This is an archive of the discontinued LLVM Phabricator instance.

Differential D26588

Add LocationContext to members of check::RegionChanges
AbandonedPublic

Authored by NoQ on Nov 13 2016, 7:43 AM.

Details

Reviewers
dcoughlin
dergachev.a
zaks.anna
k-wisniewski
Summary

Hi,

I've been working on a checker that uses RegionChanges interface and needed to access to LocationContext. Another change is an easy way to obtain arguments' SVals from StackFrameCtx, with which the function/method has been called. In my opinion having that might prove useful for creating future checkers so I publish it here for review and discussion. Obvoiusly, this needs some improvement, but I'll be more than happy to hear community's opinion about the current version, as I wasn't sure if my changes fit into architecture etc.

Also: this is my first public contribution to clang. so if there are any annoying aspects of it (like the list of subscribers being to broad, bad forma, wrong metadata etc.) - sorry!

Diff Detail

Event Timeline

k-wisniewski updated this revision to Diff 77744.Nov 13 2016, 7:43 AM
k-wisniewski retitled this revision from to Add LocationContext to members of check::RegionChanges.
k-wisniewski updated this object.
k-wisniewski added reviewers: dergachev.a, dcoughlin, zaks.anna.
k-wisniewski added a subscriber: cfe-commits.
NoQ added a subscriber: NoQ.Nov 14 2016, 8:01 AM
a.sidorin added a subscriber: a.sidorin.Nov 14 2016, 9:48 AM

Hi Krzysztof!
This change seems useful: I can imagine the situation where we want to ask current LocationContext in this callback. The change looks pretty intrusive but I mostly agree with it. Initially, I have some questions about the implementation of getArgSVal() function (inline comments). I'll add more comments later.

include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
735

Maybe we should put a check that requested StackFrame is our StackFrame or our parent StackFrame here?

741

Unfortunately, this code does not consider the fact that argument values may be overwritten. If we want to get initial values, we should find another way.

NoQ added a comment.Nov 14 2016, 11:37 AM

Welcome to phabricator! I agree that having the location context in this callback is useful, and i'm all for reducing boilerplate in various checkers through better API.

include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
231

Because this API becomes more complicated, i think we should add some docstrings here, explaining the meaning of the location context parameter, in particular.

733

Indent.

741

Uhm, yeah, this is in fact a problem!

The purpose of this code is, in fact, to construct SymbolRegionValue for the parameter, so it is equivalent to calling SValBuilder::getRegionValueSymbolVal() over the parameter region, as long as the current StoreManager implementation remains unquestioned.

We could also ask StoreManager to provide a binding for this region from an empty store, maybe extend its API to allow such queries, this would remove the layering violation.

Because this topic getting is rather complicated, it might have been better to make a separate review for this change, originally (no problem now that most of the interested people have already had a look).

NoQ added a child revision: D26589: Add static analyzer checker for finding infinite recursion.Nov 14 2016, 11:38 AM
NoQ added inline comments.Nov 14 2016, 8:12 PM
include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
735

Hmm. We should probably add a similar check to getSVal(Ex, LCtx)!- and also check that Ex is an active expression.

Unfortunately, we do not know the current location context within any of these methods, not sure how to implement that.

zaks.anna edited edge metadata.Nov 14 2016, 11:51 PM

Hi and welcome to the project!

This patch definitely looks quite complex for a first contribution, so great job at digging through the analyzer internals!

One higher level comment I have is that you should try and split patches whenever possible. For example, in the description, you mention that the patch contains 2 changes:

  • extending RegionChanges interface with LocationContext
  • adding an easy way to obtain arguments' SVals from StackFrameCtx

Since they are independent changes, please submit them as separate patches. This simplifies the job of the reviewers and anyone who will ever look at this patch in commit history or on phabricator. Also, this ensures that each change has sufficient test coverage. The LLVM Dev policy has a great explanation of the reasoning behind this: http://llvm.org/docs/DeveloperPolicy.html#incremental-development.

How do you plan on testing these changes? The main 2 methods are unit tests and checker regression tests. Since no checker uses these maybe we should only commit them once such checker is added...

I've only started looking at the first change and would like to understand the motivation behind it a bit more.

include/clang/StaticAnalyzer/Core/Checker.h
325

LocationContext can be obtained by calling CallEvent::getLocationContext(). I do not think that adding another parameter here buys us much. Am I missing something?

333

What is the scenario in which you need the context here? The idea is that the checker would be interested in region changes if it is already tracking information in the state. For that check, the information in the state is sufficient. What is your scenario?

Also, For any checker API change, we need to update the CheckerDocumentation.cpp.

k-wisniewski added a comment.Nov 15 2016, 4:56 AM

Hi again!

Thanks for review! I'll upload updated version of this patch today in the evening/tomorrow. As Anna suggested I'll split it into two parts - one regarding extraction of argument SVals for StackFrameCtx and another one adding LocationContext to check::RegionChanges interface. I have commented inline on why I think this change is needed.

Cheers!

include/clang/StaticAnalyzer/Core/Checker.h
325

How about the situation when this callback is triggered by something other than a call, like variable assignment? I've tried using that location context and had lots of segfaults as in such cases it appeared to be null. Do you have some info that it should be non-null in such a case?

333

Well I've added it to be consistent with checkRegionChanges, but AFAIK this callback is no longer necessary and there was a discussion about getting rid of it altogether. Maybe it's a good moment ot purge it?

include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
231

Will do!

741

Yeah, as Anna suggested I will split this change and the addition of LocationContext in check::RegionChanges and we should probably continue this discussion there

NoQ added inline comments.Nov 15 2016, 4:56 AM
include/clang/StaticAnalyzer/Core/Checker.h
325

CallEvent* is optional here - it's there only for invalidations through calls.

333

Environment, which is a significant portion of the state, is essentially unaccessible without a location context.

Call stack is also an important bit of information to any checker that does something special to support/exploit the inlining IPA - there are many checkers that scan the call stack, but so far none of them needed to subscribe to checkRegionChanges; their possible use case may look like "we want an update only if a certain condition was met within the current stack frame".

For the recursion checker, i think, the point is "if current frame is spoiled, we no longer want updates" (which should probably be fixed in the checker patch: even though the callback is broken, it'd take one less action to fix it if we decide to).

zaks.anna added inline comments.Nov 15 2016, 2:16 PM
include/clang/StaticAnalyzer/Core/Checker.h
325

Ok, makes sense. Have you looked into providing a checker context there? How much more difficult would that be? If that is too difficult, adding LocationContext is good as well.

If Call is optional and LocationContext is not, should the Call parameter be last.

333

I don't recall where that discussion has ended. If the callback is not used, I'd be fine with removing it. (That would need to be a separate patch.)

NoQ added inline comments.Nov 17 2016, 12:15 AM
include/clang/StaticAnalyzer/Core/Checker.h
325

If we add a CheckerContext, then we may end up calling callbacks that split states within callbacks that split states, and that'd be quite a mess to support.

Right now a checker may trigger checkRegionChanges() within its callback by manipulating the Store, which already leads to callbacks within callbacks, but that's bearable as long as you can't add transitions within the inner callbacks.

zaks.anna added inline comments.Nov 17 2016, 11:31 PM
include/clang/StaticAnalyzer/Core/Checker.h
325

This argument by itself does not seem to be preventing us from providing CheckerContext. For example, we could disallow splitting states (ex: by setting some flag within the CheckerContext) but still provide most of the convenience APIs.

The advantage of providing CheckerContext is that it is a class that provides access to different analyzer APIs that the checker writer might want to access. It is also familiar and somewhat expected as it is available in most other cases. It might be difficult to pipe enough information to construct it... I suspect that is the reason we do not provide it in this case.

I am OK with the patch as is but it would be good to explore if we could extend this API by providing the full CheckerContext.

NoQ added inline comments.Nov 18 2016, 9:05 AM
include/clang/StaticAnalyzer/Core/Checker.h
325

Hmm, with this kind of plan we should probably move all transition functionality into a sub-class of CheckerContext(?) So that it was obvious from the signature that some of those are restricted, and some are full-featured.

This definitely sounds like a big task, useful though, maybe a separate patch over all callbacks might be a good idea.

NoQ commandeered this revision.Nov 29 2016, 11:59 PM
NoQ added a reviewer: k-wisniewski.

Seems to become outdated with D27090.

NoQ abandoned this revision.Nov 29 2016, 11:59 PM

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Core/
13 lines
10 lines
PathSensitive/
9 lines
35 lines
13 lines
lib/
StaticAnalyzer/
Checkers/
19 lines
4 lines
2 lines
10 lines
Core/
10 lines
27 lines
7 lines
6 lines
4 lines
15 lines

Diff 77744

include/clang/StaticAnalyzer/Core/Checker.h

Show First 20 LinesShow All 315 Lines▼ Show 20 Lines
class RegionChanges { class RegionChanges {
template <typename CHECKER> template <typename CHECKER>
static ProgramStateRef static ProgramStateRef
_checkRegionChanges(void *checker, _checkRegionChanges(void *checker,
ProgramStateRef state, ProgramStateRef state,
const InvalidatedSymbols *invalidated, const InvalidatedSymbols *invalidated,
ArrayRef<const MemRegion *> Explicits, ArrayRef<const MemRegion *> Explicits,
ArrayRef<const MemRegion *> Regions, ArrayRef<const MemRegion *> Regions,
const CallEvent *Call) { const CallEvent *Call,
const LocationContext *LCtx) {
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

LocationContext can be obtained by calling CallEvent::getLocationContext(). I do not think that adding another parameter here buys us much. Am I missing something?

zaks.anna: LocationContext can be obtained by calling CallEvent::getLocationContext(). I do not think that…
NoQAuthorUnsubmitted
Not Done
ReplyInline Actions

CallEvent* is optional here - it's there only for invalidations through calls.

