1e580d831SEugene Zelenko //===- ExplodedGraph.cpp - Local, Path-Sens. "Exploded Graph" -------------===//
2fa0734ecSArgyrios Kyrtzidis //
32946cd70SChandler Carruth // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
42946cd70SChandler Carruth // See https://llvm.org/LICENSE.txt for license information.
52946cd70SChandler Carruth // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6fa0734ecSArgyrios Kyrtzidis //
7fa0734ecSArgyrios Kyrtzidis //===----------------------------------------------------------------------===//
8fa0734ecSArgyrios Kyrtzidis //
9fa0734ecSArgyrios Kyrtzidis // This file defines the template classes ExplodedNode and ExplodedGraph,
10fa0734ecSArgyrios Kyrtzidis // which represent a path-sensitive, intra-procedural "exploded graph."
11fa0734ecSArgyrios Kyrtzidis //
12fa0734ecSArgyrios Kyrtzidis //===----------------------------------------------------------------------===//
13fa0734ecSArgyrios Kyrtzidis
14f8cbac4bSTed Kremenek #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
15e580d831SEugene Zelenko #include "clang/AST/Expr.h"
16e580d831SEugene Zelenko #include "clang/AST/ExprObjC.h"
173a02247dSChandler Carruth #include "clang/AST/ParentMap.h"
183a02247dSChandler Carruth #include "clang/AST/Stmt.h"
19dd53bdbfSKristof Umann #include "clang/Analysis/CFGStmtMap.h"
20e580d831SEugene Zelenko #include "clang/Analysis/ProgramPoint.h"
21e580d831SEugene Zelenko #include "clang/Analysis/Support/BumpVector.h"
22e580d831SEugene Zelenko #include "clang/Basic/LLVM.h"
234f7df9beSJordan Rose #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
24001fd5b4STed Kremenek #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
25e580d831SEugene Zelenko #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
263a02247dSChandler Carruth #include "llvm/ADT/DenseSet.h"
27e580d831SEugene Zelenko #include "llvm/ADT/FoldingSet.h"
28e580d831SEugene Zelenko #include "llvm/ADT/Optional.h"
29e580d831SEugene Zelenko #include "llvm/ADT/PointerUnion.h"
30fa0734ecSArgyrios Kyrtzidis #include "llvm/ADT/SmallVector.h"
31e580d831SEugene Zelenko #include "llvm/Support/Casting.h"
32e580d831SEugene Zelenko #include <cassert>
33e580d831SEugene Zelenko #include <memory>
34fa0734ecSArgyrios Kyrtzidis
35fa0734ecSArgyrios Kyrtzidis using namespace clang;
36fa0734ecSArgyrios Kyrtzidis using namespace ento;
37fa0734ecSArgyrios Kyrtzidis
38fa0734ecSArgyrios Kyrtzidis //===----------------------------------------------------------------------===//
39a40f8ebcSTed Kremenek // Cleanup.
40a40f8ebcSTed Kremenek //===----------------------------------------------------------------------===//
41a40f8ebcSTed Kremenek
42e580d831SEugene Zelenko ExplodedGraph::ExplodedGraph() = default;
4344d2973bSTed Kremenek
44e580d831SEugene Zelenko ExplodedGraph::~ExplodedGraph() = default;
45a40f8ebcSTed Kremenek
46a40f8ebcSTed Kremenek //===----------------------------------------------------------------------===//
47a40f8ebcSTed Kremenek // Node reclamation.
48a40f8ebcSTed Kremenek //===----------------------------------------------------------------------===//
49a40f8ebcSTed Kremenek
isInterestingLValueExpr(const Expr * Ex)5004fa9e3dSTed Kremenek bool ExplodedGraph::isInterestingLValueExpr(const Expr *Ex) {
5104fa9e3dSTed Kremenek if (!Ex->isLValue())
5204fa9e3dSTed Kremenek return false;
53*16be17adSBalazs Benics return isa<DeclRefExpr, MemberExpr, ObjCIvarRefExpr, ArraySubscriptExpr>(Ex);
5404fa9e3dSTed Kremenek }
5504fa9e3dSTed Kremenek
shouldCollect(const ExplodedNode * node)561dd7fd71STed Kremenek bool ExplodedGraph::shouldCollect(const ExplodedNode *node) {
578f564058STed Kremenek // First, we only consider nodes for reclamation of the following
588f564058STed Kremenek // conditions apply:
591dd7fd71STed Kremenek //
601dd7fd71STed Kremenek // (1) 1 predecessor (that has one successor)
611dd7fd71STed Kremenek // (2) 1 successor (that has one predecessor)
628f564058STed Kremenek //
638f564058STed Kremenek // If a node has no successor it is on the "frontier", while a node
648f564058STed Kremenek // with no predecessor is a root.
658f564058STed Kremenek //
668f564058STed Kremenek // After these prerequisites, we discard all "filler" nodes that
678f564058STed Kremenek // are used only for intermediate processing, and are not essential
688f564058STed Kremenek // for analyzer history:
698f564058STed Kremenek //
708f564058STed Kremenek // (a) PreStmtPurgeDeadSymbols
718f564058STed Kremenek //
728f564058STed Kremenek // We then discard all other nodes where *all* of the following conditions
738f564058STed Kremenek // apply:
748f564058STed Kremenek //
75199fdd82SJordan Rose // (3) The ProgramPoint is for a PostStmt, but not a PostStore.
