This is an archive of the discontinued LLVM Phabricator instance.

Differential D143328

[analyzer] Remove the loop from the exploded graph caused by missing information in program points
ClosedPublic

Authored by isuckatcs on Feb 4 2023, 2:57 PM.
Tokens
"Like" token, awarded by BoYanZh.

Details

Reviewers
xazax.hun
NoQ
Szelethus
steakhal
Commits
rGd65379c8d476: [analyzer] Remove the loop from the exploded graph caused by missing…
Summary

This patch is meant to fix #60412.

When we falled back to conservative evaluation, CallEvent::getProgramPoint() was used to
create a new program point at the location of the call.

If an implicit destructor was invoked, the location of the call was set to the declaration of the
destructor, which lead to a loop in some cases, like the one described in the issue above.

This patch changes the way, the new program points are created and ensures that we no longer
have a loop in the egraph when not needed. This behaviour seems to also increase our coverage,
as the egraph no longer stops at the looped section.

Old egraphNew egraph

Diff Detail

Event Timeline

isuckatcs created this revision.Feb 4 2023, 2:57 PM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 4 2023, 2:57 PM
Herald added subscribers: manas, ASDenysPetrov, martong and 7 others. · View Herald Transcript
isuckatcs requested review of this revision.Feb 4 2023, 2:57 PM
isuckatcs updated this revision to Diff 494859.Feb 4 2023, 3:31 PM

Updated

Harbormaster completed remote builds in B211890: Diff 494859.Feb 4 2023, 4:20 PM
isuckatcs updated this revision to Diff 494862.Feb 4 2023, 4:58 PM

Found a different solution by changing the location of the destructors.

In my oppinion none of these solution are 100% accurate. The previous one gives a local solution on one specific call site,
but doesn't solve the problem globally. This one changes the location of the destructor call, but as you can see it can affect
some checker outputs.

When reviewing please check the history and review the previous solution too (that's only 1 if statement).

Harbormaster completed remote builds in B211893: Diff 494862.Feb 4 2023, 5:40 PM
xazax.hun added a comment.Feb 6 2023, 6:09 PM

I think this patch should also add a test that fails before your changes.

I am not sure if we ever want to make a distinction between program points based on actual source locations. I am not opposed to it as a last resort, but to me it feels a bit fragile. Do we want macro expansion location? Or spelling location? The former can be bad for diagnostic purposes. The latter can be bad when macros are involved (e.g. we can still have the same spelling location for multiple expansions, so we can still end up in a loop.)

The big difference between the automatic destructors is that separate objects are being destroyed. I think it would be great if we could somehow incorporate this knowledge into the program point (e.g., the target region of the dtor).

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
833

I think we want each \param in new lines.

isuckatcs edited the summary of this revision. (Show Details)Feb 7 2023, 4:06 AM
isuckatcs updated this revision to Diff 495467.Feb 7 2023, 4:13 AM

Added two new program points for destructors.

Harbormaster completed remote builds in B212340: Diff 495467.Feb 7 2023, 4:14 AM
isuckatcs added a comment.EditedFeb 7 2023, 4:25 AM

The big difference between the automatic destructors is that separate objects are being destroyed. I think it would be great if we could somehow incorporate this knowledge into the program point (e.g., the target region of the dtor)

Using the location of the object being destructed instead of the location of the dtor decl was my initial way to incorporate this information to the program point. I just forgot about the different kinds of locations.

xazax.hun accepted this revision.Feb 7 2023, 8:34 AM

Thanks! This is exactly what I had in mind! Let's wait for @NoQ just in case he had something different in mind.

This revision is now accepted and ready to land.Feb 7 2023, 8:34 AM
NoQ added a comment.Feb 7 2023, 4:52 PM

Ooo, this looks amazing.

I think the right extra data to include is the CFGElementRef to the destructor element. This way destructors for different objects still receive different program points, but there's no longer any difference between these program points on different paths. This would also prevent program points from knowing anything about path-sensitive analysis, so they could be useful for building other CFG-based analyses even when path sensitivity is not desired. Also, CFGElementRef can be added to all implicit calls, so you no longer need a special subclass for destructors.

Actually it probably makes perfect sense to include CFGElementRef in most program points, and have getStmt() look up the statement from the CFG instead of storing the statement directly. But that's a much bigger refactoring pass.

clang/include/clang/Analysis/ProgramPoint.h
589–591

This isKind() implementation says that PreDestructorCall is not a sub-class of PreImplicitCall.

NoQ added a comment.Feb 7 2023, 4:59 PM

When reviewing please check the history and review the previous solution too (that's only 1 if statement).

Yeah I think I agree with your assessment, your initial solution probably covers this one test case but it doesn't actually help us discriminate between different destructors. It's really valuable that you found a way to have them have actual different program points.

xazax.hun added a comment.Feb 7 2023, 5:31 PM
In D143328#4111595, @NoQ wrote:

I think the right extra data to include is the CFGElementRef to the destructor element.

Oooh, so the different implicit dtor calls are actually different elements in the CFG. This is even better; I fully agree with this approach.

isuckatcs added a comment.EditedFeb 8 2023, 1:53 PM

I think the right extra data to include is the CFGElementRef to the destructor element.

To construct a CFGElementRef we need the parent CFG block and the index of the element.

using CFGElementRef = ElementRefImpl<false>;

...
ElementRefImpl(CFGBlockPtr Parent, size_t Index)
        : Parent(Parent), Index(Index) {}
...

In ExpressionEngine both of these are stored in members currStmtIdx and currBldrCtx,
however CallEvent doesn't know about this information. CallEvent also needs this information
because CallEvent::getProgramPoint() creates implicit call related program points, so we need to
modify every call site of CallEvent::CallEvent() to pass this information. One of these call sites is
NoStateChangeFuncVisitor::VisitNode(), where at first glance we'll have a hard time to figure
out the element index.

I think that for this solution to work, we need to remove the program point creation from CallEvent
and every other class that does the same (if there's any other).

isuckatcs added a comment.EditedFeb 8 2023, 2:00 PM

Also one more thing I see here is that while implicit destructors are present in the CFG,
the member destructors are not.

struct Test {
  Test() {}
  ~Test();
};

struct A {
  Test m1, m2;
};

int main() {
  A a, b;

  return 0;
}
[B1 (ENTRY)]
   Succs (1): B0

 [B0 (EXIT)]
   Preds (1): B1

int main()
 [B2 (ENTRY)]
   Succs (1): B1

 [B1]
   1:  (CXXConstructExpr, [B1.2], A)
   2: A a;
   3:  (CXXConstructExpr, [B1.4], A)
   4: A b;
   5: 0
   6: return [B1.5];
   7: [B1.4].~A() (Implicit destructor)
   8: [B1.2].~A() (Implicit destructor)
   Preds (1): B2
   Succs (1): B0

 [B0 (EXIT)]
   Preds (1): B1

We have CFG entries for a and b but there are none for m1 and m2. I'm not sure if
it's a CFG dumping issue in debug.DumpCFG, or something else though. ExprEngine
visits CFGElements, so there must be one for both member destructors I just don't know if their lack of presence in the dump will affect the proposed solution or not.

NoQ added a comment.Feb 8 2023, 8:33 PM

CallEvent also needs this information because CallEvent::getProgramPoint() creates implicit call related program points, so we need to modify every call site of CallEvent::CallEvent() to pass this information.

Oh, yeah, right, they *also* need CFGElements, and they *also* already sometimes carry target memregions instead, as a hack. Yeah this may turn into a massive refactoring pass. I think we can try to land the current approach then.

One of these call sites is NoStateChangeFuncVisitor::VisitNode(), where at first glance we'll have a hard time to figure out the element index.

In this case SCtx is the callee context (that's what getCaller() consumes) which provides getCallSideBlock()/getIndex() to look up the CFG element.

We have CFG entries for a and b but there are none for m1 and m2.

Destructor calls for m1 and m2 aren't in the CFG for main(), they're in the CFG for ~A(). Because ~A() is the default destructor, it's not getting analyzed at top level, so there's no CFG dump for it. You'll see them if you define an explicit destructor for A.

isuckatcs updated this revision to Diff 496510.Feb 10 2023, 9:13 AM
  • Added CFGElementRef to ImplicitCallPoint
  • Added 2 test cases

I only added the element ref as a new field instead of replacing any existing field,
because extracting the Decl out of CFGElementRef requires a lot of boilerplate
code. Similar to what is seen inside ExprEngine::processCFGElement().

I didn't add CFGElementRef to StmtPoint because there are a lot of different
modules that can create them, and each of them needs to be refactored for the
change to properly work.

Harbormaster completed remote builds in B213084: Diff 496510.Feb 10 2023, 9:14 AM
isuckatcs updated this revision to Diff 496522.Feb 10 2023, 9:25 AM

rebased

isuckatcs added inline comments.Feb 10 2023, 9:35 AM
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
3450

One currently known drawback is that in situations like this we need to create a dummy element ref.
Here the call event is only created to extract the declaration from the call expression.

Harbormaster completed remote builds in B213091: Diff 496522.Feb 10 2023, 10:36 AM
BoYanZh awarded a token.Feb 15 2023, 12:11 AM
BoYanZh added a subscriber: BoYanZh.
NoQ added a comment.Feb 16 2023, 12:57 PM

Dude, this is beautiful. I have like one nitpick, and I think we can land.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
833–834

I suspect that Target isn't necessary anymore, as it can be reconstructed from the CFG element. IIRC this could untie our hands in a few cases. I might be wrong. So I recommend adding a FIXME.

871–872

Same FIXME here, hopefully.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
164

You don't need to track it separately, it can be derived from the two previous member variables:

{currBldrCtx->getBlock(), currStmtIdx}
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
3450

Given that there's a statement, we could grep the CFG to find it. But I agree that it looks unnecessary.

isuckatcs marked 3 inline comments as done.Feb 16 2023, 4:41 PM
isuckatcs added inline comments.
clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
833–834

I can add a FIXME, though if I see it correctly, deducing the region from the CFG element is not trivial. The ExprEngine::Process...Dtor() functions are responsible for finding the region, which region will later be passed to the call event. A lot of these functions have a different logic for creating the region and we need to deal with arrays too, where figuring out the current element relies on ProgramStateTraits. So removing the target will also involve some refactoring, and this call event will also need to know about a program state.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
164

This is actually deliberate. We use the CFGElementRef multiple places over ExpressionEngine and I think it's easier and more readable to just use currElementRef instead of using an initializer list. Also this way it's only set once in ExprEngine::processCFGElement() and is harder to misuse it.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
3450

I was thinking about adding one more constructor for these kind of situations, which doesn't take an element ref as parameter, thought I think it would isntead result in forgetting about passing the element ref when they are needed.

isuckatcs marked 2 inline comments as done.Feb 16 2023, 4:42 PM
NoQ added inline comments.Feb 21 2023, 6:37 PM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
833–834

Yeah sounds like the array index will need to be supplied separately. But the rest of the procedure can probably be moved into CallEvent and then called back. The worst case is probably the temporary destructor, as it requires looking up object-under-construction for the respective CXXBindTemporaryExpr. In case of constructors it's easier, as it's already almost entirely in getObjectUnderConstruction(). So as long as the objects-under-construction trait and the element-under-construction trait are disconnected from ExprEngine (in a separate header like Taint.h), we can have CallEvents figure them out on their own.

So definitely doable, I still don't remember what I needed that for though. One way or another, I'm glad we're opening up this opportunity.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
164

You can make a method to avoid spelling out curly braces, like getCurrElementRef() or something like that. I think it's even harder to misuse it if it's set zero times.

isuckatcs updated this revision to Diff 499418.Feb 22 2023, 1:56 AM
isuckatcs marked 4 inline comments as done.

Addressed comments

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
833–834

I actually missed that a ProgramStateRef is already passed to this object in the constructor (on the line below this discussion), so we have access to the state traits. In this case we just need to port the logic from ExprEngine::ProcessImplicitDtor() and somehow separate it from ExprEngine completely.

If I see it correctly, we need to make ExprEngine::prepareStateForArrayDestruction() static and ExprEngine::makeElementRegion() public or accessible from CallEvent some other way. Anyway this will be a huge refactoring patch, so I added the FIXME.

isuckatcs updated this revision to Diff 499426.Feb 22 2023, 2:08 AM

Fixed artifacts cause by git clang-format

Harbormaster completed remote builds in B215196: Diff 499426.Feb 22 2023, 3:17 AM
isuckatcs retitled this revision from [analyzer] Remove the loop from the exploded graph caused by conservative evaluation to [analyzer] Remove the loop from the exploded graph caused by missing information in program points.Feb 22 2023, 5:22 AM
NoQ accepted this revision.Feb 22 2023, 5:23 PM

Looks amazing now! Thank you for getting to the bottom of this and building this elaborate fix for the root cause!

isuckatcs updated this revision to Diff 499992.Feb 23 2023, 3:00 PM

Applied git clang-format

Harbormaster completed remote builds in B215611: Diff 499992.Feb 23 2023, 3:48 PM
isuckatcs updated this revision to Diff 500635.Feb 26 2023, 4:35 PM

Rebased

Harbormaster completed remote builds in B216117: Diff 500635.Feb 26 2023, 5:27 PM
Closed by commit rGd65379c8d476: [analyzer] Remove the loop from the exploded graph caused by missing… (authored by isuckatcs). · Explain WhyMar 3 2023, 5:02 PM
This revision was automatically updated to reflect the committed changes.
isuckatcs added a commit: rGd65379c8d476: [analyzer] Remove the loop from the exploded graph caused by missing….
Herald added a project: Restricted Project. · View Herald TranscriptMar 3 2023, 5:02 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript

Revision Contents

PathSize
clang/
include/
clang/
Analysis/
68 lines
StaticAnalyzer/
Core/
PathSensitive/
165 lines
5 lines
lib/
StaticAnalyzer/
Checkers/
3 lines
RetainCountChecker/
6 lines
Core/
40 lines
25 lines
27 lines
7 lines
4 lines
test/
Analysis/
18 lines
28 lines
unittests/
StaticAnalyzer/
7 lines

