1 //==- CoreEngine.cpp - Path-Sensitive Dataflow Engine ------------*- C++ -*-// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines a generic engine for intraprocedural, path-sensitive, 11 // dataflow analysis via graph reachability engine. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" 16 #include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h" 17 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 18 #include "clang/Index/TranslationUnit.h" 19 #include "clang/AST/Expr.h" 20 #include "clang/AST/StmtCXX.h" 21 #include "llvm/Support/Casting.h" 22 #include "llvm/ADT/DenseMap.h" 23 using namespace clang; 24 using namespace ento; 25 26 //===----------------------------------------------------------------------===// 27 // Worklist classes for exploration of reachable states. 28 //===----------------------------------------------------------------------===// 29 30 WorkList::Visitor::~Visitor() {} 31 32 namespace { 33 class DFS : public WorkList { 34 SmallVector<WorkListUnit,20> Stack; 35 public: 36 virtual bool hasWork() const { 37 return !Stack.empty(); 38 } 39 40 virtual void enqueue(const WorkListUnit& U) { 41 Stack.push_back(U); 42 } 43 44 virtual WorkListUnit dequeue() { 45 assert (!Stack.empty()); 46 const WorkListUnit& U = Stack.back(); 47 Stack.pop_back(); // This technically "invalidates" U, but we are fine. 48 return U; 49 } 50 51 virtual bool visitItemsInWorkList(Visitor &V) { 52 for (SmallVectorImpl<WorkListUnit>::iterator 53 I = Stack.begin(), E = Stack.end(); I != E; ++I) { 54 if (V.visit(*I)) 55 return true; 56 } 57 return false; 58 } 59 }; 60 61 class BFS : public WorkList { 62 std::deque<WorkListUnit> Queue; 63 public: 64 virtual bool hasWork() const { 65 return !Queue.empty(); 66 } 67 68 virtual void enqueue(const WorkListUnit& U) { 69 Queue.push_front(U); 70 } 71 72 virtual WorkListUnit dequeue() { 73 WorkListUnit U = Queue.front(); 74 Queue.pop_front(); 75 return U; 76 } 77 78 virtual bool visitItemsInWorkList(Visitor &V) { 79 for (std::deque<WorkListUnit>::iterator 80 I = Queue.begin(), E = Queue.end(); I != E; ++I) { 81 if (V.visit(*I)) 82 return true; 83 } 84 return false; 85 } 86 }; 87 88 } // end anonymous namespace 89 90 // Place the dstor for WorkList here because it contains virtual member 91 // functions, and we the code for the dstor generated in one compilation unit. 92 WorkList::~WorkList() {} 93 94 WorkList *WorkList::makeDFS() { return new DFS(); } 95 WorkList *WorkList::makeBFS() { return new BFS(); } 96 97 namespace { 98 class BFSBlockDFSContents : public WorkList { 99 std::deque<WorkListUnit> Queue; 100 SmallVector<WorkListUnit,20> Stack; 101 public: 102 virtual bool hasWork() const { 103 return !Queue.empty() || !Stack.empty(); 104 } 105 106 virtual void enqueue(const WorkListUnit& U) { 107 if (isa<BlockEntrance>(U.getNode()->getLocation())) 108 Queue.push_front(U); 109 else 110 Stack.push_back(U); 111 } 112 113 virtual WorkListUnit dequeue() { 114 // Process all basic blocks to completion. 