2010-12-23 02:53:44 +08:00
|
|
|
//==- CoreEngine.cpp - Path-Sensitive Dataflow Engine ------------*- C++ -*-//
|
2009-09-09 23:08:12 +08:00
|
|
|
//
|
2008-01-15 07:24:37 +08:00
|
|
|
// The LLVM Compiler Infrastructure
|
|
|
|
//
|
|
|
|
// This file is distributed under the University of Illinois Open Source
|
|
|
|
// License. See LICENSE.TXT for details.
|
|
|
|
//
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
//
|
|
|
|
// This file defines a generic engine for intraprocedural, path-sensitive,
|
|
|
|
// dataflow analysis via graph reachability engine.
|
|
|
|
//
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
2011-02-10 09:03:03 +08:00
|
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
|
|
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h"
|
|
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
|
2010-07-22 21:52:13 +08:00
|
|
|
#include "clang/Index/TranslationUnit.h"
|
2008-01-15 07:24:37 +08:00
|
|
|
#include "clang/AST/Expr.h"
|
2011-10-11 06:36:31 +08:00
|
|
|
#include "clang/AST/StmtCXX.h"
|
2008-01-15 07:24:37 +08:00
|
|
|
#include "llvm/Support/Casting.h"
|
|
|
|
#include "llvm/ADT/DenseMap.h"
|
|
|
|
using namespace clang;
|
2010-12-23 15:20:52 +08:00
|
|
|
using namespace ento;
|
2008-01-15 07:24:37 +08:00
|
|
|
|
2008-12-17 06:13:33 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
// Worklist classes for exploration of reachable states.
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
WorkList::Visitor::~Visitor() {}
|
2010-11-13 13:04:49 +08:00
|
|
|
|
2008-01-15 07:24:37 +08:00
|
|
|
namespace {
|
2010-12-23 02:53:44 +08:00
|
|
|
class DFS : public WorkList {
|
2011-07-23 18:55:15 +08:00
|
|
|
SmallVector<WorkListUnit,20> Stack;
|
2008-01-15 07:24:37 +08:00
|
|
|
public:
|
|
|
|
virtual bool hasWork() const {
|
|
|
|
return !Stack.empty();
|
|
|
|
}
|
|
|
|
|
2011-01-11 10:34:50 +08:00
|
|
|
virtual void enqueue(const WorkListUnit& U) {
|
2008-01-15 07:24:37 +08:00
|
|
|
Stack.push_back(U);
|
|
|
|
}
|
|
|
|
|
2011-01-11 10:34:50 +08:00
|
|
|
virtual WorkListUnit dequeue() {
|
2008-01-15 07:24:37 +08:00
|
|
|
assert (!Stack.empty());
|
2010-12-23 02:53:44 +08:00
|
|
|
const WorkListUnit& U = Stack.back();
|
2008-01-15 07:24:37 +08:00
|
|
|
Stack.pop_back(); // This technically "invalidates" U, but we are fine.
|
|
|
|
return U;
|
|
|
|
}
|
2010-11-13 13:04:49 +08:00
|
|
|
|
2011-01-11 10:34:50 +08:00
|
|
|
virtual bool visitItemsInWorkList(Visitor &V) {
|
2011-07-23 18:55:15 +08:00
|
|
|
for (SmallVectorImpl<WorkListUnit>::iterator
|
2010-11-13 13:04:49 +08:00
|
|
|
I = Stack.begin(), E = Stack.end(); I != E; ++I) {
|
2011-01-11 10:34:50 +08:00
|
|
|
if (V.visit(*I))
|
2010-11-13 13:04:49 +08:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
2008-01-15 07:24:37 +08:00
|
|
|
};
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
class BFS : public WorkList {
|
|
|
|
std::deque<WorkListUnit> Queue;
|
2009-05-02 06:18:46 +08:00
|
|
|
public:
|
|
|
|
virtual bool hasWork() const {
|
|
|
|
return !Queue.empty();
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-01-11 10:34:50 +08:00
|
|
|
virtual void enqueue(const WorkListUnit& U) {
|
2010-11-13 13:04:49 +08:00
|
|
|
Queue.push_front(U);
|
2009-05-02 06:18:46 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-01-11 10:34:50 +08:00
|
|
|
virtual WorkListUnit dequeue() {
|
2010-12-23 02:53:44 +08:00
|
|
|
WorkListUnit U = Queue.front();
|
2010-11-13 13:04:49 +08:00
|
|
|
Queue.pop_front();
|
2009-05-02 06:18:46 +08:00
|
|
|
return U;
|
|
|
|
}
|
2010-11-13 13:04:49 +08:00
|
|
|
|
2011-01-11 10:34:50 +08:00
|
|
|
virtual bool visitItemsInWorkList(Visitor &V) {
|
2010-12-23 02:53:44 +08:00
|
|
|
for (std::deque<WorkListUnit>::iterator
|
2010-11-13 13:04:49 +08:00
|
|
|
I = Queue.begin(), E = Queue.end(); I != E; ++I) {
|
2011-01-11 10:34:50 +08:00
|
|
|
if (V.visit(*I))
|
2010-11-13 13:04:49 +08:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
2009-05-02 06:18:46 +08:00
|
|
|
};
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-15 07:24:37 +08:00
|
|
|
} // end anonymous namespace
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
// Place the dstor for WorkList here because it contains virtual member
|
2008-01-17 02:18:48 +08:00
|
|
|
// functions, and we the code for the dstor generated in one compilation unit.
