#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"

Public Types
enum	InliningModes { Inline_Regular = 0 , Inline_Minimal = 0x1 }
	The modes of inlining, which override the default analysis-wide settings. More...

Public Member Functions
	ExprEngine (cross_tu::CrossTranslationUnitContext &CTU, AnalysisManager &mgr, SetOfConstDecls VisitedCalleesIn, FunctionSummariesTy FS, InliningModes HowToInlineIn)
virtual	~ExprEngine ()=default
bool	ExecuteWorkList (const LocationContext *L, unsigned Steps=150000)
	Returns true if there is still simulation state on the worklist.
ASTContext &	getContext () const
	getContext - Return the ASTContext associated with this analysis.
AnalysisManager &	getAnalysisManager ()
const AnalysisManager &	getAnalysisManager () const
AnalysisDeclContextManager &	getAnalysisDeclContextManager ()
CheckerManager &	getCheckerManager () const
SValBuilder &	getSValBuilder ()
const SValBuilder &	getSValBuilder () const
BugReporter &	getBugReporter ()
const BugReporter &	getBugReporter () const
cross_tu::CrossTranslationUnitContext *	getCrossTranslationUnitContext ()
const NodeBuilderContext &	getBuilderContext ()
const Stmt *	getStmt () const
const LocationContext *	getRootLocationContext () const
ConstCFGElementRef	getCFGElementRef () const
std::string	DumpGraph (bool trim=false, StringRef Filename="")
	Dump graph to the specified filename.
std::string	DumpGraph (ArrayRef< const ExplodedNode * > Nodes, StringRef Filename="")
	Dump the graph consisting of the given nodes to a specified filename.
void	ViewGraph (bool trim=false)
	Visualize the ExplodedGraph created by executing the simulation.
void	ViewGraph (ArrayRef< const ExplodedNode * > Nodes)
	Visualize a trimmed ExplodedGraph that only contains paths to the given nodes.
ProgramStateRef	getInitialState (const LocationContext *InitLoc)
	getInitialState - Return the initial state used for the root vertex in the ExplodedGraph.
ExplodedGraph &	getGraph ()
const ExplodedGraph &	getGraph () const
void	removeDead (ExplodedNode Node, ExplodedNodeSet &Out, const Stmt ReferenceStmt, const LocationContext LC, const Stmt DiagnosticStmt=nullptr, ProgramPoint::Kind K=ProgramPoint::PreStmtPurgeDeadSymbolsKind)
	Run the analyzer's garbage collection - remove dead symbols and bindings from the state.
void	processCFGElement (const CFGElement E, ExplodedNode Pred, unsigned StmtIdx, NodeBuilderContext Ctx)
	processCFGElement - Called by CoreEngine.
void	ProcessStmt (const Stmt S, ExplodedNode Pred)
void	ProcessLoopExit (const Stmt S, ExplodedNode Pred)
void	ProcessInitializer (const CFGInitializer I, ExplodedNode *Pred)
void	ProcessImplicitDtor (const CFGImplicitDtor D, ExplodedNode *Pred)
void	ProcessNewAllocator (const CXXNewExpr NE, ExplodedNode Pred)
void	ProcessAutomaticObjDtor (const CFGAutomaticObjDtor D, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void	ProcessDeleteDtor (const CFGDeleteDtor D, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void	ProcessBaseDtor (const CFGBaseDtor D, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void	ProcessMemberDtor (const CFGMemberDtor D, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void	ProcessTemporaryDtor (const CFGTemporaryDtor D, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void	processCFGBlockEntrance (const BlockEdge &L, NodeBuilderWithSinks &nodeBuilder, ExplodedNode *Pred)
	Called by CoreEngine when processing the entrance of a CFGBlock.
void	runCheckersForBlockEntrance (const NodeBuilderContext &BldCtx, const BlockEntrance &Entrance, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void	processBranch (const Stmt Condition, NodeBuilderContext &BuilderCtx, ExplodedNode Pred, ExplodedNodeSet &Dst, const CFGBlock DstT, const CFGBlock DstF, std::optional< unsigned > IterationsCompletedInLoop)
	ProcessBranch - Called by CoreEngine.
void	processCleanupTemporaryBranch (const CXXBindTemporaryExpr BTE, NodeBuilderContext &BldCtx, ExplodedNode Pred, ExplodedNodeSet &Dst, const CFGBlock DstT, const CFGBlock DstF)
	Called by CoreEngine.
void	processStaticInitializer (const DeclStmt DS, NodeBuilderContext &BuilderCtx, ExplodedNode Pred, ExplodedNodeSet &Dst, const CFGBlock DstT, const CFGBlock DstF)
	Called by CoreEngine.
void	processIndirectGoto (IndirectGotoNodeBuilder &builder)
	processIndirectGoto - Called by CoreEngine.
void	processSwitch (SwitchNodeBuilder &builder)
	ProcessSwitch - Called by CoreEngine.
void	processBeginOfFunction (NodeBuilderContext &BC, ExplodedNode *Pred, ExplodedNodeSet &Dst, const BlockEdge &L)
	Called by CoreEngine.
void	processEndOfFunction (NodeBuilderContext &BC, ExplodedNode Pred, const ReturnStmt RS=nullptr)
	Called by CoreEngine.
void	removeDeadOnEndOfFunction (NodeBuilderContext &BC, ExplodedNode *Pred, ExplodedNodeSet &Dst)
	Remove dead bindings/symbols before exiting a function.
void	processCallEnter (NodeBuilderContext &BC, CallEnter CE, ExplodedNode *Pred)
	Generate the entry node of the callee.
void	processCallExit (ExplodedNode *Pred)
	Generate the sequence of nodes that simulate the call exit and the post visit for CallExpr.
void	processEndWorklist ()
	Called by CoreEngine when the analysis worklist has terminated.
ProgramStateRef	processAssume (ProgramStateRef state, SVal cond, bool assumption)
	evalAssume - Callback function invoked by the ConstraintManager when making assumptions about state values.
ProgramStateRef	processRegionChanges (ProgramStateRef state, const InvalidatedSymbols invalidated, ArrayRef< const MemRegion > ExplicitRegions, ArrayRef< const MemRegion * > Regions, const LocationContext LCtx, const CallEvent Call)
	processRegionChanges - Called by ProgramStateManager whenever a change is made to the store.
ProgramStateRef	processRegionChange (ProgramStateRef state, const MemRegion MR, const LocationContext LCtx)
void	printJson (raw_ostream &Out, ProgramStateRef State, const LocationContext LCtx, const char NL, unsigned int Space, bool IsDot) const
	printJson - Called by ProgramStateManager to print checker-specific data.
ProgramStateManager &	getStateManager ()
const ProgramStateManager &	getStateManager () const
StoreManager &	getStoreManager ()
const StoreManager &	getStoreManager () const
ConstraintManager &	getConstraintManager ()
const ConstraintManager &	getConstraintManager () const
BasicValueFactory &	getBasicVals ()
SymbolManager &	getSymbolManager ()
const SymbolManager &	getSymbolManager () const
MemRegionManager &	getRegionManager ()
DataTag::Factory &	getDataTags ()
bool	wasBlocksExhausted () const
bool	hasEmptyWorkList () const
bool	hasWorkRemaining () const
const CoreEngine &	getCoreEngine () const
void	Visit (const Stmt S, ExplodedNode Pred, ExplodedNodeSet &Dst)
	Visit - Transfer function logic for all statements.
void	VisitArrayInitLoopExpr (const ArrayInitLoopExpr Ex, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitArrayInitLoopExpr - Transfer function for array init loop.
void	VisitArraySubscriptExpr (const ArraySubscriptExpr Ex, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitArraySubscriptExpr - Transfer function for array accesses.
void	VisitGCCAsmStmt (const GCCAsmStmt A, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitGCCAsmStmt - Transfer function logic for inline asm.
void	VisitMSAsmStmt (const MSAsmStmt A, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitMSAsmStmt - Transfer function logic for MS inline asm.
void	VisitBlockExpr (const BlockExpr BE, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitBlockExpr - Transfer function logic for BlockExprs.
void	VisitLambdaExpr (const LambdaExpr LE, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitLambdaExpr - Transfer function logic for LambdaExprs.
void	VisitBinaryOperator (const BinaryOperator B, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitBinaryOperator - Transfer function logic for binary operators.
void	VisitCallExpr (const CallExpr CE, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitCall - Transfer function for function calls.
void	VisitCast (const CastExpr CastE, const Expr Ex, ExplodedNode *Pred, ExplodedNodeSet &Dst)
	VisitCast - Transfer function logic for all casts (implicit and explicit).
void	VisitCompoundLiteralExpr (const CompoundLiteralExpr CL, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitCompoundLiteralExpr - Transfer function logic for compound literals.
void	VisitCommonDeclRefExpr (const Expr DR, const NamedDecl D, ExplodedNode *Pred, ExplodedNodeSet &Dst)
	Transfer function logic for DeclRefExprs and BlockDeclRefExprs.
void	VisitDeclStmt (const DeclStmt DS, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitDeclStmt - Transfer function logic for DeclStmts.
void	VisitGuardedExpr (const Expr Ex, const Expr L, const Expr R, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitGuardedExpr - Transfer function logic for ?, __builtin_choose.
void	VisitAttributedStmt (const AttributedStmt A, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitAttributedStmt - Transfer function logic for AttributedStmt.
void	VisitLogicalExpr (const BinaryOperator B, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitLogicalExpr - Transfer function logic for '&&', '\|\|'.
void	VisitMemberExpr (const MemberExpr M, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitMemberExpr - Transfer function for member expressions.
void	VisitAtomicExpr (const AtomicExpr E, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitAtomicExpr - Transfer function for builtin atomic expressions.
void	VisitObjCAtSynchronizedStmt (const ObjCAtSynchronizedStmt S, ExplodedNode Pred, ExplodedNodeSet &Dst)
	Transfer function logic for ObjCAtSynchronizedStmts.
void	VisitLvalObjCIvarRefExpr (const ObjCIvarRefExpr DR, ExplodedNode Pred, ExplodedNodeSet &Dst)
	Transfer function logic for computing the lvalue of an Objective-C ivar.
void	VisitObjCForCollectionStmt (const ObjCForCollectionStmt S, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitObjCForCollectionStmt - Transfer function logic for ObjCForCollectionStmt.
void	VisitObjCMessage (const ObjCMessageExpr ME, ExplodedNode Pred, ExplodedNodeSet &Dst)
void	VisitReturnStmt (const ReturnStmt R, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitReturnStmt - Transfer function logic for return statements.
void	VisitOffsetOfExpr (const OffsetOfExpr Ex, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitOffsetOfExpr - Transfer function for offsetof.
void	VisitUnaryExprOrTypeTraitExpr (const UnaryExprOrTypeTraitExpr Ex, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitUnaryExprOrTypeTraitExpr - Transfer function for sizeof.
void	VisitUnaryOperator (const UnaryOperator B, ExplodedNode Pred, ExplodedNodeSet &Dst)
	VisitUnaryOperator - Transfer function logic for unary operators.
void	VisitIncrementDecrementOperator (const UnaryOperator U, ExplodedNode Pred, ExplodedNodeSet &Dst)
	Handle ++ and – (both pre- and post-increment).
void	VisitCXXBindTemporaryExpr (const CXXBindTemporaryExpr *BTE, ExplodedNodeSet &PreVisit, ExplodedNodeSet &Dst)
void	VisitCXXCatchStmt (const CXXCatchStmt CS, ExplodedNode Pred, ExplodedNodeSet &Dst)
void	VisitCXXThisExpr (const CXXThisExpr TE, ExplodedNode Pred, ExplodedNodeSet &Dst)
void	VisitCXXConstructExpr (const CXXConstructExpr E, ExplodedNode Pred, ExplodedNodeSet &Dst)
void	VisitCXXInheritedCtorInitExpr (const CXXInheritedCtorInitExpr E, ExplodedNode Pred, ExplodedNodeSet &Dst)
void	VisitCXXDestructor (QualType ObjectType, const MemRegion Dest, const Stmt S, bool IsBaseDtor, ExplodedNode *Pred, ExplodedNodeSet &Dst, EvalCallOptions &Options)
void	VisitCXXNewAllocatorCall (const CXXNewExpr CNE, ExplodedNode Pred, ExplodedNodeSet &Dst)
void	VisitCXXNewExpr (const CXXNewExpr CNE, ExplodedNode Pred, ExplodedNodeSet &Dst)
void	VisitCXXDeleteExpr (const CXXDeleteExpr CDE, ExplodedNode Pred, ExplodedNodeSet &Dst)
void	CreateCXXTemporaryObject (const MaterializeTemporaryExpr ME, ExplodedNode Pred, ExplodedNodeSet &Dst)
	Create a C++ temporary object for an rvalue.
void	ConstructInitList (const Expr Source, ArrayRef< Expr > Args, bool IsTransparent, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void	evalEagerlyAssumeBifurcation (ExplodedNodeSet &Dst, ExplodedNodeSet &Src, const Expr *Ex)
	evalEagerlyAssumeBifurcation - Given the nodes in 'Src', eagerly assume concrete boolean values for 'Ex', storing the resulting nodes in 'Dst'.
bool	didEagerlyAssumeBifurcateAt (ProgramStateRef State, const Expr *Ex) const
ProgramStateRef	handleLValueBitCast (ProgramStateRef state, const Expr Ex, const LocationContext LCtx, QualType T, QualType ExTy, const CastExpr CastE, StmtNodeBuilder &Bldr, ExplodedNode Pred)
void	handleUOExtension (ExplodedNode N, const UnaryOperator U, StmtNodeBuilder &Bldr)
SVal	evalBinOp (ProgramStateRef ST, BinaryOperator::Opcode Op, SVal LHS, SVal RHS, QualType T)
ProgramStateRef	processPointerEscapedOnBind (ProgramStateRef State, ArrayRef< std::pair< SVal, SVal > > LocAndVals, const LocationContext LCtx, PointerEscapeKind Kind, const CallEvent Call)
	Call PointerEscape callback when a value escapes as a result of bind.
ProgramStateRef	notifyCheckersOfPointerEscape (ProgramStateRef State, const InvalidatedSymbols Invalidated, ArrayRef< const MemRegion > ExplicitRegions, const CallEvent *Call, RegionAndSymbolInvalidationTraits &ITraits)
	Call PointerEscape callback when a value escapes as a result of region invalidation.
ProgramStateRef	escapeValues (ProgramStateRef State, ArrayRef< SVal > Vs, PointerEscapeKind K, const CallEvent *Call=nullptr) const
	A simple wrapper when you only need to notify checkers of pointer-escape of some values.
void	evalLoad (ExplodedNodeSet &Dst, const Expr NodeEx, const Expr BoundExpr, ExplodedNode Pred, ProgramStateRef St, SVal location, const ProgramPointTag tag=nullptr, QualType LoadTy=QualType())
	Simulate a read of the result of Ex.
void	evalStore (ExplodedNodeSet &Dst, const Expr AssignE, const Expr StoreE, ExplodedNode Pred, ProgramStateRef St, SVal TargetLV, SVal Val, const ProgramPointTag tag=nullptr)
	evalStore - Handle the semantics of a store via an assignment.
CFGElement	getCurrentCFGElement ()
	Return the CFG element corresponding to the worklist element that is currently being processed by ExprEngine.
ProgramStateRef	bindReturnValue (const CallEvent &Call, const LocationContext *LCtx, ProgramStateRef State)
	Create a new state in which the call return value is binded to the call origin expression.
void	evalCall (ExplodedNodeSet &Dst, ExplodedNode *Pred, const CallEvent &Call)
	Evaluate a call, running pre- and post-call checkers and allowing checkers to be responsible for handling the evaluation of the call itself.
void	defaultEvalCall (NodeBuilder &B, ExplodedNode *Pred, const CallEvent &Call, const EvalCallOptions &CallOpts={})
	Default implementation of call evaluation.
SVal	computeObjectUnderConstruction (const Expr E, ProgramStateRef State, const NodeBuilderContext BldrCtx, const LocationContext LCtx, const ConstructionContext CC, EvalCallOptions &CallOpts, unsigned Idx=0)
	Find location of the object that is being constructed by a given constructor.
ProgramStateRef	updateObjectsUnderConstruction (SVal V, const Expr E, ProgramStateRef State, const LocationContext LCtx, const ConstructionContext *CC, const EvalCallOptions &CallOpts)
	Update the program state with all the path-sensitive information that's necessary to perform construction of an object with a given syntactic construction context.
std::pair< ProgramStateRef, SVal >	handleConstructionContext (const Expr E, ProgramStateRef State, const NodeBuilderContext BldrCtx, const LocationContext LCtx, const ConstructionContext CC, EvalCallOptions &CallOpts, unsigned Idx=0)
	A convenient wrapper around computeObjectUnderConstruction and updateObjectsUnderConstruction.

