2010-12-23 02:53:44 +08:00
|
|
|
//=-- ExprEngine.cpp - Path-Sensitive Expression-Level Dataflow ---*- C++ -*-=
|
2008-01-31 10:35:41 +08:00
|
|
|
//
|
2008-01-31 14:49:09 +08:00
|
|
|
// The LLVM Compiler Infrastructure
|
2008-01-16 07:55:06 +08:00
|
|
|
//
|
|
|
|
|
// This file is distributed under the University of Illinois Open Source
|
|
|
|
|
// License. See LICENSE.TXT for details.
|
|
|
|
|
//
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
//
|
2008-02-15 06:13:12 +08:00
|
|
|
// This file defines a meta-engine for path-sensitive dataflow analysis that
|
|
|
|
|
// is built on GREngine, but provides the boilerplate to execute transfer
|
|
|
|
|
// functions and build the ExplodedGraph at the expression level.
|
2008-01-16 07:55:06 +08:00
|
|
|
//
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
2010-12-23 02:52:56 +08:00
|
|
|
|
|
|
|
|
// FIXME: Restructure checker registration.
|
2011-01-10 17:23:01 +08:00
|
|
|
#include "ExprEngineInternalChecks.h"
|
2010-12-23 02:52:56 +08:00
|
|
|
|
2010-12-24 03:38:26 +08:00
|
|
|
#include "clang/StaticAnalyzer/BugReporter/BugType.h"
|
|
|
|
|
#include "clang/StaticAnalyzer/PathSensitive/AnalysisManager.h"
|
|
|
|
|
#include "clang/StaticAnalyzer/PathSensitive/ExprEngine.h"
|
|
|
|
|
#include "clang/StaticAnalyzer/PathSensitive/ExprEngineBuilders.h"
|
|
|
|
|
#include "clang/StaticAnalyzer/PathSensitive/Checker.h"
|
2010-01-12 01:06:35 +08:00
|
|
|
#include "clang/AST/CharUnits.h"
|
2009-04-26 09:32:48 +08:00
|
|
|
#include "clang/AST/ParentMap.h"
|
|
|
|
|
#include "clang/AST/StmtObjC.h"
|
2010-03-16 21:14:16 +08:00
|
|
|
#include "clang/AST/DeclCXX.h"
|
2009-06-14 09:54:56 +08:00
|
|
|
#include "clang/Basic/Builtins.h"
|
2009-04-26 09:32:48 +08:00
|
|
|
#include "clang/Basic/SourceManager.h"
|
2008-03-08 04:57:30 +08:00
|
|
|
#include "clang/Basic/SourceManager.h"
|
2009-03-11 10:41:36 +08:00
|
|
|
#include "clang/Basic/PrettyStackTrace.h"
|
2008-09-13 13:16:45 +08:00
|
|
|
#include "llvm/Support/raw_ostream.h"
|
2009-08-23 20:08:50 +08:00
|
|
|
#include "llvm/ADT/ImmutableList.h"
|
2008-07-11 06:03:41 +08:00
|
|
|
|
2008-02-27 14:07:00 +08:00
|
|
|
#ifndef NDEBUG
|
|
|
|
|
#include "llvm/Support/GraphWriter.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
2008-02-15 06:16:04 +08:00
|
|
|
using namespace clang;
|
2010-12-23 15:20:52 +08:00
|
|
|
using namespace ento;
|
2008-02-15 06:16:04 +08:00
|
|
|
using llvm::dyn_cast;
|
Add (initial?) static analyzer support for handling C++ references.
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
llvm-svn: 91501
2009-12-16 11:18:58 +08:00
|
|
|
using llvm::dyn_cast_or_null;
|
2008-02-15 06:16:04 +08:00
|
|
|
using llvm::cast;
|
|
|
|
|
using llvm::APSInt;
|
2008-01-24 03:59:44 +08:00
|
|
|
|
2010-02-26 23:43:34 +08:00
|
|
|
namespace {
|
|
|
|
|
// Trait class for recording returned expression in the state.
|
|
|
|
|
struct ReturnExpr {
|
|
|
|
|
static int TagInt;
|
|
|
|
|
typedef const Stmt *data_type;
|
|
|
|
|
};
|
|
|
|
|
int ReturnExpr::TagInt;
|
|
|
|
|
}
|
|
|
|
|
|
2009-11-26 05:51:20 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Utility functions.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
|
|
static inline Selector GetNullarySelector(const char* name, ASTContext& Ctx) {
|
|
|
|
|
IdentifierInfo* II = &Ctx.Idents.get(name);
|
|
|
|
|
return Ctx.Selectors.getSelector(0, &II);
|
|
|
|
|
}
|
|
|
|
|
|
2009-07-23 05:43:51 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Checker worklist routines.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::CheckerVisit(const Stmt *S, ExplodedNodeSet &Dst,
|
2010-08-04 15:10:57 +08:00
|
|
|
ExplodedNodeSet &Src, CallbackKind Kind) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-06-26 04:59:31 +08:00
|
|
|
// Determine if we already have a cached 'CheckersOrdered' vector
|
2010-08-04 15:10:57 +08:00
|
|
|
// specifically tailored for the provided <CallbackKind, Stmt kind>. This
|
2010-06-26 04:59:31 +08:00
|
|
|
// can reduce the number of checkers actually called.
|
|
|
|
|
CheckersOrdered *CO = &Checkers;
|
|
|
|
|
llvm::OwningPtr<CheckersOrdered> NewCO;
|
2010-08-04 15:10:57 +08:00
|
|
|
|
|
|
|
|
// The cache key is made up of the and the callback kind (pre- or post-visit)
|
|
|
|
|
// and the statement kind.
|
|
|
|
|
CallbackTag K = GetCallbackTag(Kind, S->getStmtClass());
|
2010-06-26 04:59:31 +08:00
|
|
|
|
|
|
|
|
CheckersOrdered *& CO_Ref = COCache[K];
|
|
|
|
|
|
|
|
|
|
if (!CO_Ref) {
|
|
|
|
|
// If we have no previously cached CheckersOrdered vector for this
|
|
|
|
|
// statement kind, then create one.
|
|
|
|
|
NewCO.reset(new CheckersOrdered);
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
// Use the already cached set.
|
|
|
|
|
CO = CO_Ref;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (CO->empty()) {
|
|
|
|
|
// If there are no checkers, return early without doing any
|
|
|
|
|
// more work.
|
2009-12-09 10:45:41 +08:00
|
|
|
Dst.insert(Src);
|
2009-12-02 13:49:12 +08:00
|
|
|
return;
|
2009-07-23 05:43:51 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
|
|
|
|
ExplodedNodeSet *PrevSet = &Src;
|
2010-06-26 04:59:31 +08:00
|
|
|
unsigned checkersEvaluated = 0;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-08-06 12:20:59 +08:00
|
|
|
for (CheckersOrdered::iterator I=CO->begin(), E=CO->end(); I!=E; ++I) {
|
|
|
|
|
// If all nodes are sunk, bail out early.
|
|
|
|
|
if (PrevSet->empty())
|
|
|
|
|
break;
|
2009-12-09 10:45:41 +08:00
|
|
|
ExplodedNodeSet *CurrSet = 0;
|
|
|
|
|
if (I+1 == E)
|
|
|
|
|
CurrSet = &Dst;
|
|
|
|
|
else {
|
|
|
|
|
CurrSet = (PrevSet == &Tmp) ? &Src : &Tmp;
|
|
|
|
|
CurrSet->clear();
|
2010-02-16 07:02:46 +08:00
|
|
|
}
|
2009-10-29 10:09:30 +08:00
|
|
|
void *tag = I->first;
|
|
|
|
|
Checker *checker = I->second;
|
2010-06-26 04:59:31 +08:00
|
|
|
bool respondsToCallback = true;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
for (ExplodedNodeSet::iterator NI = PrevSet->begin(), NE = PrevSet->end();
|
2010-06-26 04:59:31 +08:00
|
|
|
NI != NE; ++NI) {
|
|
|
|
|
|
2010-08-04 15:10:57 +08:00
|
|
|
checker->GR_Visit(*CurrSet, *Builder, *this, S, *NI, tag,
|
|
|
|
|
Kind == PreVisitStmtCallback, respondsToCallback);
|
2010-06-26 04:59:31 +08:00
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2009-07-23 05:43:51 +08:00
|
|
|
PrevSet = CurrSet;
|
2010-06-26 04:59:31 +08:00
|
|
|
|
|
|
|
|
if (NewCO.get()) {
|
|
|
|
|
++checkersEvaluated;
|
|
|
|
|
if (respondsToCallback)
|
|
|
|
|
NewCO->push_back(*I);
|
|
|
|
|
}
|
2009-07-23 05:43:51 +08:00
|
|
|
}
|
2010-06-26 04:59:31 +08:00
|
|
|
|
|
|
|
|
// If we built NewCO, check if we called all the checkers. This is important
|
|
|
|
|
// so that we know that we accurately determined the entire set of checkers
|
2010-08-05 23:03:30 +08:00
|
|
|
// that responds to this callback. Note that 'checkersEvaluated' might
|
|
|
|
|
// not be the same as Checkers.size() if one of the Checkers generates
|
|
|
|
|
// a sink node.
|
|
|
|
|
if (NewCO.get() && checkersEvaluated == Checkers.size())
|
2010-06-26 04:59:31 +08:00
|
|
|
CO_Ref = NewCO.take();
|
2009-07-23 05:43:51 +08:00
|
|
|
|
|
|
|
|
// Don't autotransition. The CheckerContext objects should do this
|
|
|
|
|
// automatically.
|
2009-12-02 13:49:12 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::CheckerEvalNilReceiver(const ObjCMessageExpr *ME,
|
2009-12-02 13:49:12 +08:00
|
|
|
ExplodedNodeSet &Dst,
|
|
|
|
|
const GRState *state,
|
|
|
|
|
ExplodedNode *Pred) {
|
2010-12-02 05:57:22 +08:00
|
|
|
bool evaluated = false;
|
2009-12-09 20:16:07 +08:00
|
|
|
ExplodedNodeSet DstTmp;
|
|
|
|
|
|
2009-12-02 13:49:12 +08:00
|
|
|
for (CheckersOrdered::iterator I=Checkers.begin(),E=Checkers.end();I!=E;++I) {
|
|
|
|
|
void *tag = I->first;
|
|
|
|
|
Checker *checker = I->second;
|
|
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
if (checker->GR_evalNilReceiver(DstTmp, *Builder, *this, ME, Pred, state,
|
2009-12-09 20:16:07 +08:00
|
|
|
tag)) {
|
2010-12-02 05:57:22 +08:00
|
|
|
evaluated = true;
|
2009-12-02 13:49:12 +08:00
|
|
|
break;
|
2009-12-09 20:16:07 +08:00
|
|
|
} else
|
|
|
|
|
// The checker didn't evaluate the expr. Restore the Dst.
|
|
|
|
|
DstTmp.clear();
|
2009-12-02 13:49:12 +08:00
|
|
|
}
|
2009-12-09 20:16:07 +08:00
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
if (evaluated)
|
2009-12-09 20:16:07 +08:00
|
|
|
Dst.insert(DstTmp);
|
|
|
|
|
else
|
|
|
|
|
Dst.insert(Pred);
|
2009-07-23 05:43:51 +08:00
|
|
|
}
|
|
|
|
|
|
2009-12-07 17:17:35 +08:00
|
|
|
// CheckerEvalCall returns true if one of the checkers processed the node.
|
|
|
|
|
// This may return void when all call evaluation logic goes to some checker
|
|
|
|
|
// in the future.
|
2010-12-23 02:53:44 +08:00
|
|
|
bool ExprEngine::CheckerEvalCall(const CallExpr *CE,
|
2010-02-16 07:02:46 +08:00
|
|
|
ExplodedNodeSet &Dst,
|
2009-12-07 17:17:35 +08:00
|
|
|
ExplodedNode *Pred) {
|
2010-12-02 05:57:22 +08:00
|
|
|
bool evaluated = false;
|
2009-12-09 20:16:07 +08:00
|
|
|
ExplodedNodeSet DstTmp;
|
2009-12-07 17:17:35 +08:00
|
|
|
|
|
|
|
|
for (CheckersOrdered::iterator I=Checkers.begin(),E=Checkers.end();I!=E;++I) {
|
|
|
|
|
void *tag = I->first;
|
|
|
|
|
Checker *checker = I->second;
|
|
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
if (checker->GR_evalCallExpr(DstTmp, *Builder, *this, CE, Pred, tag)) {
|
|
|
|
|
evaluated = true;
|
2009-12-07 17:17:35 +08:00
|
|
|
break;
|
2009-12-09 20:16:07 +08:00
|
|
|
} else
|
|
|
|
|
// The checker didn't evaluate the expr. Restore the DstTmp set.
|
|
|
|
|
DstTmp.clear();
|
2009-12-07 17:17:35 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
if (evaluated)
|
2009-12-09 20:16:07 +08:00
|
|
|
Dst.insert(DstTmp);
|
|
|
|
|
else
|
|
|
|
|
Dst.insert(Pred);
|
|
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
return evaluated;
|
2009-12-07 17:17:35 +08:00
|
|
|
}
|
|
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
// FIXME: This is largely copy-paste from CheckerVisit(). Need to
|
2009-11-04 12:24:16 +08:00
|
|
|
// unify.
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::CheckerVisitBind(const Stmt *StoreE, ExplodedNodeSet &Dst,
|
2010-09-02 08:56:20 +08:00
|
|
|
ExplodedNodeSet &Src, SVal location,
|
|
|
|
|
SVal val, bool isPrevisit) {
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-04 12:24:16 +08:00
|
|
|
if (Checkers.empty()) {
|
2009-12-09 10:45:41 +08:00
|
|
|
Dst.insert(Src);
|
2009-11-04 12:24:16 +08:00
|
|
|
return;
|
|
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-04 12:24:16 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
|
|
|
|
ExplodedNodeSet *PrevSet = &Src;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-04 12:24:16 +08:00
|
|
|
for (CheckersOrdered::iterator I=Checkers.begin(),E=Checkers.end(); I!=E; ++I)
|
|
|
|
|
{
|
2009-12-09 10:45:41 +08:00
|
|
|
ExplodedNodeSet *CurrSet = 0;
|
|
|
|
|
if (I+1 == E)
|
|
|
|
|
CurrSet = &Dst;
|
|
|
|
|
else {
|
|
|
|
|
CurrSet = (PrevSet == &Tmp) ? &Src : &Tmp;
|
|
|
|
|
CurrSet->clear();
|
|
|
|
|
}
|
2009-12-19 04:13:39 +08:00
|
|
|
|
2009-11-04 12:24:16 +08:00
|
|
|
void *tag = I->first;
|
|
|
|
|
Checker *checker = I->second;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-04 12:24:16 +08:00
|
|
|
for (ExplodedNodeSet::iterator NI = PrevSet->begin(), NE = PrevSet->end();
|
|
|
|
|
NI != NE; ++NI)
|
2010-09-02 08:56:20 +08:00
|
|
|
checker->GR_VisitBind(*CurrSet, *Builder, *this, StoreE,
|
2009-11-05 08:42:23 +08:00
|
|
|
*NI, tag, location, val, isPrevisit);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-04 12:24:16 +08:00
|
|
|
// Update which NodeSet is the current one.
|
|
|
|
|
PrevSet = CurrSet;
|
|
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-04 12:24:16 +08:00
|
|
|
// Don't autotransition. The CheckerContext objects should do this
|
|
|
|
|
// automatically.
|
|
|
|
|
}
|
2008-07-12 02:37:32 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Engine construction and deletion.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
static void RegisterInternalChecks(ExprEngine &Eng) {
|
2009-11-26 05:51:20 +08:00
|
|
|
// Register internal "built-in" BugTypes with the BugReporter. These BugTypes
|
|
|
|
|
// are different than what probably many checks will do since they don't
|
2010-12-23 02:53:44 +08:00
|
|
|
// create BugReports on-the-fly but instead wait until ExprEngine finishes
|
2009-11-26 05:51:20 +08:00
|
|
|
// analyzing a function. Generation of BugReport objects is done via a call
|
|
|
|
|
// to 'FlushReports' from BugReporter.
|
|
|
|
|
// The following checks do not need to have their associated BugTypes
|
|
|
|
|
// explicitly registered with the BugReporter. If they issue any BugReports,
|
|
|
|
|
// their associated BugType will get registered with the BugReporter
|
2010-12-23 02:53:44 +08:00
|
|
|
// automatically. Note that the check itself is owned by the ExprEngine
|
2010-02-16 07:02:46 +08:00
|
|
|
// object.
|
2010-02-04 08:47:48 +08:00
|
|
|
RegisterAdjustedReturnValueChecker(Eng);
|
2010-06-16 13:45:09 +08:00
|
|
|
// CallAndMessageChecker should be registered before AttrNonNullChecker,
|
|
|
|
|
// where we assume arguments are not undefined.
|
2009-11-26 05:51:20 +08:00
|
|
|
RegisterCallAndMessageChecker(Eng);
|
2010-06-16 13:45:09 +08:00
|
|
|
RegisterAttrNonNullChecker(Eng);
|
2009-11-26 05:51:20 +08:00
|
|
|
RegisterDereferenceChecker(Eng);
|
|
|
|
|
RegisterVLASizeChecker(Eng);
|
|
|
|
|
RegisterDivZeroChecker(Eng);
|
|
|
|
|
RegisterReturnUndefChecker(Eng);
|
|
|
|
|
RegisterUndefinedArraySubscriptChecker(Eng);
|
|
|
|
|
RegisterUndefinedAssignmentChecker(Eng);
|
|
|
|
|
RegisterUndefBranchChecker(Eng);
|
2010-02-16 16:33:59 +08:00
|
|
|
RegisterUndefCapturedBlockVarChecker(Eng);
|
2009-11-26 05:51:20 +08:00
|
|
|
RegisterUndefResultChecker(Eng);
|
2010-06-09 14:08:24 +08:00
|
|
|
RegisterStackAddrLeakChecker(Eng);
|
2010-09-10 11:05:40 +08:00
|
|
|
RegisterObjCAtSyncChecker(Eng);
|
2009-12-07 17:17:35 +08:00
|
|
|
|
|
|
|
|
// This is not a checker yet.
|
|
|
|
|
RegisterNoReturnFunctionChecker(Eng);
|
2009-12-08 17:07:59 +08:00
|
|
|
RegisterBuiltinFunctionChecker(Eng);
|
2009-12-09 20:23:28 +08:00
|
|
|
RegisterOSAtomicChecker(Eng);
|
2010-02-25 08:20:35 +08:00
|
|
|
RegisterUnixAPIChecker(Eng);
|
2010-02-25 13:44:09 +08:00
|
|
|
RegisterMacOSXAPIChecker(Eng);
|
2008-05-02 02:33:28 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
ExprEngine::ExprEngine(AnalysisManager &mgr, TransferFuncs *tf)
|
2009-08-15 11:17:38 +08:00
|
|
|
: AMgr(mgr),
|
2010-12-23 02:53:44 +08:00
|
|
|
Engine(*this),
|
|
|
|
|
G(Engine.getGraph()),
|
2008-04-10 05:41:14 +08:00
|
|
|
Builder(NULL),
|
2010-07-01 15:10:59 +08:00
|
|
|
StateMgr(getContext(), mgr.getStoreManagerCreator(),
|
2010-01-05 08:15:18 +08:00
|
|
|
mgr.getConstraintManagerCreator(), G.getAllocator(),
|
|
|
|
|
*this),
|
2008-04-10 05:41:14 +08:00
|
|
|
SymMgr(StateMgr.getSymbolManager()),
|
2010-12-02 15:49:45 +08:00
|
|
|
svalBuilder(StateMgr.getSValBuilder()),
|
2010-12-17 12:44:39 +08:00
|
|
|
EntryNode(NULL), currentStmt(NULL),
|
2008-12-22 16:30:52 +08:00
|
|
|
NSExceptionII(NULL), NSExceptionInstanceRaiseSelectors(NULL),
|
2010-07-01 15:10:59 +08:00
|
|
|
RaiseSel(GetNullarySelector("raise", getContext())),
|
2010-01-05 08:15:18 +08:00
|
|
|
BR(mgr, *this), TF(tf) {
|
2009-11-26 05:45:48 +08:00
|
|
|
// Register internal checks.
|
2009-11-26 05:51:20 +08:00
|
|
|
RegisterInternalChecks(*this);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2010-01-05 08:15:18 +08:00
|
|
|
// FIXME: Eventually remove the TF object entirely.
|
|
|
|
|
TF->RegisterChecks(*this);
|
|
|
|
|
TF->RegisterPrinters(getStateManager().Printers);
|
2009-11-26 05:45:48 +08:00
|
|
|
}
|
2008-04-10 05:41:14 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
ExprEngine::~ExprEngine() {
|
2009-02-05 07:49:09 +08:00
|
|
|
BR.FlushReports();
|
2008-05-02 02:33:28 +08:00
|
|
|
delete [] NSExceptionInstanceRaiseSelectors;
|
2010-06-26 04:59:31 +08:00
|
|
|
|
|
|
|
|
// Delete the set of checkers.
|
2009-10-31 01:47:32 +08:00
|
|
|
for (CheckersOrdered::iterator I=Checkers.begin(), E=Checkers.end(); I!=E;++I)
|
2009-10-29 10:09:30 +08:00
|
|
|
delete I->second;
|
2010-06-26 04:59:31 +08:00
|
|
|
|
|
|
|
|
for (CheckersOrderedCache::iterator I=COCache.begin(), E=COCache.end();
|
|
|
|
|
I!=E;++I)
|
|
|
|
|
delete I->second;
|
2008-04-10 05:41:14 +08:00
|
|
|
}
|
|
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Utility methods.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
const GRState* ExprEngine::getInitialState(const LocationContext *InitLoc) {
|
2009-08-17 14:19:58 +08:00
|
|
|
const GRState *state = StateMgr.getInitialState(InitLoc);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-09-10 04:36:12 +08:00
|
|
|
// Preconditions.
|
|
|
|
|
|
2009-04-10 08:59:50 +08:00
|
|
|
// FIXME: It would be nice if we had a more general mechanism to add
|
|
|
|
|
// such preconditions. Some day.
|
2009-12-18 03:17:27 +08:00
|
|
|
do {
|
2010-02-16 07:02:46 +08:00
|
|
|
const Decl *D = InitLoc->getDecl();
|
2009-12-18 03:17:27 +08:00
|
|
|
if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) {
|
|
|
|
|
// Precondition: the first argument of 'main' is an integer guaranteed
|
|
|
|
|
// to be > 0.
|
|
|
|
|
const IdentifierInfo *II = FD->getIdentifier();
|
|
|
|
|
if (!II || !(II->getName() == "main" && FD->getNumParams() > 0))
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
const ParmVarDecl *PD = FD->getParamDecl(0);
|
|
|
|
|
QualType T = PD->getType();
|
|
|
|
|
if (!T->isIntegerType())
|
|
|
|
|
break;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-18 03:17:27 +08:00
|
|
|
const MemRegion *R = state->getRegion(PD, InitLoc);
|
|
|
|
|
if (!R)
|
|
|
|
|
break;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal V = state->getSVal(loc::MemRegionVal(R));
|
2010-12-02 05:57:22 +08:00
|
|
|
SVal Constraint_untested = evalBinOp(state, BO_GT, V,
|
2010-12-02 15:49:45 +08:00
|
|
|
svalBuilder.makeZeroVal(T),
|
2009-12-18 03:17:27 +08:00
|
|
|
getContext().IntTy);
|
|
|
|
|
|
|
|
|
|
DefinedOrUnknownSVal *Constraint =
|
|
|
|
|
dyn_cast<DefinedOrUnknownSVal>(&Constraint_untested);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-18 03:17:27 +08:00
|
|
|
if (!Constraint)
|
|
|
|
|
break;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2010-12-02 06:16:56 +08:00
|
|
|
if (const GRState *newState = state->assume(*Constraint, true))
|
2009-12-18 03:17:27 +08:00
|
|
|
state = newState;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-18 03:17:27 +08:00
|
|
|
break;
|
2009-04-10 08:59:50 +08:00
|
|
|
}
|
2009-12-18 03:17:27 +08:00
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(D)) {
|
2009-12-18 03:17:27 +08:00
|
|
|
// Precondition: 'self' is always non-null upon entry to an Objective-C
|
|
|
|
|
// method.
|
|
|
|
|
const ImplicitParamDecl *SelfD = MD->getSelfDecl();
|
|
|
|
|
const MemRegion *R = state->getRegion(SelfD, InitLoc);
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal V = state->getSVal(loc::MemRegionVal(R));
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-18 03:17:27 +08:00
|
|
|
if (const Loc *LV = dyn_cast<Loc>(&V)) {
|
|
|
|
|
// Assume that the pointer value in 'self' is non-null.
|
2010-12-02 06:16:56 +08:00
|
|
|
state = state->assume(*LV, true);
|
2009-12-18 03:17:27 +08:00
|
|
|
assert(state && "'self' cannot be null");
|
|
|
|
|
}
|
2009-09-10 04:36:12 +08:00
|
|
|
}
|
2009-12-18 03:17:27 +08:00
|
|
|
} while (0);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-04-10 08:59:50 +08:00
|
|
|
return state;
|
2008-02-05 05:59:01 +08:00
|
|
|
}
|
|
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Top-level transfer function logic (Dispatcher).
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
/// evalAssume - Called by ConstraintManager. Used to call checker-specific
|
2010-01-05 08:15:18 +08:00
|
|
|
/// logic for handling assumptions on symbolic values.
|
2011-01-11 10:34:45 +08:00
|
|
|
const GRState *ExprEngine::processAssume(const GRState *state, SVal cond,
|
2010-02-16 07:02:46 +08:00
|
|
|
bool assumption) {
|
2010-08-04 15:10:57 +08:00
|
|
|
// Determine if we already have a cached 'CheckersOrdered' vector
|
|
|
|
|
// specifically tailored for processing assumptions. This
|
|
|
|
|
// can reduce the number of checkers actually called.
|
|
|
|
|
CheckersOrdered *CO = &Checkers;
|
|
|
|
|
llvm::OwningPtr<CheckersOrdered> NewCO;
|
2010-01-05 08:15:18 +08:00
|
|
|
|
2011-01-11 10:34:45 +08:00
|
|
|
CallbackTag K = GetCallbackTag(processAssumeCallback);
|
2010-08-04 15:10:57 +08:00
|
|
|
CheckersOrdered *& CO_Ref = COCache[K];
|
|
|
|
|
|
|
|
|
|
if (!CO_Ref) {
|
|
|
|
|
// If we have no previously cached CheckersOrdered vector for this
|
|
|
|
|
// statement kind, then create one.
|
|
|
|
|
NewCO.reset(new CheckersOrdered);
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
// Use the already cached set.
|
|
|
|
|
CO = CO_Ref;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!CO->empty()) {
|
|
|
|
|
// Let the checkers have a crack at the assume before the transfer functions
|
|
|
|
|
// get their turn.
|
2010-08-12 12:05:07 +08:00
|
|
|
for (CheckersOrdered::iterator I = CO->begin(), E = CO->end(); I!=E; ++I) {
|
2010-08-04 15:10:57 +08:00
|
|
|
|
|
|
|
|
// If any checker declares the state infeasible (or if it starts that
|
|
|
|
|
// way), bail out.
|
|
|
|
|
if (!state)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
Checker *C = I->second;
|
|
|
|
|
bool respondsToCallback = true;
|
|
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
state = C->evalAssume(state, cond, assumption, &respondsToCallback);
|
2010-08-04 15:10:57 +08:00
|
|
|
|
2010-12-02 06:16:56 +08:00
|
|
|
// Check if we're building the cache of checkers that care about
|
|
|
|
|
// assumptions.
|
2010-08-04 15:10:57 +08:00
|
|
|
if (NewCO.get() && respondsToCallback)
|
|
|
|
|
NewCO->push_back(*I);
|
|
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2010-08-04 15:10:57 +08:00
|
|
|
// If we got through all the checkers, and we built a list of those that
|
2010-12-02 06:16:56 +08:00
|
|
|
// care about assumptions, save it.
|
2010-08-04 15:10:57 +08:00
|
|
|
if (NewCO.get())
|
|
|
|
|
CO_Ref = NewCO.take();
|
2010-01-05 08:15:18 +08:00
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2010-08-04 15:10:57 +08:00
|
|
|
// If the state is infeasible at this point, bail out.
|
2010-01-05 08:15:18 +08:00
|
|
|
if (!state)
|
|
|
|
|
return NULL;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
return TF->evalAssume(state, cond, assumption);
|
2010-01-05 08:15:18 +08:00
|
|
|
}
|
|
|
|
|
|
2011-01-11 10:34:45 +08:00
|
|
|
bool ExprEngine::wantsRegionChangeUpdate(const GRState* state) {
|
2010-08-15 04:44:32 +08:00
|
|
|
CallbackTag K = GetCallbackTag(EvalRegionChangesCallback);
|
|
|
|
|
CheckersOrdered *CO = COCache[K];
|
|
|
|
|
|
|
|
|
|
if (!CO)
|
|
|
|
|
CO = &Checkers;
|
|
|
|
|
|
|
|
|
|
for (CheckersOrdered::iterator I = CO->begin(), E = CO->end(); I != E; ++I) {
|
|
|
|
|
Checker *C = I->second;
|
2011-01-11 10:34:45 +08:00
|
|
|
if (C->wantsRegionChangeUpdate(state))
|
2010-08-15 04:44:32 +08:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const GRState *
|
2011-01-11 10:34:45 +08:00
|
|
|
ExprEngine::processRegionChanges(const GRState *state,
|
2010-08-15 04:44:32 +08:00
|
|
|
const MemRegion * const *Begin,
|
|
|
|
|
const MemRegion * const *End) {
|
2011-01-11 10:34:45 +08:00
|
|
|
// FIXME: Most of this method is copy-pasted from processAssume.
|
2010-08-15 04:44:32 +08:00
|
|
|
|
|
|
|
|
// Determine if we already have a cached 'CheckersOrdered' vector
|
|
|
|
|
// specifically tailored for processing region changes. This
|
|
|
|
|
// can reduce the number of checkers actually called.
|
|
|
|
|
CheckersOrdered *CO = &Checkers;
|
|
|
|
|
llvm::OwningPtr<CheckersOrdered> NewCO;
|
|
|
|
|
|
|
|
|
|
CallbackTag K = GetCallbackTag(EvalRegionChangesCallback);
|
|
|
|
|
CheckersOrdered *& CO_Ref = COCache[K];
|
|
|
|
|
|
|
|
|
|
if (!CO_Ref) {
|
|
|
|
|
// If we have no previously cached CheckersOrdered vector for this
|
|
|
|
|
// callback, then create one.
