1 //=-- ExprEngine.cpp - Path-Sensitive Expression-Level Dataflow ---*- C++ -*-= 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines a meta-engine for path-sensitive dataflow analysis that 11 // is built on GREngine, but provides the boilerplate to execute transfer 12 // functions and build the ExplodedGraph at the expression level. 13 // 14 //===----------------------------------------------------------------------===// 15 16 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 17 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 18 #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" 19 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 20 #include "clang/StaticAnalyzer/Core/PathSensitive/ObjCMessage.h" 21 #include "clang/AST/CharUnits.h" 22 #include "clang/AST/ParentMap.h" 23 #include "clang/AST/StmtObjC.h" 24 #include "clang/AST/DeclCXX.h" 25 #include "clang/Basic/Builtins.h" 26 #include "clang/Basic/SourceManager.h" 27 #include "clang/Basic/SourceManager.h" 28 #include "clang/Basic/PrettyStackTrace.h" 29 #include "llvm/Support/raw_ostream.h" 30 #include "llvm/ADT/ImmutableList.h" 31 32 #ifndef NDEBUG 33 #include "llvm/Support/GraphWriter.h" 34 #endif 35 36 using namespace clang; 37 using namespace ento; 38 using llvm::APSInt; 39 40 //===----------------------------------------------------------------------===// 41 // Utility functions. 42 //===----------------------------------------------------------------------===// 43 44 static inline Selector GetNullarySelector(const char* name, ASTContext &Ctx) { 45 IdentifierInfo* II = &Ctx.Idents.get(name); 46 return Ctx.Selectors.getSelector(0, &II); 47 } 48 49 //===----------------------------------------------------------------------===// 50 // Engine construction and deletion. 51 //===----------------------------------------------------------------------===// 52 53 ExprEngine::ExprEngine(AnalysisManager &mgr, bool gcEnabled) 54 : AMgr(mgr), 55 AnalysisDeclContexts(mgr.getAnalysisDeclContextManager()), 56 Engine(*this), 57 G(Engine.getGraph()), 58 StateMgr(getContext(), mgr.getStoreManagerCreator(), 59 mgr.getConstraintManagerCreator(), G.getAllocator(), 60 *this), 61 SymMgr(StateMgr.getSymbolManager()), 62 svalBuilder(StateMgr.getSValBuilder()), 63 EntryNode(NULL), 64 currentStmt(NULL), currentStmtIdx(0), currentBuilderContext(0), 65 NSExceptionII(NULL), NSExceptionInstanceRaiseSelectors(NULL), 66 RaiseSel(GetNullarySelector("raise", getContext())), 67 ObjCGCEnabled(gcEnabled), BR(mgr, *this) { 68 69 if (mgr.shouldEagerlyTrimExplodedGraph()) { 70 // Enable eager node reclaimation when constructing the ExplodedGraph. 71 G.enableNodeReclamation(); 72 } 73 } 74 75 ExprEngine::~ExprEngine() { 76 BR.FlushReports(); 77 delete [] NSExceptionInstanceRaiseSelectors; 78 } 79 80 //===----------------------------------------------------------------------===// 81 // Utility methods. 82 //===----------------------------------------------------------------------===// 83 84 const ProgramState *ExprEngine::getInitialState(const LocationContext *InitLoc) { 85 const ProgramState *state = StateMgr.getInitialState(InitLoc); 86 87 // Preconditions. 88 89 // FIXME: It would be nice if we had a more general mechanism to add 90 // such preconditions. Some day. 91 do { 92 const Decl *D = InitLoc->getDecl(); 93 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) { 94 // Precondition: the first argument of 'main' is an integer guaranteed 95 // to be > 0. 96 const IdentifierInfo *II = FD->getIdentifier(); 97 if (!II || !(II->getName() == "main" && FD->getNumParams() > 0)) 98 break; 99 100 const ParmVarDecl *PD = FD->getParamDecl(0); 101 QualType T = PD->getType(); 102 if (!T->isIntegerType()) 103 break; 104 105 const MemRegion *R = state->getRegion(PD, InitLoc); 106 if (!R) 107 break; 108 109 SVal V = state->getSVal(loc::MemRegionVal(R)); 110 SVal Constraint_untested = evalBinOp(state, BO_GT, V, 111 svalBuilder.makeZeroVal(T), 112 getContext().IntTy); 113 114 DefinedOrUnknownSVal *Constraint = 115 dyn_cast<DefinedOrUnknownSVal>(&Constraint_untested); 116 117 if (!Constraint) 118 break; 119 120 if (const ProgramState *newState = state->assume(*Constraint, true)) 121 state = newState; 122 123 break; 124 } 125 126 if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(D)) { 127 // Precondition: 'self' is always non-null upon entry to an Objective-C 128 // method. 129 const ImplicitParamDecl *SelfD = MD->getSelfDecl(); 130 const MemRegion *R = state->getRegion(SelfD, InitLoc); 131 SVal V = state->getSVal(loc::MemRegionVal(R)); 132 133 if (const Loc *LV = dyn_cast<Loc>(&V)) { 134 // Assume that the pointer value in 'self' is non-null. 135 state = state->assume(*LV, true); 136 assert(state && "'self' cannot be null"); 137 } 138 } 139 } while (0); 140 141 return state; 142 } 143 144 bool 145 ExprEngine::doesInvalidateGlobals(const CallOrObjCMessage &callOrMessage) const 146 { 147 if (callOrMessage.isFunctionCall() && !callOrMessage.isCXXCall()) { 148 SVal calleeV = callOrMessage.getFunctionCallee(); 149 if (const FunctionTextRegion *codeR = 150 dyn_cast_or_null<FunctionTextRegion>(calleeV.getAsRegion())) { 151 152 const FunctionDecl *fd = codeR->getDecl(); 153 if (const IdentifierInfo *ii = fd->getIdentifier()) { 154 StringRef fname = ii->getName(); 155 if (fname == "strlen") 156 return false; 157 } 158 } 159 } 160 161 // The conservative answer: invalidates globals. 162 return true; 163 } 164 165 //===----------------------------------------------------------------------===// 166 // Top-level transfer function logic (Dispatcher). 167 //===----------------------------------------------------------------------===// 168 169 /// evalAssume - Called by ConstraintManager. Used to call checker-specific 170 /// logic for handling assumptions on symbolic values. 171 const ProgramState *ExprEngine::processAssume(const ProgramState *state, 172 SVal cond, bool assumption) { 173 return getCheckerManager().runCheckersForEvalAssume(state, cond, assumption); 174 } 175 176 bool ExprEngine::wantsRegionChangeUpdate(const ProgramState *state) { 177 return getCheckerManager().wantsRegionChangeUpdate(state); 178 } 179 180 const ProgramState * 181 ExprEngine::processRegionChanges(const ProgramState *state, 182 const StoreManager::InvalidatedSymbols *invalidated, 183 ArrayRef<const MemRegion *> Explicits, 184 ArrayRef<const MemRegion *> Regions) { 185 return getCheckerManager().runCheckersForRegionChanges(state, invalidated, 186 Explicits, Regions); 187 } 188 189 void ExprEngine::printState(raw_ostream &Out, const ProgramState *State, 190 const char *NL, const char *Sep) { 191 getCheckerManager().runCheckersForPrintState(Out, State, NL, Sep); 192 } 193 194 void ExprEngine::processEndWorklist(bool hasWorkRemaining) { 195 getCheckerManager().runCheckersForEndAnalysis(G, BR, *this); 196 } 197 198 void ExprEngine::processCFGElement(const CFGElement E, ExplodedNode *Pred, 199 unsigned StmtIdx, NodeBuilderContext *Ctx) { 200 currentStmtIdx = StmtIdx; 201 currentBuilderContext = Ctx; 202 203 switch (E.getKind()) { 204 case CFGElement::Invalid: 205 llvm_unreachable("Unexpected CFGElement kind."); 206 case CFGElement::Statement: 207 ProcessStmt(const_cast<Stmt*>(E.getAs<CFGStmt>()->getStmt()), Pred); 208 return; 209 case CFGElement::Initializer: 210 ProcessInitializer(E.getAs<CFGInitializer>()->getInitializer(), Pred); 211 return; 212 case CFGElement::AutomaticObjectDtor: 213 case CFGElement::BaseDtor: 214 case CFGElement::MemberDtor: 215 case CFGElement::TemporaryDtor: 216 ProcessImplicitDtor(*E.getAs<CFGImplicitDtor>(), Pred); 217 return; 218 } 219 currentStmtIdx = 0; 220 currentBuilderContext = 0; 221 } 222 223 void ExprEngine::ProcessStmt(const CFGStmt S, 224 ExplodedNode *Pred) { 225 // TODO: Use RAII to remove the unnecessary, tagged nodes. 226 //RegisterCreatedNodes registerCreatedNodes(getGraph()); 227 228 // Reclaim any unnecessary nodes in the ExplodedGraph. 229 G.reclaimRecentlyAllocatedNodes(); 230 // Recycle any unused states in the ProgramStateManager. 231 StateMgr.recycleUnusedStates(); 232 233 currentStmt = S.getStmt(); 234 PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), 235 currentStmt->getLocStart(), 236 "Error evaluating statement"); 237 238 EntryNode = Pred; 239 240 const ProgramState *EntryState = EntryNode->getState(); 241 CleanedState = EntryState; 242 243 // Create the cleaned state. 