NoQ: CallEvent* is optional here - it's there only for invalidations through calls.
k-wisniewskiUnsubmitted
Not Done
ReplyInline Actions

How about the situation when this callback is triggered by something other than a call, like variable assignment? I've tried using that location context and had lots of segfaults as in such cases it appeared to be null. Do you have some info that it should be non-null in such a case?

k-wisniewski: How about the situation when this callback is triggered by something other than a call, like…
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

Ok, makes sense. Have you looked into providing a checker context there? How much more difficult would that be? If that is too difficult, adding LocationContext is good as well.

If Call is optional and LocationContext is not, should the Call parameter be last.

zaks.anna: Ok, makes sense. Have you looked into providing a checker context there? How much more…
NoQAuthorUnsubmitted
Not Done
ReplyInline Actions

If we add a CheckerContext, then we may end up calling callbacks that split states within callbacks that split states, and that'd be quite a mess to support.

Right now a checker may trigger checkRegionChanges() within its callback by manipulating the Store, which already leads to callbacks within callbacks, but that's bearable as long as you can't add transitions within the inner callbacks.

NoQ: If we add a CheckerContext, then we may end up calling callbacks that split states within…
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

This argument by itself does not seem to be preventing us from providing CheckerContext. For example, we could disallow splitting states (ex: by setting some flag within the CheckerContext) but still provide most of the convenience APIs.

The advantage of providing CheckerContext is that it is a class that provides access to different analyzer APIs that the checker writer might want to access. It is also familiar and somewhat expected as it is available in most other cases. It might be difficult to pipe enough information to construct it... I suspect that is the reason we do not provide it in this case.

I am OK with the patch as is but it would be good to explore if we could extend this API by providing the full CheckerContext.

zaks.anna: This argument by itself does not seem to be preventing us from providing CheckerContext. For…
NoQAuthorUnsubmitted
Not Done
ReplyInline Actions

Hmm, with this kind of plan we should probably move all transition functionality into a sub-class of CheckerContext(?) So that it was obvious from the signature that some of those are restricted, and some are full-featured.

This definitely sounds like a big task, useful though, maybe a separate patch over all callbacks might be a good idea.

NoQ: Hmm, with this kind of plan we should probably move all transition functionality into a sub…
return ((const CHECKER *)checker)->checkRegionChanges(state, invalidated, return ((const CHECKER *) checker)->checkRegionChanges(state, invalidated,
Explicits, Regions, Call); Explicits, Regions,
Call, LCtx);
} }
template <typename CHECKER> template <typename CHECKER>
static bool _wantsRegionChangeUpdate(void *checker, static bool _wantsRegionChangeUpdate(void *checker,
ProgramStateRef state) { ProgramStateRef state,
return ((const CHECKER *)checker)->wantsRegionChangeUpdate(state); const LocationContext *LCtx) {
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

What is the scenario in which you need the context here? The idea is that the checker would be interested in region changes if it is already tracking information in the state. For that check, the information in the state is sufficient. What is your scenario?

Also, For any checker API change, we need to update the CheckerDocumentation.cpp.

zaks.anna: What is the scenario in which you need the context here? The idea is that the checker would be…
NoQAuthorUnsubmitted
Not Done
ReplyInline Actions

Environment, which is a significant portion of the state, is essentially unaccessible without a location context.

Call stack is also an important bit of information to any checker that does something special to support/exploit the inlining IPA - there are many checkers that scan the call stack, but so far none of them needed to subscribe to checkRegionChanges; their possible use case may look like "we want an update only if a certain condition was met within the current stack frame".

For the recursion checker, i think, the point is "if current frame is spoiled, we no longer want updates" (which should probably be fixed in the checker patch: even though the callback is broken, it'd take one less action to fix it if we decide to).

NoQ: Environment, which is a significant portion of the state, is essentially unaccessible without a…
k-wisniewskiUnsubmitted
Not Done
ReplyInline Actions

Well I've added it to be consistent with checkRegionChanges, but AFAIK this callback is no longer necessary and there was a discussion about getting rid of it altogether. Maybe it's a good moment ot purge it?

k-wisniewski: Well I've added it to be consistent with checkRegionChanges, but AFAIK this callback is no…
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

I don't recall where that discussion has ended. If the callback is not used, I'd be fine with removing it. (That would need to be a separate patch.)

zaks.anna: I don't recall where that discussion has ended. If the callback is not used, I'd be fine with…
return ((const CHECKER *) checker)->wantsRegionChangeUpdate(state, LCtx);
} }
public: public:
template <typename CHECKER> template <typename CHECKER>
static void _register(CHECKER *checker, CheckerManager &mgr) { static void _register(CHECKER *checker, CheckerManager &mgr) {
mgr._registerForRegionChanges( mgr._registerForRegionChanges(
CheckerManager::CheckRegionChangesFunc(checker, CheckerManager::CheckRegionChangesFunc(checker,
_checkRegionChanges<CHECKER>), _checkRegionChanges<CHECKER>),
▲ Show 20 LinesShow All 229 LinesShow Last 20 Lines

include/clang/StaticAnalyzer/Core/CheckerManager.h

Show First 20 LinesShow All 317 Lines▼ Show 20 Lines//===----------------------------------------------------------------------===//
/// precise diagnostics. /// precise diagnostics.
void runCheckersForDeadSymbols(ExplodedNodeSet &Dst, void runCheckersForDeadSymbols(ExplodedNodeSet &Dst,
const ExplodedNodeSet &Src, const ExplodedNodeSet &Src,
SymbolReaper &SymReaper, const Stmt *S, SymbolReaper &SymReaper, const Stmt *S,
ExprEngine &Eng, ExprEngine &Eng,
ProgramPoint::Kind K); ProgramPoint::Kind K);
/// \brief True if at least one checker wants to check region changes. /// \brief True if at least one checker wants to check region changes.
bool wantsRegionChangeUpdate(ProgramStateRef state); bool wantsRegionChangeUpdate(ProgramStateRef state, const LocationContext *LCtx);
/// \brief Run checkers for region changes. /// \brief Run checkers for region changes.
/// ///
/// This corresponds to the check::RegionChanges callback. /// This corresponds to the check::RegionChanges callback.
/// \param state The current program state. /// \param state The current program state.
/// \param invalidated A set of all symbols potentially touched by the change. /// \param invalidated A set of all symbols potentially touched by the change.
/// \param ExplicitRegions The regions explicitly requested for invalidation. /// \param ExplicitRegions The regions explicitly requested for invalidation.
/// For example, in the case of a function call, these would be arguments. /// For example, in the case of a function call, these would be arguments.
/// \param Regions The transitive closure of accessible regions, /// \param Regions The transitive closure of accessible regions,
/// i.e. all regions that may have been touched by this change. /// i.e. all regions that may have been touched by this change.
/// \param Call The call expression wrapper if the regions are invalidated /// \param Call The call expression wrapper if the regions are invalidated
/// by a call. /// by a call.
ProgramStateRef ProgramStateRef
runCheckersForRegionChanges(ProgramStateRef state, runCheckersForRegionChanges(ProgramStateRef state,
const InvalidatedSymbols *invalidated, const InvalidatedSymbols *invalidated,
ArrayRef<const MemRegion *> ExplicitRegions, ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions, ArrayRef<const MemRegion *> Regions,
const CallEvent *Call); const CallEvent *Call,
const LocationContext *LCtx);
/// \brief Run checkers when pointers escape. /// \brief Run checkers when pointers escape.
/// ///
/// This notifies the checkers about pointer escape, which occurs whenever /// This notifies the checkers about pointer escape, which occurs whenever
/// the analyzer cannot track the symbol any more. For example, as a /// the analyzer cannot track the symbol any more. For example, as a
/// result of assigning a pointer into a global or when it's passed to a /// result of assigning a pointer into a global or when it's passed to a
/// function call the analyzer cannot model. /// function call the analyzer cannot model.
/// ///
▲ Show 20 LinesShow All 91 Lines▼ Show 20 Lines typedef CheckerFn<void (SymbolReaper &, CheckerContext &)>
CheckDeadSymbolsFunc; CheckDeadSymbolsFunc;
typedef CheckerFn<void (ProgramStateRef,SymbolReaper &)> CheckLiveSymbolsFunc; typedef CheckerFn<void (ProgramStateRef,SymbolReaper &)> CheckLiveSymbolsFunc;
typedef CheckerFn<ProgramStateRef (ProgramStateRef, typedef CheckerFn<ProgramStateRef (ProgramStateRef,
const InvalidatedSymbols *symbols, const InvalidatedSymbols *symbols,
ArrayRef<const MemRegion *> ExplicitRegions, ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions, ArrayRef<const MemRegion *> Regions,
const CallEvent *Call)> const CallEvent *Call,
const LocationContext *LCtx)>
CheckRegionChangesFunc; CheckRegionChangesFunc;
typedef CheckerFn<bool (ProgramStateRef)> WantsRegionChangeUpdateFunc; typedef CheckerFn<bool (ProgramStateRef, const LocationContext *)> WantsRegionChangeUpdateFunc;
typedef CheckerFn<ProgramStateRef (ProgramStateRef, typedef CheckerFn<ProgramStateRef (ProgramStateRef,
const InvalidatedSymbols &Escaped, const InvalidatedSymbols &Escaped,
const CallEvent *Call, const CallEvent *Call,
PointerEscapeKind Kind, PointerEscapeKind Kind,
RegionAndSymbolInvalidationTraits *ITraits)> RegionAndSymbolInvalidationTraits *ITraits)>
CheckPointerEscapeFunc; CheckPointerEscapeFunc;
▲ Show 20 LinesShow All 179 LinesShow Last 20 Lines