|
|
|
|
|
NewCO.reset(new CheckersOrdered);
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
// Use the already cached set.
|
|
|
|
|
CO = CO_Ref;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If there are no checkers, just return the state as is.
|
|
|
|
|
if (CO->empty())
|
|
|
|
|
return state;
|
|
|
|
|
|
|
|
|
|
for (CheckersOrdered::iterator I = CO->begin(), E = CO->end(); I != E; ++I) {
|
|
|
|
|
// If any checker declares the state infeasible (or if it starts that way),
|
|
|
|
|
// bail out.
|
|
|
|
|
if (!state)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
Checker *C = I->second;
|
|
|
|
|
bool respondsToCallback = true;
|
|
|
|
|
|
|
|
|
|
state = C->EvalRegionChanges(state, Begin, End, &respondsToCallback);
|
|
|
|
|
|
|
|
|
|
// See if we're building a cache of checkers that care about region changes.
|
|
|
|
|
if (NewCO.get() && respondsToCallback)
|
|
|
|
|
NewCO->push_back(*I);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If we got through all the checkers, and we built a list of those that
|
|
|
|
|
// care about region changes, save it.
|
|
|
|
|
if (NewCO.get())
|
|
|
|
|
CO_Ref = NewCO.take();
|
|
|
|
|
|
|
|
|
|
return state;
|
|
|
|
|
}
|
|
|
|
|
|
2011-01-11 10:34:45 +08:00
|
|
|
void ExprEngine::processEndWorklist(bool hasWorkRemaining) {
|
2010-06-24 06:08:00 +08:00
|
|
|
for (CheckersOrdered::iterator I = Checkers.begin(), E = Checkers.end();
|
|
|
|
|
I != E; ++I) {
|
2010-08-03 09:55:07 +08:00
|
|
|
I->second->VisitEndAnalysis(G, BR, *this);
|
2010-06-24 06:08:00 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2011-01-11 10:34:45 +08:00
|
|
|
void ExprEngine::processCFGElement(const CFGElement E,
|
2010-12-23 02:53:44 +08:00
|
|
|
StmtNodeBuilder& builder) {
|
2010-11-15 16:48:43 +08:00
|
|
|
switch (E.getKind()) {
|
|
|
|
|
case CFGElement::Statement:
|
|
|
|
|
ProcessStmt(E.getAs<CFGStmt>(), builder);
|
|
|
|
|
break;
|
|
|
|
|
case CFGElement::Initializer:
|
|
|
|
|
ProcessInitializer(E.getAs<CFGInitializer>(), builder);
|
|
|
|
|
break;
|
|
|
|
|
case CFGElement::ImplicitDtor:
|
|
|
|
|
ProcessImplicitDtor(E.getAs<CFGImplicitDtor>(), builder);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
// Suppress compiler warning.
|
|
|
|
|
llvm_unreachable("Unexpected CFGElement kind.");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::ProcessStmt(const CFGStmt S, StmtNodeBuilder& builder) {
|
2010-12-17 12:44:39 +08:00
|
|
|
currentStmt = S.getStmt();
|
2009-03-11 10:41:36 +08:00
|
|
|
PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
|
2010-12-17 12:44:39 +08:00
|
|
|
currentStmt->getLocStart(),
|
2009-03-11 10:41:36 +08:00
|
|
|
"Error evaluating statement");
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
Builder = &builder;
|
2010-02-26 10:38:09 +08:00
|
|
|
EntryNode = builder.getBasePredecessor();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
|
// Create the cleaned state.
|
2010-08-15 04:18:45 +08:00
|
|
|
const LocationContext *LC = EntryNode->getLocationContext();
|
2010-12-17 12:44:39 +08:00
|
|
|
SymbolReaper SymReaper(LC, currentStmt, SymMgr);
|
2010-03-05 12:45:36 +08:00
|
|
|
|
2010-08-15 04:18:45 +08:00
|
|
|
if (AMgr.shouldPurgeDead()) {
|
|
|
|
|
const GRState *St = EntryNode->getState();
|
2010-03-05 12:45:36 +08:00
|
|
|
|
2010-08-15 04:18:45 +08:00
|
|
|
for (CheckersOrdered::iterator I = Checkers.begin(), E = Checkers.end();
|
|
|
|
|
I != E; ++I) {
|
|
|
|
|
Checker *checker = I->second;
|
|
|
|
|
checker->MarkLiveSymbols(St, SymReaper);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const StackFrameContext *SFC = LC->getCurrentStackFrame();
|
|
|
|
|
CleanedState = StateMgr.RemoveDeadBindings(St, SFC, SymReaper);
|
|
|
|
|
} else {
|
|
|
|
|
CleanedState = EntryNode->getState();
|
|
|
|
|
}
|
2009-01-22 06:26:05 +08:00
|
|
|
|
2008-04-25 02:31:42 +08:00
|
|
|
// Process any special transfer function for dead symbols.
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-01-22 06:26:05 +08:00
|
|
|
if (!SymReaper.hasDeadSymbols())
|
2008-04-25 07:35:58 +08:00
|
|
|
Tmp.Add(EntryNode);
|
2008-04-25 02:31:42 +08:00
|
|
|
else {
|
|
|
|
|
SaveAndRestore<bool> OldSink(Builder->BuildSinks);
|
2008-04-25 07:35:58 +08:00
|
|
|
SaveOr OldHasGen(Builder->HasGeneratedNode);
|
|
|
|
|
|
2008-06-18 13:34:07 +08:00
|
|
|
SaveAndRestore<bool> OldPurgeDeadSymbols(Builder->PurgingDeadSymbols);
|
|
|
|
|
Builder->PurgingDeadSymbols = true;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-13 14:53:04 +08:00
|
|
|
// FIXME: This should soon be removed.
|
|
|
|
|
ExplodedNodeSet Tmp2;
|
2010-12-02 05:57:22 +08:00
|
|
|
getTF().evalDeadSymbols(Tmp2, *this, *Builder, EntryNode,
|
2009-01-22 06:26:05 +08:00
|
|
|
CleanedState, SymReaper);
|
2008-04-25 07:35:58 +08:00
|
|
|
|
2009-11-13 14:53:04 +08:00
|
|
|
if (Checkers.empty())
|
2009-12-14 10:13:39 +08:00
|
|
|
Tmp.insert(Tmp2);
|
2009-11-13 14:53:04 +08:00
|
|
|
else {
|
|
|
|
|
ExplodedNodeSet Tmp3;
|
|
|
|
|
ExplodedNodeSet *SrcSet = &Tmp2;
|
|
|
|
|
for (CheckersOrdered::iterator I = Checkers.begin(), E = Checkers.end();
|
|
|
|
|
I != E; ++I) {
|
2009-12-09 10:45:41 +08:00
|
|
|
ExplodedNodeSet *DstSet = 0;
|
|
|
|
|
if (I+1 == E)
|
|
|
|
|
DstSet = &Tmp;
|
|
|
|
|
else {
|
|
|
|
|
DstSet = (SrcSet == &Tmp2) ? &Tmp3 : &Tmp2;
|
|
|
|
|
DstSet->clear();
|
|
|
|
|
}
|
|
|
|
|
|
2009-11-13 14:53:04 +08:00
|
|
|
void *tag = I->first;
|
|
|
|
|
Checker *checker = I->second;
|
|
|
|
|
for (ExplodedNodeSet::iterator NI = SrcSet->begin(), NE = SrcSet->end();
|
|
|
|
|
NI != NE; ++NI)
|
2010-12-17 12:44:39 +08:00
|
|
|
checker->GR_evalDeadSymbols(*DstSet, *Builder, *this, currentStmt,
|
Add (initial?) static analyzer support for handling C++ references.
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
llvm-svn: 91501
2009-12-16 11:18:58 +08:00
|
|
|
*NI, SymReaper, tag);
|
2009-11-13 14:53:04 +08:00
|
|
|
SrcSet = DstSet;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2008-04-25 07:35:58 +08:00
|
|
|
if (!Builder->BuildSinks && !Builder->HasGeneratedNode)
|
|
|
|
|
Tmp.Add(EntryNode);
|
2008-04-25 02:31:42 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-25 07:35:58 +08:00
|
|
|
bool HasAutoGenerated = false;
|
|
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) {
|
|
|
|
|
ExplodedNodeSet Dst;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
|
// Set the cleaned state.
|
2008-04-25 07:35:58 +08:00
|
|
|
Builder->SetCleanedState(*I == EntryNode ? CleanedState : GetState(*I));
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
|
// Visit the statement.
|
2010-12-17 12:44:39 +08:00
|
|
|
Visit(currentStmt, *I, Dst);
|
2008-04-25 07:35:58 +08:00
|
|
|
|
|
|
|
|
// Do we need to auto-generate a node? We only need to do this to generate
|
2010-12-23 02:53:44 +08:00
|
|
|
// a node with a "cleaned" state; CoreEngine will actually handle
|
2009-09-09 23:08:12 +08:00
|
|
|
// auto-transitions for other cases.
|
2008-04-25 07:35:58 +08:00
|
|
|
if (Dst.size() == 1 && *Dst.begin() == EntryNode
|
|
|
|
|
&& !Builder->HasGeneratedNode && !HasAutoGenerated) {
|
|
|
|
|
HasAutoGenerated = true;
|
2010-12-17 12:44:39 +08:00
|
|
|
builder.generateNode(currentStmt, GetState(EntryNode), *I);
|
2008-04-25 07:35:58 +08:00
|
|
|
}
|
2008-04-25 02:31:42 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
// NULL out these variables to cleanup.
|
2008-04-25 07:35:58 +08:00
|
|
|
CleanedState = NULL;
|
|
|
|
|
EntryNode = NULL;
|
2008-07-18 05:27:31 +08:00
|
|
|
|
2010-12-17 12:44:39 +08:00
|
|
|
currentStmt = 0;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
Builder = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::ProcessInitializer(const CFGInitializer Init,
|
|
|
|
|
StmtNodeBuilder &builder) {
|
2010-12-17 12:44:39 +08:00
|
|
|
// We don't set EntryNode and currentStmt. And we don't clean up state.
|
2011-01-09 04:30:50 +08:00
|
|
|
const CXXCtorInitializer *BMI = Init.getInitializer();
|
2010-11-16 15:52:17 +08:00
|
|
|
|
|
|
|
|
ExplodedNode *Pred = builder.getBasePredecessor();
|
|
|
|
|
const LocationContext *LC = Pred->getLocationContext();
|
|
|
|
|
|
2010-12-04 17:14:42 +08:00
|
|
|
if (BMI->isAnyMemberInitializer()) {
|
2010-11-16 15:52:17 +08:00
|
|
|
ExplodedNodeSet Dst;
|
|
|
|
|
|
|
|
|
|
// Evaluate the initializer.
|
|
|
|
|
Visit(BMI->getInit(), Pred, Dst);
|
|
|
|
|
|
|
|
|
|
for (ExplodedNodeSet::iterator I = Dst.begin(), E = Dst.end(); I != E; ++I){
|
|
|
|
|
ExplodedNode *Pred = *I;
|
|
|
|
|
const GRState *state = Pred->getState();
|
|
|
|
|
|
2010-12-04 17:14:42 +08:00
|
|
|
const FieldDecl *FD = BMI->getAnyMember();
|
2010-11-16 15:52:17 +08:00
|
|
|
const RecordDecl *RD = FD->getParent();
|
|
|
|
|
const CXXThisRegion *ThisR = getCXXThisRegion(cast<CXXRecordDecl>(RD),
|
|
|
|
|
cast<StackFrameContext>(LC));
|
|
|
|
|
|
|
|
|
|
SVal ThisV = state->getSVal(ThisR);
|
|
|
|
|
SVal FieldLoc = state->getLValue(FD, ThisV);
|
|
|
|
|
SVal InitVal = state->getSVal(BMI->getInit());
|
|
|
|
|
state = state->bindLoc(FieldLoc, InitVal);
|
|
|
|
|
|
|
|
|
|
// Use a custom node building process.
|
|
|
|
|
PostInitializer PP(BMI, LC);
|
|
|
|
|
// Builder automatically add the generated node to the deferred set,
|
|
|
|
|
// which are processed in the builder's dtor.
|
|
|
|
|
builder.generateNode(PP, state, Pred);
|
|
|
|
|
}
|
|
|
|
|
}
|
2010-11-15 16:48:43 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::ProcessImplicitDtor(const CFGImplicitDtor D,
|
|
|
|
|
StmtNodeBuilder &builder) {
|
2010-11-20 14:53:12 +08:00
|
|
|
Builder = &builder;
|
|
|
|
|
|
2010-11-17 17:16:19 +08:00
|
|
|
switch (D.getDtorKind()) {
|
|
|
|
|
case CFGElement::AutomaticObjectDtor:
|
|
|
|
|
ProcessAutomaticObjDtor(cast<CFGAutomaticObjDtor>(D), builder);
|
|
|
|
|
break;
|
|
|
|
|
case CFGElement::BaseDtor:
|
|
|
|
|
ProcessBaseDtor(cast<CFGBaseDtor>(D), builder);
|
|
|
|
|
break;
|
|
|
|
|
case CFGElement::MemberDtor:
|
|
|
|
|
ProcessMemberDtor(cast<CFGMemberDtor>(D), builder);
|
|
|
|
|
break;
|
|
|
|
|
case CFGElement::TemporaryDtor:
|
|
|
|
|
ProcessTemporaryDtor(cast<CFGTemporaryDtor>(D), builder);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
llvm_unreachable("Unexpected dtor kind.");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::ProcessAutomaticObjDtor(const CFGAutomaticObjDtor dtor,
|
|
|
|
|
StmtNodeBuilder &builder) {
|
2010-11-25 14:35:14 +08:00
|
|
|
ExplodedNode *pred = builder.getBasePredecessor();
|
|
|
|
|
const GRState *state = pred->getState();
|
|
|
|
|
const VarDecl *varDecl = dtor.getVarDecl();
|
|
|
|
|
|
|
|
|
|
QualType varType = varDecl->getType();
|
|
|
|
|
|
|
|
|
|
if (const ReferenceType *refType = varType->getAs<ReferenceType>())
|
|
|
|
|
varType = refType->getPointeeType();
|
|
|
|
|
|
|
|
|
|
const CXXRecordDecl *recordDecl = varType->getAsCXXRecordDecl();
|
|
|
|
|
assert(recordDecl && "get CXXRecordDecl fail");
|
|
|
|
|
const CXXDestructorDecl *dtorDecl = recordDecl->getDestructor();
|
2010-11-20 14:53:12 +08:00
|
|
|
|
2010-11-25 14:35:14 +08:00
|
|
|
Loc dest = state->getLValue(varDecl, pred->getLocationContext());
|
2010-11-20 14:53:12 +08:00
|
|
|
|
2010-11-25 14:35:14 +08:00
|
|
|
ExplodedNodeSet dstSet;
|
|
|
|
|
VisitCXXDestructor(dtorDecl, cast<loc::MemRegionVal>(dest).getRegion(),
|
|
|
|
|
dtor.getTriggerStmt(), pred, dstSet);
|
2010-11-17 17:16:19 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::ProcessBaseDtor(const CFGBaseDtor D,
|
|
|
|
|
StmtNodeBuilder &builder) {
|
2010-11-17 17:16:19 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::ProcessMemberDtor(const CFGMemberDtor D,
|
|
|
|
|
StmtNodeBuilder &builder) {
|
2010-11-17 17:16:19 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::ProcessTemporaryDtor(const CFGTemporaryDtor D,
|
|
|
|
|
StmtNodeBuilder &builder) {
|
2010-11-15 16:48:43 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::Visit(const Stmt* S, ExplodedNode* Pred,
|
2010-07-20 14:22:24 +08:00
|
|
|
ExplodedNodeSet& Dst) {
|
2009-03-11 10:41:36 +08:00
|
|
|
PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
|
|
|
|
|
S->getLocStart(),
|
|
|
|
|
"Error evaluating statement");
|
|
|
|
|
|
2010-12-04 11:47:34 +08:00
|
|
|
// Expressions to ignore.
|
|
|
|
|
if (const Expr *Ex = dyn_cast<Expr>(S))
|
2010-12-16 15:46:53 +08:00
|
|
|
S = Ex->IgnoreParens();
|
2010-12-04 11:47:34 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
// FIXME: add metadata to the CFG so that we can disable
|
|
|
|
|
// this check when we KNOW that there is no block-level subexpression.
|
|
|
|
|
// The motivation is that this check requires a hashtable lookup.
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-17 12:44:39 +08:00
|
|
|
if (S != currentStmt && Pred->getLocationContext()->getCFG()->isBlkExpr(S)) {
|
2008-04-16 07:06:53 +08:00
|
|
|
Dst.Add(Pred);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
switch (S->getStmtClass()) {
|
2009-12-15 09:38:04 +08:00
|
|
|
// C++ stuff we don't support yet.
|
2010-04-16 01:33:31 +08:00
|
|
|
case Stmt::CXXBindTemporaryExprClass:
|
|
|
|
|
case Stmt::CXXCatchStmtClass:
|
2009-12-15 09:38:04 +08:00
|
|
|
case Stmt::CXXDefaultArgExprClass:
|
2010-04-16 01:33:31 +08:00
|
|
|
case Stmt::CXXDependentScopeMemberExprClass:
|
2010-12-06 16:20:24 +08:00
|
|
|
case Stmt::ExprWithCleanupsClass:
|
2010-04-16 01:33:31 +08:00
|
|
|
case Stmt::CXXNullPtrLiteralExprClass:
|
|
|
|
|
case Stmt::CXXPseudoDestructorExprClass:
|
2009-12-15 09:38:04 +08:00
|
|
|
case Stmt::CXXTemporaryObjectExprClass:
|
2010-04-16 01:33:31 +08:00
|
|
|
case Stmt::CXXThrowExprClass:
|
|
|
|
|
case Stmt::CXXTryStmtClass:
|
|
|
|
|
case Stmt::CXXTypeidExprClass:
|
2010-09-09 07:47:05 +08:00
|
|
|
case Stmt::CXXUuidofExprClass:
|
2009-12-15 09:38:04 +08:00
|
|
|
case Stmt::CXXUnresolvedConstructExprClass:
|
2010-07-08 14:14:04 +08:00
|
|
|
case Stmt::CXXScalarValueInitExprClass:
|
2010-04-16 01:33:31 +08:00
|
|
|
case Stmt::DependentScopeDeclRefExprClass:
|
|
|
|
|
case Stmt::UnaryTypeTraitExprClass:
|
2010-12-07 08:08:36 +08:00
|
|
|
case Stmt::BinaryTypeTraitExprClass:
|
2010-04-16 01:33:31 +08:00
|
|
|
case Stmt::UnresolvedLookupExprClass:
|
2009-12-15 09:38:04 +08:00
|
|
|
case Stmt::UnresolvedMemberExprClass:
|
2010-09-11 04:55:54 +08:00
|
|
|
case Stmt::CXXNoexceptExprClass:
|
2011-01-04 01:17:50 +08:00
|
|
|
case Stmt::PackExpansionExprClass:
|
2010-04-16 01:33:31 +08:00
|
|
|
{
|
2009-12-15 09:38:04 +08:00
|
|
|
SaveAndRestore<bool> OldSink(Builder->BuildSinks);
|
|
|
|
|
Builder->BuildSinks = true;
|
|
|
|
|
MakeNode(Dst, S, Pred, GetState(Pred));
|
|
|
|
|
break;
|
|
|
|
|
}
|
2010-12-04 11:47:34 +08:00
|
|
|
|
|
|
|
|
case Stmt::ParenExprClass:
|
|
|
|
|
llvm_unreachable("ParenExprs already handled.");
|
2010-04-16 01:33:31 +08:00
|
|
|
// Cases that should never be evaluated simply because they shouldn't
|
|
|
|
|
// appear in the CFG.
|
|
|
|
|
case Stmt::BreakStmtClass:
|
|
|
|
|
case Stmt::CaseStmtClass:
|
|
|
|
|
case Stmt::CompoundStmtClass:
|
|
|
|
|
case Stmt::ContinueStmtClass:
|
|
|
|
|
case Stmt::DefaultStmtClass:
|
|
|
|
|
case Stmt::DoStmtClass:
|
|
|
|
|
case Stmt::GotoStmtClass:
|
|
|
|
|
case Stmt::IndirectGotoStmtClass:
|
|
|
|
|
case Stmt::LabelStmtClass:
|
|
|
|
|
case Stmt::NoStmtClass:
|
|
|
|
|
case Stmt::NullStmtClass:
|
|
|
|
|
case Stmt::SwitchCaseClass:
|
2010-11-16 07:31:06 +08:00
|
|
|
case Stmt::OpaqueValueExprClass:
|
2010-04-16 01:33:31 +08:00
|
|
|
llvm_unreachable("Stmt should not be in analyzer evaluation loop");
|
|
|
|
|
break;
|
|
|
|
|
|
2010-06-23 03:05:10 +08:00
|
|
|
case Stmt::GNUNullExprClass: {
|
2010-12-02 15:49:45 +08:00
|
|
|
MakeNode(Dst, S, Pred, GetState(Pred)->BindExpr(S, svalBuilder.makeNull()));
|
2010-06-23 03:05:10 +08:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2010-09-10 11:05:33 +08:00
|
|
|
case Stmt::ObjCAtSynchronizedStmtClass:
|
|
|
|
|
VisitObjCAtSynchronizedStmt(cast<ObjCAtSynchronizedStmt>(S), Pred, Dst);
|
|
|
|
|
break;
|
|
|
|
|
|
2010-04-16 01:33:31 +08:00
|
|
|
// Cases not handled yet; but will handle some day.
|
|
|
|
|
case Stmt::DesignatedInitExprClass:
|
|
|
|
|
case Stmt::ExtVectorElementExprClass:
|
|
|
|
|
case Stmt::ImaginaryLiteralClass:
|
|
|
|
|
case Stmt::ImplicitValueInitExprClass:
|
|
|
|
|
case Stmt::ObjCAtCatchStmtClass:
|
|
|
|
|
case Stmt::ObjCAtFinallyStmtClass:
|
|
|
|
|
case Stmt::ObjCAtTryStmtClass:
|
|
|
|
|
case Stmt::ObjCEncodeExprClass:
|
|
|
|
|
case Stmt::ObjCIsaExprClass:
|
|
|
|
|
case Stmt::ObjCPropertyRefExprClass:
|
|
|
|
|
case Stmt::ObjCProtocolExprClass:
|
|
|
|
|
case Stmt::ObjCSelectorExprClass:
|
|
|
|
|
case Stmt::ObjCStringLiteralClass:
|
|
|
|
|
case Stmt::ParenListExprClass:
|
|
|
|
|
case Stmt::PredefinedExprClass:
|
|
|
|
|
case Stmt::ShuffleVectorExprClass:
|
|
|
|
|
case Stmt::VAArgExprClass:
|
|
|
|
|
// Fall through.
|
|
|
|
|
|
|
|
|
|
// Cases we intentionally don't evaluate, since they don't need
|
|
|
|
|
// to be explicitly evaluated.
|
2010-04-13 21:15:19 +08:00
|
|
|
case Stmt::AddrLabelExprClass:
|
|
|
|
|
case Stmt::IntegerLiteralClass:
|
|
|
|
|
case Stmt::CharacterLiteralClass:
|
2010-04-14 14:29:29 +08:00
|
|
|
case Stmt::CXXBoolLiteralExprClass:
|
2010-04-13 21:15:19 +08:00
|
|
|
case Stmt::FloatingLiteralClass:
|
2011-01-05 02:46:34 +08:00
|
|
|
case Stmt::SizeOfPackExprClass:
|
2008-04-16 07:06:53 +08:00
|
|
|
Dst.Add(Pred); // No-op. Simply propagate the current state unchanged.
|
|
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-22 12:56:29 +08:00
|
|
|
case Stmt::ArraySubscriptExprClass:
|
2010-12-16 15:46:53 +08:00
|
|
|
VisitLvalArraySubscriptExpr(cast<ArraySubscriptExpr>(S), Pred, Dst);
|
2008-04-22 12:56:29 +08:00
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
case Stmt::AsmStmtClass:
|
|
|
|
|
VisitAsmStmt(cast<AsmStmt>(S), Pred, Dst);
|
|
|
|
|
break;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2010-12-16 15:46:53 +08:00
|
|
|
case Stmt::BlockDeclRefExprClass: {
|
|
|
|
|
const BlockDeclRefExpr *BE = cast<BlockDeclRefExpr>(S);
|
|
|
|
|
VisitCommonDeclRefExpr(BE, BE->getDecl(), Pred, Dst);
|
2009-12-08 06:05:27 +08:00
|
|
|
break;
|
2010-12-16 15:46:53 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-25 09:33:13 +08:00
|
|
|
case Stmt::BlockExprClass:
|
|
|
|
|
VisitBlockExpr(cast<BlockExpr>(S), Pred, Dst);
|
|
|
|
|
break;
|
|
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
case Stmt::BinaryOperatorClass: {
|
2010-07-20 14:22:24 +08:00
|
|
|
const BinaryOperator* B = cast<BinaryOperator>(S);
|
2008-04-16 07:06:53 +08:00
|
|
|
if (B->isLogicalOp()) {
|
|
|
|
|
VisitLogicalExpr(B, Pred, Dst);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2010-08-25 19:45:40 +08:00
|
|
|
else if (B->getOpcode() == BO_Comma) {
|
2009-02-13 09:45:31 +08:00
|
|
|
const GRState* state = GetState(Pred);
|
2010-02-09 00:18:51 +08:00
|
|
|
MakeNode(Dst, B, Pred, state->BindExpr(B, state->getSVal(B->getRHS())));
|
2008-04-16 07:06:53 +08:00
|
|
|
break;
|
|
|
|
|
}
|
2008-11-15 03:47:18 +08:00
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
if (AMgr.shouldEagerlyAssume() &&
|
2009-12-16 19:27:52 +08:00
|
|
|
(B->isRelationalOp() || B->isEqualityOp())) {
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2010-12-16 15:46:53 +08:00
|
|
|
VisitBinaryOperator(cast<BinaryOperator>(S), Pred, Tmp);
|
2010-12-02 05:57:22 +08:00
|
|
|
evalEagerlyAssume(Dst, Tmp, cast<Expr>(S));
|
2009-02-26 06:32:02 +08:00
|
|
|
}
|
|
|
|
|
else
|
2010-12-16 15:46:53 +08:00
|
|
|
VisitBinaryOperator(cast<BinaryOperator>(S), Pred, Dst);
|
2009-02-26 06:32:02 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
break;
|
|
|
|
|
}
|
2008-11-15 03:47:18 +08:00
|
|
|
|
2010-11-18 14:29:23 +08:00
|
|
|
case Stmt::CallExprClass: {
|
2010-07-20 14:22:24 +08:00
|
|
|
const CallExpr* C = cast<CallExpr>(S);
|
2010-12-16 15:46:53 +08:00
|
|
|
VisitCall(C, Pred, C->arg_begin(), C->arg_end(), Dst);
|
2008-11-15 03:47:18 +08:00
|
|
|
break;
|
2008-04-16 07:06:53 +08:00
|
|
|
}
|
2008-11-15 03:47:18 +08:00
|
|
|
|
2010-11-01 17:09:44 +08:00
|
|
|
case Stmt::CXXConstructExprClass: {
|
|
|
|
|
const CXXConstructExpr *C = cast<CXXConstructExpr>(S);
|
|
|
|
|
// For block-level CXXConstructExpr, we don't have a destination region.
|
|
|
|
|
// Let VisitCXXConstructExpr() create one.
|
2010-12-16 15:46:53 +08:00
|
|
|
VisitCXXConstructExpr(C, 0, Pred, Dst);
|
2010-11-01 17:09:44 +08:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2010-04-01 15:58:50 +08:00
|
|
|
case Stmt::CXXMemberCallExprClass: {
|
2010-07-20 14:22:24 +08:00
|
|
|
const CXXMemberCallExpr *MCE = cast<CXXMemberCallExpr>(S);
|
2010-04-01 15:58:50 +08:00
|
|
|
VisitCXXMemberCallExpr(MCE, Pred, Dst);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2010-11-18 14:29:23 +08:00
|
|
|
case Stmt::CXXOperatorCallExprClass: {
|
|
|
|
|
const CXXOperatorCallExpr *C = cast<CXXOperatorCallExpr>(S);
|
|
|
|
|
VisitCXXOperatorCallExpr(C, Pred, Dst);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2010-04-19 19:47:28 +08:00
|
|
|
case Stmt::CXXNewExprClass: {
|
2010-07-20 14:22:24 +08:00
|
|
|
const CXXNewExpr *NE = cast<CXXNewExpr>(S);
|
2010-04-19 19:47:28 +08:00
|
|
|
VisitCXXNewExpr(NE, Pred, Dst);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2010-04-21 10:17:31 +08:00
|
|
|
case Stmt::CXXDeleteExprClass: {
|
2010-07-20 14:22:24 +08:00
|
|
|
const CXXDeleteExpr *CDE = cast<CXXDeleteExpr>(S);
|
2010-04-21 10:17:31 +08:00
|
|
|
VisitCXXDeleteExpr(CDE, Pred, Dst);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2008-04-16 07:06:53 +08:00
|
|
|
// FIXME: ChooseExpr is really a constant. We need to fix
|
|
|
|
|
// the CFG do not model them as explicit control-flow.