115 if (!Stack.empty()) { 116 const WorkListUnit& U = Stack.back(); 117 Stack.pop_back(); // This technically "invalidates" U, but we are fine. 118 return U; 119 } 120 121 assert(!Queue.empty()); 122 // Don't use const reference. The subsequent pop_back() might make it 123 // unsafe. 124 WorkListUnit U = Queue.front(); 125 Queue.pop_front(); 126 return U; 127 } 128 virtual bool visitItemsInWorkList(Visitor &V) { 129 for (SmallVectorImpl<WorkListUnit>::iterator 130 I = Stack.begin(), E = Stack.end(); I != E; ++I) { 131 if (V.visit(*I)) 132 return true; 133 } 134 for (std::deque<WorkListUnit>::iterator 135 I = Queue.begin(), E = Queue.end(); I != E; ++I) { 136 if (V.visit(*I)) 137 return true; 138 } 139 return false; 140 } 141 142 }; 143 } // end anonymous namespace 144 145 WorkList* WorkList::makeBFSBlockDFSContents() { 146 return new BFSBlockDFSContents(); 147 } 148 149 //===----------------------------------------------------------------------===// 150 // Core analysis engine. 151 //===----------------------------------------------------------------------===// 152 153 /// ExecuteWorkList - Run the worklist algorithm for a maximum number of steps. 154 bool CoreEngine::ExecuteWorkList(const LocationContext *L, unsigned Steps, 155 ProgramStateRef InitState) { 156 157 if (G->num_roots() == 0) { // Initialize the analysis by constructing 158 // the root if none exists. 159 160 const CFGBlock *Entry = &(L->getCFG()->getEntry()); 161 162 assert (Entry->empty() && 163 "Entry block must be empty."); 164 165 assert (Entry->succ_size() == 1 && 166 "Entry block must have 1 successor."); 167 168 // Get the solitary successor. 169 const CFGBlock *Succ = *(Entry->succ_begin()); 170 171 // Construct an edge representing the 172 // starting location in the function. 173 BlockEdge StartLoc(Entry, Succ, L); 174 175 // Set the current block counter to being empty. 176 WList->setBlockCounter(BCounterFactory.GetEmptyCounter()); 177 178 if (!InitState) 179 // Generate the root. 180 generateNode(StartLoc, SubEng.getInitialState(L), 0); 181 else 182 generateNode(StartLoc, InitState, 0); 183 } 184 185 // Check if we have a steps limit 186 bool UnlimitedSteps = Steps == 0; 187 188 while (WList->hasWork()) { 189 if (!UnlimitedSteps) { 190 if (Steps == 0) 191 break; 192 --Steps; 193 } 194 195 const WorkListUnit& WU = WList->dequeue(); 196 197 // Set the current block counter. 198 WList->setBlockCounter(WU.getBlockCounter()); 199 200 // Retrieve the node. 201 ExplodedNode *Node = WU.getNode(); 202 203 // Dispatch on the location type. 204 switch (Node->getLocation().getKind()) { 205 case ProgramPoint::BlockEdgeKind: 206 HandleBlockEdge(cast<BlockEdge>(Node->getLocation()), Node); 207 break; 208 209 case ProgramPoint::BlockEntranceKind: 210 HandleBlockEntrance(cast<BlockEntrance>(Node->getLocation()), Node); 211 break; 212 213 case ProgramPoint::BlockExitKind: 214 assert (false && "BlockExit location never occur in forward analysis."); 215 break; 216 217 case ProgramPoint::CallEnterKind: { 218 CallEnter CEnter = cast<CallEnter>(Node->getLocation()); 219 if (AnalyzedCallees) 220 if (const CallExpr* CE = 221 dyn_cast_or_null<CallExpr>(CEnter.getCallExpr())) 222 if (const Decl *CD = CE->getCalleeDecl()) 223 