doxygen/StackAddrEscapeChecker_8cpp_source.html

//=== StackAddrEscapeChecker.cpp ----------------------------------*- C++ -*--//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// This file defines stack address leak checker, which checks if an invalid

// stack address is stored into a global or heap location. See CERT DCL30-C.

//

//===----------------------------------------------------------------------===//


#include "clang/AST/ExprCXX.h"

#include "clang/Basic/SourceManager.h"

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"

#include "llvm/ADT/SmallString.h"

#include "llvm/Support/raw_ostream.h"

using namespace clang;

using namespace ento;


namespace {

class StackAddrEscapeChecker

    : public Checker<check::PreCall, check::PreStmt<ReturnStmt>,

                     check::EndFunction> {

  mutable IdentifierInfo *dispatch_semaphore_tII;

  mutable std::unique_ptr<BuiltinBug> BT_stackleak;

  mutable std::unique_ptr<BuiltinBug> BT_returnstack;

  mutable std::unique_ptr<BuiltinBug> BT_capturedstackasync;

  mutable std::unique_ptr<BuiltinBug> BT_capturedstackret;


public:

  enum CheckKind {

    CK_StackAddrEscapeChecker,

    CK_StackAddrAsyncEscapeChecker,

    CK_NumCheckKinds

  };


  bool ChecksEnabled[CK_NumCheckKinds] = {false};

  CheckerNameRef CheckNames[CK_NumCheckKinds];


  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;

  void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;

  void checkEndFunction(const ReturnStmt *RS, CheckerContext &Ctx) const;


private:

  void checkReturnedBlockCaptures(const BlockDataRegion &B,

                                  CheckerContext &C) const;

  void checkAsyncExecutedBlockCaptures(const BlockDataRegion &B,

                                       CheckerContext &C) const;

  void EmitStackError(CheckerContext &C, const MemRegion *R,

                      const Expr *RetE) const;

  bool isSemaphoreCaptured(const BlockDecl &B) const;

  static SourceRange genName(raw_ostream &os, const MemRegion *R,

                             ASTContext &Ctx);

  static SmallVector<const MemRegion *, 4>

  getCapturedStackRegions(const BlockDataRegion &B, CheckerContext &C);

  static bool isNotInCurrentFrame(const MemRegion *R, CheckerContext &C);

};

} // namespace


SourceRange StackAddrEscapeChecker::genName(raw_ostream &os, const MemRegion *R,

                                            ASTContext &Ctx) {

  // Get the base region, stripping away fields and elements.

  R = R->getBaseRegion();

  SourceManager &SM = Ctx.getSourceManager();

  SourceRange range;

  os << "Address of ";


  // Check if the region is a compound literal.

  if (const auto *CR = dyn_cast<CompoundLiteralRegion>(R)) {

    const CompoundLiteralExpr *CL = CR->getLiteralExpr();

    os << "stack memory associated with a compound literal "

          "declared on line "

       << SM.getExpansionLineNumber(CL->getBeginLoc()) << " returned to caller";

    range = CL->getSourceRange();

  } else if (const auto *AR = dyn_cast<AllocaRegion>(R)) {

    const Expr *ARE = AR->getExpr();

    SourceLocation L = ARE->getBeginLoc();

    range = ARE->getSourceRange();

    os << "stack memory allocated by call to alloca() on line "

       << SM.getExpansionLineNumber(L);

  } else if (const auto *BR = dyn_cast<BlockDataRegion>(R)) {

    const BlockDecl *BD = BR->getCodeRegion()->getDecl();

    SourceLocation L = BD->getBeginLoc();

    range = BD->getSourceRange();

    os << "stack-allocated block declared on line "

       << SM.getExpansionLineNumber(L);

  } else if (const auto *VR = dyn_cast<VarRegion>(R)) {

    os << "stack memory associated with local variable '" << VR->getString()

       << '\'';

    range = VR->getDecl()->getSourceRange();

  } else if (const auto *TOR = dyn_cast<CXXTempObjectRegion>(R)) {

    QualType Ty = TOR->getValueType().getLocalUnqualifiedType();

    os << "stack memory associated with temporary object of type '";

    Ty.print(os, Ctx.getPrintingPolicy());

    os << "'";

    range = TOR->getExpr()->getSourceRange();