244 const LocationContext *LC = EntryNode->getLocationContext(); 245 SymbolReaper SymReaper(LC, currentStmt, SymMgr, getStoreManager()); 246 247 if (AMgr.getPurgeMode() != PurgeNone) { 248 getCheckerManager().runCheckersForLiveSymbols(CleanedState, SymReaper); 249 250 const StackFrameContext *SFC = LC->getCurrentStackFrame(); 251 252 // Create a state in which dead bindings are removed from the environment 253 // and the store. TODO: The function should just return new env and store, 254 // not a new state. 255 CleanedState = StateMgr.removeDeadBindings(CleanedState, SFC, SymReaper); 256 } 257 258 // Process any special transfer function for dead symbols. 259 ExplodedNodeSet Tmp; 260 // A tag to track convenience transitions, which can be removed at cleanup. 261 static SimpleProgramPointTag cleanupTag("ExprEngine : Clean Node"); 262 263 if (!SymReaper.hasDeadSymbols()) { 264 // Generate a CleanedNode that has the environment and store cleaned 265 // up. Since no symbols are dead, we can optimize and not clean out 266 // the constraint manager. 267 StmtNodeBuilder Bldr(Pred, Tmp, *currentBuilderContext); 268 Bldr.generateNode(currentStmt, EntryNode, CleanedState, false, &cleanupTag); 269 270 } else { 271 // Call checkers with the non-cleaned state so that they could query the 272 // values of the soon to be dead symbols. 273 ExplodedNodeSet CheckedSet; 274 getCheckerManager().runCheckersForDeadSymbols(CheckedSet, EntryNode, 275 SymReaper, currentStmt, *this); 276 277 // For each node in CheckedSet, generate CleanedNodes that have the 278 // environment, the store, and the constraints cleaned up but have the 279 // user-supplied states as the predecessors. 280 StmtNodeBuilder Bldr(CheckedSet, Tmp, *currentBuilderContext); 281 for (ExplodedNodeSet::const_iterator 282 I = CheckedSet.begin(), E = CheckedSet.end(); I != E; ++I) { 283 const ProgramState *CheckerState = (*I)->getState(); 284 285 // The constraint manager has not been cleaned up yet, so clean up now. 286 CheckerState = getConstraintManager().removeDeadBindings(CheckerState, 287 SymReaper); 288 289 assert(StateMgr.haveEqualEnvironments(CheckerState, EntryState) && 290 "Checkers are not allowed to modify the Environment as a part of " 291 "checkDeadSymbols processing."); 292 assert(StateMgr.haveEqualStores(CheckerState, EntryState) && 293 "Checkers are not allowed to modify the Store as a part of " 294 "checkDeadSymbols processing."); 295 296 // Create a state based on CleanedState with CheckerState GDM and 297 // generate a transition to that state. 298 const ProgramState *CleanedCheckerSt = 299 StateMgr.getPersistentStateWithGDM(CleanedState, CheckerState); 300 Bldr.generateNode(currentStmt, *I, CleanedCheckerSt, false, &cleanupTag, 301 ProgramPoint::PostPurgeDeadSymbolsKind); 302 } 303 } 304 305 ExplodedNodeSet Dst; 306 for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) { 307 ExplodedNodeSet DstI; 308 // Visit the statement. 309 Visit(currentStmt, *I, DstI); 310 Dst.insert(DstI); 311 } 312 313 // Enqueue the new nodes onto the work list. 314 Engine.enqueue(Dst, currentBuilderContext->getBlock(), currentStmtIdx); 315 316 // NULL out these variables to cleanup. 317 CleanedState = NULL; 318 EntryNode = NULL; 319 currentStmt = 0; 320 } 321 322 void ExprEngine::ProcessInitializer(const CFGInitializer Init, 323 ExplodedNode *Pred) { 324 ExplodedNodeSet Dst; 325 326 // We don't set EntryNode and currentStmt. And we don't clean up state. 327 const CXXCtorInitializer *BMI = Init.getInitializer(); 328 const StackFrameContext *stackFrame = 329 cast<StackFrameContext>(Pred->getLocationContext()); 330 const CXXConstructorDecl *decl = 331 cast<CXXConstructorDecl>(stackFrame->getDecl()); 332 const CXXThisRegion *thisReg = getCXXThisRegion(decl, stackFrame); 333 334 SVal thisVal = Pred->getState()->getSVal(thisReg); 335 336 if (BMI->isAnyMemberInitializer()) { 337 ExplodedNodeSet AfterEval; 338 339 // Evaluate the initializer. 340 Visit(BMI->getInit(), Pred, AfterEval); 341 342 StmtNodeBuilder Bldr(AfterEval, Dst, *currentBuilderContext); 343 for (ExplodedNodeSet::iterator I = AfterEval.begin(), 344 E = AfterEval.end(); I != E; ++I){ 345 ExplodedNode *P = *I; 346 const ProgramState *state = P->getState(); 347 348 const FieldDecl *FD = BMI->getAnyMember(); 349 350 SVal FieldLoc = state->getLValue(FD, thisVal); 351 SVal InitVal = state->getSVal(BMI->getInit()); 352 state = state->bindLoc(FieldLoc, InitVal); 353 354 // Use a custom node building process. 355 PostInitializer PP(BMI, stackFrame); 356 // Builder automatically add the generated node to the deferred set, 357 // which are processed in the builder's dtor. 358 Bldr.generateNode(PP, P, state); 359 } 360 } else { 361 assert(BMI->isBaseInitializer()); 362 363 // Get the base class declaration. 364 const CXXConstructExpr *ctorExpr = cast<CXXConstructExpr>(BMI->getInit()); 365 366 // Create the base object region. 367 SVal baseVal = 368 getStoreManager().evalDerivedToBase(thisVal, ctorExpr->getType()); 369 const MemRegion *baseReg = baseVal.getAsRegion(); 370 assert(baseReg); 371 372 VisitCXXConstructExpr(ctorExpr, baseReg, Pred, Dst); 373 } 374 375 // Enqueue the new nodes onto the work list. 376 Engine.enqueue(Dst, currentBuilderContext->getBlock(), currentStmtIdx); 377 } 378 379 void ExprEngine::ProcessImplicitDtor(const CFGImplicitDtor D, 380 ExplodedNode *Pred) { 381 ExplodedNodeSet Dst; 382 switch (D.getKind()) { 383 case CFGElement::AutomaticObjectDtor: 384 ProcessAutomaticObjDtor(cast<CFGAutomaticObjDtor>(D), Pred, Dst); 385 break; 386 case CFGElement::BaseDtor: 387 ProcessBaseDtor(cast<CFGBaseDtor>(D), Pred, Dst); 388 break; 389 case CFGElement::MemberDtor: 390 ProcessMemberDtor(cast<CFGMemberDtor>(D), Pred, Dst); 391 break; 392 case CFGElement::TemporaryDtor: 393 ProcessTemporaryDtor(cast<CFGTemporaryDtor>(D), Pred, Dst); 394 break; 395 default: 396 llvm_unreachable("Unexpected dtor kind."); 397 } 398 399 // Enqueue the new nodes onto the work list. 400 Engine.enqueue(Dst, currentBuilderContext->getBlock(), currentStmtIdx); 401 } 402 403 void ExprEngine::ProcessAutomaticObjDtor(const CFGAutomaticObjDtor Dtor, 404 ExplodedNode *Pred, 405 ExplodedNodeSet &Dst) { 406 const ProgramState *state = Pred->getState(); 407 const VarDecl *varDecl = Dtor.getVarDecl(); 408 409 QualType varType = varDecl->getType(); 410 411 if (const ReferenceType *refType = varType->getAs<ReferenceType>()) 412 varType = refType->getPointeeType(); 413 414 const CXXRecordDecl *recordDecl = varType->getAsCXXRecordDecl(); 415 assert(recordDecl && "get CXXRecordDecl fail"); 416 const CXXDestructorDecl *dtorDecl = recordDecl->getDestructor(); 417 418 Loc dest = state->getLValue(varDecl, Pred->getLocationContext()); 419 420 VisitCXXDestructor(dtorDecl, cast<loc::MemRegionVal>(dest).getRegion(), 421 Dtor.getTriggerStmt(), Pred, Dst); 422 } 423 424 void ExprEngine::ProcessBaseDtor(const CFGBaseDtor D, 425 ExplodedNode *Pred, ExplodedNodeSet &Dst) {} 426 427 void ExprEngine::ProcessMemberDtor(const CFGMemberDtor D, 428 ExplodedNode *Pred, ExplodedNodeSet &Dst) {} 429 430 void ExprEngine::ProcessTemporaryDtor(const CFGTemporaryDtor D, 431 ExplodedNode *Pred, 432 ExplodedNodeSet &Dst) {} 433 434 void ExprEngine::Visit(const Stmt *S, ExplodedNode *Pred, 435 ExplodedNodeSet &DstTop) { 436 PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), 437 S->getLocStart(), 438 "Error evaluating statement"); 439 ExplodedNodeSet Dst; 440 StmtNodeBuilder Bldr(Pred, DstTop, *currentBuilderContext); 441 442 // Expressions to ignore. 443 if (const Expr *Ex = dyn_cast<Expr>(S)) 444 S = Ex->IgnoreParens(); 445 446 // FIXME: add metadata to the CFG so that we can disable 447 // this check when we KNOW that there is no block-level subexpression. 448 // The motivation is that this check requires a hashtable lookup. 