761dd7fd71STed Kremenek // (4) There is no 'tag' for the ProgramPoint.
771dd7fd71STed Kremenek // (5) The 'store' is the same as the predecessor.
781dd7fd71STed Kremenek // (6) The 'GDM' is the same as the predecessor.
791dd7fd71STed Kremenek // (7) The LocationContext is the same as the predecessor.
8096250482STed Kremenek // (8) Expressions that are *not* lvalue expressions.
8196250482STed Kremenek // (9) The PostStmt isn't for a non-consumed Stmt or Expr.
8268a172caSAnton Yartsev // (10) The successor is neither a CallExpr StmtPoint nor a CallEnter or
8368a172caSAnton Yartsev // PreImplicitCall (so that we would be able to find it when retrying a
8468a172caSAnton Yartsev // call with no inlining).
85681cce99SJordan Rose // FIXME: It may be safe to reclaim PreCall and PostCall nodes as well.
861dd7fd71STed Kremenek
871dd7fd71STed Kremenek // Conditions 1 and 2.
881dd7fd71STed Kremenek if (node->pred_size() != 1 || node->succ_size() != 1)
891dd7fd71STed Kremenek return false;
901dd7fd71STed Kremenek
911dd7fd71STed Kremenek const ExplodedNode *pred = *(node->pred_begin());
921dd7fd71STed Kremenek if (pred->succ_size() != 1)
931dd7fd71STed Kremenek return false;
941dd7fd71STed Kremenek
951dd7fd71STed Kremenek const ExplodedNode *succ = *(node->succ_begin());
961dd7fd71STed Kremenek if (succ->pred_size() != 1)
971dd7fd71STed Kremenek return false;
981dd7fd71STed Kremenek
998f564058STed Kremenek // Now reclaim any nodes that are (by definition) not essential to
1008f564058STed Kremenek // analysis history and are not consulted by any client code.
1011dd7fd71STed Kremenek ProgramPoint progPoint = node->getLocation();
1028f564058STed Kremenek if (progPoint.getAs<PreStmtPurgeDeadSymbols>())
103f352d8c7STed Kremenek return !progPoint.getTag();
1048f564058STed Kremenek
1058f564058STed Kremenek // Condition 3.
10687396b9bSDavid Blaikie if (!progPoint.getAs<PostStmt>() || progPoint.getAs<PostStore>())
1071dd7fd71STed Kremenek return false;
1081dd7fd71STed Kremenek
1091dd7fd71STed Kremenek // Condition 4.
11054417f6dSAnna Zaks if (progPoint.getTag())
1111dd7fd71STed Kremenek return false;
1121dd7fd71STed Kremenek
1131dd7fd71STed Kremenek // Conditions 5, 6, and 7.
1141dd7fd71STed Kremenek ProgramStateRef state = node->getState();
1151dd7fd71STed Kremenek ProgramStateRef pred_state = pred->getState();
1161dd7fd71STed Kremenek if (state->store != pred_state->store || state->GDM != pred_state->GDM ||
1171dd7fd71STed Kremenek progPoint.getLocationContext() != pred->getLocationContext())
1181dd7fd71STed Kremenek return false;
1191dd7fd71STed Kremenek
12054417f6dSAnna Zaks // All further checks require expressions. As per #3, we know that we have
12154417f6dSAnna Zaks // a PostStmt.
12254417f6dSAnna Zaks const Expr *Ex = dyn_cast<Expr>(progPoint.castAs<PostStmt>().getStmt());
12304fa9e3dSTed Kremenek if (!Ex)
12404fa9e3dSTed Kremenek return false;
12504fa9e3dSTed Kremenek
12604fa9e3dSTed Kremenek // Condition 8.
12704fa9e3dSTed Kremenek // Do not collect nodes for "interesting" lvalue expressions since they are
12804fa9e3dSTed Kremenek // used extensively for generating path diagnostics.
12904fa9e3dSTed Kremenek if (isInterestingLValueExpr(Ex))
13096250482STed Kremenek return false;
13196250482STed Kremenek
13296250482STed Kremenek // Condition 9.
13367e0062bSAnna Zaks // Do not collect nodes for non-consumed Stmt or Expr to ensure precise
13467e0062bSAnna Zaks // diagnostic generation; specifically, so that we could anchor arrows
13567e0062bSAnna Zaks // pointing to the beginning of statements (as written in code).
136fc76d855SKristof Umann const ParentMap &PM = progPoint.getLocationContext()->getParentMap();
1371dd7fd71STed Kremenek if (!PM.isConsumedExpr(Ex))
1381dd7fd71STed Kremenek return false;
1391dd7fd71STed Kremenek
14096250482STed Kremenek // Condition 10.
141bec49efdSAnna Zaks const ProgramPoint SuccLoc = succ->getLocation();
14287396b9bSDavid Blaikie if (Optional<StmtPoint> SP = SuccLoc.getAs<StmtPoint>())
143e537cc05SJordan Rose if (CallEvent::isCallStmt(SP->getStmt()))
144bec49efdSAnna Zaks return false;
145bec49efdSAnna Zaks
14668a172caSAnton Yartsev // Condition 10, continuation.