Static Public Member Functions
static const ProgramPointTag *	cleanupNodeTag ()
	A tag to track convenience transitions, which can be removed at cleanup.
static std::pair< const ProgramPointTag , const ProgramPointTag >	getEagerlyAssumeBifurcationTags ()
static std::optional< unsigned >	getIndexOfElementToConstruct (ProgramStateRef State, const CXXConstructExpr E, const LocationContext LCtx)
	Retreives which element is being constructed in a non-POD type array.
static std::optional< unsigned >	getPendingArrayDestruction (ProgramStateRef State, const LocationContext *LCtx)
	Retreives which element is being destructed in a non-POD type array.
static std::optional< unsigned >	getPendingInitLoop (ProgramStateRef State, const CXXConstructExpr E, const LocationContext LCtx)
	Retreives the size of the array in the pending ArrayInitLoopExpr.
static std::optional< SVal >	getObjectUnderConstruction (ProgramStateRef State, const ConstructionContextItem &Item, const LocationContext *LC)
	By looking at a certain item that may be potentially part of an object's ConstructionContext, retrieve such object's location.
static ProgramStateRef	setWhetherHasMoreIteration (ProgramStateRef State, const ObjCForCollectionStmt O, const LocationContext LC, bool HasMoreIteraton)
	Note whether this loop has any more iterations to model. These methods.
static ProgramStateRef	removeIterationState (ProgramStateRef State, const ObjCForCollectionStmt O, const LocationContext LC)
static bool	hasMoreIteration (ProgramStateRef State, const ObjCForCollectionStmt O, const LocationContext LC)

Detailed Description

Definition at line 124 of file ExprEngine.h.

Member Enumeration Documentation

◆ InliningModes

enum clang::ento::ExprEngine::InliningModes

The modes of inlining, which override the default analysis-wide settings.

Enumerator
Inline_Regular	Follow the default settings for inlining callees.
Inline_Minimal	Do minimal inlining of callees.

Definition at line 129 of file ExprEngine.h.

Constructor & Destructor Documentation

◆ ExprEngine()

ExprEngine::ExprEngine	(	cross_tu::CrossTranslationUnitContext &	CTU,
		AnalysisManager &	mgr,
		SetOfConstDecls *	VisitedCalleesIn,
		FunctionSummariesTy *	FS,
		InliningModes	HowToInlineIn )

Definition at line 222 of file ExprEngine.cpp.

References getAnalysisDeclContextManager(), getContext(), getGraph(), getRegionManager(), getSValBuilder(), getSymbolManager(), and clang::ento::AnalysisManager::options.

Referenced by setWhetherHasMoreIteration().

◆ ~ExprEngine()

virtual clang::ento::ExprEngine::~ExprEngine ( )

virtualdefault

Member Function Documentation

◆ bindReturnValue()

ProgramStateRef ExprEngine::bindReturnValue	(	const CallEvent &	Call,
		const LocationContext *	LCtx,
		ProgramStateRef	State )

Create a new state in which the call return value is binded to the call origin expression.

Definition at line 740 of file ExprEngineCallAndReturn.cpp.

References clang::C, clang::Call, clang::ento::SVal::castAs(), clang::ento::SVal::getAsRegion(), getCurrentCFGElement(), clang::ento::getElementExtent(), clang::Expr::getType(), handleConstructionContext(), clang::OMF_autorelease, clang::OMF_retain, clang::OMF_self, clang::ento::setDynamicExtent(), clang::ento::RegionAndSymbolInvalidationTraits::setTrait(), clang::ento::MemRegion::StripCasts(), clang::Target, and clang::ento::RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion.

◆ cleanupNodeTag()

const ProgramPointTag * ExprEngine::cleanupNodeTag ( )

static

A tag to track convenience transitions, which can be removed at cleanup.

This tag applies to a node created after removeDead.

Definition at line 1108 of file ExprEngine.cpp.

Referenced by removeDead().

◆ computeObjectUnderConstruction()

SVal ExprEngine::computeObjectUnderConstruction	(	const Expr *	E,
		ProgramStateRef	State,
		const NodeBuilderContext *	BldrCtx,
		const LocationContext *	LCtx,
		const ConstructionContext *	CC,
		EvalCallOptions &	CallOpts,
		unsigned	Idx = 0 )

Find location of the object that is being constructed by a given constructor.

This should ideally always succeed but due to not being fully implemented it sometimes indicates that it failed via its out-parameter CallOpts; in such cases a fake temporary region is returned, which is better than nothing but does not represent the actual behavior of the program. The Idx parameter is used if we construct an array of objects. In that case it points to the index of the continuous memory region. E.g.: For int arr[4] this index can be 0,1,2,3. For int arr2[3][3] this index can be 0,1,...,7,8. A multi-dimensional array is also a continuous memory location in a row major order, so for arr[0][0] Idx is 0 and for arr[3][3] Idx is 8.

Definition at line 131 of file ExprEngineCXX.cpp.

Referenced by computeObjectUnderConstruction(), clang::ento::CallEvent::getReturnValueUnderConstruction(), and handleConstructionContext().

◆ ConstructInitList()

void ExprEngine::ConstructInitList	(	const Expr *	Source,
		ArrayRef< Expr * >	Args,
		bool	IsTransparent,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Definition at line 4127 of file ExprEngine.cpp.

References clang::ento::StmtNodeBuilder::generateNode(), getBasicVals(), clang::QualType::getCanonicalType(), clang::ento::BasicValueFactory::getEmptySValList(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), getSValBuilder(), clang::Expr::getType(), clang::isa(), clang::Expr::isPRValue(), clang::ento::BasicValueFactory::prependSVal(), and clang::T.

Referenced by Visit().

◆ CreateCXXTemporaryObject()

void ExprEngine::CreateCXXTemporaryObject	(	const MaterializeTemporaryExpr *	ME,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Create a C++ temporary object for an rvalue.

Definition at line 33 of file ExprEngineCXX.cpp.

References clang::ento::StmtNodeBuilder::generateNode(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), clang::MaterializeTemporaryExpr::getSubExpr(), and clang::Expr::IgnoreParens().

Referenced by Visit().