  } else {

    llvm_unreachable("Invalid region in ReturnStackAddressChecker.");

  }


  return range;

}


bool StackAddrEscapeChecker::isNotInCurrentFrame(const MemRegion *R,

                                                 CheckerContext &C) {

  const StackSpaceRegion *S = cast<StackSpaceRegion>(R->getMemorySpace());

  return S->getStackFrame() != C.getStackFrame();

}


bool StackAddrEscapeChecker::isSemaphoreCaptured(const BlockDecl &B) const {

  if (!dispatch_semaphore_tII)

    dispatch_semaphore_tII = &B.getASTContext().Idents.get("dispatch_semaphore_t");

  for (const auto &C : B.captures()) {

    const auto *T = C.getVariable()->getType()->getAs<TypedefType>();

    if (T && T->getDecl()->getIdentifier() == dispatch_semaphore_tII)

      return true;

  }

  return false;

}


SmallVector<const MemRegion *, 4>

StackAddrEscapeChecker::getCapturedStackRegions(const BlockDataRegion &B,

                                                CheckerContext &C) {

  SmallVector<const MemRegion *, 4> Regions;

  BlockDataRegion::referenced_vars_iterator I = B.referenced_vars_begin();

  BlockDataRegion::referenced_vars_iterator E = B.referenced_vars_end();

  for (; I != E; ++I) {

    SVal Val = C.getState()->getSVal(I.getCapturedRegion());

    const MemRegion *Region = Val.getAsRegion();

    if (Region && isa<StackSpaceRegion>(Region->getMemorySpace()))

      Regions.push_back(Region);

  }

  return Regions;

}


void StackAddrEscapeChecker::EmitStackError(CheckerContext &C,

                                            const MemRegion *R,

                                            const Expr *RetE) const {

  ExplodedNode *N = C.generateNonFatalErrorNode();

  if (!N)

    return;

  if (!BT_returnstack)

    BT_returnstack = std::make_unique<BuiltinBug>(

        CheckNames[CK_StackAddrEscapeChecker],

        "Return of address to stack-allocated memory");

  // Generate a report for this bug.

  SmallString<128> buf;

  llvm::raw_svector_ostream os(buf);

  SourceRange range = genName(os, R, C.getASTContext());

  os << " returned to caller";

  auto report =

      std::make_unique<PathSensitiveBugReport>(*BT_returnstack, os.str(), N);

  report->addRange(RetE->getSourceRange());

  if (range.isValid())

    report->addRange(range);

  C.emitReport(std::move(report));

}


void StackAddrEscapeChecker::checkAsyncExecutedBlockCaptures(

    const BlockDataRegion &B, CheckerContext &C) const {

  // There is a not-too-uncommon idiom

  // where a block passed to dispatch_async captures a semaphore

  // and then the thread (which called dispatch_async) is blocked on waiting

  // for the completion of the execution of the block

  // via dispatch_semaphore_wait. To avoid false-positives (for now)

  // we ignore all the blocks which have captured

  // a variable of the type "dispatch_semaphore_t".

  if (isSemaphoreCaptured(*B.getDecl()))

    return;

  for (const MemRegion *Region : getCapturedStackRegions(B, C)) {

    // The block passed to dispatch_async may capture another block

    // created on the stack. However, there is no leak in this situaton,

    // no matter if ARC or no ARC is enabled:

    // dispatch_async copies the passed "outer" block (via Block_copy)

    // and if the block has captured another "inner" block,

    // the "inner" block will be copied as well.

    if (isa<BlockDataRegion>(Region))

      continue;

    ExplodedNode *N = C.generateNonFatalErrorNode();

    if (!N)

      continue;

    if (!BT_capturedstackasync)

      BT_capturedstackasync = std::make_unique<BuiltinBug>(

          CheckNames[CK_StackAddrAsyncEscapeChecker],

          "Address of stack-allocated memory is captured");

    SmallString<128> Buf;

    llvm::raw_svector_ostream Out(Buf);

    SourceRange Range = genName(Out, Region, C.getASTContext());

    Out << " is captured by an asynchronously-executed block";

    auto Report = std::make_unique<PathSensitiveBugReport>(

        *BT_capturedstackasync, Out.str(), N);

    if (Range.isValid())

      Report->addRange(Range);

    C.emitReport(std::move(Report));