14768a172caSAnton Yartsev if (SuccLoc.getAs<CallEnter>() || SuccLoc.getAs<PreImplicitCall>())
14868a172caSAnton Yartsev return false;
14968a172caSAnton Yartsev
1501dd7fd71STed Kremenek return true;
1511dd7fd71STed Kremenek }
1521dd7fd71STed Kremenek
collectNode(ExplodedNode * node)1531dd7fd71STed Kremenek void ExplodedGraph::collectNode(ExplodedNode *node) {
1541dd7fd71STed Kremenek // Removing a node means:
1551dd7fd71STed Kremenek // (a) changing the predecessors successor to the successor of this node
1561dd7fd71STed Kremenek // (b) changing the successors predecessor to the predecessor of this node
1571dd7fd71STed Kremenek // (c) Putting 'node' onto freeNodes.
1581dd7fd71STed Kremenek assert(node->pred_size() == 1 || node->succ_size() == 1);
1591dd7fd71STed Kremenek ExplodedNode *pred = *(node->pred_begin());
1601dd7fd71STed Kremenek ExplodedNode *succ = *(node->succ_begin());
1611dd7fd71STed Kremenek pred->replaceSuccessor(succ);
1621dd7fd71STed Kremenek succ->replacePredecessor(pred);
163a2aa929eSTed Kremenek FreeNodes.push_back(node);
1641dd7fd71STed Kremenek Nodes.RemoveNode(node);
1651dd7fd71STed Kremenek --NumNodes;
1661dd7fd71STed Kremenek node->~ExplodedNode();
1671dd7fd71STed Kremenek }
1681dd7fd71STed Kremenek
reclaimRecentlyAllocatedNodes()16935e55fe4STed Kremenek void ExplodedGraph::reclaimRecentlyAllocatedNodes() {
170a2aa929eSTed Kremenek if (ChangedNodes.empty())
171a40f8ebcSTed Kremenek return;
17244d2973bSTed Kremenek
173746c06d0SJordan Rose // Only periodically reclaim nodes so that we can build up a set of
17435e55fe4STed Kremenek // nodes that meet the reclamation criteria. Freshly created nodes
17535e55fe4STed Kremenek // by definition have no successor, and thus cannot be reclaimed (see below).
176746c06d0SJordan Rose assert(ReclaimCounter > 0);
177746c06d0SJordan Rose if (--ReclaimCounter != 0)
17835e55fe4STed Kremenek return;
179746c06d0SJordan Rose ReclaimCounter = ReclaimNodeInterval;
18035e55fe4STed Kremenek
181e580d831SEugene Zelenko for (const auto node : ChangedNodes)
1821dd7fd71STed Kremenek if (shouldCollect(node))
1831dd7fd71STed Kremenek collectNode(node);
184a2aa929eSTed Kremenek ChangedNodes.clear();
185a40f8ebcSTed Kremenek }
186a40f8ebcSTed Kremenek
187a40f8ebcSTed Kremenek //===----------------------------------------------------------------------===//
188fa0734ecSArgyrios Kyrtzidis // ExplodedNode.
189fa0734ecSArgyrios Kyrtzidis //===----------------------------------------------------------------------===//
190fa0734ecSArgyrios Kyrtzidis
1912b10f3f8SJordan Rose // An NodeGroup's storage type is actually very much like a TinyPtrVector:
1922b10f3f8SJordan Rose // it can be either a pointer to a single ExplodedNode, or a pointer to a
1932b10f3f8SJordan Rose // BumpVector allocated with the ExplodedGraph's allocator. This allows the
1942b10f3f8SJordan Rose // common case of single-node NodeGroups to be implemented with no extra memory.
1952b10f3f8SJordan Rose //
1962b10f3f8SJordan Rose // Consequently, each of the NodeGroup methods have up to four cases to handle:
1972b10f3f8SJordan Rose // 1. The flag is set and this group does not actually contain any nodes.
1982b10f3f8SJordan Rose // 2. The group is empty, in which case the storage value is null.
1992b10f3f8SJordan Rose // 3. The group contains a single node.
2002b10f3f8SJordan Rose // 4. The group contains more than one node.