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
case Stmt::ChooseExprClass: { // __builtin_choose_expr
|
2010-07-20 14:22:24 +08:00
|
|
|
const ChooseExpr* C = cast<ChooseExpr>(S);
|
2008-04-16 07:06:53 +08:00
|
|
|
VisitGuardedExpr(C, C->getLHS(), C->getRHS(), Pred, Dst);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
case Stmt::CompoundAssignOperatorClass:
|
2010-12-16 15:46:53 +08:00
|
|
|
VisitBinaryOperator(cast<BinaryOperator>(S), Pred, Dst);
|
2008-04-16 07:06:53 +08:00
|
|
|
break;
|
2008-11-07 18:38:33 +08:00
|
|
|
|
|
|
|
|
case Stmt::CompoundLiteralExprClass:
|
2010-12-16 15:46:53 +08:00
|
|
|
VisitCompoundLiteralExpr(cast<CompoundLiteralExpr>(S), Pred, Dst);
|
2008-11-07 18:38:33 +08:00
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
case Stmt::ConditionalOperatorClass: { // '?' operator
|
2010-07-20 14:22:24 +08:00
|
|
|
const ConditionalOperator* C = cast<ConditionalOperator>(S);
|
2008-04-16 07:06:53 +08:00
|
|
|
VisitGuardedExpr(C, C->getLHS(), C->getRHS(), Pred, Dst);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-12-16 19:27:52 +08:00
|
|
|
case Stmt::CXXThisExprClass:
|
|
|
|
|
VisitCXXThisExpr(cast<CXXThisExpr>(S), Pred, Dst);
|
|
|
|
|
break;
|
|
|
|
|
|
2010-12-16 15:46:53 +08:00
|
|
|
case Stmt::DeclRefExprClass: {
|
|
|
|
|
const DeclRefExpr *DE = cast<DeclRefExpr>(S);
|
|
|
|
|
VisitCommonDeclRefExpr(DE, DE->getDecl(), Pred, Dst);
|
2008-04-16 07:06:53 +08:00
|
|
|
break;
|
2010-12-16 15:46:53 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
case Stmt::DeclStmtClass:
|
|
|
|
|
VisitDeclStmt(cast<DeclStmt>(S), Pred, Dst);
|
|
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-12-24 09:49:25 +08:00
|
|
|
case Stmt::ForStmtClass:
|
|
|
|
|
// This case isn't for branch processing, but for handling the
|
|
|
|
|
// initialization of a condition variable.
|
|
|
|
|
VisitCondInit(cast<ForStmt>(S)->getConditionVariable(), S, Pred, Dst);
|
2010-02-16 07:02:46 +08:00
|
|
|
break;
|
2009-12-24 09:49:25 +08:00
|
|
|
|
2008-08-19 07:01:59 +08:00
|
|
|
case Stmt::ImplicitCastExprClass:
|
2010-04-13 20:38:32 +08:00
|
|
|
case Stmt::CStyleCastExprClass:
|
|
|
|
|
case Stmt::CXXStaticCastExprClass:
|
|
|
|
|
case Stmt::CXXDynamicCastExprClass:
|
|
|
|
|
case Stmt::CXXReinterpretCastExprClass:
|
|
|
|
|
case Stmt::CXXConstCastExprClass:
|
|
|
|
|
case Stmt::CXXFunctionalCastExprClass: {
|
2010-07-20 14:22:24 +08:00
|
|
|
const CastExpr* C = cast<CastExpr>(S);
|
2010-12-16 15:46:53 +08:00
|
|
|
VisitCast(C, C->getSubExpr(), Pred, Dst);
|
2008-04-16 07:06:53 +08:00
|
|
|
break;
|
|
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-23 12:49:01 +08:00
|
|
|
case Stmt::IfStmtClass:
|
|
|
|
|
// This case isn't for branch processing, but for handling the
|
|
|
|
|
// initialization of a condition variable.
|
2009-12-24 08:40:03 +08:00
|
|
|
VisitCondInit(cast<IfStmt>(S)->getConditionVariable(), S, Pred, Dst);
|
2009-12-23 12:49:01 +08:00
|
|
|
break;
|
2008-10-30 13:02:23 +08:00
|
|
|
|
|
|
|
|
case Stmt::InitListExprClass:
|
|
|
|
|
VisitInitListExpr(cast<InitListExpr>(S), Pred, Dst);
|
|
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-10-17 08:03:18 +08:00
|
|
|
case Stmt::MemberExprClass:
|
2010-12-16 15:46:53 +08:00
|
|
|
VisitMemberExpr(cast<MemberExpr>(S), Pred, Dst);
|
2008-04-22 07:43:38 +08:00
|
|
|
break;
|
2008-10-17 08:03:18 +08:00
|
|
|
case Stmt::ObjCIvarRefExprClass:
|
2010-12-16 15:46:53 +08:00
|
|
|
VisitLvalObjCIvarRefExpr(cast<ObjCIvarRefExpr>(S), Pred, Dst);
|
2008-10-17 08:03:18 +08:00
|
|
|
break;
|
2008-11-13 03:24:17 +08:00
|
|
|
|
|
|
|
|
case Stmt::ObjCForCollectionStmtClass:
|
|
|
|
|
VisitObjCForCollectionStmt(cast<ObjCForCollectionStmt>(S), Pred, Dst);
|
|
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-12-23 06:13:46 +08:00
|
|
|
case Stmt::ObjCMessageExprClass:
|
2010-12-16 15:46:53 +08:00
|
|
|
VisitObjCMessageExpr(cast<ObjCMessageExpr>(S), Pred, Dst);
|
2008-04-16 07:06:53 +08:00
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-12-10 04:18:58 +08:00
|
|
|
case Stmt::ObjCAtThrowStmtClass: {
|
|
|
|
|
// FIXME: This is not complete. We basically treat @throw as
|
|
|
|
|
// an abort.
|
|
|
|
|
SaveAndRestore<bool> OldSink(Builder->BuildSinks);
|
|
|
|
|
Builder->BuildSinks = true;
|
|
|
|
|
MakeNode(Dst, S, Pred, GetState(Pred));
|
|
|
|
|
break;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-30 05:04:26 +08:00
|
|
|
case Stmt::ReturnStmtClass:
|
|
|
|
|
VisitReturnStmt(cast<ReturnStmt>(S), Pred, Dst);
|
|
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
Completely reimplement __builtin_offsetof, based on a patch by Roberto
Amadini.
This change introduces a new expression node type, OffsetOfExpr, that
describes __builtin_offsetof. Previously, __builtin_offsetof was
implemented using a unary operator whose subexpression involved
various synthesized array-subscript and member-reference expressions,
which was ugly and made it very hard to instantiate as a
template. OffsetOfExpr represents the AST more faithfully, with proper
type source information and a more compact representation.
OffsetOfExpr also has support for dependent __builtin_offsetof
expressions; it can be value-dependent, but will never be
type-dependent (like sizeof or alignof). This commit introduces
template instantiation for __builtin_offsetof as well.
There are two major caveats to this patch:
1) CodeGen cannot handle the case where __builtin_offsetof is not a
constant expression, so it produces an error. So, to avoid
regressing in C, we retain the old UnaryOperator-based
__builtin_offsetof implementation in C while using the shiny new
OffsetOfExpr implementation in C++. The old implementation can go
away once we have proper CodeGen support for this case, which we
expect won't cause much trouble in C++.
2) __builtin_offsetof doesn't work well with non-POD class types,
particularly when the designated field is found within a base
class. I will address this in a subsequent patch.
Fixes PR5880 and a bunch of assertions when building Boost.Python
tests.
llvm-svn: 102542
2010-04-29 06:16:22 +08:00
|
|
|
case Stmt::OffsetOfExprClass:
|
|
|
|
|
VisitOffsetOfExpr(cast<OffsetOfExpr>(S), Pred, Dst);
|
|
|
|
|
break;
|
|
|
|
|
|
2008-11-12 01:56:53 +08:00
|
|
|
case Stmt::SizeOfAlignOfExprClass:
|
|
|
|
|
VisitSizeOfAlignOfExpr(cast<SizeOfAlignOfExpr>(S), Pred, Dst);
|
2008-04-16 07:06:53 +08:00
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
case Stmt::StmtExprClass: {
|
2010-07-20 14:22:24 +08:00
|
|
|
const StmtExpr* SE = cast<StmtExpr>(S);
|
2009-02-14 13:55:08 +08:00
|
|
|
|
|
|
|
|
if (SE->getSubStmt()->body_empty()) {
|
|
|
|
|
// Empty statement expression.
|
|
|
|
|
assert(SE->getType() == getContext().VoidTy
|
|
|
|
|
&& "Empty statement expression must have void type.");
|
|
|
|
|
Dst.Add(Pred);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-02-14 13:55:08 +08:00
|
|
|
if (Expr* LastExpr = dyn_cast<Expr>(*SE->getSubStmt()->body_rbegin())) {
|
|
|
|
|
const GRState* state = GetState(Pred);
|
2010-02-09 00:18:51 +08:00
|
|
|
MakeNode(Dst, SE, Pred, state->BindExpr(SE, state->getSVal(LastExpr)));
|
2009-02-14 13:55:08 +08:00
|
|
|
}
|
2008-04-16 07:06:53 +08:00
|
|
|
else
|
|
|
|
|
Dst.Add(Pred);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
break;
|
|
|
|
|
}
|
2008-11-30 13:49:49 +08:00
|
|
|
|
2010-12-16 15:46:53 +08:00
|
|
|
case Stmt::StringLiteralClass: {
|
|
|
|
|
const GRState* state = GetState(Pred);
|
|
|
|
|
SVal V = state->getLValue(cast<StringLiteral>(S));
|
|
|
|
|
MakeNode(Dst, S, Pred, state->BindExpr(S, V));
|
|
|
|
|
return;
|
|
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-24 08:40:03 +08:00
|
|
|
case Stmt::SwitchStmtClass:
|
|
|
|
|
// This case isn't for branch processing, but for handling the
|
|
|
|
|
// initialization of a condition variable.
|
|
|
|
|
VisitCondInit(cast<SwitchStmt>(S)->getConditionVariable(), S, Pred, Dst);
|
|
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-03-19 07:49:26 +08:00
|
|
|
case Stmt::UnaryOperatorClass: {
|
2010-07-20 14:22:24 +08:00
|
|
|
const UnaryOperator *U = cast<UnaryOperator>(S);
|
2010-08-25 19:45:40 +08:00
|
|
|
if (AMgr.shouldEagerlyAssume()&&(U->getOpcode() == UO_LNot)) {
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2010-12-16 15:46:53 +08:00
|
|
|
VisitUnaryOperator(U, Pred, Tmp);
|
2010-12-02 05:57:22 +08:00
|
|
|
evalEagerlyAssume(Dst, Tmp, U);
|
2009-03-19 07:49:26 +08:00
|
|
|
}
|
|
|
|
|
else
|
2010-12-16 15:46:53 +08:00
|
|
|
VisitUnaryOperator(U, Pred, Dst);
|
2008-04-30 05:04:26 +08:00
|
|
|
break;
|
2009-03-19 07:49:26 +08:00
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-24 08:54:56 +08:00
|
|
|
case Stmt::WhileStmtClass:
|
|
|
|
|
// This case isn't for branch processing, but for handling the
|
|
|
|
|
// initialization of a condition variable.
|
|
|
|
|
VisitCondInit(cast<WhileStmt>(S)->getConditionVariable(), S, Pred, Dst);
|
2010-02-16 07:02:46 +08:00
|
|
|
break;
|
2008-04-30 05:04:26 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Block entrance. (Update counters).
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2011-01-11 14:37:47 +08:00
|
|
|
void ExprEngine::processCFGBlockEntrance(ExplodedNodeSet &dstNodes,
|
|
|
|
|
GenericNodeBuilder<BlockEntrance> &nodeBuilder){
|
|
|
|
|
|
|
|
|
|
// FIXME: Refactor this into a checker.
|
|
|
|
|
const CFGBlock *block = nodeBuilder.getProgramPoint().getBlock();
|
|
|
|
|
ExplodedNode *pred = nodeBuilder.getPredecessor();
|
|
|
|
|
|
|
|
|
|
if (nodeBuilder.getBlockCounter().getNumVisited(
|
|
|
|
|
pred->getLocationContext()->getCurrentStackFrame(),
|
|
|
|
|
block->getBlockID()) >= AMgr.getMaxVisit()) {
|
|
|
|
|
|
|
|
|
|
static int tag = 0;
|
|
|
|
|
const BlockEntrance &BE = nodeBuilder.getProgramPoint();
|
|
|
|
|
BlockEntrance BE_tagged(BE.getBlock(), BE.getLocationContext(), &tag);
|
|
|
|
|
nodeBuilder.generateNode(pred->getState(), pred, BE_tagged, true);
|
|
|
|
|
}
|
2008-04-16 07:06:53 +08:00
|
|
|
}
|
|
|
|
|
|
2009-04-11 08:11:10 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Generic node creation.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
ExplodedNode* ExprEngine::MakeNode(ExplodedNodeSet& Dst, const Stmt* S,
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNode* Pred, const GRState* St,
|
|
|
|
|
ProgramPoint::Kind K, const void *tag) {
|
2010-12-23 02:53:44 +08:00
|
|
|
assert (Builder && "StmtNodeBuilder not present.");
|
2009-04-11 08:11:10 +08:00
|
|
|
SaveAndRestore<const void*> OldTag(Builder->Tag);
|
|
|
|
|
Builder->Tag = tag;
|
|
|
|
|
return Builder->MakeNode(Dst, S, Pred, St, K);
|
|
|
|
|
}
|
|
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Branch processing.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
const GRState* ExprEngine::MarkBranch(const GRState* state,
|
2010-07-20 14:22:24 +08:00
|
|
|
const Stmt* Terminator,
|
|
|
|
|
bool branchTaken) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-27 03:05:15 +08:00
|
|
|
switch (Terminator->getStmtClass()) {
|
|
|
|
|
default:
|
2009-02-13 09:45:31 +08:00
|
|
|
return state;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-27 03:05:15 +08:00
|
|
|
case Stmt::BinaryOperatorClass: { // '&&' and '||'
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
const BinaryOperator* B = cast<BinaryOperator>(Terminator);
|
2008-02-27 03:05:15 +08:00
|
|
|
BinaryOperator::Opcode Op = B->getOpcode();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-08-25 19:45:40 +08:00
|
|
|
assert (Op == BO_LAnd || Op == BO_LOr);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-27 03:05:15 +08:00
|
|
|
// For &&, if we take the true branch, then the value of the whole
|
|
|
|
|
// expression is that of the RHS expression.
|
|
|
|
|
//
|
|
|
|
|
// For ||, if we take the false branch, then the value of the whole
|
|
|
|
|
// expression is that of the RHS expression.
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-08-25 19:45:40 +08:00
|
|
|
const Expr* Ex = (Op == BO_LAnd && branchTaken) ||
|
|
|
|
|
(Op == BO_LOr && !branchTaken)
|
2010-07-20 14:22:24 +08:00
|
|
|
? B->getRHS() : B->getLHS();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-28 06:17:37 +08:00
|
|
|
return state->BindExpr(B, UndefinedVal(Ex));
|
2008-02-27 03:05:15 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-27 03:05:15 +08:00
|
|
|
case Stmt::ConditionalOperatorClass: { // ?:
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
const ConditionalOperator* C = cast<ConditionalOperator>(Terminator);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-27 03:05:15 +08:00
|
|
|
// For ?, if branchTaken == true then the value is either the LHS or
|
|
|
|
|
// the condition itself. (GNU extension).
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr* Ex;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-27 03:05:15 +08:00
|
|
|
if (branchTaken)
|
2009-09-09 23:08:12 +08:00
|
|
|
Ex = C->getLHS() ? C->getLHS() : C->getCond();
|
2008-02-27 03:05:15 +08:00
|
|
|
else
|
|
|
|
|
Ex = C->getRHS();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-28 06:17:37 +08:00
|
|
|
return state->BindExpr(C, UndefinedVal(Ex));
|
2008-02-27 03:05:15 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-27 03:05:15 +08:00
|
|
|
case Stmt::ChooseExprClass: { // ?:
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
const ChooseExpr* C = cast<ChooseExpr>(Terminator);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr* Ex = branchTaken ? C->getLHS() : C->getRHS();
|
2009-08-28 06:17:37 +08:00
|
|
|
return state->BindExpr(C, UndefinedVal(Ex));
|
2008-02-27 03:05:15 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2009-03-14 00:32:54 +08:00
|
|
|
/// RecoverCastedSymbol - A helper function for ProcessBranch that is used
|
|
|
|
|
/// to try to recover some path-sensitivity for casts of symbolic
|
|
|
|
|
/// integers that promote their values (which are currently not tracked well).
|
|
|
|
|
/// This function returns the SVal bound to Condition->IgnoreCasts if all the
|
|
|
|
|
// cast(s) did was sign-extend the original value.
|
|
|
|
|
static SVal RecoverCastedSymbol(GRStateManager& StateMgr, const GRState* state,
|
2010-07-20 14:22:24 +08:00
|
|
|
const Stmt* Condition, ASTContext& Ctx) {
|
2009-03-14 00:32:54 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr *Ex = dyn_cast<Expr>(Condition);
|
2009-03-14 00:32:54 +08:00
|
|
|
if (!Ex)
|
|
|
|
|
return UnknownVal();
|
|
|
|
|
|
|
|
|
|
uint64_t bits = 0;
|
|
|
|
|
bool bitsInit = false;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
while (const CastExpr *CE = dyn_cast<CastExpr>(Ex)) {
|
2009-03-14 00:32:54 +08:00
|
|
|
QualType T = CE->getType();
|
|
|
|
|
|
|
|
|
|
if (!T->isIntegerType())
|
|
|
|
|
return UnknownVal();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-03-14 00:32:54 +08:00
|
|
|
uint64_t newBits = Ctx.getTypeSize(T);
|
|
|
|
|
if (!bitsInit || newBits < bits) {
|
|
|
|
|
bitsInit = true;
|
|
|
|
|
bits = newBits;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-03-14 00:32:54 +08:00
|
|
|
Ex = CE->getSubExpr();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// We reached a non-cast. Is it a symbolic value?
|
|
|
|
|
QualType T = Ex->getType();
|
|
|
|
|
|
|
|
|
|
if (!bitsInit || !T->isIntegerType() || Ctx.getTypeSize(T) > bits)
|
|
|
|
|
return UnknownVal();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-02-09 00:18:51 +08:00
|
|
|
return state->getSVal(Ex);
|
2009-03-14 00:32:54 +08:00
|
|
|
}
|
|
|
|
|
|
2011-01-11 10:34:45 +08:00
|
|
|
void ExprEngine::processBranch(const Stmt* Condition, const Stmt* Term,
|
2010-12-23 02:53:44 +08:00
|
|
|
BranchNodeBuilder& builder) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-16 06:29:00 +08:00
|
|
|
// Check for NULL conditions; e.g. "for(;;)"
|
2009-09-09 23:08:12 +08:00
|
|
|
if (!Condition) {
|
2008-02-16 06:29:00 +08:00
|
|
|
builder.markInfeasible(false);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-03-11 11:54:24 +08:00
|
|
|
PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
|
|
|
|
|
Condition->getLocStart(),
|
|
|
|
|
"Error evaluating branch");
|
2009-08-27 09:39:13 +08:00
|
|
|
|
2009-11-23 11:20:54 +08:00
|
|
|
for (CheckersOrdered::iterator I=Checkers.begin(),E=Checkers.end();I!=E;++I) {
|
|
|
|
|
void *tag = I->first;
|
|
|
|
|
Checker *checker = I->second;
|
|
|
|
|
checker->VisitBranchCondition(builder, *this, Condition, tag);
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-23 11:20:54 +08:00
|
|
|
// If the branch condition is undefined, return;
|
|
|
|
|
if (!builder.isFeasible(true) && !builder.isFeasible(false))
|
|
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-23 11:20:54 +08:00
|
|
|
const GRState* PrevState = builder.getState();
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal X = PrevState->getSVal(Condition);
|
2008-01-31 07:03:39 +08:00
|
|
|
|
2009-11-23 11:20:54 +08:00
|
|
|
if (X.isUnknown()) {
|
|
|
|
|
// Give it a chance to recover from unknown.
|
|
|
|
|
if (const Expr *Ex = dyn_cast<Expr>(Condition)) {
|
|
|
|
|
if (Ex->getType()->isIntegerType()) {
|
|
|
|
|
// Try to recover some path-sensitivity. Right now casts of symbolic
|
|
|
|
|
// integers that promote their values are currently not tracked well.
|
|
|
|
|
// If 'Condition' is such an expression, try and recover the
|
|
|
|
|
// underlying value and use that instead.
|
|
|
|
|
SVal recovered = RecoverCastedSymbol(getStateManager(),
|
|
|
|
|
builder.getState(), Condition,
|
|
|
|
|
getContext());
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-23 11:20:54 +08:00
|
|
|
if (!recovered.isUnknown()) {
|
|
|
|
|
X = recovered;
|
|
|
|
|
}
|
2008-01-31 07:03:39 +08:00
|
|
|
}
|
2009-11-23 11:20:54 +08:00
|
|
|
}
|
|
|
|
|
// If the condition is still unknown, give up.
|
|
|
|
|
if (X.isUnknown()) {
|
|
|
|
|
builder.generateNode(MarkBranch(PrevState, Term, true), true);
|
|
|
|
|
builder.generateNode(MarkBranch(PrevState, Term, false), false);
|
2008-01-31 07:03:39 +08:00
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
}
|
2008-01-31 07:03:39 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-23 11:20:54 +08:00
|
|
|
DefinedSVal V = cast<DefinedSVal>(X);
|
|
|
|
|
|
2008-03-01 04:27:50 +08:00
|
|
|
// Process the true branch.
|
2009-07-21 02:44:36 +08:00
|
|
|
if (builder.isFeasible(true)) {
|
2010-12-02 06:16:56 +08:00
|
|
|
if (const GRState *state = PrevState->assume(V, true))
|
2009-07-21 02:44:36 +08:00
|
|
|
builder.generateNode(MarkBranch(state, Term, true), true);
|
|
|
|
|
else
|
|
|
|
|
builder.markInfeasible(true);
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
|
// Process the false branch.
|
2009-07-21 02:44:36 +08:00
|
|
|
if (builder.isFeasible(false)) {
|
2010-12-02 06:16:56 +08:00
|
|
|
if (const GRState *state = PrevState->assume(V, false))
|
2009-07-21 02:44:36 +08:00
|
|
|
builder.generateNode(MarkBranch(state, Term, false), false);
|
|
|
|
|
else
|
|
|
|
|
builder.markInfeasible(false);
|
|
|
|
|
}
|
2008-02-05 08:26:40 +08:00
|
|
|
}
|
|
|
|
|
|
2011-01-11 10:34:45 +08:00
|
|
|
/// processIndirectGoto - Called by CoreEngine. Used to generate successor
|
2008-02-13 08:24:44 +08:00
|
|
|
/// nodes by processing the 'effects' of a computed goto jump.
|
2011-01-11 10:34:45 +08:00
|
|
|
void ExprEngine::processIndirectGoto(IndirectGotoNodeBuilder& builder) {
|
2008-02-13 08:24:44 +08:00
|
|
|
|
2009-09-09 23:08:12 +08:00
|
|
|
const GRState *state = builder.getState();
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal V = state->getSVal(builder.getTarget());
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-13 08:24:44 +08:00
|
|
|
// Three possibilities:
|
|
|
|
|
//
|
|
|
|
|
// (1) We know the computed label.
|
2008-02-28 17:25:22 +08:00
|
|
|
// (2) The label is NULL (or some other constant), or Undefined.
|
2008-02-13 08:24:44 +08:00
|
|
|
// (3) We have no clue about the label. Dispatch to all targets.
|
|
|
|
|
//
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
typedef IndirectGotoNodeBuilder::iterator iterator;
|
2008-02-13 08:24:44 +08:00
|
|
|
|
2008-10-17 13:57:07 +08:00
|
|
|
if (isa<loc::GotoLabel>(V)) {
|
2010-07-20 14:22:24 +08:00
|
|
|
const LabelStmt* L = cast<loc::GotoLabel>(V).getLabel();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-13 08:24:44 +08:00
|
|
|
for (iterator I=builder.begin(), E=builder.end(); I != E; ++I) {
|
2008-02-14 01:27:37 +08:00
|
|
|
if (I.getLabel() == L) {
|
2009-02-13 09:45:31 +08:00
|
|
|
builder.generateNode(I, state);
|
2008-02-13 08:24:44 +08:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-13 08:24:44 +08:00
|
|
|
assert (false && "No block with label.");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2008-10-17 13:57:07 +08:00
|
|
|
if (isa<loc::ConcreteInt>(V) || isa<UndefinedVal>(V)) {
|
2008-02-13 08:24:44 +08:00
|
|
|
// Dispatch to the first target and mark it as a sink.
|
2009-11-24 15:06:39 +08:00
|
|
|
//ExplodedNode* N = builder.generateNode(builder.begin(), state, true);
|
|
|
|
|
// FIXME: add checker visit.
|
|
|
|
|
// UndefBranches.insert(N);
|
2008-02-13 08:24:44 +08:00
|
|
|
return;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-13 08:24:44 +08:00
|
|
|
// This is really a catch-all. We don't support symbolics yet.
|
2009-04-24 01:49:43 +08:00
|
|
|
// FIXME: Implement dispatch for symbolic pointers.
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-13 08:24:44 +08:00
|
|
|
for (iterator I=builder.begin(), E=builder.end(); I != E; ++I)
|
2009-02-13 09:45:31 +08:00
|
|
|
builder.generateNode(I, state);
|
2008-02-13 08:24:44 +08:00
|
|
|
}
|
2008-02-05 08:26:40 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitGuardedExpr(const Expr* Ex, const Expr* L,
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr* R,
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNode* Pred, ExplodedNodeSet& Dst) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-17 12:44:39 +08:00
|
|
|
assert(Ex == currentStmt &&
|
2009-12-16 19:27:52 +08:00
|
|
|
Pred->getLocationContext()->getCFG()->isBlkExpr(Ex));
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-02-13 09:45:31 +08:00
|
|
|
const GRState* state = GetState(Pred);
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal X = state->getSVal(Ex);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
assert (X.isUndef());
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr *SE = (Expr*) cast<UndefinedVal>(X).getData();
|
2009-09-09 23:08:12 +08:00
|
|
|
assert(SE);
|
2010-02-09 00:18:51 +08:00
|
|
|
X = state->getSVal(SE);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
// Make sure that we invalidate the previous binding.
|
2009-08-28 06:17:37 +08:00
|
|
|
MakeNode(Dst, Ex, Pred, state->BindExpr(Ex, X, true));
|
2008-04-16 07:06:53 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
/// ProcessEndPath - Called by CoreEngine. Used to generate end-of-path
|
2009-11-14 09:05:20 +08:00
|
|
|
/// nodes when the control reaches the end of a function.
|
2011-01-11 10:34:45 +08:00
|
|
|
void ExprEngine::processEndOfFunction(EndOfFunctionNodeBuilder& builder) {
|
2010-12-02 05:57:22 +08:00
|
|
|
getTF().evalEndPath(*this, builder);
|
2009-11-14 09:05:20 +08:00
|
|
|
StateMgr.EndPath(builder.getState());
|
2009-11-17 15:54:15 +08:00
|
|
|
for (CheckersOrdered::iterator I=Checkers.begin(),E=Checkers.end(); I!=E;++I){
|
|
|
|
|
void *tag = I->first;
|
|
|
|
|
Checker *checker = I->second;
|
2010-12-02 05:57:22 +08:00
|
|
|
checker->evalEndPath(builder, tag, *this);
|
2009-11-17 15:54:15 +08:00
|
|
|
}
|
2009-11-14 09:05:20 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
/// ProcessSwitch - Called by CoreEngine. Used to generate successor
|
2008-02-14 07:08:21 +08:00
|
|
|
/// nodes by processing the 'effects' of a switch statement.
|
2011-01-11 10:34:45 +08:00
|
|
|
void ExprEngine::processSwitch(SwitchNodeBuilder& builder) {
|
2010-12-23 02:53:44 +08:00
|
|
|
typedef SwitchNodeBuilder::iterator iterator;
|
2009-09-09 23:08:12 +08:00
|
|
|
const GRState* state = builder.getState();
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr* CondE = builder.getCondition();
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal CondV_untested = state->getSVal(CondE);
|
2008-02-14 07:08:21 +08:00
|
|
|
|
2009-09-12 06:07:28 +08:00
|
|
|
if (CondV_untested.isUndef()) {
|
2009-11-24 15:06:39 +08:00
|
|
|
//ExplodedNode* N = builder.generateDefaultCaseNode(state, true);
|
2010-02-16 07:02:46 +08:00
|
|
|
// FIXME: add checker
|
2009-11-24 15:06:39 +08:00
|
|
|
//UndefBranches.insert(N);
|
|
|
|
|
|
2008-02-14 07:08:21 +08:00
|
|
|
return;
|
|
|
|
|
}
|
2009-09-12 06:07:28 +08:00
|
|
|
DefinedOrUnknownSVal CondV = cast<DefinedOrUnknownSVal>(CondV_untested);
|
2008-02-19 06:57:02 +08:00
|
|
|
|
2009-09-12 06:07:28 +08:00
|
|
|
const GRState *DefaultSt = state;
|
2010-08-27 06:19:33 +08:00
|
|
|
|
|
|
|
|
iterator I = builder.begin(), EI = builder.end();
|
|
|
|
|
bool defaultIsFeasible = I == EI;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-08-27 06:19:33 +08:00
|
|
|
for ( ; I != EI; ++I) {
|
2010-08-27 06:04:01 +08:00
|
|
|
const CaseStmt* Case = I.getCase();
|
2009-01-17 09:54:16 +08:00
|
|
|
|
|
|
|
|
// Evaluate the LHS of the case value.
|
|
|
|
|
Expr::EvalResult V1;
|
2009-09-09 23:08:12 +08:00
|
|
|
bool b = Case->getLHS()->Evaluate(V1, getContext());
|
|
|
|
|
|
2009-01-17 09:54:16 +08:00
|
|
|
// Sanity checks. These go away in Release builds.
|
2009-09-09 23:08:12 +08:00
|
|
|
assert(b && V1.Val.isInt() && !V1.HasSideEffects
|
2009-01-17 09:54:16 +08:00
|
|
|
&& "Case condition must evaluate to an integer constant.");
|
2010-12-23 09:01:28 +08:00
|
|
|
(void)b; // silence unused variable warning
|
2009-09-09 23:08:12 +08:00
|
|
|
assert(V1.Val.getInt().getBitWidth() ==
|
2009-01-17 09:54:16 +08:00
|
|
|
getContext().getTypeSize(CondE->getType()));
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-14 07:08:21 +08:00
|
|
|
// Get the RHS of the case, if it exists.
|
2009-01-17 09:54:16 +08:00
|
|
|
Expr::EvalResult V2;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
if (const Expr* E = Case->getRHS()) {
|
2009-01-17 09:54:16 +08:00
|
|
|
b = E->Evaluate(V2, getContext());
|
2009-09-09 23:08:12 +08:00
|
|
|
assert(b && V2.Val.isInt() && !V2.HasSideEffects
|
2009-01-17 09:54:16 +08:00
|
|
|
&& "Case condition must evaluate to an integer constant.");
|
2010-12-23 09:01:28 +08:00
|
|
|
(void)b; // silence unused variable warning
|
2008-02-14 07:08:21 +08:00
|
|
|
}
|
2008-03-18 06:17:56 +08:00
|
|
|
else
|
|
|
|
|
V2 = V1;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-14 07:08:21 +08:00
|
|
|
// FIXME: Eventually we should replace the logic below with a range
|
|
|
|
|
// comparison, rather than concretize the values within the range.
|
2008-02-22 02:02:17 +08:00
|
|
|
// This should be easy once we have "ranges" for NonLVals.
