This is an archive of the discontinued LLVM Phabricator instance.

Differential D47303

[analyzer] NFC: Merge object construction related state traits into one.
ClosedPublic

Authored by NoQ on May 23 2018, 5:58 PM.

Details

Reviewers
dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
rnkovacs
Commits
rGf83d547989c2: [analyzer] NFC: Track all constructed objects in a single state trait.
rC333719: [analyzer] NFC: Track all constructed objects in a single state trait.
rL333719: [analyzer] NFC: Track all constructed objects in a single state trait.
Summary

As noticed in http://lists.llvm.org/pipermail/cfe-dev/2018-May/058055.html we need a path-sensitive program state trait that for, essentially, every constructed object maintains the region of that object until the statement that consumes the object is encountered.

We already have such trait for new-expressions and bind/materialize temporary expressions, which are three separate traits. Because we plan to add more, it doesn't make sense to maintain that many traits that do the same thing in different circumstances, so i guess it's better to merge them into a single multi-purpose trait. "Multi-purpose" is definitely not the top buzzword in programming, but here i believe it's worth it because the underlying reasoning for needing these traits and needing them to work in a particular manner is the same. We need them because our constructor expressions are turned inside out, and we need a better connection between "inside" and "out" in both directions. One of these directions is handled by the ConstructionContext; the other is path-sensitive.

I've switched to using SVals as values of the trait because new-expressions need that and it seems to be comfortable in most situations. When the value is always a region, assertions are inserted.

No functional change intended here; this is a refactoring pass.

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.May 23 2018, 5:58 PM
Herald added subscribers: cfe-commits, baloghadamsoftware. · View Herald TranscriptMay 23 2018, 5:58 PM
NoQ edited the summary of this revision. (Show Details)May 23 2018, 6:01 PM
NoQ added a child revision: D47304: [analyzer] NFC: Merge the functions for obtaining constructed object location and storing this location for later use..May 23 2018, 6:08 PM
george.karpenkov requested changes to this revision.May 23 2018, 6:17 PM

Definitely looks much cleaner, some nits inline. Can we protect against API misuse?

include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
769 ↗(On Diff #148324)

Should we somehow assert that those functions are called in the correct order? What will happen if e.g. finishObjectConstruction is called twice with the same statement?

lib/StaticAnalyzer/Core/ExprEngine.cpp
101 ↗(On Diff #148324)

The comment seems incorrect, the map is not only answering the "whether" question, it also maps those pairs into --- (their regions where these objects are constructed into?)

377 ↗(On Diff #148324)

nitpick: most C++ containers eliminate the need for two lookups by allowing the get method to return a reference. I'm not sure whether this can be done here though.

This revision now requires changes to proceed.May 23 2018, 6:17 PM
NoQ updated this revision to Diff 148692.May 25 2018, 5:03 PM
NoQ marked 3 inline comments as done.

Fix review comments.

lib/StaticAnalyzer/Core/ExprEngine.cpp
377 ↗(On Diff #148324)

It's likely to be harder than usual because one doesn't simply obtain a non-const reference to an object from an immutable map.

That's said, it's quite unimportant what do we do if the object is already there.

george.karpenkov accepted this revision.May 28 2018, 5:01 PM
This revision is now accepted and ready to land.May 28 2018, 5:01 PM
Closed by commit rL333719: [analyzer] NFC: Track all constructed objects in a single state trait. (authored by NoQ). · Explain WhyMay 31 2018, 7:04 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptMay 31 2018, 7:04 PM

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
86 lines
lib/
StaticAnalyzer/
Core/
330 lines
67 lines
13 lines

Diff 149391

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 LinesShow All 747 Lines▼ Show 20 Linesprivate:
/// statement created a temporary object region rather than directly /// statement created a temporary object region rather than directly
/// constructing into an existing region. /// constructing into an existing region.
const CXXConstructExpr *findDirectConstructorForCurrentCFGElement(); const CXXConstructExpr *findDirectConstructorForCurrentCFGElement();
/// For a given constructor, look forward in the current CFG block to /// For a given constructor, look forward in the current CFG block to
/// determine the region into which an object will be constructed by \p CE. /// determine the region into which an object will be constructed by \p CE.
/// When the lookahead fails, a temporary region is returned, and the /// When the lookahead fails, a temporary region is returned, and the
/// IsConstructorWithImproperlyModeledTargetRegion flag is set in \p CallOpts. /// IsConstructorWithImproperlyModeledTargetRegion flag is set in \p CallOpts.
const MemRegion *getRegionForConstructedObject(const CXXConstructExpr *CE, SVal getLocationForConstructedObject(const CXXConstructExpr *CE,
ExplodedNode *Pred, ExplodedNode *Pred,
const ConstructionContext *CC, const ConstructionContext *CC,
EvalCallOptions &CallOpts); EvalCallOptions &CallOpts);
/// Store the region of a C++ temporary object corresponding to a /// Store the location of a C++ object corresponding to a statement
/// CXXBindTemporaryExpr for later destruction. /// until the statement is actually encountered. For example, if a DeclStmt
static ProgramStateRef addInitializedTemporary( /// has CXXConstructExpr as its initializer, the object would be considered
ProgramStateRef State, const CXXBindTemporaryExpr *BTE, /// to be "under construction" between CXXConstructExpr and DeclStmt.
const LocationContext *LC, const CXXTempObjectRegion *R); /// This allows, among other things, to keep bindings to variable's fields
/// made within the constructor alive until its declaration actually
/// goes into scope.
static ProgramStateRef addObjectUnderConstruction(
ProgramStateRef State, const Stmt *S,
const LocationContext *LC, SVal V);
/// Mark the object sa fully constructed, cleaning up the state trait
/// that tracks objects under construction.
static ProgramStateRef finishObjectConstruction(ProgramStateRef State,
const Stmt *S,
const LocationContext *LC);
/// If the given statement corresponds to an object under construction,
/// being part of its construciton context, retrieve that object's location.
static Optional<SVal> getObjectUnderConstruction(ProgramStateRef State,
const Stmt *S,
const LocationContext *LC);
/// Check if all initialized temporary regions are clear for the given /// Check if all objects under construction have been fully constructed
/// context range (including FromLC, not including ToLC). /// for the given context range (including FromLC, not including ToLC).
/// This is useful for assertions. /// This is useful for assertions.
static bool areInitializedTemporariesClear(ProgramStateRef State, static bool areAllObjectsFullyConstructed(ProgramStateRef State,
const LocationContext *FromLC,
const LocationContext *ToLC);
/// Store the region of a C++ temporary object corresponding to a
/// CXXBindTemporaryExpr for later destruction.
static ProgramStateRef addTemporaryMaterialization(
ProgramStateRef State, const MaterializeTemporaryExpr *MTE,
const LocationContext *LC, const CXXTempObjectRegion *R);
/// Check if all temporary materialization regions are clear for the given
/// context range (including FromLC, not including ToLC).
/// This is useful for assertions.
static bool areTemporaryMaterializationsClear(ProgramStateRef State,
const LocationContext *FromLC, const LocationContext *FromLC,
const LocationContext *ToLC); const LocationContext *ToLC);
/// Adds an initialized temporary and/or a materialization, whichever is /// Adds an initialized temporary and/or a materialization, whichever is
/// necessary, by looking at the whole construction context. Handles /// necessary, by looking at the whole construction context. Handles
/// function return values, which need the construction context of the parent /// function return values, which need the construction context of the parent
/// stack frame, automagically. /// stack frame, automagically.
ProgramStateRef addAllNecessaryTemporaryInfo( ProgramStateRef markStatementsCorrespondingToConstructedObject(
ProgramStateRef State, const ConstructionContext *CC, ProgramStateRef State, const ConstructionContext *CC,
const LocationContext *LC, const MemRegion *R); const LocationContext *LC, SVal V);
/// Store the region returned by operator new() so that the constructor
/// that follows it knew what location to initialize. The value should be
/// cleared once the respective CXXNewExpr CFGStmt element is processed.
static ProgramStateRef
setCXXNewAllocatorValue(ProgramStateRef State, const CXXNewExpr *CNE,
const LocationContext *CallerLC, SVal V);
/// Retrieve the location returned by the current operator new().
static SVal
getCXXNewAllocatorValue(ProgramStateRef State, const CXXNewExpr *CNE,
const LocationContext *CallerLC);
/// Clear the location returned by the respective operator new(). This needs
/// to be done as soon as CXXNewExpr CFG block is evaluated.
static ProgramStateRef
clearCXXNewAllocatorValue(ProgramStateRef State, const CXXNewExpr *CNE,
const LocationContext *CallerLC);
/// Check if all allocator values are clear for the given context range
/// (including FromLC, not including ToLC). This is useful for assertions.
static bool areCXXNewAllocatorValuesClear(ProgramStateRef State,
const LocationContext *FromLC,
const LocationContext *ToLC);
}; };
/// Traits for storing the call processing policy inside GDM. /// Traits for storing the call processing policy inside GDM.
/// The GDM stores the corresponding CallExpr pointer. /// The GDM stores the corresponding CallExpr pointer.
// FIXME: This does not use the nice trait macros because it must be accessible // FIXME: This does not use the nice trait macros because it must be accessible
// from multiple translation units. // from multiple translation units.
struct ReplayWithoutInlining{}; struct ReplayWithoutInlining{};
template <> template <>
Show All 10 Lines

cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 92 Lines▼ Show 20 LinesSTATISTIC(NumMaxBlockCountReached,
"The # of aborted paths due to reaching the maximum block count in " "The # of aborted paths due to reaching the maximum block count in "
"a top level function"); "a top level function");
STATISTIC(NumMaxBlockCountReachedInInlined, STATISTIC(NumMaxBlockCountReachedInInlined,
"The # of aborted paths due to reaching the maximum block count in " "The # of aborted paths due to reaching the maximum block count in "
"an inlined function"); "an inlined function");
STATISTIC(NumTimesRetriedWithoutInlining, STATISTIC(NumTimesRetriedWithoutInlining,
"The # of times we re-evaluated a call without inlining"); "The # of times we re-evaluated a call without inlining");
using InitializedTemporariesMap =
llvm::ImmutableMap<std::pair<const CXXBindTemporaryExpr *, //===----------------------------------------------------------------------===//
const StackFrameContext *>, // Internal program state traits.
const CXXTempObjectRegion *>; //===----------------------------------------------------------------------===//
// Keeps track of whether CXXBindTemporaryExpr nodes have been evaluated. // When modeling a C++ constructor, for a variety of reasons we need to track
// The StackFrameContext assures that nested calls due to inlined recursive // the location of the object for the duration of its ConstructionContext.
// functions do not interfere. // ObjectsUnderConstruction maps statements within the construction context
REGISTER_TRAIT_WITH_PROGRAMSTATE(InitializedTemporaries, // to the object's location, so that on every such statement the location
InitializedTemporariesMap) // could have been retrieved.
using TemporaryMaterializationMap = typedef std::pair<const Stmt *, const LocationContext *> ConstructedObjectKey;
llvm::ImmutableMap<std::pair<const MaterializeTemporaryExpr *, typedef llvm::ImmutableMap<ConstructedObjectKey, SVal>
const StackFrameContext *>, ObjectsUnderConstructionMap;
const CXXTempObjectRegion *>; REGISTER_TRAIT_WITH_PROGRAMSTATE(ObjectsUnderConstruction,
ObjectsUnderConstructionMap)
// Keeps track of temporaries that will need to be materialized later.
// The StackFrameContext assures that nested calls due to inlined recursive
// functions do not interfere.
REGISTER_TRAIT_WITH_PROGRAMSTATE(TemporaryMaterializations,
TemporaryMaterializationMap)
using CXXNewAllocatorValuesMap =
llvm::ImmutableMap<std::pair<const CXXNewExpr *, const LocationContext *>,
SVal>;
// Keeps track of return values of various operator new() calls between
// evaluation of the inlined operator new(), through the constructor call,
// to the actual evaluation of the CXXNewExpr.
// TODO: Refactor the key for this trait into a LocationContext sub-class,
// which would be put on the stack of location contexts before operator new()
// is evaluated, and removed from the stack when the whole CXXNewExpr
// is fully evaluated.
// Probably do something similar to the previous trait as well.
REGISTER_TRAIT_WITH_PROGRAMSTATE(CXXNewAllocatorValues,
CXXNewAllocatorValuesMap)
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Engine construction and deletion. // Engine construction and deletion.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static const char* TagProviderName = "ExprEngine"; static const char* TagProviderName = "ExprEngine";
ExprEngine::ExprEngine(cross_tu::CrossTranslationUnitContext &CTU, ExprEngine::ExprEngine(cross_tu::CrossTranslationUnitContext &CTU,
▲ Show 20 LinesShow All 162 Lines▼ Show 20 LinesExprEngine::createTemporaryRegionIfNeeded(ProgramStateRef State,
// Take the region for Init, i.e. for the whole object. If we do not remember // Take the region for Init, i.e. for the whole object. If we do not remember
// the region in which the object originally was constructed, come up with // the region in which the object originally was constructed, come up with
// a new temporary region out of thin air and copy the contents of the object // a new temporary region out of thin air and copy the contents of the object
// (which are currently present in the Environment, because Init is an rvalue) // (which are currently present in the Environment, because Init is an rvalue)
// into that region. This is not correct, but it is better than nothing. // into that region. This is not correct, but it is better than nothing.
bool FoundOriginalMaterializationRegion = false; bool FoundOriginalMaterializationRegion = false;
const TypedValueRegion *TR = nullptr; const TypedValueRegion *TR = nullptr;
if (const auto *MT = dyn_cast<MaterializeTemporaryExpr>(Result)) { if (const auto *MT = dyn_cast<MaterializeTemporaryExpr>(Result)) {
auto Key = std::make_pair(MT, LC->getCurrentStackFrame()); if (Optional<SVal> V = getObjectUnderConstruction(State, MT, LC)) {
if (const CXXTempObjectRegion *const *TRPtr =
State->get<TemporaryMaterializations>(Key)) {
FoundOriginalMaterializationRegion = true; FoundOriginalMaterializationRegion = true;
TR = *TRPtr; TR = cast<CXXTempObjectRegion>(V->getAsRegion());
assert(TR); assert(TR);
State = State->remove<TemporaryMaterializations>(Key); State = finishObjectConstruction(State, MT, LC);
} else { } else {
StorageDuration SD = MT->getStorageDuration(); StorageDuration SD = MT->getStorageDuration();
// If this object is bound to a reference with static storage duration, we // If this object is bound to a reference with static storage duration, we
// put it in a different region to prevent "address leakage" warnings. // put it in a different region to prevent "address leakage" warnings.
if (SD == SD_Static || SD == SD_Thread) { if (SD == SD_Static || SD == SD_Thread) {
TR = MRMgr.getCXXStaticTempObjectRegion(Init); TR = MRMgr.getCXXStaticTempObjectRegion(Init);
} else { } else {
TR = MRMgr.getCXXTempObjectRegion(Init, LC); TR = MRMgr.getCXXTempObjectRegion(Init, LC);
▲ Show 20 LinesShow All 64 Lines▼ Show 20 LinesExprEngine::createTemporaryRegionIfNeeded(ProgramStateRef State,
if (!FoundOriginalMaterializationRegion) { if (!FoundOriginalMaterializationRegion) {
// Notify checkers once for two bindLoc()s. // Notify checkers once for two bindLoc()s.
State = processRegionChange(State, TR, LC); State = processRegionChange(State, TR, LC);
} }
return State; return State;
} }
ProgramStateRef ExprEngine::addInitializedTemporary( ProgramStateRef
ProgramStateRef State, const CXXBindTemporaryExpr *BTE, ExprEngine::addObjectUnderConstruction(ProgramStateRef State, const Stmt *S,
const LocationContext *LC, const CXXTempObjectRegion *R) { const LocationContext *LC, SVal V) {
const auto &Key = std::make_pair(BTE, LC->getCurrentStackFrame()); ConstructedObjectKey Key(S, LC->getCurrentStackFrame());
if (!State->contains<InitializedTemporaries>(Key)) {
return State->set<InitializedTemporaries>(Key, R);
}
// FIXME: Currently the state might already contain the marker due to // FIXME: Currently the state might already contain the marker due to
// incorrect handling of temporaries bound to default parameters; for // incorrect handling of temporaries bound to default parameters.
// those, we currently skip the CXXBindTemporaryExpr but rely on adding assert(!State->get<ObjectsUnderConstruction>(Key) ||
// temporary destructor nodes. Otherwise, this branch should be unreachable. isa<CXXBindTemporaryExpr>(S));
return State; return State->set<ObjectsUnderConstruction>(Key, V);
} }
bool ExprEngine::areInitializedTemporariesClear(ProgramStateRef State, Optional<SVal> ExprEngine::getObjectUnderConstruction(ProgramStateRef State,
const LocationContext *FromLC, const Stmt *S, const LocationContext *LC) {
const LocationContext *ToLC) { ConstructedObjectKey Key(S, LC->getCurrentStackFrame());
const LocationContext *LC = FromLC; return Optional<SVal>::create(State->get<ObjectsUnderConstruction>(Key));
while (LC != ToLC) {
assert(LC && "ToLC must be a parent of FromLC!");
for (auto I : State->get<InitializedTemporaries>())
if (I.first.second == LC)
return false;
LC = LC->getParent();
}
return true;
} }
ProgramStateRef ExprEngine::addTemporaryMaterialization( ProgramStateRef ExprEngine::finishObjectConstruction(ProgramStateRef State,
ProgramStateRef State, const MaterializeTemporaryExpr *MTE, const Stmt *S, const LocationContext *LC) {
const LocationContext *LC, const CXXTempObjectRegion *R) { ConstructedObjectKey Key(S, LC->getCurrentStackFrame());
const auto &Key = std::make_pair(MTE, LC->getCurrentStackFrame()); assert(State->contains<ObjectsUnderConstruction>(Key));
assert(!State->contains<TemporaryMaterializations>(Key)); return State->remove<ObjectsUnderConstruction>(Key);
return State->set<TemporaryMaterializations>(Key, R);
} }
bool ExprEngine::areTemporaryMaterializationsClear( bool ExprEngine::areAllObjectsFullyConstructed(ProgramStateRef State,
ProgramStateRef State, const LocationContext *FromLC, const LocationContext *FromLC,