|
2010-12-23 02:53:44 +08:00
|
|
|
WorkList::~WorkList() {}
|
2008-01-17 02:18:48 +08:00
|
|
|
|
2011-01-11 10:34:50 +08:00
|
|
|
WorkList *WorkList::makeDFS() { return new DFS(); }
|
|
|
|
WorkList *WorkList::makeBFS() { return new BFS(); }
|
2008-01-15 07:24:37 +08:00
|
|
|
|
2008-12-17 06:13:33 +08:00
|
|
|
namespace {
|
2010-12-23 02:53:44 +08:00
|
|
|
class BFSBlockDFSContents : public WorkList {
|
|
|
|
std::deque<WorkListUnit> Queue;
|
2011-07-23 18:55:15 +08:00
|
|
|
SmallVector<WorkListUnit,20> Stack;
|
2008-12-17 06:13:33 +08:00
|
|
|
public:
|
|
|
|
virtual bool hasWork() const {
|
|
|
|
return !Queue.empty() || !Stack.empty();
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-01-11 10:34:50 +08:00
|
|
|
virtual void enqueue(const WorkListUnit& U) {
|
2008-12-17 06:13:33 +08:00
|
|
|
if (isa<BlockEntrance>(U.getNode()->getLocation()))
|
2010-11-13 13:04:49 +08:00
|
|
|
Queue.push_front(U);
|
2008-12-17 06:13:33 +08:00
|
|
|
else
|
|
|
|
Stack.push_back(U);
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-01-11 10:34:50 +08:00
|
|
|
virtual WorkListUnit dequeue() {
|
2008-12-17 06:13:33 +08:00
|
|
|
// Process all basic blocks to completion.
|
|
|
|
if (!Stack.empty()) {
|
2010-12-23 02:53:44 +08:00
|
|
|
const WorkListUnit& U = Stack.back();
|
2008-12-17 06:13:33 +08:00
|
|
|
Stack.pop_back(); // This technically "invalidates" U, but we are fine.
|
|
|
|
return U;
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-12-17 06:13:33 +08:00
|
|
|
assert(!Queue.empty());
|
|
|
|
// Don't use const reference. The subsequent pop_back() might make it
|
|
|
|
// unsafe.
|
2010-12-23 02:53:44 +08:00
|
|
|
WorkListUnit U = Queue.front();
|
2010-11-13 13:04:49 +08:00
|
|
|
Queue.pop_front();
|
2009-09-09 23:08:12 +08:00
|
|
|
return U;
|
2008-12-17 06:13:33 +08:00
|
|
|
}
|
2011-01-11 10:34:50 +08:00
|
|
|
virtual bool visitItemsInWorkList(Visitor &V) {
|
2011-07-23 18:55:15 +08:00
|
|
|
for (SmallVectorImpl<WorkListUnit>::iterator
|
2010-11-13 13:04:49 +08:00
|
|
|
I = Stack.begin(), E = Stack.end(); I != E; ++I) {
|
2011-01-11 10:34:50 +08:00
|
|
|
if (V.visit(*I))
|
2010-11-13 13:04:49 +08:00
|
|
|
return true;
|
|
|
|
}
|
2010-12-23 02:53:44 +08:00
|
|
|
for (std::deque<WorkListUnit>::iterator
|
2010-11-13 13:04:49 +08:00
|
|
|
I = Queue.begin(), E = Queue.end(); I != E; ++I) {
|
2011-01-11 10:34:50 +08:00
|
|
|
if (V.visit(*I))
|
2010-11-13 13:04:49 +08:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2008-12-17 06:13:33 +08:00
|
|
|
};
|
|
|
|
} // end anonymous namespace
|
|
|
|
|
2011-01-11 10:34:50 +08:00
|
|
|
WorkList* WorkList::makeBFSBlockDFSContents() {
|
2008-12-17 06:13:33 +08:00
|
|
|
return new BFSBlockDFSContents();
|
|
|
|
}
|
|
|
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
// Core analysis engine.
|
|
|
|
//===----------------------------------------------------------------------===//
|
2010-02-26 03:01:53 +08:00
|
|
|
|
2008-01-15 07:24:37 +08:00
|
|
|
/// ExecuteWorkList - Run the worklist algorithm for a maximum number of steps.
|
2010-12-23 02:53:44 +08:00
|
|
|
bool CoreEngine::ExecuteWorkList(const LocationContext *L, unsigned Steps,
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef InitState) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-15 07:24:37 +08:00
|
|
|
if (G->num_roots() == 0) { // Initialize the analysis by constructing
|
|
|
|
// the root if none exists.