◆ defaultEvalCall()

void ExprEngine::defaultEvalCall	(	NodeBuilder &	B,
		ExplodedNode *	Pred,
		const CallEvent &	Call,
		const EvalCallOptions &	CallOpts = {} )

◆ didEagerlyAssumeBifurcateAt()

bool ExprEngine::didEagerlyAssumeBifurcateAt	(	ProgramStateRef	State,
		const Expr *	Ex ) const

Definition at line 3927 of file ExprEngine.cpp.

Referenced by processBranch().

◆ DumpGraph() [1/2]

std::string ExprEngine::DumpGraph	(	ArrayRef< const ExplodedNode * >	Nodes,
		StringRef	Filename = "" )

Dump the graph consisting of the given nodes to a specified filename.

Generate a temporary filename if it's not provided.

Returns: The filename the graph is written into.

Definition at line 4105 of file ExprEngine.cpp.

◆ DumpGraph() [2/2]

std::string ExprEngine::DumpGraph	(	bool	trim = false,
		StringRef	Filename = "" )

Dump graph to the specified filename.

If filename is empty, generate a temporary one.

Returns: The filename the graph is written into.

Definition at line 4084 of file ExprEngine.cpp.

References clang::Class, and DumpGraph().

Referenced by DumpGraph(), ViewGraph(), and ViewGraph().

◆ escapeValues()

ProgramStateRef ExprEngine::escapeValues	(	ProgramStateRef	State,
		ArrayRef< SVal >	Vs,
		PointerEscapeKind	K,
		const CallEvent *	Call = nullptr ) const

A simple wrapper when you only need to notify checkers of pointer-escape of some values.

Definition at line 1684 of file ExprEngine.cpp.

References clang::Call, getCheckerManager(), clang::ento::CheckerManager::runCheckersForPointerEscape(), and V.

Referenced by handleLValueBitCast(), processPointerEscapedOnBind(), Visit(), and VisitBinaryOperator().

◆ evalBinOp()

SVal clang::ento::ExprEngine::evalBinOp	(	ProgramStateRef	ST,
		BinaryOperator::Opcode	Op,
		SVal	LHS,
		SVal	RHS,
		QualType	T )

inline

Definition at line 626 of file ExprEngine.h.

References clang::T.

Referenced by getInitialState(), VisitBinaryOperator(), VisitIncrementDecrementOperator(), VisitLogicalExpr(), and VisitUnaryOperator().

◆ evalCall()

void ExprEngine::evalCall	(	ExplodedNodeSet &	Dst,
		ExplodedNode *	Pred,
		const CallEvent &	Call )

Evaluate a call, running pre- and post-call checkers and allowing checkers to be responsible for handling the evaluation of the call itself.

Definition at line 672 of file ExprEngineCallAndReturn.cpp.

References clang::Call, clang::ento::NodeBuilder::generateNode(), getCheckerManager(), clang::Type::getPointeeType(), clang::ento::ExplodedNodeSet::insert(), clang::QualType::isConstQualified(), clang::QualType::isNull(), clang::Type::isPointerType(), clang::Type::isReferenceType(), clang::Type::isVoidType(), processPointerEscapedOnBind(), clang::ento::PSK_EscapeOutParameters, clang::ento::CheckerManager::runCheckersForEvalCall(), clang::ento::CheckerManager::runCheckersForPostCall(), and clang::ento::CheckerManager::runCheckersForPreCall().

Referenced by VisitCallExpr().

◆ evalEagerlyAssumeBifurcation()

void clang::ento::ExprEngine::evalEagerlyAssumeBifurcation	(	ExplodedNodeSet &	Dst,
		ExplodedNodeSet &	Src,
		const Expr *	Ex )

evalEagerlyAssumeBifurcation - Given the nodes in 'Src', eagerly assume concrete boolean values for 'Ex', storing the resulting nodes in 'Dst'.

References clang::T.

Referenced by Visit().

◆ evalLoad()

void ExprEngine::evalLoad	(	ExplodedNodeSet &	Dst,
		const Expr *	NodeEx,
		const Expr *	BoundExpr,
		ExplodedNode *	Pred,
		ProgramStateRef	St,
		SVal	location,
		const ProgramPointTag *	tag = nullptr,
		QualType	LoadTy = QualType() )

Simulate a read of the result of Ex.

Definition at line 3795 of file ExprEngine.cpp.

References clang::ento::SVal::castAs(), clang::ento::ExplodedNodeSet::empty(), clang::ento::StmtNodeBuilder::generateNode(), clang::Expr::getType(), clang::isa(), clang::QualType::isNull(), clang::ento::SVal::isUndef(), clang::ento::SVal::isValid(), clang::ProgramPoint::PostLoadKind, and V.

Referenced by VisitBinaryOperator(), VisitCast(), VisitIncrementDecrementOperator(), and VisitMemberExpr().

◆ evalStore()

void ExprEngine::evalStore	(	ExplodedNodeSet &	Dst,
		const Expr *	AssignE,
		const Expr *	LocationE,
		ExplodedNode *	Pred,
		ProgramStateRef	state,
		SVal	location,
		SVal	Val,
		const ProgramPointTag *	tag = nullptr )

evalStore - Handle the semantics of a store via an assignment.

Parameters

Dst	The node set to store generated state nodes
AssignE	The assignment expression if the store happens in an assignment.
LocationE	The location expression that is stored to.
state	The current simulation state
location	The location to store the value
Val	The value to be stored

Definition at line 3772 of file ExprEngine.cpp.

References clang::ento::ExplodedNodeSet::empty(), and clang::ento::SVal::isUndef().

Referenced by VisitBinaryOperator(), and VisitIncrementDecrementOperator().

◆ ExecuteWorkList()

bool clang::ento::ExprEngine::ExecuteWorkList	(	const LocationContext *	L,
		unsigned	Steps = 150000 )

inline

Returns true if there is still simulation state on the worklist.

Definition at line 189 of file ExprEngine.h.

References clang::LocationContext::getDecl(), and clang::LocationContext::inTopFrame().

◆ getAnalysisDeclContextManager()

AnalysisDeclContextManager & clang::ento::ExprEngine::getAnalysisDeclContextManager ( )

inline

Definition at line 201 of file ExprEngine.h.

Referenced by ExprEngine().

◆ getAnalysisManager() [1/2]

AnalysisManager & clang::ento::ExprEngine::getAnalysisManager ( )

inline

Definition at line 198 of file ExprEngine.h.

Referenced by defaultEvalCall(), ProcessNewAllocator(), and VisitCXXBindTemporaryExpr().

◆ getAnalysisManager() [2/2]

const AnalysisManager & clang::ento::ExprEngine::getAnalysisManager ( ) const

inline

Definition at line 199 of file ExprEngine.h.

◆ getBasicVals()

BasicValueFactory & clang::ento::ExprEngine::getBasicVals ( )

inline

Definition at line 437 of file ExprEngine.h.

Referenced by ConstructInitList(), VisitCast(), VisitLogicalExpr(), and VisitUnaryOperator().

◆ getBugReporter() [1/2]

BugReporter & clang::ento::ExprEngine::getBugReporter ( )

inline

Definition at line 212 of file ExprEngine.h.

Referenced by llvm::DOTGraphTraits< ExplodedGraph * >::nodeHasBugReport().

◆ getBugReporter() [2/2]

const BugReporter & clang::ento::ExprEngine::getBugReporter ( ) const

inline

Definition at line 213 of file ExprEngine.h.

◆ getBuilderContext()

const NodeBuilderContext & clang::ento::ExprEngine::getBuilderContext ( )

inline

Definition at line 220 of file ExprEngine.h.

Referenced by clang::ento::CallEvent::getReturnValueUnderConstruction(), ProcessAutomaticObjDtor(), ProcessDeleteDtor(), ProcessMemberDtor(), and clang::ento::CheckerManager::runCheckersForEvalCall().

◆ getCFGElementRef()

ConstCFGElementRef clang::ento::ExprEngine::getCFGElementRef ( ) const

inline

◆ getCheckerManager()

CheckerManager & clang::ento::ExprEngine::getCheckerManager ( ) const

inline

◆ getConstraintManager() [1/2]

ConstraintManager & clang::ento::ExprEngine::getConstraintManager ( )

inline

Definition at line 429 of file ExprEngine.h.

Referenced by removeDead().

◆ getConstraintManager() [2/2]

const ConstraintManager & clang::ento::ExprEngine::getConstraintManager ( ) const

inline

Definition at line 432 of file ExprEngine.h.

◆ getContext()

ASTContext & clang::ento::ExprEngine::getContext ( ) const

inline

getContext - Return the ASTContext associated with this analysis.

Definition at line 196 of file ExprEngine.h.

Referenced by computeObjectUnderConstruction(), ExprEngine(), handleLValueBitCast(), ProcessAutomaticObjDtor(), processBranch(), processCallExit(), ProcessDeleteDtor(), ProcessInitializer(), ProcessLoopExit(), ProcessMemberDtor(), ProcessStmt(), processSwitch(), ProcessTemporaryDtor(), Visit(), VisitArraySubscriptExpr(), VisitBinaryOperator(), VisitBlockExpr(), VisitCast(), VisitCXXDestructor(), VisitCXXNewAllocatorCall(), VisitCXXThisExpr(), VisitDeclStmt(), VisitLambdaExpr(), VisitOffsetOfExpr(), and VisitUnaryExprOrTypeTraitExpr().

◆ getCoreEngine()

const CoreEngine & clang::ento::ExprEngine::getCoreEngine ( ) const

inline

Definition at line 452 of file ExprEngine.h.

Referenced by computeObjectUnderConstruction(), and processCallExit().

◆ getCrossTranslationUnitContext()

cross_tu::CrossTranslationUnitContext * clang::ento::ExprEngine::getCrossTranslationUnitContext ( )

inline

Definition at line 216 of file ExprEngine.h.

◆ getCurrentCFGElement()

CFGElement clang::ento::ExprEngine::getCurrentCFGElement ( )

inline

Return the CFG element corresponding to the worklist element that is currently being processed by ExprEngine.

Definition at line 712 of file ExprEngine.h.

Referenced by bindReturnValue().

◆ getDataTags()

DataTag::Factory & clang::ento::ExprEngine::getDataTags ( )

inline

Definition at line 445 of file ExprEngine.h.

◆ getEagerlyAssumeBifurcationTags()

std::pair< const ProgramPointTag *, const ProgramPointTag * > ExprEngine::getEagerlyAssumeBifurcationTags ( )

static

Definition at line 3869 of file ExprEngine.cpp.

Referenced by REGISTER_TRAIT_WITH_PROGRAMSTATE(), and clang::ento::ConditionBRVisitor::VisitNodeImpl().

◆ getGraph() [1/2]

ExplodedGraph & clang::ento::ExprEngine::getGraph ( )

inline

Definition at line 259 of file ExprEngine.h.

Referenced by ExprEngine().

◆ getGraph() [2/2]

const ExplodedGraph & clang::ento::ExprEngine::getGraph ( ) const

inline

Definition at line 260 of file ExprEngine.h.

◆ getIndexOfElementToConstruct()

std::optional< unsigned > ExprEngine::getIndexOfElementToConstruct	(	ProgramStateRef	State,
		const CXXConstructExpr *	E,
		const LocationContext *	LCtx )

static

Retreives which element is being constructed in a non-POD type array.

Definition at line 514 of file ExprEngine.cpp.

References clang::LocationContext::getStackFrame(), and V.

Referenced by computeObjectUnderConstruction().

◆ getInitialState()

ProgramStateRef ExprEngine::getInitialState ( const LocationContext * InitLoc )

getInitialState - Return the initial state used for the root vertex in the ExplodedGraph.

Definition at line 245 of file ExprEngine.cpp.