449 450 if (S != currentStmt && Pred->getLocationContext()->getCFG()->isBlkExpr(S)) 451 return; 452 453 switch (S->getStmtClass()) { 454 // C++ and ARC stuff we don't support yet. 455 case Expr::ObjCIndirectCopyRestoreExprClass: 456 case Stmt::CXXBindTemporaryExprClass: 457 case Stmt::CXXCatchStmtClass: 458 case Stmt::CXXDependentScopeMemberExprClass: 459 case Stmt::CXXPseudoDestructorExprClass: 460 case Stmt::CXXThrowExprClass: 461 case Stmt::CXXTryStmtClass: 462 case Stmt::CXXTypeidExprClass: 463 case Stmt::CXXUuidofExprClass: 464 case Stmt::CXXUnresolvedConstructExprClass: 465 case Stmt::CXXScalarValueInitExprClass: 466 case Stmt::DependentScopeDeclRefExprClass: 467 case Stmt::UnaryTypeTraitExprClass: 468 case Stmt::BinaryTypeTraitExprClass: 469 case Stmt::ArrayTypeTraitExprClass: 470 case Stmt::ExpressionTraitExprClass: 471 case Stmt::UnresolvedLookupExprClass: 472 case Stmt::UnresolvedMemberExprClass: 473 case Stmt::CXXNoexceptExprClass: 474 case Stmt::PackExpansionExprClass: 475 case Stmt::SubstNonTypeTemplateParmPackExprClass: 476 case Stmt::SEHTryStmtClass: 477 case Stmt::SEHExceptStmtClass: 478 case Stmt::SEHFinallyStmtClass: { 479 const ExplodedNode *node = Bldr.generateNode(S, Pred, Pred->getState()); 480 Engine.addAbortedBlock(node, currentBuilderContext->getBlock()); 481 break; 482 } 483 484 // We don't handle default arguments either yet, but we can fake it 485 // for now by just skipping them. 486 case Stmt::SubstNonTypeTemplateParmExprClass: 487 case Stmt::CXXDefaultArgExprClass: 488 break; 489 490 case Stmt::ParenExprClass: 491 llvm_unreachable("ParenExprs already handled."); 492 case Stmt::GenericSelectionExprClass: 493 llvm_unreachable("GenericSelectionExprs already handled."); 494 // Cases that should never be evaluated simply because they shouldn't 495 // appear in the CFG. 496 case Stmt::BreakStmtClass: 497 case Stmt::CaseStmtClass: 498 case Stmt::CompoundStmtClass: 499 case Stmt::ContinueStmtClass: 500 case Stmt::CXXForRangeStmtClass: 501 case Stmt::DefaultStmtClass: 502 case Stmt::DoStmtClass: 503 case Stmt::ForStmtClass: 504 case Stmt::GotoStmtClass: 505 case Stmt::IfStmtClass: 506 case Stmt::IndirectGotoStmtClass: 507 case Stmt::LabelStmtClass: 508 case Stmt::NoStmtClass: 509 case Stmt::NullStmtClass: 510 case Stmt::SwitchStmtClass: 511 case Stmt::WhileStmtClass: 512 case Expr::MSDependentExistsStmtClass: 513 llvm_unreachable("Stmt should not be in analyzer evaluation loop"); 514 break; 515 516 case Stmt::GNUNullExprClass: { 517 // GNU __null is a pointer-width integer, not an actual pointer. 518 const ProgramState *state = Pred->getState(); 519 state = state->BindExpr(S, svalBuilder.makeIntValWithPtrWidth(0, false)); 520 Bldr.generateNode(S, Pred, state); 521 break; 522 } 523 524 case Stmt::ObjCAtSynchronizedStmtClass: 525 Bldr.takeNodes(Pred); 526 VisitObjCAtSynchronizedStmt(cast<ObjCAtSynchronizedStmt>(S), Pred, Dst); 527 Bldr.addNodes(Dst); 528 break; 529 530 case Stmt::ObjCPropertyRefExprClass: 531 // Implicitly handled by Environment::getSVal(). 532 break; 533 534 case Stmt::ImplicitValueInitExprClass: { 535 const ProgramState *state = Pred->getState(); 536 QualType ty = cast<ImplicitValueInitExpr>(S)->getType(); 537 SVal val = svalBuilder.makeZeroVal(ty); 538 Bldr.generateNode(S, Pred, state->BindExpr(S, val)); 539 break; 540 } 541 542 case Stmt::ExprWithCleanupsClass: 543 Bldr.takeNodes(Pred); 544 Visit(cast<ExprWithCleanups>(S)->getSubExpr(), Pred, Dst); 545 Bldr.addNodes(Dst); 546 break; 547 548 // Cases not handled yet; but will handle some day. 549 case Stmt::DesignatedInitExprClass: 550 case Stmt::ExtVectorElementExprClass: 551 case Stmt::ImaginaryLiteralClass: 552 case Stmt::ObjCAtCatchStmtClass: 553 case Stmt::ObjCAtFinallyStmtClass: 554 case Stmt::ObjCAtTryStmtClass: 555 case Stmt::ObjCAutoreleasePoolStmtClass: 556 case Stmt::ObjCEncodeExprClass: 557 case Stmt::ObjCIsaExprClass: 558 case Stmt::ObjCProtocolExprClass: 559 case Stmt::ObjCSelectorExprClass: 560 case Stmt::ObjCStringLiteralClass: 561 case Stmt::ParenListExprClass: 562 case Stmt::PredefinedExprClass: 563 case Stmt::ShuffleVectorExprClass: 564 case Stmt::VAArgExprClass: 565 case Stmt::CUDAKernelCallExprClass: 566 case Stmt::OpaqueValueExprClass: 567 case Stmt::AsTypeExprClass: 568 case Stmt::AtomicExprClass: 569 // Fall through. 570 571 // Cases we intentionally don't evaluate, since they don't need 572 // to be explicitly evaluated. 573 case Stmt::AddrLabelExprClass: 574 case Stmt::IntegerLiteralClass: 575 case Stmt::CharacterLiteralClass: 576 case Stmt::CXXBoolLiteralExprClass: 577 case Stmt::FloatingLiteralClass: 578 case Stmt::SizeOfPackExprClass: 579 case Stmt::CXXNullPtrLiteralExprClass: 580 // No-op. Simply propagate the current state unchanged. 581 break; 582 583 case Stmt::ArraySubscriptExprClass: 584 Bldr.takeNodes(Pred); 585 VisitLvalArraySubscriptExpr(cast<ArraySubscriptExpr>(S), Pred, Dst); 586 Bldr.addNodes(Dst); 587 break; 588 589 case Stmt::AsmStmtClass: 590 Bldr.takeNodes(Pred); 591 VisitAsmStmt(cast<AsmStmt>(S), Pred, Dst); 592 Bldr.addNodes(Dst); 593 break; 594 595 case Stmt::BlockDeclRefExprClass: { 596 Bldr.takeNodes(Pred); 597 const BlockDeclRefExpr *BE = cast<BlockDeclRefExpr>(S); 598 VisitCommonDeclRefExpr(BE, BE->getDecl(), Pred, Dst); 599 Bldr.addNodes(Dst); 600 break; 601 } 602 603 case Stmt::BlockExprClass: 604 Bldr.takeNodes(Pred); 605 VisitBlockExpr(cast<BlockExpr>(S), Pred, Dst); 606 Bldr.addNodes(Dst); 607 break; 608 609 case Stmt::BinaryOperatorClass: { 610 const BinaryOperator* B = cast<BinaryOperator>(S); 611 if (B->isLogicalOp()) { 612 Bldr.takeNodes(Pred); 613 VisitLogicalExpr(B, Pred, Dst); 614 Bldr.addNodes(Dst); 615 break; 616 } 617 else if (B->getOpcode() == BO_Comma) { 618 const ProgramState *state = Pred->getState(); 619 Bldr.generateNode(B, Pred, 620 state->BindExpr(B, state->getSVal(B->getRHS()))); 621 break; 622 } 623 624 Bldr.takeNodes(Pred); 625 626 if (AMgr.shouldEagerlyAssume() && 627 (B->isRelationalOp() || B->isEqualityOp())) { 628 ExplodedNodeSet Tmp; 629 VisitBinaryOperator(cast<BinaryOperator>(S), Pred, Tmp); 630 evalEagerlyAssume(Dst, Tmp, cast<Expr>(S)); 631 } 632 else 633 VisitBinaryOperator(cast<BinaryOperator>(S), Pred, Dst); 634 635 Bldr.addNodes(Dst); 636 break; 637 } 638 639 case Stmt::CallExprClass: 640 case Stmt::CXXOperatorCallExprClass: 641 case Stmt::CXXMemberCallExprClass: { 642 Bldr.takeNodes(Pred); 643 VisitCallExpr(cast<CallExpr>(S), Pred, Dst); 644 Bldr.addNodes(Dst); 645 break; 646 } 647 648 case Stmt::CXXTemporaryObjectExprClass: 649 case Stmt::CXXConstructExprClass: { 650 const CXXConstructExpr *C = cast<CXXConstructExpr>(S); 651 // For block-level CXXConstructExpr, we don't have a destination region. 652 // Let VisitCXXConstructExpr() create one. 653 Bldr.takeNodes(Pred); 654 VisitCXXConstructExpr(C, 0, Pred, Dst); 655 Bldr.addNodes(Dst); 656 break; 657 } 658 659 case Stmt::CXXNewExprClass: { 660 Bldr.takeNodes(Pred); 661 const CXXNewExpr *NE = cast<CXXNewExpr>(S); 662 VisitCXXNewExpr(NE, Pred, Dst); 663 Bldr.addNodes(Dst); 664 break; 665 } 666 667 case Stmt::CXXDeleteExprClass: { 668 Bldr.takeNodes(Pred); 669 const CXXDeleteExpr *CDE = cast<CXXDeleteExpr>(S); 670 VisitCXXDeleteExpr(CDE, Pred, Dst); 671 Bldr.addNodes(Dst); 672 break; 673 } 674 // FIXME: ChooseExpr is really a constant. We need to fix 675 // the CFG do not model them as explicit control-flow. 676 677 case Stmt::ChooseExprClass: { // __builtin_choose_expr 678 Bldr.takeNodes(Pred); 679 const ChooseExpr *C = cast<ChooseExpr>(S); 680 VisitGuardedExpr(C, C->getLHS(), C->getRHS(), Pred, Dst); 681 Bldr.addNodes(Dst); 682 break; 683 } 684 685 case Stmt::CompoundAssignOperatorClass: 686 Bldr.takeNodes(Pred); 687 VisitBinaryOperator(cast<BinaryOperator>(S), Pred, Dst); 688 Bldr.addNodes(Dst); 689 break; 690 691 case Stmt::CompoundLiteralExprClass: 692 Bldr.takeNodes(Pred); 693 VisitCompoundLiteralExpr(cast<CompoundLiteralExpr>(S), Pred, Dst); 694 Bldr.addNodes(Dst); 695 break; 696 697 case Stmt::BinaryConditionalOperatorClass: 698 case Stmt::ConditionalOperatorClass: { // '?' operator 699 Bldr.takeNodes(Pred); 700 const AbstractConditionalOperator *C 701 = cast<AbstractConditionalOperator>(S); 702 VisitGuardedExpr(C, C->getTrueExpr(), C->getFalseExpr(), Pred, Dst); 703 Bldr.addNodes(Dst); 704 break; 705 } 706 707 case Stmt::CXXThisExprClass: 708 Bldr.takeNodes(Pred); 709 VisitCXXThisExpr(cast<CXXThisExpr>(S), Pred, Dst); 710 Bldr.addNodes(Dst); 711 break; 712 713 case Stmt::DeclRefExprClass: { 714 Bldr.takeNodes(Pred); 715 const DeclRefExpr *DE = cast<DeclRefExpr>(S); 716 VisitCommonDeclRefExpr(DE, DE->getDecl(), Pred, Dst); 717 Bldr.addNodes(Dst); 718 break; 719 } 720 721 case Stmt::DeclStmtClass: 722 Bldr.takeNodes(Pred); 723 VisitDeclStmt(cast<DeclStmt>(S), Pred, Dst); 724 Bldr.addNodes(Dst); 725 break; 726 727 case Stmt::ImplicitCastExprClass: 728 case Stmt::CStyleCastExprClass: 729 case Stmt::CXXStaticCastExprClass: 730 case Stmt::CXXDynamicCastExprClass: 731 case Stmt::CXXReinterpretCastExprClass: 732 case Stmt::CXXConstCastExprClass: 733 case Stmt::CXXFunctionalCastExprClass: 734 case Stmt::ObjCBridgedCastExprClass: { 735 Bldr.takeNodes(Pred); 736 const CastExpr *C = cast<CastExpr>(S); 737 // Handle the previsit checks. 