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-08-13 07:37:29 +08:00
|
|
|
const CFGBlock *Entry = &(L->getCFG()->getEntry());
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
assert (Entry->empty() &&
|
2008-01-15 07:24:37 +08:00
|
|
|
"Entry block must be empty.");
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-15 07:24:37 +08:00
|
|
|
assert (Entry->succ_size() == 1 &&
|
|
|
|
"Entry block must have 1 successor.");
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-15 07:24:37 +08:00
|
|
|
// Get the solitary successor.
|
2011-08-13 07:37:29 +08:00
|
|
|
const CFGBlock *Succ = *(Entry->succ_begin());
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-15 07:24:37 +08:00
|
|
|
// Construct an edge representing the
|
|
|
|
// starting location in the function.
|
2009-08-15 11:17:38 +08:00
|
|
|
BlockEdge StartLoc(Entry, Succ, L);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-13 02:08:17 +08:00
|
|
|
// Set the current block counter to being empty.
|
|
|
|
WList->setBlockCounter(BCounterFactory.GetEmptyCounter());
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-07-22 21:52:13 +08:00
|
|
|
if (!InitState)
|
|
|
|
// Generate the root.
|
2011-01-11 12:49:40 +08:00
|
|
|
generateNode(StartLoc, SubEng.getInitialState(L), 0);
|
2010-07-22 21:52:13 +08:00
|
|
|
else
|
2010-12-21 05:19:09 +08:00
|
|
|
generateNode(StartLoc, InitState, 0);
|
2008-01-15 07:24:37 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-09-30 07:48:13 +08:00
|
|
|
// Check if we have a steps limit
|
|
|
|
bool UnlimitedSteps = Steps == 0;
|
|
|
|
|
|
|
|
while (WList->hasWork()) {
|
|
|
|
if (!UnlimitedSteps) {
|
|
|
|
if (Steps == 0)
|
|
|
|
break;
|
|
|
|
--Steps;
|
|
|
|
}
|
|
|
|
|
2011-01-11 10:34:50 +08:00
|
|
|
const WorkListUnit& WU = WList->dequeue();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-13 02:08:17 +08:00
|
|
|
// Set the current block counter.
|
|
|
|
WList->setBlockCounter(WU.getBlockCounter());
|
|
|
|
|
|
|
|
// Retrieve the node.
|
2011-08-13 07:37:29 +08:00
|
|
|
ExplodedNode *Node = WU.getNode();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-15 07:24:37 +08:00
|
|
|
// Dispatch on the location type.
|
|
|
|
switch (Node->getLocation().getKind()) {
|
2008-12-17 06:13:33 +08:00
|
|
|
case ProgramPoint::BlockEdgeKind:
|
2008-01-15 07:24:37 +08:00
|
|
|
HandleBlockEdge(cast<BlockEdge>(Node->getLocation()), Node);
|
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-15 07:24:37 +08:00
|
|
|
case ProgramPoint::BlockEntranceKind:
|
|
|
|
HandleBlockEntrance(cast<BlockEntrance>(Node->getLocation()), Node);
|
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-15 07:24:37 +08:00
|
|
|
case ProgramPoint::BlockExitKind:
|
2008-01-15 08:24:08 +08:00
|
|
|
assert (false && "BlockExit location never occur in forward analysis.");
|
2008-01-15 07:24:37 +08:00
|
|
|
break;
|
2008-12-17 06:13:33 +08:00
|
|
|
|
2010-02-26 03:01:53 +08:00
|
|
|
case ProgramPoint::CallEnterKind:
|
2012-01-07 09:03:17 +08:00
|
|
|
SubEng.processCallEnter(cast<CallEnter>(Node->getLocation()), Node);
|
2010-02-26 03:01:53 +08:00
|
|
|
break;
|
|
|
|
|
|
|
|
case ProgramPoint::CallExitKind:
|
2012-01-07 09:03:17 +08:00
|
|
|
SubEng.processCallExit(Node);
|
2010-02-26 03:01:53 +08:00
|
|
|
break;
|
|
|
|
|
2008-12-17 06:13:33 +08:00
|
|
|
default:
|
2010-11-16 15:52:17 +08:00
|
|
|
assert(isa<PostStmt>(Node->getLocation()) ||
|
|
|
|
isa<PostInitializer>(Node->getLocation()));
|
|
|
|
HandlePostStmt(WU.getBlock(), WU.getIndex(), Node);
|
2009-09-09 23:08:12 +08:00
|
|
|
break;
|
2008-01-15 07:24:37 +08:00
|
|
|
}
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-01-11 10:34:45 +08:00
|
|
|
SubEng.processEndWorklist(hasWorkRemaining());
|
2008-01-15 07:24:37 +08:00
|
|
|
return WList->hasWork();
|
|
|
|
}
|
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
void CoreEngine::ExecuteWorkListWithInitialState(const LocationContext *L,
|
2011-08-16 06:09:50 +08:00
|
|
|
unsigned Steps,
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef InitState,
|
2011-08-16 06:09:50 +08:00
|
|
|
ExplodedNodeSet &Dst) {
|
2010-07-22 21:52:13 +08:00
|
|
|
ExecuteWorkList(L, Steps, InitState);
|
2011-07-23 18:55:15 +08:00
|
|
|
for (SmallVectorImpl<ExplodedNode*>::iterator I = G->EndNodes.begin(),
|
2010-07-22 21:52:13 +08:00
|
|
|
E = G->EndNodes.end(); I != E; ++I) {
|
|
|
|
Dst.Add(*I);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-08-13 07:37:29 +08:00
|
|
|
void CoreEngine::HandleBlockEdge(const BlockEdge &L, ExplodedNode *Pred) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-08-13 07:37:29 +08:00
|
|
|
const CFGBlock *Blk = L.getDst();
|
2011-10-27 05:06:22 +08:00
|
|
|
NodeBuilderContext BuilderCtx(*this, Blk, Pred);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
// Check if we are entering the EXIT block.