include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 LinesShow All 282 Lines▼ Show 20 Linespublic:
/// evalAssume - Callback function invoked by the ConstraintManager when /// evalAssume - Callback function invoked by the ConstraintManager when
/// making assumptions about state values. /// making assumptions about state values.
ProgramStateRef processAssume(ProgramStateRef state, SVal cond, ProgramStateRef processAssume(ProgramStateRef state, SVal cond,
bool assumption) override; bool assumption) override;
/// wantsRegionChangeUpdate - Called by ProgramStateManager to determine if a /// wantsRegionChangeUpdate - Called by ProgramStateManager to determine if a
/// region change should trigger a processRegionChanges update. /// region change should trigger a processRegionChanges update.
bool wantsRegionChangeUpdate(ProgramStateRef state) override; bool wantsRegionChangeUpdate(ProgramStateRef state, const LocationContext *LCtx) override;
/// processRegionChanges - Called by ProgramStateManager whenever a change is made /// processRegionChanges - Called by ProgramStateManager whenever a change is made
/// to the store. Used to update checkers that track region values. /// to the store. Used to update checkers that track region values.
ProgramStateRef ProgramStateRef
processRegionChanges(ProgramStateRef state, processRegionChanges(ProgramStateRef state,
const InvalidatedSymbols *invalidated, const InvalidatedSymbols *invalidated,
ArrayRef<const MemRegion *> ExplicitRegions, ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions, ArrayRef<const MemRegion *> Regions,
const CallEvent *Call) override; const CallEvent *Call,
const LocationContext *LCtx) override;
/// printState - Called by ProgramStateManager to print checker-specific data. /// printState - Called by ProgramStateManager to print checker-specific data.
void printState(raw_ostream &Out, ProgramStateRef State, void printState(raw_ostream &Out, ProgramStateRef State,
const char *NL, const char *Sep) override; const char *NL, const char *Sep) override;
ProgramStateManager& getStateManager() override { return StateMgr; } ProgramStateManager& getStateManager() override { return StateMgr; }
StoreManager& getStoreManager() { return StateMgr.getStoreManager(); } StoreManager& getStoreManager() { return StateMgr.getStoreManager(); }
▲ Show 20 LinesShow All 196 Lines▼ Show 20 Linesprotected:
/// evalBind - Handle the semantics of binding a value to a specific location. /// evalBind - Handle the semantics of binding a value to a specific location.
/// This method is used by evalStore, VisitDeclStmt, and others. /// This method is used by evalStore, VisitDeclStmt, and others.
void evalBind(ExplodedNodeSet &Dst, const Stmt *StoreE, ExplodedNode *Pred, void evalBind(ExplodedNodeSet &Dst, const Stmt *StoreE, ExplodedNode *Pred,
SVal location, SVal Val, bool atDeclInit = false, SVal location, SVal Val, bool atDeclInit = false,
const ProgramPoint *PP = nullptr); const ProgramPoint *PP = nullptr);
/// Call PointerEscape callback when a value escapes as a result of bind. /// Call PointerEscape callback when a value escapes as a result of bind.
ProgramStateRef processPointerEscapedOnBind(ProgramStateRef State, ProgramStateRef processPointerEscapedOnBind(ProgramStateRef State,
SVal Loc, SVal Val) override; SVal Loc,
SVal Val,
const LocationContext *LCtx) override;
/// Call PointerEscape callback when a value escapes as a result of /// Call PointerEscape callback when a value escapes as a result of
/// region invalidation. /// region invalidation.
/// \param[in] ITraits Specifies invalidation traits for regions/symbols. /// \param[in] ITraits Specifies invalidation traits for regions/symbols.
ProgramStateRef notifyCheckersOfPointerEscape( ProgramStateRef notifyCheckersOfPointerEscape(
ProgramStateRef State, ProgramStateRef State,
const InvalidatedSymbols *Invalidated, const InvalidatedSymbols *Invalidated,
ArrayRef<const MemRegion *> ExplicitRegions, ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions, ArrayRef<const MemRegion *> Regions,
▲ Show 20 LinesShow All 137 LinesShow Last 20 Lines

include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h

Show First 20 LinesShow All 222 Lines▼ Show 20 Linespublic:
// Binding and retrieving values to/from the environment and symbolic store. // Binding and retrieving values to/from the environment and symbolic store.
//==---------------------------------------------------------------------==// //==---------------------------------------------------------------------==//
/// Create a new state by binding the value 'V' to the statement 'S' in the /// Create a new state by binding the value 'V' to the statement 'S' in the
/// state's environment. /// state's environment.
ProgramStateRef BindExpr(const Stmt *S, const LocationContext *LCtx, ProgramStateRef BindExpr(const Stmt *S, const LocationContext *LCtx,
SVal V, bool Invalidate = true) const; SVal V, bool Invalidate = true) const;
ProgramStateRef bindLoc(Loc location, ProgramStateRef bindLoc(Loc location,
NoQAuthorUnsubmitted
Not Done
ReplyInline Actions

Because this API becomes more complicated, i think we should add some docstrings here, explaining the meaning of the location context parameter, in particular.

NoQ: Because this API becomes more complicated, i think we should add some docstrings here…
k-wisniewskiUnsubmitted
Not Done
ReplyInline Actions

Will do!

k-wisniewski: Will do!
SVal V, SVal V,
const LocationContext *LCtx,
bool notifyChanges = true) const; bool notifyChanges = true) const;
ProgramStateRef bindLoc(SVal location, SVal V) const; ProgramStateRef bindLoc(SVal location, SVal V, const LocationContext *LCtx) const;
ProgramStateRef bindDefault(SVal loc, SVal V) const; ProgramStateRef bindDefault(SVal loc, SVal V, const LocationContext *LCtx) const;
ProgramStateRef killBinding(Loc LV) const; ProgramStateRef killBinding(Loc LV) const;
/// \brief Returns the state with bindings for the given regions /// \brief Returns the state with bindings for the given regions
/// cleared from the store. /// cleared from the store.
/// ///
/// Optionally invalidates global regions as well. /// Optionally invalidates global regions as well.
/// ///
▲ Show 20 LinesShow All 42 Lines▼ Show 20 Linespublic:
SVal getLValue(const FieldDecl *decl, SVal Base) const; SVal getLValue(const FieldDecl *decl, SVal Base) const;
/// Get the lvalue for an indirect field reference. /// Get the lvalue for an indirect field reference.
SVal getLValue(const IndirectFieldDecl *decl, SVal Base) const; SVal getLValue(const IndirectFieldDecl *decl, SVal Base) const;
/// Get the lvalue for an array index. /// Get the lvalue for an array index.
SVal getLValue(QualType ElementType, SVal Idx, SVal Base) const; SVal getLValue(QualType ElementType, SVal Idx, SVal Base) const;
/// Get the symbolic value of arguments used in a call
/// that created the given stack frame
SVal getArgSVal(const StackFrameContext *SFC, const unsigned ArgIdx) const;
/// Returns the SVal bound to the statement 'S' in the state's environment. /// Returns the SVal bound to the statement 'S' in the state's environment.
SVal getSVal(const Stmt *S, const LocationContext *LCtx) const; SVal getSVal(const Stmt *S, const LocationContext *LCtx) const;
SVal getSValAsScalarOrLoc(const Stmt *Ex, const LocationContext *LCtx) const; SVal getSValAsScalarOrLoc(const Stmt *Ex, const LocationContext *LCtx) const;
/// \brief Return the value bound to the specified location. /// \brief Return the value bound to the specified location.
/// Returns UnknownVal() if none found. /// Returns UnknownVal() if none found.
SVal getSVal(Loc LV, QualType T = QualType()) const; SVal getSVal(Loc LV, QualType T = QualType()) const;
▲ Show 20 LinesShow All 375 Lines▼ Show 20 Lines if (Val.isUnknown())
return std::make_pair(this, this); return std::make_pair(this, this);
assert(Val.getAs<NonLoc>() && "Only NonLocs are supported!"); assert(Val.getAs<NonLoc>() && "Only NonLocs are supported!");
return getStateManager().ConstraintMgr return getStateManager().ConstraintMgr
->assumeWithinInclusiveRangeDual(this, Val.castAs<NonLoc>(), From, To); ->assumeWithinInclusiveRangeDual(this, Val.castAs<NonLoc>(), From, To);
} }
inline ProgramStateRef ProgramState::bindLoc(SVal LV, SVal V) const { inline ProgramStateRef ProgramState::bindLoc(SVal LV, SVal V, const LocationContext *LCtx) const {
if (Optional<Loc> L = LV.getAs<Loc>()) if (Optional<Loc> L = LV.getAs<Loc>())
return bindLoc(*L, V); return bindLoc(*L, V, LCtx);
return this; return this;
} }
inline Loc ProgramState::getLValue(const VarDecl *VD, inline Loc ProgramState::getLValue(const VarDecl *VD,
const LocationContext *LC) const { const LocationContext *LC) const {
return getStateManager().StoreMgr->getLValueVar(VD, LC); return getStateManager().StoreMgr->getLValueVar(VD, LC);
} }
Show All 21 Lines
} }
inline SVal ProgramState::getLValue(QualType ElementType, SVal Idx, SVal Base) const{ inline SVal ProgramState::getLValue(QualType ElementType, SVal Idx, SVal Base) const{
if (Optional<NonLoc> N = Idx.getAs<NonLoc>()) if (Optional<NonLoc> N = Idx.getAs<NonLoc>())
return getStateManager().StoreMgr->getLValueElement(ElementType, *N, Base); return getStateManager().StoreMgr->getLValueElement(ElementType, *N, Base);
return UnknownVal(); return UnknownVal();
} }
inline SVal ProgramState::getArgSVal(const StackFrameContext *SFC,
const unsigned ArgIdx) const {
NoQAuthorUnsubmitted
Not Done
ReplyInline Actions

Indent.