AnalyzedCallees->insert(CD); 224 SubEng.processCallEnter(CEnter, Node); 225 break; 226 } 227 228 case ProgramPoint::CallExitKind: 229 SubEng.processCallExit(Node); 230 break; 231 232 default: 233 assert(isa<PostStmt>(Node->getLocation()) || 234 isa<PostInitializer>(Node->getLocation())); 235 HandlePostStmt(WU.getBlock(), WU.getIndex(), Node); 236 break; 237 } 238 } 239 240 SubEng.processEndWorklist(hasWorkRemaining()); 241 return WList->hasWork(); 242 } 243 244 void CoreEngine::ExecuteWorkListWithInitialState(const LocationContext *L, 245 unsigned Steps, 246 ProgramStateRef InitState, 247 ExplodedNodeSet &Dst) { 248 ExecuteWorkList(L, Steps, InitState); 249 for (ExplodedGraph::eop_iterator I = G->eop_begin(), 250 E = G->eop_end(); I != E; ++I) { 251 Dst.Add(*I); 252 } 253 } 254 255 void CoreEngine::HandleBlockEdge(const BlockEdge &L, ExplodedNode *Pred) { 256 257 const CFGBlock *Blk = L.getDst(); 258 NodeBuilderContext BuilderCtx(*this, Blk, Pred); 259 260 // Check if we are entering the EXIT block. 261 if (Blk == &(L.getLocationContext()->getCFG()->getExit())) { 262 263 assert (L.getLocationContext()->getCFG()->getExit().size() == 0 264 && "EXIT block cannot contain Stmts."); 265 266 // Process the final state transition. 267 SubEng.processEndOfFunction(BuilderCtx); 268 269 // This path is done. Don't enqueue any more nodes. 270 return; 271 } 272 273 // Call into the SubEngine to process entering the CFGBlock. 274 ExplodedNodeSet dstNodes; 275 BlockEntrance BE(Blk, Pred->getLocationContext()); 276 NodeBuilderWithSinks nodeBuilder(Pred, dstNodes, BuilderCtx, BE); 277 SubEng.processCFGBlockEntrance(nodeBuilder); 278 279 // Auto-generate a node. 280 if (!nodeBuilder.hasGeneratedNodes()) { 281 nodeBuilder.generateNode(Pred->State, Pred); 282 } 283 284 // Enqueue nodes onto the worklist. 285 enqueue(dstNodes); 286 287 // Make sink nodes as exhausted. 288 const SmallVectorImpl<ExplodedNode*> &Sinks = nodeBuilder.getSinks(); 289 for (SmallVectorImpl<ExplodedNode*>::const_iterator 290 I =Sinks.begin(), E = Sinks.end(); I != E; ++I) { 291 blocksExhausted.push_back(std::make_pair(L, *I)); 292 } 293 } 294 295 void CoreEngine::HandleBlockEntrance(const BlockEntrance &L, 296 ExplodedNode *Pred) { 297 298 // Increment the block counter. 299 BlockCounter Counter = WList->getBlockCounter(); 300 Counter = BCounterFactory.IncrementCount(Counter, 301 Pred->getLocationContext()->getCurrentStackFrame(), 302 L.getBlock()->getBlockID()); 303 WList->setBlockCounter(Counter); 304 305 // Process the entrance of the block. 306 if (CFGElement E = L.getFirstElement()) { 307 NodeBuilderContext Ctx(*this, L.getBlock(), Pred); 308 SubEng.processCFGElement(E, Pred, 0, &Ctx); 309 } 310 else 311 HandleBlockExit(L.getBlock(), Pred); 312 } 313 314 void CoreEngine::HandleBlockExit(const CFGBlock * B, ExplodedNode *Pred) { 315 316 if (const Stmt *Term = B->getTerminator()) { 317 switch (Term->getStmtClass()) { 318 default: 319 llvm_unreachable("Analysis for this terminator not implemented."); 320 321 case Stmt::BinaryOperatorClass: // '&&' and '||' 322 HandleBranch(cast<BinaryOperator>(Term)->getLHS(), Term, B, Pred); 