|
2009-12-23 16:54:57 +08:00
|
|
|
if (Blk == &(L.getLocationContext()->getCFG()->getExit())) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-12-23 16:54:57 +08:00
|
|
|
assert (L.getLocationContext()->getCFG()->getExit().size() == 0
|
2008-01-29 08:33:40 +08:00
|
|
|
&& "EXIT block cannot contain Stmts.");
|
2008-01-15 07:24:37 +08:00
|
|
|
|
2008-04-12 06:03:04 +08:00
|
|
|
// Process the final state transition.
|
2011-10-26 03:56:48 +08:00
|
|
|
SubEng.processEndOfFunction(BuilderCtx);
|
2008-01-15 07:24:37 +08:00
|
|
|
|
|
|
|
// This path is done. Don't enqueue any more nodes.
|
|
|
|
return;
|
|
|
|
}
|
2008-03-01 04:27:50 +08:00
|
|
|
|
2011-10-27 05:06:22 +08:00
|
|
|
// Call into the SubEngine to process entering the CFGBlock.
|
2011-01-11 14:37:47 +08:00
|
|
|
ExplodedNodeSet dstNodes;
|
|
|
|
BlockEntrance BE(Blk, Pred->getLocationContext());
|
2011-10-27 05:06:22 +08:00
|
|
|
NodeBuilderWithSinks nodeBuilder(Pred, dstNodes, BuilderCtx, BE);
|
|
|
|
SubEng.processCFGBlockEntrance(nodeBuilder);
|
2011-01-11 14:37:47 +08:00
|
|
|
|
2011-10-27 05:06:22 +08:00
|
|
|
// Auto-generate a node.
|
|
|
|
if (!nodeBuilder.hasGeneratedNodes()) {
|
|
|
|
nodeBuilder.generateNode(Pred->State, Pred);
|
2011-01-11 14:37:47 +08:00
|
|
|
}
|
|
|
|
|
2011-10-27 05:06:22 +08:00
|
|
|
// Enqueue nodes onto the worklist.
|
|
|
|
enqueue(dstNodes);
|
|
|
|
|
|
|
|
// Make sink nodes as exhausted.
|
|
|
|
const SmallVectorImpl<ExplodedNode*> &Sinks = nodeBuilder.getSinks();
|
2011-07-23 18:55:15 +08:00
|
|
|
for (SmallVectorImpl<ExplodedNode*>::const_iterator
|
2011-10-27 05:06:22 +08:00
|
|
|
I =Sinks.begin(), E = Sinks.end(); I != E; ++I) {
|
2011-04-02 10:56:17 +08:00
|
|
|
blocksExhausted.push_back(std::make_pair(L, *I));
|
2010-08-11 08:03:02 +08:00
|
|
|
}
|
2008-01-15 07:24:37 +08:00
|
|
|
}
|
|
|
|
|
2011-08-13 07:37:29 +08:00
|
|
|
void CoreEngine::HandleBlockEntrance(const BlockEntrance &L,
|
|
|
|
ExplodedNode *Pred) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-13 02:08:17 +08:00
|
|
|
// Increment the block counter.
|
2010-12-23 02:53:44 +08:00
|
|
|
BlockCounter Counter = WList->getBlockCounter();
|
2010-03-23 13:05:02 +08:00
|
|
|
Counter = BCounterFactory.IncrementCount(Counter,
|
|
|
|
Pred->getLocationContext()->getCurrentStackFrame(),
|
|
|
|
L.getBlock()->getBlockID());
|
2008-02-13 02:08:17 +08:00
|
|
|
WList->setBlockCounter(Counter);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
// Process the entrance of the block.
|
Add (initial?) static analyzer support for handling C++ references.