NoQ: Indent.
const FunctionDecl *FunctionDecl = SFC->getDecl()->getAsFunction();
unsigned NumArgs = FunctionDecl->getNumParams();
a.sidorinUnsubmitted
Not Done
ReplyInline Actions

Maybe we should put a check that requested StackFrame is our StackFrame or our parent StackFrame here?

a.sidorin: Maybe we should put a check that requested StackFrame is our StackFrame or our parent…
NoQAuthorUnsubmitted
Not Done
ReplyInline Actions

Hmm. We should probably add a similar check to getSVal(Ex, LCtx)!- and also check that Ex is an active expression.

Unfortunately, we do not know the current location context within any of these methods, not sure how to implement that.

NoQ: Hmm. We should probably add a similar check to `getSVal(Ex, LCtx)`!- and also check that `Ex`…
assert(ArgIdx < NumArgs && "Arg access out of range!");
if (SFC->inTopFrame()) {
// if we are in the top frame we don't have any arguments bound in the store
// because the call wasn't modeled in the first place.
const VarDecl *ArgDecl = FunctionDecl->parameters()[ArgIdx];
a.sidorinUnsubmitted
Not Done
ReplyInline Actions

Unfortunately, this code does not consider the fact that argument values may be overwritten. If we want to get initial values, we should find another way.

a.sidorin: Unfortunately, this code does not consider the fact that argument values may be overwritten. If…
NoQAuthorUnsubmitted
Not Done
ReplyInline Actions

Uhm, yeah, this is in fact a problem!

The purpose of this code is, in fact, to construct SymbolRegionValue for the parameter, so it is equivalent to calling SValBuilder::getRegionValueSymbolVal() over the parameter region, as long as the current StoreManager implementation remains unquestioned.

We could also ask StoreManager to provide a binding for this region from an empty store, maybe extend its API to allow such queries, this would remove the layering violation.

Because this topic getting is rather complicated, it might have been better to make a separate review for this change, originally (no problem now that most of the interested people have already had a look).

NoQ: Uhm, yeah, this is in fact a problem! The purpose of this code is, in fact, to construct…
k-wisniewskiUnsubmitted
Not Done
ReplyInline Actions

Yeah, as Anna suggested I will split this change and the addition of LocationContext in check::RegionChanges and we should probably continue this discussion there

k-wisniewski: Yeah, as Anna suggested I will split this change and the addition of LocationContext in check…
const Loc ArgLoc = getLValue(ArgDecl, SFC);
return getSVal(ArgLoc);
} else {
// in this case we need to ask the environment as the arguments' memory
// region may have been purged as no longer needed.
const Stmt *callSite = SFC->getCallSite();
const CallExpr *callSiteExpr = dyn_cast<CallExpr>(callSite);
const Expr *argExpr = callSiteExpr->getArg(ArgIdx);
return getSVal(argExpr, SFC->getParent());
}
}
inline SVal ProgramState::getSVal(const Stmt *Ex, inline SVal ProgramState::getSVal(const Stmt *Ex,
const LocationContext *LCtx) const{ const LocationContext *LCtx) const{
return Env.getSVal(EnvironmentEntry(Ex, LCtx), return Env.getSVal(EnvironmentEntry(Ex, LCtx),
*getStateManager().svalBuilder); *getStateManager().svalBuilder);
} }
inline SVal inline SVal
ProgramState::getSValAsScalarOrLoc(const Stmt *S, ProgramState::getSValAsScalarOrLoc(const Stmt *S,
▲ Show 20 LinesShow All 119 LinesShow Last 20 Lines

include/clang/StaticAnalyzer/Core/PathSensitive/SubEngine.h

Show First 20 LinesShow All 120 Lines▼ Show 20 Linespublic:
/// Called by ConstraintManager. Used to call checker-specific /// Called by ConstraintManager. Used to call checker-specific
/// logic for handling assumptions on symbolic values. /// logic for handling assumptions on symbolic values.
virtual ProgramStateRef processAssume(ProgramStateRef state, virtual ProgramStateRef processAssume(ProgramStateRef state,
SVal cond, bool assumption) = 0; SVal cond, bool assumption) = 0;
/// wantsRegionChangeUpdate - Called by ProgramStateManager to determine if a /// wantsRegionChangeUpdate - Called by ProgramStateManager to determine if a
/// region change should trigger a processRegionChanges update. /// region change should trigger a processRegionChanges update.
virtual bool wantsRegionChangeUpdate(ProgramStateRef state) = 0; virtual bool wantsRegionChangeUpdate(ProgramStateRef state,
const LocationContext *LCtx) = 0;
/// processRegionChanges - Called by ProgramStateManager whenever a change is /// processRegionChanges - Called by ProgramStateManager whenever a change is
/// made to the store. Used to update checkers that track region values. /// made to the store. Used to update checkers that track region values.
virtual ProgramStateRef virtual ProgramStateRef
processRegionChanges(ProgramStateRef state, processRegionChanges(ProgramStateRef state,
const InvalidatedSymbols *invalidated, const InvalidatedSymbols *invalidated,
ArrayRef<const MemRegion *> ExplicitRegions, ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions, ArrayRef<const MemRegion *> Regions,
const CallEvent *Call) = 0; const CallEvent *Call,
const LocationContext *LCtx) = 0;
inline ProgramStateRef inline ProgramStateRef
processRegionChange(ProgramStateRef state, processRegionChange(ProgramStateRef state,
const MemRegion* MR) { const MemRegion* MR,
return processRegionChanges(state, nullptr, MR, MR, nullptr); const LocationContext *LCtx) {
return processRegionChanges(state, nullptr, MR, MR, nullptr, LCtx);
} }
virtual ProgramStateRef virtual ProgramStateRef
processPointerEscapedOnBind(ProgramStateRef State, SVal Loc, SVal Val) = 0; processPointerEscapedOnBind(ProgramStateRef State, SVal Loc, SVal Val, const LocationContext *LCtx) = 0;
virtual ProgramStateRef virtual ProgramStateRef
notifyCheckersOfPointerEscape(ProgramStateRef State, notifyCheckersOfPointerEscape(ProgramStateRef State,
const InvalidatedSymbols *Invalidated, const InvalidatedSymbols *Invalidated,
ArrayRef<const MemRegion *> ExplicitRegions, ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions, ArrayRef<const MemRegion *> Regions,
const CallEvent *Call, const CallEvent *Call,
RegionAndSymbolInvalidationTraits &HTraits) = 0; RegionAndSymbolInvalidationTraits &HTraits) = 0;
Show All 15 Lines

lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Show First 20 LinesShow All 56 Lines▼ Show 20 Linespublic:
CStringChecksFilter Filter; CStringChecksFilter Filter;
static void *getTag() { static int tag; return &tag; } static void *getTag() { static int tag; return &tag; }
bool evalCall(const CallExpr *CE, CheckerContext &C) const; bool evalCall(const CallExpr *CE, CheckerContext &C) const;
void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const; void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const; void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
bool wantsRegionChangeUpdate(ProgramStateRef state) const; bool wantsRegionChangeUpdate(ProgramStateRef state, const LocationContext *LCtx) const;
ProgramStateRef ProgramStateRef
checkRegionChanges(ProgramStateRef state, checkRegionChanges(ProgramStateRef state,
const InvalidatedSymbols *, const InvalidatedSymbols *,
ArrayRef<const MemRegion *> ExplicitRegions, ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions, ArrayRef<const MemRegion *> Regions,
const CallEvent *Call) const; const CallEvent *Call,
const LocationContext *LCtx) const;
typedef void (CStringChecker::*FnCheck)(CheckerContext &, typedef void (CStringChecker::*FnCheck)(CheckerContext &,
const CallExpr *) const; const CallExpr *) const;
void evalMemcpy(CheckerContext &C, const CallExpr *CE) const; void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
void evalMempcpy(CheckerContext &C, const CallExpr *CE) const; void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
void evalMemmove(CheckerContext &C, const CallExpr *CE) const; void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
void evalBcopy(CheckerContext &C, const CallExpr *CE) const; void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
▲ Show 20 LinesShow All 1,858 Lines▼ Show 20 Lines if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
// Invalidate the search string, representing the change of one delimiter // Invalidate the search string, representing the change of one delimiter
// character to NUL. // character to NUL.
State = InvalidateBuffer(C, State, SearchStrPtr, Result, State = InvalidateBuffer(C, State, SearchStrPtr, Result,
/*IsSourceBuffer*/false, nullptr); /*IsSourceBuffer*/false, nullptr);
// Overwrite the search string pointer. The new value is either an address // Overwrite the search string pointer. The new value is either an address
// further along in the same string, or NULL if there are no more tokens. // further along in the same string, or NULL if there are no more tokens.
State = State->bindLoc(*SearchStrLoc, State = State->bindLoc(*SearchStrLoc,
SVB.conjureSymbolVal(getTag(), CE, LCtx, CharPtrTy, SVB.conjureSymbolVal(getTag(),
C.blockCount())); CE,
LCtx,
CharPtrTy,
C.blockCount()),
LCtx);
} else { } else {
assert(SearchStrVal.isUnknown()); assert(SearchStrVal.isUnknown());
// Conjure a symbolic value. It's the best we can do. // Conjure a symbolic value. It's the best we can do.
Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount()); Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
} }
// Set the return value, and finish. // Set the return value, and finish.
State = State->BindExpr(CE, LCtx, Result); State = State->BindExpr(CE, LCtx, Result);
▲ Show 20 LinesShow All 150 Lines▼ Show 20 Lines DefinedOrUnknownSVal strLength =
getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>(); getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();
state = state->set<CStringLength>(MR, strLength); state = state->set<CStringLength>(MR, strLength);
} }
C.addTransition(state); C.addTransition(state);
} }
bool CStringChecker::wantsRegionChangeUpdate(ProgramStateRef state) const { bool CStringChecker::wantsRegionChangeUpdate(ProgramStateRef state,
const LocationContext *LCtx) const {
CStringLengthTy Entries = state->get<CStringLength>(); CStringLengthTy Entries = state->get<CStringLength>();
return !Entries.isEmpty(); return !Entries.isEmpty();
} }
ProgramStateRef ProgramStateRef
CStringChecker::checkRegionChanges(ProgramStateRef state, CStringChecker::checkRegionChanges(ProgramStateRef state,
const InvalidatedSymbols *, const InvalidatedSymbols *,
ArrayRef<const MemRegion *> ExplicitRegions, ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions, ArrayRef<const MemRegion *> Regions,
const CallEvent *Call) const { const CallEvent *Call,
const LocationContext *LCtx) const {
CStringLengthTy Entries = state->get<CStringLength>(); CStringLengthTy Entries = state->get<CStringLength>();
if (Entries.isEmpty()) if (Entries.isEmpty())
return state; return state;
llvm::SmallPtrSet<const MemRegion *, 8> Invalidated; llvm::SmallPtrSet<const MemRegion *, 8> Invalidated;
llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions; llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions;
// First build sets for the changed regions and their super-regions. // First build sets for the changed regions and their super-regions.
▲ Show 20 LinesShow All 93 LinesShow Last 20 Lines

lib/StaticAnalyzer/Checkers/CXXSelfAssignmentChecker.cpp

Show First 20 LinesShow All 45 Lines▼ Show 20 Linesvoid CXXSelfAssignmentChecker::checkBeginFunction(CheckerContext &C) const {
if (!MD->isCopyAssignmentOperator() && !MD->isMoveAssignmentOperator()) if (!MD->isCopyAssignmentOperator() && !MD->isMoveAssignmentOperator())
return; return;
auto &State = C.getState(); auto &State = C.getState();
auto &SVB = C.getSValBuilder(); auto &SVB = C.getSValBuilder();
auto ThisVal = auto ThisVal =
State->getSVal(SVB.getCXXThis(MD, LCtx->getCurrentStackFrame())); State->getSVal(SVB.getCXXThis(MD, LCtx->getCurrentStackFrame()));
auto Param = SVB.makeLoc(State->getRegion(MD->getParamDecl(0), LCtx)); auto Param = SVB.makeLoc(State->getRegion(MD->getParamDecl(0), LCtx));
auto ParamVal = State->getSVal(Param); auto ParamVal = State->getSVal(Param);
ProgramStateRef SelfAssignState = State->bindLoc(Param, ThisVal); ProgramStateRef SelfAssignState = State->bindLoc(Param, ThisVal, LCtx);
C.addTransition(SelfAssignState); C.addTransition(SelfAssignState);
ProgramStateRef NonSelfAssignState = State->bindLoc(Param, ParamVal); ProgramStateRef NonSelfAssignState = State->bindLoc(Param, ParamVal, LCtx);
C.addTransition(NonSelfAssignState); C.addTransition(NonSelfAssignState);
} }
void ento::registerCXXSelfAssignmentChecker(CheckerManager &Mgr) { void ento::registerCXXSelfAssignmentChecker(CheckerManager &Mgr) {
Mgr.registerChecker<CXXSelfAssignmentChecker>(); Mgr.registerChecker<CXXSelfAssignmentChecker>();
} }

lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 1,149 Lines▼ Show 20 LinesProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
unsigned Count = C.blockCount(); unsigned Count = C.blockCount();
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)
.castAs<DefinedSVal>(); .castAs<DefinedSVal>();
State = State->BindExpr(CE, C.getLocationContext(), RetVal); State = State->BindExpr(CE, C.getLocationContext(), RetVal);
// Fill the region with the initialization value. // Fill the region with the initialization value.
State = State->bindDefault(RetVal, Init); State = State->bindDefault(RetVal, Init, LCtx);
// Set the region's extent equal to the Size parameter. // Set the region's extent equal to the Size parameter.
const SymbolicRegion *R = const SymbolicRegion *R =
dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion());
if (!R) if (!R)
return nullptr; return nullptr;
if (Optional<DefinedOrUnknownSVal> DefinedSize = if (Optional<DefinedOrUnknownSVal> DefinedSize =
Size.getAs<DefinedOrUnknownSVal>()) { Size.getAs<DefinedOrUnknownSVal>()) {
▲ Show 20 LinesShow All 1,626 LinesShow Last 20 Lines

lib/StaticAnalyzer/Checkers/RetainCountChecker.cpp

Show First 20 LinesShow All 2,641 Lines▼ Show 20 Linespublic:
ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
bool Assumption) const; bool Assumption) const;
ProgramStateRef ProgramStateRef
checkRegionChanges(ProgramStateRef state, checkRegionChanges(ProgramStateRef state,
const InvalidatedSymbols *invalidated, const InvalidatedSymbols *invalidated,
ArrayRef<const MemRegion *> ExplicitRegions, ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions, ArrayRef<const MemRegion *> Regions,
const CallEvent *Call) const; const CallEvent *Call,
const LocationContext* LCtx) const;
bool wantsRegionChangeUpdate(ProgramStateRef state) const { bool wantsRegionChangeUpdate(ProgramStateRef state, const LocationContext *LCtx) const {
return true; return true;
} }
void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
void checkReturnWithRetEffect(const ReturnStmt *S, CheckerContext &C, void checkReturnWithRetEffect(const ReturnStmt *S, CheckerContext &C,
ExplodedNode *Pred, RetEffect RE, RefVal X, ExplodedNode *Pred, RetEffect RE, RefVal X,
SymbolRef Sym, ProgramStateRef state) const; SymbolRef Sym, ProgramStateRef state) const;
▲ Show 20 LinesShow All 972 Lines▼ Show 20 Lines if (Optional<loc::MemRegionVal> regionLoc = loc.getAs<loc::MemRegionVal>()) {
if (!escapes) { if (!escapes) {
// To test (3), generate a new state with the binding added. If it is // To test (3), generate a new state with the binding added. If it is
// the same state, then it escapes (since the store cannot represent // the same state, then it escapes (since the store cannot represent
// the binding). // the binding).
// Do this only if we know that the store is not supposed to generate the // Do this only if we know that the store is not supposed to generate the
// same state. // same state.
SVal StoredVal = state->getSVal(regionLoc->getRegion()); SVal StoredVal = state->getSVal(regionLoc->getRegion());
if (StoredVal != val) if (StoredVal != val)
escapes = (state == (state->bindLoc(*regionLoc, val))); escapes = (state == (state->bindLoc(*regionLoc, val, C.getLocationContext())));
} }
if (!escapes) { if (!escapes) {
// Case 4: We do not currently model what happens when a symbol is // Case 4: We do not currently model what happens when a symbol is
// assigned to a struct field, so be conservative here and let the symbol // assigned to a struct field, so be conservative here and let the symbol
// go. TODO: This could definitely be improved upon. // go. TODO: This could definitely be improved upon.
escapes = !isa<VarRegion>(regionLoc->getRegion()); escapes = !isa<VarRegion>(regionLoc->getRegion());
} }
} }
▲ Show 20 LinesShow All 53 Lines▼ Show 20 LinesProgramStateRef RetainCountChecker::evalAssume(ProgramStateRef state,
return state; return state;
} }
ProgramStateRef ProgramStateRef
RetainCountChecker::checkRegionChanges(ProgramStateRef state, RetainCountChecker::checkRegionChanges(ProgramStateRef state,
const InvalidatedSymbols *invalidated, const InvalidatedSymbols *invalidated,
ArrayRef<const MemRegion *> ExplicitRegions, ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions, ArrayRef<const MemRegion *> Regions,
const CallEvent *Call) const { const CallEvent *Call,
const LocationContext *LCtx) const {
if (!invalidated) if (!invalidated)
return state; return state;
llvm::SmallPtrSet<SymbolRef, 8> WhitelistedSymbols; llvm::SmallPtrSet<SymbolRef, 8> WhitelistedSymbols;
for (ArrayRef<const MemRegion *>::iterator I = ExplicitRegions.begin(), for (ArrayRef<const MemRegion *>::iterator I = ExplicitRegions.begin(),
E = ExplicitRegions.end(); I != E; ++I) { E = ExplicitRegions.end(); I != E; ++I) {
if (const SymbolicRegion *SR = (*I)->StripCasts()->getAs<SymbolicRegion>()) if (const SymbolicRegion *SR = (*I)->StripCasts()->getAs<SymbolicRegion>())
WhitelistedSymbols.insert(SR->getSymbol()); WhitelistedSymbols.insert(SR->getSymbol());
▲ Show 20 LinesShow All 313 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/CheckerManager.cpp

