//===- ExplodedGraph.cpp - Local, Path-Sens. "Exploded Graph" -------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines the template classes ExplodedNode and ExplodedGraph,
// which represent a path-sensitive, intra-procedural "exploded graph."
//
//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
#include "clang/AST/Expr.h"
#include "clang/AST/ExprObjC.h"
#include "clang/AST/ParentMap.h"
#include "clang/AST/Stmt.h"
#include "clang/Analysis/CFGStmtMap.h"
#include "clang/Analysis/ProgramPoint.h"
#include "clang/Analysis/Support/BumpVector.h"
#include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
#include "llvm/ADT/DenseSet.h"
#include "llvm/ADT/FoldingSet.h"
#include "llvm/ADT/Optional.h"
#include "llvm/ADT/PointerUnion.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/Support/Casting.h"
#include <cassert>
#include <memory>

using namespace clang;
using namespace ento;

//===----------------------------------------------------------------------===//
// Cleanup.
//===----------------------------------------------------------------------===//

// Both special members are compiler-generated and defined out of line here.
// Neither destroys individual nodes explicitly: nodes are created with
// placement new on allocator-provided storage (see getNode() and
// createUncachedNode() below), so their storage lifetime follows the
// allocator, not these members.
ExplodedGraph::ExplodedGraph() = default;

ExplodedGraph::~ExplodedGraph() = default;

//===----------------------------------------------------------------------===//
// Node reclamation.
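//===----------------------------------------------------------------------===//

/// Returns true if \p Ex is an lvalue expression of one of the kinds that
/// shouldCollect() refuses to reclaim: DeclRefExpr, MemberExpr or
/// ObjCIvarRefExpr. Any non-lvalue expression yields false.
bool ExplodedGraph::isInterestingLValueExpr(const Expr *Ex) {
  if (!Ex->isLValue())
    return false;
  return isa<DeclRefExpr>(Ex) ||
         isa<MemberExpr>(Ex) ||
         isa<ObjCIvarRefExpr>(Ex);
}

/// Decides whether \p node may be removed from the graph by collectNode().
///
/// \returns true only when every condition listed in the body holds; any
/// failed condition returns false immediately. A true result implies that
/// \p node has exactly one predecessor and exactly one successor, which is
/// what collectNode() relies on when it splices the node out.
bool ExplodedGraph::shouldCollect(const ExplodedNode *node) {
  // First, we only consider nodes for reclamation if the following
  // conditions apply:
  //
  // (1) 1 predecessor (that has one successor)
  // (2) 1 successor (that has one predecessor)
  //
  // If a node has no successor it is on the "frontier", while a node
  // with no predecessor is a root.
  //
  // After these prerequisites, we discard all "filler" nodes that
  // are used only for intermediate processing, and are not essential
  // for analyzer history:
  //
  // (a) PreStmtPurgeDeadSymbols
  //
  // We then discard all other nodes where *all* of the following conditions
  // apply:
  //
  // (3) The ProgramPoint is for a PostStmt, but not a PostStore.
  // (4) There is no 'tag' for the ProgramPoint.
  // (5) The 'store' is the same as the predecessor.
  // (6) The 'GDM' is the same as the predecessor.
  // (7) The LocationContext is the same as the predecessor.
  // (8) Expressions that are *not* lvalue expressions.
  // (9) The PostStmt isn't for a non-consumed Stmt or Expr.
  // (10) The successor is neither a CallExpr StmtPoint nor a CallEnter or
  //      PreImplicitCall (so that we would be able to find it when retrying a
  //      call with no inlining).
  // FIXME: It may be safe to reclaim PreCall and PostCall nodes as well.

  // Conditions 1 and 2.
  if (node->pred_size() != 1 || node->succ_size() != 1)
    return false;

  const ExplodedNode *pred = *(node->pred_begin());
  if (pred->succ_size() != 1)
    return false;

  const ExplodedNode *succ = *(node->succ_begin());
  if (succ->pred_size() != 1)
    return false;

  // Now reclaim any nodes that are (by definition) not essential to
  // analysis history and are not consulted by any client code.
  ProgramPoint progPoint = node->getLocation();
  if (progPoint.getAs<PreStmtPurgeDeadSymbols>())
    return !progPoint.getTag();

  // Condition 3.
  if (!progPoint.getAs<PostStmt>() || progPoint.getAs<PostStore>())
    return false;

  // Condition 4.
  if (progPoint.getTag())
    return false;

  // Conditions 5, 6, and 7.
  ProgramStateRef state = node->getState();
  ProgramStateRef pred_state = pred->getState();
  if (state->store != pred_state->store || state->GDM != pred_state->GDM ||
      progPoint.getLocationContext() != pred->getLocationContext())
    return false;

  // All further checks require expressions. As per #3, we know that we have
  // a PostStmt.
  const Expr *Ex = dyn_cast<Expr>(progPoint.castAs<PostStmt>().getStmt());
  if (!Ex)
    return false;

  // Condition 8.
  // Do not collect nodes for "interesting" lvalue expressions since they are
  // used extensively for generating path diagnostics.
  if (isInterestingLValueExpr(Ex))
    return false;

  // Condition 9.
  // Do not collect nodes for non-consumed Stmt or Expr to ensure precise
  // diagnostic generation; specifically, so that we could anchor arrows
  // pointing to the beginning of statements (as written in code).
  const ParentMap &PM = progPoint.getLocationContext()->getParentMap();
  if (!PM.isConsumedExpr(Ex))
    return false;

  // Condition 10.
  const ProgramPoint SuccLoc = succ->getLocation();
  if (Optional<StmtPoint> SP = SuccLoc.getAs<StmtPoint>())
    if (CallEvent::isCallStmt(SP->getStmt()))
      return false;

  // Condition 10, continuation.
  if (SuccLoc.getAs<CallEnter>() || SuccLoc.getAs<PreImplicitCall>())
    return false;

  return true;
}

/// Splices \p node out of the graph and parks its storage for reuse.
///
/// Precondition: \p node has exactly one predecessor and exactly one
/// successor (shouldCollect() returned true for it). Both edges are
/// dereferenced unconditionally below, and NodeGroup::begin() returns
/// nullptr for an empty group, so a node missing either edge would be a
/// null dereference.
///
/// Lifetime: the node is destroyed in place but its memory is not released.
/// The pointer is pushed onto FreeNodes and getNode() later constructs an
/// unrelated node at the same address with placement new. Any pointer to
/// \p node retained past this call refers to a destroyed object, and after
/// reuse silently aliases a different node.
void ExplodedGraph::collectNode(ExplodedNode *node) {
  // Removing a node means:
  // (a) changing the predecessor's successor to the successor of this node
  // (b) changing the successor's predecessor to the predecessor of this node
  // (c) Putting 'node' onto freeNodes.

  // The original check joined the two size tests with '||', which accepted a
  // node that has only one of the two edges even though both are read below.
  // Note that assert is compiled out when NDEBUG is defined, so this is a
  // debug-build check only; callers must still gate on shouldCollect().
  assert(node->pred_size() == 1 && node->succ_size() == 1 &&
         "collectNode requires exactly one predecessor and one successor");
  ExplodedNode *pred = *(node->pred_begin());
  ExplodedNode *succ = *(node->succ_begin());
  pred->replaceSuccessor(succ);
  succ->replacePredecessor(pred);
  FreeNodes.push_back(node);
  Nodes.RemoveNode(node);
  --NumNodes;
  // Explicit destructor call: the storage stays reserved on FreeNodes.
  node->~ExplodedNode();
}

/// Periodically sweeps ChangedNodes and collects every node for which
/// shouldCollect() returns true.
///
/// Does nothing when ChangedNodes is empty. Otherwise ReclaimCounter is
/// decremented, and only when it reaches zero is it reset to
/// ReclaimNodeInterval and the sweep performed; ChangedNodes is cleared
/// after the sweep.
void ExplodedGraph::reclaimRecentlyAllocatedNodes() {
  if (ChangedNodes.empty())
    return;

  // Only periodically reclaim nodes so that we can build up a set of
  // nodes that meet the reclamation criteria.  Freshly created nodes
  // by definition have no successor, and thus cannot be reclaimed (see below).
  assert(ReclaimCounter > 0);
  if (--ReclaimCounter != 0)
    return;
  ReclaimCounter = ReclaimNodeInterval;

  for (const auto node : ChangedNodes)
    if (shouldCollect(node))
      collectNode(node);
  ChangedNodes.clear();
}

//===----------------------------------------------------------------------===//
// ExplodedNode.
//===----------------------------------------------------------------------===//

// A NodeGroup's storage type is actually very much like a TinyPtrVector:
// it can be either a pointer to a single ExplodedNode, or a pointer to a
// BumpVector allocated with the ExplodedGraph's allocator. This allows the
// common case of single-node NodeGroups to be implemented with no extra memory.
//
// Consequently, each of the NodeGroup methods has up to four cases to handle:
// 1. The flag is set and this group does not actually contain any nodes.
// 2. The group is empty, in which case the storage value is null.
// 3. The group contains a single node.
// 4. The group contains more than one node.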
using ExplodedNodeVector = BumpVector<ExplodedNode *>;
using GroupStorage = llvm::PointerUnion<ExplodedNode *, ExplodedNodeVector *>;

/// Records \p V as a predecessor of this node and this node as a successor
/// of \p V, so the edge is visible from both ends.
///
/// \param V the predecessor; asserted not to be a sink.
/// \param G the owning graph, whose allocators back any group growth.
void ExplodedNode::addPredecessor(ExplodedNode *V, ExplodedGraph &G) {
  assert(!V->isSink());
  Preds.addNode(V, G);
  V->Succs.addNode(this, G);
}

/// Overwrites the single node held by this group with \p node.
///
/// Only valid for an unflagged group in the single-pointer representation;
/// both conditions are asserted. The raw member P is reinterpreted as a
/// GroupStorage to read and write the tagged pointer.
void ExplodedNode::NodeGroup::replaceNode(ExplodedNode *node) {
  assert(!getFlag());

  auto &Slot = reinterpret_cast<GroupStorage &>(P);
  assert(Slot.is<ExplodedNode *>());
  Slot = node;
  // The assignment must not have switched the representation.
  assert(Slot.is<ExplodedNode *>());
}

/// Appends \p N to this group, promoting the storage from a single inline
/// pointer to a BumpVector when a second node arrives.
///
/// \param N the node to add.
/// \param G the owning graph; the vector object comes from G.getAllocator()
///          and its elements from G.getNodeAllocator().
void ExplodedNode::NodeGroup::addNode(ExplodedNode *N, ExplodedGraph &G) {
  assert(!getFlag());

  auto &Slot = reinterpret_cast<GroupStorage &>(P);

  // Empty group: keep the one node inline, no allocation needed.
  if (Slot.isNull()) {
    Slot = N;
    assert(Slot.is<ExplodedNode *>());
    return;
  }

  auto *Vec = Slot.dyn_cast<ExplodedNodeVector *>();

  if (Vec == nullptr) {
    // Switch from single-node to multi-node representation.
    ExplodedNode *Single = Slot.get<ExplodedNode *>();

    BumpVectorContext &VecCtx = G.getNodeAllocator();
    Vec = G.getAllocator().Allocate<ExplodedNodeVector>();
    // Allocate() hands back raw storage; construct the vector in place.
    new (Vec) ExplodedNodeVector(VecCtx, 4);
    Vec->push_back(Single, VecCtx);

    Slot = Vec;
    assert(!getFlag());
    assert(Slot.is<ExplodedNodeVector *>());
  }

  Vec->push_back(N, G.getNodeAllocator());
}

/// Number of nodes in the group: 0 when the flag is set or the storage is
/// null, the vector's size in the multi-node representation, otherwise 1.
unsigned ExplodedNode::NodeGroup::size() const {
  if (getFlag())
    return 0;

  const auto &Slot = reinterpret_cast<const GroupStorage &>(P);
  if (Slot.isNull())
    return 0;

  auto *Vec = Slot.dyn_cast<ExplodedNodeVector *>();
  if (Vec)
    return Vec->size();
  return 1;
}

/// Pointer to the first element of the group, or nullptr when the flag is
/// set or the group is empty. In the single-node representation this is the
/// address of the inline pointer itself.
ExplodedNode * const *ExplodedNode::NodeGroup::begin() const {
  if (getFlag())
    return nullptr;

  const auto &Slot = reinterpret_cast<const GroupStorage &>(P);
  if (Slot.isNull())
    return nullptr;

  auto *Vec = Slot.dyn_cast<ExplodedNodeVector *>();
  if (Vec)
    return Vec->begin();
  return Slot.getAddrOfPtr1();
}

/// One-past-the-end pointer matching begin(): nullptr when the flag is set
/// or the group is empty, the vector's end() in the multi-node
/// representation, otherwise the inline pointer's address plus one.
ExplodedNode * const *ExplodedNode::NodeGroup::end() const {
  if (getFlag())
    return nullptr;

  const auto &Slot = reinterpret_cast<const GroupStorage &>(P);
  if (Slot.isNull())
    return nullptr;

  auto *Vec = Slot.dyn_cast<ExplodedNodeVector *>();
  if (Vec)
    return Vec->end();
  return Slot.getAddrOfPtr1() + 1;
}

/// True when this node has exactly one predecessor and one successor, its
/// predecessor's state has the same ID as this node's state, and that
/// predecessor has exactly one successor.
bool ExplodedNode::isTrivial() const {
  if (pred_size() != 1 || succ_size() != 1)
    return false;

  return getFirstPred()->getState()->getID() == getState()->getID() &&
         getFirstPred()->succ_size() == 1;
}

/// Returns the CFG block for this node: the entered block for a
/// BlockEntrance point, otherwise the block that the CFGStmtMap associates
/// with getStmtForDiagnostics(), or nullptr when there is no such statement.
const CFGBlock *ExplodedNode::getCFGBlock() const {
  ProgramPoint Loc = getLocation();
  if (auto Entrance = Loc.getAs<BlockEntrance>())
    return Entrance->getBlock();

  // Find the node's current statement in the CFG.
  // FIXME: getStmtForDiagnostics() does nasty things in order to provide
  // a valid statement for body farms, do we need this behavior here?
  const Stmt *S = getStmtForDiagnostics();
  if (!S)
    return nullptr;

  return getLocationContext()
      ->getAnalysisDeclContext()
      ->getCFGStmtMap()
      ->getBlock(S);
}

/// Walks up from \p LC while the parent context is also autosynthesized and
/// returns the outermost autosynthesized context reached.
///
/// \p LC itself must be autosynthesized and every context visited must have
/// a parent; both are asserted (debug builds only).
static const LocationContext *
findTopAutosynthesizedParentContext(const LocationContext *LC) {
  assert(LC->getAnalysisDeclContext()->isBodyAutosynthesized());
  for (;;) {
    const LocationContext *Parent = LC->getParent();
    assert(Parent && "We don't start analysis from autosynthesized code");
    if (!Parent->getAnalysisDeclContext()->isBodyAutosynthesized())
      return LC;
    LC = Parent;
  }
}

/// Picks the statement a diagnostic for this node should be attached to, or
/// nullptr if the program point maps to none of the handled kinds.
const Stmt *ExplodedNode::getStmtForDiagnostics() const {
  // We cannot place diagnostics on autosynthesized code.
  // Put them onto the call site through which we jumped into autosynthesized
  // code for the first time.
  const LocationContext *Ctx = getLocationContext();
  if (Ctx->getAnalysisDeclContext()->isBodyAutosynthesized()) {
    // It must be a stack frame because we only autosynthesize functions.
    const LocationContext *Top = findTopAutosynthesizedParentContext(Ctx);
    return cast<StackFrameContext>(Top)->getCallSite();
  }

  // Otherwise, see if the node's program point directly points to a statement.
  // FIXME: Refactor into a ProgramPoint method?
  ProgramPoint Loc = getLocation();
  if (auto StmtLoc = Loc.getAs<StmtPoint>())
    return StmtLoc->getStmt();
  if (auto Edge = Loc.getAs<BlockEdge>())
    return Edge->getSrc()->getTerminatorStmt();
  if (auto Enter = Loc.getAs<CallEnter>())
    return Enter->getCallExpr();
  if (auto ExitEnd = Loc.getAs<CallExitEnd>())
    return ExitEnd->getCalleeContext()->getCallSite();
  if (auto PostInit = Loc.getAs<PostInitializer>())
    return PostInit->getInitializer()->getInit();
  if (auto ExitBegin = Loc.getAs<CallExitBegin>())
    return ExitBegin->getReturnStmt();
  if (auto FnExit = Loc.getAs<FunctionExitPoint>())
    return FnExit->getStmt();

  return nullptr;
}

/// Follows first-successor links and returns the first diagnostic statement
/// that is not a "merge" ('?', '&&', '||', __builtin_choose_expr), or
/// nullptr if the chain ends first.
const Stmt *ExplodedNode::getNextStmtForDiagnostics() const {
  for (const ExplodedNode *Succ = getFirstSucc(); Succ;
       Succ = Succ->getFirstSucc()) {
    const Stmt *S = Succ->getStmtForDiagnostics();
    if (!S)
      continue;

    // Check if the statement is '?' or '&&'/'||'.  These are "merges",
    // not actual statement points.
    const Stmt::StmtClass Kind = S->getStmtClass();
    if (Kind == Stmt::ChooseExprClass ||
        Kind == Stmt::BinaryConditionalOperatorClass ||
        Kind == Stmt::ConditionalOperatorClass)
      continue;

    if (Kind == Stmt::BinaryOperatorClass) {
      const BinaryOperatorKind Op = cast<BinaryOperator>(S)->getOpcode();
      if (Op == BO_LAnd || Op == BO_LOr)
        continue;
    }

    // We found the statement, so return it.
    return S;
  }

  return nullptr;
}

/// Follows first-predecessor links and returns the first non-null
/// diagnostic statement found, or nullptr if the chain ends first.
const Stmt *ExplodedNode::getPreviousStmtForDiagnostics() const {
  const ExplodedNode *Pred = getFirstPred();
  while (Pred) {
    if (const Stmt *S = Pred->getStmtForDiagnostics())
      return S;
    Pred = Pred->getFirstPred();
  }

  return nullptr;
}

/// This node's diagnostic statement if it has one, otherwise the result of
/// getPreviousStmtForDiagnostics().
const Stmt *ExplodedNode::getCurrentOrPreviousStmtForDiagnostics() const {
  const Stmt *S = getStmtForDiagnostics();
  return S ? S : getPreviousStmtForDiagnostics();
}

/// Returns the node for (\p L, \p State, \p IsSink), creating it if the
/// folding set has no match.
///
/// \param IsNew optional out-parameter: set to true when a node was created,
///              false when an existing node was returned.
///
/// A created node is built with placement new either on storage recycled
/// from FreeNodes (previously destroyed by collectNode()) or on fresh
/// allocator storage, and is given the incremented NumNodes as its id.
///
/// NOTE(review): collectNode() decrements NumNodes, so after a reclamation
/// the id handed out here can equal the id of a node that is still live.
/// Confirm whether consumers of getID() rely on ids being unique.
ExplodedNode *ExplodedGraph::getNode(const ProgramPoint &L,
                                     ProgramStateRef State,
                                     bool IsSink,
                                     bool* IsNew) {
  // Profile 'State' to determine if we already have an existing node.
  llvm::FoldingSetNodeID ID;
  void *InsertPos = nullptr;
  NodeTy::Profile(ID, L, State, IsSink);

  if (NodeTy *Existing = Nodes.FindNodeOrInsertPos(ID, InsertPos)) {
    if (IsNew)
      *IsNew = false;
    return Existing;
  }

  NodeTy *Fresh;
  if (FreeNodes.empty()) {
    // Allocate a new node.
    Fresh = getAllocator().Allocate<NodeTy>();
  } else {
    // Recycle storage whose previous occupant was already destroyed.
    Fresh = FreeNodes.back();
    FreeNodes.pop_back();
  }

  ++NumNodes;
  new (Fresh) NodeTy(L, State, NumNodes, IsSink);

  // Only track the node for later reclamation when reclamation is enabled.
  if (ReclaimNodeInterval)
    ChangedNodes.push_back(Fresh);

  // Insert the node into the node set and return it.
  Nodes.InsertNode(Fresh, InsertPos);

  if (IsNew)
    *IsNew = true;
  return Fresh;
}

/// Constructs a node on fresh allocator storage with the caller-supplied
/// \p Id. The node is not inserted into the Nodes folding set and NumNodes
/// is left untouched.
ExplodedNode *ExplodedGraph::createUncachedNode(const ProgramPoint &L,
                                                ProgramStateRef State,
                                                int64_t Id,
                                                bool IsSink) {
  NodeTy *Storage = getAllocator().Allocate<NodeTy>();
  return new (Storage) NodeTy(L, State, Id, IsSink);
}

/// Builds a new graph holding only the nodes that lie on some path from a
/// root to one of \p Sinks.
///
/// \param Sinks      nodes to keep paths to; null entries are ignored.
/// \param ForwardMap if non-null, receives the old-node -> new-node mapping.
///                   It also serves as the "already copied" set in pass 2,
///                   so entries present on entry cause those nodes to be
///                   skipped (presumably callers pass an empty map; verify
///                   against callers).
/// \param InverseMap if non-null, receives the new-node -> old-node mapping.
/// \returns the trimmed graph, or nullptr when this graph has no nodes or
///          no root is reachable backwards from \p Sinks.
///
/// New nodes keep the original node's id (N->getID()).
std::unique_ptr<ExplodedGraph>
ExplodedGraph::trim(ArrayRef<const NodeTy *> Sinks,
                    InterExplodedGraphMap *ForwardMap,
                    InterExplodedGraphMap *InverseMap) const {
  if (Nodes.empty())
    return nullptr;

  // Nodes reached by the backward walk from the sinks.
  llvm::DenseSet<const ExplodedNode *> Reachable;

  // Old-to-new mapping; use the caller's map when one was supplied.
  InterExplodedGraphMap LocalMap;
  InterExplodedGraphMap &OldToNew = ForwardMap ? *ForwardMap : LocalMap;

  SmallVector<const ExplodedNode*, 10> BackwardWL, ForwardWL;

  // ===- Pass 1 (reverse DFS) -===
  for (const NodeTy *Sink : Sinks) {
    if (Sink)
      BackwardWL.push_back(Sink);
  }

  // Process the first worklist until it is empty.
  while (!BackwardWL.empty()) {
    const ExplodedNode *N = BackwardWL.pop_back_val();

    // Have we already visited this node?  If so, continue to the next one.
    if (!Reachable.insert(N).second)
      continue;

    if (N->Preds.empty()) {
      // If this is a root enqueue it to the second worklist.
      ForwardWL.push_back(N);
    } else {
      // Visit our predecessors and enqueue them.
      BackwardWL.append(N->Preds.begin(), N->Preds.end());
    }
  }

  // We didn't hit a root? Return with a null pointer for the new graph.
  if (ForwardWL.empty())
    return nullptr;

  // Create an empty graph.
  std::unique_ptr<ExplodedGraph> G = MakeEmptyGraph();

  // ===- Pass 2 (forward DFS to construct the new graph) -===
  while (!ForwardWL.empty()) {
    const ExplodedNode *N = ForwardWL.pop_back_val();

    // Skip this node if we have already processed it.
    if (OldToNew.count(N))
      continue;

    // Create the corresponding node in the new graph and record the mapping
    // from the old node to the new node.
    ExplodedNode *NewN = G->createUncachedNode(N->getLocation(), N->State,
                                               N->getID(), N->isSink());
    OldToNew[N] = NewN;

    // Also record the reverse mapping from the new node to the old node.
    if (InverseMap)
      (*InverseMap)[NewN] = N;

    // If this node is a root, designate it as such in the graph.
    if (N->Preds.empty())
      G->addRoot(NewN);

    // In the case that some of the intended predecessors of NewN have already
    // been created, we should hook them up as predecessors.

    // Walk through the predecessors of 'N' and hook up their corresponding
    // nodes in the new graph (if any) to the freshly created node.
    for (const ExplodedNode *OldPred : N->Preds) {
      auto Copied = OldToNew.find(OldPred);
      if (Copied != OldToNew.end())
        NewN->addPredecessor(const_cast<ExplodedNode *>(Copied->second), *G);
    }

    // In the case that some of the intended successors of NewN have already
    // been created, we should hook them up as successors.  Otherwise, enqueue
    // the new nodes from the original graph that should have nodes created
    // in the new graph.
    for (const ExplodedNode *OldSucc : N->Succs) {
      auto Copied = OldToNew.find(OldSucc);
      if (Copied != OldToNew.end()) {
        const_cast<ExplodedNode *>(Copied->second)->addPredecessor(NewN, *G);
      } else if (Reachable.count(OldSucc)) {
        // Enqueue nodes to the worklist that were marked during pass 1.
        ForwardWL.push_back(OldSucc);
      }
    }
  }

  return G;
}