323 return; 324 325 case Stmt::BinaryConditionalOperatorClass: 326 case Stmt::ConditionalOperatorClass: 327 HandleBranch(cast<AbstractConditionalOperator>(Term)->getCond(), 328 Term, B, Pred); 329 return; 330 331 // FIXME: Use constant-folding in CFG construction to simplify this 332 // case. 333 334 case Stmt::ChooseExprClass: 335 HandleBranch(cast<ChooseExpr>(Term)->getCond(), Term, B, Pred); 336 return; 337 338 case Stmt::CXXTryStmtClass: { 339 // Generate a node for each of the successors. 340 // Our logic for EH analysis can certainly be improved. 341 for (CFGBlock::const_succ_iterator it = B->succ_begin(), 342 et = B->succ_end(); it != et; ++it) { 343 if (const CFGBlock *succ = *it) { 344 generateNode(BlockEdge(B, succ, Pred->getLocationContext()), 345 Pred->State, Pred); 346 } 347 } 348 return; 349 } 350 351 case Stmt::DoStmtClass: 352 HandleBranch(cast<DoStmt>(Term)->getCond(), Term, B, Pred); 353 return; 354 355 case Stmt::CXXForRangeStmtClass: 356 HandleBranch(cast<CXXForRangeStmt>(Term)->getCond(), Term, B, Pred); 357 return; 358 359 case Stmt::ForStmtClass: 360 HandleBranch(cast<ForStmt>(Term)->getCond(), Term, B, Pred); 361 return; 362 363 case Stmt::ContinueStmtClass: 364 case Stmt::BreakStmtClass: 365 case Stmt::GotoStmtClass: 366 break; 367 368 case Stmt::IfStmtClass: 369 HandleBranch(cast<IfStmt>(Term)->getCond(), Term, B, Pred); 370 return; 371 372 case Stmt::IndirectGotoStmtClass: { 373 // Only 1 successor: the indirect goto dispatch block. 374 assert (B->succ_size() == 1); 375 376 IndirectGotoNodeBuilder 377 builder(Pred, B, cast<IndirectGotoStmt>(Term)->getTarget(), 378 *(B->succ_begin()), this); 379 380 SubEng.processIndirectGoto(builder); 381 return; 382 } 383 384 case Stmt::ObjCForCollectionStmtClass: { 385 // In the case of ObjCForCollectionStmt, it appears twice in a CFG: 386 // 387 // (1) inside a basic block, which represents the binding of the 388 // 'element' variable to a value. 389 // (2) in a terminator, which represents the branch. 390 // 391 // For (1), subengines will bind a value (i.e., 0 or 1) indicating 392 // whether or not collection contains any more elements. We cannot 393 // just test to see if the element is nil because a container can 394 // contain nil elements. 395 HandleBranch(Term, Term, B, Pred); 396 return; 397 } 398 399 case Stmt::SwitchStmtClass: { 400 SwitchNodeBuilder builder(Pred, B, cast<SwitchStmt>(Term)->getCond(), 401 this); 402 403 SubEng.processSwitch(builder); 404 return; 405 } 406 407 case Stmt::WhileStmtClass: 408 HandleBranch(cast<WhileStmt>(Term)->getCond(), Term, B, Pred); 409 return; 410 } 411 } 412 413 assert (B->succ_size() == 1 && 414 "Blocks with no terminator should have at most 1 successor."); 415 416 generateNode(BlockEdge(B, *(B->succ_begin()), Pred->getLocationContext()), 417 Pred->State, Pred); 418 } 419 420 void CoreEngine::HandleBranch(const Stmt *Cond, const Stmt *Term, 421 const CFGBlock * B, ExplodedNode *Pred) { 422 assert(B->succ_size() == 2); 423 NodeBuilderContext Ctx(*this, B, Pred); 424 ExplodedNodeSet Dst; 425 SubEng.processBranch(Cond, Term, Ctx, Pred, Dst, 426 *(B->succ_begin()), *(B->succ_begin()+1)); 427 // Enqueue the new frontier onto the worklist. 