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-03-18 06:17:56 +08:00
|
|
|
do {
|
2009-09-09 23:08:12 +08:00
|
|
|
nonloc::ConcreteInt CaseVal(getBasicVals().getValue(V1.Val.getInt()));
|
2010-12-02 05:57:22 +08:00
|
|
|
DefinedOrUnknownSVal Res = svalBuilder.evalEQ(DefaultSt ? DefaultSt : state,
|
2010-01-09 02:54:04 +08:00
|
|
|
CondV, CaseVal);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-09-09 23:08:12 +08:00
|
|
|
// Now "assume" that the case matches.
|
2010-12-02 06:16:56 +08:00
|
|
|
if (const GRState* stateNew = state->assume(Res, true)) {
|
2009-06-19 06:57:13 +08:00
|
|
|
builder.generateCaseStmtNode(I, stateNew);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-14 07:08:21 +08:00
|
|
|
// If CondV evaluates to a constant, then we know that this
|
|
|
|
|
// is the *only* case that we can take, so stop evaluating the
|
|
|
|
|
// others.
|
2008-10-17 13:57:07 +08:00
|
|
|
if (isa<nonloc::ConcreteInt>(CondV))
|
2008-02-14 07:08:21 +08:00
|
|
|
return;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-14 07:08:21 +08:00
|
|
|
// Now "assume" that the case doesn't match. Add this state
|
|
|
|
|
// to the default state (if it is feasible).
|
2010-01-09 02:54:04 +08:00
|
|
|
if (DefaultSt) {
|
2010-12-02 06:16:56 +08:00
|
|
|
if (const GRState *stateNew = DefaultSt->assume(Res, false)) {
|
2010-01-09 02:54:04 +08:00
|
|
|
defaultIsFeasible = true;
|
|
|
|
|
DefaultSt = stateNew;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
defaultIsFeasible = false;
|
|
|
|
|
DefaultSt = NULL;
|
|
|
|
|
}
|
2008-04-23 13:03:18 +08:00
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2008-03-18 06:17:56 +08:00
|
|
|
// Concretize the next value in the range.
|
2009-01-17 09:54:16 +08:00
|
|
|
if (V1.Val.getInt() == V2.Val.getInt())
|
2008-03-18 06:17:56 +08:00
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-01-17 09:54:16 +08:00
|
|
|
++V1.Val.getInt();
|
|
|
|
|
assert (V1.Val.getInt() <= V2.Val.getInt());
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-03-18 06:17:56 +08:00
|
|
|
} while (true);
|
2008-02-14 07:08:21 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-09-09 08:40:40 +08:00
|
|
|
if (!defaultIsFeasible)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// If we have switch(enum value), the default branch is not
|
|
|
|
|
// feasible if all of the enum constants not covered by 'case:' statements
|
|
|
|
|
// are not feasible values for the switch condition.
|
|
|
|
|
//
|
|
|
|
|
// Note that this isn't as accurate as it could be. Even if there isn't
|
|
|
|
|
// a case for a particular enum value as long as that enum value isn't
|
|
|
|
|
// feasible then it shouldn't be considered for making 'default:' reachable.
|
|
|
|
|
const SwitchStmt *SS = builder.getSwitch();
|
|
|
|
|
const Expr *CondExpr = SS->getCond()->IgnoreParenImpCasts();
|
|
|
|
|
if (CondExpr->getType()->getAs<EnumType>()) {
|
|
|
|
|
if (SS->isAllEnumCasesCovered())
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
builder.generateDefaultCaseNode(DefaultSt);
|
2008-02-14 07:08:21 +08:00
|
|
|
}
|
|
|
|
|
|
2011-01-11 10:34:45 +08:00
|
|
|
void ExprEngine::processCallEnter(CallEnterNodeBuilder &B) {
|
2010-11-24 16:53:20 +08:00
|
|
|
const GRState *state = B.getState()->EnterStackFrame(B.getCalleeContext());
|
2010-12-21 05:19:09 +08:00
|
|
|
B.generateNode(state);
|
2010-02-26 03:01:53 +08:00
|
|
|
}
|
|
|
|
|
|
2011-01-11 10:34:45 +08:00
|
|
|
void ExprEngine::processCallExit(CallExitNodeBuilder &B) {
|
2010-02-26 03:01:53 +08:00
|
|
|
const GRState *state = B.getState();
|
|
|
|
|
const ExplodedNode *Pred = B.getPredecessor();
|
2010-11-24 16:53:20 +08:00
|
|
|
const StackFrameContext *calleeCtx =
|
2010-02-26 03:01:53 +08:00
|
|
|
cast<StackFrameContext>(Pred->getLocationContext());
|
2010-11-24 16:53:20 +08:00
|
|
|
const Stmt *CE = calleeCtx->getCallSite();
|
2010-02-26 03:01:53 +08:00
|
|
|
|
2010-02-26 23:43:34 +08:00
|
|
|
// If the callee returns an expression, bind its value to CallExpr.
|
|
|
|
|
const Stmt *ReturnedExpr = state->get<ReturnExpr>();
|
|
|
|
|
if (ReturnedExpr) {
|
|
|
|
|
SVal RetVal = state->getSVal(ReturnedExpr);
|
|
|
|
|
state = state->BindExpr(CE, RetVal);
|
2010-03-23 16:09:29 +08:00
|
|
|
// Clear the return expr GDM.
|
2010-03-25 09:39:39 +08:00
|
|
|
state = state->remove<ReturnExpr>();
|
2010-02-26 23:43:34 +08:00
|
|
|
}
|
|
|
|
|
|
2010-03-23 17:13:17 +08:00
|
|
|
// Bind the constructed object value to CXXConstructExpr.
|
|
|
|
|
if (const CXXConstructExpr *CCE = dyn_cast<CXXConstructExpr>(CE)) {
|
2010-11-16 15:52:17 +08:00
|
|
|
const CXXThisRegion *ThisR =
|
2010-11-24 16:53:20 +08:00
|
|
|
getCXXThisRegion(CCE->getConstructor()->getParent(), calleeCtx);
|
2010-11-24 21:08:51 +08:00
|
|
|
|
2010-03-23 17:13:17 +08:00
|
|
|
SVal ThisV = state->getSVal(ThisR);
|
2010-12-22 15:20:27 +08:00
|
|
|
// Always bind the region to the CXXConstructExpr.
|
|
|
|
|
state = state->BindExpr(CCE, ThisV);
|
2010-03-23 17:13:17 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-21 05:19:09 +08:00
|
|
|
B.generateNode(state);
|
2010-02-26 03:01:53 +08:00
|
|
|
}
|
|
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Transfer functions: logical operations ('&&', '||').
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
2008-02-14 07:08:21 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitLogicalExpr(const BinaryOperator* B, ExplodedNode* Pred,
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet& Dst) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-08-25 19:45:40 +08:00
|
|
|
assert(B->getOpcode() == BO_LAnd ||
|
|
|
|
|
B->getOpcode() == BO_LOr);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-17 12:44:39 +08:00
|
|
|
assert(B==currentStmt && Pred->getLocationContext()->getCFG()->isBlkExpr(B));
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-02-13 09:45:31 +08:00
|
|
|
const GRState* state = GetState(Pred);
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal X = state->getSVal(B);
|
2009-06-20 01:10:32 +08:00
|
|
|
assert(X.isUndef());
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-09-12 06:07:28 +08:00
|
|
|
const Expr *Ex = (const Expr*) cast<UndefinedVal>(X).getData();
|
2009-06-20 01:10:32 +08:00
|
|
|
assert(Ex);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-27 03:05:15 +08:00
|
|
|
if (Ex == B->getRHS()) {
|
2010-02-09 00:18:51 +08:00
|
|
|
X = state->getSVal(Ex);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-28 17:25:22 +08:00
|
|
|
// Handle undefined values.
|
|
|
|
|
if (X.isUndef()) {
|
2009-08-28 06:17:37 +08:00
|
|
|
MakeNode(Dst, B, Pred, state->BindExpr(B, X));
|
2008-02-27 03:40:44 +08:00
|
|
|
return;
|
|
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-09-12 06:07:28 +08:00
|
|
|
DefinedOrUnknownSVal XD = cast<DefinedOrUnknownSVal>(X);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-27 03:05:15 +08:00
|
|
|
// We took the RHS. Because the value of the '&&' or '||' expression must
|
|
|
|
|
// evaluate to 0 or 1, we must assume the value of the RHS evaluates to 0
|
|
|
|
|
// or 1. Alternatively, we could take a lazy approach, and calculate this
|
|
|
|
|
// value later when necessary. We don't have the machinery in place for
|
|
|
|
|
// this right now, and since most logical expressions are used for branches,
|
2009-09-09 23:08:12 +08:00
|
|
|
// the payoff is not likely to be large. Instead, we do eager evaluation.
|
2010-12-02 06:16:56 +08:00
|
|
|
if (const GRState *newState = state->assume(XD, true))
|
2009-09-09 23:08:12 +08:00
|
|
|
MakeNode(Dst, B, Pred,
|
2010-12-02 15:49:45 +08:00
|
|
|
newState->BindExpr(B, svalBuilder.makeIntVal(1U, B->getType())));
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-02 06:16:56 +08:00
|
|
|
if (const GRState *newState = state->assume(XD, false))
|
2009-09-09 23:08:12 +08:00
|
|
|
MakeNode(Dst, B, Pred,
|
2010-12-02 15:49:45 +08:00
|
|
|
newState->BindExpr(B, svalBuilder.makeIntVal(0U, B->getType())));
|
2008-02-05 08:26:40 +08:00
|
|
|
}
|
|
|
|
|
else {
|
2008-02-27 03:05:15 +08:00
|
|
|
// We took the LHS expression. Depending on whether we are '&&' or
|
|
|
|
|
// '||' we know what the value of the expression is via properties of
|
|
|
|
|
// the short-circuiting.
|
2010-12-02 15:49:45 +08:00
|
|
|
X = svalBuilder.makeIntVal(B->getOpcode() == BO_LAnd ? 0U : 1U,
|
2009-06-23 17:02:15 +08:00
|
|
|
B->getType());
|
2009-08-28 06:17:37 +08:00
|
|
|
MakeNode(Dst, B, Pred, state->BindExpr(B, X));
|
2008-02-27 03:05:15 +08:00
|
|
|
}
|
2008-01-30 07:32:35 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
2008-04-17 02:39:06 +08:00
|
|
|
// Transfer functions: Loads and stores.
|
2008-04-16 07:06:53 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
2008-01-16 07:55:06 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitBlockExpr(const BlockExpr *BE, ExplodedNode *Pred,
|
2009-11-25 09:33:13 +08:00
|
|
|
ExplodedNodeSet &Dst) {
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-26 06:23:25 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-25 09:33:13 +08:00
|
|
|
CanQualType T = getContext().getCanonicalType(BE->getType());
|
2010-12-02 15:49:45 +08:00
|
|
|
SVal V = svalBuilder.getBlockPointer(BE->getBlockDecl(), T,
|
2009-11-26 07:53:07 +08:00
|
|
|
Pred->getLocationContext());
|
|
|
|
|
|
2009-11-26 06:23:25 +08:00
|
|
|
MakeNode(Tmp, BE, Pred, GetState(Pred)->BindExpr(BE, V),
|
2009-11-25 09:33:13 +08:00
|
|
|
ProgramPoint::PostLValueKind);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-26 06:23:25 +08:00
|
|
|
// Post-visit the BlockExpr.
|
2010-08-04 15:10:57 +08:00
|
|
|
CheckerVisit(BE, Dst, Tmp, PostVisitStmtCallback);
|
2009-11-25 09:33:13 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitCommonDeclRefExpr(const Expr *Ex, const NamedDecl *D,
|
|
|
|
|
ExplodedNode *Pred,
|
|
|
|
|
ExplodedNodeSet &Dst) {
|
2009-09-12 06:07:28 +08:00
|
|
|
const GRState *state = GetState(Pred);
|
2008-10-16 14:09:51 +08:00
|
|
|
|
|
|
|
|
if (const VarDecl* VD = dyn_cast<VarDecl>(D)) {
|
2010-12-16 15:46:53 +08:00
|
|
|
assert(Ex->isLValue());
|
2009-08-22 06:28:32 +08:00
|
|
|
SVal V = state->getLValue(VD, Pred->getLocationContext());
|
2008-10-17 10:20:14 +08:00
|
|
|
|
2010-12-16 15:46:53 +08:00
|
|
|
// For references, the 'lvalue' is the pointer address stored in the
|
|
|
|
|
// reference region.
|
|
|
|
|
if (VD->getType()->isReferenceType()) {
|
|
|
|
|
if (const MemRegion *R = V.getAsRegion())
|
|
|
|
|
V = state->getSVal(R);
|
|
|
|
|
else
|
|
|
|
|
V = UnknownVal();
|
Add (initial?) static analyzer support for handling C++ references.
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
llvm-svn: 91501
2009-12-16 11:18:58 +08:00
|
|
|
}
|
2008-10-16 14:09:51 +08:00
|
|
|
|
2010-12-16 15:46:53 +08:00
|
|
|
MakeNode(Dst, Ex, Pred, state->BindExpr(Ex, V),
|
|
|
|
|
ProgramPoint::PostLValueKind);
|
Add (initial?) static analyzer support for handling C++ references.
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
llvm-svn: 91501
2009-12-16 11:18:58 +08:00
|
|
|
return;
|
2010-12-16 15:46:53 +08:00
|
|
|
}
|
|
|
|
|
if (const EnumConstantDecl* ED = dyn_cast<EnumConstantDecl>(D)) {
|
|
|
|
|
assert(!Ex->isLValue());
|
2010-12-02 15:49:45 +08:00
|
|
|
SVal V = svalBuilder.makeIntVal(ED->getInitVal());
|
2009-08-28 06:17:37 +08:00
|
|
|
MakeNode(Dst, Ex, Pred, state->BindExpr(Ex, V));
|
2008-10-16 14:09:51 +08:00
|
|
|
return;
|
2010-12-16 15:46:53 +08:00
|
|
|
}
|
|
|
|
|
if (const FunctionDecl* FD = dyn_cast<FunctionDecl>(D)) {
|
2010-12-02 15:49:45 +08:00
|
|
|
SVal V = svalBuilder.getFunctionPointer(FD);
|
2009-08-28 06:17:37 +08:00
|
|
|
MakeNode(Dst, Ex, Pred, state->BindExpr(Ex, V),
|
2009-05-08 02:27:16 +08:00
|
|
|
ProgramPoint::PostLValueKind);
|
2008-10-16 14:09:51 +08:00
|
|
|
return;
|
2008-04-30 05:04:26 +08:00
|
|
|
}
|
2008-10-16 14:09:51 +08:00
|
|
|
assert (false &&
|
|
|
|
|
"ValueDecl support for this ValueDecl not implemented.");
|
2008-02-07 12:16:04 +08:00
|
|
|
}
|
|
|
|
|
|
2008-04-22 12:56:29 +08:00
|
|
|
/// VisitArraySubscriptExpr - Transfer function for array accesses
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitLvalArraySubscriptExpr(const ArraySubscriptExpr* A,
|
|
|
|
|
ExplodedNode* Pred,
|
|
|
|
|
ExplodedNodeSet& Dst){
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr* Base = A->getBase()->IgnoreParens();
|
|
|
|
|
const Expr* Idx = A->getIdx()->IgnoreParens();
|
2010-12-16 15:46:53 +08:00
|
|
|
|
|
|
|
|
// Evaluate the base.
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2010-12-16 15:46:53 +08:00
|
|
|
Visit(Base, Pred, Tmp);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
for (ExplodedNodeSet::iterator I1=Tmp.begin(), E1=Tmp.end(); I1!=E1; ++I1) {
|
|
|
|
|
ExplodedNodeSet Tmp2;
|
2008-10-17 08:51:01 +08:00
|
|
|
Visit(Idx, *I1, Tmp2); // Evaluate the index.
|
2009-11-11 21:42:54 +08:00
|
|
|
ExplodedNodeSet Tmp3;
|
2010-08-04 15:10:57 +08:00
|
|
|
CheckerVisit(A, Tmp3, Tmp2, PreVisitStmtCallback);
|
2009-11-11 21:42:54 +08:00
|
|
|
|
|
|
|
|
for (ExplodedNodeSet::iterator I2=Tmp3.begin(),E2=Tmp3.end();I2!=E2; ++I2) {
|
2009-02-13 09:45:31 +08:00
|
|
|
const GRState* state = GetState(*I2);
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal V = state->getLValue(A->getType(), state->getSVal(Idx),
|
|
|
|
|
state->getSVal(Base));
|
2010-12-16 15:46:53 +08:00
|
|
|
assert(A->isLValue());
|
|
|
|
|
MakeNode(Dst, A, *I2, state->BindExpr(A, V), ProgramPoint::PostLValueKind);
|
2008-04-30 07:24:44 +08:00
|
|
|
}
|
2008-04-30 05:04:26 +08:00
|
|
|
}
|
2008-04-22 12:56:29 +08:00
|
|
|
}
|
|
|
|
|
|
2008-04-22 07:43:38 +08:00
|
|
|
/// VisitMemberExpr - Transfer function for member expressions.
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitMemberExpr(const MemberExpr* M, ExplodedNode* Pred,
|
|
|
|
|
ExplodedNodeSet& Dst) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-16 15:46:53 +08:00
|
|
|
Expr *baseExpr = M->getBase()->IgnoreParens();
|
|
|
|
|
ExplodedNodeSet dstBase;
|
|
|
|
|
Visit(baseExpr, Pred, dstBase);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-16 15:46:53 +08:00
|
|
|
FieldDecl *field = dyn_cast<FieldDecl>(M->getMemberDecl());
|
|
|
|
|
if (!field) // FIXME: skipping member expressions for non-fields
|
2008-12-21 07:49:58 +08:00
|
|
|
return;
|
|
|
|
|
|
2010-12-16 15:46:53 +08:00
|
|
|
for (ExplodedNodeSet::iterator I = dstBase.begin(), E = dstBase.end();
|
|
|
|
|
I != E; ++I) {
|
2009-02-13 09:45:31 +08:00
|
|
|
const GRState* state = GetState(*I);
|
2010-12-16 15:46:53 +08:00
|
|
|
SVal baseExprVal = state->getSVal(baseExpr);
|
|
|
|
|
if (isa<nonloc::LazyCompoundVal>(baseExprVal) ||
|
|
|
|
|
isa<nonloc::CompoundVal>(baseExprVal)) {
|
|
|
|
|
MakeNode(Dst, M, *I, state->BindExpr(M, UnknownVal()));
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2008-10-17 08:51:01 +08:00
|
|
|
// FIXME: Should we insert some assumption logic in here to determine
|
|
|
|
|
// if "Base" is a valid piece of memory? Before we put this assumption
|
2008-12-21 07:49:58 +08:00
|
|
|
// later when using FieldOffset lvals (which we no longer have).
|
2008-10-17 08:51:01 +08:00
|
|
|
|
2010-12-16 15:46:53 +08:00
|
|
|
// For all other cases, compute an lvalue.
|
|
|
|
|
SVal L = state->getLValue(field, baseExprVal);
|
|
|
|
|
if (M->isLValue())
|
2009-10-30 15:19:39 +08:00
|
|
|
MakeNode(Dst, M, *I, state->BindExpr(M, L), ProgramPoint::PostLValueKind);
|
|
|
|
|
else
|
2010-12-02 05:57:22 +08:00
|
|
|
evalLoad(Dst, M, *I, state, L);
|
2008-04-22 07:43:38 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
/// evalBind - Handle the semantics of binding a value to a specific location.
|
|
|
|
|
/// This method is used by evalStore and (soon) VisitDeclStmt, and others.
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::evalBind(ExplodedNodeSet& Dst, const Stmt* StoreE,
|
2010-09-02 08:56:20 +08:00
|
|
|
ExplodedNode* Pred, const GRState* state,
|
|
|
|
|
SVal location, SVal Val, bool atDeclInit) {
|
2010-02-16 07:02:46 +08:00
|
|
|
|
|
|
|
|
|
2009-11-04 12:24:16 +08:00
|
|
|
// Do a previsit of the bind.
|
|
|
|
|
ExplodedNodeSet CheckedSet, Src;
|
|
|
|
|
Src.Add(Pred);
|
2010-09-02 08:56:20 +08:00
|
|
|
CheckerVisitBind(StoreE, CheckedSet, Src, location, Val, true);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-04 12:24:16 +08:00
|
|
|
for (ExplodedNodeSet::iterator I = CheckedSet.begin(), E = CheckedSet.end();
|
|
|
|
|
I!=E; ++I) {
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-04 12:24:16 +08:00
|
|
|
if (Pred != *I)
|
|
|
|
|
state = GetState(*I);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-04 12:24:16 +08:00
|
|
|
const GRState* newState = 0;
|
2009-02-13 09:45:31 +08:00
|
|
|
|
2009-11-04 12:24:16 +08:00
|
|
|
if (atDeclInit) {
|
|
|
|
|
const VarRegion *VR =
|
|
|
|
|
cast<VarRegion>(cast<loc::MemRegionVal>(location).getRegion());
|
2009-11-04 08:09:15 +08:00
|
|
|
|
2009-11-04 12:24:16 +08:00
|
|
|
newState = state->bindDecl(VR, Val);
|
2009-11-04 08:09:15 +08:00
|
|
|
}
|
|
|
|
|
else {
|
2009-11-04 12:24:16 +08:00
|
|
|
if (location.isUnknown()) {
|
|
|
|
|
// We know that the new state will be the same as the old state since
|
|
|
|
|
// the location of the binding is "unknown". Consequently, there
|
|
|
|
|
// is no reason to just create a new node.
|
|
|
|
|
newState = state;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
// We are binding to a value other than 'unknown'. Perform the binding
|
|
|
|
|
// using the StoreManager.
|
|
|
|
|
newState = state->bindLoc(cast<Loc>(location), Val);
|
|
|
|
|
}
|
2009-11-04 08:09:15 +08:00
|
|
|
}
|
2009-02-13 09:45:31 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
// The next thing to do is check if the TransferFuncs object wants to
|
2009-11-04 12:24:16 +08:00
|
|
|
// update the state based on the new binding. If the GRTransferFunc object
|
|
|
|
|
// doesn't do anything, just auto-propagate the current state.
|
2010-09-02 08:56:20 +08:00
|
|
|
|
|
|
|
|
// NOTE: We use 'AssignE' for the location of the PostStore if 'AssignE'
|
|
|
|
|
// is non-NULL. Checkers typically care about
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
StmtNodeBuilderRef BuilderRef(Dst, *Builder, *this, *I, newState, StoreE,
|
2010-09-09 15:13:00 +08:00
|
|
|
true);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
getTF().evalBind(BuilderRef, location, Val);
|
2009-11-04 12:24:16 +08:00
|
|
|
}
|
2009-02-13 09:45:31 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
/// evalStore - Handle the semantics of a store via an assignment.
|
2009-02-13 09:45:31 +08:00
|
|
|
/// @param Dst The node set to store generated state nodes
|
2010-09-02 09:56:39 +08:00
|
|
|
/// @param AssignE The assignment expression if the store happens in an
|
|
|
|
|
/// assignment.
|
|
|
|
|
/// @param LocatioinE The location expression that is stored to.
|
2009-02-13 09:45:31 +08:00
|
|
|
/// @param state The current simulation state
|
|
|
|
|
/// @param location The location to store the value
|
|
|
|
|
/// @param Val The value to be stored
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::evalStore(ExplodedNodeSet& Dst, const Expr *AssignE,
|
2010-09-02 08:56:20 +08:00
|
|
|
const Expr* LocationE,
|
2009-11-05 08:42:23 +08:00
|
|
|
ExplodedNode* Pred,
|
2009-04-11 08:11:10 +08:00
|
|
|
const GRState* state, SVal location, SVal Val,
|
|
|
|
|
const void *tag) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
assert(Builder && "StmtNodeBuilder must be defined.");
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-30 05:04:26 +08:00
|
|
|
// Evaluate the location (checks for bad dereferences).
|
2009-11-11 11:26:34 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2010-12-02 05:57:22 +08:00
|
|
|
evalLocation(Tmp, LocationE, Pred, state, location, tag, false);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
if (Tmp.empty())
|
2008-04-30 05:04:26 +08:00
|
|
|
return;
|
2008-04-19 04:35:30 +08:00
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
assert(!location.isUndef());
|
2009-02-13 09:45:31 +08:00
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
SaveAndRestore<ProgramPoint::Kind> OldSPointKind(Builder->PointKind,
|
|
|
|
|
ProgramPoint::PostStoreKind);
|
|
|
|
|
SaveAndRestore<const void*> OldTag(Builder->Tag, tag);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2010-09-02 08:56:20 +08:00
|
|
|
// Proceed with the store. We use AssignE as the anchor for the PostStore
|
|
|
|
|
// ProgramPoint if it is non-NULL, and LocationE otherwise.
|
|
|
|
|
const Expr *StoreE = AssignE ? AssignE : LocationE;
|
|
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
for (ExplodedNodeSet::iterator NI=Tmp.begin(), NE=Tmp.end(); NI!=NE; ++NI)
|
2010-12-02 05:57:22 +08:00
|
|
|
evalBind(Dst, StoreE, *NI, GetState(*NI), location, Val);
|
2008-04-30 05:04:26 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::evalLoad(ExplodedNodeSet& Dst, const Expr *Ex,
|
2010-07-20 10:41:28 +08:00
|
|
|
ExplodedNode* Pred,
|
2009-04-11 08:11:10 +08:00
|
|
|
const GRState* state, SVal location,
|
2009-11-16 12:49:44 +08:00
|
|
|
const void *tag, QualType LoadTy) {
|
2010-11-24 09:47:11 +08:00
|
|
|
assert(!isa<NonLoc>(location) && "location cannot be a NonLoc.");
|
2008-04-30 05:04:26 +08:00
|
|
|
|
Add (initial?) static analyzer support for handling C++ references.
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
llvm-svn: 91501
2009-12-16 11:18:58 +08:00
|
|
|
// Are we loading from a region? This actually results in two loads; one
|
|
|
|
|
// to fetch the address of the referenced value and one to fetch the
|
|
|
|
|
// referenced value.
|
2010-02-16 07:02:46 +08:00
|
|
|
if (const TypedRegion *TR =
|
Add (initial?) static analyzer support for handling C++ references.
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
llvm-svn: 91501
2009-12-16 11:18:58 +08:00
|
|
|
dyn_cast_or_null<TypedRegion>(location.getAsRegion())) {
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2010-08-11 14:10:55 +08:00
|
|
|
QualType ValTy = TR->getValueType();
|
Add (initial?) static analyzer support for handling C++ references.
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
llvm-svn: 91501
2009-12-16 11:18:58 +08:00
|
|
|
if (const ReferenceType *RT = ValTy->getAs<ReferenceType>()) {
|
2010-02-16 07:02:46 +08:00
|
|
|
static int loadReferenceTag = 0;
|
Add (initial?) static analyzer support for handling C++ references.
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
llvm-svn: 91501
2009-12-16 11:18:58 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2010-12-02 05:57:22 +08:00
|
|
|
evalLoadCommon(Tmp, Ex, Pred, state, location, &loadReferenceTag,
|
Add (initial?) static analyzer support for handling C++ references.
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
llvm-svn: 91501
2009-12-16 11:18:58 +08:00
|
|
|
getContext().getPointerType(RT->getPointeeType()));
|
|
|
|
|
|
|
|
|
|
// Perform the load from the referenced value.
|
|
|
|
|
for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end() ; I!=E; ++I) {
|
|
|
|
|
state = GetState(*I);
|
2010-02-09 00:18:51 +08:00
|
|
|
location = state->getSVal(Ex);
|
2010-12-02 05:57:22 +08:00
|
|
|
evalLoadCommon(Dst, Ex, *I, state, location, tag, LoadTy);
|
2010-02-16 07:02:46 +08:00
|
|
|
}
|
Add (initial?) static analyzer support for handling C++ references.
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
llvm-svn: 91501
2009-12-16 11:18:58 +08:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
evalLoadCommon(Dst, Ex, Pred, state, location, tag, LoadTy);
|
Add (initial?) static analyzer support for handling C++ references.
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
llvm-svn: 91501
2009-12-16 11:18:58 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::evalLoadCommon(ExplodedNodeSet& Dst, const Expr *Ex,
|
Add (initial?) static analyzer support for handling C++ references.