  }

}


void StackAddrEscapeChecker::checkReturnedBlockCaptures(

    const BlockDataRegion &B, CheckerContext &C) const {

  for (const MemRegion *Region : getCapturedStackRegions(B, C)) {

    if (isNotInCurrentFrame(Region, C))

      continue;

    ExplodedNode *N = C.generateNonFatalErrorNode();

    if (!N)

      continue;

    if (!BT_capturedstackret)

      BT_capturedstackret = std::make_unique<BuiltinBug>(

          CheckNames[CK_StackAddrEscapeChecker],

          "Address of stack-allocated memory is captured");

    SmallString<128> Buf;

    llvm::raw_svector_ostream Out(Buf);

    SourceRange Range = genName(Out, Region, C.getASTContext());

    Out << " is captured by a returned block";

    auto Report = std::make_unique<PathSensitiveBugReport>(*BT_capturedstackret,

                                                           Out.str(), N);

    if (Range.isValid())

      Report->addRange(Range);

    C.emitReport(std::move(Report));

  }

}


void StackAddrEscapeChecker::checkPreCall(const CallEvent &Call,

                                          CheckerContext &C) const {

  if (!ChecksEnabled[CK_StackAddrAsyncEscapeChecker])

    return;

  if (!Call.isGlobalCFunction("dispatch_after") &&

      !Call.isGlobalCFunction("dispatch_async"))

    return;

  for (unsigned Idx = 0, NumArgs = Call.getNumArgs(); Idx < NumArgs; ++Idx) {

    if (const BlockDataRegion *B = dyn_cast_or_null<BlockDataRegion>(

            Call.getArgSVal(Idx).getAsRegion()))

      checkAsyncExecutedBlockCaptures(*B, C);

  }

}


void StackAddrEscapeChecker::checkPreStmt(const ReturnStmt *RS,

                                          CheckerContext &C) const {

  if (!ChecksEnabled[CK_StackAddrEscapeChecker])

    return;


  const Expr *RetE = RS->getRetValue();

  if (!RetE)

    return;

  RetE = RetE->IgnoreParens();


  SVal V = C.getSVal(RetE);

  const MemRegion *R = V.getAsRegion();

  if (!R)

    return;


  if (const BlockDataRegion *B = dyn_cast<BlockDataRegion>(R))

    checkReturnedBlockCaptures(*B, C);


  if (!isa<StackSpaceRegion>(R->getMemorySpace()) || isNotInCurrentFrame(R, C))

    return;


  // Returning a record by value is fine. (In this case, the returned

  // expression will be a copy-constructor, possibly wrapped in an

  // ExprWithCleanups node.)

  if (const ExprWithCleanups *Cleanup = dyn_cast<ExprWithCleanups>(RetE))

    RetE = Cleanup->getSubExpr();

  if (isa<CXXConstructExpr>(RetE) && RetE->getType()->isRecordType())

    return;


  // The CK_CopyAndAutoreleaseBlockObject cast causes the block to be copied

  // so the stack address is not escaping here.

  if (const auto *ICE = dyn_cast<ImplicitCastExpr>(RetE)) {

    if (isa<BlockDataRegion>(R) &&

        ICE->getCastKind() == CK_CopyAndAutoreleaseBlockObject) {

      return;

    }

  }


  EmitStackError(C, R, RetE);

}


void StackAddrEscapeChecker::checkEndFunction(const ReturnStmt *RS,

                                              CheckerContext &Ctx) const {

  if (!ChecksEnabled[CK_StackAddrEscapeChecker])

    return;


  ProgramStateRef State = Ctx.getState();


  // Iterate over all bindings to global variables and see if it contains

  // a memory region in the stack space.

  class CallBack : public StoreManager::BindingsHandler {

  private:

    CheckerContext &Ctx;

    const StackFrameContext *PoppedFrame;


    /// Look for stack variables referring to popped stack variables.