428 enqueue(Dst); 429 } 430 431 void CoreEngine::HandlePostStmt(const CFGBlock *B, unsigned StmtIdx, 432 ExplodedNode *Pred) { 433 assert(B); 434 assert(!B->empty()); 435 436 if (StmtIdx == B->size()) 437 HandleBlockExit(B, Pred); 438 else { 439 NodeBuilderContext Ctx(*this, B, Pred); 440 SubEng.processCFGElement((*B)[StmtIdx], Pred, StmtIdx, &Ctx); 441 } 442 } 443 444 /// generateNode - Utility method to generate nodes, hook up successors, 445 /// and add nodes to the worklist. 446 void CoreEngine::generateNode(const ProgramPoint &Loc, 447 ProgramStateRef State, 448 ExplodedNode *Pred) { 449 450 bool IsNew; 451 ExplodedNode *Node = G->getNode(Loc, State, false, &IsNew); 452 453 if (Pred) 454 Node->addPredecessor(Pred, *G); // Link 'Node' with its predecessor. 455 else { 456 assert (IsNew); 457 G->addRoot(Node); // 'Node' has no predecessor. Make it a root. 458 } 459 460 // Only add 'Node' to the worklist if it was freshly generated. 461 if (IsNew) WList->enqueue(Node); 462 } 463 464 void CoreEngine::enqueueStmtNode(ExplodedNode *N, 465 const CFGBlock *Block, unsigned Idx) { 466 assert(Block); 467 assert (!N->isSink()); 468 469 // Check if this node entered a callee. 470 if (isa<CallEnter>(N->getLocation())) { 471 // Still use the index of the CallExpr. It's needed to create the callee 472 // StackFrameContext. 473 WList->enqueue(N, Block, Idx); 474 return; 475 } 476 477 // Do not create extra nodes. Move to the next CFG element. 478 if (isa<PostInitializer>(N->getLocation())) { 479 WList->enqueue(N, Block, Idx+1); 480 return; 481 } 482 483 const CFGStmt *CS = (*Block)[Idx].getAs<CFGStmt>(); 484 const Stmt *St = CS ? CS->getStmt() : 0; 485 PostStmt Loc(St, N->getLocationContext()); 486 487 if (Loc == N->getLocation()) { 488 // Note: 'N' should be a fresh node because otherwise it shouldn't be 489 // a member of Deferred. 490 WList->enqueue(N, Block, Idx+1); 491 return; 492 } 493 494 bool IsNew; 495 ExplodedNode *Succ = G->getNode(Loc, N->getState(), false, &IsNew); 496 Succ->addPredecessor(N, *G); 497 498 if (IsNew) 499 WList->enqueue(Succ, Block, Idx+1); 500 } 501 502 ExplodedNode *CoreEngine::generateCallExitNode(ExplodedNode *N) { 503 // Create a CallExit node and enqueue it. 504 const StackFrameContext *LocCtx 505 = cast<StackFrameContext>(N->getLocationContext()); 506 const Stmt *CE = LocCtx->getCallSite(); 507 508 // Use the the callee location context. 509 CallExit Loc(CE, LocCtx); 510 511 bool isNew; 512 ExplodedNode *Node = G->getNode(Loc, N->getState(), false, &isNew); 513 Node->addPredecessor(N, *G); 514 return isNew ? Node : 0; 515 } 516 517 518 void CoreEngine::enqueue(ExplodedNodeSet &Set) { 519 for (ExplodedNodeSet::iterator I = Set.begin(), 520 E = Set.end(); I != E; ++I) { 521 WList->enqueue(*I); 522 } 523 } 524 525 void CoreEngine::enqueue(ExplodedNodeSet &Set, 526 const CFGBlock *Block, unsigned Idx) { 527 for (ExplodedNodeSet::iterator I = Set.begin(), 528 E = Set.end(); I != E; ++I) { 529 enqueueStmtNode(*I, Block, Idx); 530 } 531 } 532 533 void