738 ExplodedNodeSet dstPrevisit; 739 getCheckerManager().runCheckersForPreStmt(dstPrevisit, Pred, C, *this); 740 741 // Handle the expression itself. 742 ExplodedNodeSet dstExpr; 743 for (ExplodedNodeSet::iterator i = dstPrevisit.begin(), 744 e = dstPrevisit.end(); i != e ; ++i) { 745 VisitCast(C, C->getSubExpr(), *i, dstExpr); 746 } 747 748 // Handle the postvisit checks. 749 getCheckerManager().runCheckersForPostStmt(Dst, dstExpr, C, *this); 750 Bldr.addNodes(Dst); 751 break; 752 } 753 754 case Expr::MaterializeTemporaryExprClass: { 755 Bldr.takeNodes(Pred); 756 const MaterializeTemporaryExpr *Materialize 757 = cast<MaterializeTemporaryExpr>(S); 758 if (!Materialize->getType()->isRecordType()) 759 CreateCXXTemporaryObject(Materialize, Pred, Dst); 760 else 761 Visit(Materialize->GetTemporaryExpr(), Pred, Dst); 762 Bldr.addNodes(Dst); 763 break; 764 } 765 766 case Stmt::InitListExprClass: 767 Bldr.takeNodes(Pred); 768 VisitInitListExpr(cast<InitListExpr>(S), Pred, Dst); 769 Bldr.addNodes(Dst); 770 break; 771 772 case Stmt::MemberExprClass: 773 Bldr.takeNodes(Pred); 774 VisitMemberExpr(cast<MemberExpr>(S), Pred, Dst); 775 Bldr.addNodes(Dst); 776 break; 777 778 case Stmt::ObjCIvarRefExprClass: 779 Bldr.takeNodes(Pred); 780 VisitLvalObjCIvarRefExpr(cast<ObjCIvarRefExpr>(S), Pred, Dst); 781 Bldr.addNodes(Dst); 782 break; 783 784 case Stmt::ObjCForCollectionStmtClass: 785 Bldr.takeNodes(Pred); 786 VisitObjCForCollectionStmt(cast<ObjCForCollectionStmt>(S), Pred, Dst); 787 Bldr.addNodes(Dst); 788 break; 789 790 case Stmt::ObjCMessageExprClass: 791 Bldr.takeNodes(Pred); 792 VisitObjCMessage(cast<ObjCMessageExpr>(S), Pred, Dst); 793 Bldr.addNodes(Dst); 794 break; 795 796 case Stmt::ObjCAtThrowStmtClass: { 797 // FIXME: This is not complete. We basically treat @throw as 798 // an abort. 799 Bldr.generateNode(S, Pred, Pred->getState()); 800 break; 801 } 802 803 case Stmt::ReturnStmtClass: 804 Bldr.takeNodes(Pred); 805 VisitReturnStmt(cast<ReturnStmt>(S), Pred, Dst); 806 Bldr.addNodes(Dst); 807 break; 808 809 case Stmt::OffsetOfExprClass: 810 Bldr.takeNodes(Pred); 811 VisitOffsetOfExpr(cast<OffsetOfExpr>(S), Pred, Dst); 812 Bldr.addNodes(Dst); 813 break; 814 815 case Stmt::UnaryExprOrTypeTraitExprClass: 816 Bldr.takeNodes(Pred); 817 VisitUnaryExprOrTypeTraitExpr(cast<UnaryExprOrTypeTraitExpr>(S), 818 Pred, Dst); 819 Bldr.addNodes(Dst); 820 break; 821 822 case Stmt::StmtExprClass: { 823 const StmtExpr *SE = cast<StmtExpr>(S); 824 825 if (SE->getSubStmt()->body_empty()) { 826 // Empty statement expression. 827 assert(SE->getType() == getContext().VoidTy 828 && "Empty statement expression must have void type."); 829 break; 830 } 831 832 if (Expr *LastExpr = dyn_cast<Expr>(*SE->getSubStmt()->body_rbegin())) { 833 const ProgramState *state = Pred->getState(); 834 Bldr.generateNode(SE, Pred, 835 state->BindExpr(SE, state->getSVal(LastExpr))); 836 } 837 break; 838 } 839 840 case Stmt::StringLiteralClass: { 841 const ProgramState *state = Pred->getState(); 842 SVal V = state->getLValue(cast<StringLiteral>(S)); 843 Bldr.generateNode(S, Pred, state->BindExpr(S, V)); 844 return; 845 } 846 847 case Stmt::UnaryOperatorClass: { 848 Bldr.takeNodes(Pred); 849 const UnaryOperator *U = cast<UnaryOperator>(S); 850 if (AMgr.shouldEagerlyAssume() && (U->getOpcode() == UO_LNot)) { 851 ExplodedNodeSet Tmp; 852 VisitUnaryOperator(U, Pred, Tmp); 853 evalEagerlyAssume(Dst, Tmp, U); 854 } 855 else 856 VisitUnaryOperator(U, Pred, Dst); 857 Bldr.addNodes(Dst); 858 break; 859 } 860 } 861 } 862 863 /// Block entrance. (Update counters). 864 void ExprEngine::processCFGBlockEntrance(NodeBuilderWithSinks &nodeBuilder) { 865 866 // FIXME: Refactor this into a checker. 867 ExplodedNode *pred = nodeBuilder.getContext().getPred(); 868 869 if (nodeBuilder.getContext().getCurrentBlockCount() >= AMgr.getMaxVisit()) { 870 static SimpleProgramPointTag tag("ExprEngine : Block count exceeded"); 871 nodeBuilder.generateNode(pred->getState(), pred, &tag, true); 872 } 873 } 874 875 //===----------------------------------------------------------------------===// 876 // Branch processing. 877 //===----------------------------------------------------------------------===// 878 879 const ProgramState *ExprEngine::MarkBranch(const ProgramState *state, 880 const Stmt *Terminator, 881 bool branchTaken) { 882 883 switch (Terminator->getStmtClass()) { 884 default: 885 return state; 886 887 case Stmt::BinaryOperatorClass: { // '&&' and '||' 888 889 const BinaryOperator* B = cast<BinaryOperator>(Terminator); 890 BinaryOperator::Opcode Op = B->getOpcode(); 891 892 assert (Op == BO_LAnd || Op == BO_LOr); 893 894 // For &&, if we take the true branch, then the value of the whole 895 // expression is that of the RHS expression. 896 // 897 // For ||, if we take the false branch, then the value of the whole 898 // expression is that of the RHS expression. 899 900 const Expr *Ex = (Op == BO_LAnd && branchTaken) || 901 (Op == BO_LOr && !branchTaken) 902 ? B->getRHS() : B->getLHS(); 903 904 return state->BindExpr(B, UndefinedVal(Ex)); 905 } 906 907 case Stmt::BinaryConditionalOperatorClass: 908 case Stmt::ConditionalOperatorClass: { // ?: 909 const AbstractConditionalOperator* C 910 = cast<AbstractConditionalOperator>(Terminator); 911 912 // For ?, if branchTaken == true then the value is either the LHS or 913 // the condition itself. (GNU extension). 914 915 const Expr *Ex; 916 917 if (branchTaken) 918 Ex = C->getTrueExpr(); 919 else 920 Ex = C->getFalseExpr(); 921 922 return state->BindExpr(C, UndefinedVal(Ex)); 923 } 924 925 case Stmt::ChooseExprClass: { // ?: 926 927 const ChooseExpr *C = cast<ChooseExpr>(Terminator); 928 929 const Expr *Ex = branchTaken ? C->getLHS() : C->getRHS(); 930 return state->BindExpr(C, UndefinedVal(Ex)); 931 } 932 } 933 } 934 935 /// RecoverCastedSymbol - A helper function for ProcessBranch that is used 936 /// to try to recover some path-sensitivity for casts of symbolic 937 /// integers that promote their values (which are currently not tracked well). 938 /// This function returns the SVal bound to Condition->IgnoreCasts if all the 939 // cast(s) did was sign-extend the original value. 940 static SVal RecoverCastedSymbol(ProgramStateManager& StateMgr, 941 const ProgramState *state, 942 const Stmt *Condition, 943 ASTContext &Ctx) { 944 945 const Expr *Ex = dyn_cast<Expr>(Condition); 946 if (!Ex) 947 return UnknownVal(); 948 949 uint64_t bits = 0; 950 bool bitsInit = false; 951 952 while (const CastExpr *CE = dyn_cast<CastExpr>(Ex)) { 953 QualType T = CE->getType(); 954 955 if (!T->isIntegerType()) 956 return UnknownVal(); 957 958 uint64_t newBits = Ctx.getTypeSize(T); 959 if (!bitsInit || newBits < bits) { 960 bitsInit = true; 961 bits = newBits; 962 } 963 964 Ex = CE->getSubExpr(); 965 } 966 967 // We reached a non-cast. Is it a symbolic value? 968 QualType T = Ex->getType(); 969 970 if (!bitsInit || !T->isIntegerType() || Ctx.getTypeSize(T) > bits) 971 return UnknownVal(); 972 973 return state->getSVal(Ex); 974 } 975 976 void ExprEngine::processBranch(const Stmt *Condition, const Stmt *Term, 977 NodeBuilderContext& BldCtx, 978 ExplodedNode *Pred, 979 ExplodedNodeSet &Dst, 980 const CFGBlock *DstT, 981 const CFGBlock *DstF) { 982 currentBuilderContext = &BldCtx; 983 984 // Check for NULL conditions; e.g. "for(;;)" 985 if (!Condition) { 986 BranchNodeBuilder NullCondBldr(Pred, Dst, BldCtx, DstT, DstF); 987 NullCondBldr.markInfeasible(false); 988 NullCondBldr.generateNode(Pred->getState(), true, Pred); 989 return; 990 } 991 992 PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), 993 Condition->getLocStart(), 994 "Error evaluating branch"); 995 996 ExplodedNodeSet CheckersOutSet; 997 getCheckerManager().runCheckersForBranchCondition(Condition, CheckersOutSet, 998 Pred, *this); 999 // We generated only sinks. 