    /// Returns true only if it found some dangling stack variables

    /// referred by an other stack variable from different stack frame.

    bool checkForDanglingStackVariable(const MemRegion *Referrer,

                                       const MemRegion *Referred) {

      const auto *ReferrerMemSpace =

          Referrer->getMemorySpace()->getAs<StackSpaceRegion>();

      const auto *ReferredMemSpace =

          Referred->getMemorySpace()->getAs<StackSpaceRegion>();


      if (!ReferrerMemSpace || !ReferredMemSpace)

        return false;


      const auto *ReferrerFrame = ReferrerMemSpace->getStackFrame();

      const auto *ReferredFrame = ReferredMemSpace->getStackFrame();


      if (ReferrerMemSpace && ReferredMemSpace) {

        if (ReferredFrame == PoppedFrame &&

            ReferrerFrame->isParentOf(PoppedFrame)) {

          V.emplace_back(Referrer, Referred);

          return true;

        }

      }

      return false;

    }


  public:

    SmallVector<std::pair<const MemRegion *, const MemRegion *>, 10> V;


    CallBack(CheckerContext &CC) : Ctx(CC), PoppedFrame(CC.getStackFrame()) {}


    bool HandleBinding(StoreManager &SMgr, Store S, const MemRegion *Region,

                       SVal Val) override {

      const MemRegion *VR = Val.getAsRegion();

      if (!VR)

        return true;


      if (checkForDanglingStackVariable(Region, VR))

        return true;


      // Check the globals for the same.

      if (!isa<GlobalsSpaceRegion>(Region->getMemorySpace()))

        return true;

      if (VR && VR->hasStackStorage() && !isNotInCurrentFrame(VR, Ctx))

        V.emplace_back(Region, VR);

      return true;

    }

  };


  CallBack Cb(Ctx);

  State->getStateManager().getStoreManager().iterBindings(State->getStore(),

                                                          Cb);


  if (Cb.V.empty())

    return;


  // Generate an error node.

  ExplodedNode *N = Ctx.generateNonFatalErrorNode(State);

  if (!N)

    return;


  if (!BT_stackleak)

    BT_stackleak = std::make_unique<BuiltinBug>(

        CheckNames[CK_StackAddrEscapeChecker],

        "Stack address stored into global variable",

        "Stack address was saved into a global variable. "

        "This is dangerous because the address will become "

        "invalid after returning from the function");


  for (const auto &P : Cb.V) {

    const MemRegion *Referrer = P.first;

    const MemRegion *Referred = P.second;


    // Generate a report for this bug.

    const StringRef CommonSuffix =

        "upon returning to the caller.  This will be a dangling reference";

    SmallString<128> Buf;

    llvm::raw_svector_ostream Out(Buf);

    const SourceRange Range = genName(Out, Referred, Ctx.getASTContext());


    if (isa<CXXTempObjectRegion>(Referrer)) {

      Out << " is still referred to by a temporary object on the stack "

          << CommonSuffix;

      auto Report =

          std::make_unique<PathSensitiveBugReport>(*BT_stackleak, Out.str(), N);

      Ctx.emitReport(std::move(Report));

      return;

    }


    const StringRef ReferrerMemorySpace = [](const MemSpaceRegion *Space) {

      if (isa<StaticGlobalSpaceRegion>(Space))

        return "static";

      if (isa<GlobalsSpaceRegion>(Space))

        return "global";

      assert(isa<StackSpaceRegion>(Space));

      return "stack";

    }(Referrer->getMemorySpace());


    // This cast supposed to succeed.

    const VarRegion *ReferrerVar = cast<VarRegion>(Referrer->getBaseRegion());

    const std::string ReferrerVarName =

        ReferrerVar->getDecl()->getDeclName().getAsString();


    Out << " is still referred to by the " << ReferrerMemorySpace

        << " variable '" << ReferrerVarName << "' " << CommonSuffix;

    auto Report =

        std::make_unique<PathSensitiveBugReport>(*BT_stackleak, Out.str(), N);

    if (Range.isValid())

      Report->addRange(Range);


    Ctx.emitReport(std::move(Report));

  }

}


void ento::registerStackAddrEscapeBase(CheckerManager &mgr) {

  mgr.registerChecker<StackAddrEscapeChecker>();

}


bool ento::shouldRegisterStackAddrEscapeBase(const CheckerManager &mgr) {

  return true;

}


#define REGISTER_CHECKER(name)                                                 \

  void ento::register##name(CheckerManager &Mgr) {                             \

    StackAddrEscapeChecker *Chk = Mgr.getChecker<StackAddrEscapeChecker>();    \

    Chk->ChecksEnabled[StackAddrEscapeChecker::CK_##name] = true;              \

    Chk->CheckNames[StackAddrEscapeChecker::CK_##name] =                       \

        Mgr.getCurrentCheckerName();                                           \

  }                                                                            \

                                                                               \

  bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }


REGISTER_CHECKER(StackAddrEscapeChecker)