const LocationContext *ToLC) { const LocationContext *ToLC) {
const LocationContext *LC = FromLC; const LocationContext *LC = FromLC;
while (LC != ToLC) { while (LC != ToLC) {
assert(LC && "ToLC must be a parent of FromLC!"); assert(LC && "ToLC must be a parent of FromLC!");
for (auto I : State->get<TemporaryMaterializations>()) for (auto I : State->get<ObjectsUnderConstruction>())
if (I.first.second == LC) if (I.first.second == LC)
return false; return false;
LC = LC->getParent(); LC = LC->getParent();
} }
return true; return true;
} }
ProgramStateRef ExprEngine::addAllNecessaryTemporaryInfo( ProgramStateRef ExprEngine::markStatementsCorrespondingToConstructedObject(
ProgramStateRef State, const ConstructionContext *CC, ProgramStateRef State, const ConstructionContext *CC,
const LocationContext *LC, const MemRegion *R) { const LocationContext *LC, SVal V) {
const CXXBindTemporaryExpr *BTE = nullptr;
const MaterializeTemporaryExpr *MTE = nullptr;
if (CC) { if (CC) {
// If the temporary is being returned from the function, it will be // If the temporary is being returned from the function, it will be
// destroyed or lifetime-extended in the caller stack frame. // destroyed or lifetime-extended in the caller stack frame.
if (isa<ReturnedValueConstructionContext>(CC)) { if (isa<ReturnedValueConstructionContext>(CC)) {
const StackFrameContext *SFC = LC->getCurrentStackFrame(); const StackFrameContext *SFC = LC->getCurrentStackFrame();
assert(SFC); assert(SFC);
LC = SFC->getParent(); LC = SFC->getParent();
if (!LC) { if (!LC) {
Show All 24 Lines if (isa<ReturnedValueConstructionContext>(CC)) {
// stack frames before finally settling in a temporary. // stack frames before finally settling in a temporary.
// We don't seem to need to explicitly support construction into // We don't seem to need to explicitly support construction into
// a variable after a return. // a variable after a return.
return State; return State;
} }
// Proceed to deal with the temporary we've found on the parent // Proceed to deal with the temporary we've found on the parent
// stack frame. // stack frame.
} }
// In case of temporary object construction, extract data necessary for // In case of temporary object construction, extract data necessary for
// destruction and lifetime extension. // destruction and lifetime extension.
if (const auto *TCC = dyn_cast<TemporaryObjectConstructionContext>(CC)) { if (const auto *TCC = dyn_cast<TemporaryObjectConstructionContext>(CC)) {
if (AMgr.getAnalyzerOptions().includeTemporaryDtorsInCFG()) { if (AMgr.getAnalyzerOptions().includeTemporaryDtorsInCFG()) {
BTE = TCC->getCXXBindTemporaryExpr(); const CXXBindTemporaryExpr *BTE =
MTE = TCC->getMaterializedTemporaryExpr(); TCC->getCXXBindTemporaryExpr();
const MaterializeTemporaryExpr *MTE =
TCC->getMaterializedTemporaryExpr();
if (!BTE) { if (!BTE) {
// FIXME: Lifetime extension for temporaries without destructors // FIXME: Lifetime extension for temporaries without destructors
// is not implemented yet. // is not implemented yet.
MTE = nullptr; MTE = nullptr;
} }
if (MTE && MTE->getStorageDuration() != SD_FullExpression) { if (MTE && MTE->getStorageDuration() != SD_FullExpression) {
// If the temporary is lifetime-extended, don't save the BTE, // If the temporary is lifetime-extended, don't save the BTE,
// because we don't need a temporary destructor, but an automatic // because we don't need a temporary destructor, but an automatic
// destructor. // destructor.
BTE = nullptr; BTE = nullptr;
} }
}
}
if (BTE) {
State = addInitializedTemporary(State, BTE, LC,
cast<CXXTempObjectRegion>(R));
}
if (MTE) { if (BTE)
State = addTemporaryMaterialization(State, MTE, LC, State = addObjectUnderConstruction(State, BTE, LC, V);
cast<CXXTempObjectRegion>(R));
}
}
return State; if (MTE)
State = addObjectUnderConstruction(State, MTE, LC, V);
} }
ProgramStateRef
ExprEngine::setCXXNewAllocatorValue(ProgramStateRef State,
const CXXNewExpr *CNE,
const LocationContext *CallerLC, SVal V) {
assert(!State->get<CXXNewAllocatorValues>(std::make_pair(CNE, CallerLC)) &&
"Allocator value already set!");
return State->set<CXXNewAllocatorValues>(std::make_pair(CNE, CallerLC), V);
} }
SVal ExprEngine::getCXXNewAllocatorValue(ProgramStateRef State,
const CXXNewExpr *CNE,
const LocationContext *CallerLC) {
return *State->get<CXXNewAllocatorValues>(std::make_pair(CNE, CallerLC));
} }
ProgramStateRef return State;
ExprEngine::clearCXXNewAllocatorValue(ProgramStateRef State,
const CXXNewExpr *CNE,
const LocationContext *CallerLC) {
return State->remove<CXXNewAllocatorValues>(std::make_pair(CNE, CallerLC));
} }
bool ExprEngine::areCXXNewAllocatorValuesClear(ProgramStateRef State,
const LocationContext *FromLC,
const LocationContext *ToLC) {
const LocationContext *LC = FromLC;
while (LC != ToLC) {
assert(LC && "ToLC must be a parent of FromLC!");
for (auto I : State->get<CXXNewAllocatorValues>())
if (I.first.second == LC)
return false;
LC = LC->getParent();
}
return true;
}
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Top-level transfer function logic (Dispatcher). // Top-level transfer function logic (Dispatcher).
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
/// evalAssume - Called by ConstraintManager. Used to call checker-specific /// evalAssume - Called by ConstraintManager. Used to call checker-specific
/// logic for handling assumptions on symbolic values. /// logic for handling assumptions on symbolic values.
ProgramStateRef ExprEngine::processAssume(ProgramStateRef state, ProgramStateRef ExprEngine::processAssume(ProgramStateRef state,
SVal cond, bool assumption) { SVal cond, bool assumption) {
return getCheckerManager().runCheckersForEvalAssume(state, cond, assumption); return getCheckerManager().runCheckersForEvalAssume(state, cond, assumption);
} }
ProgramStateRef ProgramStateRef
ExprEngine::processRegionChanges(ProgramStateRef state, ExprEngine::processRegionChanges(ProgramStateRef state,
const InvalidatedSymbols *invalidated, const InvalidatedSymbols *invalidated,
ArrayRef<const MemRegion *> Explicits, ArrayRef<const MemRegion *> Explicits,
ArrayRef<const MemRegion *> Regions, ArrayRef<const MemRegion *> Regions,
const LocationContext *LCtx, const LocationContext *LCtx,
const CallEvent *Call) { const CallEvent *Call) {
return getCheckerManager().runCheckersForRegionChanges(state, invalidated, return getCheckerManager().runCheckersForRegionChanges(state, invalidated,
Explicits, Regions, Explicits, Regions,
LCtx, Call); LCtx, Call);
} }
static void printInitializedTemporariesForContext(raw_ostream &Out, static void printObjectsUnderConstructionForContext(raw_ostream &Out,
ProgramStateRef State, ProgramStateRef State,
const char *NL, const char *NL,
const char *Sep, const char *Sep,
const LocationContext *LC) { const LocationContext *LC) {
PrintingPolicy PP = PrintingPolicy PP =
LC->getAnalysisDeclContext()->getASTContext().getPrintingPolicy(); LC->getAnalysisDeclContext()->getASTContext().getPrintingPolicy();
for (auto I : State->get<InitializedTemporaries>()) { for (auto I : State->get<ObjectsUnderConstruction>()) {
std::pair<const CXXBindTemporaryExpr *, const LocationContext *> Key = ConstructedObjectKey Key = I.first;
I.first;
const MemRegion *Value = I.second;
if (Key.second != LC)
continue;
Out << '(' << Key.second << ',' << Key.first << ") ";
Key.first->printPretty(Out, nullptr, PP);
if (Value)
Out << " : " << Value;
Out << NL;
}
}
static void printTemporaryMaterializationsForContext(
raw_ostream &Out, ProgramStateRef State, const char *NL, const char *Sep,
const LocationContext *LC) {
PrintingPolicy PP =
LC->getAnalysisDeclContext()->getASTContext().getPrintingPolicy();
for (auto I : State->get<TemporaryMaterializations>()) {
std::pair<const MaterializeTemporaryExpr *, const LocationContext *> Key =
I.first;
const MemRegion *Value = I.second;
if (Key.second != LC)
continue;
Out << '(' << Key.second << ',' << Key.first << ") ";
Key.first->printPretty(Out, nullptr, PP);
assert(Value);
Out << " : " << Value << NL;
}
}
static void printCXXNewAllocatorValuesForContext(raw_ostream &Out,
ProgramStateRef State,
const char *NL,
const char *Sep,
const LocationContext *LC) {
PrintingPolicy PP =
LC->getAnalysisDeclContext()->getASTContext().getPrintingPolicy();
for (auto I : State->get<CXXNewAllocatorValues>()) {
std::pair<const CXXNewExpr *, const LocationContext *> Key = I.first;
SVal Value = I.second; SVal Value = I.second;
if (Key.second != LC) if (Key.second != LC)
continue; continue;
Out << '(' << Key.second << ',' << Key.first << ") "; Out << '(' << Key.second << ',' << Key.first << ") ";
Key.first->printPretty(Out, nullptr, PP); Key.first->printPretty(Out, nullptr, PP);
Out << " : " << Value << NL; Out << " : " << Value << NL;
} }
} }
void ExprEngine::printState(raw_ostream &Out, ProgramStateRef State, void ExprEngine::printState(raw_ostream &Out, ProgramStateRef State,
const char *NL, const char *Sep, const char *NL, const char *Sep,