1000 if (CheckersOutSet.empty()) 1001 return; 1002 1003 BranchNodeBuilder builder(CheckersOutSet, Dst, BldCtx, DstT, DstF); 1004 for (NodeBuilder::iterator I = CheckersOutSet.begin(), 1005 E = CheckersOutSet.end(); E != I; ++I) { 1006 ExplodedNode *PredI = *I; 1007 1008 if (PredI->isSink()) 1009 continue; 1010 1011 const ProgramState *PrevState = Pred->getState(); 1012 SVal X = PrevState->getSVal(Condition); 1013 1014 if (X.isUnknownOrUndef()) { 1015 // Give it a chance to recover from unknown. 1016 if (const Expr *Ex = dyn_cast<Expr>(Condition)) { 1017 if (Ex->getType()->isIntegerType()) { 1018 // Try to recover some path-sensitivity. Right now casts of symbolic 1019 // integers that promote their values are currently not tracked well. 1020 // If 'Condition' is such an expression, try and recover the 1021 // underlying value and use that instead. 1022 SVal recovered = RecoverCastedSymbol(getStateManager(), 1023 PrevState, Condition, 1024 getContext()); 1025 1026 if (!recovered.isUnknown()) { 1027 X = recovered; 1028 } 1029 } 1030 } 1031 } 1032 // If the condition is still unknown, give up. 1033 if (X.isUnknownOrUndef()) { 1034 builder.generateNode(MarkBranch(PrevState, Term, true), true, PredI); 1035 builder.generateNode(MarkBranch(PrevState, Term, false), false, PredI); 1036 continue; 1037 } 1038 1039 DefinedSVal V = cast<DefinedSVal>(X); 1040 1041 // Process the true branch. 1042 if (builder.isFeasible(true)) { 1043 if (const ProgramState *state = PrevState->assume(V, true)) 1044 builder.generateNode(MarkBranch(state, Term, true), true, PredI); 1045 else 1046 builder.markInfeasible(true); 1047 } 1048 1049 // Process the false branch. 1050 if (builder.isFeasible(false)) { 1051 if (const ProgramState *state = PrevState->assume(V, false)) 1052 builder.generateNode(MarkBranch(state, Term, false), false, PredI); 1053 else 1054 builder.markInfeasible(false); 1055 } 1056 } 1057 currentBuilderContext = 0; 1058 } 1059 1060 /// processIndirectGoto - Called by CoreEngine. Used to generate successor 1061 /// nodes by processing the 'effects' of a computed goto jump. 1062 void ExprEngine::processIndirectGoto(IndirectGotoNodeBuilder &builder) { 1063 1064 const ProgramState *state = builder.getState(); 1065 SVal V = state->getSVal(builder.getTarget()); 1066 1067 // Three possibilities: 1068 // 1069 // (1) We know the computed label. 1070 // (2) The label is NULL (or some other constant), or Undefined. 1071 // (3) We have no clue about the label. Dispatch to all targets. 1072 // 1073 1074 typedef IndirectGotoNodeBuilder::iterator iterator; 1075 1076 if (isa<loc::GotoLabel>(V)) { 1077 const LabelDecl *L = cast<loc::GotoLabel>(V).getLabel(); 1078 1079 for (iterator I = builder.begin(), E = builder.end(); I != E; ++I) { 1080 if (I.getLabel() == L) { 1081 builder.generateNode(I, state); 1082 return; 1083 } 1084 } 1085 1086 llvm_unreachable("No block with label."); 1087 } 1088 1089 if (isa<loc::ConcreteInt>(V) || isa<UndefinedVal>(V)) { 1090 // Dispatch to the first target and mark it as a sink. 1091 //ExplodedNode* N = builder.generateNode(builder.begin(), state, true); 1092 // FIXME: add checker visit. 1093 // UndefBranches.insert(N); 1094 return; 1095 } 1096 1097 // This is really a catch-all. We don't support symbolics yet. 1098 // FIXME: Implement dispatch for symbolic pointers. 1099 1100 for (iterator I=builder.begin(), E=builder.end(); I != E; ++I) 1101 builder.generateNode(I, state); 1102 } 1103 1104 /// ProcessEndPath - Called by CoreEngine. Used to generate end-of-path 1105 /// nodes when the control reaches the end of a function. 1106 void ExprEngine::processEndOfFunction(NodeBuilderContext& BC) { 1107 StateMgr.EndPath(BC.Pred->getState()); 1108 ExplodedNodeSet Dst; 1109 getCheckerManager().runCheckersForEndPath(BC, Dst, *this); 1110 Engine.enqueueEndOfFunction(Dst); 1111 } 1112 1113 /// ProcessSwitch - Called by CoreEngine. Used to generate successor 1114 /// nodes by processing the 'effects' of a switch statement. 1115 void ExprEngine::processSwitch(SwitchNodeBuilder& builder) { 1116 typedef SwitchNodeBuilder::iterator iterator; 1117 const ProgramState *state = builder.getState(); 1118 const Expr *CondE = builder.getCondition(); 1119 SVal CondV_untested = state->getSVal(CondE); 1120 1121 if (CondV_untested.isUndef()) { 1122 //ExplodedNode* N = builder.generateDefaultCaseNode(state, true); 1123 // FIXME: add checker 1124 //UndefBranches.insert(N); 1125 1126 return; 1127 } 1128 DefinedOrUnknownSVal CondV = cast<DefinedOrUnknownSVal>(CondV_untested); 1129 1130 const ProgramState *DefaultSt = state; 1131 1132 iterator I = builder.begin(), EI = builder.end(); 1133 bool defaultIsFeasible = I == EI; 1134 1135 for ( ; I != EI; ++I) { 1136 // Successor may be pruned out during CFG construction. 1137 if (!I.getBlock()) 1138 continue; 1139 1140 const CaseStmt *Case = I.getCase(); 1141 1142 // Evaluate the LHS of the case value. 1143 llvm::APSInt V1 = Case->getLHS()->EvaluateKnownConstInt(getContext()); 1144 assert(V1.getBitWidth() == getContext().getTypeSize(CondE->getType())); 1145 1146 // Get the RHS of the case, if it exists. 1147 llvm::APSInt V2; 1148 if (const Expr *E = Case->getRHS()) 1149 V2 = E->EvaluateKnownConstInt(getContext()); 1150 else 1151 V2 = V1; 1152 1153 // FIXME: Eventually we should replace the logic below with a range 1154 // comparison, rather than concretize the values within the range. 1155 // This should be easy once we have "ranges" for NonLVals. 1156 1157 do { 1158 nonloc::ConcreteInt CaseVal(getBasicVals().getValue(V1)); 1159 DefinedOrUnknownSVal Res = svalBuilder.evalEQ(DefaultSt ? DefaultSt : state, 1160 CondV, CaseVal); 1161 1162 // Now "assume" that the case matches. 1163 if (const ProgramState *stateNew = state->assume(Res, true)) { 1164 builder.generateCaseStmtNode(I, stateNew); 1165 1166 // If CondV evaluates to a constant, then we know that this 1167 // is the *only* case that we can take, so stop evaluating the 1168 // others. 1169 if (isa<nonloc::ConcreteInt>(CondV)) 1170 return; 1171 } 1172 1173 // Now "assume" that the case doesn't match. Add this state 1174 // to the default state (if it is feasible). 1175 if (DefaultSt) { 1176 if (const ProgramState *stateNew = DefaultSt->assume(Res, false)) { 1177 defaultIsFeasible = true; 1178 DefaultSt = stateNew; 1179 } 1180 else { 1181 defaultIsFeasible = false; 1182 DefaultSt = NULL; 1183 } 1184 } 1185 1186 // Concretize the next value in the range. 1187 if (V1 == V2) 1188 break; 1189 1190 ++V1; 1191 assert (V1 <= V2); 1192 1193 } while (true); 1194 } 1195 1196 if (!defaultIsFeasible) 1197 return; 1198 1199 // If we have switch(enum value), the default branch is not 1200 // feasible if all of the enum constants not covered by 'case:' statements 1201 // are not feasible values for the switch condition. 1202 // 1203 // Note that this isn't as accurate as it could be. Even if there isn't 1204 // a case for a particular enum value as long as that enum value isn't 1205 // feasible then it shouldn't be considered for making 'default:' reachable. 1206 const SwitchStmt *SS = builder.getSwitch(); 1207 const Expr *CondExpr = SS->getCond()->IgnoreParenImpCasts(); 1208 if (CondExpr->getType()->getAs<EnumType>()) { 1209 if (SS->isAllEnumCasesCovered()) 1210 return; 1211 } 1212 1213 builder.generateDefaultCaseNode(DefaultSt); 1214 } 1215 1216 //===----------------------------------------------------------------------===// 1217 // Transfer functions: Loads and stores. 1218 //===----------------------------------------------------------------------===// 1219 1220 void ExprEngine::VisitCommonDeclRefExpr(const Expr *Ex, const NamedDecl *D, 1221 ExplodedNode *Pred, 1222 ExplodedNodeSet &Dst) { 1223 StmtNodeBuilder Bldr(Pred, Dst, *currentBuilderContext); 1224 1225 const ProgramState *state = Pred->getState(); 1226 1227 if (const VarDecl *VD = dyn_cast<VarDecl>(D)) { 1228 assert(Ex->isLValue()); 1229 SVal V = state->getLValue(VD, Pred->getLocationContext()); 1230 1231 // For references, the 'lvalue' is the pointer address stored in the 1232 // reference region. 