Diff 502317

clang/include/clang/Analysis/ProgramPoint.h

Show First 20 LinesShow All 89 Lines▼ Show 20 Linesprivate:
llvm::PointerIntPair<const void *, 2, unsigned> Data2; llvm::PointerIntPair<const void *, 2, unsigned> Data2;
// The LocationContext could be NULL to allow ProgramPoint to be used in // The LocationContext could be NULL to allow ProgramPoint to be used in
// context insensitive analysis. // context insensitive analysis.
llvm::PointerIntPair<const LocationContext *, 2, unsigned> L; llvm::PointerIntPair<const LocationContext *, 2, unsigned> L;
llvm::PointerIntPair<const ProgramPointTag *, 2, unsigned> Tag; llvm::PointerIntPair<const ProgramPointTag *, 2, unsigned> Tag;
CFGBlock::ConstCFGElementRef ElemRef = {nullptr, 0};
protected: protected:
ProgramPoint() = default; ProgramPoint() = default;
ProgramPoint(const void *P, ProgramPoint(const void *P, Kind k, const LocationContext *l,
Kind k, const ProgramPointTag *tag = nullptr,
const LocationContext *l, CFGBlock::ConstCFGElementRef ElemRef = {nullptr, 0})
const ProgramPointTag *tag = nullptr) : Data1(P), Data2(nullptr, (((unsigned)k) >> 0) & 0x3),
: Data1(P), L(l, (((unsigned)k) >> 2) & 0x3), Tag(tag, (((unsigned)k) >> 4) & 0x3),
Data2(nullptr, (((unsigned) k) >> 0) & 0x3), ElemRef(ElemRef) {
L(l, (((unsigned) k) >> 2) & 0x3),
Tag(tag, (((unsigned) k) >> 4) & 0x3) {
assert(getKind() == k); assert(getKind() == k);
assert(getLocationContext() == l); assert(getLocationContext() == l);
assert(getData1() == P); assert(getData1() == P);
} }
ProgramPoint(const void *P1, ProgramPoint(const void *P1, const void *P2, Kind k, const LocationContext *l,
const void *P2, const ProgramPointTag *tag = nullptr,
Kind k, CFGBlock::ConstCFGElementRef ElemRef = {nullptr, 0})
const LocationContext *l, : Data1(P1), Data2(P2, (((unsigned)k) >> 0) & 0x3),
const ProgramPointTag *tag = nullptr) L(l, (((unsigned)k) >> 2) & 0x3), Tag(tag, (((unsigned)k) >> 4) & 0x3),
: Data1(P1), ElemRef(ElemRef) {}
Data2(P2, (((unsigned) k) >> 0) & 0x3),
L(l, (((unsigned) k) >> 2) & 0x3),
Tag(tag, (((unsigned) k) >> 4) & 0x3) {}
protected: protected:
const void *getData1() const { return Data1; } const void *getData1() const { return Data1; }
const void *getData2() const { return Data2.getPointer(); } const void *getData2() const { return Data2.getPointer(); }
void setData2(const void *d) { Data2.setPointer(d); } void setData2(const void *d) { Data2.setPointer(d); }
CFGBlock::ConstCFGElementRef getElementRef() const { return ElemRef; }
public: public:
/// Create a new ProgramPoint object that is the same as the original /// Create a new ProgramPoint object that is the same as the original
/// except for using the specified tag value. /// except for using the specified tag value.
ProgramPoint withTag(const ProgramPointTag *tag) const { ProgramPoint withTag(const ProgramPointTag *tag) const {
return ProgramPoint(getData1(), getData2(), getKind(), return ProgramPoint(getData1(), getData2(), getKind(),
getLocationContext(), tag); getLocationContext(), tag);
} }
▲ Show 20 LinesShow All 50 Lines▼ Show 20 Linespublic:
// For use with DenseMap. This hash is probably slow. // For use with DenseMap. This hash is probably slow.
unsigned getHashValue() const { unsigned getHashValue() const {
llvm::FoldingSetNodeID ID; llvm::FoldingSetNodeID ID;
Profile(ID); Profile(ID);
return ID.ComputeHash(); return ID.ComputeHash();
} }
bool operator==(const ProgramPoint & RHS) const { bool operator==(const ProgramPoint & RHS) const {
return Data1 == RHS.Data1 && return Data1 == RHS.Data1 && Data2 == RHS.Data2 && L == RHS.L &&
Data2 == RHS.Data2 && Tag == RHS.Tag && ElemRef == RHS.ElemRef;
L == RHS.L &&
Tag == RHS.Tag;
} }
bool operator!=(const ProgramPoint &RHS) const { bool operator!=(const ProgramPoint &RHS) const {
return Data1 != RHS.Data1 || return Data1 != RHS.Data1 || Data2 != RHS.Data2 || L != RHS.L ||
Data2 != RHS.Data2 || Tag != RHS.Tag || ElemRef != RHS.ElemRef;
L != RHS.L ||
Tag != RHS.Tag;
} }
void Profile(llvm::FoldingSetNodeID& ID) const { void Profile(llvm::FoldingSetNodeID& ID) const {
ID.AddInteger((unsigned) getKind()); ID.AddInteger((unsigned) getKind());
ID.AddPointer(getData1()); ID.AddPointer(getData1());
ID.AddPointer(getData2()); ID.AddPointer(getData2());
ID.AddPointer(getLocationContext()); ID.AddPointer(getLocationContext());
ID.AddPointer(getTag()); ID.AddPointer(getTag());
ID.AddPointer(ElemRef.getParent());
ID.AddInteger(ElemRef.getIndexInBlock());
} }
void printJson(llvm::raw_ostream &Out, const char *NL = "\n") const; void printJson(llvm::raw_ostream &Out, const char *NL = "\n") const;
LLVM_DUMP_METHOD void dump() const; LLVM_DUMP_METHOD void dump() const;
static ProgramPoint getProgramPoint(const Stmt *S, ProgramPoint::Kind K, static ProgramPoint getProgramPoint(const Stmt *S, ProgramPoint::Kind K,
const LocationContext *LC, const LocationContext *LC,
▲ Show 20 LinesShow All 41 Lines▼ Show 20 Lines
private: private:
friend class ProgramPoint; friend class ProgramPoint;
BlockExit() = default; BlockExit() = default;
static bool isKind(const ProgramPoint &Location) { static bool isKind(const ProgramPoint &Location) {
return Location.getKind() == BlockExitKind; return Location.getKind() == BlockExitKind;
} }
}; };
// FIXME: Eventually we want to take a CFGElementRef as parameter here too.
class StmtPoint : public ProgramPoint { class StmtPoint : public ProgramPoint {
public: public:
StmtPoint(const Stmt *S, const void *p2, Kind k, const LocationContext *L, StmtPoint(const Stmt *S, const void *p2, Kind k, const LocationContext *L,
const ProgramPointTag *tag) const ProgramPointTag *tag)
: ProgramPoint(S, p2, k, L, tag) { : ProgramPoint(S, p2, k, L, tag) {
assert(S); assert(S);
} }
▲ Show 20 LinesShow All 275 Lines▼ Show 20 Lines
}; };
/// Represents an implicit call event. /// Represents an implicit call event.
/// ///
/// The nearest statement is provided for diagnostic purposes. /// The nearest statement is provided for diagnostic purposes.
class ImplicitCallPoint : public ProgramPoint { class ImplicitCallPoint : public ProgramPoint {
public: public:
ImplicitCallPoint(const Decl *D, SourceLocation Loc, Kind K, ImplicitCallPoint(const Decl *D, SourceLocation Loc, Kind K,
const LocationContext *L, const ProgramPointTag *Tag) const LocationContext *L, const ProgramPointTag *Tag,
: ProgramPoint(Loc.getPtrEncoding(), D, K, L, Tag) {} CFGBlock::ConstCFGElementRef ElemRef)
: ProgramPoint(Loc.getPtrEncoding(), D, K, L, Tag, ElemRef) {}
const Decl *getDecl() const { return static_cast<const Decl *>(getData2()); } const Decl *getDecl() const { return static_cast<const Decl *>(getData2()); }
SourceLocation getLocation() const { SourceLocation getLocation() const {
return SourceLocation::getFromPtrEncoding(getData1()); return SourceLocation::getFromPtrEncoding(getData1());
} }
protected: protected:
ImplicitCallPoint() = default; ImplicitCallPoint() = default;
private: private:
friend class ProgramPoint; friend class ProgramPoint;
static bool isKind(const ProgramPoint &Location) { static bool isKind(const ProgramPoint &Location) {
return Location.getKind() >= MinImplicitCallKind && return Location.getKind() >= MinImplicitCallKind &&
Location.getKind() <= MaxImplicitCallKind; Location.getKind() <= MaxImplicitCallKind;
} }
}; };
/// Represents a program point just before an implicit call event. /// Represents a program point just before an implicit call event.
/// ///
/// Explicit calls will appear as PreStmt program points. /// Explicit calls will appear as PreStmt program points.
class PreImplicitCall : public ImplicitCallPoint { class PreImplicitCall : public ImplicitCallPoint {
public: public:
PreImplicitCall(const Decl *D, SourceLocation Loc, const LocationContext *L, PreImplicitCall(const Decl *D, SourceLocation Loc, const LocationContext *L,
CFGBlock::ConstCFGElementRef ElemRef,
const ProgramPointTag *Tag = nullptr) const ProgramPointTag *Tag = nullptr)
: ImplicitCallPoint(D, Loc, PreImplicitCallKind, L, Tag) {} : ImplicitCallPoint(D, Loc, PreImplicitCallKind, L, Tag, ElemRef) {}
private: private:
friend class ProgramPoint; friend class ProgramPoint;
PreImplicitCall() = default; PreImplicitCall() = default;
static bool isKind(const ProgramPoint &Location) { static bool isKind(const ProgramPoint &Location) {
return Location.getKind() == PreImplicitCallKind; return Location.getKind() == PreImplicitCallKind;
} }
NoQUnsubmitted
Not Done
ReplyInline Actions

This isKind() implementation says that PreDestructorCall is not a sub-class of PreImplicitCall.

NoQ: This `isKind()` implementation says that `PreDestructorCall` is not a sub-class of…
}; };
/// Represents a program point just after an implicit call event. /// Represents a program point just after an implicit call event.
/// ///
/// Explicit calls will appear as PostStmt program points. /// Explicit calls will appear as PostStmt program points.
class PostImplicitCall : public ImplicitCallPoint { class PostImplicitCall : public ImplicitCallPoint {
public: public:
PostImplicitCall(const Decl *D, SourceLocation Loc, const LocationContext *L, PostImplicitCall(const Decl *D, SourceLocation Loc, const LocationContext *L,
CFGBlock::ConstCFGElementRef ElemRef,
const ProgramPointTag *Tag = nullptr) const ProgramPointTag *Tag = nullptr)
: ImplicitCallPoint(D, Loc, PostImplicitCallKind, L, Tag) {} : ImplicitCallPoint(D, Loc, PostImplicitCallKind, L, Tag, ElemRef) {}
private: private:
friend class ProgramPoint; friend class ProgramPoint;
PostImplicitCall() = default; PostImplicitCall() = default;
static bool isKind(const ProgramPoint &Location) { static bool isKind(const ProgramPoint &Location) {
return Location.getKind() == PostImplicitCallKind; return Location.getKind() == PostImplicitCallKind;
} }
}; };
▲ Show 20 LinesShow All 169 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h