const LocationContext *LCtx) { const LocationContext *LCtx) {
if (LCtx) { if (LCtx) {
if (!State->get<InitializedTemporaries>().isEmpty()) { if (!State->get<ObjectsUnderConstruction>().isEmpty()) {
Out << Sep << "Initialized temporaries:" << NL; Out << Sep << "Objects under construction:" << NL;
LCtx->dumpStack(Out, "", NL, Sep, [&](const LocationContext *LC) {
printInitializedTemporariesForContext(Out, State, NL, Sep, LC);
});
}
if (!State->get<TemporaryMaterializations>().isEmpty()) {
Out << Sep << "Temporaries to be materialized:" << NL;
LCtx->dumpStack(Out, "", NL, Sep, [&](const LocationContext *LC) { LCtx->dumpStack(Out, "", NL, Sep, [&](const LocationContext *LC) {
printTemporaryMaterializationsForContext(Out, State, NL, Sep, LC); printObjectsUnderConstructionForContext(Out, State, NL, Sep, LC);
});
}
if (!State->get<CXXNewAllocatorValues>().isEmpty()) {
Out << Sep << "operator new() allocator return values:" << NL;
LCtx->dumpStack(Out, "", NL, Sep, [&](const LocationContext *LC) {
printCXXNewAllocatorValuesForContext(Out, State, NL, Sep, LC);
}); });
} }
} }
getCheckerManager().runCheckersForPrintState(Out, State, NL, Sep); getCheckerManager().runCheckersForPrintState(Out, State, NL, Sep);
} }
void ExprEngine::processEndWorklist(bool hasWorkRemaining) { void ExprEngine::processEndWorklist(bool hasWorkRemaining) {
▲ Show 20 LinesShow All 87 Lines▼ Show 20 Lines if (!ReferenceStmt) {
assert(K == ProgramPoint::PostStmtPurgeDeadSymbolsKind && assert(K == ProgramPoint::PostStmtPurgeDeadSymbolsKind &&
"Use PostStmtPurgeDeadSymbolsKind for clearing a LocationContext"); "Use PostStmtPurgeDeadSymbolsKind for clearing a LocationContext");
LC = LC->getParent(); LC = LC->getParent();
} }
const StackFrameContext *SFC = LC ? LC->getCurrentStackFrame() : nullptr; const StackFrameContext *SFC = LC ? LC->getCurrentStackFrame() : nullptr;
SymbolReaper SymReaper(SFC, ReferenceStmt, SymMgr, getStoreManager()); SymbolReaper SymReaper(SFC, ReferenceStmt, SymMgr, getStoreManager());
for (auto I : CleanedState->get<InitializedTemporaries>()) for (auto I : CleanedState->get<ObjectsUnderConstruction>()) {
if (I.second)
SymReaper.markLive(I.second);
for (auto I : CleanedState->get<TemporaryMaterializations>())
if (I.second)
SymReaper.markLive(I.second);
for (auto I : CleanedState->get<CXXNewAllocatorValues>()) {
if (SymbolRef Sym = I.second.getAsSymbol()) if (SymbolRef Sym = I.second.getAsSymbol())
SymReaper.markLive(Sym); SymReaper.markLive(Sym);
if (const MemRegion *MR = I.second.getAsRegion()) if (const MemRegion *MR = I.second.getAsRegion())
SymReaper.markElementIndicesLive(MR); SymReaper.markLive(MR);
} }
getCheckerManager().runCheckersForLiveSymbols(CleanedState, SymReaper); getCheckerManager().runCheckersForLiveSymbols(CleanedState, SymReaper);
// Create a state in which dead bindings are removed from the environment // Create a state in which dead bindings are removed from the environment
// and the store. TODO: The function should just return new env and store, // and the store. TODO: The function should just return new env and store,
// not a new state. // not a new state.
CleanedState = StateMgr.removeDeadBindings(CleanedState, SFC, SymReaper); CleanedState = StateMgr.removeDeadBindings(CleanedState, SFC, SymReaper);
▲ Show 20 LinesShow All 340 Lines▼ Show 20 Lines
void ExprEngine::ProcessTemporaryDtor(const CFGTemporaryDtor D, void ExprEngine::ProcessTemporaryDtor(const CFGTemporaryDtor D,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &Dst) { ExplodedNodeSet &Dst) {
ExplodedNodeSet CleanDtorState; ExplodedNodeSet CleanDtorState;
StmtNodeBuilder StmtBldr(Pred, CleanDtorState, *currBldrCtx); StmtNodeBuilder StmtBldr(Pred, CleanDtorState, *currBldrCtx);
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
const MemRegion *MR = nullptr; const MemRegion *MR = nullptr;
if (const CXXTempObjectRegion *const *MRPtr = if (Optional<SVal> V =
State->get<InitializedTemporaries>(std::make_pair( getObjectUnderConstruction(State, D.getBindTemporaryExpr(),
D.getBindTemporaryExpr(), Pred->getStackFrame()))) { Pred->getLocationContext())) {
// FIXME: Currently we insert temporary destructors for default parameters, // FIXME: Currently we insert temporary destructors for default parameters,
// but we don't insert the constructors, so the entry in // but we don't insert the constructors, so the entry in
// InitializedTemporaries may be missing. // ObjectsUnderConstruction may be missing.
State = State->remove<InitializedTemporaries>( State = finishObjectConstruction(State, D.getBindTemporaryExpr(),
std::make_pair(D.getBindTemporaryExpr(), Pred->getStackFrame())); Pred->getLocationContext());
// *MRPtr may still be null when the construction context for the temporary MR = V->getAsRegion();
// was not implemented.
MR = *MRPtr;
} }
StmtBldr.generateNode(D.getBindTemporaryExpr(), Pred, State); StmtBldr.generateNode(D.getBindTemporaryExpr(), Pred, State);
QualType T = D.getBindTemporaryExpr()->getSubExpr()->getType(); QualType T = D.getBindTemporaryExpr()->getSubExpr()->getType();
// FIXME: Currently CleanDtorState can be empty here due to temporaries being // FIXME: Currently CleanDtorState can be empty here due to temporaries being
// bound to default parameters. // bound to default parameters.
assert(CleanDtorState.size() <= 1); assert(CleanDtorState.size() <= 1);
ExplodedNode *CleanPred = ExplodedNode *CleanPred =
Show All 22 Lines
void ExprEngine::processCleanupTemporaryBranch(const CXXBindTemporaryExpr *BTE, void ExprEngine::processCleanupTemporaryBranch(const CXXBindTemporaryExpr *BTE,
NodeBuilderContext &BldCtx, NodeBuilderContext &BldCtx,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &Dst, ExplodedNodeSet &Dst,
const CFGBlock *DstT, const CFGBlock *DstT,
const CFGBlock *DstF) { const CFGBlock *DstF) {
BranchNodeBuilder TempDtorBuilder(Pred, Dst, BldCtx, DstT, DstF); BranchNodeBuilder TempDtorBuilder(Pred, Dst, BldCtx, DstT, DstF);
if (Pred->getState()->contains<InitializedTemporaries>( ProgramStateRef State = Pred->getState();
std::make_pair(BTE, Pred->getStackFrame()))) { const LocationContext *LC = Pred->getLocationContext();
if (getObjectUnderConstruction(State, BTE, LC)) {
TempDtorBuilder.markInfeasible(false); TempDtorBuilder.markInfeasible(false);
TempDtorBuilder.generateNode(Pred->getState(), true, Pred); TempDtorBuilder.generateNode(State, true, Pred);
} else { } else {
TempDtorBuilder.markInfeasible(true); TempDtorBuilder.markInfeasible(true);
TempDtorBuilder.generateNode(Pred->getState(), false, Pred); TempDtorBuilder.generateNode(State, false, Pred);
} }
} }
void ExprEngine::VisitCXXBindTemporaryExpr(const CXXBindTemporaryExpr *BTE, void ExprEngine::VisitCXXBindTemporaryExpr(const CXXBindTemporaryExpr *BTE,
ExplodedNodeSet &PreVisit, ExplodedNodeSet &PreVisit,
ExplodedNodeSet &Dst) { ExplodedNodeSet &Dst) {
// This is a fallback solution in case we didn't have a construction // This is a fallback solution in case we didn't have a construction
// context when we were constructing the temporary. Otherwise the map should // context when we were constructing the temporary. Otherwise the map should
// have been populated there. // have been populated there.
if (!getAnalysisManager().options.includeTemporaryDtorsInCFG()) { if (!getAnalysisManager().options.includeTemporaryDtorsInCFG()) {
// In case we don't have temporary destructors in the CFG, do not mark // In case we don't have temporary destructors in the CFG, do not mark
// the initialization - we would otherwise never clean it up. // the initialization - we would otherwise never clean it up.
Dst = PreVisit; Dst = PreVisit;
return; return;
} }
StmtNodeBuilder StmtBldr(PreVisit, Dst, *currBldrCtx); StmtNodeBuilder StmtBldr(PreVisit, Dst, *currBldrCtx);
for (ExplodedNode *Node : PreVisit) { for (ExplodedNode *Node : PreVisit) {
ProgramStateRef State = Node->getState(); ProgramStateRef State = Node->getState();
const auto &Key = std::make_pair(BTE, Node->getStackFrame()); const LocationContext *LC = Node->getLocationContext();
if (!getObjectUnderConstruction(State, BTE, LC)) {
if (!State->contains<InitializedTemporaries>(Key)) {
// FIXME: Currently the state might also already contain the marker due to // FIXME: Currently the state might also already contain the marker due to
// incorrect handling of temporaries bound to default parameters; for // incorrect handling of temporaries bound to default parameters; for
// those, we currently skip the CXXBindTemporaryExpr but rely on adding // those, we currently skip the CXXBindTemporaryExpr but rely on adding
// temporary destructor nodes. // temporary destructor nodes.
State = State->set<InitializedTemporaries>(Key, nullptr); State = addObjectUnderConstruction(State, BTE, LC, UnknownVal());
} }
StmtBldr.generateNode(BTE, Node, State); StmtBldr.generateNode(BTE, Node, State);
} }
} }