References evalBinOp(), clang::ento::SVal::getAs(), clang::LocationContext::getDecl(), clang::IdentifierInfo::getName(), clang::LocationContext::getParent(), clang::LocationContext::getStackFrame(), clang::ValueDecl::getType(), clang::T, and V.

◆ getObjectUnderConstruction()

std::optional< SVal > ExprEngine::getObjectUnderConstruction	(	ProgramStateRef	State,
		const ConstructionContextItem &	Item,
		const LocationContext *	LC )

static

By looking at a certain item that may be potentially part of an object's ConstructionContext, retrieve such object's location.

A particular statement can be transparently passed as Item in most cases.

Definition at line 604 of file ExprEngine.cpp.

References clang::LocationContext::getStackFrame(), and V.

Referenced by computeObjectUnderConstruction(), clang::ento::CXXAllocatorCall::getObjectUnderConstruction(), clang::ento::CallEvent::isArgumentConstructedDirectly(), processCleanupTemporaryBranch(), ProcessInitializer(), ProcessTemporaryDtor(), VisitCXXBindTemporaryExpr(), VisitCXXNewExpr(), VisitDeclStmt(), and VisitLambdaExpr().

◆ getPendingArrayDestruction()

std::optional< unsigned > ExprEngine::getPendingArrayDestruction	(	ProgramStateRef	State,
		const LocationContext *	LCtx )

static

Retreives which element is being destructed in a non-POD type array.

Definition at line 533 of file ExprEngine.cpp.

References clang::LocationContext::getStackFrame(), and V.

Referenced by processCallExit().

◆ getPendingInitLoop()

std::optional< unsigned > ExprEngine::getPendingInitLoop	(	ProgramStateRef	State,
		const CXXConstructExpr *	E,
		const LocationContext *	LCtx )

static

Retreives the size of the array in the pending ArrayInitLoopExpr.

Definition at line 487 of file ExprEngine.cpp.

References clang::LocationContext::getStackFrame(), and V.

◆ getRegionManager()

MemRegionManager & clang::ento::ExprEngine::getRegionManager ( )

inline

Definition at line 443 of file ExprEngine.h.

Referenced by ExprEngine().

◆ getRootLocationContext()

const LocationContext * clang::ento::ExprEngine::getRootLocationContext ( ) const

inline

Definition at line 227 of file ExprEngine.h.

Referenced by processEndWorklist().

◆ getStateManager() [1/2]

ProgramStateManager & clang::ento::ExprEngine::getStateManager ( )

inline

Definition at line 421 of file ExprEngine.h.

Referenced by computeObjectUnderConstruction(), processCallExit(), processEndOfFunction(), VisitCallExpr(), VisitCXXDeleteExpr(), VisitCXXDestructor(), VisitCXXNewAllocatorCall(), VisitCXXNewExpr(), and VisitObjCMessage().

◆ getStateManager() [2/2]

const ProgramStateManager & clang::ento::ExprEngine::getStateManager ( ) const

inline

Definition at line 422 of file ExprEngine.h.

◆ getStmt()

const Stmt * clang::ento::ExprEngine::getStmt ( ) const

◆ getStoreManager() [1/2]

StoreManager & clang::ento::ExprEngine::getStoreManager ( )

inline

Definition at line 424 of file ExprEngine.h.

Referenced by ProcessBaseDtor(), processCallExit(), ProcessInitializer(), removeDead(), VisitCast(), and VisitMemberExpr().

◆ getStoreManager() [2/2]

const StoreManager & clang::ento::ExprEngine::getStoreManager ( ) const

inline

Definition at line 425 of file ExprEngine.h.

◆ getSValBuilder() [1/2]

SValBuilder & clang::ento::ExprEngine::getSValBuilder ( )

inline

Definition at line 209 of file ExprEngine.h.

Referenced by computeObjectUnderConstruction(), ConstructInitList(), ExprEngine(), ProcessBaseDtor(), ProcessInitializer(), and ProcessMemberDtor().

◆ getSValBuilder() [2/2]

const SValBuilder & clang::ento::ExprEngine::getSValBuilder ( ) const

inline

Definition at line 210 of file ExprEngine.h.

◆ getSymbolManager() [1/2]

SymbolManager & clang::ento::ExprEngine::getSymbolManager ( )

inline

Definition at line 441 of file ExprEngine.h.

Referenced by ExprEngine().

◆ getSymbolManager() [2/2]

const SymbolManager & clang::ento::ExprEngine::getSymbolManager ( ) const

inline

Definition at line 442 of file ExprEngine.h.

◆ handleConstructionContext()

std::pair< ProgramStateRef, SVal > clang::ento::ExprEngine::handleConstructionContext	(	const Expr *	E,
		ProgramStateRef	State,
		const NodeBuilderContext *	BldrCtx,
		const LocationContext *	LCtx,
		const ConstructionContext *	CC,
		EvalCallOptions &	CallOpts,
		unsigned	Idx = 0 )

inline

A convenient wrapper around computeObjectUnderConstruction and updateObjectsUnderConstruction.

Definition at line 763 of file ExprEngine.h.

References computeObjectUnderConstruction(), updateObjectsUnderConstruction(), and V.

Referenced by bindReturnValue().

◆ handleLValueBitCast()

ProgramStateRef ExprEngine::handleLValueBitCast	(	ProgramStateRef	state,
		const Expr *	Ex,
		const LocationContext *	LCtx,
		QualType	T,
		QualType	ExTy,
		const CastExpr *	CastE,
		StmtNodeBuilder &	Bldr,
		ExplodedNode *	Pred )

Definition at line 258 of file ExprEngineC.cpp.

References escapeValues(), clang::ento::StmtNodeBuilder::generateNode(), clang::CastExpr::getCastKind(), getContext(), clang::ASTContext::getLValueReferenceType(), clang::ASTContext::getRValueReferenceType(), clang::Expr::getType(), clang::Type::isLValueReferenceType(), clang::Type::isRValueReferenceType(), clang::ento::SVal::isUnknown(), clang::ento::PSK_EscapeOther, clang::T, and V.

Referenced by VisitCast().

◆ handleUOExtension()

void ExprEngine::handleUOExtension	(	ExplodedNode *	N,
		const UnaryOperator *	U,
		StmtNodeBuilder &	Bldr )

Definition at line 900 of file ExprEngineC.cpp.

References clang::ento::StmtNodeBuilder::generateNode(), clang::ento::ExplodedNode::getLocationContext(), and clang::ento::ExplodedNode::getState().

Referenced by VisitUnaryOperator().

◆ hasEmptyWorkList()

bool clang::ento::ExprEngine::hasEmptyWorkList ( ) const

inline

Definition at line 449 of file ExprEngine.h.

◆ hasMoreIteration()

bool ExprEngine::hasMoreIteration	(	ProgramStateRef	State,
		const ObjCForCollectionStmt *	O,
		const LocationContext *	LC )

staticnodiscard

Definition at line 2766 of file ExprEngine.cpp.

Referenced by assumeCondition().

◆ hasWorkRemaining()

bool clang::ento::ExprEngine::hasWorkRemaining ( ) const

inline

Definition at line 450 of file ExprEngine.h.

◆ notifyCheckersOfPointerEscape()

ProgramStateRef ExprEngine::notifyCheckersOfPointerEscape	(	ProgramStateRef	State,
		const InvalidatedSymbols *	Invalidated,
		ArrayRef< const MemRegion * >	ExplicitRegions,
		const CallEvent *	Call,
		RegionAndSymbolInvalidationTraits &	ITraits )

Call PointerEscape callback when a value escapes as a result of region invalidation.

Parameters

[in] ITraits Specifies invalidation traits for regions/symbols.

Definition at line 3672 of file ExprEngine.cpp.

References clang::Call, getCheckerManager(), clang::ento::PSK_DirectEscapeOnCall, clang::ento::PSK_EscapeOther, clang::ento::PSK_IndirectEscapeOnCall, and clang::ento::CheckerManager::runCheckersForPointerEscape().

◆ printJson()

void ExprEngine::printJson	(	raw_ostream &	Out,
		ProgramStateRef	State,
		const LocationContext *	LCtx,
		const char *	NL,
		unsigned int	Space,
		bool	IsDot ) const

printJson - Called by ProgramStateManager to print checker-specific data.

Definition at line 940 of file ExprEngine.cpp.

References getCheckerManager(), printIndicesOfElementsToConstructJson(), printObjectsUnderConstructionJson(), printPendingArrayDestructionsJson(), printPendingInitLoopJson(), printStateTraitWithLocationContextJson(), and clang::ento::CheckerManager::runCheckersForPrintStateJson().

Referenced by clang::ento::ProgramState::printJson().

◆ processAssume()

ProgramStateRef ExprEngine::processAssume	(	ProgramStateRef	state,
		SVal	cond,
		bool	assumption )

evalAssume - Callback function invoked by the ConstraintManager when making assumptions about state values.

evalAssume - Called by ConstraintManager.

Used to call checker-specific logic for handling assumptions on symbolic values.

Definition at line 668 of file ExprEngine.cpp.

References getCheckerManager(), and clang::ento::CheckerManager::runCheckersForEvalAssume().

◆ ProcessAutomaticObjDtor()

void ExprEngine::ProcessAutomaticObjDtor	(	const CFGAutomaticObjDtor	D,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

◆ ProcessBaseDtor()

void ExprEngine::ProcessBaseDtor	(	const CFGBaseDtor	D,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Definition at line 1486 of file ExprEngine.cpp.

References clang::cast(), clang::ento::StoreManager::evalDerivedToBase(), clang::ento::SVal::getAsRegion(), clang::CFGBaseDtor::getBaseSpecifier(), clang::ento::SValBuilder::getCXXThis(), clang::LocationContext::getDecl(), clang::ento::ExplodedNode::getLocationContext(), clang::LocationContext::getStackFrame(), clang::ento::ExplodedNode::getState(), getStoreManager(), getSValBuilder(), and VisitCXXDestructor().

Referenced by ProcessImplicitDtor().

◆ processBeginOfFunction()

void ExprEngine::processBeginOfFunction	(	NodeBuilderContext &	BC,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst,
		const BlockEdge &	L )

Called by CoreEngine.

Used to notify checkers that processing a function has begun. Called for both inlined and top-level functions.

Definition at line 3016 of file ExprEngine.cpp.

References getCheckerManager(), and clang::ento::CheckerManager::runCheckersForBeginFunction().

Referenced by processCallEnter().

◆ processBranch()

void ExprEngine::processBranch	(	const Stmt *	Condition,
		NodeBuilderContext &	BuilderCtx,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst,
		const CFGBlock *	DstT,
		const CFGBlock *	DstF,
		std::optional< unsigned >	IterationsCompletedInLoop )

ProcessBranch - Called by CoreEngine.

Used to generate successor nodes by processing the 'effects' of a branch condition. If the branch condition is a loop condition, IterationsCompletedInLoop is the number of completed iterations (otherwise it's std::nullopt).

Definition at line 2823 of file ExprEngine.cpp.

References assumeCondition(), clang::Condition, didEagerlyAssumeBifurcateAt(), clang::ento::ExplodedNodeSet::empty(), clang::ento::BranchNodeBuilder::generateNode(), clang::ento::NodeBuilderContext::getBlock(), getCheckerManager(), getContext(), clang::LocationContext::getDecl(), getInlinedLocationContext(), clang::LocationContext::getStackFrame(), clang::ento::ExplodedNode::getState(), clang::isa(), ResolveCondition(), and clang::ento::CheckerManager::runCheckersForBranchCondition().