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
llvm-svn: 91501
2009-12-16 11:18:58 +08:00
|
|
|
if (CFGElement E = L.getFirstElement()) {
|
2011-10-19 07:06:48 +08:00
|
|
|
NodeBuilderContext Ctx(*this, L.getBlock(), Pred);
|
2011-10-25 02:26:19 +08:00
|
|
|
SubEng.processCFGElement(E, Pred, 0, &Ctx);
|
2008-01-15 07:24:37 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
else
|
2008-01-15 08:24:08 +08:00
|
|
|
HandleBlockExit(L.getBlock(), Pred);
|
2008-01-15 07:24:37 +08:00
|
|
|
}
|
|
|
|
|
2011-08-13 07:37:29 +08:00
|
|
|
void CoreEngine::HandleBlockExit(const CFGBlock * B, ExplodedNode *Pred) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-08-13 07:37:29 +08:00
|
|
|
if (const Stmt *Term = B->getTerminator()) {
|
2008-01-30 06:56:11 +08:00
|
|
|
switch (Term->getStmtClass()) {
|
|
|
|
default:
|
2011-09-23 13:06:16 +08:00
|
|
|
llvm_unreachable("Analysis for this terminator not implemented.");
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-13 05:51:20 +08:00
|
|
|
case Stmt::BinaryOperatorClass: // '&&' and '||'
|
|
|
|
HandleBranch(cast<BinaryOperator>(Term)->getLHS(), Term, B, Pred);
|
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-02-17 18:25:35 +08:00
|
|
|
case Stmt::BinaryConditionalOperatorClass:
|
2008-02-05 08:26:40 +08:00
|
|
|
case Stmt::ConditionalOperatorClass:
|
2011-02-17 18:25:35 +08:00
|
|
|
HandleBranch(cast<AbstractConditionalOperator>(Term)->getCond(),
|
|
|
|
Term, B, Pred);
|
2008-02-13 05:51:20 +08:00
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-13 05:51:20 +08:00
|
|
|
// FIXME: Use constant-folding in CFG construction to simplify this
|
|
|
|
// case.
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-05 08:26:40 +08:00
|
|
|
case Stmt::ChooseExprClass:
|
|
|
|
HandleBranch(cast<ChooseExpr>(Term)->getCond(), Term, B, Pred);
|
2008-02-13 05:51:20 +08:00
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-13 05:51:20 +08:00
|
|
|
case Stmt::DoStmtClass:
|
|
|
|
HandleBranch(cast<DoStmt>(Term)->getCond(), Term, B, Pred);
|
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-10-11 06:36:31 +08:00
|
|
|
case Stmt::CXXForRangeStmtClass:
|
|
|
|
HandleBranch(cast<CXXForRangeStmt>(Term)->getCond(), Term, B, Pred);
|
|
|
|
return;
|
|
|
|
|
2008-01-30 06:56:11 +08:00
|
|
|
case Stmt::ForStmtClass:
|
|
|
|
HandleBranch(cast<ForStmt>(Term)->getCond(), Term, B, Pred);
|
2008-02-13 05:51:20 +08:00
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-14 00:56:51 +08:00
|
|
|
case Stmt::ContinueStmtClass:
|
|
|
|
case Stmt::BreakStmtClass:
|
2009-09-09 23:08:12 +08:00
|
|
|
case Stmt::GotoStmtClass:
|
2008-01-30 06:56:11 +08:00
|
|
|
break;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-13 05:51:20 +08:00
|
|
|
case Stmt::IfStmtClass:
|
|
|
|
HandleBranch(cast<IfStmt>(Term)->getCond(), Term, B, Pred);
|
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-13 08:24:44 +08:00
|
|
|
case Stmt::IndirectGotoStmtClass: {
|
|
|
|
// Only 1 successor: the indirect goto dispatch block.
|
|
|
|
assert (B->succ_size() == 1);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-23 02:53:44 +08:00
|
|
|
IndirectGotoNodeBuilder
|
2008-02-13 08:24:44 +08:00
|
|
|
builder(Pred, B, cast<IndirectGotoStmt>(Term)->getTarget(),
|
|
|
|
*(B->succ_begin()), this);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-01-11 12:49:40 +08:00
|
|
|
SubEng.processIndirectGoto(builder);
|
2008-02-13 08:24:44 +08:00
|
|
|
return;
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-11-13 03:24:17 +08:00
|
|
|
case Stmt::ObjCForCollectionStmtClass: {
|
|
|
|
// In the case of ObjCForCollectionStmt, it appears twice in a CFG:
|
|
|
|
//
|
|
|
|
// (1) inside a basic block, which represents the binding of the
|
|
|
|
// 'element' variable to a value.
|
|
|
|
// (2) in a terminator, which represents the branch.
|
|
|
|
//
|
|
|
|
// For (1), subengines will bind a value (i.e., 0 or 1) indicating
|
|
|
|
// whether or not collection contains any more elements. We cannot
|
|
|
|
// just test to see if the element is nil because a container can
|
|
|
|
// contain nil elements.