201e580d831SEugene Zelenko using ExplodedNodeVector = BumpVector<ExplodedNode *>;
202e580d831SEugene Zelenko using GroupStorage = llvm::PointerUnion<ExplodedNode *, ExplodedNodeVector *>;
203fa0734ecSArgyrios Kyrtzidis
addPredecessor(ExplodedNode * V,ExplodedGraph & G)204fa0734ecSArgyrios Kyrtzidis void ExplodedNode::addPredecessor(ExplodedNode *V, ExplodedGraph &G) {
205fa0734ecSArgyrios Kyrtzidis assert(!V->isSink());
206fa0734ecSArgyrios Kyrtzidis Preds.addNode(V, G);
207fa0734ecSArgyrios Kyrtzidis V->Succs.addNode(this, G);
208fa0734ecSArgyrios Kyrtzidis }
209fa0734ecSArgyrios Kyrtzidis
replaceNode(ExplodedNode * node)210a40f8ebcSTed Kremenek void ExplodedNode::NodeGroup::replaceNode(ExplodedNode *node) {
2112b10f3f8SJordan Rose assert(!getFlag());
2122b10f3f8SJordan Rose
21380547386SJordan Rose GroupStorage &Storage = reinterpret_cast<GroupStorage&>(P);
21480547386SJordan Rose assert(Storage.is<ExplodedNode *>());
21580547386SJordan Rose Storage = node;
21680547386SJordan Rose assert(Storage.is<ExplodedNode *>());
217a40f8ebcSTed Kremenek }
218a40f8ebcSTed Kremenek
addNode(ExplodedNode * N,ExplodedGraph & G)219fa0734ecSArgyrios Kyrtzidis void ExplodedNode::NodeGroup::addNode(ExplodedNode *N, ExplodedGraph &G) {
220fa0734ecSArgyrios Kyrtzidis assert(!getFlag());
221fa0734ecSArgyrios Kyrtzidis
22280547386SJordan Rose GroupStorage &Storage = reinterpret_cast<GroupStorage&>(P);
22380547386SJordan Rose if (Storage.isNull()) {
22480547386SJordan Rose Storage = N;
22580547386SJordan Rose assert(Storage.is<ExplodedNode *>());
22680547386SJordan Rose return;
22780547386SJordan Rose }
228fa0734ecSArgyrios Kyrtzidis
22980547386SJordan Rose ExplodedNodeVector *V = Storage.dyn_cast<ExplodedNodeVector *>();
23080547386SJordan Rose
23180547386SJordan Rose if (!V) {
23280547386SJordan Rose // Switch from single-node to multi-node representation.
23380547386SJordan Rose ExplodedNode *Old = Storage.get<ExplodedNode *>();
23480547386SJordan Rose
23580547386SJordan Rose BumpVectorContext &Ctx = G.getNodeAllocator();
23680547386SJordan Rose V = G.getAllocator().Allocate<ExplodedNodeVector>();
23780547386SJordan Rose new (V) ExplodedNodeVector(Ctx, 4);
23880547386SJordan Rose V->push_back(Old, Ctx);
23980547386SJordan Rose
24080547386SJordan Rose Storage = V;
24180547386SJordan Rose assert(!getFlag());
24280547386SJordan Rose assert(Storage.is<ExplodedNodeVector *>());
243fa0734ecSArgyrios Kyrtzidis }
24480547386SJordan Rose
24580547386SJordan Rose V->push_back(N, G.getNodeAllocator());
246fa0734ecSArgyrios Kyrtzidis }
247fa0734ecSArgyrios Kyrtzidis
size() const248fa0734ecSArgyrios Kyrtzidis unsigned ExplodedNode::NodeGroup::size() const {
249fa0734ecSArgyrios Kyrtzidis if (getFlag())
250fa0734ecSArgyrios Kyrtzidis return 0;
251fa0734ecSArgyrios Kyrtzidis
25280547386SJordan Rose const GroupStorage &Storage = reinterpret_cast<const GroupStorage &>(P);
25380547386SJordan Rose if (Storage.isNull())
25480547386SJordan Rose return 0;
25580547386SJordan Rose if (ExplodedNodeVector *V = Storage.dyn_cast<ExplodedNodeVector *>())
25680547386SJordan Rose return V->size();
25780547386SJordan Rose return 1;
258fa0734ecSArgyrios Kyrtzidis }
259fa0734ecSArgyrios Kyrtzidis
begin() const26080547386SJordan Rose ExplodedNode * const *ExplodedNode::NodeGroup::begin() const {
261fa0734ecSArgyrios Kyrtzidis if (getFlag())
2620dbb783cSCraig Topper return nullptr;
263fa0734ecSArgyrios Kyrtzidis
26480547386SJordan Rose const GroupStorage &Storage = reinterpret_cast<const GroupStorage &>(P);
26580547386SJordan Rose if (Storage.isNull())
2660dbb783cSCraig Topper return nullptr;
26780547386SJordan Rose if (ExplodedNodeVector *V = Storage.dyn_cast<ExplodedNodeVector *>())
26880547386SJordan Rose return V->begin();
26980547386SJordan Rose return Storage.getAddrOfPtr1();
270fa0734ecSArgyrios Kyrtzidis }
271fa0734ecSArgyrios Kyrtzidis
end() const27280547386SJordan Rose ExplodedNode * const *ExplodedNode::NodeGroup::end() const {
273fa0734ecSArgyrios Kyrtzidis if (getFlag())
2740dbb783cSCraig Topper return nullptr;
275fa0734ecSArgyrios Kyrtzidis
27680547386SJordan Rose const GroupStorage &Storage = reinterpret_cast<const GroupStorage &>(P);
27780547386SJordan Rose if (Storage.isNull())
2780dbb783cSCraig Topper return nullptr;
27980547386SJordan Rose if (ExplodedNodeVector *V = Storage.dyn_cast<ExplodedNodeVector *>())
28080547386SJordan Rose return V->end();
28180547386SJordan Rose return Storage.getAddrOfPtr1() + 1;
282fa0734ecSArgyrios Kyrtzidis }
283fa0734ecSArgyrios Kyrtzidis
isTrivial() const28498bee022SGeorge Karpenkov bool ExplodedNode::isTrivial() const {
28598bee022SGeorge Karpenkov return pred_size() == 1 && succ_size() == 1 &&
286ff6df778SGeorge Karpenkov getFirstPred()->getState()->getID() == getState()->getID() &&
287ff6df778SGeorge Karpenkov getFirstPred()->succ_size() == 1;
28898bee022SGeorge Karpenkov }
28998bee022SGeorge Karpenkov
getCFGBlock() const290dd53bdbfSKristof Umann const CFGBlock *ExplodedNode::getCFGBlock() const {
291dd53bdbfSKristof Umann ProgramPoint P = getLocation();
292dd53bdbfSKristof Umann if (auto BEP = P.getAs<BlockEntrance>())
293dd53bdbfSKristof Umann return BEP->getBlock();
294dd53bdbfSKristof Umann
295dd53bdbfSKristof Umann // Find the node's current statement in the CFG.