CoreEngine::enqueueEndOfFunction(ExplodedNodeSet &Set) { 534 for (ExplodedNodeSet::iterator I = Set.begin(), E = Set.end(); I != E; ++I) { 535 ExplodedNode *N = *I; 536 // If we are in an inlined call, generate CallExit node. 537 if (N->getLocationContext()->getParent()) { 538 N = generateCallExitNode(N); 539 if (N) 540 WList->enqueue(N); 541 } else 542 G->addEndOfPath(N); 543 } 544 } 545 546 547 void NodeBuilder::anchor() { } 548 549 ExplodedNode* NodeBuilder::generateNodeImpl(const ProgramPoint &Loc, 550 ProgramStateRef State, 551 ExplodedNode *FromN, 552 bool MarkAsSink) { 553 HasGeneratedNodes = true; 554 bool IsNew; 555 ExplodedNode *N = C.Eng.G->getNode(Loc, State, MarkAsSink, &IsNew); 556 N->addPredecessor(FromN, *C.Eng.G); 557 Frontier.erase(FromN); 558 559 if (!IsNew) 560 return 0; 561 562 if (!MarkAsSink) 563 Frontier.Add(N); 564 565 return N; 566 } 567 568 void NodeBuilderWithSinks::anchor() { } 569 570 StmtNodeBuilder::~StmtNodeBuilder() { 571 if (EnclosingBldr) 572 for (ExplodedNodeSet::iterator I = Frontier.begin(), 573 E = Frontier.end(); I != E; ++I ) 574 EnclosingBldr->addNodes(*I); 575 } 576 577 void BranchNodeBuilder::anchor() { } 578 579 ExplodedNode *BranchNodeBuilder::generateNode(ProgramStateRef State, 580 bool branch, 581 ExplodedNode *NodePred) { 582 // If the branch has been marked infeasible we should not generate a node. 583 if (!isFeasible(branch)) 584 return NULL; 585 586 ProgramPoint Loc = BlockEdge(C.Block, branch ? DstT:DstF, 587 NodePred->getLocationContext()); 588 ExplodedNode *Succ = generateNodeImpl(Loc, State, NodePred); 589 return Succ; 590 } 591 592 ExplodedNode* 593 IndirectGotoNodeBuilder::generateNode(const iterator &I, 594 ProgramStateRef St, 595 bool IsSink) { 596 bool IsNew; 597 ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, I.getBlock(), 598 Pred->getLocationContext()), St, 599 IsSink, &IsNew); 600 Succ->addPredecessor(Pred, *Eng.G); 601 602 if (!IsNew) 603 return 0; 604 605 if (!IsSink) 606 Eng.WList->enqueue(Succ); 607 608 return Succ; 609 } 610 611 612 ExplodedNode* 613 SwitchNodeBuilder::generateCaseStmtNode(const iterator &I, 614 ProgramStateRef St) { 615 616 bool IsNew; 617 ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, I.getBlock(), 618 Pred->getLocationContext()), St, 619 false, &IsNew); 620 Succ->addPredecessor(Pred, *Eng.G); 621 if (!IsNew) 622 return 0; 623 624 Eng.WList->enqueue(Succ); 625 return Succ; 626 } 627 628 629 ExplodedNode* 630 SwitchNodeBuilder::generateDefaultCaseNode(ProgramStateRef St, 631 bool IsSink) { 632 // Get the block for the default case. 633 assert(Src->succ_rbegin() != Src->succ_rend()); 634 CFGBlock *DefaultBlock = *Src->succ_rbegin(); 635 636 // Sanity check for default blocks that are unreachable and not caught 637 // by earlier stages. 638 if (!DefaultBlock) 639 return NULL; 640 641 bool IsNew; 642 ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, DefaultBlock, 643 Pred->getLocationContext()), St, 644 IsSink, &IsNew); 645 Succ->addPredecessor(Pred, *Eng.G); 646 647 if (!IsNew) 648 return 0; 649 650 if (!IsSink) 651 Eng.WList->enqueue(Succ); 652 653 return Succ; 654 } 655