Show First 20 LinesShow All 148 Lines▼ Show 20 Lines
class CallEvent { class CallEvent {
public: public:
using Kind = CallEventKind; using Kind = CallEventKind;
private: private:
ProgramStateRef State; ProgramStateRef State;
const LocationContext *LCtx; const LocationContext *LCtx;
llvm::PointerUnion<const Expr *, const Decl *> Origin; llvm::PointerUnion<const Expr *, const Decl *> Origin;
CFGBlock::ConstCFGElementRef ElemRef = {nullptr, 0};
mutable std::optional<bool> Foreign; // Set by CTU analysis. mutable std::optional<bool> Foreign; // Set by CTU analysis.
protected: protected:
// This is user data for subclasses. // This is user data for subclasses.
const void *Data; const void *Data;
// This is user data for subclasses. // This is user data for subclasses.
// This should come right before RefCount, so that the two fields can be // This should come right before RefCount, so that the two fields can be
// packed together on LP64 platforms. // packed together on LP64 platforms.
SourceLocation Location; SourceLocation Location;
private: private:
template <typename T> friend struct llvm::IntrusiveRefCntPtrInfo; template <typename T> friend struct llvm::IntrusiveRefCntPtrInfo;
mutable unsigned RefCount = 0; mutable unsigned RefCount = 0;
void Retain() const { ++RefCount; } void Retain() const { ++RefCount; }
void Release() const; void Release() const;
protected: protected:
friend class CallEventManager; friend class CallEventManager;
CallEvent(const Expr *E, ProgramStateRef state, const LocationContext *lctx) CallEvent(const Expr *E, ProgramStateRef state, const LocationContext *lctx,
: State(std::move(state)), LCtx(lctx), Origin(E) {} CFGBlock::ConstCFGElementRef ElemRef)
: State(std::move(state)), LCtx(lctx), Origin(E), ElemRef(ElemRef) {}
CallEvent(const Decl *D, ProgramStateRef state, const LocationContext *lctx)
: State(std::move(state)), LCtx(lctx), Origin(D) {} CallEvent(const Decl *D, ProgramStateRef state, const LocationContext *lctx,
CFGBlock::ConstCFGElementRef ElemRef)
: State(std::move(state)), LCtx(lctx), Origin(D), ElemRef(ElemRef) {}
// DO NOT MAKE PUBLIC // DO NOT MAKE PUBLIC
CallEvent(const CallEvent &Original) CallEvent(const CallEvent &Original)
: State(Original.State), LCtx(Original.LCtx), Origin(Original.Origin), : State(Original.State), LCtx(Original.LCtx), Origin(Original.Origin),
Data(Original.Data), Location(Original.Location) {} ElemRef(Original.ElemRef), Data(Original.Data),
Location(Original.Location) {}
/// Copies this CallEvent, with vtable intact, into a new block of memory. /// Copies this CallEvent, with vtable intact, into a new block of memory.
virtual void cloneTo(void *Dest) const = 0; virtual void cloneTo(void *Dest) const = 0;
/// Get the value of arbitrary expressions at this point in the path. /// Get the value of arbitrary expressions at this point in the path.
SVal getSVal(const Stmt *S) const { SVal getSVal(const Stmt *S) const {
return getState()->getSVal(S, getLocationContext()); return getState()->getSVal(S, getLocationContext());
} }
Show All 30 Lines const ProgramStateRef &getState() const {
return State; return State;
} }
/// The context in which the call is being evaluated. /// The context in which the call is being evaluated.
const LocationContext *getLocationContext() const { const LocationContext *getLocationContext() const {
return LCtx; return LCtx;
} }
const CFGBlock::ConstCFGElementRef &getCFGElementRef() const {
return ElemRef;
}
/// Returns the definition of the function or method that will be /// Returns the definition of the function or method that will be
/// called. /// called.
virtual RuntimeDefinition getRuntimeDefinition() const = 0; virtual RuntimeDefinition getRuntimeDefinition() const = 0;
/// Returns the expression whose value will be the result of this call. /// Returns the expression whose value will be the result of this call.
/// May be null. /// May be null.
virtual const Expr *getOriginExpr() const { virtual const Expr *getOriginExpr() const {
return Origin.dyn_cast<const Expr *>(); return Origin.dyn_cast<const Expr *>();
▲ Show 20 LinesShow All 236 Lines▼ Show 20 Linespublic:
void dump() const; void dump() const;
}; };
/// Represents a call to any sort of function that might have a /// Represents a call to any sort of function that might have a
/// FunctionDecl. /// FunctionDecl.
class AnyFunctionCall : public CallEvent { class AnyFunctionCall : public CallEvent {
protected: protected:
AnyFunctionCall(const Expr *E, ProgramStateRef St, AnyFunctionCall(const Expr *E, ProgramStateRef St,
const LocationContext *LCtx) const LocationContext *LCtx,
: CallEvent(E, St, LCtx) {} CFGBlock::ConstCFGElementRef ElemRef)
: CallEvent(E, St, LCtx, ElemRef) {}
AnyFunctionCall(const Decl *D, ProgramStateRef St, AnyFunctionCall(const Decl *D, ProgramStateRef St,
const LocationContext *LCtx) const LocationContext *LCtx,
: CallEvent(D, St, LCtx) {} CFGBlock::ConstCFGElementRef ElemRef)
: CallEvent(D, St, LCtx, ElemRef) {}
AnyFunctionCall(const AnyFunctionCall &Other) = default; AnyFunctionCall(const AnyFunctionCall &Other) = default;
public: public:
// This function is overridden by subclasses, but they must return // This function is overridden by subclasses, but they must return
// a FunctionDecl. // a FunctionDecl.
const FunctionDecl *getDecl() const override { const FunctionDecl *getDecl() const override {
return cast<FunctionDecl>(CallEvent::getDecl()); return cast<FunctionDecl>(CallEvent::getDecl());
} }
Show All 16 Lines
/// Represents a C function or static C++ member function call. /// Represents a C function or static C++ member function call.
/// ///
/// Example: \c fun() /// Example: \c fun()
class SimpleFunctionCall : public AnyFunctionCall { class SimpleFunctionCall : public AnyFunctionCall {
friend class CallEventManager; friend class CallEventManager;
protected: protected:
SimpleFunctionCall(const CallExpr *CE, ProgramStateRef St, SimpleFunctionCall(const CallExpr *CE, ProgramStateRef St,
const LocationContext *LCtx) const LocationContext *LCtx,
: AnyFunctionCall(CE, St, LCtx) {} CFGBlock::ConstCFGElementRef ElemRef)
: AnyFunctionCall(CE, St, LCtx, ElemRef) {}
SimpleFunctionCall(const SimpleFunctionCall &Other) = default; SimpleFunctionCall(const SimpleFunctionCall &Other) = default;
void cloneTo(void *Dest) const override { void cloneTo(void *Dest) const override {
new (Dest) SimpleFunctionCall(*this); new (Dest) SimpleFunctionCall(*this);
} }
public: public:
const CallExpr *getOriginExpr() const override { const CallExpr *getOriginExpr() const override {
Show All 18 Lines
/// Represents a call to a block. /// Represents a call to a block.
/// ///
/// Example: <tt>^{ statement-body }()</tt> /// Example: <tt>^{ statement-body }()</tt>
class BlockCall : public CallEvent { class BlockCall : public CallEvent {
friend class CallEventManager; friend class CallEventManager;
protected: protected:
BlockCall(const CallExpr *CE, ProgramStateRef St, BlockCall(const CallExpr *CE, ProgramStateRef St, const LocationContext *LCtx,
const LocationContext *LCtx) CFGBlock::ConstCFGElementRef ElemRef)
: CallEvent(CE, St, LCtx) {} : CallEvent(CE, St, LCtx, ElemRef) {}
BlockCall(const BlockCall &Other) = default; BlockCall(const BlockCall &Other) = default;
void cloneTo(void *Dest) const override { new (Dest) BlockCall(*this); } void cloneTo(void *Dest) const override { new (Dest) BlockCall(*this); }
void getExtraInvalidatedValues(ValueList &Values, void getExtraInvalidatedValues(ValueList &Values,
RegionAndSymbolInvalidationTraits *ETraits) const override; RegionAndSymbolInvalidationTraits *ETraits) const override;
public: public:
▲ Show 20 LinesShow All 85 Lines▼ Show 20 Linespublic:
static bool classof(const CallEvent *CA) { return CA->getKind() == CE_Block; } static bool classof(const CallEvent *CA) { return CA->getKind() == CE_Block; }
}; };
/// Represents a non-static C++ member function call, no matter how /// Represents a non-static C++ member function call, no matter how
/// it is written. /// it is written.
class CXXInstanceCall : public AnyFunctionCall { class CXXInstanceCall : public AnyFunctionCall {
protected: protected:
CXXInstanceCall(const CallExpr *CE, ProgramStateRef St, CXXInstanceCall(const CallExpr *CE, ProgramStateRef St,
const LocationContext *LCtx) const LocationContext *LCtx,
: AnyFunctionCall(CE, St, LCtx) {} CFGBlock::ConstCFGElementRef ElemRef)
: AnyFunctionCall(CE, St, LCtx, ElemRef) {}
CXXInstanceCall(const FunctionDecl *D, ProgramStateRef St, CXXInstanceCall(const FunctionDecl *D, ProgramStateRef St,
const LocationContext *LCtx) const LocationContext *LCtx,
: AnyFunctionCall(D, St, LCtx) {} CFGBlock::ConstCFGElementRef ElemRef)
: AnyFunctionCall(D, St, LCtx, ElemRef) {}
CXXInstanceCall(const CXXInstanceCall &Other) = default; CXXInstanceCall(const CXXInstanceCall &Other) = default;
void getExtraInvalidatedValues(ValueList &Values, void getExtraInvalidatedValues(ValueList &Values,
RegionAndSymbolInvalidationTraits *ETraits) const override; RegionAndSymbolInvalidationTraits *ETraits) const override;
public: public:
/// Returns the expression representing the implicit 'this' object. /// Returns the expression representing the implicit 'this' object.
virtual const Expr *getCXXThisExpr() const { return nullptr; } virtual const Expr *getCXXThisExpr() const { return nullptr; }
Show All 17 Lines
/// Represents a non-static C++ member function call. /// Represents a non-static C++ member function call.
/// ///
/// Example: \c obj.fun() /// Example: \c obj.fun()
class CXXMemberCall : public CXXInstanceCall { class CXXMemberCall : public CXXInstanceCall {
friend class CallEventManager; friend class CallEventManager;
protected: protected:
CXXMemberCall(const CXXMemberCallExpr *CE, ProgramStateRef St, CXXMemberCall(const CXXMemberCallExpr *CE, ProgramStateRef St,
const LocationContext *LCtx) const LocationContext *LCtx,
: CXXInstanceCall(CE, St, LCtx) {} CFGBlock::ConstCFGElementRef ElemRef)
: CXXInstanceCall(CE, St, LCtx, ElemRef) {}
CXXMemberCall(const CXXMemberCall &Other) = default; CXXMemberCall(const CXXMemberCall &Other) = default;
void cloneTo(void *Dest) const override { new (Dest) CXXMemberCall(*this); } void cloneTo(void *Dest) const override { new (Dest) CXXMemberCall(*this); }
public: public:
const CXXMemberCallExpr *getOriginExpr() const override { const CXXMemberCallExpr *getOriginExpr() const override {
return cast<CXXMemberCallExpr>(CXXInstanceCall::getOriginExpr()); return cast<CXXMemberCallExpr>(CXXInstanceCall::getOriginExpr());
} }
Show All 24 Lines
/// implemented as a non-static member function. /// implemented as a non-static member function.
/// ///
/// Example: <tt>iter + 1</tt> /// Example: <tt>iter + 1</tt>
class CXXMemberOperatorCall : public CXXInstanceCall { class CXXMemberOperatorCall : public CXXInstanceCall {
friend class CallEventManager; friend class CallEventManager;
protected: protected:
CXXMemberOperatorCall(const CXXOperatorCallExpr *CE, ProgramStateRef St, CXXMemberOperatorCall(const CXXOperatorCallExpr *CE, ProgramStateRef St,
const LocationContext *LCtx) const LocationContext *LCtx,
: CXXInstanceCall(CE, St, LCtx) {} CFGBlock::ConstCFGElementRef ElemRef)
: CXXInstanceCall(CE, St, LCtx, ElemRef) {}
CXXMemberOperatorCall(const CXXMemberOperatorCall &Other) = default; CXXMemberOperatorCall(const CXXMemberOperatorCall &Other) = default;
void cloneTo(void *Dest) const override { void cloneTo(void *Dest) const override {
new (Dest) CXXMemberOperatorCall(*this); new (Dest) CXXMemberOperatorCall(*this);
} }
public: public:
const CXXOperatorCallExpr *getOriginExpr() const override { const CXXOperatorCallExpr *getOriginExpr() const override {
▲ Show 20 LinesShow All 49 Lines▼ Show 20 Linesprotected:
/// Creates an implicit destructor. /// Creates an implicit destructor.
/// ///
/// \param DD The destructor that will be called. /// \param DD The destructor that will be called.
/// \param Trigger The statement whose completion causes this destructor call. /// \param Trigger The statement whose completion causes this destructor call.
/// \param Target The object region to be destructed. /// \param Target The object region to be destructed.
/// \param St The path-sensitive state at this point in the program. /// \param St The path-sensitive state at this point in the program.
/// \param LCtx The location context at this point in the program. /// \param LCtx The location context at this point in the program.
/// \param ElemRef The reference to this destructor in the CFG.
///
/// FIXME: Eventually we want to drop \param Target and deduce it from
/// \param ElemRef. To do that we need to migrate the logic for target
/// region lookup from ExprEngine::ProcessImplicitDtor() and make it
/// independent from ExprEngine.
CXXDestructorCall(const CXXDestructorDecl *DD, const Stmt *Trigger, CXXDestructorCall(const CXXDestructorDecl *DD, const Stmt *Trigger,
const MemRegion *Target, bool IsBaseDestructor, const MemRegion *Target, bool IsBaseDestructor,
xazax.hunUnsubmitted
Done
ReplyInline Actions

I think we want each \param in new lines.

xazax.hun: I think we want each `\param` in new lines.
ProgramStateRef St, const LocationContext *LCtx) ProgramStateRef St, const LocationContext *LCtx,
NoQUnsubmitted
Done
ReplyInline Actions

I suspect that Target isn't necessary anymore, as it can be reconstructed from the CFG element. IIRC this could untie our hands in a few cases. I might be wrong. So I recommend adding a FIXME.

NoQ: I suspect that `Target` isn't necessary anymore, as it can be reconstructed from the CFG…
isuckatcsAuthorUnsubmitted
Done
ReplyInline Actions

I can add a FIXME, though if I see it correctly, deducing the region from the CFG element is not trivial. The ExprEngine::Process...Dtor() functions are responsible for finding the region, which region will later be passed to the call event. A lot of these functions have a different logic for creating the region and we need to deal with arrays too, where figuring out the current element relies on ProgramStateTraits. So removing the target will also involve some refactoring, and this call event will also need to know about a program state.

isuckatcs: I can add a FIXME, though if I see it correctly, deducing the region from the CFG element is…
NoQUnsubmitted
Done
ReplyInline Actions

Yeah sounds like the array index will need to be supplied separately. But the rest of the procedure can probably be moved into CallEvent and then called back. The worst case is probably the temporary destructor, as it requires looking up object-under-construction for the respective CXXBindTemporaryExpr. In case of constructors it's easier, as it's already almost entirely in getObjectUnderConstruction(). So as long as the objects-under-construction trait and the element-under-construction trait are disconnected from ExprEngine (in a separate header like Taint.h), we can have CallEvents figure them out on their own.

So definitely doable, I still don't remember what I needed that for though. One way or another, I'm glad we're opening up this opportunity.

NoQ: Yeah sounds like the array index will need to be supplied separately. But the rest of the…
isuckatcsAuthorUnsubmitted
Done
ReplyInline Actions

I actually missed that a ProgramStateRef is already passed to this object in the constructor (on the line below this discussion), so we have access to the state traits. In this case we just need to port the logic from ExprEngine::ProcessImplicitDtor() and somehow separate it from ExprEngine completely.