2966b85f8e9SArtem Dergachev // FIXME: getStmtForDiagnostics() does nasty things in order to provide
2976b85f8e9SArtem Dergachev // a valid statement for body farms, do we need this behavior here?
2986b85f8e9SArtem Dergachev if (const Stmt *S = getStmtForDiagnostics())
299dd53bdbfSKristof Umann return getLocationContext()
300dd53bdbfSKristof Umann ->getAnalysisDeclContext()
301dd53bdbfSKristof Umann ->getCFGStmtMap()
302dd53bdbfSKristof Umann ->getBlock(S);
303dd53bdbfSKristof Umann
304dd53bdbfSKristof Umann return nullptr;
305dd53bdbfSKristof Umann }
306dd53bdbfSKristof Umann
3076b85f8e9SArtem Dergachev static const LocationContext *
findTopAutosynthesizedParentContext(const LocationContext * LC)3086b85f8e9SArtem Dergachev findTopAutosynthesizedParentContext(const LocationContext *LC) {
3096b85f8e9SArtem Dergachev assert(LC->getAnalysisDeclContext()->isBodyAutosynthesized());
3106b85f8e9SArtem Dergachev const LocationContext *ParentLC = LC->getParent();
3116b85f8e9SArtem Dergachev assert(ParentLC && "We don't start analysis from autosynthesized code");
3126b85f8e9SArtem Dergachev while (ParentLC->getAnalysisDeclContext()->isBodyAutosynthesized()) {
3136b85f8e9SArtem Dergachev LC = ParentLC;
3146b85f8e9SArtem Dergachev ParentLC = LC->getParent();
3156b85f8e9SArtem Dergachev assert(ParentLC && "We don't start analysis from autosynthesized code");
3166b85f8e9SArtem Dergachev }
3176b85f8e9SArtem Dergachev return LC;
3186b85f8e9SArtem Dergachev }
3196b85f8e9SArtem Dergachev
getStmtForDiagnostics() const3206b85f8e9SArtem Dergachev const Stmt *ExplodedNode::getStmtForDiagnostics() const {
3216b85f8e9SArtem Dergachev // We cannot place diagnostics on autosynthesized code.
3226b85f8e9SArtem Dergachev // Put them onto the call site through which we jumped into autosynthesized
3236b85f8e9SArtem Dergachev // code for the first time.
3246b85f8e9SArtem Dergachev const LocationContext *LC = getLocationContext();
3256b85f8e9SArtem Dergachev if (LC->getAnalysisDeclContext()->isBodyAutosynthesized()) {
3266b85f8e9SArtem Dergachev // It must be a stack frame because we only autosynthesize functions.
3276b85f8e9SArtem Dergachev return cast<StackFrameContext>(findTopAutosynthesizedParentContext(LC))
3286b85f8e9SArtem Dergachev ->getCallSite();
3296b85f8e9SArtem Dergachev }
3306b85f8e9SArtem Dergachev // Otherwise, see if the node's program point directly points to a statement.
3316b85f8e9SArtem Dergachev // FIXME: Refactor into a ProgramPoint method?
3326b85f8e9SArtem Dergachev ProgramPoint P = getLocation();
3336b85f8e9SArtem Dergachev if (auto SP = P.getAs<StmtPoint>())
3346b85f8e9SArtem Dergachev return SP->getStmt();
3356b85f8e9SArtem Dergachev if (auto BE = P.getAs<BlockEdge>())
3366b85f8e9SArtem Dergachev return BE->getSrc()->getTerminatorStmt();
3376b85f8e9SArtem Dergachev if (auto CE = P.getAs<CallEnter>())
3386b85f8e9SArtem Dergachev return CE->getCallExpr();
3396b85f8e9SArtem Dergachev if (auto CEE = P.getAs<CallExitEnd>())
3406b85f8e9SArtem Dergachev return CEE->getCalleeContext()->getCallSite();
3416b85f8e9SArtem Dergachev if (auto PIPP = P.getAs<PostInitializer>())
3426b85f8e9SArtem Dergachev return PIPP->getInitializer()->getInit();
3436b85f8e9SArtem Dergachev if (auto CEB = P.getAs<CallExitBegin>())
3446b85f8e9SArtem Dergachev return CEB->getReturnStmt();
3456b85f8e9SArtem Dergachev if (auto FEP = P.getAs<FunctionExitPoint>())
3466b85f8e9SArtem Dergachev return FEP->getStmt();
3476b85f8e9SArtem Dergachev
3486b85f8e9SArtem Dergachev return nullptr;
3496b85f8e9SArtem Dergachev }
3506b85f8e9SArtem Dergachev
getNextStmtForDiagnostics() const3516b85f8e9SArtem Dergachev const Stmt *ExplodedNode::getNextStmtForDiagnostics() const {
3526b85f8e9SArtem Dergachev for (const ExplodedNode *N = getFirstSucc(); N; N = N->getFirstSucc()) {
3536b85f8e9SArtem Dergachev if (const Stmt *S = N->getStmtForDiagnostics()) {
3546b85f8e9SArtem Dergachev // Check if the statement is '?' or '&&'/'||'. These are "merges",
3556b85f8e9SArtem Dergachev // not actual statement points.