1233 if (VD->getType()->isReferenceType()) { 1234 if (const MemRegion *R = V.getAsRegion()) 1235 V = state->getSVal(R); 1236 else 1237 V = UnknownVal(); 1238 } 1239 1240 Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, V), false, 0, 1241 ProgramPoint::PostLValueKind); 1242 return; 1243 } 1244 if (const EnumConstantDecl *ED = dyn_cast<EnumConstantDecl>(D)) { 1245 assert(!Ex->isLValue()); 1246 SVal V = svalBuilder.makeIntVal(ED->getInitVal()); 1247 Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, V)); 1248 return; 1249 } 1250 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) { 1251 SVal V = svalBuilder.getFunctionPointer(FD); 1252 Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, V), false, 0, 1253 ProgramPoint::PostLValueKind); 1254 return; 1255 } 1256 assert (false && 1257 "ValueDecl support for this ValueDecl not implemented."); 1258 } 1259 1260 /// VisitArraySubscriptExpr - Transfer function for array accesses 1261 void ExprEngine::VisitLvalArraySubscriptExpr(const ArraySubscriptExpr *A, 1262 ExplodedNode *Pred, 1263 ExplodedNodeSet &Dst){ 1264 1265 const Expr *Base = A->getBase()->IgnoreParens(); 1266 const Expr *Idx = A->getIdx()->IgnoreParens(); 1267 1268 1269 ExplodedNodeSet checkerPreStmt; 1270 getCheckerManager().runCheckersForPreStmt(checkerPreStmt, Pred, A, *this); 1271 1272 StmtNodeBuilder Bldr(checkerPreStmt, Dst, *currentBuilderContext); 1273 1274 for (ExplodedNodeSet::iterator it = checkerPreStmt.begin(), 1275 ei = checkerPreStmt.end(); it != ei; ++it) { 1276 const ProgramState *state = (*it)->getState(); 1277 SVal V = state->getLValue(A->getType(), state->getSVal(Idx), 1278 state->getSVal(Base)); 1279 assert(A->isLValue()); 1280 Bldr.generateNode(A, *it, state->BindExpr(A, V), 1281 false, 0, ProgramPoint::PostLValueKind); 1282 } 1283 } 1284 1285 /// VisitMemberExpr - Transfer function for member expressions. 1286 void ExprEngine::VisitMemberExpr(const MemberExpr *M, ExplodedNode *Pred, 1287 ExplodedNodeSet &TopDst) { 1288 1289 StmtNodeBuilder Bldr(Pred, TopDst, *currentBuilderContext); 1290 ExplodedNodeSet Dst; 1291 Decl *member = M->getMemberDecl(); 1292 if (VarDecl *VD = dyn_cast<VarDecl>(member)) { 1293 assert(M->isLValue()); 1294 Bldr.takeNodes(Pred); 1295 VisitCommonDeclRefExpr(M, VD, Pred, Dst); 1296 Bldr.addNodes(Dst); 1297 return; 1298 } 1299 1300 FieldDecl *field = dyn_cast<FieldDecl>(member); 1301 if (!field) // FIXME: skipping member expressions for non-fields 1302 return; 1303 1304 Expr *baseExpr = M->getBase()->IgnoreParens(); 1305 const ProgramState *state = Pred->getState(); 1306 SVal baseExprVal = state->getSVal(baseExpr); 1307 if (isa<nonloc::LazyCompoundVal>(baseExprVal) || 1308 isa<nonloc::CompoundVal>(baseExprVal) || 1309 // FIXME: This can originate by conjuring a symbol for an unknown 1310 // temporary struct object, see test/Analysis/fields.c: 1311 // (p = getit()).x 1312 isa<nonloc::SymbolVal>(baseExprVal)) { 1313 Bldr.generateNode(M, Pred, state->BindExpr(M, UnknownVal())); 1314 return; 1315 } 1316 1317 // FIXME: Should we insert some assumption logic in here to determine 1318 // if "Base" is a valid piece of memory? Before we put this assumption 1319 // later when using FieldOffset lvals (which we no longer have). 1320 1321 // For all other cases, compute an lvalue. 1322 SVal L = state->getLValue(field, baseExprVal); 1323 if (M->isLValue()) 1324 Bldr.generateNode(M, Pred, state->BindExpr(M, L), false, 0, 1325 ProgramPoint::PostLValueKind); 1326 else { 1327 Bldr.takeNodes(Pred); 1328 evalLoad(Dst, M, Pred, state, L); 1329 Bldr.addNodes(Dst); 1330 } 1331 } 1332 1333 /// evalBind - Handle the semantics of binding a value to a specific location. 1334 /// This method is used by evalStore and (soon) VisitDeclStmt, and others. 1335 void ExprEngine::evalBind(ExplodedNodeSet &Dst, const Stmt *StoreE, 1336 ExplodedNode *Pred, 1337 SVal location, SVal Val, bool atDeclInit, 1338 ProgramPoint::Kind PointKind) { 1339 1340 // Do a previsit of the bind. 1341 ExplodedNodeSet CheckedSet; 1342 getCheckerManager().runCheckersForBind(CheckedSet, Pred, location, Val, 1343 StoreE, *this, PointKind); 1344 1345 // TODO:AZ Remove TmpDst after NB refactoring is done. 1346 ExplodedNodeSet TmpDst; 1347 StmtNodeBuilder Bldr(CheckedSet, TmpDst, *currentBuilderContext); 1348 1349 for (ExplodedNodeSet::iterator I = CheckedSet.begin(), E = CheckedSet.end(); 1350 I!=E; ++I) { 1351 const ProgramState *state = (*I)->getState(); 1352 1353 if (atDeclInit) { 1354 const VarRegion *VR = 1355 cast<VarRegion>(cast<loc::MemRegionVal>(location).getRegion()); 1356 1357 state = state->bindDecl(VR, Val); 1358 } else { 1359 state = state->bindLoc(location, Val); 1360 } 1361 1362 Bldr.generateNode(StoreE, *I, state, false, 0, PointKind); 1363 } 1364 1365 Dst.insert(TmpDst); 1366 } 1367 1368 /// evalStore - Handle the semantics of a store via an assignment. 1369 /// @param Dst The node set to store generated state nodes 1370 /// @param AssignE The assignment expression if the store happens in an 1371 /// assignment. 1372 /// @param LocatioinE The location expression that is stored to. 1373 /// @param state The current simulation state 1374 /// @param location The location to store the value 1375 /// @param Val The value to be stored 1376 void ExprEngine::evalStore(ExplodedNodeSet &Dst, const Expr *AssignE, 1377 const Expr *LocationE, 1378 ExplodedNode *Pred, 1379 const ProgramState *state, SVal location, SVal Val, 1380 const ProgramPointTag *tag) { 1381 // Proceed with the store. We use AssignE as the anchor for the PostStore 1382 // ProgramPoint if it is non-NULL, and LocationE otherwise. 1383 const Expr *StoreE = AssignE ? AssignE : LocationE; 1384 1385 if (isa<loc::ObjCPropRef>(location)) { 1386 loc::ObjCPropRef prop = cast<loc::ObjCPropRef>(location); 1387 return VisitObjCMessage(ObjCPropertySetter(prop.getPropRefExpr(), 1388 StoreE, Val), Pred, Dst); 1389 } 1390 1391 // Evaluate the location (checks for bad dereferences). 1392 ExplodedNodeSet Tmp; 1393 evalLocation(Tmp, LocationE, Pred, state, location, tag, false); 1394 1395 if (Tmp.empty()) 1396 return; 1397 1398 if (location.isUndef()) 1399 return; 1400 1401 for (ExplodedNodeSet::iterator NI=Tmp.begin(), NE=Tmp.end(); NI!=NE; ++NI) 1402 evalBind(Dst, StoreE, *NI, location, Val, false, 1403 ProgramPoint::PostStoreKind); 1404 } 1405 1406 void ExprEngine::evalLoad(ExplodedNodeSet &Dst, const Expr *Ex, 1407 ExplodedNode *Pred, 1408 const ProgramState *state, SVal location, 1409 const ProgramPointTag *tag, QualType LoadTy) { 1410 assert(!isa<NonLoc>(location) && "location cannot be a NonLoc."); 1411 1412 if (isa<loc::ObjCPropRef>(location)) { 1413 loc::ObjCPropRef prop = cast<loc::ObjCPropRef>(location); 1414 return VisitObjCMessage(ObjCPropertyGetter(prop.getPropRefExpr(), Ex), 1415 Pred, Dst); 1416 } 1417 1418 // Are we loading from a region? This actually results in two loads; one 1419 // to fetch the address of the referenced value and one to fetch the 1420 // referenced value. 1421 if (const TypedValueRegion *TR = 1422 dyn_cast_or_null<TypedValueRegion>(location.getAsRegion())) { 1423 1424 QualType ValTy = TR->getValueType(); 1425 if (const ReferenceType *RT = ValTy->getAs<ReferenceType>()) { 1426 static SimpleProgramPointTag 1427 loadReferenceTag("ExprEngine : Load Reference"); 1428 ExplodedNodeSet Tmp; 1429 evalLoadCommon(Tmp, Ex, Pred, state, location, &loadReferenceTag, 1430 getContext().getPointerType(RT->getPointeeType())); 1431 1432 // Perform the load from the referenced value. 1433 for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end() ; I!=E; ++I) { 1434 state = (*I)->getState(); 1435 location = state->getSVal(Ex); 1436 evalLoadCommon(Dst, Ex, *I, state, location, tag, LoadTy); 1437 } 1438 return; 1439 } 1440 } 1441 1442 evalLoadCommon(Dst, Ex, Pred, state, location, tag, LoadTy); 1443 } 1444 1445 void ExprEngine::evalLoadCommon(ExplodedNodeSet &Dst, const Expr *Ex, 1446 ExplodedNode *Pred, 1447 const ProgramState *state, SVal location, 1448 const ProgramPointTag *tag, QualType LoadTy) { 1449 1450 // Evaluate the location (checks for bad dereferences). 