|
|
|
|
HandleBranch(Term, Term, B, Pred);
|
|
|
|
return;
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-02-14 07:08:21 +08:00
|
|
|
case Stmt::SwitchStmtClass: {
|
2010-12-23 02:53:44 +08:00
|
|
|
SwitchNodeBuilder builder(Pred, B, cast<SwitchStmt>(Term)->getCond(),
|
2009-08-06 20:48:26 +08:00
|
|
|
this);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-01-11 12:49:40 +08:00
|
|
|
SubEng.processSwitch(builder);
|
2008-02-14 07:08:21 +08:00
|
|
|
return;
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-30 06:56:11 +08:00
|
|
|
case Stmt::WhileStmtClass:
|
|
|
|
HandleBranch(cast<WhileStmt>(Term)->getCond(), Term, B, Pred);
|
2008-02-13 05:51:20 +08:00
|
|
|
return;
|
2008-01-30 06:56:11 +08:00
|
|
|
}
|
|
|
|
}
|
2008-02-13 05:51:20 +08:00
|
|
|
|
|
|
|
assert (B->succ_size() == 1 &&
|
|
|
|
"Blocks with no terminator should have at most 1 successor.");
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-12-21 05:19:09 +08:00
|
|
|
generateNode(BlockEdge(B, *(B->succ_begin()), Pred->getLocationContext()),
|
2009-08-15 11:17:38 +08:00
|
|
|
Pred->State, Pred);
|
2008-01-15 07:24:37 +08:00
|
|
|
}
|
|
|
|
|
2011-08-13 07:37:29 +08:00
|
|
|
void CoreEngine::HandleBranch(const Stmt *Cond, const Stmt *Term,
|
|
|
|
const CFGBlock * B, ExplodedNode *Pred) {
|
2011-01-11 12:49:40 +08:00
|
|
|
assert(B->succ_size() == 2);
|
2011-10-19 07:06:48 +08:00
|
|
|
NodeBuilderContext Ctx(*this, B, Pred);
|
2011-10-25 02:25:53 +08:00
|
|
|
ExplodedNodeSet Dst;
|
|
|
|
SubEng.processBranch(Cond, Term, Ctx, Pred, Dst,
|
2011-10-19 07:06:04 +08:00
|
|
|
*(B->succ_begin()), *(B->succ_begin()+1));
|
2011-10-25 02:25:53 +08:00
|
|
|
// Enqueue the new frontier onto the worklist.
|
|
|
|
enqueue(Dst);
|
2008-01-30 06:56:11 +08:00
|
|
|
}
|
|
|
|
|
2011-08-13 07:37:29 +08:00
|
|
|
void CoreEngine::HandlePostStmt(const CFGBlock *B, unsigned StmtIdx,
|
|
|
|
ExplodedNode *Pred) {
|
2011-10-19 07:06:04 +08:00
|
|
|
assert(B);
|
|
|
|
assert(!B->empty());
|
2008-01-15 07:24:37 +08:00
|
|
|
|
2008-01-15 08:24:08 +08:00
|
|
|
if (StmtIdx == B->size())
|
|
|
|
HandleBlockExit(B, Pred);
|
2008-01-15 07:24:37 +08:00
|
|
|
else {
|
2011-10-19 07:06:48 +08:00
|
|
|
NodeBuilderContext Ctx(*this, B, Pred);
|
2011-10-25 02:26:19 +08:00
|
|
|
SubEng.processCFGElement((*B)[StmtIdx], Pred, StmtIdx, &Ctx);
|
2008-01-15 07:24:37 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-12-21 05:19:09 +08:00
|
|
|
/// generateNode - Utility method to generate nodes, hook up successors,
|
2008-01-15 07:24:37 +08:00
|
|
|
/// and add nodes to the worklist.
|
2011-08-13 07:37:29 +08:00
|
|
|
void CoreEngine::generateNode(const ProgramPoint &Loc,
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef State,
|
2011-08-16 06:09:50 +08:00
|
|
|
ExplodedNode *Pred) {
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-15 07:24:37 +08:00
|
|
|
bool IsNew;
|
2011-11-02 06:41:19 +08:00
|
|
|
ExplodedNode *Node = G->getNode(Loc, State, false, &IsNew);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
if (Pred)
|
2009-10-07 08:42:52 +08:00
|
|
|
Node->addPredecessor(Pred, *G); // Link 'Node' with its predecessor.
|
2008-01-15 07:24:37 +08:00
|
|
|
else {
|
|
|
|
assert (IsNew);
|
|
|
|
G->addRoot(Node); // 'Node' has no predecessor. Make it a root.
|
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2008-01-15 07:24:37 +08:00
|
|
|
// Only add 'Node' to the worklist if it was freshly generated.
|
2011-01-11 10:34:50 +08:00
|
|
|
if (IsNew) WList->enqueue(Node);
|
2008-01-15 07:24:37 +08:00
|
|
|
}
|
|
|
|
|
2011-10-27 08:59:23 +08:00
|
|
|
void CoreEngine::enqueueStmtNode(ExplodedNode *N,
|
|
|
|
const CFGBlock *Block, unsigned Idx) {
|
2011-11-02 06:41:06 +08:00
|
|
|
assert(Block);
|
2011-10-27 08:59:23 +08:00
|
|
|
assert (!N->isSink());
|
|
|
|
|
|
|
|
// Check if this node entered a callee.
|
|
|
|
if (isa<CallEnter>(N->getLocation())) {
|
|
|
|
// Still use the index of the CallExpr. It's needed to create the callee
|
|
|
|
// StackFrameContext.
|
|
|
|
WList->enqueue(N, Block, Idx);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Do not create extra nodes. Move to the next CFG element.
|
|
|
|
if (isa<PostInitializer>(N->getLocation())) {
|
|
|
|
WList->enqueue(N, Block, Idx+1);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
const CFGStmt *CS = (*Block)[Idx].getAs<CFGStmt>();
|
|
|
|
const Stmt *St = CS ? CS->getStmt() : 0;
|
|
|
|
PostStmt Loc(St, N->getLocationContext());
|
|
|
|
|
|
|
|
if (Loc == N->getLocation()) {
|
|
|
|
// Note: 'N' should be a fresh node because otherwise it shouldn't be
|
|
|
|
// a member of Deferred.