Show First 20 LinesShow All 513 Lines▼ Show 20 Linesvoid CheckerManager::runCheckersForDeadSymbols(ExplodedNodeSet &Dst,
const Stmt *S, const Stmt *S,
ExprEngine &Eng, ExprEngine &Eng,
ProgramPoint::Kind K) { ProgramPoint::Kind K) {
CheckDeadSymbolsContext C(DeadSymbolsCheckers, SymReaper, S, Eng, K); CheckDeadSymbolsContext C(DeadSymbolsCheckers, SymReaper, S, Eng, K);
expandGraphWithCheckers(C, Dst, Src); expandGraphWithCheckers(C, Dst, Src);
} }
/// \brief True if at least one checker wants to check region changes. /// \brief True if at least one checker wants to check region changes.
bool CheckerManager::wantsRegionChangeUpdate(ProgramStateRef state) { bool CheckerManager::wantsRegionChangeUpdate(ProgramStateRef state, const LocationContext *LCtx) {
for (unsigned i = 0, e = RegionChangesCheckers.size(); i != e; ++i) for (unsigned i = 0, e = RegionChangesCheckers.size(); i != e; ++i)
if (RegionChangesCheckers[i].WantUpdateFn(state)) if (RegionChangesCheckers[i].WantUpdateFn(state, LCtx))
return true; return true;
return false; return false;
} }
/// \brief Run checkers for region changes. /// \brief Run checkers for region changes.
ProgramStateRef ProgramStateRef
CheckerManager::runCheckersForRegionChanges(ProgramStateRef state, CheckerManager::runCheckersForRegionChanges(ProgramStateRef state,
const InvalidatedSymbols *invalidated, const InvalidatedSymbols *invalidated,
ArrayRef<const MemRegion *> ExplicitRegions, ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions, ArrayRef<const MemRegion *> Regions,
const CallEvent *Call) { const CallEvent *Call,
const LocationContext *LCtx) {
for (unsigned i = 0, e = RegionChangesCheckers.size(); i != e; ++i) { for (unsigned i = 0, e = RegionChangesCheckers.size(); i != e; ++i) {
// If any checker declares the state infeasible (or if it starts that way), // If any checker declares the state infeasible (or if it starts that way),
// bail out. // bail out.
if (!state) if (!state)
return nullptr; return nullptr;
state = RegionChangesCheckers[i].CheckFn(state, invalidated, state = RegionChangesCheckers[i].CheckFn(state, invalidated,
ExplicitRegions, Regions, Call); ExplicitRegions, Regions,
Call, LCtx);
} }
return state; return state;
} }
/// \brief Run checkers to process symbol escape event. /// \brief Run checkers to process symbol escape event.
ProgramStateRef ProgramStateRef
CheckerManager::runCheckersForPointerEscape(ProgramStateRef State, CheckerManager::runCheckersForPointerEscape(ProgramStateRef State,
const InvalidatedSymbols &Escaped, const InvalidatedSymbols &Escaped,
▲ Show 20 LinesShow All 232 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 232 Lines▼ Show 20 LinesExprEngine::createTemporaryRegionIfNeeded(ProgramStateRef State,
if (!TR) if (!TR)
TR = MRMgr.getCXXTempObjectRegion(Inner, LC); TR = MRMgr.getCXXTempObjectRegion(Inner, LC);
SVal Reg = loc::MemRegionVal(TR); SVal Reg = loc::MemRegionVal(TR);
if (V.isUnknown()) if (V.isUnknown())
V = getSValBuilder().conjureSymbolVal(Result, LC, TR->getValueType(), V = getSValBuilder().conjureSymbolVal(Result, LC, TR->getValueType(),
currBldrCtx->blockCount()); currBldrCtx->blockCount());
State = State->bindLoc(Reg, V); State = State->bindLoc(Reg, V, LC);
// Re-apply the casts (from innermost to outermost) for type sanity. // Re-apply the casts (from innermost to outermost) for type sanity.
for (SmallVectorImpl<const CastExpr *>::reverse_iterator I = Casts.rbegin(), for (SmallVectorImpl<const CastExpr *>::reverse_iterator I = Casts.rbegin(),
E = Casts.rend(); E = Casts.rend();
I != E; ++I) { I != E; ++I) {
Reg = StoreMgr.evalDerivedToBase(Reg, *I); Reg = StoreMgr.evalDerivedToBase(Reg, *I);
} }
State = State->BindExpr(Result, LC, Reg); State = State->BindExpr(Result, LC, Reg);
return State; return State;
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Top-level transfer function logic (Dispatcher). // Top-level transfer function logic (Dispatcher).
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
/// evalAssume - Called by ConstraintManager. Used to call checker-specific /// evalAssume - Called by ConstraintManager. Used to call checker-specific
/// logic for handling assumptions on symbolic values. /// logic for handling assumptions on symbolic values.
ProgramStateRef ExprEngine::processAssume(ProgramStateRef state, ProgramStateRef ExprEngine::processAssume(ProgramStateRef state,
SVal cond, bool assumption) { SVal cond, bool assumption) {
return getCheckerManager().runCheckersForEvalAssume(state, cond, assumption); return getCheckerManager().runCheckersForEvalAssume(state, cond, assumption);
} }
bool ExprEngine::wantsRegionChangeUpdate(ProgramStateRef state) { bool ExprEngine::wantsRegionChangeUpdate(ProgramStateRef state,
return getCheckerManager().wantsRegionChangeUpdate(state); const LocationContext *LCtx) {
return getCheckerManager().wantsRegionChangeUpdate(state, LCtx);
} }
ProgramStateRef ProgramStateRef
ExprEngine::processRegionChanges(ProgramStateRef state, ExprEngine::processRegionChanges(ProgramStateRef state,
const InvalidatedSymbols *invalidated, const InvalidatedSymbols *invalidated,
ArrayRef<const MemRegion *> Explicits, ArrayRef<const MemRegion *> Explicits,
ArrayRef<const MemRegion *> Regions, ArrayRef<const MemRegion *> Regions,
const CallEvent *Call) { const CallEvent *Call,
const LocationContext *LCtx) {
return getCheckerManager().runCheckersForRegionChanges(state, invalidated, return getCheckerManager().runCheckersForRegionChanges(state, invalidated,
Explicits, Regions, Call); Explicits, Regions,
Call, LCtx);
} }
void ExprEngine::printState(raw_ostream &Out, ProgramStateRef State, void ExprEngine::printState(raw_ostream &Out, ProgramStateRef State,
const char *NL, const char *Sep) { const char *NL, const char *Sep) {
getCheckerManager().runCheckersForPrintState(Out, State, NL, Sep); getCheckerManager().runCheckersForPrintState(Out, State, NL, Sep);
} }
void ExprEngine::processEndWorklist(bool hasWorkRemaining) { void ExprEngine::processEndWorklist(bool hasWorkRemaining) {
▲ Show 20 LinesShow All 1,843 Lines▼ Show 20 Lines
} // end anonymous namespace } // end anonymous namespace
// A value escapes in three possible cases: // A value escapes in three possible cases:
// (1) We are binding to something that is not a memory region. // (1) We are binding to something that is not a memory region.
// (2) We are binding to a MemrRegion that does not have stack storage. // (2) We are binding to a MemrRegion that does not have stack storage.
// (3) We are binding to a MemRegion with stack storage that the store // (3) We are binding to a MemRegion with stack storage that the store
// does not understand. // does not understand.
ProgramStateRef ExprEngine::processPointerEscapedOnBind(ProgramStateRef State, ProgramStateRef ExprEngine::processPointerEscapedOnBind(ProgramStateRef State,
SVal Loc, SVal Val) { SVal Loc,
SVal Val,
const LocationContext *LCtx) {
// Are we storing to something that causes the value to "escape"? // Are we storing to something that causes the value to "escape"?
bool escapes = true; bool escapes = true;
// TODO: Move to StoreManager. // TODO: Move to StoreManager.
if (Optional<loc::MemRegionVal> regionLoc = Loc.getAs<loc::MemRegionVal>()) { if (Optional<loc::MemRegionVal> regionLoc = Loc.getAs<loc::MemRegionVal>()) {
escapes = !regionLoc->getRegion()->hasStackStorage(); escapes = !regionLoc->getRegion()->hasStackStorage();
if (!escapes) { if (!escapes) {
// To test (3), generate a new state with the binding added. If it is // To test (3), generate a new state with the binding added. If it is
// the same state, then it escapes (since the store cannot represent // the same state, then it escapes (since the store cannot represent
// the binding). // the binding).
// Do this only if we know that the store is not supposed to generate the // Do this only if we know that the store is not supposed to generate the
// same state. // same state.
SVal StoredVal = State->getSVal(regionLoc->getRegion()); SVal StoredVal = State->getSVal(regionLoc->getRegion());
if (StoredVal != Val) if (StoredVal != Val)
escapes = (State == (State->bindLoc(*regionLoc, Val))); escapes = (State == (State->bindLoc(*regionLoc, Val, LCtx)));
} }
} }
// If our store can represent the binding and we aren't storing to something // If our store can represent the binding and we aren't storing to something
// that doesn't have local storage then just return and have the simulation // that doesn't have local storage then just return and have the simulation
// state continue as is. // state continue as is.
if (!escapes) if (!escapes)
return State; return State;
▲ Show 20 LinesShow All 80 Lines▼ Show 20 Linesvoid ExprEngine::evalBind(ExplodedNodeSet &Dst, const Stmt *StoreE,
StmtNodeBuilder Bldr(CheckedSet, Dst, *currBldrCtx); StmtNodeBuilder Bldr(CheckedSet, Dst, *currBldrCtx);
// If the location is not a 'Loc', it will already be handled by // If the location is not a 'Loc', it will already be handled by
// the checkers. There is nothing left to do. // the checkers. There is nothing left to do.
if (!location.getAs<Loc>()) { if (!location.getAs<Loc>()) {
const ProgramPoint L = PostStore(StoreE, LC, /*Loc*/nullptr, const ProgramPoint L = PostStore(StoreE, LC, /*Loc*/nullptr,
/*tag*/nullptr); /*tag*/nullptr);
ProgramStateRef state = Pred->getState(); ProgramStateRef state = Pred->getState();
state = processPointerEscapedOnBind(state, location, Val); state = processPointerEscapedOnBind(state, location, Val, LC);
Bldr.generateNode(L, state, Pred); Bldr.generateNode(L, state, Pred);
return; return;
} }
for (ExplodedNodeSet::iterator I = CheckedSet.begin(), E = CheckedSet.end(); for (ExplodedNodeSet::iterator I = CheckedSet.begin(), E = CheckedSet.end();
I!=E; ++I) { I!=E; ++I) {
ExplodedNode *PredI = *I; ExplodedNode *PredI = *I;
ProgramStateRef state = PredI->getState(); ProgramStateRef state = PredI->getState();
state = processPointerEscapedOnBind(state, location, Val); state = processPointerEscapedOnBind(state, location, Val, LC);
// When binding the value, pass on the hint that this is a initialization. // When binding the value, pass on the hint that this is a initialization.
// For initializations, we do not need to inform clients of region // For initializations, we do not need to inform clients of region
// changes. // changes.
state = state->bindLoc(location.castAs<Loc>(), state = state->bindLoc(location.castAs<Loc>(),
Val, /* notifyChanges = */ !atDeclInit); Val, LC, /* notifyChanges = */ !atDeclInit);
const MemRegion *LocReg = nullptr; const MemRegion *LocReg = nullptr;
if (Optional<loc::MemRegionVal> LocRegVal = if (Optional<loc::MemRegionVal> LocRegVal =
location.getAs<loc::MemRegionVal>()) { location.getAs<loc::MemRegionVal>()) {
LocReg = LocRegVal->getRegion(); LocReg = LocRegVal->getRegion();
} }
const ProgramPoint L = PostStore(StoreE, LC, LocReg, nullptr); const ProgramPoint L = PostStore(StoreE, LC, LocReg, nullptr);
▲ Show 20 LinesShow All 209 Lines▼ Show 20 Linesvoid ExprEngine::VisitGCCAsmStmt(const GCCAsmStmt *A, ExplodedNode *Pred,
ProgramStateRef state = Pred->getState(); ProgramStateRef state = Pred->getState();
for (const Expr *O : A->outputs()) { for (const Expr *O : A->outputs()) {
SVal X = state->getSVal(O, Pred->getLocationContext()); SVal X = state->getSVal(O, Pred->getLocationContext());
assert (!X.getAs<NonLoc>()); // Should be an Lval, or unknown, undef. assert (!X.getAs<NonLoc>()); // Should be an Lval, or unknown, undef.
if (Optional<Loc> LV = X.getAs<Loc>()) if (Optional<Loc> LV = X.getAs<Loc>())
state = state->bindLoc(*LV, UnknownVal()); state = state->bindLoc(*LV, UnknownVal(), Pred->getLocationContext());
} }
Bldr.generateNode(A, Pred, state); Bldr.generateNode(A, Pred, state);
} }
void ExprEngine::VisitMSAsmStmt(const MSAsmStmt *A, ExplodedNode *Pred, void ExprEngine::VisitMSAsmStmt(const MSAsmStmt *A, ExplodedNode *Pred,
ExplodedNodeSet &Dst) { ExplodedNodeSet &Dst) {
StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
▲ Show 20 LinesShow All 300 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/ExprEngineC.cpp