◆ processCallEnter()

void ExprEngine::processCallEnter	(	NodeBuilderContext &	BC,
		CallEnter	CE,
		ExplodedNode *	Pred )

Generate the entry node of the callee.

Definition at line 42 of file ExprEngineCallAndReturn.cpp.

References clang::ento::ExplodedNode::addPredecessor(), clang::CFGBlock::empty(), clang::CallEnter::getCalleeContext(), clang::CallEnter::getEntry(), clang::ento::ExplodedNode::getState(), processBeginOfFunction(), clang::CFGBlock::succ_begin(), and clang::CFGBlock::succ_size().

◆ processCallExit()

void ExprEngine::processCallExit ( ExplodedNode * CEBNode )

Generate the sequence of nodes that simulate the call exit and the post visit for CallExpr.

The call exit is simulated with a sequence of nodes, which occur between CallExitBegin and CallExitEnd.

The following operations occur between the two program points:

CallExitBegin (triggers the start of call exit sequence)
Bind the return value
Run Remove dead bindings to clean up the dead symbols from the callee.
CallExitEnd (switch to the caller context)
PostStmt<CallExpr>

Definition at line 250 of file ExprEngineCallAndReturn.cpp.

◆ processCFGBlockEntrance()

void ExprEngine::processCFGBlockEntrance	(	const BlockEdge &	L,
		NodeBuilderWithSinks &	nodeBuilder,
		ExplodedNode *	Pred )

Called by CoreEngine when processing the entrance of a CFGBlock.

Block entrance. (Update counters).

Definition at line 2547 of file ExprEngine.cpp.

References clang::ento::NodeBuilderContext::blockCount(), clang::ento::NodeBuilderWithSinks::generateNode(), clang::ento::NodeBuilderWithSinks::generateSink(), clang::ento::NodeBuilderContext::getBlock(), clang::ento::NodeBuilder::getContext(), clang::LocationContext::getDecl(), getInlinedLocationContext(), clang::ento::ExplodedNode::getLocationContext(), clang::LocationContext::getStackFrame(), clang::ento::ExplodedNode::getState(), clang::CFGBlock::getTerminatorStmt(), clang::ento::getWidenedLoopState(), clang::ento::isUnrolledState(), clang::CFGBlock::ref_begin(), and clang::ento::updateLoopStack().

◆ processCFGElement()

void ExprEngine::processCFGElement	(	const CFGElement	E,
		ExplodedNode *	Pred,
		unsigned	StmtIdx,
		NodeBuilderContext *	Ctx )

processCFGElement - Called by CoreEngine.

Used to generate new successor nodes by processing the 'effects' of a CFG element.

Definition at line 967 of file ExprEngine.cpp.

◆ processCleanupTemporaryBranch()

void ExprEngine::processCleanupTemporaryBranch	(	const CXXBindTemporaryExpr *	BTE,
		NodeBuilderContext &	BldCtx,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst,
		const CFGBlock *	DstT,
		const CFGBlock *	DstF )

Called by CoreEngine.

Used to generate successor nodes for temporary destructors depending on whether the corresponding constructor was visited.

Definition at line 1641 of file ExprEngine.cpp.

References clang::ento::BranchNodeBuilder::generateNode(), clang::ento::ExplodedNode::getLocationContext(), getObjectUnderConstruction(), and clang::ento::ExplodedNode::getState().

◆ ProcessDeleteDtor()

void ExprEngine::ProcessDeleteDtor	(	const CFGDeleteDtor	D,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

◆ processEndOfFunction()

void ExprEngine::processEndOfFunction	(	NodeBuilderContext &	BC,
		ExplodedNode *	Pred,
		const ReturnStmt *	RS = nullptr )

Called by CoreEngine.

ProcessEndPath - Called by CoreEngine.

Used to notify checkers that processing a function has ended. Called for both inlined and top-level functions.

Used to generate end-of-path nodes when the control reaches the end of a function.

Definition at line 3026 of file ExprEngine.cpp.

References clang::ConstructionContextItem::ElidedDestructorKind, clang::ento::NodeBuilder::generateNode(), getCheckerManager(), clang::ento::ExplodedNode::getLocation(), clang::ento::ExplodedNode::getLocationContext(), clang::LocationContext::getParent(), clang::ento::ExplodedNode::getStackFrame(), clang::LocationContext::getStackFrame(), clang::ento::ExplodedNode::getState(), getStateManager(), clang::LocationContext::inTopFrame(), clang::StackFrameContext::inTopFrame(), removeDeadOnEndOfFunction(), clang::ento::CheckerManager::runCheckersForEndFunction(), and clang::ConstructionContextItem::TemporaryDestructorKind.

◆ processEndWorklist()

void ExprEngine::processEndWorklist ( )

Called by CoreEngine when the analysis worklist has terminated.

Definition at line 961 of file ExprEngine.cpp.

References getCheckerManager(), getRootLocationContext(), and clang::ento::CheckerManager::runCheckersForEndAnalysis().

◆ ProcessImplicitDtor()

void ExprEngine::ProcessImplicitDtor	(	const CFGImplicitDtor	D,
		ExplodedNode *	Pred )

Definition at line 1291 of file ExprEngine.cpp.

References clang::CFGElement::AutomaticObjectDtor, clang::CFGElement::BaseDtor, clang::CFGElement::castAs(), clang::CFGElement::DeleteDtor, clang::CFGElement::getKind(), clang::CFGElement::MemberDtor, ProcessAutomaticObjDtor(), ProcessBaseDtor(), ProcessDeleteDtor(), ProcessMemberDtor(), ProcessTemporaryDtor(), and clang::CFGElement::TemporaryDtor.

Referenced by processCFGElement().

◆ processIndirectGoto()

void ExprEngine::processIndirectGoto ( IndirectGotoNodeBuilder & builder )

processIndirectGoto - Called by CoreEngine.

Used to generate successor nodes by processing the 'effects' of a computed goto jump.

Definition at line 2975 of file ExprEngine.cpp.

References clang::ento::IndirectGotoNodeBuilder::generateNode(), clang::ento::IndirectGotoNodeBuilder::getLocationContext(), clang::ento::IndirectGotoNodeBuilder::getState(), clang::ento::IndirectGotoNodeBuilder::getTarget(), clang::isa(), and V.

◆ ProcessInitializer()

void ExprEngine::ProcessInitializer	(	const CFGInitializer	I,
		ExplodedNode *	Pred )

Definition at line 1161 of file ExprEngine.cpp.

Referenced by processCFGElement().

◆ ProcessLoopExit()

void ExprEngine::ProcessLoopExit	(	const Stmt *	S,
		ExplodedNode *	Pred )

Definition at line 1143 of file ExprEngine.cpp.

References clang::ento::ExplodedNodeSet::Add(), clang::ento::NodeBuilder::generateNode(), clang::Stmt::getBeginLoc(), getContext(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), and clang::ento::processLoopEnd().

Referenced by processCFGElement().

◆ ProcessMemberDtor()

void ExprEngine::ProcessMemberDtor	(	const CFGMemberDtor	D,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

◆ ProcessNewAllocator()

void ExprEngine::ProcessNewAllocator	(	const CXXNewExpr *	NE,
		ExplodedNode *	Pred )

Definition at line 1318 of file ExprEngine.cpp.

References clang::ento::NodeBuilder::generateNode(), getAnalysisManager(), getCFGElementRef(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), and VisitCXXNewAllocatorCall().

Referenced by processCFGElement().

◆ processPointerEscapedOnBind()

ProgramStateRef ExprEngine::processPointerEscapedOnBind	(	ProgramStateRef	State,
		ArrayRef< std::pair< SVal, SVal > >	LocAndVals,
		const LocationContext *	LCtx,
		PointerEscapeKind	Kind,
		const CallEvent *	Call )

Call PointerEscape callback when a value escapes as a result of bind.

Definition at line 3621 of file ExprEngine.cpp.

References clang::Call, escapeValues(), clang::ento::MemRegion::getBaseRegion(), clang::ento::MemRegion::getMemorySpace(), and clang::isa().

Referenced by evalCall().

◆ processRegionChange()

ProgramStateRef clang::ento::ExprEngine::processRegionChange	(	ProgramStateRef	state,
		const MemRegion *	MR,
		const LocationContext *	LCtx )

inline

Definition at line 410 of file ExprEngine.h.

References processRegionChanges().

Referenced by clang::ento::ProgramState::bindDefaultInitial(), clang::ento::ProgramState::bindDefaultZero(), and clang::ento::ProgramState::bindLoc().

◆ processRegionChanges()

ProgramStateRef ExprEngine::processRegionChanges	(	ProgramStateRef	state,
		const InvalidatedSymbols *	invalidated,
		ArrayRef< const MemRegion * >	ExplicitRegions,
		ArrayRef< const MemRegion * >	Regions,
		const LocationContext *	LCtx,
		const CallEvent *	Call )

processRegionChanges - Called by ProgramStateManager whenever a change is made to the store.

Used to update checkers that track region values.

Definition at line 674 of file ExprEngine.cpp.

References clang::Call, getCheckerManager(), and clang::ento::CheckerManager::runCheckersForRegionChanges().

Referenced by processRegionChange().

◆ processStaticInitializer()

void clang::ento::ExprEngine::processStaticInitializer	(	const DeclStmt *	DS,
		NodeBuilderContext &	BuilderCtx,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst,
		const CFGBlock *	DstT,
		const CFGBlock *	DstF )

Called by CoreEngine.

Used to processing branching behavior at static initializers.

References clang::Call.

◆ ProcessStmt()

void ExprEngine::ProcessStmt	(	const Stmt *	S,
		ExplodedNode *	Pred )

Definition at line 1113 of file ExprEngine.cpp.

References clang::ento::ExplodedNodeSet::Add(), clang::Stmt::getBeginLoc(), getContext(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNodeSet::insert(), removeDead(), shouldRemoveDeadBindings(), and Visit().

Referenced by processCFGElement().

◆ processSwitch()

void ExprEngine::processSwitch ( SwitchNodeBuilder & builder )

ProcessSwitch - Called by CoreEngine.

Used to generate successor nodes by processing the 'effects' of a switch statement.

Definition at line 3097 of file ExprEngine.cpp.

◆ ProcessTemporaryDtor()

void ExprEngine::ProcessTemporaryDtor	(	const CFGTemporaryDtor	D,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

◆ removeDead()

void ExprEngine::removeDead	(	ExplodedNode *	Node,
		ExplodedNodeSet &	Out,
		const Stmt *	ReferenceStmt,
		const LocationContext *	LC,
		const Stmt *	DiagnosticStmt = nullptr,
		ProgramPoint::Kind	K = ProgramPoint::PreStmtPurgeDeadSymbolsKind )

Run the analyzer's garbage collection - remove dead symbols and bindings from the state.

Checkers can participate in this process with two callbacks: checkLiveSymbols and checkDeadSymbols. See the CheckerDocumentation class for more information.

Parameters

Node	The predecessor node, from which the processing should start.
Out	The returned set of output nodes.
ReferenceStmt	The statement which is about to be processed. Everything needed for this statement should be considered live. A null statement means that everything in child LocationContexts is dead.
LC	The location context of the `ReferenceStmt`. A null location context means that we have reached the end of analysis and that all statements and local variables should be considered dead.
DiagnosticStmt	Used as a location for any warnings that should occur while removing the dead (e.g. leaks). By default, the `ReferenceStmt` is used.
K	Denotes whether this is a pre- or post-statement purge. This must only be ProgramPoint::PostStmtPurgeDeadSymbolsKind if an entire location context is being cleared, in which case the `ReferenceStmt` must either be a ReturnStmt or `NULL`. Otherwise, it must be ProgramPoint::PreStmtPurgeDeadSymbolsKind (the default) and `ReferenceStmt` must be valid (non-null).