If I see it correctly, we need to make ExprEngine::prepareStateForArrayDestruction() static and ExprEngine::makeElementRegion() public or accessible from CallEvent some other way. Anyway this will be a huge refactoring patch, so I added the FIXME.

isuckatcs: I actually missed that a `ProgramStateRef` is already passed to this object in the constructor…
: CXXInstanceCall(DD, St, LCtx) { CFGBlock::ConstCFGElementRef ElemRef)
: CXXInstanceCall(DD, St, LCtx, ElemRef) {
Data = DtorDataTy(Target, IsBaseDestructor).getOpaqueValue(); Data = DtorDataTy(Target, IsBaseDestructor).getOpaqueValue();
Location = Trigger->getEndLoc(); Location = Trigger->getEndLoc();
} }
CXXDestructorCall(const CXXDestructorCall &Other) = default; CXXDestructorCall(const CXXDestructorCall &Other) = default;
void cloneTo(void *Dest) const override {new (Dest) CXXDestructorCall(*this);} void cloneTo(void *Dest) const override {new (Dest) CXXDestructorCall(*this);}
Show All 18 Lines static bool classof(const CallEvent *CA) {
return CA->getKind() == CE_CXXDestructor; return CA->getKind() == CE_CXXDestructor;
} }
}; };
/// Represents any constructor invocation. This includes regular constructors /// Represents any constructor invocation. This includes regular constructors
/// and inherited constructors. /// and inherited constructors.
class AnyCXXConstructorCall : public AnyFunctionCall { class AnyCXXConstructorCall : public AnyFunctionCall {
protected: protected:
AnyCXXConstructorCall(const Expr *E, const MemRegion *Target, AnyCXXConstructorCall(const Expr *E, const MemRegion *Target,
ProgramStateRef St, const LocationContext *LCtx) ProgramStateRef St, const LocationContext *LCtx,
NoQUnsubmitted
Done
ReplyInline Actions

Same FIXME here, hopefully.

NoQ: Same FIXME here, hopefully.
: AnyFunctionCall(E, St, LCtx) { CFGBlock::ConstCFGElementRef ElemRef)
: AnyFunctionCall(E, St, LCtx, ElemRef) {
assert(E && (isa<CXXConstructExpr>(E) || isa<CXXInheritedCtorInitExpr>(E))); assert(E && (isa<CXXConstructExpr>(E) || isa<CXXInheritedCtorInitExpr>(E)));
// Target may be null when the region is unknown. // Target may be null when the region is unknown.
Data = Target; Data = Target;
} }
void getExtraInvalidatedValues(ValueList &Values, void getExtraInvalidatedValues(ValueList &Values,
RegionAndSymbolInvalidationTraits *ETraits) const override; RegionAndSymbolInvalidationTraits *ETraits) const override;
Show All 19 Lines
protected: protected:
/// Creates a constructor call. /// Creates a constructor call.
/// ///
/// \param CE The constructor expression as written in the source. /// \param CE The constructor expression as written in the source.
/// \param Target The region where the object should be constructed. If NULL, /// \param Target The region where the object should be constructed. If NULL,
/// a new symbolic region will be used. /// a new symbolic region will be used.
/// \param St The path-sensitive state at this point in the program. /// \param St The path-sensitive state at this point in the program.
/// \param LCtx The location context at this point in the program. /// \param LCtx The location context at this point in the program.
/// \param ElemRef The reference to this constructor in the CFG.
///
/// FIXME: Eventually we want to drop \param Target and deduce it from
/// \param ElemRef.
CXXConstructorCall(const CXXConstructExpr *CE, const MemRegion *Target, CXXConstructorCall(const CXXConstructExpr *CE, const MemRegion *Target,
ProgramStateRef St, const LocationContext *LCtx) ProgramStateRef St, const LocationContext *LCtx,
: AnyCXXConstructorCall(CE, Target, St, LCtx) {} CFGBlock::ConstCFGElementRef ElemRef)
: AnyCXXConstructorCall(CE, Target, St, LCtx, ElemRef) {}
CXXConstructorCall(const CXXConstructorCall &Other) = default; CXXConstructorCall(const CXXConstructorCall &Other) = default;
void cloneTo(void *Dest) const override { new (Dest) CXXConstructorCall(*this); } void cloneTo(void *Dest) const override { new (Dest) CXXConstructorCall(*this); }
public: public:
const CXXConstructExpr *getOriginExpr() const override { const CXXConstructExpr *getOriginExpr() const override {
return cast<CXXConstructExpr>(AnyFunctionCall::getOriginExpr()); return cast<CXXConstructExpr>(AnyFunctionCall::getOriginExpr());
Show All 38 Lines
/// ///
/// ... b.b is initialized to true. /// ... b.b is initialized to true.
class CXXInheritedConstructorCall : public AnyCXXConstructorCall { class CXXInheritedConstructorCall : public AnyCXXConstructorCall {
friend class CallEventManager; friend class CallEventManager;
protected: protected:
CXXInheritedConstructorCall(const CXXInheritedCtorInitExpr *CE, CXXInheritedConstructorCall(const CXXInheritedCtorInitExpr *CE,
const MemRegion *Target, ProgramStateRef St, const MemRegion *Target, ProgramStateRef St,
const LocationContext *LCtx) const LocationContext *LCtx,
: AnyCXXConstructorCall(CE, Target, St, LCtx) {} CFGBlock::ConstCFGElementRef ElemRef)
: AnyCXXConstructorCall(CE, Target, St, LCtx, ElemRef) {}
CXXInheritedConstructorCall(const CXXInheritedConstructorCall &Other) = CXXInheritedConstructorCall(const CXXInheritedConstructorCall &Other) =
default; default;
void cloneTo(void *Dest) const override { void cloneTo(void *Dest) const override {
new (Dest) CXXInheritedConstructorCall(*this); new (Dest) CXXInheritedConstructorCall(*this);
} }
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Lines
/// Represents the memory allocation call in a C++ new-expression. /// Represents the memory allocation call in a C++ new-expression.
/// ///
/// This is a call to "operator new". /// This is a call to "operator new".
class CXXAllocatorCall : public AnyFunctionCall { class CXXAllocatorCall : public AnyFunctionCall {
friend class CallEventManager; friend class CallEventManager;
protected: protected:
CXXAllocatorCall(const CXXNewExpr *E, ProgramStateRef St, CXXAllocatorCall(const CXXNewExpr *E, ProgramStateRef St,
const LocationContext *LCtx) const LocationContext *LCtx,
: AnyFunctionCall(E, St, LCtx) {} CFGBlock::ConstCFGElementRef ElemRef)
: AnyFunctionCall(E, St, LCtx, ElemRef) {}
CXXAllocatorCall(const CXXAllocatorCall &Other) = default; CXXAllocatorCall(const CXXAllocatorCall &Other) = default;
void cloneTo(void *Dest) const override { new (Dest) CXXAllocatorCall(*this); } void cloneTo(void *Dest) const override { new (Dest) CXXAllocatorCall(*this); }
public: public:
const CXXNewExpr *getOriginExpr() const override { const CXXNewExpr *getOriginExpr() const override {
return cast<CXXNewExpr>(AnyFunctionCall::getOriginExpr()); return cast<CXXNewExpr>(AnyFunctionCall::getOriginExpr());
} }
▲ Show 20 LinesShow All 63 Lines▼ Show 20 Lines
// http://lists.llvm.org/pipermail/cfe-dev/2020-April/065080.html // http://lists.llvm.org/pipermail/cfe-dev/2020-April/065080.html
// clang/test/Analysis/cxx-dynamic-memory-analysis-order.cpp // clang/test/Analysis/cxx-dynamic-memory-analysis-order.cpp
// clang/unittests/StaticAnalyzer/CallEventTest.cpp // clang/unittests/StaticAnalyzer/CallEventTest.cpp
class CXXDeallocatorCall : public AnyFunctionCall { class CXXDeallocatorCall : public AnyFunctionCall {
friend class CallEventManager; friend class CallEventManager;
protected: protected:
CXXDeallocatorCall(const CXXDeleteExpr *E, ProgramStateRef St, CXXDeallocatorCall(const CXXDeleteExpr *E, ProgramStateRef St,
const LocationContext *LCtx) const LocationContext *LCtx,
: AnyFunctionCall(E, St, LCtx) {} CFGBlock::ConstCFGElementRef ElemRef)
: AnyFunctionCall(E, St, LCtx, ElemRef) {}
CXXDeallocatorCall(const CXXDeallocatorCall &Other) = default; CXXDeallocatorCall(const CXXDeallocatorCall &Other) = default;
void cloneTo(void *Dest) const override { void cloneTo(void *Dest) const override {
new (Dest) CXXDeallocatorCall(*this); new (Dest) CXXDeallocatorCall(*this);
} }
public: public:
const CXXDeleteExpr *getOriginExpr() const override { const CXXDeleteExpr *getOriginExpr() const override {
Show All 34 Lines
/// This includes all of the kinds listed in ObjCMessageKind. /// This includes all of the kinds listed in ObjCMessageKind.
class ObjCMethodCall : public CallEvent { class ObjCMethodCall : public CallEvent {
friend class CallEventManager; friend class CallEventManager;
const PseudoObjectExpr *getContainingPseudoObjectExpr() const; const PseudoObjectExpr *getContainingPseudoObjectExpr() const;
protected: protected:
ObjCMethodCall(const ObjCMessageExpr *Msg, ProgramStateRef St, ObjCMethodCall(const ObjCMessageExpr *Msg, ProgramStateRef St,
const LocationContext *LCtx) const LocationContext *LCtx,
: CallEvent(Msg, St, LCtx) { CFGBlock::ConstCFGElementRef ElemRef)
: CallEvent(Msg, St, LCtx, ElemRef) {
Data = nullptr; Data = nullptr;
} }
ObjCMethodCall(const ObjCMethodCall &Other) = default; ObjCMethodCall(const ObjCMethodCall &Other) = default;
void cloneTo(void *Dest) const override { new (Dest) ObjCMethodCall(*this); } void cloneTo(void *Dest) const override { new (Dest) ObjCMethodCall(*this); }
void getExtraInvalidatedValues(ValueList &Values, void getExtraInvalidatedValues(ValueList &Values,
▲ Show 20 LinesShow All 111 Lines▼ Show 20 Linesclass CallEventManager {
void *allocate() { void *allocate() {
if (Cache.empty()) if (Cache.empty())
return Alloc.Allocate<CallEventTemplateTy>(); return Alloc.Allocate<CallEventTemplateTy>();
else else
return Cache.pop_back_val(); return Cache.pop_back_val();
} }
template <typename T, typename Arg> template <typename T, typename Arg>
T *create(Arg A, ProgramStateRef St, const LocationContext *LCtx) { T *create(Arg A, ProgramStateRef St, const LocationContext *LCtx,
CFGBlock::ConstCFGElementRef ElemRef) {
static_assert(sizeof(T) == sizeof(CallEventTemplateTy), static_assert(sizeof(T) == sizeof(CallEventTemplateTy),
"CallEvent subclasses are not all the same size"); "CallEvent subclasses are not all the same size");
return new (allocate()) T(A, St, LCtx); return new (allocate()) T(A, St, LCtx, ElemRef);
} }
template <typename T, typename Arg1, typename Arg2> template <typename T, typename Arg1, typename Arg2>
T *create(Arg1 A1, Arg2 A2, ProgramStateRef St, const LocationContext *LCtx) { T *create(Arg1 A1, Arg2 A2, ProgramStateRef St, const LocationContext *LCtx,
CFGBlock::ConstCFGElementRef ElemRef) {
static_assert(sizeof(T) == sizeof(CallEventTemplateTy), static_assert(sizeof(T) == sizeof(CallEventTemplateTy),
"CallEvent subclasses are not all the same size"); "CallEvent subclasses are not all the same size");
return new (allocate()) T(A1, A2, St, LCtx); return new (allocate()) T(A1, A2, St, LCtx, ElemRef);
} }
template <typename T, typename Arg1, typename Arg2, typename Arg3> template <typename T, typename Arg1, typename Arg2, typename Arg3>
T *create(Arg1 A1, Arg2 A2, Arg3 A3, ProgramStateRef St, T *create(Arg1 A1, Arg2 A2, Arg3 A3, ProgramStateRef St,
const LocationContext *LCtx) { const LocationContext *LCtx, CFGBlock::ConstCFGElementRef ElemRef) {
static_assert(sizeof(T) == sizeof(CallEventTemplateTy), static_assert(sizeof(T) == sizeof(CallEventTemplateTy),
"CallEvent subclasses are not all the same size"); "CallEvent subclasses are not all the same size");
return new (allocate()) T(A1, A2, A3, St, LCtx); return new (allocate()) T(A1, A2, A3, St, LCtx, ElemRef);
} }
template <typename T, typename Arg1, typename Arg2, typename Arg3, template <typename T, typename Arg1, typename Arg2, typename Arg3,
typename Arg4> typename Arg4>
T *create(Arg1 A1, Arg2 A2, Arg3 A3, Arg4 A4, ProgramStateRef St, T *create(Arg1 A1, Arg2 A2, Arg3 A3, Arg4 A4, ProgramStateRef St,
const LocationContext *LCtx) { const LocationContext *LCtx, CFGBlock::ConstCFGElementRef ElemRef) {
static_assert(sizeof(T) == sizeof(CallEventTemplateTy), static_assert(sizeof(T) == sizeof(CallEventTemplateTy),
"CallEvent subclasses are not all the same size"); "CallEvent subclasses are not all the same size");
return new (allocate()) T(A1, A2, A3, A4, St, LCtx); return new (allocate()) T(A1, A2, A3, A4, St, LCtx, ElemRef);
} }
public: public:
CallEventManager(llvm::BumpPtrAllocator &alloc) : Alloc(alloc) {} CallEventManager(llvm::BumpPtrAllocator &alloc) : Alloc(alloc) {}
/// Gets an outside caller given a callee context. /// Gets an outside caller given a callee context.
CallEventRef<> CallEventRef<>
getCaller(const StackFrameContext *CalleeCtx, ProgramStateRef State); getCaller(const StackFrameContext *CalleeCtx, ProgramStateRef State);
/// Gets a call event for a function call, Objective-C method call, /// Gets a call event for a function call, Objective-C method call,
/// a 'new', or a 'delete' call. /// a 'new', or a 'delete' call.
CallEventRef<> CallEventRef<> getCall(const Stmt *S, ProgramStateRef State,
getCall(const Stmt *S, ProgramStateRef State, const LocationContext *LC,
const LocationContext *LC); CFGBlock::ConstCFGElementRef ElemRef);
CallEventRef<> CallEventRef<> getSimpleCall(const CallExpr *E, ProgramStateRef State,
getSimpleCall(const CallExpr *E, ProgramStateRef State, const LocationContext *LCtx,
const LocationContext *LCtx); CFGBlock::ConstCFGElementRef ElemRef);
CallEventRef<ObjCMethodCall> CallEventRef<ObjCMethodCall>
getObjCMethodCall(const ObjCMessageExpr *E, ProgramStateRef State, getObjCMethodCall(const ObjCMessageExpr *E, ProgramStateRef State,
const LocationContext *LCtx) { const LocationContext *LCtx,
return create<ObjCMethodCall>(E, State, LCtx); CFGBlock::ConstCFGElementRef ElemRef) {
return create<ObjCMethodCall>(E, State, LCtx, ElemRef);
} }
CallEventRef<CXXConstructorCall> CallEventRef<CXXConstructorCall>
getCXXConstructorCall(const CXXConstructExpr *E, const MemRegion *Target, getCXXConstructorCall(const CXXConstructExpr *E, const MemRegion *Target,
ProgramStateRef State, const LocationContext *LCtx) { ProgramStateRef State, const LocationContext *LCtx,
return create<CXXConstructorCall>(E, Target, State, LCtx); CFGBlock::ConstCFGElementRef ElemRef) {
return create<CXXConstructorCall>(E, Target, State, LCtx, ElemRef);
} }
CallEventRef<CXXInheritedConstructorCall> CallEventRef<CXXInheritedConstructorCall>
getCXXInheritedConstructorCall(const CXXInheritedCtorInitExpr *E, getCXXInheritedConstructorCall(const CXXInheritedCtorInitExpr *E,
const MemRegion *Target, ProgramStateRef State, const MemRegion *Target, ProgramStateRef State,
const LocationContext *LCtx) { const LocationContext *LCtx,
return create<CXXInheritedConstructorCall>(E, Target, State, LCtx); CFGBlock::ConstCFGElementRef ElemRef) {
return create<CXXInheritedConstructorCall>(E, Target, State, LCtx, ElemRef);
} }
CallEventRef<CXXDestructorCall> CallEventRef<CXXDestructorCall>
getCXXDestructorCall(const CXXDestructorDecl *DD, const Stmt *Trigger, getCXXDestructorCall(const CXXDestructorDecl *DD, const Stmt *Trigger,
const MemRegion *Target, bool IsBase, const MemRegion *Target, bool IsBase,
ProgramStateRef State, const LocationContext *LCtx) { ProgramStateRef State, const LocationContext *LCtx,
return create<CXXDestructorCall>(DD, Trigger, Target, IsBase, State, LCtx); CFGBlock::ConstCFGElementRef ElemRef) {
return create<CXXDestructorCall>(DD, Trigger, Target, IsBase, State, LCtx,
ElemRef);
} }
CallEventRef<CXXAllocatorCall> CallEventRef<CXXAllocatorCall>
getCXXAllocatorCall(const CXXNewExpr *E, ProgramStateRef State, getCXXAllocatorCall(const CXXNewExpr *E, ProgramStateRef State,
const LocationContext *LCtx) { const LocationContext *LCtx,
return create<CXXAllocatorCall>(E, State, LCtx); CFGBlock::ConstCFGElementRef ElemRef) {
return create<CXXAllocatorCall>(E, State, LCtx, ElemRef);
} }
CallEventRef<CXXDeallocatorCall> CallEventRef<CXXDeallocatorCall>
getCXXDeallocatorCall(const CXXDeleteExpr *E, ProgramStateRef State, getCXXDeallocatorCall(const CXXDeleteExpr *E, ProgramStateRef State,
const LocationContext *LCtx) { const LocationContext *LCtx,
return create<CXXDeallocatorCall>(E, State, LCtx); CFGBlock::ConstCFGElementRef ElemRef) {
return create<CXXDeallocatorCall>(E, State, LCtx, ElemRef);
} }
}; };
template <typename T> template <typename T>
CallEventRef<T> CallEvent::cloneWithState(ProgramStateRef NewState) const { CallEventRef<T> CallEvent::cloneWithState(ProgramStateRef NewState) const {
assert(isa<T>(*this) && "Cloning to unrelated type"); assert(isa<T>(*this) && "Cloning to unrelated type");
static_assert(sizeof(T) == sizeof(CallEvent), static_assert(sizeof(T) == sizeof(CallEvent),
"Subclasses may not add fields"); "Subclasses may not add fields");
▲ Show 20 LinesShow All 45 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 LinesShow All 155 Lines▼ Show 20 Linesprivate:
/// MRMgr - MemRegionManager object that creates memory regions. /// MRMgr - MemRegionManager object that creates memory regions.
MemRegionManager &MRMgr; MemRegionManager &MRMgr;
/// svalBuilder - SValBuilder object that creates SVals from expressions. /// svalBuilder - SValBuilder object that creates SVals from expressions.
SValBuilder &svalBuilder; SValBuilder &svalBuilder;
unsigned int currStmtIdx = 0; unsigned int currStmtIdx = 0;
const NodeBuilderContext *currBldrCtx = nullptr; const NodeBuilderContext *currBldrCtx = nullptr;
NoQUnsubmitted
Done
ReplyInline Actions