ProgramStateRef ExprEngine::escapeValue(ProgramStateRef State, SVal V, ProgramStateRef ExprEngine::escapeValue(ProgramStateRef State, SVal V,
PointerEscapeKind K) const { PointerEscapeKind K) const {
class CollectReachableSymbolsCallback final : public SymbolVisitor { class CollectReachableSymbolsCallback final : public SymbolVisitor {
▲ Show 20 LinesShow All 1,074 Lines▼ Show 20 Linesvoid ExprEngine::processBeginOfFunction(NodeBuilderContext &BC,
getCheckerManager().runCheckersForBeginFunction(Dst, L, Pred, *this); getCheckerManager().runCheckersForBeginFunction(Dst, L, Pred, *this);
} }
/// ProcessEndPath - Called by CoreEngine. Used to generate end-of-path /// ProcessEndPath - Called by CoreEngine. Used to generate end-of-path
/// nodes when the control reaches the end of a function. /// nodes when the control reaches the end of a function.
void ExprEngine::processEndOfFunction(NodeBuilderContext& BC, void ExprEngine::processEndOfFunction(NodeBuilderContext& BC,
ExplodedNode *Pred, ExplodedNode *Pred,
const ReturnStmt *RS) { const ReturnStmt *RS) {
// See if we have any stale C++ allocator values.
assert(areCXXNewAllocatorValuesClear(Pred->getState(),
Pred->getLocationContext(),
Pred->getStackFrame()->getParent()));
// FIXME: We currently cannot assert that temporaries are clear, because // FIXME: We currently cannot assert that temporaries are clear, because
// lifetime extended temporaries are not always modelled correctly. In some // lifetime extended temporaries are not always modelled correctly. In some
// cases when we materialize the temporary, we do // cases when we materialize the temporary, we do
// createTemporaryRegionIfNeeded(), and the region changes, and also the // createTemporaryRegionIfNeeded(), and the region changes, and also the
// respective destructor becomes automatic from temporary. So for now clean up // respective destructor becomes automatic from temporary. So for now clean up
// the state manually before asserting. Ideally, the code above the assertion // the state manually before asserting. Ideally, the code above the assertion
// should go away, but the assertion should remain. // should go away, but the assertion should remain.
{ {
ExplodedNodeSet CleanUpTemporaries; ExplodedNodeSet CleanUpObjects;
NodeBuilder Bldr(Pred, CleanUpTemporaries, BC); NodeBuilder Bldr(Pred, CleanUpObjects, BC);
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
const LocationContext *FromLC = Pred->getLocationContext(); const LocationContext *FromLC = Pred->getLocationContext();
const LocationContext *ToLC = FromLC->getCurrentStackFrame()->getParent(); const LocationContext *ToLC = FromLC->getCurrentStackFrame()->getParent();
const LocationContext *LC = FromLC; const LocationContext *LC = FromLC;
while (LC != ToLC) { while (LC != ToLC) {
assert(LC && "ToLC must be a parent of FromLC!"); assert(LC && "ToLC must be a parent of FromLC!");
for (auto I : State->get<InitializedTemporaries>()) for (auto I : State->get<ObjectsUnderConstruction>())
if (I.first.second == LC) if (I.first.second == LC) {
State = State->remove<InitializedTemporaries>(I.first); // The comment above only pardons us for not cleaning up a
// CXXBindTemporaryExpr. If any other statements are found here,
// it must be a separate problem.
assert(isa<CXXBindTemporaryExpr>(I.first.first));
State = State->remove<ObjectsUnderConstruction>(I.first);
}
LC = LC->getParent(); LC = LC->getParent();
} }
if (State != Pred->getState()) { if (State != Pred->getState()) {
Pred = Bldr.generateNode(Pred->getLocation(), State, Pred); Pred = Bldr.generateNode(Pred->getLocation(), State, Pred);
if (!Pred) { if (!Pred) {
// The node with clean temporaries already exists. We might have reached // The node with clean temporaries already exists. We might have reached
// it on a path on which we initialize different temporaries. // it on a path on which we initialize different temporaries.
return; return;
} }
} }
} }
assert(areInitializedTemporariesClear(Pred->getState(), assert(areAllObjectsFullyConstructed(Pred->getState(),
Pred->getLocationContext(),
Pred->getStackFrame()->getParent()));
assert(areTemporaryMaterializationsClear(Pred->getState(),
Pred->getLocationContext(), Pred->getLocationContext(),
Pred->getStackFrame()->getParent())); Pred->getStackFrame()->getParent()));
PrettyStackTraceLocationContext CrashInfo(Pred->getLocationContext()); PrettyStackTraceLocationContext CrashInfo(Pred->getLocationContext());
StateMgr.EndPath(Pred->getState()); StateMgr.EndPath(Pred->getState());
ExplodedNodeSet Dst; ExplodedNodeSet Dst;
if (Pred->getLocationContext()->inTopFrame()) { if (Pred->getLocationContext()->inTopFrame()) {
// Remove dead symbols. // Remove dead symbols.
ExplodedNodeSet AfterRemovedDead; ExplodedNodeSet AfterRemovedDead;
▲ Show 20 LinesShow All 937 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 LinesShow All 105 Lines▼ Show 20 Lines while (const ArrayType *AT = Ctx.getAsArrayType(Ty)) {
LValue = State->getLValue(Ty, SVB.makeZeroArrayIndex(), LValue); LValue = State->getLValue(Ty, SVB.makeZeroArrayIndex(), LValue);
IsArray = true; IsArray = true;
} }
return LValue; return LValue;
} }
const MemRegion * SVal ExprEngine::getLocationForConstructedObject(const CXXConstructExpr *CE,
ExprEngine::getRegionForConstructedObject(const CXXConstructExpr *CE,
ExplodedNode *Pred, ExplodedNode *Pred,
const ConstructionContext *CC, const ConstructionContext *CC,
EvalCallOptions &CallOpts) { EvalCallOptions &CallOpts) {
const LocationContext *LCtx = Pred->getLocationContext(); const LocationContext *LCtx = Pred->getLocationContext();
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
MemRegionManager &MRMgr = getSValBuilder().getRegionManager(); MemRegionManager &MRMgr = getSValBuilder().getRegionManager();
// See if we're constructing an existing region by looking at the // See if we're constructing an existing region by looking at the
// current construction context. // current construction context.
if (CC) { if (CC) {
switch (CC->getKind()) { switch (CC->getKind()) {
case ConstructionContext::SimpleVariableKind: { case ConstructionContext::SimpleVariableKind: {
const auto *DSCC = cast<SimpleVariableConstructionContext>(CC); const auto *DSCC = cast<SimpleVariableConstructionContext>(CC);
const auto *DS = DSCC->getDeclStmt(); const auto *DS = DSCC->getDeclStmt();
const auto *Var = cast<VarDecl>(DS->getSingleDecl()); const auto *Var = cast<VarDecl>(DS->getSingleDecl());
SVal LValue = State->getLValue(Var, LCtx); SVal LValue = State->getLValue(Var, LCtx);
QualType Ty = Var->getType(); QualType Ty = Var->getType();
LValue = return makeZeroElementRegion(State, LValue, Ty,
makeZeroElementRegion(State, LValue, Ty, CallOpts.IsArrayCtorOrDtor); CallOpts.IsArrayCtorOrDtor);
return LValue.getAsRegion();
} }
case ConstructionContext::SimpleConstructorInitializerKind: { case ConstructionContext::SimpleConstructorInitializerKind: {
const auto *ICC = cast<ConstructorInitializerConstructionContext>(CC); const auto *ICC = cast<ConstructorInitializerConstructionContext>(CC);
const auto *Init = ICC->getCXXCtorInitializer(); const auto *Init = ICC->getCXXCtorInitializer();
assert(Init->isAnyMemberInitializer()); assert(Init->isAnyMemberInitializer());
const CXXMethodDecl *CurCtor = cast<CXXMethodDecl>(LCtx->getDecl()); const CXXMethodDecl *CurCtor = cast<CXXMethodDecl>(LCtx->getDecl());
Loc ThisPtr = Loc ThisPtr =
getSValBuilder().getCXXThis(CurCtor, LCtx->getCurrentStackFrame()); getSValBuilder().getCXXThis(CurCtor, LCtx->getCurrentStackFrame());
SVal ThisVal = State->getSVal(ThisPtr); SVal ThisVal = State->getSVal(ThisPtr);
const ValueDecl *Field; const ValueDecl *Field;
SVal FieldVal; SVal FieldVal;
if (Init->isIndirectMemberInitializer()) { if (Init->isIndirectMemberInitializer()) {
Field = Init->getIndirectMember(); Field = Init->getIndirectMember();
FieldVal = State->getLValue(Init->getIndirectMember(), ThisVal); FieldVal = State->getLValue(Init->getIndirectMember(), ThisVal);
} else { } else {
Field = Init->getMember(); Field = Init->getMember();
FieldVal = State->getLValue(Init->getMember(), ThisVal); FieldVal = State->getLValue(Init->getMember(), ThisVal);
} }
QualType Ty = Field->getType(); QualType Ty = Field->getType();
FieldVal = makeZeroElementRegion(State, FieldVal, Ty, FieldVal = makeZeroElementRegion(State, FieldVal, Ty,
CallOpts.IsArrayCtorOrDtor); CallOpts.IsArrayCtorOrDtor);
return FieldVal.getAsRegion(); return FieldVal;
} }
case ConstructionContext::NewAllocatedObjectKind: { case ConstructionContext::NewAllocatedObjectKind: {
if (AMgr.getAnalyzerOptions().mayInlineCXXAllocator()) { if (AMgr.getAnalyzerOptions().mayInlineCXXAllocator()) {
const auto *NECC = cast<NewAllocatedObjectConstructionContext>(CC); const auto *NECC = cast<NewAllocatedObjectConstructionContext>(CC);
const auto *NE = NECC->getCXXNewExpr(); const auto *NE = NECC->getCXXNewExpr();