|
|
|
|
WList->enqueue(N, Block, Idx+1);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool IsNew;
|
2011-11-02 06:41:19 +08:00
|
|
|
ExplodedNode *Succ = G->getNode(Loc, N->getState(), false, &IsNew);
|
2011-10-27 08:59:23 +08:00
|
|
|
Succ->addPredecessor(N, *G);
|
|
|
|
|
|
|
|
if (IsNew)
|
|
|
|
WList->enqueue(Succ, Block, Idx+1);
|
|
|
|
}
|
|
|
|
|
2011-10-27 08:59:28 +08:00
|
|
|
ExplodedNode *CoreEngine::generateCallExitNode(ExplodedNode *N) {
|
|
|
|
// Create a CallExit node and enqueue it.
|
|
|
|
const StackFrameContext *LocCtx
|
|
|
|
= cast<StackFrameContext>(N->getLocationContext());
|
|
|
|
const Stmt *CE = LocCtx->getCallSite();
|
|
|
|
|
|
|
|
// Use the the callee location context.
|
|
|
|
CallExit Loc(CE, LocCtx);
|
|
|
|
|
|
|
|
bool isNew;
|
2011-11-02 06:41:19 +08:00
|
|
|
ExplodedNode *Node = G->getNode(Loc, N->getState(), false, &isNew);
|
2011-10-27 08:59:28 +08:00
|
|
|
Node->addPredecessor(N, *G);
|
|
|
|
return isNew ? Node : 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-10-27 08:59:23 +08:00
|
|
|
void CoreEngine::enqueue(ExplodedNodeSet &Set) {
|
|
|
|
for (ExplodedNodeSet::iterator I = Set.begin(),
|
|
|
|
E = Set.end(); I != E; ++I) {
|
2011-10-19 07:06:04 +08:00
|
|
|
WList->enqueue(*I);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-10-27 08:59:23 +08:00
|
|
|
void CoreEngine::enqueue(ExplodedNodeSet &Set,
|
|
|
|
const CFGBlock *Block, unsigned Idx) {
|
|
|
|
for (ExplodedNodeSet::iterator I = Set.begin(),
|
|
|
|
E = Set.end(); I != E; ++I) {
|
|
|
|
enqueueStmtNode(*I, Block, Idx);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-10-27 08:59:28 +08:00
|
|
|
void CoreEngine::enqueueEndOfFunction(ExplodedNodeSet &Set) {
|
|
|
|
for (ExplodedNodeSet::iterator I = Set.begin(), E = Set.end(); I != E; ++I) {
|
|
|
|
ExplodedNode *N = *I;
|
|
|
|
// If we are in an inlined call, generate CallExit node.
|
|
|
|
if (N->getLocationContext()->getParent()) {
|
|
|
|
N = generateCallExitNode(N);
|
|
|
|
if (N)
|
|
|
|
WList->enqueue(N);
|
|
|
|
} else
|
|
|
|
G->addEndOfPath(N);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-10-27 08:59:23 +08:00
|
|
|
|
2011-12-20 10:48:34 +08:00
|
|
|
void NodeBuilder::anchor() { }
|
|
|
|
|
2011-10-19 07:05:58 +08:00
|
|
|
ExplodedNode* NodeBuilder::generateNodeImpl(const ProgramPoint &Loc,
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef State,
|
2011-10-19 07:06:33 +08:00
|
|
|
ExplodedNode *FromN,
|
|
|
|
bool MarkAsSink) {
|
2011-10-19 07:06:44 +08:00
|
|
|
HasGeneratedNodes = true;
|
2011-10-19 07:05:58 +08:00
|
|
|
bool IsNew;
|
2011-11-02 06:41:19 +08:00
|
|
|
ExplodedNode *N = C.Eng.G->getNode(Loc, State, MarkAsSink, &IsNew);
|
2011-10-19 07:06:04 +08:00
|
|
|
N->addPredecessor(FromN, *C.Eng.G);
|
2011-10-25 02:25:53 +08:00
|
|
|
Frontier.erase(FromN);
|
2011-11-02 06:41:14 +08:00
|
|
|
|
|
|
|
if (!IsNew)
|
|
|
|
return 0;
|
2011-10-19 07:05:58 +08:00
|
|
|
|
2011-11-02 06:41:19 +08:00
|
|
|
if (!MarkAsSink)
|
2011-10-25 02:25:53 +08:00
|
|
|
Frontier.Add(N);
|
2011-10-19 07:05:58 +08:00
|
|
|
|
2011-11-02 06:41:14 +08:00
|
|
|
return N;
|
2011-10-19 07:05:58 +08:00
|
|
|
}
|
|
|
|
|
2011-12-20 10:48:34 +08:00
|
|
|
void NodeBuilderWithSinks::anchor() { }
|
|
|
|
|
2011-10-25 05:19:59 +08:00
|
|
|
StmtNodeBuilder::~StmtNodeBuilder() {
|
2011-10-25 05:19:53 +08:00
|
|
|
if (EnclosingBldr)
|
|
|
|
for (ExplodedNodeSet::iterator I = Frontier.begin(),
|
|
|
|
E = Frontier.end(); I != E; ++I )
|
|
|
|
EnclosingBldr->addNodes(*I);
|
2010-04-14 14:35:09 +08:00
|
|
|
}
|
|
|
|
|
2011-12-20 10:48:34 +08:00
|
|
|
void BranchNodeBuilder::anchor() { }
|
|
|
|
|
2012-01-27 05:29:00 +08:00
|
|
|
ExplodedNode *BranchNodeBuilder::generateNode(ProgramStateRef State,
|
2011-10-19 07:06:04 +08:00
|
|
|
bool branch,
|
|
|
|
ExplodedNode *NodePred) {
|
2009-07-21 02:44:36 +08:00
|
|
|
// If the branch has been marked infeasible we should not generate a node.