You don't need to track it separately, it can be derived from the two previous member variables:

{currBldrCtx->getBlock(), currStmtIdx}
NoQ: You don't need to track it separately, it can be derived from the two previous member variables…
isuckatcsAuthorUnsubmitted
Done
ReplyInline Actions

This is actually deliberate. We use the CFGElementRef multiple places over ExpressionEngine and I think it's easier and more readable to just use currElementRef instead of using an initializer list. Also this way it's only set once in ExprEngine::processCFGElement() and is harder to misuse it.

isuckatcs: This is actually deliberate. We use the `CFGElementRef` multiple places over `ExpressionEngine`…
NoQUnsubmitted
Done
ReplyInline Actions

You can make a method to avoid spelling out curly braces, like getCurrElementRef() or something like that. I think it's even harder to misuse it if it's set zero times.

NoQ: You can make a method to avoid spelling out curly braces, like `getCurrElementRef()` or…
/// Helper object to determine if an Objective-C message expression /// Helper object to determine if an Objective-C message expression
/// implicitly never returns. /// implicitly never returns.
ObjCNoReturn ObjCNoRet; ObjCNoReturn ObjCNoRet;
/// The BugReporter associated with this engine. It is important that /// The BugReporter associated with this engine. It is important that
/// this object be placed at the very end of member variables so that its /// this object be placed at the very end of member variables so that its
/// destructor is called before the rest of the ExprEngine is destroyed. /// destructor is called before the rest of the ExprEngine is destroyed.
PathSensitiveBugReporter BR; PathSensitiveBugReporter BR;
▲ Show 20 LinesShow All 56 Lines▼ Show 20 Linespublic:
const Stmt *getStmt() const; const Stmt *getStmt() const;
const LocationContext *getRootLocationContext() const { const LocationContext *getRootLocationContext() const {
assert(G.roots_begin() != G.roots_end()); assert(G.roots_begin() != G.roots_end());
return (*G.roots_begin())->getLocation().getLocationContext(); return (*G.roots_begin())->getLocation().getLocationContext();
} }
CFGBlock::ConstCFGElementRef getCFGElementRef() const {
const CFGBlock *blockPtr = currBldrCtx ? currBldrCtx->getBlock() : nullptr;
return {blockPtr, currStmtIdx};
}
void GenerateAutoTransition(ExplodedNode *N); void GenerateAutoTransition(ExplodedNode *N);
void enqueueEndOfPath(ExplodedNodeSet &S); void enqueueEndOfPath(ExplodedNodeSet &S);
void GenerateCallExitNode(ExplodedNode *N); void GenerateCallExitNode(ExplodedNode *N);
/// Dump graph to the specified filename. /// Dump graph to the specified filename.
/// If filename is empty, generate a temporary one. /// If filename is empty, generate a temporary one.
/// \return The filename the graph is written into. /// \return The filename the graph is written into.
▲ Show 20 LinesShow All 799 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 3,440 Lines▼ Show 20 Lines if (isAllocated(RSCurr, RSPrev, S)) {
OS << "reallocated by call to '"; OS << "reallocated by call to '";
const Stmt *S = RSCurr->getStmt(); const Stmt *S = RSCurr->getStmt();
if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) { if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) {
OS << MemCallE->getMethodDecl()->getDeclName(); OS << MemCallE->getMethodDecl()->getDeclName();
} else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) { } else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) {
OS << OpCallE->getDirectCallee()->getDeclName(); OS << OpCallE->getDirectCallee()->getDeclName();
} else if (const auto *CallE = dyn_cast<CallExpr>(S)) { } else if (const auto *CallE = dyn_cast<CallExpr>(S)) {
auto &CEMgr = BRC.getStateManager().getCallEventManager(); auto &CEMgr = BRC.getStateManager().getCallEventManager();
CallEventRef<> Call = CEMgr.getSimpleCall(CallE, state, CurrentLC); CallEventRef<> Call =
CEMgr.getSimpleCall(CallE, state, CurrentLC, {nullptr, 0});
isuckatcsAuthorUnsubmitted
Done
ReplyInline Actions

One currently known drawback is that in situations like this we need to create a dummy element ref.
Here the call event is only created to extract the declaration from the call expression.

isuckatcs: One currently known drawback is that in situations like this we need to create a dummy element…
NoQUnsubmitted
Done
ReplyInline Actions

Given that there's a statement, we could grep the CFG to find it. But I agree that it looks unnecessary.

NoQ: Given that there's a statement, we could grep the CFG to find it. But I agree that it looks…
isuckatcsAuthorUnsubmitted
Done
ReplyInline Actions

I was thinking about adding one more constructor for these kind of situations, which doesn't take an element ref as parameter, thought I think it would isntead result in forgetting about passing the element ref when they are needed.

isuckatcs: I was thinking about adding one more constructor for these kind of situations, which doesn't…
if (const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl())) if (const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl()))
OS << D->getDeclName(); OS << D->getDeclName();
else else
OS << "unknown"; OS << "unknown";
} }
OS << "'"; OS << "'";
StackHint = std::make_unique<StackHintGeneratorForSymbol>( StackHint = std::make_unique<StackHintGeneratorForSymbol>(
Sym, "Returning; inner buffer was reallocated"); Sym, "Returning; inner buffer was reallocated");
▲ Show 20 LinesShow All 171 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountDiagnostics.cpp

Show First 20 LinesShow All 228 Lines▼ Show 20 Lines if (const auto *MD = dyn_cast<CXXMethodDecl>(CE->getCalleeDecl())) {
os << "Call to function '" << FD->getQualifiedNameAsString() << '\''; os << "Call to function '" << FD->getQualifiedNameAsString() << '\'';
} else { } else {
os << "function call"; os << "function call";
} }
} else if (isa<CXXNewExpr>(S)) { } else if (isa<CXXNewExpr>(S)) {
os << "Operator 'new'"; os << "Operator 'new'";
} else { } else {
assert(isa<ObjCMessageExpr>(S)); assert(isa<ObjCMessageExpr>(S));
CallEventRef<ObjCMethodCall> Call = CallEventRef<ObjCMethodCall> Call = Mgr.getObjCMethodCall(
Mgr.getObjCMethodCall(cast<ObjCMessageExpr>(S), CurrSt, LCtx); cast<ObjCMessageExpr>(S), CurrSt, LCtx, {nullptr, 0});
switch (Call->getMessageKind()) { switch (Call->getMessageKind()) {
case OCM_Message: case OCM_Message:
os << "Method"; os << "Method";
break; break;
case OCM_PropertyAccess: case OCM_PropertyAccess:
os << "Property"; os << "Property";
break; break;
case OCM_Subscript: case OCM_Subscript:
os << "Subscript"; os << "Subscript";
break; break;
} }
} }
std::optional<CallEventRef<>> CE = Mgr.getCall(S, CurrSt, LCtx); std::optional<CallEventRef<>> CE = Mgr.getCall(S, CurrSt, LCtx, {nullptr, 0});
auto Idx = findArgIdxOfSymbol(CurrSt, LCtx, Sym, CE); auto Idx = findArgIdxOfSymbol(CurrSt, LCtx, Sym, CE);
// If index is not found, we assume that the symbol was returned. // If index is not found, we assume that the symbol was returned.
if (!Idx) { if (!Idx) {
os << " returns "; os << " returns ";
} else { } else {
os << " writes "; os << " writes ";
} }
▲ Show 20 LinesShow All 743 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/CallEvent.cpp