3566b85f8e9SArtem Dergachev switch (S->getStmtClass()) {
3576b85f8e9SArtem Dergachev case Stmt::ChooseExprClass:
3586b85f8e9SArtem Dergachev case Stmt::BinaryConditionalOperatorClass:
3596b85f8e9SArtem Dergachev case Stmt::ConditionalOperatorClass:
3606b85f8e9SArtem Dergachev continue;
3616b85f8e9SArtem Dergachev case Stmt::BinaryOperatorClass: {
3626b85f8e9SArtem Dergachev BinaryOperatorKind Op = cast<BinaryOperator>(S)->getOpcode();
3636b85f8e9SArtem Dergachev if (Op == BO_LAnd || Op == BO_LOr)
3646b85f8e9SArtem Dergachev continue;
3656b85f8e9SArtem Dergachev break;
3666b85f8e9SArtem Dergachev }
3676b85f8e9SArtem Dergachev default:
3686b85f8e9SArtem Dergachev break;
3696b85f8e9SArtem Dergachev }
3706b85f8e9SArtem Dergachev // We found the statement, so return it.
3716b85f8e9SArtem Dergachev return S;
3726b85f8e9SArtem Dergachev }
3736b85f8e9SArtem Dergachev }
3746b85f8e9SArtem Dergachev
3756b85f8e9SArtem Dergachev return nullptr;
3766b85f8e9SArtem Dergachev }
3776b85f8e9SArtem Dergachev
getPreviousStmtForDiagnostics() const3786b85f8e9SArtem Dergachev const Stmt *ExplodedNode::getPreviousStmtForDiagnostics() const {
3796b85f8e9SArtem Dergachev for (const ExplodedNode *N = getFirstPred(); N; N = N->getFirstPred())
3806b85f8e9SArtem Dergachev if (const Stmt *S = N->getStmtForDiagnostics())
3816b85f8e9SArtem Dergachev return S;
3826b85f8e9SArtem Dergachev
3836b85f8e9SArtem Dergachev return nullptr;
3846b85f8e9SArtem Dergachev }
3856b85f8e9SArtem Dergachev
getCurrentOrPreviousStmtForDiagnostics() const3866b85f8e9SArtem Dergachev const Stmt *ExplodedNode::getCurrentOrPreviousStmtForDiagnostics() const {
3876b85f8e9SArtem Dergachev if (const Stmt *S = getStmtForDiagnostics())
3886b85f8e9SArtem Dergachev return S;
3896b85f8e9SArtem Dergachev
3906b85f8e9SArtem Dergachev return getPreviousStmtForDiagnostics();
3916b85f8e9SArtem Dergachev }
3926b85f8e9SArtem Dergachev
getNode(const ProgramPoint & L,ProgramStateRef State,bool IsSink,bool * IsNew)393fa0734ecSArgyrios Kyrtzidis ExplodedNode *ExplodedGraph::getNode(const ProgramPoint &L,
39449b1e38eSTed Kremenek ProgramStateRef State,
39549ea5bf5SAnna Zaks bool IsSink,
39649ea5bf5SAnna Zaks bool* IsNew) {
397fa0734ecSArgyrios Kyrtzidis // Profile 'State' to determine if we already have an existing node.
398fa0734ecSArgyrios Kyrtzidis llvm::FoldingSetNodeID profile;
3990dbb783cSCraig Topper void *InsertPos = nullptr;
400fa0734ecSArgyrios Kyrtzidis
40149ea5bf5SAnna Zaks NodeTy::Profile(profile, L, State, IsSink);
402fa0734ecSArgyrios Kyrtzidis NodeTy* V = Nodes.FindNodeOrInsertPos(profile, InsertPos);
403fa0734ecSArgyrios Kyrtzidis
404fa0734ecSArgyrios Kyrtzidis if (!V) {
405a2aa929eSTed Kremenek if (!FreeNodes.empty()) {
406a2aa929eSTed Kremenek V = FreeNodes.back();
407a2aa929eSTed Kremenek FreeNodes.pop_back();
408a40f8ebcSTed Kremenek }
409a40f8ebcSTed Kremenek else {
410fa0734ecSArgyrios Kyrtzidis // Allocate a new node.