Definition at line 1029 of file ExprEngine.cpp.

References cleanupNodeTag(), clang::ento::StmtNodeBuilder::generateNode(), getCheckerManager(), getConstraintManager(), clang::LocationContext::getParent(), clang::LocationContext::getStackFrame(), clang::ento::ExplodedNode::getState(), getStoreManager(), clang::isa(), clang::ento::SymbolReaper::markLive(), clang::ProgramPoint::PostStmtPurgeDeadSymbolsKind, clang::ProgramPoint::PreStmtPurgeDeadSymbolsKind, clang::ento::ConstraintManager::removeDeadBindings(), clang::ento::CheckerManager::runCheckersForDeadSymbols(), and clang::ento::CheckerManager::runCheckersForLiveSymbols().

Referenced by processCallExit(), ProcessStmt(), and removeDeadOnEndOfFunction().

◆ removeDeadOnEndOfFunction()

void ExprEngine::removeDeadOnEndOfFunction	(	NodeBuilderContext &	BC,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Remove dead bindings/symbols before exiting a function.

Definition at line 161 of file ExprEngineCallAndReturn.cpp.

References clang::ento::ExplodedNodeSet::Add(), clang::LocationContext::getAnalysisDeclContext(), clang::AnalysisDeclContext::getBody(), getLastStmt(), clang::ento::ExplodedNode::getLocationContext(), clang::ProgramPoint::PostStmtPurgeDeadSymbolsKind, and removeDead().

Referenced by processEndOfFunction().

◆ removeIterationState()

ProgramStateRef ExprEngine::removeIterationState	(	ProgramStateRef	State,
		const ObjCForCollectionStmt *	O,
		const LocationContext *	LC )

staticnodiscard

Definition at line 2759 of file ExprEngine.cpp.

Referenced by assumeCondition().

◆ runCheckersForBlockEntrance()

void ExprEngine::runCheckersForBlockEntrance	(	const NodeBuilderContext &	BldCtx,
		const BlockEntrance &	Entrance,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Definition at line 2629 of file ExprEngine.cpp.

References clang::BlockEntrance::getBlock(), clang::CFGBlock::getBlockID(), getCheckerManager(), clang::BlockEntrance::getPreviousBlock(), and clang::ento::CheckerManager::runCheckersForBlockEntrance().

◆ setWhetherHasMoreIteration()

ProgramStateRef ExprEngine::setWhetherHasMoreIteration	(	ProgramStateRef	State,
		const ObjCForCollectionStmt *	O,
		const LocationContext *	LC,
		bool	HasMoreIteraton )

staticnodiscard

Note whether this loop has any more iterations to model. These methods.

ExprEngine::VisitObjCForCollectionStmt().

Definition at line 2751 of file ExprEngine.cpp.

References ExprEngine(), and setWhetherHasMoreIteration().

Referenced by populateObjCForDestinationSet(), and setWhetherHasMoreIteration().

◆ updateObjectsUnderConstruction()

ProgramStateRef ExprEngine::updateObjectsUnderConstruction	(	SVal	V,
		const Expr *	E,
		ProgramStateRef	State,
		const LocationContext *	LCtx,
		const ConstructionContext *	CC,
		const EvalCallOptions &	CallOpts )

Update the program state with all the path-sensitive information that's necessary to perform construction of an object with a given syntactic construction context.

V and CallOpts have to be obtained from computeObjectUnderConstruction() invoked with the same set of the remaining arguments (E, State, LCtx, CC).

Definition at line 409 of file ExprEngineCXX.cpp.

Referenced by handleConstructionContext(), and updateObjectsUnderConstruction().

◆ ViewGraph() [1/2]

void ExprEngine::ViewGraph ( ArrayRef< const ExplodedNode * > Nodes )

Visualize a trimmed ExplodedGraph that only contains paths to the given nodes.

Definition at line 4079 of file ExprEngine.cpp.

References DumpGraph().

◆ ViewGraph() [2/2]

void ExprEngine::ViewGraph ( bool trim = false )

Visualize the ExplodedGraph created by executing the simulation.

Definition at line 4074 of file ExprEngine.cpp.

References DumpGraph().

◆ Visit()

void ExprEngine::Visit	(	const Stmt *	S,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Visit - Transfer function logic for all statements.

Dispatches to other functions that handle specific kinds of statements.

Definition at line 1711 of file ExprEngine.cpp.

References clang::ento::NodeBuilder::addNodes(), clang::C, clang::cast(), ConstructInitList(), CreateCXXTemporaryObject(), escapeValues(), evalEagerlyAssumeBifurcation(), clang::ento::StmtNodeBuilder::generateNode(), clang::ento::StmtNodeBuilder::generateSink(), clang::Stmt::getBeginLoc(), getCFGElementRef(), getCheckerManager(), getContext(), clang::CXXParenListInitExpr::getInitExprs(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), clang::Stmt::getStmtClass(), getType(), clang::InitListExpr::inits(), clang::isa(), isRecordType(), clang::InitListExpr::isTransparent(), Next, clang::Stmt::NoStmtClass, clang::ProgramPoint::PreStmtKind, clang::ento::PSK_EscapeOther, clang::Result, clang::ento::CheckerManager::runCheckersForPostStmt(), clang::ento::CheckerManager::runCheckersForPreStmt(), clang::ento::NodeBuilder::takeNodes(), V, VisitArrayInitLoopExpr(), VisitArraySubscriptExpr(), VisitAtomicExpr(), VisitAttributedStmt(), VisitBinaryOperator(), VisitBlockExpr(), VisitCallExpr(), VisitCast(), VisitCommonDeclRefExpr(), VisitCompoundLiteralExpr(), VisitCXXBindTemporaryExpr(), VisitCXXCatchStmt(), VisitCXXConstructExpr(), VisitCXXDeleteExpr(), VisitCXXInheritedCtorInitExpr(), VisitCXXNewExpr(), VisitCXXThisExpr(), VisitDeclStmt(), VisitGCCAsmStmt(), VisitGuardedExpr(), VisitLambdaExpr(), VisitLogicalExpr(), VisitLvalObjCIvarRefExpr(), VisitMemberExpr(), VisitMSAsmStmt(), VisitObjCAtSynchronizedStmt(), VisitObjCForCollectionStmt(), VisitObjCMessage(), VisitOffsetOfExpr(), VisitReturnStmt(), VisitUnaryExprOrTypeTraitExpr(), and VisitUnaryOperator().

Referenced by ProcessStmt(), and VisitAttributedStmt().

◆ VisitArrayInitLoopExpr()

void ExprEngine::VisitArrayInitLoopExpr	(	const ArrayInitLoopExpr *	Ex,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitArrayInitLoopExpr - Transfer function for array init loop.

Definition at line 3341 of file ExprEngine.cpp.

References clang::cast(), clang::ento::StmtNodeBuilder::generateNode(), getCheckerManager(), clang::ArrayInitLoopExpr::getCommonExpr(), clang::OpaqueValueExpr::getSourceExpr(), clang::ArrayInitLoopExpr::getSubExpr(), clang::isa(), clang::ento::CheckerManager::runCheckersForPostStmt(), and clang::ento::CheckerManager::runCheckersForPreStmt().

Referenced by Visit().

◆ VisitArraySubscriptExpr()

void ExprEngine::VisitArraySubscriptExpr	(	const ArraySubscriptExpr *	Ex,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitArraySubscriptExpr - Transfer function for array accesses.

Definition at line 3439 of file ExprEngine.cpp.

References clang::ASTContext::CharTy, clang::ento::StmtNodeBuilder::generateNode(), clang::ArraySubscriptExpr::getBase(), getCheckerManager(), getContext(), clang::ArraySubscriptExpr::getIdx(), clang::Expr::getType(), clang::Expr::IgnoreParens(), clang::Expr::isGLValue(), clang::Type::isVectorType(), clang::ProgramPoint::PostLValueKind, clang::ento::CheckerManager::runCheckersForPostStmt(), clang::ento::CheckerManager::runCheckersForPreStmt(), clang::T, and V.

Referenced by Visit().

◆ VisitAtomicExpr()

void ExprEngine::VisitAtomicExpr	(	const AtomicExpr *	E,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitAtomicExpr - Transfer function for builtin atomic expressions.

Definition at line 3578 of file ExprEngine.cpp.

References clang::ento::StmtNodeBuilder::generateNode(), getCFGElementRef(), getCheckerManager(), clang::AtomicExpr::getNumSubExprs(), clang::AtomicExpr::getSubExprs(), clang::ProgramPoint::PostStmtKind, clang::ento::CheckerManager::runCheckersForPostStmt(), and clang::ento::CheckerManager::runCheckersForPreStmt().

Referenced by Visit().

◆ VisitAttributedStmt()

void ExprEngine::VisitAttributedStmt	(	const AttributedStmt *	A,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitAttributedStmt - Transfer function logic for AttributedStmt.

Definition at line 1229 of file ExprEngineCXX.cpp.

References clang::AttributedStmt::getAttrs(), getCheckerManager(), clang::getSpecificAttrs(), clang::ento::CheckerManager::runCheckersForPostStmt(), clang::ento::CheckerManager::runCheckersForPreStmt(), and Visit().

Referenced by Visit().

◆ VisitBinaryOperator()

void ExprEngine::VisitBinaryOperator	(	const BinaryOperator *	B,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitBinaryOperator - Transfer function logic for binary operators.

Definition at line 41 of file ExprEngineC.cpp.

References clang::ento::ExplodedNodeSet::begin(), clang::cast(), conjureOffsetSymbolOnLocation(), clang::ento::ExplodedNodeSet::end(), escapeValues(), evalBinOp(), evalLoad(), evalStore(), clang::ento::StmtNodeBuilder::generateNode(), clang::ASTContext::getCanonicalType(), getCFGElementRef(), getCheckerManager(), getContext(), clang::BinaryOperator::getLHS(), clang::BinaryOperator::getOpcode(), clang::BinaryOperator::getRHS(), clang::Expr::getType(), clang::Expr::IgnoreParens(), clang::BinaryOperator::isAdditiveOp(), clang::BinaryOperator::isAssignmentOp(), clang::BinaryOperator::isCompoundAssignmentOp(), clang::Expr::isGLValue(), clang::ento::SVal::isUnknown(), clang::ento::PSK_EscapeOther, clang::Result, clang::ento::CheckerManager::runCheckersForPostStmt(), clang::ento::CheckerManager::runCheckersForPreStmt(), and V.

Referenced by Visit().

◆ VisitBlockExpr()

void ExprEngine::VisitBlockExpr	(	const BlockExpr *	BE,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitBlockExpr - Transfer function logic for BlockExprs.

Definition at line 197 of file ExprEngineC.cpp.

References clang::BlockDecl::capture_begin(), clang::BlockDecl::capture_end(), clang::ento::StmtNodeBuilder::generateNode(), clang::BlockExpr::getBlockDecl(), clang::ASTContext::getCanonicalType(), getCheckerManager(), getContext(), clang::ento::VarRegion::getDecl(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), clang::Expr::getType(), clang::ProgramPoint::PostLValueKind, clang::ento::CheckerManager::runCheckersForPostStmt(), clang::T, and V.

Referenced by Visit().

◆ VisitCallExpr()

void ExprEngine::VisitCallExpr	(	const CallExpr *	CE,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitCall - Transfer function for function calls.

Definition at line 602 of file ExprEngineCallAndReturn.cpp.