REGISTER_CHECKER(StackAddrAsyncEscapeChecker)

V
#define V(N, I)
Definition: ASTContext.h:3217

P
StringRef P
Definition: ASTMatchersInternal.cpp:564

SM
#define SM(sm)
Definition: Cuda.cpp:78

BugType.h

BuiltinCheckerRegistration.h

CallEvent.h

CheckerContext.h

CheckerManager.h

Checker.h

ExprCXX.h
Defines the clang::Expr interface and subclasses for C++ expressions.

ProgramState.h

SourceManager.h
Defines the SourceManager interface.

REGISTER_CHECKER
#define REGISTER_CHECKER(name)
Definition: StackAddrEscapeChecker.cpp:421

clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:182

clang::ASTContext::getSourceManager
SourceManager & getSourceManager()
Definition: ASTContext.h:692

clang::ASTContext::Idents
IdentifierTable & Idents
Definition: ASTContext.h:631

clang::ASTContext::getPrintingPolicy
const clang::PrintingPolicy & getPrintingPolicy() const
Definition: ASTContext.h:684

clang::BlockDecl
Represents a block literal declaration, which is like an unnamed FunctionDecl.
Definition: Decl.h:4334

clang::BlockDecl::captures
ArrayRef< Capture > captures() const
Definition: Decl.h:4461

clang::BlockDecl::getSourceRange
SourceRange getSourceRange() const override LLVM_READONLY
Source range that this declaration covers.
Definition: Decl.cpp:4965

clang::CompoundLiteralExpr
CompoundLiteralExpr - [C99 6.5.2.5].
Definition: Expr.h:3412

clang::CompoundLiteralExpr::getBeginLoc
SourceLocation getBeginLoc() const LLVM_READONLY
Definition: Expr.h:3452

clang::Decl::getASTContext
ASTContext & getASTContext() const LLVM_READONLY
Definition: DeclBase.cpp:428

clang::Decl::getBeginLoc
SourceLocation getBeginLoc() const LLVM_READONLY
Definition: DeclBase.h:424

clang::DeclarationName::getAsString
std::string getAsString() const
Retrieve the human-readable string for this name.
Definition: DeclarationName.cpp:229

clang::ExprWithCleanups
Represents an expression – generally a full-expression – that introduces cleanups to be run at the en...
Definition: ExprCXX.h:3420

clang::Expr
This represents one expression.
Definition: Expr.h:110

clang::Expr::IgnoreParens
Expr * IgnoreParens() LLVM_READONLY
Skip past any parentheses which might surround this expression until reaching a fixed point.
Definition: Expr.cpp:3042

clang::Expr::getType
QualType getType() const
Definition: Expr.h:142

clang::IdentifierInfo
One of these records is kept for each identifier that is lexed.
Definition: IdentifierTable.h:85

clang::IdentifierTable::get
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
Definition: IdentifierTable.h:597

clang::NamedDecl::getDeclName
DeclarationName getDeclName() const
Get the actual, stored name of the declaration, which may be a special name.
Definition: Decl.h:313

clang::QualType
A (possibly-)qualified type.
Definition: Type.h:736

clang::QualType::print
void print(raw_ostream &OS, const PrintingPolicy &Policy, const Twine &PlaceHolder=Twine(), unsigned Indentation=0) const
Definition: TypePrinter.cpp:2355

clang::ReturnStmt
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:2806

clang::ReturnStmt::getRetValue
Expr * getRetValue()
Definition: Stmt.h:2837

clang::SourceLocation
Encodes a location in the source.
Definition: SourceLocation.h:86

clang::SourceManager
This class handles loading and caching of source files into memory.
Definition: SourceManager.h:638

clang::SourceRange
A trivial tuple used to represent a source range.
Definition: SourceLocation.h:210

clang::StackFrameContext
It represents a stack frame of the call stack (based on CallEvent).
Definition: AnalysisDeclContext.h:299

clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:325

clang::Stmt::getBeginLoc
SourceLocation getBeginLoc() const LLVM_READONLY
Definition: Stmt.cpp:337