411fa0734ecSArgyrios Kyrtzidis V = (NodeTy*) getAllocator().Allocate<NodeTy>();
412a40f8ebcSTed Kremenek }
413a40f8ebcSTed Kremenek
41414e9eb3dSArtem Dergachev ++NumNodes;
41514e9eb3dSArtem Dergachev new (V) NodeTy(L, State, NumNodes, IsSink);
416fa0734ecSArgyrios Kyrtzidis
417746c06d0SJordan Rose if (ReclaimNodeInterval)
41835e55fe4STed Kremenek ChangedNodes.push_back(V);
41935e55fe4STed Kremenek
420fa0734ecSArgyrios Kyrtzidis // Insert the node into the node set and return it.
421fa0734ecSArgyrios Kyrtzidis Nodes.InsertNode(V, InsertPos);
422fa0734ecSArgyrios Kyrtzidis
423fa0734ecSArgyrios Kyrtzidis if (IsNew) *IsNew = true;
424fa0734ecSArgyrios Kyrtzidis }
425fa0734ecSArgyrios Kyrtzidis else
426fa0734ecSArgyrios Kyrtzidis if (IsNew) *IsNew = false;
427fa0734ecSArgyrios Kyrtzidis
428fa0734ecSArgyrios Kyrtzidis return V;
429fa0734ecSArgyrios Kyrtzidis }
430fa0734ecSArgyrios Kyrtzidis
createUncachedNode(const ProgramPoint & L,ProgramStateRef State,int64_t Id,bool IsSink)4314067e35fSBen Craig ExplodedNode *ExplodedGraph::createUncachedNode(const ProgramPoint &L,
4324067e35fSBen Craig ProgramStateRef State,
43314e9eb3dSArtem Dergachev int64_t Id,
4344067e35fSBen Craig bool IsSink) {
4354067e35fSBen Craig NodeTy *V = (NodeTy *) getAllocator().Allocate<NodeTy>();
43614e9eb3dSArtem Dergachev new (V) NodeTy(L, State, Id, IsSink);
4374067e35fSBen Craig return V;
4384067e35fSBen Craig }
4394067e35fSBen Craig
440b564d1fbSDavid Blaikie std::unique_ptr<ExplodedGraph>
trim(ArrayRef<const NodeTy * > Sinks,InterExplodedGraphMap * ForwardMap,InterExplodedGraphMap * InverseMap) const44125fac2f6SJordan Rose ExplodedGraph::trim(ArrayRef<const NodeTy *> Sinks,
4420833c84aSJordan Rose InterExplodedGraphMap *ForwardMap,
4430833c84aSJordan Rose InterExplodedGraphMap *InverseMap) const {
4440833c84aSJordan Rose if (Nodes.empty())
4450dbb783cSCraig Topper return nullptr;
446fa0734ecSArgyrios Kyrtzidis
447e580d831SEugene Zelenko using Pass1Ty = llvm::DenseSet<const ExplodedNode *>;
448fa0734ecSArgyrios Kyrtzidis Pass1Ty Pass1;
449fa0734ecSArgyrios Kyrtzidis
450e580d831SEugene Zelenko using Pass2Ty = InterExplodedGraphMap;
4510833c84aSJordan Rose InterExplodedGraphMap Pass2Scratch;
4520833c84aSJordan Rose Pass2Ty &Pass2 = ForwardMap ? *ForwardMap : Pass2Scratch;
453fa0734ecSArgyrios Kyrtzidis
4540e62c1ccSChris Lattner SmallVector<const ExplodedNode*, 10> WL1, WL2;
455fa0734ecSArgyrios Kyrtzidis
456fa0734ecSArgyrios Kyrtzidis // ===- Pass 1 (reverse DFS) -===
457e580d831SEugene Zelenko for (const auto Sink : Sinks)
458e580d831SEugene Zelenko if (Sink)
459e580d831SEugene Zelenko WL1.push_back(Sink);
460fa0734ecSArgyrios Kyrtzidis
4610833c84aSJordan Rose // Process the first worklist until it is empty.
462fa0734ecSArgyrios Kyrtzidis while (!WL1.empty()) {
46325284cc9SRobert Wilhelm const ExplodedNode *N = WL1.pop_back_val();
464fa0734ecSArgyrios Kyrtzidis
465fa0734ecSArgyrios Kyrtzidis // Have we already visited this node? If so, continue to the next one.
466ad8e079cSBenjamin Kramer if (!Pass1.insert(N).second)
467fa0734ecSArgyrios Kyrtzidis continue;
468fa0734ecSArgyrios Kyrtzidis
469fa0734ecSArgyrios Kyrtzidis // If this is a root enqueue it to the second worklist.
470fa0734ecSArgyrios Kyrtzidis if (N->Preds.empty()) {
471fa0734ecSArgyrios Kyrtzidis WL2.push_back(N);
472fa0734ecSArgyrios Kyrtzidis continue;
473fa0734ecSArgyrios Kyrtzidis }
474fa0734ecSArgyrios Kyrtzidis
475fa0734ecSArgyrios Kyrtzidis // Visit our predecessors and enqueue them.
476ad8e079cSBenjamin Kramer WL1.append(N->Preds.begin(), N->Preds.end());
477fa0734ecSArgyrios Kyrtzidis }
478fa0734ecSArgyrios Kyrtzidis
479fa0734ecSArgyrios Kyrtzidis // We didn't hit a root? Return with a null pointer for the new graph.