References evalCall(), clang::ento::ProgramStateManager::getCallEventManager(), getCFGElementRef(), getCheckerManager(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::CallEventManager::getSimpleCall(), clang::ento::ExplodedNode::getState(), getStateManager(), clang::ento::CheckerManager::runCheckersForPostStmt(), and clang::ento::CheckerManager::runCheckersForPreStmt().

Referenced by Visit().

◆ VisitCast()

void ExprEngine::VisitCast	(	const CastExpr *	CastE,
		const Expr *	Ex,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitCast - Transfer function logic for all casts (implicit and explicit).

Definition at line 286 of file ExprEngineC.cpp.

References clang::ento::StoreManager::evalBaseToDerived(), clang::ento::StoreManager::evalDerivedToBase(), evalLoad(), clang::ento::StmtNodeBuilder::generateNode(), clang::ento::StmtNodeBuilder::generateSink(), getBasicVals(), clang::CastExpr::getCastKind(), getCFGElementRef(), getCheckerManager(), getContext(), clang::ento::ExplodedNode::getLocationContext(), clang::ASTContext::getPointerType(), clang::ento::ExplodedNode::getState(), getStoreManager(), clang::Expr::getType(), handleLValueBitCast(), clang::isa(), clang::ento::SVal::isConstant(), clang::Expr::isGLValue(), clang::ento::SVal::isUnknown(), clang::ento::SVal::isZeroConstant(), clang::CastExpr::path(), clang::ento::CheckerManager::runCheckersForPreStmt(), clang::T, and V.

Referenced by Visit().

◆ VisitCommonDeclRefExpr()

void ExprEngine::VisitCommonDeclRefExpr	(	const Expr *	DR,
		const NamedDecl *	D,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Transfer function logic for DeclRefExprs and BlockDeclRefExprs.

Definition at line 3180 of file ExprEngine.cpp.

References clang::cast(), clang::CXXThis, clang::ento::StmtNodeBuilder::generateNode(), clang::CXXRecordDecl::getCaptureFields(), clang::LocationContext::getDecl(), clang::ento::ExplodedNode::getLocationContext(), clang::DeclContext::getParent(), clang::LocationContext::getStackFrame(), clang::ento::ExplodedNode::getState(), clang::isa(), clang::ento::SVal::isConstant(), clang::Expr::isGLValue(), clang::ProgramPoint::PostLValueKind, clang::T, and V.

Referenced by Visit(), and VisitMemberExpr().

◆ VisitCompoundLiteralExpr()

void ExprEngine::VisitCompoundLiteralExpr	(	const CompoundLiteralExpr *	CL,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitCompoundLiteralExpr - Transfer function logic for compound literals.

Definition at line 578 of file ExprEngineC.cpp.

References clang::ento::StmtNodeBuilder::generateNode(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), clang::Init, clang::isa(), and V.

Referenced by Visit().

◆ VisitCXXBindTemporaryExpr()

void ExprEngine::VisitCXXBindTemporaryExpr	(	const CXXBindTemporaryExpr *	BTE,
		ExplodedNodeSet &	PreVisit,
		ExplodedNodeSet &	Dst )

Definition at line 1657 of file ExprEngine.cpp.

References clang::ento::StmtNodeBuilder::generateNode(), getAnalysisManager(), and getObjectUnderConstruction().

Referenced by Visit().

◆ VisitCXXCatchStmt()

void ExprEngine::VisitCXXCatchStmt	(	const CXXCatchStmt *	CS,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Definition at line 1121 of file ExprEngineCXX.cpp.

References clang::ento::ExplodedNodeSet::Add(), clang::ento::StmtNodeBuilder::generateNode(), getCFGElementRef(), clang::CXXCatchStmt::getExceptionDecl(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), clang::ValueDecl::getType(), and V.

Referenced by Visit().

◆ VisitCXXConstructExpr()

void ExprEngine::VisitCXXConstructExpr	(	const CXXConstructExpr *	E,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Definition at line 814 of file ExprEngineCXX.cpp.

Referenced by Visit().

◆ VisitCXXDeleteExpr()

void ExprEngine::VisitCXXDeleteExpr	(	const CXXDeleteExpr *	CDE,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Definition at line 1099 of file ExprEngineCXX.cpp.

References clang::Call, defaultEvalCall(), clang::ento::ProgramStateManager::getCallEventManager(), getCFGElementRef(), getCheckerManager(), clang::ento::CallEventManager::getCXXDeallocatorCall(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), getStateManager(), clang::ento::CheckerManager::runCheckersForPostCall(), and clang::ento::CheckerManager::runCheckersForPreCall().

Referenced by Visit().

◆ VisitCXXDestructor()

void ExprEngine::VisitCXXDestructor	(	QualType	ObjectType,
		const MemRegion *	Dest,
		const Stmt *	S,
		bool	IsBaseDtor,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst,
		EvalCallOptions &	Options )

Definition at line 826 of file ExprEngineCXX.cpp.

References clang::Call, defaultEvalCall(), clang::ento::NodeBuilder::generateNode(), clang::ento::NodeBuilder::generateSink(), clang::Type::getAsCXXRecordDecl(), clang::ento::ProgramStateManager::getCallEventManager(), getCFGElementRef(), getCheckerManager(), getContext(), clang::ento::CallEventManager::getCXXDestructorCall(), clang::Stmt::getEndLoc(), clang::ento::ExplodedNode::getLocation(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), getStateManager(), clang::ento::EvalCallOptions::IsCtorOrDtorWithImproperlyModeledTargetRegion, clang::ento::CheckerManager::runCheckersForPostCall(), clang::ento::CheckerManager::runCheckersForPreCall(), clang::T, and clang::ProgramPoint::withTag().

Referenced by ProcessAutomaticObjDtor(), ProcessBaseDtor(), ProcessDeleteDtor(), ProcessMemberDtor(), and ProcessTemporaryDtor().

◆ VisitCXXInheritedCtorInitExpr()

void ExprEngine::VisitCXXInheritedCtorInitExpr	(	const CXXInheritedCtorInitExpr *	E,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Definition at line 820 of file ExprEngineCXX.cpp.

Referenced by Visit().

◆ VisitCXXNewAllocatorCall()

void ExprEngine::VisitCXXNewAllocatorCall	(	const CXXNewExpr *	CNE,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

◆ VisitCXXNewExpr()

void ExprEngine::VisitCXXNewExpr	(	const CXXNewExpr *	CNE,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Definition at line 965 of file ExprEngineCXX.cpp.

References clang::ento::NodeBuilder::addNodes(), clang::ento::ExplodedNodeSet::begin(), clang::Call, clang::ento::StmtNodeBuilder::generateNode(), clang::ento::SVal::getAs(), clang::Type::getAs(), clang::ento::SVal::getAsRegion(), clang::ento::ProgramStateManager::getCallEventManager(), getCFGElementRef(), clang::ento::CallEventManager::getCXXAllocatorCall(), clang::CXXNewExpr::getInitializer(), clang::ento::ExplodedNode::getLocationContext(), getObjectUnderConstruction(), clang::CXXNewExpr::getOperatorNew(), clang::CXXNewExpr::getPlacementArg(), clang::Type::getPointeeType(), clang::ento::NodeBuilder::getResults(), clang::ento::ExplodedNode::getState(), getStateManager(), clang::Expr::getType(), clang::ValueDecl::getType(), clang::Init, clang::isa(), clang::CXXNewExpr::isArray(), clang::FunctionDecl::isReplaceableGlobalAllocationFunction(), clang::FunctionDecl::isReservedGlobalPlacementOperator(), clang::ento::SVal::isUnknown(), clang::Result, clang::ento::ExplodedNodeSet::size(), clang::ento::NodeBuilder::takeNodes(), and V.

Referenced by Visit().

◆ VisitCXXThisExpr()

void ExprEngine::VisitCXXThisExpr	(	const CXXThisExpr *	TE,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Definition at line 1139 of file ExprEngineCXX.cpp.

References clang::ento::StmtNodeBuilder::generateNode(), getContext(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), clang::Expr::getType(), and V.

Referenced by Visit().

◆ VisitDeclStmt()

void ExprEngine::VisitDeclStmt	(	const DeclStmt *	DS,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitDeclStmt - Transfer function logic for DeclStmts.

Definition at line 603 of file ExprEngineC.cpp.

References clang::ento::NodeBuilder::addNodes(), clang::ento::ExplodedNodeSet::begin(), clang::DeclStmt::decl_begin(), clang::ento::ExplodedNodeSet::end(), clang::ento::StmtNodeBuilder::generateNode(), getCFGElementRef(), getCheckerManager(), getContext(), clang::VarDecl::getInit(), clang::ento::ExplodedNode::getLocationContext(), getObjectUnderConstruction(), clang::ASTContext::getPointerType(), clang::ento::NodeBuilder::getResults(), clang::ento::ExplodedNode::getState(), clang::ento::ExplodedNodeSet::insert(), clang::isa(), clang::DeclStmt::isSingleDecl(), clang::ento::SVal::isUnknown(), clang::ento::CheckerManager::runCheckersForPostStmt(), clang::ento::CheckerManager::runCheckersForPreStmt(), and clang::ento::NodeBuilder::takeNodes().

Referenced by Visit().

◆ VisitGCCAsmStmt()

void ExprEngine::VisitGCCAsmStmt	(	const GCCAsmStmt *	A,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitGCCAsmStmt - Transfer function logic for inline asm.

Definition at line 3932 of file ExprEngine.cpp.

References clang::ento::StmtNodeBuilder::generateNode(), getCFGElementRef(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), clang::AsmStmt::inputs(), clang::isa(), clang::AsmStmt::outputs(), and X.

Referenced by Visit().

◆ VisitGuardedExpr()

void ExprEngine::VisitGuardedExpr	(	const Expr *	Ex,
		const Expr *	L,
		const Expr *	R,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitGuardedExpr - Transfer function logic for ?, __builtin_choose.

Definition at line 774 of file ExprEngineC.cpp.

References clang::cast(), clang::ento::StmtNodeBuilder::generateNode(), getCFGElementRef(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), clang::Expr::IgnoreParens(), clang::ento::ExplodedNode::pred_begin(), and V.

Referenced by Visit().

◆ VisitIncrementDecrementOperator()

void ExprEngine::VisitIncrementDecrementOperator	(	const UnaryOperator *	U,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Handle ++ and – (both pre- and post-increment).

Definition at line 1051 of file ExprEngineC.cpp.

References clang::ento::NodeBuilder::addNodes(), clang::ento::SVal::castAs(), evalBinOp(), evalLoad(), evalStore(), getCFGElementRef(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), clang::ento::ExplodedNodeSet::insert(), clang::ento::Loc::isLocType(), clang::ento::SVal::isUnknownOrUndef(), clang::Result, and clang::ento::NodeBuilder::takeNodes().

Referenced by VisitUnaryOperator().

◆ VisitLambdaExpr()

void ExprEngine::VisitLambdaExpr	(	const LambdaExpr *	LE,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitLambdaExpr - Transfer function logic for LambdaExprs.

Definition at line 1155 of file ExprEngineCXX.cpp.

References clang::ento::StmtNodeBuilder::generateNode(), getCheckerManager(), getContext(), clang::ento::ExplodedNode::getLocationContext(), getObjectUnderConstruction(), clang::ento::ExplodedNode::getState(), clang::ProgramPoint::PostLValueKind, clang::ento::CheckerManager::runCheckersForPostStmt(), and V.

Referenced by Visit().