Show First 20 LinesShow All 281 Lines▼ Show 20 LinesProgramStateRef CallEvent::invalidateRegions(unsigned BlockCount,
return Result->invalidateRegions(ValuesToInvalidate, getOriginExpr(), return Result->invalidateRegions(ValuesToInvalidate, getOriginExpr(),
BlockCount, getLocationContext(), BlockCount, getLocationContext(),
/*CausedByPointerEscape*/ true, /*CausedByPointerEscape*/ true,
/*Symbols=*/nullptr, this, &ETraits); /*Symbols=*/nullptr, this, &ETraits);
} }
ProgramPoint CallEvent::getProgramPoint(bool IsPreVisit, ProgramPoint CallEvent::getProgramPoint(bool IsPreVisit,
const ProgramPointTag *Tag) const { const ProgramPointTag *Tag) const {
if (const Expr *E = getOriginExpr()) { if (const Expr *E = getOriginExpr()) {
if (IsPreVisit) if (IsPreVisit)
return PreStmt(E, getLocationContext(), Tag); return PreStmt(E, getLocationContext(), Tag);
return PostStmt(E, getLocationContext(), Tag); return PostStmt(E, getLocationContext(), Tag);
} }
const Decl *D = getDecl(); const Decl *D = getDecl();
assert(D && "Cannot get a program point without a statement or decl"); assert(D && "Cannot get a program point without a statement or decl");
assert(ElemRef.getParent() &&
"Cannot get a program point without a CFGElementRef");
SourceLocation Loc = getSourceRange().getBegin(); SourceLocation Loc = getSourceRange().getBegin();
if (IsPreVisit) if (IsPreVisit)
return PreImplicitCall(D, Loc, getLocationContext(), Tag); return PreImplicitCall(D, Loc, getLocationContext(), ElemRef, Tag);
return PostImplicitCall(D, Loc, getLocationContext(), Tag); return PostImplicitCall(D, Loc, getLocationContext(), ElemRef, Tag);
} }
SVal CallEvent::getArgSVal(unsigned Index) const { SVal CallEvent::getArgSVal(unsigned Index) const {
const Expr *ArgE = getArgExpr(Index); const Expr *ArgE = getArgExpr(Index);
if (!ArgE) if (!ArgE)
return UnknownVal(); return UnknownVal();
return getSVal(ArgE); return getSVal(ArgE);
} }
▲ Show 20 LinesShow All 1,057 Lines▼ Show 20 Lines if (!SelfVal.isUnknown()) {
MemRegionManager &MRMgr = SVB.getRegionManager(); MemRegionManager &MRMgr = SVB.getRegionManager();
Loc SelfLoc = SVB.makeLoc(MRMgr.getVarRegion(SelfD, CalleeCtx)); Loc SelfLoc = SVB.makeLoc(MRMgr.getVarRegion(SelfD, CalleeCtx));
Bindings.push_back(std::make_pair(SelfLoc, SelfVal)); Bindings.push_back(std::make_pair(SelfLoc, SelfVal));
} }
} }
CallEventRef<> CallEventRef<>
CallEventManager::getSimpleCall(const CallExpr *CE, ProgramStateRef State, CallEventManager::getSimpleCall(const CallExpr *CE, ProgramStateRef State,
const LocationContext *LCtx) { const LocationContext *LCtx,
CFGBlock::ConstCFGElementRef ElemRef) {
if (const auto *MCE = dyn_cast<CXXMemberCallExpr>(CE)) if (const auto *MCE = dyn_cast<CXXMemberCallExpr>(CE))
return create<CXXMemberCall>(MCE, State, LCtx); return create<CXXMemberCall>(MCE, State, LCtx, ElemRef);
if (const auto *OpCE = dyn_cast<CXXOperatorCallExpr>(CE)) { if (const auto *OpCE = dyn_cast<CXXOperatorCallExpr>(CE)) {
const FunctionDecl *DirectCallee = OpCE->getDirectCallee(); const FunctionDecl *DirectCallee = OpCE->getDirectCallee();
if (const auto *MD = dyn_cast<CXXMethodDecl>(DirectCallee)) if (const auto *MD = dyn_cast<CXXMethodDecl>(DirectCallee))
if (MD->isInstance()) if (MD->isInstance())
return create<CXXMemberOperatorCall>(OpCE, State, LCtx); return create<CXXMemberOperatorCall>(OpCE, State, LCtx, ElemRef);
} else if (CE->getCallee()->getType()->isBlockPointerType()) { } else if (CE->getCallee()->getType()->isBlockPointerType()) {
return create<BlockCall>(CE, State, LCtx); return create<BlockCall>(CE, State, LCtx, ElemRef);
} }
// Otherwise, it's a normal function call, static member function call, or // Otherwise, it's a normal function call, static member function call, or
// something we can't reason about. // something we can't reason about.
return create<SimpleFunctionCall>(CE, State, LCtx); return create<SimpleFunctionCall>(CE, State, LCtx, ElemRef);
} }
CallEventRef<> CallEventRef<>
CallEventManager::getCaller(const StackFrameContext *CalleeCtx, CallEventManager::getCaller(const StackFrameContext *CalleeCtx,
ProgramStateRef State) { ProgramStateRef State) {
const LocationContext *ParentCtx = CalleeCtx->getParent(); const LocationContext *ParentCtx = CalleeCtx->getParent();
const LocationContext *CallerCtx = ParentCtx->getStackFrame(); const LocationContext *CallerCtx = ParentCtx->getStackFrame();
CFGBlock::ConstCFGElementRef ElemRef = {CalleeCtx->getCallSiteBlock(),
CalleeCtx->getIndex()};
assert(CallerCtx && "This should not be used for top-level stack frames"); assert(CallerCtx && "This should not be used for top-level stack frames");
const Stmt *CallSite = CalleeCtx->getCallSite(); const Stmt *CallSite = CalleeCtx->getCallSite();
if (CallSite) { if (CallSite) {
if (CallEventRef<> Out = getCall(CallSite, State, CallerCtx)) if (CallEventRef<> Out = getCall(CallSite, State, CallerCtx, ElemRef))
return Out; return Out;
SValBuilder &SVB = State->getStateManager().getSValBuilder(); SValBuilder &SVB = State->getStateManager().getSValBuilder();
const auto *Ctor = cast<CXXMethodDecl>(CalleeCtx->getDecl()); const auto *Ctor = cast<CXXMethodDecl>(CalleeCtx->getDecl());
Loc ThisPtr = SVB.getCXXThis(Ctor, CalleeCtx); Loc ThisPtr = SVB.getCXXThis(Ctor, CalleeCtx);
SVal ThisVal = State->getSVal(ThisPtr); SVal ThisVal = State->getSVal(ThisPtr);
if (const auto *CE = dyn_cast<CXXConstructExpr>(CallSite)) if (const auto *CE = dyn_cast<CXXConstructExpr>(CallSite))
return getCXXConstructorCall(CE, ThisVal.getAsRegion(), State, CallerCtx); return getCXXConstructorCall(CE, ThisVal.getAsRegion(), State, CallerCtx,
ElemRef);
else if (const auto *CIE = dyn_cast<CXXInheritedCtorInitExpr>(CallSite)) else if (const auto *CIE = dyn_cast<CXXInheritedCtorInitExpr>(CallSite))
return getCXXInheritedConstructorCall(CIE, ThisVal.getAsRegion(), State, return getCXXInheritedConstructorCall(CIE, ThisVal.getAsRegion(), State,
CallerCtx); CallerCtx, ElemRef);
else { else {
// All other cases are handled by getCall. // All other cases are handled by getCall.
llvm_unreachable("This is not an inlineable statement"); llvm_unreachable("This is not an inlineable statement");
} }
} }
// Fall back to the CFG. The only thing we haven't handled yet is // Fall back to the CFG. The only thing we haven't handled yet is
// destructors, though this could change in the future. // destructors, though this could change in the future.
Show All 13 Lines if (std::optional<CFGAutomaticObjDtor> AutoDtor =
Trigger = AutoDtor->getTriggerStmt(); Trigger = AutoDtor->getTriggerStmt();
else if (std::optional<CFGDeleteDtor> DeleteDtor = E.getAs<CFGDeleteDtor>()) else if (std::optional<CFGDeleteDtor> DeleteDtor = E.getAs<CFGDeleteDtor>())
Trigger = DeleteDtor->getDeleteExpr(); Trigger = DeleteDtor->getDeleteExpr();
else else
Trigger = Dtor->getBody(); Trigger = Dtor->getBody();
return getCXXDestructorCall(Dtor, Trigger, ThisVal.getAsRegion(), return getCXXDestructorCall(Dtor, Trigger, ThisVal.getAsRegion(),
E.getAs<CFGBaseDtor>().has_value(), State, E.getAs<CFGBaseDtor>().has_value(), State,
CallerCtx); CallerCtx, ElemRef);
} }
CallEventRef<> CallEventManager::getCall(const Stmt *S, ProgramStateRef State, CallEventRef<> CallEventManager::getCall(const Stmt *S, ProgramStateRef State,
const LocationContext *LC) { const LocationContext *LC,
CFGBlock::ConstCFGElementRef ElemRef) {
if (const auto *CE = dyn_cast<CallExpr>(S)) { if (const auto *CE = dyn_cast<CallExpr>(S)) {
return getSimpleCall(CE, State, LC); return getSimpleCall(CE, State, LC, ElemRef);
} else if (const auto *NE = dyn_cast<CXXNewExpr>(S)) { } else if (const auto *NE = dyn_cast<CXXNewExpr>(S)) {
return getCXXAllocatorCall(NE, State, LC); return getCXXAllocatorCall(NE, State, LC, ElemRef);
} else if (const auto *DE = dyn_cast<CXXDeleteExpr>(S)) { } else if (const auto *DE = dyn_cast<CXXDeleteExpr>(S)) {
return getCXXDeallocatorCall(DE, State, LC); return getCXXDeallocatorCall(DE, State, LC, ElemRef);
} else if (const auto *ME = dyn_cast<ObjCMessageExpr>(S)) { } else if (const auto *ME = dyn_cast<ObjCMessageExpr>(S)) {
return getObjCMethodCall(ME, State, LC); return getObjCMethodCall(ME, State, LC, ElemRef);
} else { } else {
return nullptr; return nullptr;
} }
} }