clang::Type::isRecordType
bool isRecordType() const
Definition: Type.h:7000

clang::TypedefType
Definition: Type.h:4556

clang::ento::BlockDataRegion::referenced_vars_iterator
Definition: MemRegion.h:708

clang::ento::BlockDataRegion::referenced_vars_iterator::getCapturedRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const VarRegion * getCapturedRegion() const
Definition: MemRegion.h:718

clang::ento::BlockDataRegion
BlockDataRegion - A region that represents a block instance.
Definition: MemRegion.h:674

clang::ento::BlockDataRegion::getDecl
LLVM_ATTRIBUTE_RETURNS_NONNULL const BlockDecl * getDecl() const
Definition: MemRegion.h:704

clang::ento::BlockDataRegion::referenced_vars_begin
referenced_vars_iterator referenced_vars_begin() const
Definition: MemRegion.cpp:1687

clang::ento::BlockDataRegion::referenced_vars_end
referenced_vars_iterator referenced_vars_end() const
Definition: MemRegion.cpp:1703

clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:149

clang::ento::CheckerContext
Definition: CheckerContext.h:24

clang::ento::CheckerContext::getASTContext
ASTContext & getASTContext()
Definition: CheckerContext.h:84

clang::ento::CheckerContext::getState
const ProgramStateRef & getState() const
Definition: CheckerContext.h:72

clang::ento::CheckerContext::generateNonFatalErrorNode
ExplodedNode * generateNonFatalErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
Definition: CheckerContext.h:239

clang::ento::CheckerContext::emitReport
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
Definition: CheckerContext.h:261

clang::ento::CheckerManager
Definition: CheckerManager.h:126

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204

clang::ento::CheckerNameRef
This wrapper is used to ensure that only StringRefs originating from the CheckerRegistry are used as ...
Definition: CheckerManager.h:106

clang::ento::Checker
Definition: Checker.h:517

clang::ento::ExplodedNode
Definition: ExplodedGraph.h:65

clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:95

clang::ento::MemRegion::getMemorySpace
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemSpaceRegion * getMemorySpace() const
Definition: MemRegion.cpp:1277

clang::ento::MemRegion::hasStackStorage
bool hasStackStorage() const
Definition: MemRegion.cpp:1289

clang::ento::MemRegion::getBaseRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getBaseRegion() const
Definition: MemRegion.cpp:1307

clang::ento::MemRegion::getAs
const RegionTy * getAs() const
Definition: MemRegion.h:1337

clang::ento::MemSpaceRegion
MemSpaceRegion - A memory region that represents a "memory space"; for example, the set of global var...
Definition: MemRegion.h:204

clang::ento::Range
A Range represents the closed range [from, to].
Definition: RangedConstraintManager.h:29

clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:72

clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120

clang::ento::StackSpaceRegion
Definition: MemRegion.h:387

clang::ento::StackSpaceRegion::getStackFrame
LLVM_ATTRIBUTE_RETURNS_NONNULL const StackFrameContext * getStackFrame() const
Definition: MemRegion.h:401

clang::ento::StoreManager::BindingsHandler
Definition: Store.h:253

clang::ento::StoreManager::BindingsHandler::HandleBinding
virtual bool HandleBinding(StoreManager &SMgr, Store store, const MemRegion *region, SVal val)=0

clang::ento::StoreManager
Definition: Store.h:53

clang::ento::StoreManager::Ctx
ASTContext & Ctx
Definition: Store.h:60

clang::ento::VarRegion
Definition: MemRegion.h:940

clang::ento::VarRegion::getDecl
const VarDecl * getDecl() const override=0

llvm::IntrusiveRefCntPtr< const ProgramState >

llvm::SmallString
Definition: LLVM.h:34

llvm::SmallVector
Definition: LLVM.h:35

clang::ento::Store
const void * Store
Store - This opaque type encapsulates an immutable mapping from locations to values.
Definition: StoreRef.h:27

clang::interp::Call
bool Call(InterpState &S, CodePtr &PC, const Function *Func)
Definition: Interp.h:1493

clang::transformer::range
RangeSelector range(RangeSelector Begin, RangeSelector End)
DEPRECATED. Use enclose.
Definition: RangeSelector.h:41

clang
Definition: CalledOnceCheck.h:17

clang::Language::C
@ C
Languages that the frontend can parse and compile.