◆ VisitLogicalExpr()

void ExprEngine::VisitLogicalExpr	(	const BinaryOperator *	B,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitLogicalExpr - Transfer function logic for '&&', '||'.

Definition at line 680 of file ExprEngineC.cpp.

References clang::cast(), clang::CFGElement::castAs(), clang::ProgramPoint::castAs(), clang::CFGBlock::empty(), evalBinOp(), clang::ento::StmtNodeBuilder::generateNode(), clang::ProgramPoint::getAs(), getBasicVals(), clang::BlockEdge::getDst(), clang::ento::ExplodedNode::getLocation(), clang::ento::ExplodedNode::getLocationContext(), clang::BinaryOperator::getOpcode(), clang::BlockEdge::getSrc(), clang::ento::ExplodedNode::getState(), clang::CFGStmt::getStmt(), clang::CFGBlock::getTerminator(), clang::Expr::getType(), clang::ento::SVal::isUndef(), clang::Type::isVectorType(), clang::ento::ExplodedNode::pred_begin(), clang::ento::ExplodedNode::pred_size(), clang::CFGBlock::rbegin(), clang::CFGBlock::succ_begin(), clang::CFGBlock::succ_size(), clang::T, X, and clang::Zero.

Referenced by Visit().

◆ VisitLvalObjCIvarRefExpr()

void ExprEngine::VisitLvalObjCIvarRefExpr	(	const ObjCIvarRefExpr *	DR,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Transfer function logic for computing the lvalue of an Objective-C ivar.

Definition at line 21 of file ExprEngineObjC.cpp.

References clang::ento::StmtNodeBuilder::generateNode(), clang::ObjCIvarRefExpr::getBase(), getCheckerManager(), clang::ObjCIvarRefExpr::getDecl(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), and clang::ento::CheckerManager::runCheckersForPostStmt().

Referenced by Visit().

◆ VisitMemberExpr()

void ExprEngine::VisitMemberExpr	(	const MemberExpr *	M,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitMemberExpr - Transfer function for member expressions.

Definition at line 3490 of file ExprEngine.cpp.

References clang::ento::NodeBuilder::addNodes(), clang::cast(), evalLoad(), clang::ento::StmtNodeBuilder::generateNode(), clang::ento::SVal::getAsRegion(), clang::MemberExpr::getBase(), getCheckerManager(), clang::MemberExpr::getMemberDecl(), getStoreManager(), clang::Expr::getType(), clang::isa(), clang::Type::isArrayType(), clang::Expr::isGLValue(), clang::Member, clang::ProgramPoint::PostLValueKind, clang::ento::CheckerManager::runCheckersForPostStmt(), clang::ento::CheckerManager::runCheckersForPreStmt(), clang::T, clang::ento::NodeBuilder::takeNodes(), and VisitCommonDeclRefExpr().

Referenced by Visit().

◆ VisitMSAsmStmt()

void ExprEngine::VisitMSAsmStmt	(	const MSAsmStmt *	A,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitMSAsmStmt - Transfer function logic for MS inline asm.

Definition at line 3969 of file ExprEngine.cpp.

References clang::ento::StmtNodeBuilder::generateNode(), and clang::ento::ExplodedNode::getState().

Referenced by Visit().

◆ VisitObjCAtSynchronizedStmt()

void ExprEngine::VisitObjCAtSynchronizedStmt	(	const ObjCAtSynchronizedStmt *	S,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Transfer function logic for ObjCAtSynchronizedStmts.

Definition at line 38 of file ExprEngineObjC.cpp.

References getCheckerManager(), and clang::ento::CheckerManager::runCheckersForPreStmt().

Referenced by Visit().

◆ VisitObjCForCollectionStmt()

void ExprEngine::VisitObjCForCollectionStmt	(	const ObjCForCollectionStmt *	S,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitObjCForCollectionStmt - Transfer function logic for ObjCForCollectionStmt.

Definition at line 83 of file ExprEngineObjC.cpp.

References clang::cast(), getCFGElementRef(), getCheckerManager(), clang::ObjCForCollectionStmt::getCollection(), clang::ObjCForCollectionStmt::getElement(), clang::VarDecl::getInit(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), populateObjCForDestinationSet(), and clang::ento::CheckerManager::runCheckersForPostStmt().

Referenced by Visit().

◆ VisitObjCMessage()

void ExprEngine::VisitObjCMessage	(	const ObjCMessageExpr *	ME,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

Definition at line 151 of file ExprEngineObjC.cpp.

References clang::ento::ExplodedNodeSet::begin(), clang::ento::SVal::castAs(), clang::ento::CallEventRef< T >::cloneWithState(), defaultEvalCall(), clang::ento::ExplodedNodeSet::end(), clang::ento::StmtNodeBuilder::generateNode(), clang::ento::StmtNodeBuilder::generateSink(), clang::ento::ProgramStateManager::getCallEventManager(), getCFGElementRef(), getCheckerManager(), clang::ento::ExplodedNode::getLocation(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::CallEventManager::getObjCMethodCall(), clang::ento::ExplodedNode::getState(), getStateManager(), clang::ProgramPoint::getTag(), clang::ento::SVal::isUndef(), clang::ProgramPoint::PreStmtKind, clang::ento::CheckerManager::runCheckersForObjCMessageNil(), clang::ento::CheckerManager::runCheckersForPostCall(), clang::ento::CheckerManager::runCheckersForPostObjCMessage(), clang::ento::CheckerManager::runCheckersForPreCall(), and clang::ento::CheckerManager::runCheckersForPreObjCMessage().

Referenced by Visit().

◆ VisitOffsetOfExpr()

void ExprEngine::VisitOffsetOfExpr	(	const OffsetOfExpr *	Ex,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitOffsetOfExpr - Transfer function for offsetof.

Definition at line 838 of file ExprEngineC.cpp.

References clang::Type::castAs(), clang::Expr::EvaluateAsInt(), clang::ento::StmtNodeBuilder::generateNode(), getContext(), clang::ento::ExplodedNode::getLocationContext(), clang::ento::ExplodedNode::getState(), clang::Expr::getType(), clang::BuiltinType::isInteger(), clang::Type::isSignedIntegerType(), clang::Result, and X.

Referenced by Visit().

◆ VisitReturnStmt()

void ExprEngine::VisitReturnStmt	(	const ReturnStmt *	R,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitReturnStmt - Transfer function logic for return statements.

Definition at line 1307 of file ExprEngineCallAndReturn.cpp.

References clang::ento::ExplodedNodeSet::begin(), clang::ento::ExplodedNodeSet::end(), clang::ento::StmtNodeBuilder::generateNode(), getCheckerManager(), clang::ReturnStmt::getRetValue(), and clang::ento::CheckerManager::runCheckersForPreStmt().

Referenced by Visit().

◆ VisitUnaryExprOrTypeTraitExpr()

void ExprEngine::VisitUnaryExprOrTypeTraitExpr	(	const UnaryExprOrTypeTraitExpr *	Ex,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitUnaryExprOrTypeTraitExpr - Transfer function for sizeof.

Definition at line 857 of file ExprEngineC.cpp.

References clang::Expr::EvaluateKnownConstInt(), clang::CharUnits::fromQuantity(), clang::ento::StmtNodeBuilder::generateNode(), getCheckerManager(), getContext(), clang::UnaryExprOrTypeTraitExpr::getKind(), clang::CharUnits::getQuantity(), clang::Expr::getType(), clang::UnaryExprOrTypeTraitExpr::getTypeOfArgument(), clang::ento::CheckerManager::runCheckersForPostStmt(), clang::ento::CheckerManager::runCheckersForPreStmt(), and clang::T.

Referenced by Visit().

◆ VisitUnaryOperator()

void ExprEngine::VisitUnaryOperator	(	const UnaryOperator *	B,
		ExplodedNode *	Pred,
		ExplodedNodeSet &	Dst )

VisitUnaryOperator - Transfer function logic for unary operators.

Definition at line 915 of file ExprEngineC.cpp.

References clang::ento::NodeBuilder::addNodes(), clang::cast(), evalBinOp(), clang::ento::StmtNodeBuilder::generateNode(), getBasicVals(), getCheckerManager(), clang::Expr::getType(), handleUOExtension(), clang::isa(), clang::Type::isAnyComplexType(), clang::Type::isFloatingType(), clang::Result, clang::ento::CheckerManager::runCheckersForPostStmt(), clang::ento::CheckerManager::runCheckersForPreStmt(), clang::ento::NodeBuilder::takeNodes(), V, VisitIncrementDecrementOperator(), and X.

Referenced by Visit().

◆ wasBlocksExhausted()

bool clang::ento::ExprEngine::wasBlocksExhausted ( ) const

inline

Definition at line 448 of file ExprEngine.h.

The documentation for this class was generated from the following files:

include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
lib/StaticAnalyzer/Core/ExprEngine.cpp
lib/StaticAnalyzer/Core/ExprEngineC.cpp
lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
lib/StaticAnalyzer/Core/ExprEngineObjC.cpp

Public Types

Public Member Functions

Static Public Member Functions

Detailed Description

Member Enumeration Documentation

◆ InliningModes

Constructor & Destructor Documentation

◆ ExprEngine()

◆ ~ExprEngine()

Member Function Documentation

◆ bindReturnValue()

◆ cleanupNodeTag()

◆ computeObjectUnderConstruction()

◆ ConstructInitList()

◆ CreateCXXTemporaryObject()

◆ defaultEvalCall()

◆ didEagerlyAssumeBifurcateAt()

◆ DumpGraph() [1/2]

◆ DumpGraph() [2/2]

◆ escapeValues()

◆ evalBinOp()

◆ evalCall()

◆ evalEagerlyAssumeBifurcation()

◆ evalLoad()

◆ evalStore()

◆ ExecuteWorkList()

◆ getAnalysisDeclContextManager()

◆ getAnalysisManager() [1/2]

◆ getAnalysisManager() [2/2]

◆ getBasicVals()

◆ getBugReporter() [1/2]

◆ getBugReporter() [2/2]

◆ getBuilderContext()

◆ getCFGElementRef()

◆ getCheckerManager()

◆ getConstraintManager() [1/2]

◆ getConstraintManager() [2/2]

◆ getContext()

◆ getCoreEngine()

◆ getCrossTranslationUnitContext()

◆ getCurrentCFGElement()

◆ getDataTags()

◆ getEagerlyAssumeBifurcationTags()

◆ getGraph() [1/2]

◆ getGraph() [2/2]

◆ getIndexOfElementToConstruct()

◆ getInitialState()

◆ getObjectUnderConstruction()

◆ getPendingArrayDestruction()

◆ getPendingInitLoop()

◆ getRegionManager()

◆ getRootLocationContext()

◆ getStateManager() [1/2]

◆ getStateManager() [2/2]

◆ getStmt()

◆ getStoreManager() [1/2]

◆ getStoreManager() [2/2]

◆ getSValBuilder() [1/2]

◆ getSValBuilder() [2/2]

◆ getSymbolManager() [1/2]

◆ getSymbolManager() [2/2]

◆ handleConstructionContext()

◆ handleLValueBitCast()

◆ handleUOExtension()

◆ hasEmptyWorkList()

◆ hasMoreIteration()

◆ hasWorkRemaining()

◆ notifyCheckersOfPointerEscape()

◆ printJson()

◆ processAssume()

◆ ProcessAutomaticObjDtor()

◆ ProcessBaseDtor()

◆ processBeginOfFunction()

◆ processBranch()

◆ processCallEnter()

◆ processCallExit()

◆ processCFGBlockEntrance()

◆ processCFGElement()

◆ processCleanupTemporaryBranch()

◆ ProcessDeleteDtor()