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 1,307 Lines▼ Show 20 Linesvoid ExprEngine::ProcessNewAllocator(const CXXNewExpr *NE,
// TODO: We're not evaluating allocators for all cases just yet as // TODO: We're not evaluating allocators for all cases just yet as
// we're not handling the return value correctly, which causes false // we're not handling the return value correctly, which causes false
// positives when the alpha.cplusplus.NewDeleteLeaks check is on. // positives when the alpha.cplusplus.NewDeleteLeaks check is on.
if (Opts.MayInlineCXXAllocator) if (Opts.MayInlineCXXAllocator)
VisitCXXNewAllocatorCall(NE, Pred, Dst); VisitCXXNewAllocatorCall(NE, Pred, Dst);
else { else {
NodeBuilder Bldr(Pred, Dst, *currBldrCtx); NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
const LocationContext *LCtx = Pred->getLocationContext(); const LocationContext *LCtx = Pred->getLocationContext();
PostImplicitCall PP(NE->getOperatorNew(), NE->getBeginLoc(), LCtx); PostImplicitCall PP(NE->getOperatorNew(), NE->getBeginLoc(), LCtx,
getCFGElementRef());
Bldr.generateNode(PP, Pred->getState(), Pred); Bldr.generateNode(PP, Pred->getState(), Pred);
} }
Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx); Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx);
} }
void ExprEngine::ProcessAutomaticObjDtor(const CFGAutomaticObjDtor Dtor, void ExprEngine::ProcessAutomaticObjDtor(const CFGAutomaticObjDtor Dtor,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &Dst) { ExplodedNodeSet &Dst) {
Show All 31 Lines if (ElementCount.isConstant()) {
assert(ArrayLength && assert(ArrayLength &&
"An automatic dtor for a 0 length array shouldn't be triggered!"); "An automatic dtor for a 0 length array shouldn't be triggered!");
// Still handle this case if we don't have assertions enabled. // Still handle this case if we don't have assertions enabled.
if (!ArrayLength) { if (!ArrayLength) {
static SimpleProgramPointTag PT( static SimpleProgramPointTag PT(
"ExprEngine", "Skipping automatic 0 length array destruction, " "ExprEngine", "Skipping automatic 0 length array destruction, "
"which shouldn't be in the CFG."); "which shouldn't be in the CFG.");
PostImplicitCall PP(DtorDecl, varDecl->getLocation(), LCtx, &PT); PostImplicitCall PP(DtorDecl, varDecl->getLocation(), LCtx,
getCFGElementRef(), &PT);
NodeBuilder Bldr(Pred, Dst, *currBldrCtx); NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
Bldr.generateSink(PP, Pred->getState(), Pred); Bldr.generateSink(PP, Pred->getState(), Pred);
return; return;
} }
} }
} }
EvalCallOptions CallOpts; EvalCallOptions CallOpts;
Region = makeElementRegion(state, loc::MemRegionVal(Region), varType, Region = makeElementRegion(state, loc::MemRegionVal(Region), varType,
CallOpts.IsArrayCtorOrDtor, Idx) CallOpts.IsArrayCtorOrDtor, Idx)
.getAsRegion(); .getAsRegion();
NodeBuilder Bldr(Pred, Dst, getBuilderContext()); NodeBuilder Bldr(Pred, Dst, getBuilderContext());
static SimpleProgramPointTag PT("ExprEngine", static SimpleProgramPointTag PT("ExprEngine",
"Prepare for object destruction"); "Prepare for object destruction");
PreImplicitCall PP(DtorDecl, varDecl->getLocation(), LCtx, &PT); PreImplicitCall PP(DtorDecl, varDecl->getLocation(), LCtx, getCFGElementRef(),
&PT);
Pred = Bldr.generateNode(PP, state, Pred); Pred = Bldr.generateNode(PP, state, Pred);
if (!Pred) if (!Pred)
return; return;
Bldr.takeNodes(Pred); Bldr.takeNodes(Pred);
VisitCXXDestructor(varType, Region, Dtor.getTriggerStmt(), VisitCXXDestructor(varType, Region, Dtor.getTriggerStmt(),
/*IsBase=*/false, Pred, Dst, CallOpts); /*IsBase=*/false, Pred, Dst, CallOpts);
Show All 11 Linesvoid ExprEngine::ProcessDeleteDtor(const CFGDeleteDtor Dtor,
// If the argument to delete is known to be a null value, // If the argument to delete is known to be a null value,
// don't run destructor. // don't run destructor.
if (State->isNull(ArgVal).isConstrainedTrue()) { if (State->isNull(ArgVal).isConstrainedTrue()) {
QualType BTy = getContext().getBaseElementType(DTy); QualType BTy = getContext().getBaseElementType(DTy);
const CXXRecordDecl *RD = BTy->getAsCXXRecordDecl(); const CXXRecordDecl *RD = BTy->getAsCXXRecordDecl();
const CXXDestructorDecl *Dtor = RD->getDestructor(); const CXXDestructorDecl *Dtor = RD->getDestructor();
PostImplicitCall PP(Dtor, DE->getBeginLoc(), LCtx); PostImplicitCall PP(Dtor, DE->getBeginLoc(), LCtx, getCFGElementRef());
NodeBuilder Bldr(Pred, Dst, *currBldrCtx); NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
Bldr.generateNode(PP, Pred->getState(), Pred); Bldr.generateNode(PP, Pred->getState(), Pred);
return; return;
} }
auto getDtorDecl = [](const QualType &DTy) { auto getDtorDecl = [](const QualType &DTy) {
const CXXRecordDecl *RD = DTy->getAsCXXRecordDecl(); const CXXRecordDecl *RD = DTy->getAsCXXRecordDecl();
return RD->getDestructor(); return RD->getDestructor();
Show All 16 Lines if (ArgR) {
// If we're about to destruct a 0 length array, don't run any of the // If we're about to destruct a 0 length array, don't run any of the
// destructors. // destructors.
if (ElementCount.isConstant() && if (ElementCount.isConstant() &&
ElementCount.getAsInteger()->getLimitedValue() == 0) { ElementCount.getAsInteger()->getLimitedValue() == 0) {
static SimpleProgramPointTag PT( static SimpleProgramPointTag PT(
"ExprEngine", "Skipping 0 length array delete destruction"); "ExprEngine", "Skipping 0 length array delete destruction");
PostImplicitCall PP(getDtorDecl(DTy), DE->getBeginLoc(), LCtx, &PT); PostImplicitCall PP(getDtorDecl(DTy), DE->getBeginLoc(), LCtx,
getCFGElementRef(), &PT);
NodeBuilder Bldr(Pred, Dst, *currBldrCtx); NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
Bldr.generateNode(PP, Pred->getState(), Pred); Bldr.generateNode(PP, Pred->getState(), Pred);
return; return;
} }
ArgR = State->getLValue(DTy, svalBuilder.makeArrayIndex(Idx), ArgVal) ArgR = State->getLValue(DTy, svalBuilder.makeArrayIndex(Idx), ArgVal)
.getAsRegion(); .getAsRegion();
} }
} }
NodeBuilder Bldr(Pred, Dst, getBuilderContext()); NodeBuilder Bldr(Pred, Dst, getBuilderContext());
static SimpleProgramPointTag PT("ExprEngine", static SimpleProgramPointTag PT("ExprEngine",
"Prepare for object destruction"); "Prepare for object destruction");
PreImplicitCall PP(getDtorDecl(DTy), DE->getBeginLoc(), LCtx, &PT); PreImplicitCall PP(getDtorDecl(DTy), DE->getBeginLoc(), LCtx,
getCFGElementRef(), &PT);
Pred = Bldr.generateNode(PP, State, Pred); Pred = Bldr.generateNode(PP, State, Pred);
if (!Pred) if (!Pred)
return; return;
Bldr.takeNodes(Pred); Bldr.takeNodes(Pred);
VisitCXXDestructor(DTy, ArgR, DE, /*IsBase=*/false, Pred, Dst, CallOpts); VisitCXXDestructor(DTy, ArgR, DE, /*IsBase=*/false, Pred, Dst, CallOpts);
} }
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Lines if (ElementCount.isConstant()) {
assert(ArrayLength && assert(ArrayLength &&
"A member dtor for a 0 length array shouldn't be triggered!"); "A member dtor for a 0 length array shouldn't be triggered!");
// Still handle this case if we don't have assertions enabled. // Still handle this case if we don't have assertions enabled.
if (!ArrayLength) { if (!ArrayLength) {
static SimpleProgramPointTag PT( static SimpleProgramPointTag PT(
"ExprEngine", "Skipping member 0 length array destruction, which " "ExprEngine", "Skipping member 0 length array destruction, which "
"shouldn't be in the CFG."); "shouldn't be in the CFG.");
PostImplicitCall PP(DtorDecl, Member->getLocation(), LCtx, &PT); PostImplicitCall PP(DtorDecl, Member->getLocation(), LCtx,
getCFGElementRef(), &PT);
NodeBuilder Bldr(Pred, Dst, *currBldrCtx); NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
Bldr.generateSink(PP, Pred->getState(), Pred); Bldr.generateSink(PP, Pred->getState(), Pred);
return; return;
} }
} }
} }
EvalCallOptions CallOpts; EvalCallOptions CallOpts;
FieldVal = FieldVal =
makeElementRegion(State, FieldVal, T, CallOpts.IsArrayCtorOrDtor, Idx); makeElementRegion(State, FieldVal, T, CallOpts.IsArrayCtorOrDtor, Idx);
NodeBuilder Bldr(Pred, Dst, getBuilderContext()); NodeBuilder Bldr(Pred, Dst, getBuilderContext());
static SimpleProgramPointTag PT("ExprEngine", static SimpleProgramPointTag PT("ExprEngine",
"Prepare for object destruction"); "Prepare for object destruction");
PreImplicitCall PP(DtorDecl, Member->getLocation(), LCtx, &PT); PreImplicitCall PP(DtorDecl, Member->getLocation(), LCtx, getCFGElementRef(),
&PT);
Pred = Bldr.generateNode(PP, State, Pred); Pred = Bldr.generateNode(PP, State, Pred);
if (!Pred) if (!Pred)
return; return;
Bldr.takeNodes(Pred); Bldr.takeNodes(Pred);
VisitCXXDestructor(T, FieldVal.getAsRegion(), CurDtor->getBody(), VisitCXXDestructor(T, FieldVal.getAsRegion(), CurDtor->getBody(),
/*IsBase=*/false, Pred, Dst, CallOpts); /*IsBase=*/false, Pred, Dst, CallOpts);
Show All 19 Linesvoid ExprEngine::ProcessTemporaryDtor(const CFGTemporaryDtor D,
// If copy elision has occurred, and the constructor corresponding to the // If copy elision has occurred, and the constructor corresponding to the
// destructor was elided, we need to skip the destructor as well. // destructor was elided, we need to skip the destructor as well.
if (isDestructorElided(State, BTE, LC)) { if (isDestructorElided(State, BTE, LC)) {
State = cleanupElidedDestructor(State, BTE, LC); State = cleanupElidedDestructor(State, BTE, LC);
NodeBuilder Bldr(Pred, Dst, *currBldrCtx); NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
PostImplicitCall PP(D.getDestructorDecl(getContext()), PostImplicitCall PP(D.getDestructorDecl(getContext()),
D.getBindTemporaryExpr()->getBeginLoc(), D.getBindTemporaryExpr()->getBeginLoc(),
Pred->getLocationContext()); Pred->getLocationContext(), getCFGElementRef());
Bldr.generateNode(PP, State, Pred); Bldr.generateNode(PP, State, Pred);
return; return;
} }
ExplodedNodeSet CleanDtorState; ExplodedNodeSet CleanDtorState;
StmtNodeBuilder StmtBldr(Pred, CleanDtorState, *currBldrCtx); StmtNodeBuilder StmtBldr(Pred, CleanDtorState, *currBldrCtx);
StmtBldr.generateNode(D.getBindTemporaryExpr(), Pred, State); StmtBldr.generateNode(D.getBindTemporaryExpr(), Pred, State);
▲ Show 20 LinesShow All 2,362 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 LinesShow All 351 Lines▼ Show 20 Lines case ConstructionContext::ArgumentKind: {
*Caller->getAdjustedParameterIndex(Idx), BldrCtx->blockCount()); *Caller->getAdjustedParameterIndex(Idx), BldrCtx->blockCount());
if (!TVR) if (!TVR)
return std::nullopt; return std::nullopt;
return loc::MemRegionVal(TVR); return loc::MemRegionVal(TVR);
}; };
if (const auto *CE = dyn_cast<CallExpr>(E)) { if (const auto *CE = dyn_cast<CallExpr>(E)) {
CallEventRef<> Caller = CEMgr.getSimpleCall(CE, State, LCtx); CallEventRef<> Caller =
CEMgr.getSimpleCall(CE, State, LCtx, getCFGElementRef());
if (std::optional<SVal> V = getArgLoc(Caller)) if (std::optional<SVal> V = getArgLoc(Caller))
return *V; return *V;
else else
break; break;
} else if (const auto *CCE = dyn_cast<CXXConstructExpr>(E)) { } else if (const auto *CCE = dyn_cast<CXXConstructExpr>(E)) {
// Don't bother figuring out the target region for the future // Don't bother figuring out the target region for the future
// constructor because we won't need it. // constructor because we won't need it.
CallEventRef<> Caller = CallEventRef<> Caller = CEMgr.getCXXConstructorCall(
CEMgr.getCXXConstructorCall(CCE, /*Target=*/nullptr, State, LCtx); CCE, /*Target=*/nullptr, State, LCtx, getCFGElementRef());
if (std::optional<SVal> V = getArgLoc(Caller)) if (std::optional<SVal> V = getArgLoc(Caller))
return *V; return *V;
else else
break; break;
} else if (const auto *ME = dyn_cast<ObjCMessageExpr>(E)) { } else if (const auto *ME = dyn_cast<ObjCMessageExpr>(E)) {
CallEventRef<> Caller = CEMgr.getObjCMethodCall(ME, State, LCtx); CallEventRef<> Caller =
CEMgr.getObjCMethodCall(ME, State, LCtx, getCFGElementRef());
if (std::optional<SVal> V = getArgLoc(Caller)) if (std::optional<SVal> V = getArgLoc(Caller))
return *V; return *V;
else else
break; break;
} }
} }
} // switch (CC->getKind()) } // switch (CC->getKind())
} }
▲ Show 20 LinesShow All 337 Lines▼ Show 20 Lines if (DstPrepare.size() == 0)
return; return;
Pred = *BldrPrepare.begin(); Pred = *BldrPrepare.begin();
} }
const MemRegion *TargetRegion = Target.getAsRegion(); const MemRegion *TargetRegion = Target.getAsRegion();
CallEventManager &CEMgr = getStateManager().getCallEventManager(); CallEventManager &CEMgr = getStateManager().getCallEventManager();
CallEventRef<> Call = CallEventRef<> Call =
CIE ? (CallEventRef<>)CEMgr.getCXXInheritedConstructorCall( CIE ? (CallEventRef<>)CEMgr.getCXXInheritedConstructorCall(
CIE, TargetRegion, State, LCtx) CIE, TargetRegion, State, LCtx, getCFGElementRef())
: (CallEventRef<>)CEMgr.getCXXConstructorCall( : (CallEventRef<>)CEMgr.getCXXConstructorCall(
CE, TargetRegion, State, LCtx); CE, TargetRegion, State, LCtx, getCFGElementRef());
ExplodedNodeSet DstPreVisit; ExplodedNodeSet DstPreVisit;
getCheckerManager().runCheckersForPreStmt(DstPreVisit, Pred, E, *this); getCheckerManager().runCheckersForPreStmt(DstPreVisit, Pred, E, *this);
ExplodedNodeSet PreInitialized; ExplodedNodeSet PreInitialized;
if (CE) { if (CE) {
// FIXME: Is it possible and/or useful to do this before PreStmt? // FIXME: Is it possible and/or useful to do this before PreStmt?
StmtNodeBuilder Bldr(DstPreVisit, PreInitialized, *currBldrCtx); StmtNodeBuilder Bldr(DstPreVisit, PreInitialized, *currBldrCtx);
▲ Show 20 LinesShow All 124 Lines▼ Show 20 Linesvoid ExprEngine::VisitCXXDestructor(QualType ObjectType,
const CXXDestructorDecl *DtorDecl = RecordDecl->getDestructor(); const CXXDestructorDecl *DtorDecl = RecordDecl->getDestructor();
// FIXME: There should always be a Decl, otherwise the destructor call // FIXME: There should always be a Decl, otherwise the destructor call
// shouldn't have been added to the CFG in the first place. // shouldn't have been added to the CFG in the first place.
if (!DtorDecl) { if (!DtorDecl) {
// Skip the invalid destructor. We cannot simply return because // Skip the invalid destructor. We cannot simply return because
// it would interrupt the analysis instead. // it would interrupt the analysis instead.
static SimpleProgramPointTag T("ExprEngine", "SkipInvalidDestructor"); static SimpleProgramPointTag T("ExprEngine", "SkipInvalidDestructor");
// FIXME: PostImplicitCall with a null decl may crash elsewhere anyway. // FIXME: PostImplicitCall with a null decl may crash elsewhere anyway.
PostImplicitCall PP(/*Decl=*/nullptr, S->getEndLoc(), LCtx, &T); PostImplicitCall PP(/*Decl=*/nullptr, S->getEndLoc(), LCtx,
getCFGElementRef(), &T);
NodeBuilder Bldr(Pred, Dst, *currBldrCtx); NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
Bldr.generateNode(PP, Pred->getState(), Pred); Bldr.generateNode(PP, Pred->getState(), Pred);
return; return;
} }
if (!Dest) { if (!Dest) {
// We're trying to destroy something that is not a region. This may happen // We're trying to destroy something that is not a region. This may happen
// for a variety of reasons (unknown target region, concrete integer instead // for a variety of reasons (unknown target region, concrete integer instead
// of target region, etc.). The current code makes an attempt to recover. // of target region, etc.). The current code makes an attempt to recover.
// FIXME: We probably don't really need to recover when we're dealing // FIXME: We probably don't really need to recover when we're dealing
// with concrete integers specifically. // with concrete integers specifically.
CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true; CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true;
if (const Expr *E = dyn_cast_or_null<Expr>(S)) { if (const Expr *E = dyn_cast_or_null<Expr>(S)) {
Dest = MRMgr.getCXXTempObjectRegion(E, Pred->getLocationContext()); Dest = MRMgr.getCXXTempObjectRegion(E, Pred->getLocationContext());
} else { } else {
static SimpleProgramPointTag T("ExprEngine", "SkipInvalidDestructor"); static SimpleProgramPointTag T("ExprEngine", "SkipInvalidDestructor");
NodeBuilder Bldr(Pred, Dst, *currBldrCtx); NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
Bldr.generateSink(Pred->getLocation().withTag(&T), Bldr.generateSink(Pred->getLocation().withTag(&T),
Pred->getState(), Pred); Pred->getState(), Pred);
return; return;
} }
} }
CallEventManager &CEMgr = getStateManager().getCallEventManager(); CallEventManager &CEMgr = getStateManager().getCallEventManager();
CallEventRef<CXXDestructorCall> Call = CallEventRef<CXXDestructorCall> Call = CEMgr.getCXXDestructorCall(
CEMgr.getCXXDestructorCall(DtorDecl, S, Dest, IsBaseDtor, State, LCtx); DtorDecl, S, Dest, IsBaseDtor, State, LCtx, getCFGElementRef());
PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
Call->getSourceRange().getBegin(), Call->getSourceRange().getBegin(),
"Error evaluating destructor"); "Error evaluating destructor");
ExplodedNodeSet DstPreCall; ExplodedNodeSet DstPreCall;
getCheckerManager().runCheckersForPreCall(DstPreCall, Pred, getCheckerManager().runCheckersForPreCall(DstPreCall, Pred,
*Call, *this); *Call, *this);
Show All 13 Linesvoid ExprEngine::VisitCXXNewAllocatorCall(const CXXNewExpr *CNE,
ExplodedNodeSet &Dst) { ExplodedNodeSet &Dst) {
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
const LocationContext *LCtx = Pred->getLocationContext(); const LocationContext *LCtx = Pred->getLocationContext();
PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
CNE->getBeginLoc(), CNE->getBeginLoc(),
"Error evaluating New Allocator Call"); "Error evaluating New Allocator Call");
CallEventManager &CEMgr = getStateManager().getCallEventManager(); CallEventManager &CEMgr = getStateManager().getCallEventManager();
CallEventRef<CXXAllocatorCall> Call = CallEventRef<CXXAllocatorCall> Call =
CEMgr.getCXXAllocatorCall(CNE, State, LCtx); CEMgr.getCXXAllocatorCall(CNE, State, LCtx, getCFGElementRef());
ExplodedNodeSet DstPreCall; ExplodedNodeSet DstPreCall;
getCheckerManager().runCheckersForPreCall(DstPreCall, Pred, getCheckerManager().runCheckersForPreCall(DstPreCall, Pred,
*Call, *this); *Call, *this);
ExplodedNodeSet DstPostCall; ExplodedNodeSet DstPostCall;
StmtNodeBuilder CallBldr(DstPreCall, DstPostCall, *currBldrCtx); StmtNodeBuilder CallBldr(DstPreCall, DstPostCall, *currBldrCtx);
for (ExplodedNode *I : DstPreCall) { for (ExplodedNode *I : DstPreCall) {
▲ Show 20 LinesShow All 81 Lines▼ Show 20 Lines if (IsStandardGlobalOpNewFunction)
symVal = svalBuilder.getConjuredHeapSymbolVal(CNE, LCtx, blockCount); symVal = svalBuilder.getConjuredHeapSymbolVal(CNE, LCtx, blockCount);
else else
symVal = svalBuilder.conjureSymbolVal(nullptr, CNE, LCtx, CNE->getType(), symVal = svalBuilder.conjureSymbolVal(nullptr, CNE, LCtx, CNE->getType(),
blockCount); blockCount);
} }
CallEventManager &CEMgr = getStateManager().getCallEventManager(); CallEventManager &CEMgr = getStateManager().getCallEventManager();
CallEventRef<CXXAllocatorCall> Call = CallEventRef<CXXAllocatorCall> Call =
CEMgr.getCXXAllocatorCall(CNE, State, LCtx); CEMgr.getCXXAllocatorCall(CNE, State, LCtx, getCFGElementRef());
if (!AMgr.getAnalyzerOptions().MayInlineCXXAllocator) { if (!AMgr.getAnalyzerOptions().MayInlineCXXAllocator) {
// Invalidate placement args. // Invalidate placement args.
// FIXME: Once we figure out how we want allocators to work, // FIXME: Once we figure out how we want allocators to work,
// we should be using the usual pre-/(default-)eval-/post-call checkers // we should be using the usual pre-/(default-)eval-/post-call checkers
// here. // here.
State = Call->invalidateRegions(blockCount); State = Call->invalidateRegions(blockCount);
if (!State) if (!State)
▲ Show 20 LinesShow All 84 Lines▼ Show 20 Linesvoid ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred,
} }
} }
void ExprEngine::VisitCXXDeleteExpr(const CXXDeleteExpr *CDE, void ExprEngine::VisitCXXDeleteExpr(const CXXDeleteExpr *CDE,
ExplodedNode *Pred, ExplodedNodeSet &Dst) { ExplodedNode *Pred, ExplodedNodeSet &Dst) {
CallEventManager &CEMgr = getStateManager().getCallEventManager(); CallEventManager &CEMgr = getStateManager().getCallEventManager();
CallEventRef<CXXDeallocatorCall> Call = CEMgr.getCXXDeallocatorCall( CallEventRef<CXXDeallocatorCall> Call = CEMgr.getCXXDeallocatorCall(
CDE, Pred->getState(), Pred->getLocationContext()); CDE, Pred->getState(), Pred->getLocationContext(), getCFGElementRef());
ExplodedNodeSet DstPreCall; ExplodedNodeSet DstPreCall;
getCheckerManager().runCheckersForPreCall(DstPreCall, Pred, *Call, *this); getCheckerManager().runCheckersForPreCall(DstPreCall, Pred, *Call, *this);
ExplodedNodeSet DstPostCall; ExplodedNodeSet DstPostCall;
if (AMgr.getAnalyzerOptions().MayInlineCXXAllocator) { if (AMgr.getAnalyzerOptions().MayInlineCXXAllocator) {
StmtNodeBuilder Bldr(DstPreCall, DstPostCall, *currBldrCtx); StmtNodeBuilder Bldr(DstPreCall, DstPostCall, *currBldrCtx);
for (ExplodedNode *I : DstPreCall) { for (ExplodedNode *I : DstPreCall) {
▲ Show 20 LinesShow All 120 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