|
|
|
|
if (!isFeasible(branch))
|
|
|
|
return NULL;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-10-19 07:06:04 +08:00
|
|
|
ProgramPoint Loc = BlockEdge(C.Block, branch ? DstT:DstF,
|
|
|
|
NodePred->getLocationContext());
|
|
|
|
ExplodedNode *Succ = generateNodeImpl(Loc, State, NodePred);
|
|
|
|
return Succ;
|
2008-01-30 06:56:11 +08:00
|
|
|
}
|
2008-01-30 07:32:35 +08:00
|
|
|
|
2009-08-06 09:32:16 +08:00
|
|
|
ExplodedNode*
|
2011-08-16 06:09:50 +08:00
|
|
|
IndirectGotoNodeBuilder::generateNode(const iterator &I,
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef St,
|
2011-11-02 06:41:19 +08:00
|
|
|
bool IsSink) {
|
2008-02-13 08:24:44 +08:00
|
|
|
bool IsNew;
|
2011-08-13 07:37:29 +08:00
|
|
|
ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, I.getBlock(),
|
2011-11-02 06:41:19 +08:00
|
|
|
Pred->getLocationContext()), St,
|
|
|
|
IsSink, &IsNew);
|
2009-10-07 08:42:52 +08:00
|
|
|
Succ->addPredecessor(Pred, *Eng.G);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-11-02 06:41:19 +08:00
|
|
|
if (!IsNew)
|
|
|
|
return 0;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-11-02 06:41:19 +08:00
|
|
|
if (!IsSink)
|
|
|
|
Eng.WList->enqueue(Succ);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-11-02 06:41:19 +08:00
|
|
|
return Succ;
|
2008-02-13 08:24:44 +08:00
|
|
|
}
|
2008-02-14 07:08:21 +08:00
|
|
|
|
|
|
|
|
2009-08-06 09:32:16 +08:00
|
|
|
ExplodedNode*
|
2011-08-16 06:09:50 +08:00
|
|
|
SwitchNodeBuilder::generateCaseStmtNode(const iterator &I,
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef St) {
|
2008-02-14 07:08:21 +08:00
|
|
|
|
|
|
|
bool IsNew;
|
2011-08-13 07:37:29 +08:00
|
|
|
ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, I.getBlock(),
|
2011-11-02 06:41:19 +08:00
|
|
|
Pred->getLocationContext()), St,
|
|
|
|
false, &IsNew);
|
2009-10-07 08:42:52 +08:00
|
|
|
Succ->addPredecessor(Pred, *Eng.G);
|
2011-11-02 06:41:19 +08:00
|
|
|
if (!IsNew)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
Eng.WList->enqueue(Succ);
|
|
|
|
return Succ;
|
2008-02-14 07:08:21 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2009-08-06 09:32:16 +08:00
|
|
|
ExplodedNode*
|
2012-01-27 05:29:00 +08:00
|
|
|
SwitchNodeBuilder::generateDefaultCaseNode(ProgramStateRef St,
|
2011-11-02 06:41:19 +08:00
|
|
|
bool IsSink) {
|
2008-02-14 07:08:21 +08:00
|
|
|
// Get the block for the default case.
|
2011-09-30 11:51:54 +08:00
|
|
|
assert(Src->succ_rbegin() != Src->succ_rend());
|
2011-08-13 07:37:29 +08:00
|
|
|
CFGBlock *DefaultBlock = *Src->succ_rbegin();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-09-30 11:51:54 +08:00
|
|
|
// Sanity check for default blocks that are unreachable and not caught
|
|
|
|
// by earlier stages.
|
|
|
|
if (!DefaultBlock)
|
|
|
|
return NULL;
|
|
|
|
|
2008-02-14 07:08:21 +08:00
|
|
|
bool IsNew;
|
2011-08-13 07:37:29 +08:00
|
|
|
ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, DefaultBlock,
|
2011-11-02 06:41:19 +08:00
|
|
|
Pred->getLocationContext()), St,
|
|
|
|
IsSink, &IsNew);
|
2009-10-07 08:42:52 +08:00
|
|
|
Succ->addPredecessor(Pred, *Eng.G);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-11-02 06:41:19 +08:00
|
|
|
if (!IsNew)
|
|
|
|
return 0;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-11-02 06:41:19 +08:00
|
|
|
if (!IsSink)
|
|
|
|
Eng.WList->enqueue(Succ);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-11-02 06:41:19 +08:00
|
|
|
return Succ;
|
2008-02-14 07:08:21 +08:00
|
|
|
}
|