// TODO: Detect when the allocator returns a null pointer. SVal V = *getObjectUnderConstruction(State, NE, LCtx);
// Constructor shall not be called in this case. if (const SubRegion *MR =
if (const SubRegion *MR = dyn_cast_or_null<SubRegion>( dyn_cast_or_null<SubRegion>(V.getAsRegion())) {
getCXXNewAllocatorValue(State, NE, LCtx).getAsRegion())) {
if (NE->isArray()) { if (NE->isArray()) {
// TODO: In fact, we need to call the constructor for every // TODO: In fact, we need to call the constructor for every
// allocated element, not just the first one! // allocated element, not just the first one!
CallOpts.IsArrayCtorOrDtor = true; CallOpts.IsArrayCtorOrDtor = true;
return getStoreManager().GetElementZeroRegion( return loc::MemRegionVal(getStoreManager().GetElementZeroRegion(
MR, NE->getType()->getPointeeType()); MR, NE->getType()->getPointeeType()));
} }
return MR; return V;
} }
// TODO: Detect when the allocator returns a null pointer.
// Constructor shall not be called in this case.
} }
break; break;
} }
case ConstructionContext::TemporaryObjectKind: { case ConstructionContext::TemporaryObjectKind: {
const auto *TOCC = cast<TemporaryObjectConstructionContext>(CC); const auto *TOCC = cast<TemporaryObjectConstructionContext>(CC);
if (const auto *MTE = TOCC->getMaterializedTemporaryExpr()) { if (const auto *MTE = TOCC->getMaterializedTemporaryExpr()) {
if (const ValueDecl *VD = MTE->getExtendingDecl()) { if (const ValueDecl *VD = MTE->getExtendingDecl()) {
// Pattern-match various forms of lifetime extension that aren't // Pattern-match various forms of lifetime extension that aren't
Show All 14 Lines case ConstructionContext::TemporaryObjectKind: {
// Automatic destructors aren't quite working in this case. // Automatic destructors aren't quite working in this case.
CallOpts.IsTemporaryLifetimeExtendedViaAggregate = true; CallOpts.IsTemporaryLifetimeExtendedViaAggregate = true;
} }
} }
} }
// TODO: Support temporaries lifetime-extended via static references. // TODO: Support temporaries lifetime-extended via static references.
// They'd need a getCXXStaticTempObjectRegion(). // They'd need a getCXXStaticTempObjectRegion().
CallOpts.IsTemporaryCtorOrDtor = true; CallOpts.IsTemporaryCtorOrDtor = true;
return MRMgr.getCXXTempObjectRegion(CE, LCtx); return loc::MemRegionVal(MRMgr.getCXXTempObjectRegion(CE, LCtx));
} }
case ConstructionContext::SimpleReturnedValueKind: { case ConstructionContext::SimpleReturnedValueKind: {
// The temporary is to be managed by the parent stack frame. // The temporary is to be managed by the parent stack frame.
// So build it in the parent stack frame if we're not in the // So build it in the parent stack frame if we're not in the
// top frame of the analysis. // top frame of the analysis.
// TODO: What exactly happens when we are? Does the temporary object live // TODO: What exactly happens when we are? Does the temporary object live
// long enough in the region store in this case? Would checkers think // long enough in the region store in this case? Would checkers think
// that this object immediately goes out of scope? // that this object immediately goes out of scope?
const LocationContext *TempLCtx = LCtx; const LocationContext *TempLCtx = LCtx;
const StackFrameContext *SFC = LCtx->getCurrentStackFrame(); const StackFrameContext *SFC = LCtx->getCurrentStackFrame();
if (const LocationContext *CallerLCtx = SFC->getParent()) { if (const LocationContext *CallerLCtx = SFC->getParent()) {
auto RTC = (*SFC->getCallSiteBlock())[SFC->getIndex()] auto RTC = (*SFC->getCallSiteBlock())[SFC->getIndex()]
.getAs<CFGCXXRecordTypedCall>(); .getAs<CFGCXXRecordTypedCall>();
if (!RTC) { if (!RTC) {
// We were unable to find the correct construction context for the // We were unable to find the correct construction context for the
// call in the parent stack frame. This is equivalent to not being // call in the parent stack frame. This is equivalent to not being
// able to find construction context at all. // able to find construction context at all.
CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true; CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true;
} else if (!isa<TemporaryObjectConstructionContext>( } else if (!isa<TemporaryObjectConstructionContext>(
RTC->getConstructionContext())) { RTC->getConstructionContext())) {
// FXIME: The return value is constructed directly into a // FIXME: The return value is constructed directly into a
// non-temporary due to C++17 mandatory copy elision. This is not // non-temporary due to C++17 mandatory copy elision. This is not
// implemented yet. // implemented yet.
assert(getContext().getLangOpts().CPlusPlus17); assert(getContext().getLangOpts().CPlusPlus17);
CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true; CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true;
} }
TempLCtx = CallerLCtx; TempLCtx = CallerLCtx;
} }
CallOpts.IsTemporaryCtorOrDtor = true; CallOpts.IsTemporaryCtorOrDtor = true;
return MRMgr.getCXXTempObjectRegion(CE, TempLCtx); return loc::MemRegionVal(MRMgr.getCXXTempObjectRegion(CE, TempLCtx));
} }
case ConstructionContext::CXX17ElidedCopyVariableKind: case ConstructionContext::CXX17ElidedCopyVariableKind:
case ConstructionContext::CXX17ElidedCopyReturnedValueKind: case ConstructionContext::CXX17ElidedCopyReturnedValueKind:
case ConstructionContext::CXX17ElidedCopyConstructorInitializerKind: case ConstructionContext::CXX17ElidedCopyConstructorInitializerKind:
// Not implemented yet. // Not implemented yet.
break; break;
} }
} }
// If we couldn't find an existing region to construct into, assume we're // If we couldn't find an existing region to construct into, assume we're
// constructing a temporary. Notify the caller of our failure. // constructing a temporary. Notify the caller of our failure.
CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true; CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true;
return MRMgr.getCXXTempObjectRegion(CE, LCtx); return loc::MemRegionVal(MRMgr.getCXXTempObjectRegion(CE, LCtx));
} }
const CXXConstructExpr * const CXXConstructExpr *
ExprEngine::findDirectConstructorForCurrentCFGElement() { ExprEngine::findDirectConstructorForCurrentCFGElement() {
// Go backward in the CFG to see if the previous element (ignoring // Go backward in the CFG to see if the previous element (ignoring
// destructors) was a CXXConstructExpr. If so, that constructor // destructors) was a CXXConstructExpr. If so, that constructor
// was constructed directly into an existing region. // was constructed directly into an existing region.
// This process is essentially the inverse of that performed in // This process is essentially the inverse of that performed in
Show All 21 Lines
} }
void ExprEngine::VisitCXXConstructExpr(const CXXConstructExpr *CE, void ExprEngine::VisitCXXConstructExpr(const CXXConstructExpr *CE,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &destNodes) { ExplodedNodeSet &destNodes) {
const LocationContext *LCtx = Pred->getLocationContext(); const LocationContext *LCtx = Pred->getLocationContext();
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
const MemRegion *Target = nullptr; SVal Target = UnknownVal();
// FIXME: Handle arrays, which run the same constructor for every element. // FIXME: Handle arrays, which run the same constructor for every element.
// For now, we just run the first constructor (which should still invalidate // For now, we just run the first constructor (which should still invalidate
// the entire array). // the entire array).
EvalCallOptions CallOpts; EvalCallOptions CallOpts;
auto C = getCurrentCFGElement().getAs<CFGConstructor>(); auto C = getCurrentCFGElement().getAs<CFGConstructor>();
assert(C || getCurrentCFGElement().getAs<CFGStmt>()); assert(C || getCurrentCFGElement().getAs<CFGStmt>());
const ConstructionContext *CC = C ? C->getConstructionContext() : nullptr; const ConstructionContext *CC = C ? C->getConstructionContext() : nullptr;
switch (CE->getConstructionKind()) { switch (CE->getConstructionKind()) {
case CXXConstructExpr::CK_Complete: { case CXXConstructExpr::CK_Complete: {
Target = getRegionForConstructedObject(CE, Pred, CC, CallOpts); Target = getLocationForConstructedObject(CE, Pred, CC, CallOpts);
break; break;
} }
case CXXConstructExpr::CK_VirtualBase: case CXXConstructExpr::CK_VirtualBase:
// Make sure we are not calling virtual base class initializers twice. // Make sure we are not calling virtual base class initializers twice.
// Only the most-derived object should initialize virtual base classes. // Only the most-derived object should initialize virtual base classes.
if (const Stmt *Outer = LCtx->getCurrentStackFrame()->getCallSite()) { if (const Stmt *Outer = LCtx->getCurrentStackFrame()->getCallSite()) {
const CXXConstructExpr *OuterCtor = dyn_cast<CXXConstructExpr>(Outer); const CXXConstructExpr *OuterCtor = dyn_cast<CXXConstructExpr>(Outer);
if (OuterCtor) { if (OuterCtor) {
