramState::getSValAsScalarOrLoc
SVal getSValAsScalarOrLoc(const Stmt *Ex, const LocationContext *LCtx) const
Definition: ProgramState.h:812
clang::ento::ProgramState::getSelfSVal
SVal getSelfSVal(const LocationContext *LC) const
Return the value of 'self' if available in the given context.
Definition: ProgramState.cpp:238
clang::ento::ProgramState::getRawSVal
SVal getRawSVal(Loc LV, QualType T=QualType()) const
Returns the "raw" SVal bound to LV before any value simplfication.
Definition: ProgramState.h:824
clang::ento::ProgramState::isNull
ConditionTruthVal isNull(SVal V) const
Check if the given SVal is constrained to zero or is a zero constant.
Definition: ProgramState.cpp:381
clang::ento::ProgramState::getStateManager
ProgramStateManager & getStateManager() const
Return the ProgramStateManager associated with this state.
Definition: ProgramState.h:147
clang::ento::ProgramState::killBinding
ProgramStateRef killBinding(Loc LV) const
Definition: ProgramState.cpp:219
clang::ento::ProgramState::ProgramState
ProgramState(ProgramStateManager *mgr, const Environment &env, StoreRef st, GenericDataMap gdm)
This ctor is used when creating the first ProgramState object.
Definition: ProgramState.cpp:47
clang::ento::ProgramState::getStore
Store getStore() const
Return the store associated with this state.
Definition: ProgramState.h:162
clang::ento::ProgramState::invalidateRegions
ProgramStateRef invalidateRegions(ArrayRef< const MemRegion * > Regions, const Expr *E, unsigned BlockCount, const LocationContext *LCtx, bool CausesPointerEscape, InvalidatedSymbols *IS=nullptr, const CallEvent *Call=nullptr, RegionAndSymbolInvalidationTraits *ITraits=nullptr) const
Returns the state with bindings for the given regions cleared from the store.
clang::ento::ProgramState::areEqual
ConditionTruthVal areEqual(SVal Lhs, SVal Rhs) const
Definition: ProgramState.cpp:377
clang::ento::ProgramState::printDOT
void printDOT(raw_ostream &Out, const LocationContext *LCtx=nullptr, unsigned int Space=0) const
Definition: ProgramState.cpp:486
clang::ento::ProgramState::isNonNull
ConditionTruthVal isNonNull(SVal V) const
Check if the given SVal is not constrained to zero and is not a zero constant.
Definition: ProgramState.cpp:370
clang::ento::ProgramState::assumeInBound
ProgramStateRef assumeInBound(DefinedOrUnknownSVal idx, DefinedOrUnknownSVal upperBound, bool assumption, QualType IndexType=QualType()) const
Definition: ProgramState.cpp:361
clang::ento::ProgramState::enterStackFrame
ProgramStateRef enterStackFrame(const CallEvent &Call, const StackFrameContext *CalleeCtx) const
enterStackFrame - Returns the state for entry to the given stack frame, preserving the current state.
Definition: ProgramState.cpp:231
clang::ento::ProgramState::getRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const VarRegion * getRegion(const VarDecl *D, const LocationContext *LC) const
Utility method for getting regions.
Definition: ProgramState.h:700
clang::ento::ProgramState::getSVal
SVal getSVal(const Stmt *S, const LocationContext *LCtx) const
Returns the SVal bound to the statement 'S' in the state's environment.
Definition: ProgramState.h:805
clang::ento::ProgramState::bindLoc
ProgramStateRef bindLoc(Loc location, SVal V, const LocationContext *LCtx, bool notifyChanges=true) const
Definition: ProgramState.cpp:114
clang::ento::ProgramState::getBasicVals
BasicValueFactory & getBasicVals() const
Definition: ProgramState.h:834
clang::ento::ProgramState::assumeInBoundDual
std::pair< ProgramStateRef, ProgramStateRef > assumeInBoundDual(DefinedOrUnknownSVal idx, DefinedOrUnknownSVal upperBound, QualType IndexType=QualType()) const
Definition: ProgramState.cpp:317
clang::ento::ProgramState::getAnalysisManager
AnalysisManager & getAnalysisManager() const
Definition: ProgramState.cpp:495
clang::ento::ProgramState::FindGDM
void *const * FindGDM(void *K) const
Definition: ProgramState.cpp:503
clang::ento::RegionAndSymbolInvalidationTraits
Information about invalidation for a particular region/symbol.
Definition: MemRegion.h:1570
clang::ento::SValBuilder::getBasicValueFactory
BasicValueFactory & getBasicValueFactory()
Definition: SValBuilder.h:149
clang::ento::SValBuilder::getContext
ASTContext & getContext()
Definition: SValBuilder.h:136
clang::ento::SValBuilder::getArrayIndexType
QualType getArrayIndexType() const
Definition: SValBuilder.h:145
clang::ento::SValBuilder::evalBinOpNN
virtual SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, NonLoc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two non- location operands.
clang::ento::SValBuilder::areEqual
ConditionTruthVal areEqual(ProgramStateRef state, SVal lhs, SVal rhs)
Definition: SValBuilder.cpp:536
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:72
clang::ento::SVal::isUnknownOrUndef
bool isUnknownOrUndef() const
Definition: SVals.h:132
clang::ento::SVal::getAsSymbol
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:104
clang::ento::SVal::getAs
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition: SVals.h:103
clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:99
clang::ento::SVal::isUnknown
bool isUnknown() const
Definition: SVals.h:124
clang::ento::ScanReachableSymbols
A utility class that visits the reachable symbols using a custom SymbolVisitor.