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
llvm-svn: 91501
2009-12-16 11:18:58 +08:00
|
|
|
ExplodedNode* Pred,
|
|
|
|
|
const GRState* state, SVal location,
|
|
|
|
|
const void *tag, QualType LoadTy) {
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-09-09 23:08:12 +08:00
|
|
|
// Evaluate the location (checks for bad dereferences).
|
2009-11-11 11:26:34 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2010-12-02 05:57:22 +08:00
|
|
|
evalLocation(Tmp, Ex, Pred, state, location, tag, true);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
if (Tmp.empty())
|
2008-04-30 05:04:26 +08:00
|
|
|
return;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
assert(!location.isUndef());
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
SaveAndRestore<ProgramPoint::Kind> OldSPointKind(Builder->PointKind);
|
|
|
|
|
SaveAndRestore<const void*> OldTag(Builder->Tag);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-30 05:04:26 +08:00
|
|
|
// Proceed with the load.
|
2009-11-11 11:26:34 +08:00
|
|
|
for (ExplodedNodeSet::iterator NI=Tmp.begin(), NE=Tmp.end(); NI!=NE; ++NI) {
|
|
|
|
|
state = GetState(*NI);
|
2010-09-09 15:13:00 +08:00
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
if (location.isUnknown()) {
|
|
|
|
|
// This is important. We must nuke the old binding.
|
|
|
|
|
MakeNode(Dst, Ex, *NI, state->BindExpr(Ex, UnknownVal()),
|
|
|
|
|
ProgramPoint::PostLoadKind, tag);
|
|
|
|
|
}
|
|
|
|
|
else {
|
2010-09-09 15:13:00 +08:00
|
|
|
if (LoadTy.isNull())
|
|
|
|
|
LoadTy = Ex->getType();
|
|
|
|
|
SVal V = state->getSVal(cast<Loc>(location), LoadTy);
|
|
|
|
|
MakeNode(Dst, Ex, *NI, state->bindExprAndLocation(Ex, location, V),
|
|
|
|
|
ProgramPoint::PostLoadKind, tag);
|
2009-11-11 11:26:34 +08:00
|
|
|
}
|
2008-11-28 16:34:30 +08:00
|
|
|
}
|
2008-04-30 05:04:26 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::evalLocation(ExplodedNodeSet &Dst, const Stmt *S,
|
2009-11-11 11:26:34 +08:00
|
|
|
ExplodedNode* Pred,
|
|
|
|
|
const GRState* state, SVal location,
|
|
|
|
|
const void *tag, bool isLoad) {
|
2009-11-20 11:50:46 +08:00
|
|
|
// Early checks for performance reason.
|
|
|
|
|
if (location.isUnknown() || Checkers.empty()) {
|
2009-11-11 11:26:34 +08:00
|
|
|
Dst.Add(Pred);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
ExplodedNodeSet Src, Tmp;
|
|
|
|
|
Src.Add(Pred);
|
|
|
|
|
ExplodedNodeSet *PrevSet = &Src;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
for (CheckersOrdered::iterator I=Checkers.begin(),E=Checkers.end(); I!=E; ++I)
|
2009-11-03 07:19:29 +08:00
|
|
|
{
|
2009-12-09 10:45:41 +08:00
|
|
|
ExplodedNodeSet *CurrSet = 0;
|
|
|
|
|
if (I+1 == E)
|
|
|
|
|
CurrSet = &Dst;
|
|
|
|
|
else {
|
|
|
|
|
CurrSet = (PrevSet == &Tmp) ? &Src : &Tmp;
|
|
|
|
|
CurrSet->clear();
|
|
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
void *tag = I->first;
|
|
|
|
|
Checker *checker = I->second;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
for (ExplodedNodeSet::iterator NI = PrevSet->begin(), NE = PrevSet->end();
|
2009-11-24 06:22:01 +08:00
|
|
|
NI != NE; ++NI) {
|
|
|
|
|
// Use the 'state' argument only when the predecessor node is the
|
|
|
|
|
// same as Pred. This allows us to catch updates to the state.
|
2010-12-21 05:22:47 +08:00
|
|
|
checker->GR_visitLocation(*CurrSet, *Builder, *this, S, *NI,
|
2009-11-24 06:22:01 +08:00
|
|
|
*NI == Pred ? state : GetState(*NI),
|
2009-11-11 11:26:34 +08:00
|
|
|
location, tag, isLoad);
|
2009-11-24 06:22:01 +08:00
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
// Update which NodeSet is the current one.
|
|
|
|
|
PrevSet = CurrSet;
|
2009-11-03 07:19:29 +08:00
|
|
|
}
|
2008-04-17 02:39:06 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
bool ExprEngine::InlineCall(ExplodedNodeSet &Dst, const CallExpr *CE,
|
2010-05-06 11:38:27 +08:00
|
|
|
ExplodedNode *Pred) {
|
|
|
|
|
const GRState *state = GetState(Pred);
|
|
|
|
|
const Expr *Callee = CE->getCallee();
|
|
|
|
|
SVal L = state->getSVal(Callee);
|
|
|
|
|
|
|
|
|
|
const FunctionDecl *FD = L.getAsFunctionDecl();
|
|
|
|
|
if (!FD)
|
|
|
|
|
return false;
|
|
|
|
|
|
2010-07-19 09:31:21 +08:00
|
|
|
// Check if the function definition is in the same translation unit.
|
|
|
|
|
if (FD->hasBody(FD)) {
|
2010-11-24 16:53:20 +08:00
|
|
|
const StackFrameContext *stackFrame =
|
|
|
|
|
AMgr.getStackFrame(AMgr.getAnalysisContext(FD),
|
|
|
|
|
Pred->getLocationContext(),
|
2010-12-16 15:46:53 +08:00
|
|
|
CE, Builder->getBlock(), Builder->getIndex());
|
2010-07-19 09:31:21 +08:00
|
|
|
// Now we have the definition of the callee, create a CallEnter node.
|
2010-11-24 16:53:20 +08:00
|
|
|
CallEnter Loc(CE, stackFrame, Pred->getLocationContext());
|
2010-07-19 09:31:21 +08:00
|
|
|
|
|
|
|
|
ExplodedNode *N = Builder->generateNode(Loc, state, Pred);
|
|
|
|
|
Dst.Add(N);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
2010-05-06 11:38:27 +08:00
|
|
|
|
2010-07-19 09:31:21 +08:00
|
|
|
// Check if we can find the function definition in other translation units.
|
|
|
|
|
if (AMgr.hasIndexer()) {
|
2010-11-24 16:53:20 +08:00
|
|
|
AnalysisContext *C = AMgr.getAnalysisContextInAnotherTU(FD);
|
2010-07-19 09:31:21 +08:00
|
|
|
if (C == 0)
|
|
|
|
|
return false;
|
2010-11-24 16:53:20 +08:00
|
|
|
const StackFrameContext *stackFrame =
|
|
|
|
|
AMgr.getStackFrame(C, Pred->getLocationContext(),
|
2010-12-16 15:46:53 +08:00
|
|
|
CE, Builder->getBlock(), Builder->getIndex());
|
2010-11-24 16:53:20 +08:00
|
|
|
CallEnter Loc(CE, stackFrame, Pred->getLocationContext());
|
2010-07-19 09:31:21 +08:00
|
|
|
ExplodedNode *N = Builder->generateNode(Loc, state, Pred);
|
2010-05-06 11:38:27 +08:00
|
|
|
Dst.Add(N);
|
2010-07-19 09:31:21 +08:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
2010-05-06 11:38:27 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitCall(const CallExpr* CE, ExplodedNode* Pred,
|
2010-07-20 14:22:24 +08:00
|
|
|
CallExpr::const_arg_iterator AI,
|
|
|
|
|
CallExpr::const_arg_iterator AE,
|
2010-12-16 15:46:53 +08:00
|
|
|
ExplodedNodeSet& Dst) {
|
2009-12-18 04:06:29 +08:00
|
|
|
|
2008-10-28 08:22:11 +08:00
|
|
|
// Determine the type of function we're calling (if available).
|
2009-02-27 07:50:07 +08:00
|
|
|
const FunctionProtoType *Proto = NULL;
|
2008-10-28 08:22:11 +08:00
|
|
|
QualType FnType = CE->getCallee()->IgnoreParens()->getType();
|
2009-07-30 05:53:49 +08:00
|
|
|
if (const PointerType *FnTypePtr = FnType->getAs<PointerType>())
|
2009-09-22 07:43:11 +08:00
|
|
|
Proto = FnTypePtr->getPointeeType()->getAs<FunctionProtoType>();
|
2008-10-28 08:22:11 +08:00
|
|
|
|
2010-09-23 13:14:51 +08:00
|
|
|
// Evaluate the arguments.
|
2009-12-18 04:06:29 +08:00
|
|
|
ExplodedNodeSet ArgsEvaluated;
|
2010-12-02 05:57:22 +08:00
|
|
|
evalArguments(CE->arg_begin(), CE->arg_end(), Proto, Pred, ArgsEvaluated);
|
2008-02-19 09:44:53 +08:00
|
|
|
|
2009-12-18 04:10:17 +08:00
|
|
|
// Now process the call itself.
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet DstTmp;
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr* Callee = CE->getCallee()->IgnoreParens();
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-18 04:06:29 +08:00
|
|
|
for (ExplodedNodeSet::iterator NI=ArgsEvaluated.begin(),
|
2009-12-18 04:10:17 +08:00
|
|
|
NE=ArgsEvaluated.end(); NI != NE; ++NI) {
|
|
|
|
|
// Evaluate the callee.
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet DstTmp2;
|
2010-02-16 07:02:46 +08:00
|
|
|
Visit(Callee, *NI, DstTmp2);
|
2009-07-23 05:43:51 +08:00
|
|
|
// Perform the previsit of the CallExpr, storing the results in DstTmp.
|
2010-08-04 15:10:57 +08:00
|
|
|
CheckerVisit(CE, DstTmp, DstTmp2, PreVisitStmtCallback);
|
2009-07-23 05:43:51 +08:00
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-18 04:06:29 +08:00
|
|
|
// Finally, evaluate the function call. We try each of the checkers
|
|
|
|
|
// to see if the can evaluate the function call.
|
2009-12-09 10:45:41 +08:00
|
|
|
ExplodedNodeSet DstTmp3;
|
2009-12-19 04:13:39 +08:00
|
|
|
|
2009-09-09 23:08:12 +08:00
|
|
|
for (ExplodedNodeSet::iterator DI = DstTmp.begin(), DE = DstTmp.end();
|
2009-09-05 13:00:57 +08:00
|
|
|
DI != DE; ++DI) {
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-02-13 09:45:31 +08:00
|
|
|
const GRState* state = GetState(*DI);
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal L = state->getSVal(Callee);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2008-03-04 00:47:31 +08:00
|
|
|
// FIXME: Add support for symbolic function calls (calls involving
|
|
|
|
|
// function pointer values that are symbolic).
|
2008-03-06 05:15:02 +08:00
|
|
|
SaveAndRestore<bool> OldSink(Builder->BuildSinks);
|
2009-12-09 10:45:41 +08:00
|
|
|
ExplodedNodeSet DstChecker;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-07 17:17:35 +08:00
|
|
|
// If the callee is processed by a checker, skip the rest logic.
|
|
|
|
|
if (CheckerEvalCall(CE, DstChecker, *DI))
|
2009-12-09 13:48:53 +08:00
|
|
|
DstTmp3.insert(DstChecker);
|
2010-05-06 11:38:27 +08:00
|
|
|
else if (AMgr.shouldInlineCall() && InlineCall(Dst, CE, *DI)) {
|
|
|
|
|
// Callee is inlined. We shouldn't do post call checking.
|
|
|
|
|
return;
|
|
|
|
|
}
|
2009-12-07 17:17:35 +08:00
|
|
|
else {
|
2009-12-09 10:45:41 +08:00
|
|
|
for (ExplodedNodeSet::iterator DI_Checker = DstChecker.begin(),
|
2009-12-18 04:06:29 +08:00
|
|
|
DE_Checker = DstChecker.end();
|
|
|
|
|
DI_Checker != DE_Checker; ++DI_Checker) {
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-18 04:06:29 +08:00
|
|
|
// Dispatch to the plug-in transfer function.
|
2010-12-02 05:57:22 +08:00
|
|
|
unsigned oldSize = DstTmp3.size();
|
2009-12-09 10:45:41 +08:00
|
|
|
SaveOr OldHasGen(Builder->HasGeneratedNode);
|
|
|
|
|
Pred = *DI_Checker;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-09 10:45:41 +08:00
|
|
|
// Dispatch to transfer function logic to handle the call itself.
|
|
|
|
|
// FIXME: Allow us to chain together transfer functions.
|
2010-12-23 02:53:44 +08:00
|
|
|
assert(Builder && "StmtNodeBuilder must be defined.");
|
2010-12-02 05:57:22 +08:00
|
|
|
getTF().evalCall(DstTmp3, *this, *Builder, CE, L, Pred);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-09 10:45:41 +08:00
|
|
|
// Handle the case where no nodes where generated. Auto-generate that
|
|
|
|
|
// contains the updated state if we aren't generating sinks.
|
2010-12-02 05:57:22 +08:00
|
|
|
if (!Builder->BuildSinks && DstTmp3.size() == oldSize &&
|
2009-12-09 10:45:41 +08:00
|
|
|
!Builder->HasGeneratedNode)
|
|
|
|
|
MakeNode(DstTmp3, CE, Pred, state);
|
|
|
|
|
}
|
2009-12-07 17:17:35 +08:00
|
|
|
}
|
2008-04-16 07:06:53 +08:00
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-18 04:06:29 +08:00
|
|
|
// Finally, perform the post-condition check of the CallExpr and store
|
|
|
|
|
// the created nodes in 'Dst'.
|
2010-12-16 15:46:53 +08:00
|
|
|
CheckerVisit(CE, Dst, DstTmp3, PostVisitStmtCallback);
|
2008-04-16 07:06:53 +08:00
|
|
|
}
|
|
|
|
|
|
2008-10-17 08:03:18 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Transfer function: Objective-C ivar references.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
2009-02-26 06:32:02 +08:00
|
|
|
|
2009-03-01 04:50:43 +08:00
|
|
|
static std::pair<const void*,const void*> EagerlyAssumeTag
|
2010-05-11 14:18:17 +08:00
|
|
|
= std::pair<const void*,const void*>(&EagerlyAssumeTag,static_cast<void*>(0));
|
2009-03-01 04:50:43 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::evalEagerlyAssume(ExplodedNodeSet &Dst, ExplodedNodeSet &Src,
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr *Ex) {
|
2009-08-06 20:48:26 +08:00
|
|
|
for (ExplodedNodeSet::iterator I=Src.begin(), E=Src.end(); I!=E; ++I) {
|
|
|
|
|
ExplodedNode *Pred = *I;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-02-26 07:32:10 +08:00
|
|
|
// Test if the previous node was as the same expression. This can happen
|
|
|
|
|
// when the expression fails to evaluate to anything meaningful and
|
|
|
|
|
// (as an optimization) we don't generate a node.
|
2009-09-09 23:08:12 +08:00
|
|
|
ProgramPoint P = Pred->getLocation();
|
2009-02-26 07:32:10 +08:00
|
|
|
if (!isa<PostStmt>(P) || cast<PostStmt>(P).getStmt() != Ex) {
|
2009-09-09 23:08:12 +08:00
|
|
|
Dst.Add(Pred);
|
2009-02-26 07:32:10 +08:00
|
|
|
continue;
|
2009-09-09 23:08:12 +08:00
|
|
|
}
|
2009-02-26 07:32:10 +08:00
|
|
|
|
2010-04-20 12:53:09 +08:00
|
|
|
const GRState* state = GetState(Pred);
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal V = state->getSVal(Ex);
|
2009-09-12 06:07:28 +08:00
|
|
|
if (nonloc::SymExprVal *SEV = dyn_cast<nonloc::SymExprVal>(&V)) {
|
2009-02-26 06:32:02 +08:00
|
|
|
// First assume that the condition is true.
|
2010-12-02 06:16:56 +08:00
|
|
|
if (const GRState *stateTrue = state->assume(*SEV, true)) {
|
2009-09-09 23:08:12 +08:00
|
|
|
stateTrue = stateTrue->BindExpr(Ex,
|
2010-12-02 15:49:45 +08:00
|
|
|
svalBuilder.makeIntVal(1U, Ex->getType()));
|
2009-09-09 23:08:12 +08:00
|
|
|
Dst.Add(Builder->generateNode(PostStmtCustom(Ex,
|
2009-08-15 11:17:38 +08:00
|
|
|
&EagerlyAssumeTag, Pred->getLocationContext()),
|
2009-02-26 06:32:02 +08:00
|
|
|
stateTrue, Pred));
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-02-26 06:32:02 +08:00
|
|
|
// Next, assume that the condition is false.
|
2010-12-02 06:16:56 +08:00
|
|
|
if (const GRState *stateFalse = state->assume(*SEV, false)) {
|
2009-09-09 23:08:12 +08:00
|
|
|
stateFalse = stateFalse->BindExpr(Ex,
|
2010-12-02 15:49:45 +08:00
|
|
|
svalBuilder.makeIntVal(0U, Ex->getType()));
|
2009-08-15 11:17:38 +08:00
|
|
|
Dst.Add(Builder->generateNode(PostStmtCustom(Ex, &EagerlyAssumeTag,
|
|
|
|
|
Pred->getLocationContext()),
|
2009-02-26 06:32:02 +08:00
|
|
|
stateFalse, Pred));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
Dst.Add(Pred);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2010-09-10 11:05:33 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Transfer function: Objective-C @synchronized.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitObjCAtSynchronizedStmt(const ObjCAtSynchronizedStmt *S,
|
2010-09-10 11:05:33 +08:00
|
|
|
ExplodedNode *Pred,
|
|
|
|
|
ExplodedNodeSet &Dst) {
|
|
|
|
|
|
|
|
|
|
// The mutex expression is a CFGElement, so we don't need to explicitly
|
|
|
|
|
// visit it since it will already be processed.
|
|
|
|
|
|
|
|
|
|
// Pre-visit the ObjCAtSynchronizedStmt.
|
|
|
|
|
ExplodedNodeSet Tmp;
|
|
|
|
|
Tmp.Add(Pred);
|
|
|
|
|
CheckerVisit(S, Dst, Tmp, PreVisitStmtCallback);
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-26 06:32:02 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Transfer function: Objective-C ivar references.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
2008-10-17 08:03:18 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitLvalObjCIvarRefExpr(const ObjCIvarRefExpr* Ex,
|
|
|
|
|
ExplodedNode* Pred,
|
|
|
|
|
ExplodedNodeSet& Dst) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-16 15:46:53 +08:00
|
|
|
// Visit the base expression, which is needed for computing the lvalue
|
|
|
|
|
// of the ivar.
|
|
|
|
|
ExplodedNodeSet dstBase;
|
|
|
|
|
const Expr *baseExpr = Ex->getBase();
|
|
|
|
|
Visit(baseExpr, Pred, dstBase);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-16 15:46:53 +08:00
|
|
|
// Using the base, compute the lvalue of the instance variable.
|
|
|
|
|
for (ExplodedNodeSet::iterator I = dstBase.begin(), E = dstBase.end();
|
|
|
|
|
I!=E; ++I) {
|
|
|
|
|
ExplodedNode *nodeBase = *I;
|
|
|
|
|
const GRState *state = GetState(nodeBase);
|
|
|
|
|
SVal baseVal = state->getSVal(baseExpr);
|
|
|
|
|
SVal location = state->getLValue(Ex->getDecl(), baseVal);
|
|
|
|
|
MakeNode(Dst, Ex, *I, state->BindExpr(Ex, location));
|
2008-10-17 08:03:18 +08:00
|
|
|
}
|
2008-11-13 03:24:17 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Transfer function: Objective-C fast enumeration 'for' statements.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitObjCForCollectionStmt(const ObjCForCollectionStmt* S,
|
2009-09-10 13:44:00 +08:00
|
|
|
ExplodedNode* Pred, ExplodedNodeSet& Dst) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-11-13 03:24:17 +08:00
|
|
|
// ObjCForCollectionStmts are processed in two places. This method
|
|
|
|
|
// handles the case where an ObjCForCollectionStmt* occurs as one of the
|
|
|
|
|
// statements within a basic block. This transfer function does two things:
|
|
|
|
|
//
|
|
|
|
|
// (1) binds the next container value to 'element'. This creates a new
|
|
|
|
|
// node in the ExplodedGraph.
|
|
|
|
|
//
|
|
|
|
|
// (2) binds the value 0/1 to the ObjCForCollectionStmt* itself, indicating
|
|
|
|
|
// whether or not the container has any more elements. This value
|
|
|
|
|
// will be tested in ProcessBranch. We need to explicitly bind
|
|
|
|
|
// this value because a container can contain nil elements.
|
2009-09-09 23:08:12 +08:00
|
|
|
//
|
2008-11-13 03:24:17 +08:00
|
|
|
// FIXME: Eventually this logic should actually do dispatches to
|
|
|
|
|
// 'countByEnumeratingWithState:objects:count:' (NSFastEnumeration).
|
|
|
|
|
// This will require simulating a temporary NSFastEnumerationState, either
|
|
|
|
|
// through an SVal or through the use of MemRegions. This value can
|
|
|
|
|
// be affixed to the ObjCForCollectionStmt* instead of 0/1; when the loop
|
|
|
|
|
// terminates we reclaim the temporary (it goes out of scope) and we
|
|
|
|
|
// we can test if the SVal is 0 or if the MemRegion is null (depending
|
|
|
|
|
// on what approach we take).
|
|
|
|
|
//
|
|
|
|
|
// For now: simulate (1) by assigning either a symbol or nil if the
|
|
|
|
|
// container is empty. Thus this transfer function will by default
|
|
|
|
|
// result in state splitting.
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
const Stmt* elem = S->getElement();
|
2008-11-15 03:47:18 +08:00
|
|
|
SVal ElementV;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
if (const DeclStmt* DS = dyn_cast<DeclStmt>(elem)) {
|
|
|
|
|
const VarDecl* ElemD = cast<VarDecl>(DS->getSingleDecl());
|
2008-11-13 03:24:17 +08:00
|
|
|
assert (ElemD->getInit() == 0);
|
2009-08-22 06:28:32 +08:00
|
|
|
ElementV = GetState(Pred)->getLValue(ElemD, Pred->getLocationContext());
|
2008-11-15 03:47:18 +08:00
|
|
|
VisitObjCForCollectionStmtAux(S, Pred, Dst, ElementV);
|
|
|
|
|
return;
|
2008-11-13 03:24:17 +08:00
|
|
|
}
|
2008-11-15 03:47:18 +08:00
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2010-12-16 15:46:53 +08:00
|
|
|
Visit(cast<Expr>(elem), Pred, Tmp);
|
2009-08-06 20:48:26 +08:00
|
|
|
for (ExplodedNodeSet::iterator I = Tmp.begin(), E = Tmp.end(); I!=E; ++I) {
|
2008-11-15 03:47:18 +08:00
|
|
|
const GRState* state = GetState(*I);
|
2010-02-09 00:18:51 +08:00
|
|
|
VisitObjCForCollectionStmtAux(S, *I, Dst, state->getSVal(elem));
|
2008-11-15 03:47:18 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitObjCForCollectionStmtAux(const ObjCForCollectionStmt* S,
|
2009-09-10 13:44:00 +08:00
|
|
|
ExplodedNode* Pred, ExplodedNodeSet& Dst,
|
2008-11-15 03:47:18 +08:00
|
|
|
SVal ElementV) {
|
|
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
// Check if the location we are writing back to is a null pointer.
|
2010-07-20 14:22:24 +08:00
|
|
|
const Stmt* elem = S->getElement();
|
2009-11-11 11:26:34 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2010-12-02 05:57:22 +08:00
|
|
|
evalLocation(Tmp, elem, Pred, GetState(Pred), ElementV, NULL, false);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
if (Tmp.empty())
|
2008-11-15 03:47:18 +08:00
|
|
|
return;
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
for (ExplodedNodeSet::iterator NI=Tmp.begin(), NE=Tmp.end(); NI!=NE; ++NI) {
|
|
|
|
|
Pred = *NI;
|
|
|
|
|
const GRState *state = GetState(Pred);
|
|
|
|
|
|
|
|
|
|
// Handle the case where the container still has elements.
|
2010-12-02 15:49:45 +08:00
|
|
|
SVal TrueV = svalBuilder.makeTruthVal(1);
|
2009-11-11 11:26:34 +08:00
|
|
|
const GRState *hasElems = state->BindExpr(S, TrueV);
|
|
|
|
|
|
|
|
|
|
// Handle the case where the container has no elements.
|
2010-12-02 15:49:45 +08:00
|
|
|
SVal FalseV = svalBuilder.makeTruthVal(0);
|
2009-11-11 11:26:34 +08:00
|
|
|
const GRState *noElems = state->BindExpr(S, FalseV);
|
|
|
|
|
|
|
|
|
|
if (loc::MemRegionVal* MV = dyn_cast<loc::MemRegionVal>(&ElementV))
|
|
|
|
|
if (const TypedRegion* R = dyn_cast<TypedRegion>(MV->getRegion())) {
|
|
|
|
|
// FIXME: The proper thing to do is to really iterate over the
|
|
|
|
|
// container. We will do this with dispatch logic to the store.
|
|
|
|
|
// For now, just 'conjure' up a symbolic value.
|
2010-08-11 14:10:55 +08:00
|
|
|
QualType T = R->getValueType();
|
2009-11-11 11:26:34 +08:00
|
|
|
assert(Loc::IsLocType(T));
|
|
|
|
|
unsigned Count = Builder->getCurrentBlockCount();
|
|
|
|
|
SymbolRef Sym = SymMgr.getConjuredSymbol(elem, T, Count);
|
2010-12-02 15:49:45 +08:00
|
|
|
SVal V = svalBuilder.makeLoc(Sym);
|
2009-11-11 11:26:34 +08:00
|
|
|
hasElems = hasElems->bindLoc(ElementV, V);
|
|
|
|
|
|
|
|
|
|
// Bind the location to 'nil' on the false branch.
|
2010-12-02 15:49:45 +08:00
|
|
|
SVal nilV = svalBuilder.makeIntVal(0, T);
|
2009-11-11 11:26:34 +08:00
|
|
|
noElems = noElems->bindLoc(ElementV, nilV);
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-11 11:26:34 +08:00
|
|
|
// Create the new nodes.
|
|
|
|
|
MakeNode(Dst, S, Pred, hasElems);
|
|
|
|
|
MakeNode(Dst, S, Pred, noElems);
|
|
|
|
|
}
|
2008-10-17 08:03:18 +08:00
|
|
|
}
|
|
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Transfer function: Objective-C message expressions.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
namespace {
|
|
|
|
|
class ObjCMsgWLItem {
|
|
|
|
|
public:
|
2010-07-20 14:22:24 +08:00
|
|
|
ObjCMessageExpr::const_arg_iterator I;
|
2010-02-16 07:02:46 +08:00
|
|
|
ExplodedNode *N;
|
|
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
ObjCMsgWLItem(const ObjCMessageExpr::const_arg_iterator &i, ExplodedNode *n)
|
2010-02-16 07:02:46 +08:00
|
|
|
: I(i), N(n) {}
|
|
|
|
|
};
|
|
|
|
|
} // end anonymous namespace
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitObjCMessageExpr(const ObjCMessageExpr* ME,
|
2010-07-20 14:22:24 +08:00
|
|
|
ExplodedNode* Pred,
|
2010-12-16 15:46:53 +08:00
|
|
|
ExplodedNodeSet& Dst){
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
// Create a worklist to process both the arguments.
|
|
|
|
|
llvm::SmallVector<ObjCMsgWLItem, 20> WL;
|
2008-04-16 07:06:53 +08:00
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
// But first evaluate the receiver (if any).
|
2010-07-20 14:22:24 +08:00
|
|
|
ObjCMessageExpr::const_arg_iterator AI = ME->arg_begin(), AE = ME->arg_end();
|
|
|
|
|
if (const Expr *Receiver = ME->getInstanceReceiver()) {
|
2010-02-16 07:02:46 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
|
|
|
|
Visit(Receiver, Pred, Tmp);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
if (Tmp.empty())
|
|
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I)
|
|
|
|
|
WL.push_back(ObjCMsgWLItem(AI, *I));
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
WL.push_back(ObjCMsgWLItem(AI, Pred));
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
// Evaluate the arguments.
|
|
|
|
|
ExplodedNodeSet ArgsEvaluated;
|
|
|
|
|
while (!WL.empty()) {
|
|
|
|
|
ObjCMsgWLItem Item = WL.back();
|
|
|
|
|
WL.pop_back();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
if (Item.I == AE) {
|
|
|
|
|
ArgsEvaluated.insert(Item.N);
|
|
|
|
|
continue;
|
2008-04-16 07:06:53 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
// Evaluate the subexpression.
|
|
|
|
|
ExplodedNodeSet Tmp;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
// FIXME: [Objective-C++] handle arguments that are references
|
|
|
|
|
Visit(*Item.I, Item.N, Tmp);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
// Enqueue evaluating the next argument on the worklist.
|
|
|
|
|
++(Item.I);
|
|
|
|
|
for (ExplodedNodeSet::iterator NI=Tmp.begin(), NE=Tmp.end(); NI!=NE; ++NI)
|
|
|
|
|
WL.push_back(ObjCMsgWLItem(Item.I, *NI));
|
|
|
|
|
}
|
2008-04-16 07:06:53 +08:00
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
// Now that the arguments are processed, handle the previsits checks.
|
|
|
|
|
ExplodedNodeSet DstPrevisit;
|
2010-08-04 15:10:57 +08:00
|
|
|
CheckerVisit(ME, DstPrevisit, ArgsEvaluated, PreVisitStmtCallback);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
// Proceed with evaluate the message expression.
|
2010-12-02 05:57:22 +08:00
|
|
|
ExplodedNodeSet dstEval;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
for (ExplodedNodeSet::iterator DI = DstPrevisit.begin(),
|
|
|
|
|
DE = DstPrevisit.end(); DI != DE; ++DI) {
|
2009-12-23 06:13:46 +08:00
|
|
|
|
2009-11-21 09:25:37 +08:00
|
|
|
Pred = *DI;
|
|
|
|
|
bool RaisesException = false;
|
2010-12-02 05:57:22 +08:00
|
|
|
unsigned oldSize = dstEval.size();
|
2009-12-23 06:13:46 +08:00
|
|
|
SaveAndRestore<bool> OldSink(Builder->BuildSinks);
|
2010-02-16 07:02:46 +08:00
|
|
|
SaveOr OldHasGen(Builder->HasGeneratedNode);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
Overhaul the AST representation of Objective-C message send
expressions, to improve source-location information, clarify the
actual receiver of the message, and pave the way for proper C++
support. The ObjCMessageExpr node represents four different kinds of
message sends in a single AST node:
1) Send to a object instance described by an expression (e.g., [x method:5])
2) Send to a class described by the class name (e.g., [NSString method:5])
3) Send to a superclass class (e.g, [super method:5] in class method)
4) Send to a superclass instance (e.g., [super method:5] in instance method)
Previously these four cases where tangled together. Now, they have
more distinct representations. Specific changes:
1) Unchanged; the object instance is represented by an Expr*.
2) Previously stored the ObjCInterfaceDecl* referring to the class
receiving the message. Now stores a TypeSourceInfo* so that we know
how the class was spelled. This both maintains typedef information
and opens the door for more complicated C++ types (e.g., dependent
types). There was an alternative, unused representation of these
sends by naming the class via an IdentifierInfo *. In practice, we
either had an ObjCInterfaceDecl *, from which we would get the
IdentifierInfo *, or we fell into the case below...
3) Previously represented by a class message whose IdentifierInfo *
referred to "super". Sema and CodeGen would use isStr("super") to
determine if they had a send to super. Now represented as a
"class super" send, where we have both the location of the "super"
keyword and the ObjCInterfaceDecl* of the superclass we're
targetting (statically).
4) Previously represented by an instance message whose receiver is a
an ObjCSuperExpr, which Sema and CodeGen would check for via
isa<ObjCSuperExpr>(). Now represented as an "instance super" send,
where we have both the location of the "super" keyword and the
ObjCInterfaceDecl* of the superclass we're targetting
(statically). Note that ObjCSuperExpr only has one remaining use in
the AST, which is for "super.prop" references.
The new representation of ObjCMessageExpr is 2 pointers smaller than
the old one, since it combines more storage. It also eliminates a leak
when we loaded message-send expressions from a precompiled header. The
representation also feels much cleaner to me; comments welcome!
This patch attempts to maintain the same semantics we previously had
with Objective-C message sends. In several places, there are massive
changes that boil down to simply replacing a nested-if structure such
as:
if (message has a receiver expression) {
// instance message
if (isa<ObjCSuperExpr>(...)) {
// send to super
} else {
// send to an object
}
} else {
// class message
if (name->isStr("super")) {
// class send to super
} else {
// send to class
}
}
with a switch
switch (E->getReceiverKind()) {
case ObjCMessageExpr::SuperInstance: ...
case ObjCMessageExpr::Instance: ...
case ObjCMessageExpr::SuperClass: ...
case ObjCMessageExpr::Class:...