Show First 20 LinesShow All 220 Lines▼ Show 20 Lines for (; I != E; ++I) {
if (CI != CE) { if (CI != CE) {
assert(CI->getVariable() == capturedR->getDecl()); assert(CI->getVariable() == capturedR->getDecl());
copyExpr = CI->getCopyExpr(); copyExpr = CI->getCopyExpr();
CI++; CI++;
} }
if (capturedR != originalR) { if (capturedR != originalR) {
SVal originalV; SVal originalV;
const LocationContext *LCtx = Pred->getLocationContext();
if (copyExpr) { if (copyExpr) {
originalV = State->getSVal(copyExpr, Pred->getLocationContext()); originalV = State->getSVal(copyExpr, LCtx);
} else { } else {
originalV = State->getSVal(loc::MemRegionVal(originalR)); originalV = State->getSVal(loc::MemRegionVal(originalR));
} }
State = State->bindLoc(loc::MemRegionVal(capturedR), originalV); State = State->bindLoc(loc::MemRegionVal(capturedR), originalV, LCtx);
} }
} }
} }
ExplodedNodeSet Tmp; ExplodedNodeSet Tmp;
StmtNodeBuilder Bldr(Pred, Tmp, *currBldrCtx); StmtNodeBuilder Bldr(Pred, Tmp, *currBldrCtx);
Bldr.generateNode(BE, Pred, Bldr.generateNode(BE, Pred,
State->BindExpr(BE, Pred->getLocationContext(), V), State->BindExpr(BE, Pred->getLocationContext(), V),
▲ Show 20 LinesShow All 230 Lines▼ Show 20 Linesvoid ExprEngine::VisitCompoundLiteralExpr(const CompoundLiteralExpr *CL,
const Expr *Init = CL->getInitializer(); const Expr *Init = CL->getInitializer();
SVal V = State->getSVal(CL->getInitializer(), LCtx); SVal V = State->getSVal(CL->getInitializer(), LCtx);
if (isa<CXXConstructExpr>(Init)) { if (isa<CXXConstructExpr>(Init)) {
// No work needed. Just pass the value up to this expression. // No work needed. Just pass the value up to this expression.
} else { } else {
assert(isa<InitListExpr>(Init)); assert(isa<InitListExpr>(Init));
Loc CLLoc = State->getLValue(CL, LCtx); Loc CLLoc = State->getLValue(CL, LCtx);
State = State->bindLoc(CLLoc, V); State = State->bindLoc(CLLoc, V, LCtx);
// Compound literal expressions are a GNU extension in C++. // Compound literal expressions are a GNU extension in C++.
// Unlike in C, where CLs are lvalues, in C++ CLs are prvalues, // Unlike in C, where CLs are lvalues, in C++ CLs are prvalues,
// and like temporary objects created by the functional notation T() // and like temporary objects created by the functional notation T()
// CLs are destroyed at the end of the containing full-expression. // CLs are destroyed at the end of the containing full-expression.
// HOWEVER, an rvalue of array type is not something the analyzer can // HOWEVER, an rvalue of array type is not something the analyzer can
// reason about, since we expect all regions to be wrapped in Locs. // reason about, since we expect all regions to be wrapped in Locs.
// So we treat array CLs as lvalues as well, knowing that they will decay // So we treat array CLs as lvalues as well, knowing that they will decay
▲ Show 20 LinesShow All 545 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 LinesShow All 311 Lines▼ Show 20 Lines if (CE->requiresZeroInitialization()) {
// to handle random fields of a placement-initialized object picking up // to handle random fields of a placement-initialized object picking up
// old bindings. We might only want to do it when we need to, though. // old bindings. We might only want to do it when we need to, though.
// FIXME: This isn't actually correct for arrays -- we need to zero- // FIXME: This isn't actually correct for arrays -- we need to zero-
// initialize the entire array, not just the first element -- but our // initialize the entire array, not just the first element -- but our
// handling of arrays everywhere else is weak as well, so this shouldn't // handling of arrays everywhere else is weak as well, so this shouldn't
// actually make things worse. Placement new makes this tricky as well, // actually make things worse. Placement new makes this tricky as well,
// since it's then possible to be initializing one part of a multi- // since it's then possible to be initializing one part of a multi-
// dimensional array. // dimensional array.
State = State->bindDefault(loc::MemRegionVal(Target), ZeroVal); State = State->bindDefault(loc::MemRegionVal(Target), ZeroVal, LCtx);
Bldr.generateNode(CE, *I, State, /*tag=*/nullptr, Bldr.generateNode(CE, *I, State, /*tag=*/nullptr,
ProgramPoint::PreStmtKind); ProgramPoint::PreStmtKind);
} }
} }
} }
ExplodedNodeSet DstPreCall; ExplodedNodeSet DstPreCall;
getCheckerManager().runCheckersForPreCall(DstPreCall, PreInitialized, getCheckerManager().runCheckersForPreCall(DstPreCall, PreInitialized,
▲ Show 20 LinesShow All 214 Lines▼ Show 20 Lines if (!VD) {
Dst.Add(Pred); Dst.Add(Pred);
return; return;
} }
const LocationContext *LCtx = Pred->getLocationContext(); const LocationContext *LCtx = Pred->getLocationContext();
SVal V = svalBuilder.conjureSymbolVal(CS, LCtx, VD->getType(), SVal V = svalBuilder.conjureSymbolVal(CS, LCtx, VD->getType(),
currBldrCtx->blockCount()); currBldrCtx->blockCount());
ProgramStateRef state = Pred->getState(); ProgramStateRef state = Pred->getState();
state = state->bindLoc(state->getLValue(VD, LCtx), V); state = state->bindLoc(state->getLValue(VD, LCtx), V, LCtx);
StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
Bldr.generateNode(CS, Pred, state); Bldr.generateNode(CS, Pred, state);
} }
void ExprEngine::VisitCXXThisExpr(const CXXThisExpr *TE, ExplodedNode *Pred, void ExprEngine::VisitCXXThisExpr(const CXXThisExpr *TE, ExplodedNode *Pred,
ExplodedNodeSet &Dst) { ExplodedNodeSet &Dst) {
StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
Show All 38 Lines for (LambdaExpr::const_capture_init_iterator i = LE->capture_init_begin(),
} else { } else {
// The field stores the length of a captured variable-length array. // The field stores the length of a captured variable-length array.
// These captures don't have initialization expressions; instead we // These captures don't have initialization expressions; instead we
// get the length from the VLAType size expression. // get the length from the VLAType size expression.
Expr *SizeExpr = FieldForCapture->getCapturedVLAType()->getSizeExpr(); Expr *SizeExpr = FieldForCapture->getCapturedVLAType()->getSizeExpr();
InitVal = State->getSVal(SizeExpr, LocCtxt); InitVal = State->getSVal(SizeExpr, LocCtxt);
} }
State = State->bindLoc(FieldLoc, InitVal); State = State->bindLoc(FieldLoc, InitVal, LocCtxt);
} }
// Decay the Loc into an RValue, because there might be a // Decay the Loc into an RValue, because there might be a
// MaterializeTemporaryExpr node above this one which expects the bound value // MaterializeTemporaryExpr node above this one which expects the bound value
// to be an RValue. // to be an RValue.
SVal LambdaRVal = State->getSVal(R); SVal LambdaRVal = State->getSVal(R);
ExplodedNodeSet Tmp; ExplodedNodeSet Tmp;
Show All 9 Lines