Show First 20 LinesShow All 604 Lines▼ Show 20 Linesvoid ExprEngine::VisitCallExpr(const CallExpr *CE, ExplodedNode *Pred,
ExplodedNodeSet &dst) { ExplodedNodeSet &dst) {
// Perform the previsit of the CallExpr. // Perform the previsit of the CallExpr.
ExplodedNodeSet dstPreVisit; ExplodedNodeSet dstPreVisit;
getCheckerManager().runCheckersForPreStmt(dstPreVisit, Pred, CE, *this); getCheckerManager().runCheckersForPreStmt(dstPreVisit, Pred, CE, *this);
// Get the call in its initial state. We use this as a template to perform // Get the call in its initial state. We use this as a template to perform
// all the checks. // all the checks.
CallEventManager &CEMgr = getStateManager().getCallEventManager(); CallEventManager &CEMgr = getStateManager().getCallEventManager();
CallEventRef<> CallTemplate CallEventRef<> CallTemplate = CEMgr.getSimpleCall(
= CEMgr.getSimpleCall(CE, Pred->getState(), Pred->getLocationContext()); CE, Pred->getState(), Pred->getLocationContext(), getCFGElementRef());
// Evaluate the function call. We try each of the checkers // Evaluate the function call. We try each of the checkers
// to see if the can evaluate the function call. // to see if the can evaluate the function call.
ExplodedNodeSet dstCallEvaluated; ExplodedNodeSet dstCallEvaluated;
for (ExplodedNodeSet::iterator I = dstPreVisit.begin(), E = dstPreVisit.end(); for (ExplodedNodeSet::iterator I = dstPreVisit.begin(), E = dstPreVisit.end();
I != E; ++I) { I != E; ++I) {
evalCall(dstCallEvaluated, *I, *CallTemplate); evalCall(dstCallEvaluated, *I, *CallTemplate);
} }
▲ Show 20 LinesShow All 209 Lines▼ Show 20 Lines
// Conservatively evaluate call by invalidating regions and binding // Conservatively evaluate call by invalidating regions and binding
// a conjured return value. // a conjured return value.
void ExprEngine::conservativeEvalCall(const CallEvent &Call, NodeBuilder &Bldr, void ExprEngine::conservativeEvalCall(const CallEvent &Call, NodeBuilder &Bldr,
ExplodedNode *Pred, ProgramStateRef State) { ExplodedNode *Pred, ProgramStateRef State) {
State = Call.invalidateRegions(currBldrCtx->blockCount(), State); State = Call.invalidateRegions(currBldrCtx->blockCount(), State);
State = bindReturnValue(Call, Pred->getLocationContext(), State); State = bindReturnValue(Call, Pred->getLocationContext(), State);
// And make the result node. // And make the result node.
Bldr.generateNode(Call.getProgramPoint(), State, Pred); static SimpleProgramPointTag PT("ExprEngine", "Conservative eval call");
Bldr.generateNode(Call.getProgramPoint(false, &PT), State, Pred);
} }
ExprEngine::CallInlinePolicy ExprEngine::CallInlinePolicy
ExprEngine::mayInlineCallKind(const CallEvent &Call, const ExplodedNode *Pred, ExprEngine::mayInlineCallKind(const CallEvent &Call, const ExplodedNode *Pred,
AnalyzerOptions &Opts, AnalyzerOptions &Opts,
const EvalCallOptions &CallOpts) { const EvalCallOptions &CallOpts) {
const LocationContext *CurLC = Pred->getLocationContext(); const LocationContext *CurLC = Pred->getLocationContext();
const StackFrameContext *CallerSFC = CurLC->getStackFrame(); const StackFrameContext *CallerSFC = CurLC->getStackFrame();
▲ Show 20 LinesShow All 473 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineObjC.cpp

Show First 20 LinesShow All 142 Lines▼ Show 20 Linesvoid ExprEngine::VisitObjCForCollectionStmt(const ObjCForCollectionStmt *S,
// FIXME: Eventually all pre- and post-checks should live in VisitStmt. // FIXME: Eventually all pre- and post-checks should live in VisitStmt.
getCheckerManager().runCheckersForPostStmt(Dst, Tmp, S, *this); getCheckerManager().runCheckersForPostStmt(Dst, Tmp, S, *this);
} }
void ExprEngine::VisitObjCMessage(const ObjCMessageExpr *ME, void ExprEngine::VisitObjCMessage(const ObjCMessageExpr *ME,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &Dst) { ExplodedNodeSet &Dst) {
CallEventManager &CEMgr = getStateManager().getCallEventManager(); CallEventManager &CEMgr = getStateManager().getCallEventManager();
CallEventRef<ObjCMethodCall> Msg = CallEventRef<ObjCMethodCall> Msg = CEMgr.getObjCMethodCall(
CEMgr.getObjCMethodCall(ME, Pred->getState(), Pred->getLocationContext()); ME, Pred->getState(), Pred->getLocationContext(), getCFGElementRef());
// There are three cases for the receiver: // There are three cases for the receiver:
// (1) it is definitely nil, // (1) it is definitely nil,
// (2) it is definitely non-nil, and // (2) it is definitely non-nil, and
// (3) we don't know. // (3) we don't know.
// //
// If the receiver is definitely nil, we skip the pre/post callbacks and // If the receiver is definitely nil, we skip the pre/post callbacks and
// instead call the ObjCMessageNil callbacks and return. // instead call the ObjCMessageNil callbacks and return.
▲ Show 20 LinesShow All 124 LinesShow Last 20 Lines

clang/test/Analysis/PR60412.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.deadcode.UnreachableCode -verify %s
// expected-no-diagnostics
struct Test {
Test() {}
~Test();
};
int foo() {
struct a {
Test b, c;
} d;
return 1;
}
int main() {
if (foo()) return 1; // <- this used to warn as unreachable
}

clang/test/Analysis/analysis-after-multiple-dtors.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core -verify %s
#include "Inputs/system-header-simulator-cxx.h"
struct Test {
Test() {}
~Test();
};
int foo() {
struct a {
// The dtor invocation of 'b' and 'c' used to create
// a loop in the egraph and the analysis stopped after
// this point.
Test b, c;
} d;
return 1;
}
int main() {
if (foo()) {
}
int x;
int y = x;
// expected-warning@-1{{Assigned value is garbage or undefined}}
(void)y;
}

clang/unittests/StaticAnalyzer/CallDescriptionTest.cpp

Show First 20 LinesShow All 83 Lines▼ Show 20 Lines const auto MatcherCreator = []() {
return cxxOperatorCallExpr(); return cxxOperatorCallExpr();
llvm_unreachable("Only these expressions are supported for now."); llvm_unreachable("Only these expressions are supported for now.");
}; };
const Expr *E = findNode<T>(D, MatcherCreator()); const Expr *E = findNode<T>(D, MatcherCreator());
CallEventManager &CEMgr = Eng.getStateManager().getCallEventManager(); CallEventManager &CEMgr = Eng.getStateManager().getCallEventManager();
CallEventRef<> Call = [=, &CEMgr]() -> CallEventRef<CallEvent> { CallEventRef<> Call = [=, &CEMgr]() -> CallEventRef<CallEvent> {
CFGBlock::ConstCFGElementRef ElemRef = {SFC->getCallSiteBlock(),
SFC->getIndex()};
if (std::is_base_of<CallExpr, T>::value) if (std::is_base_of<CallExpr, T>::value)
return CEMgr.getCall(E, State, SFC); return CEMgr.getCall(E, State, SFC, ElemRef);
if (std::is_same<T, CXXConstructExpr>::value) if (std::is_same<T, CXXConstructExpr>::value)
return CEMgr.getCXXConstructorCall(cast<CXXConstructExpr>(E), return CEMgr.getCXXConstructorCall(cast<CXXConstructExpr>(E),
/*Target=*/nullptr, State, SFC); /*Target=*/nullptr, State, SFC,
ElemRef);
llvm_unreachable("Only these expressions are supported for now."); llvm_unreachable("Only these expressions are supported for now.");
}(); }();
// If the call actually matched, check if we really expected it to match. // If the call actually matched, check if we really expected it to match.
const bool *LookupResult = RM.lookup(*Call); const bool *LookupResult = RM.lookup(*Call);
EXPECT_TRUE(!LookupResult || *LookupResult); EXPECT_TRUE(!LookupResult || *LookupResult);
// ResultMap is responsible for making sure that we've found *all* calls. // ResultMap is responsible for making sure that we've found *all* calls.
▲ Show 20 LinesShow All 523 LinesShow Last 20 Lines