}
There are quite a few places (particularly in the checkers) where
send-to-super is effectively ignored. I've placed FIXMEs in most of
them, and attempted to address send-to-super in a reasonable way. This
could use some review.
llvm-svn: 101972
2010-04-21 08:45:42 +08:00
|
|
|
if (const Expr *Receiver = ME->getInstanceReceiver()) {
|
2010-04-20 12:53:09 +08:00
|
|
|
const GRState *state = GetState(Pred);
|
2009-12-02 13:49:12 +08:00
|
|
|
|
|
|
|
|
// Bifurcate the state into nil and non-nil ones.
|
2010-02-16 07:02:46 +08:00
|
|
|
DefinedOrUnknownSVal receiverVal =
|
2010-02-09 00:18:51 +08:00
|
|
|
cast<DefinedOrUnknownSVal>(state->getSVal(Receiver));
|
2009-12-02 13:49:12 +08:00
|
|
|
|
|
|
|
|
const GRState *notNilState, *nilState;
|
2010-12-02 06:16:56 +08:00
|
|
|
llvm::tie(notNilState, nilState) = state->assume(receiverVal);
|
2009-12-02 13:49:12 +08:00
|
|
|
|
2010-02-16 07:02:46 +08:00
|
|
|
// There are three cases: can be nil or non-nil, must be nil, must be
|
2009-12-02 13:49:12 +08:00
|
|
|
// non-nil. We handle must be nil, and merge the rest two into non-nil.
|
|
|
|
|
if (nilState && !notNilState) {
|
2010-12-02 05:57:22 +08:00
|
|
|
CheckerEvalNilReceiver(ME, dstEval, nilState, Pred);
|
2009-12-23 06:13:46 +08:00
|
|
|
continue;
|
2009-12-02 13:49:12 +08:00
|
|
|
}
|
|
|
|
|
|
2009-11-21 09:25:37 +08:00
|
|
|
// Check if the "raise" message was sent.
|
2010-02-16 07:02:46 +08:00
|
|
|
assert(notNilState);
|
2009-11-21 09:25:37 +08:00
|
|
|
if (ME->getSelector() == RaiseSel)
|
|
|
|
|
RaisesException = true;
|
2009-12-02 13:49:12 +08:00
|
|
|
|
|
|
|
|
// Check if we raise an exception. For now treat these as sinks.
|
|
|
|
|
// Eventually we will want to handle exceptions properly.
|
|
|
|
|
if (RaisesException)
|
|
|
|
|
Builder->BuildSinks = true;
|
|
|
|
|
|
|
|
|
|
// Dispatch to plug-in transfer function.
|
2010-12-02 05:57:22 +08:00
|
|
|
evalObjCMessageExpr(dstEval, ME, Pred, notNilState);
|
2009-02-19 12:06:22 +08:00
|
|
|
}
|
Overhaul the AST representation of Objective-C message send
expressions, to improve source-location information, clarify the
actual receiver of the message, and pave the way for proper C++
support. The ObjCMessageExpr node represents four different kinds of
message sends in a single AST node:
1) Send to a object instance described by an expression (e.g., [x method:5])
2) Send to a class described by the class name (e.g., [NSString method:5])
3) Send to a superclass class (e.g, [super method:5] in class method)
4) Send to a superclass instance (e.g., [super method:5] in instance method)
Previously these four cases where tangled together. Now, they have
more distinct representations. Specific changes:
1) Unchanged; the object instance is represented by an Expr*.
2) Previously stored the ObjCInterfaceDecl* referring to the class
receiving the message. Now stores a TypeSourceInfo* so that we know
how the class was spelled. This both maintains typedef information
and opens the door for more complicated C++ types (e.g., dependent
types). There was an alternative, unused representation of these
sends by naming the class via an IdentifierInfo *. In practice, we
either had an ObjCInterfaceDecl *, from which we would get the
IdentifierInfo *, or we fell into the case below...
3) Previously represented by a class message whose IdentifierInfo *
referred to "super". Sema and CodeGen would use isStr("super") to
determine if they had a send to super. Now represented as a
"class super" send, where we have both the location of the "super"
keyword and the ObjCInterfaceDecl* of the superclass we're
targetting (statically).
4) Previously represented by an instance message whose receiver is a
an ObjCSuperExpr, which Sema and CodeGen would check for via
isa<ObjCSuperExpr>(). Now represented as an "instance super" send,
where we have both the location of the "super" keyword and the
ObjCInterfaceDecl* of the superclass we're targetting
(statically). Note that ObjCSuperExpr only has one remaining use in
the AST, which is for "super.prop" references.
The new representation of ObjCMessageExpr is 2 pointers smaller than
the old one, since it combines more storage. It also eliminates a leak
when we loaded message-send expressions from a precompiled header. The
representation also feels much cleaner to me; comments welcome!
This patch attempts to maintain the same semantics we previously had
with Objective-C message sends. In several places, there are massive
changes that boil down to simply replacing a nested-if structure such
as:
if (message has a receiver expression) {
// instance message
if (isa<ObjCSuperExpr>(...)) {
// send to super
} else {
// send to an object
}
} else {
// class message
if (name->isStr("super")) {
// class send to super
} else {
// send to class
}
}
with a switch
switch (E->getReceiverKind()) {
case ObjCMessageExpr::SuperInstance: ...
case ObjCMessageExpr::Instance: ...
case ObjCMessageExpr::SuperClass: ...
case ObjCMessageExpr::Class:...
}
There are quite a few places (particularly in the checkers) where
send-to-super is effectively ignored. I've placed FIXMEs in most of
them, and attempted to address send-to-super in a reasonable way. This
could use some review.
llvm-svn: 101972
2010-04-21 08:45:42 +08:00
|
|
|
else if (ObjCInterfaceDecl *Iface = ME->getReceiverInterface()) {
|
|
|
|
|
IdentifierInfo* ClsName = Iface->getIdentifier();
|
2009-11-21 09:25:37 +08:00
|
|
|
Selector S = ME->getSelector();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-21 09:25:37 +08:00
|
|
|
// Check for special instance methods.
|
|
|
|
|
if (!NSExceptionII) {
|
|
|
|
|
ASTContext& Ctx = getContext();
|
|
|
|
|
NSExceptionII = &Ctx.Idents.get("NSException");
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-21 09:25:37 +08:00
|
|
|
if (ClsName == NSExceptionII) {
|
|
|
|
|
enum { NUM_RAISE_SELECTORS = 2 };
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-21 09:25:37 +08:00
|
|
|
// Lazily create a cache of the selectors.
|
|
|
|
|
if (!NSExceptionInstanceRaiseSelectors) {
|
|
|
|
|
ASTContext& Ctx = getContext();
|
2010-02-16 07:02:46 +08:00
|
|
|
NSExceptionInstanceRaiseSelectors =
|
|
|
|
|
new Selector[NUM_RAISE_SELECTORS];
|
2009-11-21 09:25:37 +08:00
|
|
|
llvm::SmallVector<IdentifierInfo*, NUM_RAISE_SELECTORS> II;
|
|
|
|
|
unsigned idx = 0;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-21 09:25:37 +08:00
|
|
|
// raise:format:
|
|
|
|
|
II.push_back(&Ctx.Idents.get("raise"));
|
|
|
|
|
II.push_back(&Ctx.Idents.get("format"));
|
|
|
|
|
NSExceptionInstanceRaiseSelectors[idx++] =
|
|
|
|
|
Ctx.Selectors.getSelector(II.size(), &II[0]);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-21 09:25:37 +08:00
|
|
|
// raise:format::arguments:
|
|
|
|
|
II.push_back(&Ctx.Idents.get("arguments"));
|
|
|
|
|
NSExceptionInstanceRaiseSelectors[idx++] =
|
|
|
|
|
Ctx.Selectors.getSelector(II.size(), &II[0]);
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-21 09:25:37 +08:00
|
|
|
for (unsigned i = 0; i < NUM_RAISE_SELECTORS; ++i)
|
|
|
|
|
if (S == NSExceptionInstanceRaiseSelectors[i]) {
|
2009-12-23 06:13:46 +08:00
|
|
|
RaisesException = true;
|
|
|
|
|
break;
|
2009-11-21 09:25:37 +08:00
|
|
|
}
|
2008-05-02 02:33:28 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-12-02 13:49:12 +08:00
|
|
|
// Check if we raise an exception. For now treat these as sinks.
|
|
|
|
|
// Eventually we will want to handle exceptions properly.
|
|
|
|
|
if (RaisesException)
|
|
|
|
|
Builder->BuildSinks = true;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-12-02 13:49:12 +08:00
|
|
|
// Dispatch to plug-in transfer function.
|
2010-12-02 05:57:22 +08:00
|
|
|
evalObjCMessageExpr(dstEval, ME, Pred, Builder->GetState(Pred));
|
2009-12-02 13:49:12 +08:00
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-23 06:13:46 +08:00
|
|
|
// Handle the case where no nodes where generated. Auto-generate that
|
|
|
|
|
// contains the updated state if we aren't generating sinks.
|
2010-12-02 05:57:22 +08:00
|
|
|
if (!Builder->BuildSinks && dstEval.size() == oldSize &&
|
2009-12-23 06:13:46 +08:00
|
|
|
!Builder->HasGeneratedNode)
|
2010-12-02 05:57:22 +08:00
|
|
|
MakeNode(dstEval, ME, Pred, GetState(Pred));
|
2009-11-21 09:25:37 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-12-23 06:13:46 +08:00
|
|
|
// Finally, perform the post-condition check of the ObjCMessageExpr and store
|
|
|
|
|
// the created nodes in 'Dst'.
|
2010-12-16 15:46:53 +08:00
|
|
|
CheckerVisit(ME, Dst, dstEval, PostVisitStmtCallback);
|
2008-02-19 09:44:53 +08:00
|
|
|
}
|
|
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Transfer functions: Miscellaneous statements.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
|
|
|
|
|
ExplodedNode *Pred, ExplodedNodeSet &Dst) {
|
2010-12-16 15:46:53 +08:00
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet S1;
|
2010-12-16 15:46:53 +08:00
|
|
|
Visit(Ex, Pred, S1);
|
|
|
|
|
ExplodedNodeSet S2;
|
|
|
|
|
CheckerVisit(CastE, S2, S1, PreVisitStmtCallback);
|
|
|
|
|
|
|
|
|
|
if (CastE->getCastKind() == CK_LValueToRValue) {
|
|
|
|
|
for (ExplodedNodeSet::iterator I = S2.begin(), E = S2.end(); I!=E; ++I) {
|
|
|
|
|
ExplodedNode *subExprNode = *I;
|
|
|
|
|
const GRState *state = GetState(subExprNode);
|
|
|
|
|
evalLoad(Dst, CastE, subExprNode, state, state->getSVal(Ex));
|
|
|
|
|
}
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// All other casts.
|
2008-02-20 02:52:54 +08:00
|
|
|
QualType T = CastE->getType();
|
2008-10-21 14:54:23 +08:00
|
|
|
QualType ExTy = Ex->getType();
|
2008-10-22 16:02:16 +08:00
|
|
|
|
2008-10-31 15:26:14 +08:00
|
|
|
if (const ExplicitCastExpr *ExCast=dyn_cast_or_null<ExplicitCastExpr>(CastE))
|
2008-10-28 03:41:14 +08:00
|
|
|
T = ExCast->getTypeAsWritten();
|
2010-12-16 15:46:53 +08:00
|
|
|
|
|
|
|
|
#if 0
|
2009-12-23 08:26:16 +08:00
|
|
|
// If we are evaluating the cast in an lvalue context, we implicitly want
|
|
|
|
|
// the cast to evaluate to a location.
|
|
|
|
|
if (asLValue) {
|
|
|
|
|
ASTContext &Ctx = getContext();
|
|
|
|
|
T = Ctx.getPointerType(Ctx.getCanonicalType(T));
|
2009-12-23 09:19:20 +08:00
|
|
|
ExTy = Ctx.getPointerType(Ctx.getCanonicalType(ExTy));
|
2009-12-23 08:26:16 +08:00
|
|
|
}
|
2010-12-16 15:46:53 +08:00
|
|
|
#endif
|
2009-07-22 05:03:30 +08:00
|
|
|
|
2010-01-22 12:30:00 +08:00
|
|
|
switch (CastE->getCastKind()) {
|
2010-08-25 19:45:40 +08:00
|
|
|
case CK_ToVoid:
|
2010-01-22 12:30:00 +08:00
|
|
|
for (ExplodedNodeSet::iterator I = S2.begin(), E = S2.end(); I != E; ++I)
|
|
|
|
|
Dst.Add(*I);
|
|
|
|
|
return;
|
|
|
|
|
|
2010-12-01 12:43:34 +08:00
|
|
|
case CK_LValueToRValue:
|
2010-08-25 19:45:40 +08:00
|
|
|
case CK_NoOp:
|
|
|
|
|
case CK_FunctionToPointerDecay:
|
2010-01-22 12:30:00 +08:00
|
|
|
for (ExplodedNodeSet::iterator I = S2.begin(), E = S2.end(); I != E; ++I) {
|
|
|
|
|
// Copy the SVal of Ex to CastE.
|
|
|
|
|
ExplodedNode *N = *I;
|
|
|
|
|
const GRState *state = GetState(N);
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal V = state->getSVal(Ex);
|
2010-01-22 12:30:00 +08:00
|
|
|
state = state->BindExpr(CastE, V);
|
|
|
|
|
MakeNode(Dst, CastE, N, state);
|
|
|
|
|
}
|
|
|
|
|
return;
|
|
|
|
|
|
2010-12-04 11:47:34 +08:00
|
|
|
case CK_GetObjCProperty:
|
2010-11-15 17:13:47 +08:00
|
|
|
case CK_Dependent:
|
2010-08-25 19:45:40 +08:00
|
|
|
case CK_ArrayToPointerDecay:
|
|
|
|
|
case CK_BitCast:
|
|
|
|
|
case CK_LValueBitCast:
|
|
|
|
|
case CK_IntegralCast:
|
2010-11-13 09:35:44 +08:00
|
|
|
case CK_NullToPointer:
|
2010-08-25 19:45:40 +08:00
|
|
|
case CK_IntegralToPointer:
|
|
|
|
|
case CK_PointerToIntegral:
|
2010-11-15 17:13:47 +08:00
|
|
|
case CK_PointerToBoolean:
|
|
|
|
|
case CK_IntegralToBoolean:
|
2010-08-25 19:45:40 +08:00
|
|
|
case CK_IntegralToFloating:
|
|
|
|
|
case CK_FloatingToIntegral:
|
2010-11-15 17:13:47 +08:00
|
|
|
case CK_FloatingToBoolean:
|
2010-08-25 19:45:40 +08:00
|
|
|
case CK_FloatingCast:
|
2010-11-13 17:02:35 +08:00
|
|
|
case CK_FloatingRealToComplex:
|
2010-11-14 16:17:51 +08:00
|
|
|
case CK_FloatingComplexToReal:
|
|
|
|
|
case CK_FloatingComplexToBoolean:
|
2010-11-13 17:02:35 +08:00
|
|
|
case CK_FloatingComplexCast:
|
2010-11-14 16:17:51 +08:00
|
|
|
case CK_FloatingComplexToIntegralComplex:
|
2010-11-13 17:02:35 +08:00
|
|
|
case CK_IntegralRealToComplex:
|
2010-11-14 16:17:51 +08:00
|
|
|
case CK_IntegralComplexToReal:
|
|
|
|
|
case CK_IntegralComplexToBoolean:
|
2010-11-13 17:02:35 +08:00
|
|
|
case CK_IntegralComplexCast:
|
2010-11-14 16:17:51 +08:00
|
|
|
case CK_IntegralComplexToFloatingComplex:
|
2010-08-25 19:45:40 +08:00
|
|
|
case CK_AnyPointerToObjCPointerCast:
|
|
|
|
|
case CK_AnyPointerToBlockPointerCast:
|
2010-11-26 16:21:53 +08:00
|
|
|
|
2010-08-25 19:45:40 +08:00
|
|
|
case CK_ObjCObjectLValueCast: {
|
2010-12-02 05:28:31 +08:00
|
|
|
// Delegate to SValBuilder to process.
|
2010-01-22 12:30:00 +08:00
|
|
|
for (ExplodedNodeSet::iterator I = S2.begin(), E = S2.end(); I != E; ++I) {
|
|
|
|
|
ExplodedNode* N = *I;
|
|
|
|
|
const GRState* state = GetState(N);
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal V = state->getSVal(Ex);
|
2010-12-02 05:57:22 +08:00
|
|
|
V = svalBuilder.evalCast(V, T, ExTy);
|
2010-02-04 12:56:43 +08:00
|
|
|
state = state->BindExpr(CastE, V);
|
2010-01-22 12:30:00 +08:00
|
|
|
MakeNode(Dst, CastE, N, state);
|
|
|
|
|
}
|
|
|
|
|
return;
|
2010-06-23 03:05:10 +08:00
|
|
|
}
|
2010-11-26 16:21:53 +08:00
|
|
|
|
|
|
|
|
case CK_DerivedToBase:
|
|
|
|
|
case CK_UncheckedDerivedToBase:
|
|
|
|
|
// For DerivedToBase cast, delegate to the store manager.
|
|
|
|
|
for (ExplodedNodeSet::iterator I = S2.begin(), E = S2.end(); I != E; ++I) {
|
|
|
|
|
ExplodedNode *node = *I;
|
|
|
|
|
const GRState *state = GetState(node);
|
|
|
|
|
SVal val = state->getSVal(Ex);
|
|
|
|
|
val = getStoreManager().evalDerivedToBase(val, T);
|
|
|
|
|
state = state->BindExpr(CastE, val);
|
|
|
|
|
MakeNode(Dst, CastE, node, state);
|
|
|
|
|
}
|
|
|
|
|
return;
|
|
|
|
|
|
2010-06-23 03:05:10 +08:00
|
|
|
// Various C++ casts that are not handled yet.
|
2010-08-25 19:45:40 +08:00
|
|
|
case CK_Dynamic:
|
|
|
|
|
case CK_ToUnion:
|
|
|
|
|
case CK_BaseToDerived:
|
|
|
|
|
case CK_NullToMemberPointer:
|
|
|
|
|
case CK_BaseToDerivedMemberPointer:
|
|
|
|
|
case CK_DerivedToBaseMemberPointer:
|
|
|
|
|
case CK_UserDefinedConversion:
|
|
|
|
|
case CK_ConstructorConversion:
|
|
|
|
|
case CK_VectorSplat:
|
|
|
|
|
case CK_MemberPointerToBoolean: {
|
2010-06-23 03:05:10 +08:00
|
|
|
SaveAndRestore<bool> OldSink(Builder->BuildSinks);
|
|
|
|
|
Builder->BuildSinks = true;
|
|
|
|
|
MakeNode(Dst, CastE, Pred, GetState(Pred));
|
|
|
|
|
return;
|
|
|
|
|
}
|
2008-01-24 10:02:54 +08:00
|
|
|
}
|
2008-01-25 04:55:43 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitCompoundLiteralExpr(const CompoundLiteralExpr* CL,
|
2009-09-09 23:08:12 +08:00
|
|
|
ExplodedNode* Pred,
|
2010-12-16 15:46:53 +08:00
|
|
|
ExplodedNodeSet& Dst) {
|
2010-07-20 14:22:24 +08:00
|
|
|
const InitListExpr* ILE
|
|
|
|
|
= cast<InitListExpr>(CL->getInitializer()->IgnoreParens());
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2008-10-28 05:54:31 +08:00
|
|
|
Visit(ILE, Pred, Tmp);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
for (ExplodedNodeSet::iterator I = Tmp.begin(), EI = Tmp.end(); I!=EI; ++I) {
|
2009-02-13 09:45:31 +08:00
|
|
|
const GRState* state = GetState(*I);
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal ILV = state->getSVal(ILE);
|
2009-12-08 06:05:27 +08:00
|
|
|
const LocationContext *LC = (*I)->getLocationContext();
|
|
|
|
|
state = state->bindCompoundLiteral(CL, LC, ILV);
|
2008-10-28 05:54:31 +08:00
|
|
|
|
2010-12-16 15:46:53 +08:00
|
|
|
if (CL->isLValue()) {
|
2009-12-08 06:05:27 +08:00
|
|
|
MakeNode(Dst, CL, *I, state->BindExpr(CL, state->getLValue(CL, LC)));
|
|
|
|
|
}
|
2008-11-07 18:38:33 +08:00
|
|
|
else
|
2009-08-28 06:17:37 +08:00
|
|
|
MakeNode(Dst, CL, *I, state->BindExpr(CL, ILV));
|
2008-10-28 05:54:31 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitDeclStmt(const DeclStmt *DS, ExplodedNode *Pred,
|
2009-09-09 23:08:12 +08:00
|
|
|
ExplodedNodeSet& Dst) {
|
2008-04-23 06:25:27 +08:00
|
|
|
|
2009-09-09 23:08:12 +08:00
|
|
|
// The CFG has one DeclStmt per Decl.
|
2010-07-20 14:22:24 +08:00
|
|
|
const Decl* D = *DS->decl_begin();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-08-29 02:34:26 +08:00
|
|
|
if (!D || !isa<VarDecl>(D))
|
2008-04-23 06:25:27 +08:00
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
|
const VarDecl* VD = dyn_cast<VarDecl>(D);
|
2010-07-23 10:54:53 +08:00
|
|
|
const Expr* InitEx = VD->getInit();
|
2008-04-23 06:25:27 +08:00
|
|
|
|
|
|
|
|
// FIXME: static variables may have an initializer, but the second
|
|
|
|
|
// time a function is called those values may not be current.
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2008-04-23 06:25:27 +08:00
|
|
|
|
2010-12-19 10:26:37 +08:00
|
|
|
if (InitEx) {
|
|
|
|
|
if (VD->getType()->isReferenceType() && !InitEx->isLValue()) {
|
2010-12-22 15:20:27 +08:00
|
|
|
// If the initializer is C++ record type, it should already has a
|
|
|
|
|
// temp object.
|
|
|
|
|
if (!InitEx->getType()->isRecordType())
|
|
|
|
|
CreateCXXTemporaryObject(InitEx, Pred, Tmp);
|
|
|
|
|
else
|
|
|
|
|
Tmp.Add(Pred);
|
2010-12-19 10:26:37 +08:00
|
|
|
} else
|
|
|
|
|
Visit(InitEx, Pred, Tmp);
|
|
|
|
|
} else
|
2008-08-29 02:34:26 +08:00
|
|
|
Tmp.Add(Pred);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-07 11:56:57 +08:00
|
|
|
ExplodedNodeSet Tmp2;
|
2010-08-04 15:10:57 +08:00
|
|
|
CheckerVisit(DS, Tmp2, Tmp, PreVisitStmtCallback);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-07 11:56:57 +08:00
|
|
|
for (ExplodedNodeSet::iterator I=Tmp2.begin(), E=Tmp2.end(); I!=E; ++I) {
|
2009-11-03 20:13:38 +08:00
|
|
|
ExplodedNode *N = *I;
|
2009-11-07 11:56:57 +08:00
|
|
|
const GRState *state = GetState(N);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-02-14 09:54:57 +08:00
|
|
|
// Decls without InitExpr are not initialized explicitly.
|
2009-11-03 20:13:38 +08:00
|
|
|
const LocationContext *LC = N->getLocationContext();
|
2009-08-22 06:28:32 +08:00
|
|
|
|
2009-02-14 09:54:57 +08:00
|
|
|
if (InitEx) {
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal InitVal = state->getSVal(InitEx);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-22 15:20:27 +08:00
|
|
|
// We bound the temp obj region to the CXXConstructExpr. Now recover
|
|
|
|
|
// the lazy compound value when the variable is not a reference.
|
|
|
|
|
if (AMgr.getLangOptions().CPlusPlus && VD->getType()->isRecordType() &&
|
|
|
|
|
!VD->getType()->isReferenceType() && isa<loc::MemRegionVal>(InitVal)){
|
|
|
|
|
InitVal = state->getSVal(cast<loc::MemRegionVal>(InitVal).getRegion());
|
|
|
|
|
assert(isa<nonloc::LazyCompoundVal>(InitVal));
|
|
|
|
|
}
|
|
|
|
|
|
2009-02-14 09:54:57 +08:00
|
|
|
// Recover some path-sensitivity if a scalar value evaluated to
|
|
|
|
|
// UnknownVal.
|
2010-03-03 05:43:52 +08:00
|
|
|
if ((InitVal.isUnknown() ||
|
|
|
|
|
!getConstraintManager().canReasonAbout(InitVal)) &&
|
|
|
|
|
!VD->getType()->isReferenceType()) {
|
2010-12-02 15:49:45 +08:00
|
|
|
InitVal = svalBuilder.getConjuredSymbolVal(NULL, InitEx,
|
2009-11-03 20:13:38 +08:00
|
|
|
Builder->getCurrentBlockCount());
|
2009-09-09 23:08:12 +08:00
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
evalBind(Dst, DS, *I, state,
|
2010-02-16 07:02:46 +08:00
|
|
|
loc::MemRegionVal(state->getRegion(VD, LC)), InitVal, true);
|
2009-09-09 23:08:12 +08:00
|
|
|
}
|
2009-02-14 09:54:57 +08:00
|
|
|
else {
|
2009-11-04 08:09:15 +08:00
|
|
|
state = state->bindDeclWithNoInit(state->getRegion(VD, LC));
|
2009-02-14 09:54:57 +08:00
|
|
|
MakeNode(Dst, DS, *I, state);
|
|
|
|
|
}
|
2008-04-23 06:25:27 +08:00
|
|
|
}
|
|
|
|
|
}
|
2008-02-05 08:26:40 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitCondInit(const VarDecl *VD, const Stmt *S,
|
2009-12-24 08:40:03 +08:00
|
|
|
ExplodedNode *Pred, ExplodedNodeSet& Dst) {
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr* InitEx = VD->getInit();
|
2009-12-23 12:49:01 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
|
|
|
|
Visit(InitEx, Pred, Tmp);
|
|
|
|
|
|
|
|
|
|
for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) {
|
|
|
|
|
ExplodedNode *N = *I;
|
|
|
|
|
const GRState *state = GetState(N);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-23 12:49:01 +08:00
|
|
|
const LocationContext *LC = N->getLocationContext();
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal InitVal = state->getSVal(InitEx);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-12-23 12:49:01 +08:00
|
|
|
// Recover some path-sensitivity if a scalar value evaluated to
|
|
|
|
|
// UnknownVal.
|
|
|
|
|
if (InitVal.isUnknown() ||
|
|
|
|
|
!getConstraintManager().canReasonAbout(InitVal)) {
|
2010-12-02 15:49:45 +08:00
|
|
|
InitVal = svalBuilder.getConjuredSymbolVal(NULL, InitEx,
|
2009-12-23 12:49:01 +08:00
|
|
|
Builder->getCurrentBlockCount());
|
|
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
evalBind(Dst, S, N, state,
|
2009-12-23 12:49:01 +08:00
|
|
|
loc::MemRegionVal(state->getRegion(VD, LC)), InitVal, true);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2008-10-31 01:47:32 +08:00
|
|
|
namespace {
|
|
|
|
|
// This class is used by VisitInitListExpr as an item in a worklist
|
|
|
|
|
// for processing the values contained in an InitListExpr.
|
2009-11-28 14:07:30 +08:00
|
|
|
class InitListWLItem {
|
2008-10-31 01:47:32 +08:00
|
|
|
public:
|
|
|
|
|
llvm::ImmutableList<SVal> Vals;
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNode* N;
|
2010-07-20 14:22:24 +08:00
|
|
|
InitListExpr::const_reverse_iterator Itr;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
InitListWLItem(ExplodedNode* n, llvm::ImmutableList<SVal> vals,
|
2010-07-20 14:22:24 +08:00
|
|
|
InitListExpr::const_reverse_iterator itr)
|
2008-10-31 01:47:32 +08:00
|
|
|
: Vals(vals), N(n), Itr(itr) {}
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitInitListExpr(const InitListExpr* E, ExplodedNode* Pred,
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet& Dst) {
|
2008-10-30 13:02:23 +08:00
|
|
|
|
2008-10-31 07:14:36 +08:00
|
|
|
const GRState* state = GetState(Pred);
|
2008-11-13 13:05:34 +08:00
|
|
|
QualType T = getContext().getCanonicalType(E->getType());
|
2009-09-09 23:08:12 +08:00
|
|
|
unsigned NumInitElements = E->getNumInits();
|
2008-10-30 13:02:23 +08:00
|
|
|
|
2010-04-27 05:31:17 +08:00
|
|
|
if (T->isArrayType() || T->isRecordType() || T->isVectorType()) {
|
2008-10-31 07:14:36 +08:00
|
|
|
llvm::ImmutableList<SVal> StartVals = getBasicVals().getEmptySValList();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-10-31 07:14:36 +08:00
|
|
|
// Handle base case where the initializer has no elements.
|
|
|
|
|
// e.g: static int* myArray[] = {};
|
|
|
|
|
if (NumInitElements == 0) {
|
2010-12-02 15:49:45 +08:00
|
|
|
SVal V = svalBuilder.makeCompoundVal(T, StartVals);
|
2009-08-28 06:17:37 +08:00
|
|
|
MakeNode(Dst, E, Pred, state->BindExpr(E, V));
|
2008-10-31 07:14:36 +08:00
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
}
|
|
|
|
|
|
2008-10-31 07:14:36 +08:00
|
|
|
// Create a worklist to process the initializers.
|
|
|
|
|
llvm::SmallVector<InitListWLItem, 10> WorkList;
|
2009-09-09 23:08:12 +08:00
|
|
|
WorkList.reserve(NumInitElements);
|
|
|
|
|
WorkList.push_back(InitListWLItem(Pred, StartVals, E->rbegin()));
|
2010-07-20 14:22:24 +08:00
|
|
|
InitListExpr::const_reverse_iterator ItrEnd = E->rend();
|
2009-09-23 05:19:14 +08:00
|
|
|
assert(!(E->rbegin() == E->rend()));
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-10-31 07:14:36 +08:00
|
|
|
// Process the worklist until it is empty.
|
2008-10-31 01:47:32 +08:00
|
|
|
while (!WorkList.empty()) {
|
|
|
|
|
InitListWLItem X = WorkList.back();
|
|
|
|
|
WorkList.pop_back();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2008-10-31 01:47:32 +08:00
|
|
|
Visit(*X.Itr, X.N, Tmp);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
InitListExpr::const_reverse_iterator NewItr = X.Itr + 1;
|
2008-10-30 13:02:23 +08:00
|
|
|
|
2009-12-16 19:27:52 +08:00
|
|
|
for (ExplodedNodeSet::iterator NI=Tmp.begin(),NE=Tmp.end();NI!=NE;++NI) {
|
2008-10-31 01:47:32 +08:00
|
|
|
// Get the last initializer value.
|
|
|
|
|
state = GetState(*NI);
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal InitV = state->getSVal(cast<Expr>(*X.Itr));
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-10-31 01:47:32 +08:00
|
|
|
// Construct the new list of values by prepending the new value to
|
|
|
|
|
// the already constructed list.
|
|
|
|
|
llvm::ImmutableList<SVal> NewVals =
|
|
|
|
|
getBasicVals().consVals(InitV, X.Vals);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-10-31 01:47:32 +08:00
|
|
|
if (NewItr == ItrEnd) {
|
2008-10-31 11:01:26 +08:00
|
|
|
// Now we have a list holding all init values. Make CompoundValData.
|
2010-12-02 15:49:45 +08:00
|
|
|
SVal V = svalBuilder.makeCompoundVal(T, NewVals);
|
2008-10-30 13:02:23 +08:00
|
|
|
|
2008-10-31 01:47:32 +08:00
|
|
|
// Make final state and node.
|
2009-08-28 06:17:37 +08:00
|
|
|
MakeNode(Dst, E, *NI, state->BindExpr(E, V));
|
2008-10-31 01:47:32 +08:00
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
// Still some initializer values to go. Push them onto the worklist.
|
|
|
|
|
WorkList.push_back(InitListWLItem(*NI, NewVals, NewItr));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-10-31 02:34:31 +08:00
|
|
|
return;
|
2008-10-30 13:02:23 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (Loc::IsLocType(T) || T->isIntegerType()) {
|
|
|
|
|
assert (E->getNumInits() == 1);
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr* Init = E->getInit(0);
|
2008-10-30 13:02:23 +08:00
|
|
|
Visit(Init, Pred, Tmp);
|
2009-12-16 19:27:52 +08:00
|
|
|
for (ExplodedNodeSet::iterator I=Tmp.begin(), EI=Tmp.end(); I != EI; ++I) {
|
2008-10-30 13:02:23 +08:00
|
|
|
state = GetState(*I);
|
2010-02-09 00:18:51 +08:00
|
|
|
MakeNode(Dst, E, *I, state->BindExpr(E, state->getSVal(Init)));
|
2008-10-30 13:02:23 +08:00
|
|
|
}
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
assert(0 && "unprocessed InitListExpr type");
|
|
|
|
|
}
|
2008-02-05 08:26:40 +08:00
|
|
|
|
2008-11-12 01:56:53 +08:00
|
|
|
/// VisitSizeOfAlignOfExpr - Transfer function for sizeof(type).