1451 ExplodedNodeSet Tmp; 1452 evalLocation(Tmp, Ex, Pred, state, location, tag, true); 1453 if (Tmp.empty()) 1454 return; 1455 1456 StmtNodeBuilder Bldr(Tmp, Dst, *currentBuilderContext); 1457 if (location.isUndef()) 1458 return; 1459 1460 // Proceed with the load. 1461 for (ExplodedNodeSet::iterator NI=Tmp.begin(), NE=Tmp.end(); NI!=NE; ++NI) { 1462 state = (*NI)->getState(); 1463 1464 if (location.isUnknown()) { 1465 // This is important. We must nuke the old binding. 1466 Bldr.generateNode(Ex, *NI, state->BindExpr(Ex, UnknownVal()), 1467 false, tag, ProgramPoint::PostLoadKind); 1468 } 1469 else { 1470 if (LoadTy.isNull()) 1471 LoadTy = Ex->getType(); 1472 SVal V = state->getSVal(cast<Loc>(location), LoadTy); 1473 Bldr.generateNode(Ex, *NI, state->bindExprAndLocation(Ex, location, V), 1474 false, tag, ProgramPoint::PostLoadKind); 1475 } 1476 } 1477 } 1478 1479 void ExprEngine::evalLocation(ExplodedNodeSet &Dst, const Stmt *S, 1480 ExplodedNode *Pred, 1481 const ProgramState *state, SVal location, 1482 const ProgramPointTag *tag, bool isLoad) { 1483 StmtNodeBuilder BldrTop(Pred, Dst, *currentBuilderContext); 1484 // Early checks for performance reason. 1485 if (location.isUnknown()) { 1486 return; 1487 } 1488 1489 ExplodedNodeSet Src; 1490 BldrTop.takeNodes(Pred); 1491 StmtNodeBuilder Bldr(Pred, Src, *currentBuilderContext); 1492 if (Pred->getState() != state) { 1493 // Associate this new state with an ExplodedNode. 1494 // FIXME: If I pass null tag, the graph is incorrect, e.g for 1495 // int *p; 1496 // p = 0; 1497 // *p = 0xDEADBEEF; 1498 // "p = 0" is not noted as "Null pointer value stored to 'p'" but 1499 // instead "int *p" is noted as 1500 // "Variable 'p' initialized to a null pointer value" 1501 1502 // FIXME: why is 'tag' not used instead of etag? 1503 static SimpleProgramPointTag etag("ExprEngine: Location"); 1504 1505 Bldr.generateNode(S, Pred, state, false, &etag); 1506 } 1507 ExplodedNodeSet Tmp; 1508 getCheckerManager().runCheckersForLocation(Tmp, Src, location, isLoad, S, 1509 *this); 1510 BldrTop.addNodes(Tmp); 1511 } 1512 1513 bool ExprEngine::InlineCall(ExplodedNodeSet &Dst, const CallExpr *CE, 1514 ExplodedNode *Pred) { 1515 return false; 1516 1517 // Inlining isn't correct right now because we: 1518 // (a) don't generate CallExit nodes. 1519 // (b) we need a way to postpone doing post-visits of CallExprs until 1520 // the CallExit. This means we need CallExits for the non-inline 1521 // cases as well. 1522 1523 #if 0 1524 const ProgramState *state = Pred->getState(); 1525 const Expr *Callee = CE->getCallee(); 1526 SVal L = state->getSVal(Callee); 1527 1528 const FunctionDecl *FD = L.getAsFunctionDecl(); 1529 if (!FD) 1530 return false; 1531 1532 // Specially handle CXXMethods. 1533 const CXXMethodDecl *methodDecl = 0; 1534 1535 switch (CE->getStmtClass()) { 1536 default: break; 1537 case Stmt::CXXOperatorCallExprClass: { 1538 const CXXOperatorCallExpr *opCall = cast<CXXOperatorCallExpr>(CE); 1539 methodDecl = 1540 dyn_cast_or_null<CXXMethodDecl>(opCall->getCalleeDecl()); 1541 break; 1542 } 1543 case Stmt::CXXMemberCallExprClass: { 1544 const CXXMemberCallExpr *memberCall = cast<CXXMemberCallExpr>(CE); 1545 const MemberExpr *memberExpr = 1546 cast<MemberExpr>(memberCall->getCallee()->IgnoreParens()); 1547 methodDecl = cast<CXXMethodDecl>(memberExpr->getMemberDecl()); 1548 break; 1549 } 1550 } 1551 1552 1553 1554 1555 // Check if the function definition is in the same translation unit. 1556 if (FD->hasBody(FD)) { 1557 const StackFrameContext *stackFrame = 1558 AMgr.getStackFrame(AMgr.getAnalysisDeclContext(FD), 1559 Pred->getLocationContext(), 1560 CE, currentBuilderContext->getBlock(), currentStmtIdx); 1561 // Now we have the definition of the callee, create a CallEnter node. 1562 CallEnter Loc(CE, stackFrame, Pred->getLocationContext()); 1563 1564 ExplodedNode *N = Builder->generateNode(Loc, state, Pred); 1565 Dst.Add(N); 1566 return true; 1567 } 1568 1569 // Check if we can find the function definition in other translation units. 1570 if (AMgr.hasIndexer()) { 1571 AnalysisDeclContext *C = AMgr.getAnalysisDeclContextInAnotherTU(FD); 1572 if (C == 0) 1573 return false; 1574 const StackFrameContext *stackFrame = 1575 AMgr.getStackFrame(C, Pred->getLocationContext(), 1576 CE, currentBuilderContext->getBlock(), currentStmtIdx); 1577 CallEnter Loc(CE, stackFrame, Pred->getLocationContext()); 1578 ExplodedNode *N = Builder->generateNode(Loc, state, Pred); 1579 Dst.Add(N); 1580 return true; 1581 } 1582 1583 // Generate the CallExit node. 1584 1585 return false; 1586 #endif 1587 } 1588 1589 std::pair<const ProgramPointTag *, const ProgramPointTag*> 1590 ExprEngine::getEagerlyAssumeTags() { 1591 static SimpleProgramPointTag 1592 EagerlyAssumeTrue("ExprEngine : Eagerly Assume True"), 1593 EagerlyAssumeFalse("ExprEngine : Eagerly Assume False"); 1594 return std::make_pair(&EagerlyAssumeTrue, &EagerlyAssumeFalse); 1595 } 1596 1597 void ExprEngine::evalEagerlyAssume(ExplodedNodeSet &Dst, ExplodedNodeSet &Src, 1598 const Expr *Ex) { 1599 StmtNodeBuilder Bldr(Src, Dst, *currentBuilderContext); 1600 1601 for (ExplodedNodeSet::iterator I=Src.begin(), E=Src.end(); I!=E; ++I) { 1602 ExplodedNode *Pred = *I; 1603 // Test if the previous node was as the same expression. This can happen 1604 // when the expression fails to evaluate to anything meaningful and 1605 // (as an optimization) we don't generate a node. 1606 ProgramPoint P = Pred->getLocation(); 1607 if (!isa<PostStmt>(P) || cast<PostStmt>(P).getStmt() != Ex) { 1608 continue; 1609 } 1610 1611 const ProgramState *state = Pred->getState(); 1612 SVal V = state->getSVal(Ex); 1613 if (nonloc::SymExprVal *SEV = dyn_cast<nonloc::SymExprVal>(&V)) { 1614 const std::pair<const ProgramPointTag *, const ProgramPointTag*> &tags = 1615 getEagerlyAssumeTags(); 1616 1617 // First assume that the condition is true. 1618 if (const ProgramState *StateTrue = state->assume(*SEV, true)) { 1619 SVal Val = svalBuilder.makeIntVal(1U, Ex->getType()); 1620 StateTrue = StateTrue->BindExpr(Ex, Val); 1621 Bldr.generateNode(Ex, Pred, StateTrue, false, tags.first); 1622 } 1623 1624 // Next, assume that the condition is false. 1625 if (const ProgramState *StateFalse = state->assume(*SEV, false)) { 1626 SVal Val = svalBuilder.makeIntVal(0U, Ex->getType()); 1627 StateFalse = StateFalse->BindExpr(Ex, Val); 1628 Bldr.generateNode(Ex, Pred, StateFalse, false, tags.second); 1629 } 1630 } 1631 } 1632 } 1633 1634 void ExprEngine::VisitAsmStmt(const AsmStmt *A, ExplodedNode *Pred, 1635 ExplodedNodeSet &Dst) { 1636 VisitAsmStmtHelperOutputs(A, A->begin_outputs(), A->end_outputs(), Pred, Dst); 1637 } 1638 1639 void ExprEngine::VisitAsmStmtHelperOutputs(const AsmStmt *A, 1640 AsmStmt::const_outputs_iterator I, 1641 AsmStmt::const_outputs_iterator E, 1642 ExplodedNode *Pred, ExplodedNodeSet &Dst) { 1643 if (I == E) { 1644 VisitAsmStmtHelperInputs(A, A->begin_inputs(), A->end_inputs(), Pred, Dst); 1645 return; 1646 } 1647 1648 ExplodedNodeSet Tmp; 1649 Visit(*I, Pred, Tmp); 1650 ++I; 1651 1652 for (ExplodedNodeSet::iterator NI = Tmp.begin(), NE = Tmp.end();NI != NE;++NI) 1653 VisitAsmStmtHelperOutputs(A, I, E, *NI, Dst); 1654 } 1655 1656 void ExprEngine::VisitAsmStmtHelperInputs(const AsmStmt *A, 1657 AsmStmt::const_inputs_iterator I, 1658 AsmStmt::const_inputs_iterator E, 1659 ExplodedNode *Pred, 1660 ExplodedNodeSet &Dst) { 1661 if (I == E) { 1662 StmtNodeBuilder Bldr(Pred, Dst, *currentBuilderContext); 1663 // We have processed both the inputs and the outputs. All of the outputs 1664 // should evaluate to Locs. Nuke all of their values. 1665 1666 // FIXME: Some day in the future it would be nice to allow a "plug-in" 1667 // which interprets the inline asm and stores proper results in the 1668 // outputs. 1669 1670 const ProgramState *state = Pred->getState(); 1671 1672 for (AsmStmt::const_outputs_iterator OI = A->begin_outputs(), 1673 OE = A->end_outputs(); OI != OE; ++OI) { 1674 1675 SVal X = state->getSVal(*OI); 1676 assert (!isa<NonLoc>(X)); // Should be an Lval, or unknown, undef. 