Show All 19 Lines case CXXConstructExpr::CK_NonVirtualBase:
// correspond to surrounding aggregate initializations. // correspond to surrounding aggregate initializations.
// FIXME: For now this code essentially bails out. We need to find the // FIXME: For now this code essentially bails out. We need to find the
// correct target region and set it. // correct target region and set it.
// FIXME: Instead of relying on the ParentMap, we should have the // FIXME: Instead of relying on the ParentMap, we should have the
// trigger-statement (InitListExpr in this case) passed down from CFG or // trigger-statement (InitListExpr in this case) passed down from CFG or
// otherwise always available during construction. // otherwise always available during construction.
if (dyn_cast_or_null<InitListExpr>(LCtx->getParentMap().getParent(CE))) { if (dyn_cast_or_null<InitListExpr>(LCtx->getParentMap().getParent(CE))) {
MemRegionManager &MRMgr = getSValBuilder().getRegionManager(); MemRegionManager &MRMgr = getSValBuilder().getRegionManager();
Target = MRMgr.getCXXTempObjectRegion(CE, LCtx); Target = loc::MemRegionVal(MRMgr.getCXXTempObjectRegion(CE, LCtx));
CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true; CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true;
break; break;
} }
// FALLTHROUGH // FALLTHROUGH
case CXXConstructExpr::CK_Delegating: { case CXXConstructExpr::CK_Delegating: {
const CXXMethodDecl *CurCtor = cast<CXXMethodDecl>(LCtx->getDecl()); const CXXMethodDecl *CurCtor = cast<CXXMethodDecl>(LCtx->getDecl());
Loc ThisPtr = getSValBuilder().getCXXThis(CurCtor, Loc ThisPtr = getSValBuilder().getCXXThis(CurCtor,
LCtx->getCurrentStackFrame()); LCtx->getCurrentStackFrame());
SVal ThisVal = State->getSVal(ThisPtr); SVal ThisVal = State->getSVal(ThisPtr);
if (CE->getConstructionKind() == CXXConstructExpr::CK_Delegating) { if (CE->getConstructionKind() == CXXConstructExpr::CK_Delegating) {
Target = ThisVal.getAsRegion(); Target = ThisVal;
} else { } else {
// Cast to the base type. // Cast to the base type.
bool IsVirtual = bool IsVirtual =
(CE->getConstructionKind() == CXXConstructExpr::CK_VirtualBase); (CE->getConstructionKind() == CXXConstructExpr::CK_VirtualBase);
SVal BaseVal = getStoreManager().evalDerivedToBase(ThisVal, CE->getType(), SVal BaseVal = getStoreManager().evalDerivedToBase(ThisVal, CE->getType(),
IsVirtual); IsVirtual);
Target = BaseVal.getAsRegion(); Target = BaseVal;
} }
break; break;
} }
} }
CallEventManager &CEMgr = getStateManager().getCallEventManager(); CallEventManager &CEMgr = getStateManager().getCallEventManager();
CallEventRef<CXXConstructorCall> Call = CallEventRef<CXXConstructorCall> Call =
CEMgr.getCXXConstructorCall(CE, Target, State, LCtx); CEMgr.getCXXConstructorCall(CE, Target.getAsRegion(), State, LCtx);
ExplodedNodeSet DstPreVisit; ExplodedNodeSet DstPreVisit;
getCheckerManager().runCheckersForPreStmt(DstPreVisit, Pred, CE, *this); getCheckerManager().runCheckersForPreStmt(DstPreVisit, Pred, CE, *this);
// FIXME: Is it possible and/or useful to do this before PreStmt? // FIXME: Is it possible and/or useful to do this before PreStmt?
ExplodedNodeSet PreInitialized; ExplodedNodeSet PreInitialized;
{ {
StmtNodeBuilder Bldr(DstPreVisit, PreInitialized, *currBldrCtx); StmtNodeBuilder Bldr(DstPreVisit, PreInitialized, *currBldrCtx);
Show All 9 Lines for (ExplodedNodeSet::iterator I = DstPreVisit.begin(),
// to handle random fields of a placement-initialized object picking up // to handle random fields of a placement-initialized object picking up
// old bindings. We might only want to do it when we need to, though. // old bindings. We might only want to do it when we need to, though.
// FIXME: This isn't actually correct for arrays -- we need to zero- // FIXME: This isn't actually correct for arrays -- we need to zero-
// initialize the entire array, not just the first element -- but our // initialize the entire array, not just the first element -- but our
// handling of arrays everywhere else is weak as well, so this shouldn't // handling of arrays everywhere else is weak as well, so this shouldn't
// actually make things worse. Placement new makes this tricky as well, // actually make things worse. Placement new makes this tricky as well,
// since it's then possible to be initializing one part of a multi- // since it's then possible to be initializing one part of a multi-
// dimensional array. // dimensional array.
State = State->bindDefaultZero(loc::MemRegionVal(Target), LCtx); State = State->bindDefaultZero(Target, LCtx);
} }
State = addAllNecessaryTemporaryInfo(State, CC, LCtx, Target); State = markStatementsCorrespondingToConstructedObject(State, CC, LCtx,
Target);
Bldr.generateNode(CE, *I, State, /*tag=*/nullptr, Bldr.generateNode(CE, *I, State, /*tag=*/nullptr,
ProgramPoint::PreStmtKind); ProgramPoint::PreStmtKind);
} }
} }
ExplodedNodeSet DstPreCall; ExplodedNodeSet DstPreCall;
getCheckerManager().runCheckersForPreCall(DstPreCall, PreInitialized, getCheckerManager().runCheckersForPreCall(DstPreCall, PreInitialized,
▲ Show 20 LinesShow All 143 Lines▼ Show 20 Lines for (auto I : DstPostCall) {
// C++11 [basic.stc.dynamic.allocation]p3. // C++11 [basic.stc.dynamic.allocation]p3.
if (const FunctionDecl *FD = CNE->getOperatorNew()) { if (const FunctionDecl *FD = CNE->getOperatorNew()) {
QualType Ty = FD->getType(); QualType Ty = FD->getType();
if (const auto *ProtoType = Ty->getAs<FunctionProtoType>()) if (const auto *ProtoType = Ty->getAs<FunctionProtoType>())
if (!ProtoType->isNothrow()) if (!ProtoType->isNothrow())
State = State->assume(RetVal.castAs<DefinedOrUnknownSVal>(), true); State = State->assume(RetVal.castAs<DefinedOrUnknownSVal>(), true);
} }
ValueBldr.generateNode(CNE, I, ValueBldr.generateNode(
setCXXNewAllocatorValue(State, CNE, LCtx, RetVal)); CNE, I, addObjectUnderConstruction(State, CNE, LCtx, RetVal));
} }
ExplodedNodeSet DstPostPostCallCallback; ExplodedNodeSet DstPostPostCallCallback;
getCheckerManager().runCheckersForPostCall(DstPostPostCallCallback, getCheckerManager().runCheckersForPostCall(DstPostPostCallCallback,
DstPostValue, *Call, *this); DstPostValue, *Call, *this);
for (auto I : DstPostPostCallCallback) { for (auto I : DstPostPostCallCallback) {
getCheckerManager().runCheckersForNewAllocator( getCheckerManager().runCheckersForNewAllocator(
CNE, getCXXNewAllocatorValue(I->getState(), CNE, LCtx), Dst, I, *this); CNE, *getObjectUnderConstruction(I->getState(), CNE, LCtx), Dst, I,
*this);
} }
} }
void ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred, void ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred,
ExplodedNodeSet &Dst) { ExplodedNodeSet &Dst) {
// FIXME: Much of this should eventually migrate to CXXAllocatorCall. // FIXME: Much of this should eventually migrate to CXXAllocatorCall.
// Also, we need to decide how allocators actually work -- they're not // Also, we need to decide how allocators actually work -- they're not
// really part of the CXXNewExpr because they happen BEFORE the // really part of the CXXNewExpr because they happen BEFORE the
// CXXConstructExpr subexpression. See PR12014 for some discussion. // CXXConstructExpr subexpression. See PR12014 for some discussion.
unsigned blockCount = currBldrCtx->blockCount(); unsigned blockCount = currBldrCtx->blockCount();
const LocationContext *LCtx = Pred->getLocationContext(); const LocationContext *LCtx = Pred->getLocationContext();
SVal symVal = UnknownVal(); SVal symVal = UnknownVal();
FunctionDecl *FD = CNE->getOperatorNew(); FunctionDecl *FD = CNE->getOperatorNew();
bool IsStandardGlobalOpNewFunction = bool IsStandardGlobalOpNewFunction =
FD->isReplaceableGlobalAllocationFunction(); FD->isReplaceableGlobalAllocationFunction();
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
// Retrieve the stored operator new() return value. // Retrieve the stored operator new() return value.
if (AMgr.getAnalyzerOptions().mayInlineCXXAllocator()) { if (AMgr.getAnalyzerOptions().mayInlineCXXAllocator()) {
symVal = getCXXNewAllocatorValue(State, CNE, LCtx); symVal = *getObjectUnderConstruction(State, CNE, LCtx);
State = clearCXXNewAllocatorValue(State, CNE, LCtx); State = finishObjectConstruction(State, CNE, LCtx);
} }
// We assume all standard global 'operator new' functions allocate memory in // We assume all standard global 'operator new' functions allocate memory in
// heap. We realize this is an approximation that might not correctly model // heap. We realize this is an approximation that might not correctly model
// a custom global allocator. // a custom global allocator.
if (symVal.isUnknown()) { if (symVal.isUnknown()) {
if (IsStandardGlobalOpNewFunction) if (IsStandardGlobalOpNewFunction)
symVal = svalBuilder.getConjuredHeapSymbolVal(CNE, LCtx, blockCount); symVal = svalBuilder.getConjuredHeapSymbolVal(CNE, LCtx, blockCount);
▲ Show 20 LinesShow All 174 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