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitSizeOfAlignOfExpr(const SizeOfAlignOfExpr* Ex,
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNode* Pred,
|
|
|
|
|
ExplodedNodeSet& Dst) {
|
2008-11-12 01:56:53 +08:00
|
|
|
QualType T = Ex->getTypeOfArgument();
|
2010-01-12 01:06:35 +08:00
|
|
|
CharUnits amt;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-03-15 11:13:20 +08:00
|
|
|
if (Ex->isSizeOf()) {
|
2009-09-09 23:08:12 +08:00
|
|
|
if (T == getContext().VoidTy) {
|
2008-12-16 02:51:00 +08:00
|
|
|
// sizeof(void) == 1 byte.
|
2010-01-12 01:06:35 +08:00
|
|
|
amt = CharUnits::One();
|
2008-12-16 02:51:00 +08:00
|
|
|
}
|
2010-07-05 12:42:43 +08:00
|
|
|
else if (!T->isConstantSizeType()) {
|
|
|
|
|
assert(T->isVariableArrayType() && "Unknown non-constant-sized type.");
|
|
|
|
|
|
|
|
|
|
// FIXME: Add support for VLA type arguments, not just VLA expressions.
|
|
|
|
|
// When that happens, we should probably refactor VLASizeChecker's code.
|
|
|
|
|
if (Ex->isArgumentType()) {
|
|
|
|
|
Dst.Add(Pred);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get the size by getting the extent of the sub-expression.
|
|
|
|
|
// First, visit the sub-expression to find its region.
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr *Arg = Ex->getArgumentExpr();
|
2010-07-05 12:42:43 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2010-12-16 15:46:53 +08:00
|
|
|
Visit(Arg, Pred, Tmp);
|
2010-07-05 12:42:43 +08:00
|
|
|
|
|
|
|
|
for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) {
|
|
|
|
|
const GRState* state = GetState(*I);
|
|
|
|
|
const MemRegion *MR = state->getSVal(Arg).getAsRegion();
|
|
|
|
|
|
|
|
|
|
// If the subexpression can't be resolved to a region, we don't know
|
|
|
|
|
// anything about its size. Just leave the state as is and continue.
|
|
|
|
|
if (!MR) {
|
|
|
|
|
Dst.Add(*I);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The result is the extent of the VLA.
|
2010-12-02 15:49:45 +08:00
|
|
|
SVal Extent = cast<SubRegion>(MR)->getExtent(svalBuilder);
|
2010-07-05 12:42:43 +08:00
|
|
|
MakeNode(Dst, Ex, *I, state->BindExpr(Ex, Extent));
|
|
|
|
|
}
|
|
|
|
|
|
2008-03-15 11:13:20 +08:00
|
|
|
return;
|
2008-12-16 02:51:00 +08:00
|
|
|
}
|
2010-05-15 19:32:37 +08:00
|
|
|
else if (T->getAs<ObjCObjectType>()) {
|
|
|
|
|
// Some code tries to take the sizeof an ObjCObjectType, relying that
|
2008-12-16 02:51:00 +08:00
|
|
|
// the compiler has laid out its representation. Just report Unknown
|
2009-09-09 23:08:12 +08:00
|
|
|
// for these.
|
2010-02-02 10:01:51 +08:00
|
|
|
Dst.Add(Pred);
|
2008-05-01 05:31:12 +08:00
|
|
|
return;
|
2008-12-16 02:51:00 +08:00
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
// All other cases.
|
2010-01-12 01:06:35 +08:00
|
|
|
amt = getContext().getTypeSizeInChars(T);
|
2009-09-09 23:08:12 +08:00
|
|
|
}
|
2008-03-15 11:13:20 +08:00
|
|
|
}
|
|
|
|
|
else // Get alignment of the type.
|
2010-01-27 20:54:25 +08:00
|
|
|
amt = getContext().getTypeAlignInChars(T);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-03-22 05:30:14 +08:00
|
|
|
MakeNode(Dst, Ex, Pred,
|
2010-02-16 07:02:46 +08:00
|
|
|
GetState(Pred)->BindExpr(Ex,
|
2010-12-02 15:49:45 +08:00
|
|
|
svalBuilder.makeIntVal(amt.getQuantity(), Ex->getType())));
|
2008-04-22 07:43:38 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitOffsetOfExpr(const OffsetOfExpr* OOE,
|
2010-07-20 14:22:24 +08:00
|
|
|
ExplodedNode* Pred, ExplodedNodeSet& Dst) {
|
Completely reimplement __builtin_offsetof, based on a patch by Roberto
Amadini.
This change introduces a new expression node type, OffsetOfExpr, that
describes __builtin_offsetof. Previously, __builtin_offsetof was
implemented using a unary operator whose subexpression involved
various synthesized array-subscript and member-reference expressions,
which was ugly and made it very hard to instantiate as a
template. OffsetOfExpr represents the AST more faithfully, with proper
type source information and a more compact representation.
OffsetOfExpr also has support for dependent __builtin_offsetof
expressions; it can be value-dependent, but will never be
type-dependent (like sizeof or alignof). This commit introduces
template instantiation for __builtin_offsetof as well.
There are two major caveats to this patch:
1) CodeGen cannot handle the case where __builtin_offsetof is not a
constant expression, so it produces an error. So, to avoid
regressing in C, we retain the old UnaryOperator-based
__builtin_offsetof implementation in C while using the shiny new
OffsetOfExpr implementation in C++. The old implementation can go
away once we have proper CodeGen support for this case, which we
expect won't cause much trouble in C++.
2) __builtin_offsetof doesn't work well with non-POD class types,
particularly when the designated field is found within a base
class. I will address this in a subsequent patch.
Fixes PR5880 and a bunch of assertions when building Boost.Python
tests.
llvm-svn: 102542
2010-04-29 06:16:22 +08:00
|
|
|
Expr::EvalResult Res;
|
|
|
|
|
if (OOE->Evaluate(Res, getContext()) && Res.Val.isInt()) {
|
|
|
|
|
const APSInt &IV = Res.Val.getInt();
|
|
|
|
|
assert(IV.getBitWidth() == getContext().getTypeSize(OOE->getType()));
|
|
|
|
|
assert(OOE->getType()->isIntegerType());
|
|
|
|
|
assert(IV.isSigned() == OOE->getType()->isSignedIntegerType());
|
2010-12-02 15:49:45 +08:00
|
|
|
SVal X = svalBuilder.makeIntVal(IV);
|
Completely reimplement __builtin_offsetof, based on a patch by Roberto
Amadini.
This change introduces a new expression node type, OffsetOfExpr, that
describes __builtin_offsetof. Previously, __builtin_offsetof was
implemented using a unary operator whose subexpression involved
various synthesized array-subscript and member-reference expressions,
which was ugly and made it very hard to instantiate as a
template. OffsetOfExpr represents the AST more faithfully, with proper
type source information and a more compact representation.
OffsetOfExpr also has support for dependent __builtin_offsetof
expressions; it can be value-dependent, but will never be
type-dependent (like sizeof or alignof). This commit introduces
template instantiation for __builtin_offsetof as well.
There are two major caveats to this patch:
1) CodeGen cannot handle the case where __builtin_offsetof is not a
constant expression, so it produces an error. So, to avoid
regressing in C, we retain the old UnaryOperator-based
__builtin_offsetof implementation in C while using the shiny new
OffsetOfExpr implementation in C++. The old implementation can go
away once we have proper CodeGen support for this case, which we
expect won't cause much trouble in C++.
2) __builtin_offsetof doesn't work well with non-POD class types,
particularly when the designated field is found within a base
class. I will address this in a subsequent patch.
Fixes PR5880 and a bunch of assertions when building Boost.Python
tests.
llvm-svn: 102542
2010-04-29 06:16:22 +08:00
|
|
|
MakeNode(Dst, OOE, Pred, GetState(Pred)->BindExpr(OOE, X));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
// FIXME: Handle the case where __builtin_offsetof is not a constant.
|
|
|
|
|
Dst.Add(Pred);
|
|
|
|
|
}
|
2008-02-20 12:02:35 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitUnaryOperator(const UnaryOperator* U,
|
2010-07-20 14:22:24 +08:00
|
|
|
ExplodedNode* Pred,
|
2010-12-16 15:46:53 +08:00
|
|
|
ExplodedNodeSet& Dst) {
|
2008-04-30 05:04:26 +08:00
|
|
|
|
2008-02-20 12:02:35 +08:00
|
|
|
switch (U->getOpcode()) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-20 12:02:35 +08:00
|
|
|
default:
|
|
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-08-25 19:45:40 +08:00
|
|
|
case UO_Real: {
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr* Ex = U->getSubExpr()->IgnoreParens();
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2008-06-20 01:55:38 +08:00
|
|
|
Visit(Ex, Pred, Tmp);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-10-17 13:57:07 +08:00
|
|
|
// FIXME: We don't have complex SValues yet.
|
2008-06-20 01:55:38 +08:00
|
|
|
if (Ex->getType()->isAnyComplexType()) {
|
|
|
|
|
// Just report "Unknown."
|
|
|
|
|
Dst.Add(*I);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-08-25 19:45:40 +08:00
|
|
|
// For all other types, UO_Real is an identity operation.
|
2008-06-20 01:55:38 +08:00
|
|
|
assert (U->getType() == Ex->getType());
|
2009-02-13 09:45:31 +08:00
|
|
|
const GRState* state = GetState(*I);
|
2010-02-09 00:18:51 +08:00
|
|
|
MakeNode(Dst, U, *I, state->BindExpr(U, state->getSVal(Ex)));
|
2009-09-09 23:08:12 +08:00
|
|
|
}
|
|
|
|
|
|
2008-06-20 01:55:38 +08:00
|
|
|
return;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-08-25 19:45:40 +08:00
|
|
|
case UO_Imag: {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr* Ex = U->getSubExpr()->IgnoreParens();
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2008-06-20 01:55:38 +08:00
|
|
|
Visit(Ex, Pred, Tmp);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) {
|
2008-10-17 13:57:07 +08:00
|
|
|
// FIXME: We don't have complex SValues yet.
|
2008-06-20 01:55:38 +08:00
|
|
|
if (Ex->getType()->isAnyComplexType()) {
|
|
|
|
|
// Just report "Unknown."
|
|
|
|
|
Dst.Add(*I);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-08-25 19:45:40 +08:00
|
|
|
// For all other types, UO_Imag returns 0.
|
2009-02-13 09:45:31 +08:00
|
|
|
const GRState* state = GetState(*I);
|
2010-12-02 15:49:45 +08:00
|
|
|
SVal X = svalBuilder.makeZeroVal(Ex->getType());
|
2009-08-28 06:17:37 +08:00
|
|
|
MakeNode(Dst, U, *I, state->BindExpr(U, X));
|
2008-06-20 01:55:38 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-06-20 01:55:38 +08:00
|
|
|
return;
|
|
|
|
|
}
|
Completely reimplement __builtin_offsetof, based on a patch by Roberto
Amadini.
This change introduces a new expression node type, OffsetOfExpr, that
describes __builtin_offsetof. Previously, __builtin_offsetof was
implemented using a unary operator whose subexpression involved
various synthesized array-subscript and member-reference expressions,
which was ugly and made it very hard to instantiate as a
template. OffsetOfExpr represents the AST more faithfully, with proper
type source information and a more compact representation.
OffsetOfExpr also has support for dependent __builtin_offsetof
expressions; it can be value-dependent, but will never be
type-dependent (like sizeof or alignof). This commit introduces
template instantiation for __builtin_offsetof as well.
There are two major caveats to this patch:
1) CodeGen cannot handle the case where __builtin_offsetof is not a
constant expression, so it produces an error. So, to avoid
regressing in C, we retain the old UnaryOperator-based
__builtin_offsetof implementation in C while using the shiny new
OffsetOfExpr implementation in C++. The old implementation can go
away once we have proper CodeGen support for this case, which we
expect won't cause much trouble in C++.
2) __builtin_offsetof doesn't work well with non-POD class types,
particularly when the designated field is found within a base
class. I will address this in a subsequent patch.
Fixes PR5880 and a bunch of assertions when building Boost.Python
tests.
llvm-svn: 102542
2010-04-29 06:16:22 +08:00
|
|
|
|
2010-12-16 15:46:53 +08:00
|
|
|
case UO_Plus:
|
|
|
|
|
assert(!U->isLValue());
|
|
|
|
|
// FALL-THROUGH.
|
|
|
|
|
case UO_Deref:
|
2010-12-18 13:16:43 +08:00
|
|
|
case UO_AddrOf:
|
2010-08-25 19:45:40 +08:00
|
|
|
case UO_Extension: {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-30 05:04:26 +08:00
|
|
|
// Unary "+" is a no-op, similar to a parentheses. We still have places
|
|
|
|
|
// where it may be a block-level expression, so we need to
|
|
|
|
|
// generate an extra node that just propagates the value of the
|
|
|
|
|
// subexpression.
|
|
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr* Ex = U->getSubExpr()->IgnoreParens();
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2010-12-16 15:46:53 +08:00
|
|
|
Visit(Ex, Pred, Tmp);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
|
for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) {
|
2009-02-13 09:45:31 +08:00
|
|
|
const GRState* state = GetState(*I);
|
2010-02-09 00:18:51 +08:00
|
|
|
MakeNode(Dst, U, *I, state->BindExpr(U, state->getSVal(Ex)));
|
2008-04-30 05:04:26 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-30 05:04:26 +08:00
|
|
|
return;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-08-25 19:45:40 +08:00
|
|
|
case UO_LNot:
|
|
|
|
|
case UO_Minus:
|
|
|
|
|
case UO_Not: {
|
2010-12-16 15:46:53 +08:00
|
|
|
assert (!U->isLValue());
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr* Ex = U->getSubExpr()->IgnoreParens();
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2008-04-30 05:04:26 +08:00
|
|
|
Visit(Ex, Pred, Tmp);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
|
for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) {
|
2009-02-13 09:45:31 +08:00
|
|
|
const GRState* state = GetState(*I);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-09-30 13:32:44 +08:00
|
|
|
// Get the value of the subexpression.
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal V = state->getSVal(Ex);
|
2008-09-30 13:32:44 +08:00
|
|
|
|
2008-11-15 08:20:05 +08:00
|
|
|
if (V.isUnknownOrUndef()) {
|
2009-08-28 06:17:37 +08:00
|
|
|
MakeNode(Dst, U, *I, state->BindExpr(U, V));
|
2008-11-15 08:20:05 +08:00
|
|
|
continue;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-11-15 12:01:56 +08:00
|
|
|
// QualType DstT = getContext().getCanonicalType(U->getType());
|
|
|
|
|
// QualType SrcT = getContext().getCanonicalType(Ex->getType());
|
2009-09-09 23:08:12 +08:00
|
|
|
//
|
2008-11-15 12:01:56 +08:00
|
|
|
// if (DstT != SrcT) // Perform promotions.
|
2010-12-02 05:57:22 +08:00
|
|
|
// V = evalCast(V, DstT);
|
2009-09-09 23:08:12 +08:00
|
|
|
//
|
2008-11-15 12:01:56 +08:00
|
|
|
// if (V.isUnknownOrUndef()) {
|
|
|
|
|
// MakeNode(Dst, U, *I, BindExpr(St, U, V));
|
|
|
|
|
// continue;
|
|
|
|
|
// }
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-30 05:04:26 +08:00
|
|
|
switch (U->getOpcode()) {
|
|
|
|
|
default:
|
|
|
|
|
assert(false && "Invalid Opcode.");
|
|
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-08-25 19:45:40 +08:00
|
|
|
case UO_Not:
|
2008-10-01 08:21:14 +08:00
|
|
|
// FIXME: Do we need to handle promotions?
|
2010-12-02 05:57:22 +08:00
|
|
|
state = state->BindExpr(U, evalComplement(cast<NonLoc>(V)));
|
2009-09-09 23:08:12 +08:00
|
|
|
break;
|
|
|
|
|
|
2010-08-25 19:45:40 +08:00
|
|
|
case UO_Minus:
|
2008-10-01 08:21:14 +08:00
|
|
|
// FIXME: Do we need to handle promotions?
|
2010-12-02 05:57:22 +08:00
|
|
|
state = state->BindExpr(U, evalMinus(cast<NonLoc>(V)));
|
2009-09-09 23:08:12 +08:00
|
|
|
break;
|
|
|
|
|
|
2010-08-25 19:45:40 +08:00
|
|
|
case UO_LNot:
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-30 05:04:26 +08:00
|
|
|
// C99 6.5.3.3: "The expression !E is equivalent to (0==E)."
|
|
|
|
|
//
|
|
|
|
|
// Note: technically we do "E == 0", but this is the same in the
|
|
|
|
|
// transfer functions as "0 == E".
|
2009-06-26 08:05:51 +08:00
|
|
|
SVal Result;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-10-17 13:57:07 +08:00
|
|
|
if (isa<Loc>(V)) {
|
2010-12-02 15:49:45 +08:00
|
|
|
Loc X = svalBuilder.makeNull();
|
2010-12-02 05:57:22 +08:00
|
|
|
Result = evalBinOp(state, BO_EQ, cast<Loc>(V), X,
|
2009-06-26 08:05:51 +08:00
|
|
|
U->getType());
|
2008-04-30 05:04:26 +08:00
|
|
|
}
|
|
|
|
|
else {
|
2008-11-15 12:01:56 +08:00
|
|
|
nonloc::ConcreteInt X(getBasicVals().getValue(0, Ex->getType()));
|
2010-12-02 05:57:22 +08:00
|
|
|
Result = evalBinOp(state, BO_EQ, cast<NonLoc>(V), X,
|
2009-06-26 08:05:51 +08:00
|
|
|
U->getType());
|
2008-04-30 05:04:26 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-28 06:17:37 +08:00
|
|
|
state = state->BindExpr(U, Result);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-30 05:04:26 +08:00
|
|
|
break;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-02-13 09:45:31 +08:00
|
|
|
MakeNode(Dst, U, *I, state);
|
2008-04-30 05:04:26 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-30 05:04:26 +08:00
|
|
|
return;
|
|
|
|
|
}
|
2008-01-24 10:28:56 +08:00
|
|
|
}
|
2008-02-27 15:04:16 +08:00
|
|
|
|
2008-04-30 05:04:26 +08:00
|
|
|
// Handle ++ and -- (both pre- and post-increment).
|
|
|
|
|
assert (U->isIncrementDecrementOp());
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2010-07-20 14:22:24 +08:00
|
|
|
const Expr* Ex = U->getSubExpr()->IgnoreParens();
|
2010-12-16 15:46:53 +08:00
|
|
|
Visit(Ex, Pred, Tmp);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
for (ExplodedNodeSet::iterator I = Tmp.begin(), E = Tmp.end(); I!=E; ++I) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-02-13 09:45:31 +08:00
|
|
|
const GRState* state = GetState(*I);
|
2010-12-22 16:38:13 +08:00
|
|
|
SVal loc = state->getSVal(Ex);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
|
// Perform a load.
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp2;
|
2010-12-22 16:38:13 +08:00
|
|
|
evalLoad(Tmp2, Ex, *I, state, loc);
|
2008-04-22 12:56:29 +08:00
|
|
|
|
2009-12-16 19:27:52 +08:00
|
|
|
for (ExplodedNodeSet::iterator I2=Tmp2.begin(), E2=Tmp2.end();I2!=E2;++I2) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-02-13 09:45:31 +08:00
|
|
|
state = GetState(*I2);
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal V2_untested = state->getSVal(Ex);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
|
// Propagate unknown and undefined values.
|
2009-09-12 06:07:28 +08:00
|
|
|
if (V2_untested.isUnknownOrUndef()) {
|
|
|
|
|
MakeNode(Dst, U, *I2, state->BindExpr(U, V2_untested));
|
2008-04-30 05:04:26 +08:00
|
|
|
continue;
|
2010-02-16 07:02:46 +08:00
|
|
|
}
|
2009-09-12 06:07:28 +08:00
|
|
|
DefinedSVal V2 = cast<DefinedSVal>(V2_untested);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
|
// Handle all other values.
|
2010-08-25 19:45:40 +08:00
|
|
|
BinaryOperator::Opcode Op = U->isIncrementOp() ? BO_Add
|
|
|
|
|
: BO_Sub;
|
2009-03-11 11:54:24 +08:00
|
|
|
|
2009-08-05 10:51:59 +08:00
|
|
|
// If the UnaryOperator has non-location type, use its type to create the
|
|
|
|
|
// constant value. If the UnaryOperator has location type, create the
|
|
|
|
|
// constant with int type and pointer width.
|
|
|
|
|
SVal RHS;
|
|
|
|
|
|
|
|
|
|
if (U->getType()->isAnyPointerType())
|
2010-12-24 16:39:33 +08:00
|
|
|
RHS = svalBuilder.makeArrayIndex(1);
|
2009-08-05 10:51:59 +08:00
|
|
|
else
|
2010-12-02 15:49:45 +08:00
|
|
|
RHS = svalBuilder.makeIntVal(1, U->getType());
|
2009-08-05 10:51:59 +08:00
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
SVal Result = evalBinOp(state, Op, V2, RHS, U->getType());
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-03-21 04:10:45 +08:00
|
|
|
// Conjure a new symbol if necessary to recover precision.
|
2009-04-22 06:38:05 +08:00
|
|
|
if (Result.isUnknown() || !getConstraintManager().canReasonAbout(Result)){
|
2009-09-12 06:07:28 +08:00
|
|
|
DefinedOrUnknownSVal SymVal =
|
2010-12-02 15:49:45 +08:00
|
|
|
svalBuilder.getConjuredSymbolVal(NULL, Ex,
|
2009-09-28 04:45:21 +08:00
|
|
|
Builder->getCurrentBlockCount());
|
2009-09-12 06:07:28 +08:00
|
|
|
Result = SymVal;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-04-22 06:38:05 +08:00
|
|
|
// If the value is a location, ++/-- should always preserve
|
2009-06-26 08:05:51 +08:00
|
|
|
// non-nullness. Check if the original value was non-null, and if so
|
2009-09-09 23:08:12 +08:00
|
|
|
// propagate that constraint.
|
2009-04-22 06:38:05 +08:00
|
|
|
if (Loc::IsLocType(U->getType())) {
|
2009-09-12 06:07:28 +08:00
|
|
|
DefinedOrUnknownSVal Constraint =
|
2010-12-22 16:38:13 +08:00
|
|
|
svalBuilder.evalEQ(state, V2,svalBuilder.makeZeroVal(U->getType()));
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-02 06:16:56 +08:00
|
|
|
if (!state->assume(Constraint, true)) {
|
2009-04-22 06:38:05 +08:00
|
|
|
// It isn't feasible for the original value to be null.
|
|
|
|
|
// Propagate this constraint.
|
2010-12-02 05:57:22 +08:00
|
|
|
Constraint = svalBuilder.evalEQ(state, SymVal,
|
2010-12-02 15:49:45 +08:00
|
|
|
svalBuilder.makeZeroVal(U->getType()));
|
2009-09-12 06:07:28 +08:00
|
|
|
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-02 06:16:56 +08:00
|
|
|
state = state->assume(Constraint, false);
|
2009-06-19 06:57:13 +08:00
|
|
|
assert(state);
|
2009-09-09 23:08:12 +08:00
|
|
|
}
|
|
|
|
|
}
|
2009-04-22 06:38:05 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-22 16:38:13 +08:00
|
|
|
// Since the lvalue-to-rvalue conversion is explicit in the AST,
|
|
|
|
|
// we bind an l-value if the operator is prefix and an lvalue (in C++).
|
2011-01-10 11:22:57 +08:00
|
|
|
if (U->isLValue())
|
2010-12-22 16:38:13 +08:00
|
|
|
state = state->BindExpr(U, loc);
|
|
|
|
|
else
|
|
|
|
|
state = state->BindExpr(U, V2);
|
2008-04-30 05:04:26 +08:00
|
|
|
|
2009-09-09 23:08:12 +08:00
|
|
|
// Perform the store.
|
2010-12-22 16:38:13 +08:00
|
|
|
evalStore(Dst, NULL, U, *I2, state, loc, Result);
|
2008-02-07 09:08:27 +08:00
|
|
|
}
|
2008-04-22 07:43:38 +08:00
|
|
|
}
|
2008-02-07 09:08:27 +08:00
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitAsmStmt(const AsmStmt* A, ExplodedNode* Pred,
|
2009-12-16 19:27:52 +08:00
|
|
|
ExplodedNodeSet& Dst) {
|
2008-03-18 05:11:24 +08:00
|
|
|
VisitAsmStmtHelperOutputs(A, A->begin_outputs(), A->end_outputs(), Pred, Dst);
|
2009-09-09 23:08:12 +08:00
|
|
|
}
|
2008-03-18 05:11:24 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitAsmStmtHelperOutputs(const AsmStmt* A,
|
2010-07-20 14:22:24 +08:00
|
|
|
AsmStmt::const_outputs_iterator I,
|
|
|
|
|
AsmStmt::const_outputs_iterator E,
|
2009-12-16 19:27:52 +08:00
|
|
|
ExplodedNode* Pred, ExplodedNodeSet& Dst) {
|
2008-03-18 05:11:24 +08:00
|
|
|
if (I == E) {
|
|
|
|
|
VisitAsmStmtHelperInputs(A, A->begin_inputs(), A->end_inputs(), Pred, Dst);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2010-12-16 15:46:53 +08:00
|
|
|
Visit(*I, Pred, Tmp);
|
2008-03-18 05:11:24 +08:00
|
|
|
++I;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-12-16 19:27:52 +08:00
|
|
|
for (ExplodedNodeSet::iterator NI = Tmp.begin(), NE = Tmp.end();NI != NE;++NI)
|
2008-03-18 05:11:24 +08:00
|
|
|
VisitAsmStmtHelperOutputs(A, I, E, *NI, Dst);
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitAsmStmtHelperInputs(const AsmStmt* A,
|
2010-07-20 14:22:24 +08:00
|
|
|
AsmStmt::const_inputs_iterator I,
|
|
|
|
|
AsmStmt::const_inputs_iterator E,
|
2010-02-16 07:02:46 +08:00
|
|
|
ExplodedNode* Pred,
|
2009-12-16 19:27:52 +08:00
|
|
|
ExplodedNodeSet& Dst) {
|
2008-03-18 05:11:24 +08:00
|
|
|
if (I == E) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-03-18 05:11:24 +08:00
|
|
|
// We have processed both the inputs and the outputs. All of the outputs
|
2008-10-17 13:57:07 +08:00
|
|
|
// should evaluate to Locs. Nuke all of their values.
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-03-18 05:11:24 +08:00
|
|
|
// FIXME: Some day in the future it would be nice to allow a "plug-in"
|
|
|
|
|
// which interprets the inline asm and stores proper results in the
|
|
|
|
|
// outputs.
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-02-13 09:45:31 +08:00
|
|
|
const GRState* state = GetState(Pred);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
for (AsmStmt::const_outputs_iterator OI = A->begin_outputs(),
|
2008-03-18 05:11:24 +08:00
|
|
|
OE = A->end_outputs(); OI != OE; ++OI) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal X = state->getSVal(*OI);
|
2008-10-17 13:57:07 +08:00
|
|
|
assert (!isa<NonLoc>(X)); // Should be an Lval, or unknown, undef.