Definition: ProgramState.h:905
clang::ento::ScanReachableSymbols::scan
bool scan(nonloc::LazyCompoundVal val)
Definition: ProgramState.cpp:545
clang::ento::StoreManager::scanReachableSymbols
virtual bool scanReachableSymbols(Store S, const MemRegion *R, ScanReachableSymbols &Visitor)=0
Finds the transitive closure of symbols within the given region.
clang::ento::StoreManager::decrementReferenceCount
virtual void decrementReferenceCount(Store store)
If the StoreManager supports it, decrement the reference count of the specified Store object.
Definition: Store.h:201
clang::ento::StoreManager::incrementReferenceCount
virtual void incrementReferenceCount(Store store)
If the StoreManager supports it, increment the reference count of the specified Store object.
Definition: Store.h:196
clang::ento::StoreManager::printJson
virtual void printJson(raw_ostream &Out, Store S, const char *NL, unsigned int Space, bool IsDot) const =0
clang::ento::StoreRef::getStore
Store getStore() const
Definition: StoreRef.h:46
clang::ento::SubRegion
SubRegion - A region that subsets another larger region.
Definition: MemRegion.h:442
clang::ento::SymExpr::symbol_iterator
Iterator over symbols that the current symbol depends on.
Definition: SymExpr.h:70
clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:29
clang::ento::SymExpr::symbol_end
static symbol_iterator symbol_end()
Definition: SymExpr.h:87
clang::ento::SymExpr::symbol_begin
symbol_iterator symbol_begin() const
Definition: SymExpr.h:86
clang::ento::SymbolReaper
A class responsible for cleaning up unused symbols.
Definition: SymbolManager.h:572
clang::ento::SymbolReaper::setReapedStore
void setReapedStore(StoreRef st)
Set to the value of the symbolic store after StoreManager::removeDeadBindings has been called.
Definition: SymbolManager.h:653
clang::ento::SymbolVisitor::VisitMemRegion
virtual bool VisitMemRegion(const MemRegion *)
Definition: SymbolManager.h:680
clang::ento::SymbolVisitor::VisitSymbol
virtual bool VisitSymbol(SymbolRef sym)=0
A visitor method invoked by ProgramStateManager::scanReachableSymbols.
clang::ento::SymbolicRegion
SymbolicRegion - A special, "non-concrete" region.
Definition: MemRegion.h:770
clang::ento::TypedValueRegion
TypedValueRegion - An abstract class representing regions having a typed value.
Definition: MemRegion.h:531
clang::ento::nonloc::CompoundVal::iterator
llvm::ImmutableList< SVal >::iterator iterator
Definition: SVals.h:389
clang::ento::nonloc::ConcreteInt
Value representing integer constant.
Definition: SVals.h:329
clang::ento::nonloc::LazyCompoundVal::getCVData
LLVM_ATTRIBUTE_RETURNS_NONNULL const LazyCompoundValData * getCVData() const
Definition: SVals.h:411
clang::ento::nonloc::LazyCompoundVal::getRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const TypedValueRegion * getRegion() const
Definition: SVals.cpp:197
clang::ento::nonloc::LazyCompoundVal::getStore
const void * getStore() const
It might return null.
Definition: SVals.cpp:193
clang::ento::createSimpleSValBuilder
SValBuilder * createSimpleSValBuilder(llvm::BumpPtrAllocator &alloc, ASTContext &context, ProgramStateManager &stateMgr)
Definition: SimpleSValBuilder.cpp:86
clang::ento::printDynamicTypeInfoJson
void printDynamicTypeInfoJson(raw_ostream &Out, ProgramStateRef State, const char *NL="\n", unsigned int Space=0, bool IsDot=false)
clang::ento::ConstraintManagerCreator
std::unique_ptr< ConstraintManager >(* ConstraintManagerCreator)(ProgramStateManager &, ExprEngine *)
Definition: ProgramState.h:42
clang::ento::StoreManagerCreator
std::unique_ptr< StoreManager >(* StoreManagerCreator)(ProgramStateManager &)
Definition: ProgramState.h:44
clang::ento::Store
const void * Store
Store - This opaque type encapsulates an immutable mapping from locations to values.
Definition: StoreRef.h:27
clang::ento::ProgramStateRetain
void ProgramStateRetain(const ProgramState *state)
Increments the number of times this state is referenced.
Definition: ProgramState.cpp:30
clang::ento::ProgramStateRelease
void ProgramStateRelease(const ProgramState *state)
Decrement the number of times this state is referenced.
Definition: ProgramState.cpp:35
clang::if
if(T->getSizeExpr()) TRY_TO(TraverseStmt(T -> getSizeExpr()))
Definition: RecursiveASTVisitor.h:1081
Generated on Mon Mar 20 2023 18:06:36 for clang by doxygen 1.9.6