Show First 20 LinesShow All 282 Lines▼ Show 20 Lines if (const auto *CNE = dyn_cast<CXXNewExpr>(CE)) {
// region for later use. // region for later use.
// Additionally cast the return value of the inlined operator new // Additionally cast the return value of the inlined operator new
// (which is of type 'void *') to the correct object type. // (which is of type 'void *') to the correct object type.
SVal AllocV = state->getSVal(CNE, callerCtx); SVal AllocV = state->getSVal(CNE, callerCtx);
AllocV = svalBuilder.evalCast( AllocV = svalBuilder.evalCast(
AllocV, CNE->getType(), AllocV, CNE->getType(),
getContext().getPointerType(getContext().VoidTy)); getContext().getPointerType(getContext().VoidTy));
state = state = addObjectUnderConstruction(state, CNE, calleeCtx->getParent(),
setCXXNewAllocatorValue(state, CNE, calleeCtx->getParent(), AllocV); AllocV);
} }
} }
// Step 3: BindedRetNode -> CleanedNodes // Step 3: BindedRetNode -> CleanedNodes
// If we can find a statement and a block in the inlined function, run remove // If we can find a statement and a block in the inlined function, run remove
// dead bindings before returning from the call. This is important to ensure // dead bindings before returning from the call. This is important to ensure
// that we report the issues such as leaks in the stack contexts in which // that we report the issues such as leaks in the stack contexts in which
// they occurred. // they occurred.
▲ Show 20 LinesShow All 48 Lines▼ Show 20 Lines for (ExplodedNodeSet::iterator I = CleanedNodes.begin(),
ExplodedNodeSet DstPostCall; ExplodedNodeSet DstPostCall;
if (const CXXNewExpr *CNE = dyn_cast_or_null<CXXNewExpr>(CE)) { if (const CXXNewExpr *CNE = dyn_cast_or_null<CXXNewExpr>(CE)) {
ExplodedNodeSet DstPostPostCallCallback; ExplodedNodeSet DstPostPostCallCallback;
getCheckerManager().runCheckersForPostCall(DstPostPostCallCallback, getCheckerManager().runCheckersForPostCall(DstPostPostCallCallback,
CEENode, *UpdatedCall, *this, CEENode, *UpdatedCall, *this,
/*WasInlined=*/true); /*WasInlined=*/true);
for (auto I : DstPostPostCallCallback) { for (auto I : DstPostPostCallCallback) {
getCheckerManager().runCheckersForNewAllocator( getCheckerManager().runCheckersForNewAllocator(
CNE, getCXXNewAllocatorValue(I->getState(), CNE, CNE,
*getObjectUnderConstruction(I->getState(), CNE,
calleeCtx->getParent()), calleeCtx->getParent()),
DstPostCall, I, *this, DstPostCall, I, *this,
/*WasInlined=*/true); /*WasInlined=*/true);
} }
} else { } else {
getCheckerManager().runCheckersForPostCall(DstPostCall, CEENode, getCheckerManager().runCheckersForPostCall(DstPostCall, CEENode,
*UpdatedCall, *this, *UpdatedCall, *this,
/*WasInlined=*/true); /*WasInlined=*/true);
} }
▲ Show 20 LinesShow All 216 Lines▼ Show 20 LinesProgramStateRef ExprEngine::bindReturnValue(const CallEvent &Call,
SVal R; SVal R;
QualType ResultTy = Call.getResultType(); QualType ResultTy = Call.getResultType();
unsigned Count = currBldrCtx->blockCount(); unsigned Count = currBldrCtx->blockCount();
if (auto RTC = getCurrentCFGElement().getAs<CFGCXXRecordTypedCall>()) { if (auto RTC = getCurrentCFGElement().getAs<CFGCXXRecordTypedCall>()) {
// Conjure a temporary if the function returns an object by value. // Conjure a temporary if the function returns an object by value.
MemRegionManager &MRMgr = svalBuilder.getRegionManager(); MemRegionManager &MRMgr = svalBuilder.getRegionManager();
const CXXTempObjectRegion *TR = MRMgr.getCXXTempObjectRegion(E, LCtx); const CXXTempObjectRegion *TR = MRMgr.getCXXTempObjectRegion(E, LCtx);
State = addAllNecessaryTemporaryInfo(State, RTC->getConstructionContext(), State = markStatementsCorrespondingToConstructedObject(
LCtx, TR); State, RTC->getConstructionContext(), LCtx, loc::MemRegionVal(TR));
// Invalidate the region so that it didn't look uninitialized. Don't notify // Invalidate the region so that it didn't look uninitialized. Don't notify
// the checkers. // the checkers.
State = State->invalidateRegions(TR, E, Count, LCtx, State = State->invalidateRegions(TR, E, Count, LCtx,
/* CausedByPointerEscape=*/false, nullptr, /* CausedByPointerEscape=*/false, nullptr,
&Call, nullptr); &Call, nullptr);
R = State->getSVal(TR, E->getType()); R = State->getSVal(TR, E->getType());
▲ Show 20 LinesShow All 466 LinesShow Last 20 Lines