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-10-17 13:57:07 +08:00
|
|
|
if (isa<Loc>(X))
|
2009-06-20 01:10:32 +08:00
|
|
|
state = state->bindLoc(cast<Loc>(X), UnknownVal());
|
2008-03-18 05:11:24 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-02-13 09:45:31 +08:00
|
|
|
MakeNode(Dst, A, Pred, state);
|
2008-03-18 05:11:24 +08:00
|
|
|
return;
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp;
|
2008-03-18 05:11:24 +08:00
|
|
|
Visit(*I, Pred, Tmp);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-03-18 05:11:24 +08:00
|
|
|
++I;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-09-03 11:02:58 +08:00
|
|
|
for (ExplodedNodeSet::iterator NI = Tmp.begin(), NE = Tmp.end(); NI!=NE; ++NI)
|
2008-03-18 05:11:24 +08:00
|
|
|
VisitAsmStmtHelperInputs(A, I, E, *NI, Dst);
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitReturnStmt(const ReturnStmt *RS, ExplodedNode *Pred,
|
2009-11-06 10:24:13 +08:00
|
|
|
ExplodedNodeSet &Dst) {
|
|
|
|
|
ExplodedNodeSet Src;
|
2010-07-20 14:22:24 +08:00
|
|
|
if (const Expr *RetE = RS->getRetValue()) {
|
2010-03-23 16:09:29 +08:00
|
|
|
// Record the returned expression in the state. It will be used in
|
2011-01-11 10:34:45 +08:00
|
|
|
// processCallExit to bind the return value to the call expr.
|
2010-02-26 23:43:34 +08:00
|
|
|
{
|
2010-03-03 05:43:52 +08:00
|
|
|
static int Tag = 0;
|
|
|
|
|
SaveAndRestore<const void *> OldTag(Builder->Tag, &Tag);
|
2010-02-26 23:43:34 +08:00
|
|
|
const GRState *state = GetState(Pred);
|
|
|
|
|
state = state->set<ReturnExpr>(RetE);
|
|
|
|
|
Pred = Builder->generateNode(RetE, state, Pred);
|
|
|
|
|
}
|
|
|
|
|
// We may get a NULL Pred because we generated a cached node.
|
|
|
|
|
if (Pred)
|
|
|
|
|
Visit(RetE, Pred, Src);
|
2008-03-31 23:02:58 +08:00
|
|
|
}
|
2009-11-06 10:24:13 +08:00
|
|
|
else {
|
|
|
|
|
Src.Add(Pred);
|
|
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-06 10:24:13 +08:00
|
|
|
ExplodedNodeSet CheckedSet;
|
2010-08-04 15:10:57 +08:00
|
|
|
CheckerVisit(RS, CheckedSet, Src, PreVisitStmtCallback);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-06 10:24:13 +08:00
|
|
|
for (ExplodedNodeSet::iterator I = CheckedSet.begin(), E = CheckedSet.end();
|
|
|
|
|
I != E; ++I) {
|
2008-04-17 07:05:51 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
assert(Builder && "StmtNodeBuilder must be defined.");
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-06 10:24:13 +08:00
|
|
|
Pred = *I;
|
|
|
|
|
unsigned size = Dst.size();
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-06 10:24:13 +08:00
|
|
|
SaveAndRestore<bool> OldSink(Builder->BuildSinks);
|
|
|
|
|
SaveOr OldHasGen(Builder->HasGeneratedNode);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2010-12-02 05:57:22 +08:00
|
|
|
getTF().evalReturn(Dst, *this, *Builder, RS, Pred);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
|
|
|
|
// Handle the case where no nodes where generated.
|
|
|
|
|
if (!Builder->BuildSinks && Dst.size() == size &&
|
2009-11-06 10:24:13 +08:00
|
|
|
!Builder->HasGeneratedNode)
|
|
|
|
|
MakeNode(Dst, RS, Pred, GetState(Pred));
|
2008-11-21 08:27:44 +08:00
|
|
|
}
|
2008-03-31 23:02:58 +08:00
|
|
|
}
|
2008-03-25 08:34:37 +08:00
|
|
|
|
2008-04-16 07:06:53 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Transfer functions: Binary operators.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::VisitBinaryOperator(const BinaryOperator* B,
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNode* Pred,
|
2010-12-16 15:46:53 +08:00
|
|
|
ExplodedNodeSet& Dst) {
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp1;
|
2008-04-30 05:04:26 +08:00
|
|
|
Expr* LHS = B->getLHS()->IgnoreParens();
|
|
|
|
|
Expr* RHS = B->getRHS()->IgnoreParens();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-16 15:46:53 +08:00
|
|
|
Visit(LHS, Pred, Tmp1);
|
2009-11-24 16:24:26 +08:00
|
|
|
ExplodedNodeSet Tmp3;
|
|
|
|
|
|
2009-09-03 11:02:58 +08:00
|
|
|
for (ExplodedNodeSet::iterator I1=Tmp1.begin(), E1=Tmp1.end(); I1!=E1; ++I1) {
|
2010-04-20 12:53:09 +08:00
|
|
|
SVal LeftV = GetState(*I1)->getSVal(LHS);
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNodeSet Tmp2;
|
2008-04-30 05:04:26 +08:00
|
|
|
Visit(RHS, *I1, Tmp2);
|
2009-09-02 21:26:26 +08:00
|
|
|
|
|
|
|
|
ExplodedNodeSet CheckedSet;
|
2010-08-04 15:10:57 +08:00
|
|
|
CheckerVisit(B, CheckedSet, Tmp2, PreVisitStmtCallback);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-30 05:04:26 +08:00
|
|
|
// With both the LHS and RHS evaluated, process the operation itself.
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
|
for (ExplodedNodeSet::iterator I2=CheckedSet.begin(), E2=CheckedSet.end();
|
2009-09-02 21:26:26 +08:00
|
|
|
I2 != E2; ++I2) {
|
2008-02-07 06:50:25 +08:00
|
|
|
|
2009-09-12 06:07:28 +08:00
|
|
|
const GRState *state = GetState(*I2);
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal RightV = state->getSVal(RHS);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-09-12 06:07:28 +08:00
|
|
|
BinaryOperator::Opcode Op = B->getOpcode();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-08-25 19:45:40 +08:00
|
|
|
if (Op == BO_Assign) {
|
2009-10-21 19:42:22 +08:00
|
|
|
// EXPERIMENTAL: "Conjured" symbols.
|
|
|
|
|
// FIXME: Handle structs.
|
|
|
|
|
QualType T = RHS->getType();
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2010-07-29 08:28:33 +08:00
|
|
|
if (RightV.isUnknown() ||!getConstraintManager().canReasonAbout(RightV))
|
|
|
|
|
{
|
2009-10-21 19:42:22 +08:00
|
|
|
unsigned Count = Builder->getCurrentBlockCount();
|
2010-12-02 15:49:45 +08:00
|
|
|
RightV = svalBuilder.getConjuredSymbolVal(NULL, B->getRHS(), Count);
|
2008-01-24 03:59:44 +08:00
|
|
|
}
|
2009-10-30 15:19:39 +08:00
|
|
|
|
2010-12-16 15:46:53 +08:00
|
|
|
SVal ExprVal = B->isLValue() ? LeftV : RightV;
|
2009-10-30 15:19:39 +08:00
|
|
|
|
2009-10-21 19:42:22 +08:00
|
|
|
// Simulate the effects of a "store": bind the value of the RHS
|
|
|
|
|
// to the L-Value represented by the LHS.
|
2010-12-02 05:57:22 +08:00
|
|
|
evalStore(Tmp3, B, LHS, *I2, state->BindExpr(B, ExprVal), LeftV,RightV);
|
2009-10-21 19:42:22 +08:00
|
|
|
continue;
|
|
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-10-21 19:42:22 +08:00
|
|
|
if (!B->isAssignmentOp()) {
|
|
|
|
|
// Process non-assignments except commas or short-circuited
|
|
|
|
|
// logical expressions (LAnd and LOr).
|
2010-12-02 05:57:22 +08:00
|
|
|
SVal Result = evalBinOp(state, Op, LeftV, RightV, B->getType());
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-10-21 19:42:22 +08:00
|
|
|
if (Result.isUnknown()) {
|
2010-09-09 15:13:00 +08:00
|
|
|
MakeNode(Tmp3, B, *I2, state);
|
2009-10-21 19:42:22 +08:00
|
|
|
continue;
|
|
|
|
|
}
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-10-21 19:42:22 +08:00
|
|
|
state = state->BindExpr(B, Result);
|
2010-02-16 07:02:46 +08:00
|
|
|
|
2009-11-24 16:24:26 +08:00
|
|
|
MakeNode(Tmp3, B, *I2, state);
|
2009-10-21 19:42:22 +08:00
|
|
|
continue;
|
2008-04-30 05:04:26 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-30 05:04:26 +08:00
|
|
|
assert (B->isCompoundAssignmentOp());
|
|
|
|
|
|
2009-02-07 08:52:24 +08:00
|
|
|
switch (Op) {
|
|
|
|
|
default:
|
|
|
|
|
assert(0 && "Invalid opcode for compound assignment.");
|
2010-08-25 19:45:40 +08:00
|
|
|
case BO_MulAssign: Op = BO_Mul; break;
|
|
|
|
|
case BO_DivAssign: Op = BO_Div; break;
|
|
|
|
|
case BO_RemAssign: Op = BO_Rem; break;
|
|
|
|
|
case BO_AddAssign: Op = BO_Add; break;
|
|
|
|
|
case BO_SubAssign: Op = BO_Sub; break;
|
|
|
|
|
case BO_ShlAssign: Op = BO_Shl; break;
|
|
|
|
|
case BO_ShrAssign: Op = BO_Shr; break;
|
|
|
|
|
case BO_AndAssign: Op = BO_And; break;
|
|
|
|
|
case BO_XorAssign: Op = BO_Xor; break;
|
|
|
|
|
case BO_OrAssign: Op = BO_Or; break;
|
2008-10-28 07:02:39 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-04-30 05:04:26 +08:00
|
|
|
// Perform a load (the LHS). This performs the checks for
|
|
|
|
|
// null dereferences, and so on.
|
2010-01-19 17:25:53 +08:00
|
|
|
ExplodedNodeSet Tmp4;
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal location = state->getSVal(LHS);
|
2010-12-02 05:57:22 +08:00
|
|
|
evalLoad(Tmp4, LHS, *I2, state, location);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-01-19 17:25:53 +08:00
|
|
|
for (ExplodedNodeSet::iterator I4=Tmp4.begin(), E4=Tmp4.end(); I4!=E4;
|
|
|
|
|
++I4) {
|
|
|
|
|
state = GetState(*I4);
|
2010-02-09 00:18:51 +08:00
|
|
|
SVal V = state->getSVal(LHS);
|
2008-04-30 05:04:26 +08:00
|
|
|
|
|
|
|
|
// Get the computation type.
|
2009-07-22 05:03:30 +08:00
|
|
|
QualType CTy =
|
|
|
|
|
cast<CompoundAssignOperator>(B)->getComputationResultType();
|
2008-11-15 12:01:56 +08:00
|
|
|
CTy = getContext().getCanonicalType(CTy);
|
2009-03-28 09:22:36 +08:00
|
|
|
|
2009-07-22 05:03:30 +08:00
|
|
|
QualType CLHSTy =
|
|
|
|
|
cast<CompoundAssignOperator>(B)->getComputationLHSType();
|
|
|
|
|
CLHSTy = getContext().getCanonicalType(CLHSTy);
|
2009-03-28 09:22:36 +08:00
|
|
|
|
2008-11-15 12:01:56 +08:00
|
|
|
QualType LTy = getContext().getCanonicalType(LHS->getType());
|
|
|
|
|
QualType RTy = getContext().getCanonicalType(RHS->getType());
|
2009-03-28 09:22:36 +08:00
|
|
|
|
|
|
|
|
// Promote LHS.
|
2010-12-02 05:57:22 +08:00
|
|
|
V = svalBuilder.evalCast(V, CLHSTy, LTy);
|
2009-03-28 09:22:36 +08:00
|
|
|
|
2009-09-09 23:08:12 +08:00
|
|
|
// Compute the result of the operation.
|
2010-12-02 05:57:22 +08:00
|
|
|
SVal Result = svalBuilder.evalCast(evalBinOp(state, Op, V, RightV, CTy),
|
2010-02-04 12:56:43 +08:00
|
|
|
B->getType(), CTy);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-10-21 07:13:25 +08:00
|
|
|
// EXPERIMENTAL: "Conjured" symbols.
|
|
|
|
|
// FIXME: Handle structs.
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-11-15 12:01:56 +08:00
|
|
|
SVal LHSVal;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-29 08:28:33 +08:00
|
|
|
if (Result.isUnknown() ||
|
|
|
|
|
!getConstraintManager().canReasonAbout(Result)) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-10-21 07:13:25 +08:00
|
|
|
unsigned Count = Builder->getCurrentBlockCount();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-11-15 12:01:56 +08:00
|
|
|
// The symbolic value is actually for the type of the left-hand side
|
|
|
|
|
// expression, not the computation type, as this is the value the
|
|
|
|
|
// LValue on the LHS will bind to.
|
2010-12-02 15:49:45 +08:00
|
|
|
LHSVal = svalBuilder.getConjuredSymbolVal(NULL, B->getRHS(), LTy, Count);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-11-23 13:52:28 +08:00
|
|
|
// However, we need to convert the symbol to the computation type.
|
2010-12-02 05:57:22 +08:00
|
|
|
Result = svalBuilder.evalCast(LHSVal, CTy, LTy);
|
2008-10-21 07:13:25 +08:00
|
|
|
}
|
2008-11-15 12:01:56 +08:00
|
|
|
else {
|
|
|
|
|
// The left-hand side may bind to a different value then the
|
|
|
|
|
// computation type.
|
2010-12-02 05:57:22 +08:00
|
|
|
LHSVal = svalBuilder.evalCast(Result, LTy, CTy);
|
2008-11-15 12:01:56 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-01-10 11:54:19 +08:00
|
|
|
// In C++, assignment and compound assignment operators return an
|
|
|
|
|
// lvalue.
|
|
|
|
|
if (B->isLValue())
|
|
|
|
|
state = state->BindExpr(B, location);
|
|
|
|
|
else
|
|
|
|
|
state = state->BindExpr(B, Result);
|
|
|
|
|
|
|
|
|
|
evalStore(Tmp3, B, LHS, *I4, state, location, LHSVal);
|
2008-01-24 03:59:44 +08:00
|
|
|
}
|
2008-01-16 08:53:15 +08:00
|
|
|
}
|
2008-01-16 07:55:06 +08:00
|
|
|
}
|
2009-11-24 16:24:26 +08:00
|
|
|
|
2010-08-04 15:10:57 +08:00
|
|
|
CheckerVisit(B, Dst, Tmp3, PostVisitStmtCallback);
|
2008-01-16 07:55:06 +08:00
|
|
|
}
|
|
|
|
|
|
2009-10-31 01:47:32 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Checker registration/lookup.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
Checker *ExprEngine::lookupChecker(void *tag) const {
|
2009-11-10 09:17:45 +08:00
|
|
|
CheckerMap::const_iterator I = CheckerM.find(tag);
|
2009-10-31 01:47:32 +08:00
|
|
|
return (I == CheckerM.end()) ? NULL : Checkers[I->second].second;
|
|
|
|
|
}
|
|
|
|
|
|
2008-07-18 05:27:31 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
2008-02-15 06:36:46 +08:00
|
|
|
// Visualization.
|
2008-01-17 02:18:48 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2008-01-17 05:46:15 +08:00
|
|
|
#ifndef NDEBUG
|
2010-12-23 02:53:44 +08:00
|
|
|
static ExprEngine* GraphPrintCheckerState;
|
2008-03-08 04:57:30 +08:00
|
|
|
static SourceManager* GraphPrintSourceManager;
|
2008-01-31 07:24:39 +08:00
|
|
|
|
2008-01-17 05:46:15 +08:00
|
|
|
namespace llvm {
|
|
|
|
|
template<>
|
2009-12-01 00:08:24 +08:00
|
|
|
struct DOTGraphTraits<ExplodedNode*> :
|
2008-01-17 05:46:15 +08:00
|
|
|
public DefaultDOTGraphTraits {
|
2009-11-30 22:16:05 +08:00
|
|
|
|
|
|
|
|
DOTGraphTraits (bool isSimple=false) : DefaultDOTGraphTraits(isSimple) {}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
// FIXME: Since we do not cache error nodes in ExprEngine now, this does not
|
2009-10-29 10:09:30 +08:00
|
|
|
// work.
|
2009-08-06 20:48:26 +08:00
|
|
|
static std::string getNodeAttributes(const ExplodedNode* N, void*) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-12 04:16:36 +08:00
|
|
|
#if 0
|
|
|
|
|
// FIXME: Replace with a general scheme to tell if the node is
|
|
|
|
|
// an error node.
|
2008-02-15 06:54:53 +08:00
|
|
|
if (GraphPrintCheckerState->isImplicitNullDeref(N) ||
|
2008-02-19 08:22:37 +08:00
|
|
|
GraphPrintCheckerState->isExplicitNullDeref(N) ||
|
2008-02-28 17:25:22 +08:00
|
|
|
GraphPrintCheckerState->isUndefDeref(N) ||
|
|
|
|
|
GraphPrintCheckerState->isUndefStore(N) ||
|
|
|
|
|
GraphPrintCheckerState->isUndefControlFlow(N) ||
|
2008-03-01 07:14:48 +08:00
|
|
|
GraphPrintCheckerState->isUndefResult(N) ||
|
2008-03-01 07:53:11 +08:00
|
|
|
GraphPrintCheckerState->isBadCall(N) ||
|
|
|
|
|
GraphPrintCheckerState->isUndefArg(N))
|
2008-02-15 06:54:53 +08:00
|
|
|
return "color=\"red\",style=\"filled\"";
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-29 04:32:03 +08:00
|
|
|
if (GraphPrintCheckerState->isNoReturnCall(N))
|
|
|
|
|
return "color=\"blue\",style=\"filled\"";
|
2009-11-24 15:06:39 +08:00
|
|
|
#endif
|
2008-02-15 06:54:53 +08:00
|
|
|
return "";
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-30 22:16:05 +08:00
|
|
|
static std::string getNodeLabel(const ExplodedNode* N, void*){
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-06-25 07:06:47 +08:00
|
|
|
std::string sbuf;
|
|
|
|
|
llvm::raw_string_ostream Out(sbuf);
|
2008-01-24 06:30:44 +08:00
|
|
|
|
|
|
|
|
// Program Location.
|
2008-01-17 05:46:15 +08:00
|
|
|
ProgramPoint Loc = N->getLocation();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-17 05:46:15 +08:00
|
|
|
switch (Loc.getKind()) {
|
|
|
|
|
case ProgramPoint::BlockEntranceKind:
|
2009-09-09 23:08:12 +08:00
|
|
|
Out << "Block Entrance: B"
|
2008-01-17 05:46:15 +08:00
|
|
|
<< cast<BlockEntrance>(Loc).getBlock()->getBlockID();
|
|
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-17 05:46:15 +08:00
|
|
|
case ProgramPoint::BlockExitKind:
|
|
|
|
|
assert (false);
|
|
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-02-26 03:01:53 +08:00
|
|
|
case ProgramPoint::CallEnterKind:
|
|
|
|
|
Out << "CallEnter";
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case ProgramPoint::CallExitKind:
|
|
|
|
|
Out << "CallExit";
|
|
|
|
|
break;
|
|
|
|
|
|
2008-01-17 05:46:15 +08:00
|
|
|
default: {
|
2009-07-23 06:35:28 +08:00
|
|
|
if (StmtPoint *L = dyn_cast<StmtPoint>(&Loc)) {
|
|
|
|
|
const Stmt* S = L->getStmt();
|
2008-12-17 06:02:27 +08:00
|
|
|
SourceLocation SLoc = S->getLocStart();
|
|
|
|
|
|
2009-09-09 23:08:12 +08:00
|
|
|
Out << S->getStmtClassName() << ' ' << (void*) S << ' ';
|
2009-06-30 09:26:17 +08:00
|
|
|
LangOptions LO; // FIXME.
|
|
|
|
|
S->printPretty(Out, 0, PrintingPolicy(LO));
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
|
if (SLoc.isFileID()) {
|
2008-12-17 06:02:27 +08:00
|
|
|
Out << "\\lline="
|
2009-02-04 08:55:58 +08:00
|
|
|
<< GraphPrintSourceManager->getInstantiationLineNumber(SLoc)
|
|
|
|
|
<< " col="
|
|
|
|
|
<< GraphPrintSourceManager->getInstantiationColumnNumber(SLoc)
|
|
|
|
|
<< "\\l";
|
2008-12-17 06:02:27 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-23 06:35:28 +08:00
|
|
|
if (isa<PreStmt>(Loc))
|
2009-09-09 23:08:12 +08:00
|
|
|
Out << "\\lPreStmt\\l;";
|
2009-07-23 06:35:28 +08:00
|
|
|
else if (isa<PostLoad>(Loc))
|
2009-05-08 02:27:16 +08:00
|
|
|
Out << "\\lPostLoad\\l;";
|
|
|
|
|
else if (isa<PostStore>(Loc))
|
|
|
|
|
Out << "\\lPostStore\\l";
|
|
|
|
|
else if (isa<PostLValue>(Loc))
|
|
|
|
|
Out << "\\lPostLValue\\l";
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-12 04:16:36 +08:00
|
|
|
#if 0
|
|
|
|
|
// FIXME: Replace with a general scheme to determine
|
|
|
|
|
// the name of the check.
|
2008-12-17 06:02:27 +08:00
|
|
|
if (GraphPrintCheckerState->isImplicitNullDeref(N))
|
|
|
|
|
Out << "\\|Implicit-Null Dereference.\\l";
|
|
|
|
|
else if (GraphPrintCheckerState->isExplicitNullDeref(N))
|
|
|
|
|
Out << "\\|Explicit-Null Dereference.\\l";
|
|
|
|
|
else if (GraphPrintCheckerState->isUndefDeref(N))
|
|
|
|
|
Out << "\\|Dereference of undefialied value.\\l";
|
|
|
|
|
else if (GraphPrintCheckerState->isUndefStore(N))
|
|
|
|
|
Out << "\\|Store to Undefined Loc.";
|
|
|
|
|
else if (GraphPrintCheckerState->isUndefResult(N))
|
|
|
|
|
Out << "\\|Result of operation is undefined.";
|
|
|
|
|
else if (GraphPrintCheckerState->isNoReturnCall(N))
|
|
|
|
|
Out << "\\|Call to function marked \"noreturn\".";
|
|
|
|
|
else if (GraphPrintCheckerState->isBadCall(N))
|
|
|
|
|
Out << "\\|Call to NULL/Undefined.";
|
|
|
|
|
else if (GraphPrintCheckerState->isUndefArg(N))
|
|
|
|
|
Out << "\\|Argument in call is undefined";
|
2009-11-12 04:16:36 +08:00
|
|
|
#endif
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-12-17 06:02:27 +08:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2008-01-17 05:46:15 +08:00
|
|
|
const BlockEdge& E = cast<BlockEdge>(Loc);
|
|
|
|
|
Out << "Edge: (B" << E.getSrc()->getBlockID() << ", B"
|
|
|
|
|
<< E.getDst()->getBlockID() << ')';
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
if (const Stmt* T = E.getSrc()->getTerminator()) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-03-08 04:57:30 +08:00
|
|
|
SourceLocation SLoc = T->getLocStart();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-31 07:03:39 +08:00
|
|
|
Out << "\\|Terminator: ";
|
2009-06-30 09:26:17 +08:00
|
|
|
LangOptions LO; // FIXME.
|
|
|
|
|
E.getSrc()->printTerminator(Out, LO);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-03-09 11:30:59 +08:00
|
|
|
if (SLoc.isFileID()) {
|
|
|
|
|
Out << "\\lline="
|
2009-02-04 08:55:58 +08:00
|
|
|
<< GraphPrintSourceManager->getInstantiationLineNumber(SLoc)
|
|
|
|
|
<< " col="
|
|
|
|
|
<< GraphPrintSourceManager->getInstantiationColumnNumber(SLoc);
|
2008-03-09 11:30:59 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-14 07:08:21 +08:00
|
|
|
if (isa<SwitchStmt>(T)) {
|
2010-07-20 14:22:24 +08:00
|
|
|
const Stmt* Label = E.getDst()->getLabel();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
|
if (Label) {
|
2010-07-20 14:22:24 +08:00
|
|
|
if (const CaseStmt* C = dyn_cast<CaseStmt>(Label)) {
|
2008-02-14 07:08:21 +08:00
|
|
|
Out << "\\lcase ";
|
2009-06-30 09:26:17 +08:00
|
|
|
LangOptions LO; // FIXME.
|
|
|
|
|
C->getLHS()->printPretty(Out, 0, PrintingPolicy(LO));
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-20 14:22:24 +08:00
|
|
|
if (const Stmt* RHS = C->getRHS()) {
|
2008-02-14 07:08:21 +08:00
|
|
|
Out << " .. ";
|
2009-06-30 09:26:17 +08:00
|
|
|
RHS->printPretty(Out, 0, PrintingPolicy(LO));
|
2008-02-14 07:08:21 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-14 07:08:21 +08:00
|
|
|
Out << ":";
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
assert (isa<DefaultStmt>(Label));
|
|
|
|
|
Out << "\\ldefault:";
|
|
|
|
|
}
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
else
|
2008-02-14 07:08:21 +08:00
|
|
|
Out << "\\l(implicit) default:";
|
|
|
|
|
}
|
|
|
|
|
else if (isa<IndirectGotoStmt>(T)) {
|
2008-01-31 07:03:39 +08:00
|
|
|
// FIXME
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
Out << "\\lCondition: ";
|
|
|
|
|
if (*E.getSrc()->succ_begin() == E.getDst())
|
|
|
|
|
Out << "true";
|
|
|
|
|
else
|
2009-09-09 23:08:12 +08:00
|
|
|
Out << "false";
|
2008-01-31 07:03:39 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-31 07:03:39 +08:00
|
|
|
Out << "\\l";
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-11-12 04:16:36 +08:00
|
|
|
#if 0
|
|
|
|
|
// FIXME: Replace with a general scheme to determine
|
|
|
|
|
// the name of the check.
|
2008-02-28 17:25:22 +08:00
|
|
|
if (GraphPrintCheckerState->isUndefControlFlow(N)) {
|
|
|
|
|
Out << "\\|Control-flow based on\\lUndefined value.\\l";
|
2008-01-31 07:24:39 +08:00
|
|
|
}
|
2009-11-12 04:16:36 +08:00
|
|
|
#endif
|
2008-01-17 05:46:15 +08:00
|
|
|
}
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-06-18 09:23:53 +08:00
|
|
|
const GRState *state = N->getState();
|
2010-12-03 14:52:26 +08:00
|
|
|
Out << "\\|StateID: " << (void*) state
|
|
|
|
|
<< " NodeID: " << (void*) N << "\\|";
|
2010-03-05 12:45:36 +08:00
|
|
|
state->printDOT(Out, *N->getLocationContext()->getCFG());
|
2008-01-24 06:30:44 +08:00
|
|
|
Out << "\\l";
|
2008-01-17 05:46:15 +08:00
|
|
|
return Out.str();
|
|
|
|
|
}
|
|
|
|
|
};
|
2009-09-09 23:08:12 +08:00
|
|
|
} // end llvm namespace
|
2008-01-17 05:46:15 +08:00
|
|
|
#endif
|
|
|
|
|
|
2008-03-08 06:58:01 +08:00
|
|
|
#ifndef NDEBUG
|
2008-03-13 01:18:20 +08:00
|
|
|
template <typename ITERATOR>
|
2009-08-06 20:48:26 +08:00
|
|
|
ExplodedNode* GetGraphNode(ITERATOR I) { return *I; }
|
2008-03-13 01:18:20 +08:00
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
template <> ExplodedNode*
|
|
|
|
|
GetGraphNode<llvm::DenseMap<ExplodedNode*, Expr*>::iterator>
|
|
|
|
|
(llvm::DenseMap<ExplodedNode*, Expr*>::iterator I) {
|
2008-03-13 01:18:20 +08:00
|
|
|
return I->first;
|
|
|
|
|
}
|
2008-03-08 06:58:01 +08:00
|
|
|
#endif
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::ViewGraph(bool trim) {
|
2009-09-09 23:08:12 +08:00
|
|
|
#ifndef NDEBUG
|
2008-03-08 06:58:01 +08:00
|
|
|
if (trim) {
|
2009-08-06 20:48:26 +08:00
|
|
|
std::vector<ExplodedNode*> Src;
|
2009-03-11 09:41:22 +08:00
|
|
|
|
|
|
|
|
// Flush any outstanding reports to make sure we cover all the nodes.
|
|
|
|
|
// This does not cause them to get displayed.
|
|
|
|
|
for (BugReporter::iterator I=BR.begin(), E=BR.end(); I!=E; ++I)
|
|
|
|
|
const_cast<BugType*>(*I)->FlushReports(BR);
|
|
|
|
|
|
|
|
|
|
// Iterate through the reports and get their nodes.
|
|
|
|
|
for (BugReporter::iterator I=BR.begin(), E=BR.end(); I!=E; ++I) {
|
2009-09-03 11:02:58 +08:00
|
|
|
for (BugType::const_iterator I2=(*I)->begin(), E2=(*I)->end();
|
2009-09-09 23:08:12 +08:00
|
|
|
I2!=E2; ++I2) {
|
2009-03-11 09:41:22 +08:00
|
|
|
const BugReportEquivClass& EQ = *I2;
|
|
|
|
|
const BugReport &R = **EQ.begin();
|
2010-09-16 11:50:38 +08:00
|
|
|
ExplodedNode *N = const_cast<ExplodedNode*>(R.getErrorNode());
|
2009-03-11 09:41:22 +08:00
|
|
|
if (N) Src.push_back(N);
|
|
|
|
|
}
|
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-03-13 01:18:20 +08:00
|
|
|
ViewGraph(&Src[0], &Src[0]+Src.size());
|
2008-03-08 06:58:01 +08:00
|
|
|
}
|
2008-03-12 02:25:33 +08:00
|
|
|
else {
|
|
|
|
|
GraphPrintCheckerState = this;
|
|
|
|
|
GraphPrintSourceManager = &getContext().getSourceManager();
|
2008-08-14 05:24:49 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
llvm::ViewGraph(*G.roots_begin(), "ExprEngine");
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-03-12 02:25:33 +08:00
|
|
|
GraphPrintCheckerState = NULL;
|
|
|
|
|
GraphPrintSourceManager = NULL;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void ExprEngine::ViewGraph(ExplodedNode** Beg, ExplodedNode** End) {
|
2008-03-12 02:25:33 +08:00
|
|
|
#ifndef NDEBUG
|
|
|
|
|
GraphPrintCheckerState = this;
|
|
|
|
|
GraphPrintSourceManager = &getContext().getSourceManager();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-06 20:48:26 +08:00
|
|
|
std::auto_ptr<ExplodedGraph> TrimmedG(G.Trim(Beg, End).first);
|
2008-03-12 02:25:33 +08:00
|
|
|
|
2009-02-05 07:49:09 +08:00
|
|
|
if (!TrimmedG.get())
|
2009-08-23 20:08:50 +08:00
|
|
|
llvm::errs() << "warning: Trimmed ExplodedGraph is empty.\n";
|
2009-02-05 07:49:09 +08:00
|
|
|
else
|
2010-12-23 02:53:44 +08:00
|
|
|
llvm::ViewGraph(*TrimmedG->roots_begin(), "TrimmedExprEngine");
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-31 07:24:39 +08:00
|
|
|
GraphPrintCheckerState = NULL;
|
2008-03-08 04:57:30 +08:00
|
|
|
GraphPrintSourceManager = NULL;
|
2008-02-15 06:36:46 +08:00
|
|
|
#endif
|
2008-01-17 02:18:48 +08:00
|
|
|
}
|