lib/StaticAnalyzer/Core/ExprEngineObjC.cpp

Show First 20 LinesShow All 109 Lines▼ Show 20 Lines if (Optional<loc::MemRegionVal> MV = elementV.getAs<loc::MemRegionVal>())
// FIXME: The proper thing to do is to really iterate over the // FIXME: The proper thing to do is to really iterate over the
// container. We will do this with dispatch logic to the store. // container. We will do this with dispatch logic to the store.
// For now, just 'conjure' up a symbolic value. // For now, just 'conjure' up a symbolic value.
QualType T = R->getValueType(); QualType T = R->getValueType();
assert(Loc::isLocType(T)); assert(Loc::isLocType(T));
SymbolRef Sym = SymMgr.conjureSymbol(elem, LCtx, T, SymbolRef Sym = SymMgr.conjureSymbol(elem, LCtx, T,
currBldrCtx->blockCount()); currBldrCtx->blockCount());
SVal V = svalBuilder.makeLoc(Sym); SVal V = svalBuilder.makeLoc(Sym);
hasElems = hasElems->bindLoc(elementV, V); hasElems = hasElems->bindLoc(elementV, V, LCtx);
// Bind the location to 'nil' on the false branch. // Bind the location to 'nil' on the false branch.
SVal nilV = svalBuilder.makeIntVal(0, T); SVal nilV = svalBuilder.makeIntVal(0, T);
noElems = noElems->bindLoc(elementV, nilV); noElems = noElems->bindLoc(elementV, nilV, LCtx);
} }
// Create the new nodes. // Create the new nodes.
Bldr.generateNode(S, Pred, hasElems); Bldr.generateNode(S, Pred, hasElems);
Bldr.generateNode(S, Pred, noElems); Bldr.generateNode(S, Pred, noElems);
} }
// Finally, run any custom checkers. // Finally, run any custom checkers.
▲ Show 20 LinesShow All 132 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/ProgramState.cpp

Show First 20 LinesShow All 105 Lines▼ Show 20 Lines StoreRef newStore = StoreMgr->removeDeadBindings(NewState.getStore(), LCtx,
SymReaper); SymReaper);
NewState.setStore(newStore); NewState.setStore(newStore);
SymReaper.setReapedStore(newStore); SymReaper.setReapedStore(newStore);
ProgramStateRef Result = getPersistentState(NewState); ProgramStateRef Result = getPersistentState(NewState);
return ConstraintMgr->removeDeadBindings(Result, SymReaper); return ConstraintMgr->removeDeadBindings(Result, SymReaper);
} }
ProgramStateRef ProgramState::bindLoc(Loc LV, SVal V, bool notifyChanges) const { ProgramStateRef ProgramState::bindLoc(Loc LV,
SVal V,
const LocationContext *LCtx,
bool notifyChanges) const {
ProgramStateManager &Mgr = getStateManager(); ProgramStateManager &Mgr = getStateManager();
ProgramStateRef newState = makeWithStore(Mgr.StoreMgr->Bind(getStore(), ProgramStateRef newState = makeWithStore(Mgr.StoreMgr->Bind(getStore(),
LV, V)); LV, V));
const MemRegion *MR = LV.getAsRegion(); const MemRegion *MR = LV.getAsRegion();
if (MR && Mgr.getOwningEngine() && notifyChanges) if (MR && Mgr.getOwningEngine() && notifyChanges)
return Mgr.getOwningEngine()->processRegionChange(newState, MR); return Mgr.getOwningEngine()->processRegionChange(newState, MR, LCtx);
return newState; return newState;
} }
ProgramStateRef ProgramState::bindDefault(SVal loc, SVal V) const { ProgramStateRef ProgramState::bindDefault(SVal loc,
SVal V,
const LocationContext *LCtx) const {
ProgramStateManager &Mgr = getStateManager(); ProgramStateManager &Mgr = getStateManager();
const MemRegion *R = loc.castAs<loc::MemRegionVal>().getRegion(); const MemRegion *R = loc.castAs<loc::MemRegionVal>().getRegion();
const StoreRef &newStore = Mgr.StoreMgr->BindDefault(getStore(), R, V); const StoreRef &newStore = Mgr.StoreMgr->BindDefault(getStore(), R, V);
ProgramStateRef new_state = makeWithStore(newStore); ProgramStateRef new_state = makeWithStore(newStore);
return Mgr.getOwningEngine() ? return Mgr.getOwningEngine() ?
Mgr.getOwningEngine()->processRegionChange(new_state, R) : Mgr.getOwningEngine()->processRegionChange(new_state, R, LCtx) :
new_state; new_state;
} }
typedef ArrayRef<const MemRegion *> RegionList; typedef ArrayRef<const MemRegion *> RegionList;
typedef ArrayRef<SVal> ValueList; typedef ArrayRef<SVal> ValueList;
ProgramStateRef ProgramStateRef
ProgramState::invalidateRegions(RegionList Regions, ProgramState::invalidateRegions(RegionList Regions,
▲ Show 20 LinesShow All 57 Lines▼ Show 20 Lines if (Eng) {
if (CausedByPointerEscape) { if (CausedByPointerEscape) {
newState = Eng->notifyCheckersOfPointerEscape(newState, IS, newState = Eng->notifyCheckersOfPointerEscape(newState, IS,
TopLevelInvalidated, TopLevelInvalidated,
Invalidated, Call, Invalidated, Call,
*ITraits); *ITraits);
} }
return Eng->processRegionChanges(newState, IS, TopLevelInvalidated, return Eng->processRegionChanges(newState, IS, TopLevelInvalidated,
Invalidated, Call); Invalidated, Call, LCtx);
} }
const StoreRef &newStore = const StoreRef &newStore =
Mgr.StoreMgr->invalidateRegions(getStore(), Values, E, Count, LCtx, Call, Mgr.StoreMgr->invalidateRegions(getStore(), Values, E, Count, LCtx, Call,
*IS, *ITraits, nullptr, nullptr); *IS, *ITraits, nullptr, nullptr);
return makeWithStore(newStore); return makeWithStore(newStore);
} }
▲ Show 20 LinesShow All 541 LinesShow Last 20 Lines