1677 1678 if (isa<Loc>(X)) 1679 state = state->bindLoc(cast<Loc>(X), UnknownVal()); 1680 } 1681 1682 Bldr.generateNode(A, Pred, state); 1683 return; 1684 } 1685 1686 ExplodedNodeSet Tmp; 1687 Visit(*I, Pred, Tmp); 1688 1689 ++I; 1690 1691 for (ExplodedNodeSet::iterator NI = Tmp.begin(), NE = Tmp.end(); NI!=NE; ++NI) 1692 VisitAsmStmtHelperInputs(A, I, E, *NI, Dst); 1693 } 1694 1695 1696 //===----------------------------------------------------------------------===// 1697 // Visualization. 1698 //===----------------------------------------------------------------------===// 1699 1700 #ifndef NDEBUG 1701 static ExprEngine* GraphPrintCheckerState; 1702 static SourceManager* GraphPrintSourceManager; 1703 1704 namespace llvm { 1705 template<> 1706 struct DOTGraphTraits<ExplodedNode*> : 1707 public DefaultDOTGraphTraits { 1708 1709 DOTGraphTraits (bool isSimple=false) : DefaultDOTGraphTraits(isSimple) {} 1710 1711 // FIXME: Since we do not cache error nodes in ExprEngine now, this does not 1712 // work. 1713 static std::string getNodeAttributes(const ExplodedNode *N, void*) { 1714 1715 #if 0 1716 // FIXME: Replace with a general scheme to tell if the node is 1717 // an error node. 1718 if (GraphPrintCheckerState->isImplicitNullDeref(N) || 1719 GraphPrintCheckerState->isExplicitNullDeref(N) || 1720 GraphPrintCheckerState->isUndefDeref(N) || 1721 GraphPrintCheckerState->isUndefStore(N) || 1722 GraphPrintCheckerState->isUndefControlFlow(N) || 1723 GraphPrintCheckerState->isUndefResult(N) || 1724 GraphPrintCheckerState->isBadCall(N) || 1725 GraphPrintCheckerState->isUndefArg(N)) 1726 return "color=\"red\",style=\"filled\""; 1727 1728 if (GraphPrintCheckerState->isNoReturnCall(N)) 1729 return "color=\"blue\",style=\"filled\""; 1730 #endif 1731 return ""; 1732 } 1733 1734 static std::string getNodeLabel(const ExplodedNode *N, void*){ 1735 1736 std::string sbuf; 1737 llvm::raw_string_ostream Out(sbuf); 1738 1739 // Program Location. 1740 ProgramPoint Loc = N->getLocation(); 1741 1742 switch (Loc.getKind()) { 1743 case ProgramPoint::BlockEntranceKind: 1744 Out << "Block Entrance: B" 1745 << cast<BlockEntrance>(Loc).getBlock()->getBlockID(); 1746 break; 1747 1748 case ProgramPoint::BlockExitKind: 1749 assert (false); 1750 break; 1751 1752 case ProgramPoint::CallEnterKind: 1753 Out << "CallEnter"; 1754 break; 1755 1756 case ProgramPoint::CallExitKind: 1757 Out << "CallExit"; 1758 break; 1759 1760 default: { 1761 if (StmtPoint *L = dyn_cast<StmtPoint>(&Loc)) { 1762 const Stmt *S = L->getStmt(); 1763 SourceLocation SLoc = S->getLocStart(); 1764 1765 Out << S->getStmtClassName() << ' ' << (void*) S << ' '; 1766 LangOptions LO; // FIXME. 1767 S->printPretty(Out, 0, PrintingPolicy(LO)); 1768 1769 if (SLoc.isFileID()) { 1770 Out << "\\lline=" 1771 << GraphPrintSourceManager->getExpansionLineNumber(SLoc) 1772 << " col=" 1773 << GraphPrintSourceManager->getExpansionColumnNumber(SLoc) 1774 << "\\l"; 1775 } 1776 1777 if (isa<PreStmt>(Loc)) 1778 Out << "\\lPreStmt\\l;"; 1779 else if (isa<PostLoad>(Loc)) 1780 Out << "\\lPostLoad\\l;"; 1781 else if (isa<PostStore>(Loc)) 1782 Out << "\\lPostStore\\l"; 1783 else if (isa<PostLValue>(Loc)) 1784 Out << "\\lPostLValue\\l"; 1785 1786 #if 0 1787 // FIXME: Replace with a general scheme to determine 1788 // the name of the check. 1789 if (GraphPrintCheckerState->isImplicitNullDeref(N)) 1790 Out << "\\|Implicit-Null Dereference.\\l"; 1791 else if (GraphPrintCheckerState->isExplicitNullDeref(N)) 1792 Out << "\\|Explicit-Null Dereference.\\l"; 1793 else if (GraphPrintCheckerState->isUndefDeref(N)) 1794 Out << "\\|Dereference of undefialied value.\\l"; 1795 else if (GraphPrintCheckerState->isUndefStore(N)) 1796 Out << "\\|Store to Undefined Loc."; 1797 else if (GraphPrintCheckerState->isUndefResult(N)) 1798 Out << "\\|Result of operation is undefined."; 1799 else if (GraphPrintCheckerState->isNoReturnCall(N)) 1800 Out << "\\|Call to function marked \"noreturn\"."; 1801 else if (GraphPrintCheckerState->isBadCall(N)) 1802 Out << "\\|Call to NULL/Undefined."; 1803 else if (GraphPrintCheckerState->isUndefArg(N)) 1804 Out << "\\|Argument in call is undefined"; 1805 #endif 1806 1807 break; 1808 } 1809 1810 const BlockEdge &E = cast<BlockEdge>(Loc); 1811 Out << "Edge: (B" << E.getSrc()->getBlockID() << ", B" 1812 << E.getDst()->getBlockID() << ')'; 1813 1814 if (const Stmt *T = E.getSrc()->getTerminator()) { 1815 1816 SourceLocation SLoc = T->getLocStart(); 1817 1818 Out << "\\|Terminator: "; 1819 LangOptions LO; // FIXME. 1820 E.getSrc()->printTerminator(Out, LO); 1821 1822 if (SLoc.isFileID()) { 1823 Out << "\\lline=" 1824 << GraphPrintSourceManager->getExpansionLineNumber(SLoc) 1825 << " col=" 1826 << GraphPrintSourceManager->getExpansionColumnNumber(SLoc); 1827 } 1828 1829 if (isa<SwitchStmt>(T)) { 1830 const Stmt *Label = E.getDst()->getLabel(); 1831 1832 if (Label) { 1833 if (const CaseStmt *C = dyn_cast<CaseStmt>(Label)) { 1834 Out << "\\lcase "; 1835 LangOptions LO; // FIXME. 1836 C->getLHS()->printPretty(Out, 0, PrintingPolicy(LO)); 1837 1838 if (const Stmt *RHS = C->getRHS()) { 1839 Out << " .. "; 1840 RHS->printPretty(Out, 0, PrintingPolicy(LO)); 1841 } 1842 1843 Out << ":"; 1844 } 1845 else { 1846 assert (isa<DefaultStmt>(Label)); 1847 Out << "\\ldefault:"; 1848 } 1849 } 1850 else 1851 Out << "\\l(implicit) default:"; 1852 } 1853 else if (isa<IndirectGotoStmt>(T)) { 1854 // FIXME 1855 } 1856 else { 1857 Out << "\\lCondition: "; 1858 if (*E.getSrc()->succ_begin() == E.getDst()) 1859 Out << "true"; 1860 else 1861 Out << "false"; 1862 } 1863 1864 Out << "\\l"; 1865 } 1866 1867 #if 0 1868 // FIXME: Replace with a general scheme to determine 1869 // the name of the check. 1870 if (GraphPrintCheckerState->isUndefControlFlow(N)) { 1871 Out << "\\|Control-flow based on\\lUndefined value.\\l"; 1872 } 1873 #endif 1874 } 1875 } 1876 1877 const ProgramState *state = N->getState(); 1878 Out << "\\|StateID: " << (void*) state 1879 << " NodeID: " << (void*) N << "\\|"; 1880 state->printDOT(Out, *N->getLocationContext()->getCFG()); 1881 1882 Out << "\\l"; 1883 1884 if (const ProgramPointTag *tag = Loc.getTag()) { 1885 Out << "\\|Tag: " << tag->getTagDescription(); 1886 Out << "\\l"; 1887 } 1888 return Out.str(); 1889 } 1890 }; 1891 } // end llvm namespace 1892 #endif 1893 1894 #ifndef NDEBUG 1895 template <typename ITERATOR> 1896 ExplodedNode *GetGraphNode(ITERATOR I) { return *I; } 1897 1898 template <> ExplodedNode* 1899 GetGraphNode<llvm::DenseMap<ExplodedNode*, Expr*>::iterator> 1900 (llvm::DenseMap<ExplodedNode*, Expr*>::iterator I) { 1901 return I->first; 1902 } 1903 #endif 1904 1905 void ExprEngine::ViewGraph(bool trim) { 1906 #ifndef NDEBUG 1907 if (trim) { 1908 std::vector<ExplodedNode*> Src; 1909 1910 // Flush any outstanding reports to make sure we cover all the nodes. 1911 // This does not cause them to get displayed. 1912 for (BugReporter::iterator I=BR.begin(), E=BR.end(); I!=E; ++I) 1913 const_cast<BugType*>(*I)->FlushReports(BR); 1914 1915 // Iterate through the reports and get their nodes. 1916 for (BugReporter::EQClasses_iterator 1917 EI = BR.EQClasses_begin(), EE = BR.EQClasses_end(); EI != EE; ++EI) { 1918 BugReportEquivClass& EQ = *EI; 1919 const BugReport &R = **EQ.begin(); 1920 ExplodedNode *N = const_cast<ExplodedNode*>(R.getErrorNode()); 1921 if (N) Src.push_back(N); 1922 } 1923 1924 ViewGraph(&Src[0], &Src[0]+Src.size()); 1925 } 1926 else { 1927 GraphPrintCheckerState = this; 1928 GraphPrintSourceManager = &getContext().getSourceManager(); 1929 1930 llvm::ViewGraph(*G.roots_begin(), "ExprEngine"); 1931 1932 GraphPrintCheckerState = NULL; 1933 GraphPrintSourceManager = NULL; 1934 } 1935 #endif 1936 } 1937 1938 void ExprEngine::ViewGraph(ExplodedNode** Beg, ExplodedNode** End) { 1939 #ifndef NDEBUG 1940 GraphPrintCheckerState = this; 1941 GraphPrintSourceManager = &getContext().getSourceManager(); 1942 1943 std::auto_ptr<ExplodedGraph> TrimmedG(G.Trim(Beg, End).first); 1944 1945 if (!TrimmedG.get()) 1946 llvm::errs() << "warning: Trimmed ExplodedGraph is empty.\n"; 1947 else 1948 llvm::ViewGraph(*TrimmedG->roots_begin(), "TrimmedExprEngine"); 1949 1950 GraphPrintCheckerState = NULL; 1951 GraphPrintSourceManager = NULL; 1952 #endif 1953 } 1954