480fa0734ecSArgyrios Kyrtzidis if (WL2.empty())
4810dbb783cSCraig Topper return nullptr;
482fa0734ecSArgyrios Kyrtzidis
483fa0734ecSArgyrios Kyrtzidis // Create an empty graph.
484b564d1fbSDavid Blaikie std::unique_ptr<ExplodedGraph> G = MakeEmptyGraph();
485fa0734ecSArgyrios Kyrtzidis
486fa0734ecSArgyrios Kyrtzidis // ===- Pass 2 (forward DFS to construct the new graph) -===
487fa0734ecSArgyrios Kyrtzidis while (!WL2.empty()) {
48825284cc9SRobert Wilhelm const ExplodedNode *N = WL2.pop_back_val();
489fa0734ecSArgyrios Kyrtzidis
490fa0734ecSArgyrios Kyrtzidis // Skip this node if we have already processed it.
491fa0734ecSArgyrios Kyrtzidis if (Pass2.find(N) != Pass2.end())
492fa0734ecSArgyrios Kyrtzidis continue;
493fa0734ecSArgyrios Kyrtzidis
494fa0734ecSArgyrios Kyrtzidis // Create the corresponding node in the new graph and record the mapping
495fa0734ecSArgyrios Kyrtzidis // from the old node to the new node.
49614e9eb3dSArtem Dergachev ExplodedNode *NewN = G->createUncachedNode(N->getLocation(), N->State,
49714e9eb3dSArtem Dergachev N->getID(), N->isSink());
498fa0734ecSArgyrios Kyrtzidis Pass2[N] = NewN;
499fa0734ecSArgyrios Kyrtzidis
500fa0734ecSArgyrios Kyrtzidis // Also record the reverse mapping from the new node to the old node.
501fa0734ecSArgyrios Kyrtzidis if (InverseMap) (*InverseMap)[NewN] = N;
502fa0734ecSArgyrios Kyrtzidis
503fa0734ecSArgyrios Kyrtzidis // If this node is a root, designate it as such in the graph.
504fa0734ecSArgyrios Kyrtzidis if (N->Preds.empty())
505fa0734ecSArgyrios Kyrtzidis G->addRoot(NewN);
506fa0734ecSArgyrios Kyrtzidis
507fa0734ecSArgyrios Kyrtzidis // In the case that some of the intended predecessors of NewN have already
508fa0734ecSArgyrios Kyrtzidis // been created, we should hook them up as predecessors.
509fa0734ecSArgyrios Kyrtzidis
510fa0734ecSArgyrios Kyrtzidis // Walk through the predecessors of 'N' and hook up their corresponding
511fa0734ecSArgyrios Kyrtzidis // nodes in the new graph (if any) to the freshly created node.
51280547386SJordan Rose for (ExplodedNode::pred_iterator I = N->Preds.begin(), E = N->Preds.end();
51380547386SJordan Rose I != E; ++I) {
514fa0734ecSArgyrios Kyrtzidis Pass2Ty::iterator PI = Pass2.find(*I);
515fa0734ecSArgyrios Kyrtzidis if (PI == Pass2.end())
516fa0734ecSArgyrios Kyrtzidis continue;
517fa0734ecSArgyrios Kyrtzidis
5180833c84aSJordan Rose NewN->addPredecessor(const_cast<ExplodedNode *>(PI->second), *G);
519fa0734ecSArgyrios Kyrtzidis }
520fa0734ecSArgyrios Kyrtzidis
521fa0734ecSArgyrios Kyrtzidis // In the case that some of the intended successors of NewN have already
522fa0734ecSArgyrios Kyrtzidis // been created, we should hook them up as successors. Otherwise, enqueue
523fa0734ecSArgyrios Kyrtzidis // the new nodes from the original graph that should have nodes created
524fa0734ecSArgyrios Kyrtzidis // in the new graph.
52580547386SJordan Rose for (ExplodedNode::succ_iterator I = N->Succs.begin(), E = N->Succs.end();
52680547386SJordan Rose I != E; ++I) {
527fa0734ecSArgyrios Kyrtzidis Pass2Ty::iterator PI = Pass2.find(*I);
528fa0734ecSArgyrios Kyrtzidis if (PI != Pass2.end()) {
5290833c84aSJordan Rose const_cast<ExplodedNode *>(PI->second)->addPredecessor(NewN, *G);
530fa0734ecSArgyrios Kyrtzidis continue;
531fa0734ecSArgyrios Kyrtzidis }
532fa0734ecSArgyrios Kyrtzidis
533fa0734ecSArgyrios Kyrtzidis // Enqueue nodes to the worklist that were marked during pass 1.
534fa0734ecSArgyrios Kyrtzidis if (Pass1.count(*I))
535fa0734ecSArgyrios Kyrtzidis WL2.push_back(*I);
536fa0734ecSArgyrios Kyrtzidis }
537fa0734ecSArgyrios Kyrtzidis }
538fa0734ecSArgyrios Kyrtzidis
539fa0734ecSArgyrios Kyrtzidis return G;
540fa0734ecSArgyrios Kyrtzidis }
541