1 //===- ExprEngineCXX.cpp - ExprEngine support for C++ -----------*- C++ -*-===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file defines the C++ expression evaluation engine. 10 // 11 //===----------------------------------------------------------------------===// 12 13 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 14 #include "clang/Analysis/ConstructionContext.h" 15 #include "clang/AST/DeclCXX.h" 16 #include "clang/AST/StmtCXX.h" 17 #include "clang/AST/ParentMap.h" 18 #include "clang/Basic/PrettyStackTrace.h" 19 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 20 #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" 21 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 22 23 using namespace clang; 24 using namespace ento; 25 26 void ExprEngine::CreateCXXTemporaryObject(const MaterializeTemporaryExpr *ME, 27 ExplodedNode *Pred, 28 ExplodedNodeSet &Dst) { 29 StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); 30 const Expr *tempExpr = ME->GetTemporaryExpr()->IgnoreParens(); 31 ProgramStateRef state = Pred->getState(); 32 const LocationContext *LCtx = Pred->getLocationContext(); 33 34 state = createTemporaryRegionIfNeeded(state, LCtx, tempExpr, ME); 35 Bldr.generateNode(ME, Pred, state); 36 } 37 38 // FIXME: This is the sort of code that should eventually live in a Core 39 // checker rather than as a special case in ExprEngine. 40 void ExprEngine::performTrivialCopy(NodeBuilder &Bldr, ExplodedNode *Pred, 41 const CallEvent &Call) { 42 SVal ThisVal; 43 bool AlwaysReturnsLValue; 44 const CXXRecordDecl *ThisRD = nullptr; 45 if (const CXXConstructorCall *Ctor = dyn_cast<CXXConstructorCall>(&Call)) { 46 assert(Ctor->getDecl()->isTrivial()); 47 assert(Ctor->getDecl()->isCopyOrMoveConstructor()); 48 ThisVal = Ctor->getCXXThisVal(); 49 ThisRD = Ctor->getDecl()->getParent(); 50 AlwaysReturnsLValue = false; 51 } else { 52 assert(cast<CXXMethodDecl>(Call.getDecl())->isTrivial()); 53 assert(cast<CXXMethodDecl>(Call.getDecl())->getOverloadedOperator() == 54 OO_Equal); 55 ThisVal = cast<CXXInstanceCall>(Call).getCXXThisVal(); 56 ThisRD = cast<CXXMethodDecl>(Call.getDecl())->getParent(); 57 AlwaysReturnsLValue = true; 58 } 59 60 assert(ThisRD); 61 if (ThisRD->isEmpty()) { 62 // Do nothing for empty classes. Otherwise it'd retrieve an UnknownVal 63 // and bind it and RegionStore would think that the actual value 64 // in this region at this offset is unknown. 65 return; 66 } 67 68 const LocationContext *LCtx = Pred->getLocationContext(); 69 70 ExplodedNodeSet Dst; 71 Bldr.takeNodes(Pred); 72 73 SVal V = Call.getArgSVal(0); 74 75 // If the value being copied is not unknown, load from its location to get 76 // an aggregate rvalue. 77 if (Optional<Loc> L = V.getAs<Loc>()) 78 V = Pred->getState()->getSVal(*L); 79 else 80 assert(V.isUnknownOrUndef()); 81 82 const Expr *CallExpr = Call.getOriginExpr(); 83 evalBind(Dst, CallExpr, Pred, ThisVal, V, true); 84 85 PostStmt PS(CallExpr, LCtx); 86 for (ExplodedNodeSet::iterator I = Dst.begin(), E = Dst.end(); 87 I != E; ++I) { 88 ProgramStateRef State = (*I)->getState(); 89 if (AlwaysReturnsLValue) 90 State = State->BindExpr(CallExpr, LCtx, ThisVal); 91 else 92 State = bindReturnValue(Call, LCtx, State); 93 Bldr.generateNode(PS, State, *I); 94 } 95 } 96 97 98 SVal ExprEngine::makeZeroElementRegion(ProgramStateRef State, SVal LValue, 99 QualType &Ty, bool &IsArray) { 100 SValBuilder &SVB = State->getStateManager().getSValBuilder(); 101 ASTContext &Ctx = SVB.getContext(); 102 103 while (const ArrayType *AT = Ctx.getAsArrayType(Ty)) { 104 Ty = AT->getElementType(); 105 LValue = State->getLValue(Ty, SVB.makeZeroArrayIndex(), LValue); 106 IsArray = true; 107 } 108 109 return LValue; 110 } 111 112 std::pair<ProgramStateRef, SVal> ExprEngine::prepareForObjectConstruction( 113 const Expr *E, ProgramStateRef State, const LocationContext *LCtx, 114 const ConstructionContext *CC, EvalCallOptions &CallOpts) { 115 SValBuilder &SVB = getSValBuilder(); 116 MemRegionManager &MRMgr = SVB.getRegionManager(); 117 ASTContext &ACtx = SVB.getContext(); 118 119 // See if we're constructing an existing region by looking at the 120 // current construction context. 121 if (CC) { 122 switch (CC->getKind()) { 123 case ConstructionContext::CXX17ElidedCopyVariableKind: 124 case ConstructionContext::SimpleVariableKind: { 125 const auto *DSCC = cast<VariableConstructionContext>(CC); 126 const auto *DS = DSCC->getDeclStmt(); 127 const auto *Var = cast<VarDecl>(DS->getSingleDecl()); 128 SVal LValue = State->getLValue(Var, LCtx); 129 QualType Ty = Var->getType(); 130 LValue = 131 makeZeroElementRegion(State, LValue, Ty, CallOpts.IsArrayCtorOrDtor); 132 State = 133 addObjectUnderConstruction(State, DSCC->getDeclStmt(), LCtx, LValue); 134 return std::make_pair(State, LValue); 135 } 136 case ConstructionContext::CXX17ElidedCopyConstructorInitializerKind: 137 case ConstructionContext::SimpleConstructorInitializerKind: { 138 const auto *ICC = cast<ConstructorInitializerConstructionContext>(CC); 139 const auto *Init = ICC->getCXXCtorInitializer(); 140 assert(Init->isAnyMemberInitializer()); 141 const CXXMethodDecl *CurCtor = cast<CXXMethodDecl>(LCtx->getDecl()); 142 Loc ThisPtr = 143 SVB.getCXXThis(CurCtor, LCtx->getStackFrame()); 144 SVal ThisVal = State->getSVal(ThisPtr); 145 146 const ValueDecl *Field; 147 SVal FieldVal; 148 if (Init->isIndirectMemberInitializer()) { 149 Field = Init->getIndirectMember(); 150 FieldVal = State->getLValue(Init->getIndirectMember(), ThisVal); 151 } else { 152 Field = Init->getMember(); 153 FieldVal = State->getLValue(Init->getMember(), ThisVal); 154 } 155 156 QualType Ty = Field->getType(); 157 FieldVal = makeZeroElementRegion(State, FieldVal, Ty, 158 CallOpts.IsArrayCtorOrDtor); 159 State = addObjectUnderConstruction(State, Init, LCtx, FieldVal); 160 return std::make_pair(State, FieldVal); 161 } 162 case ConstructionContext::NewAllocatedObjectKind: { 163 if (AMgr.getAnalyzerOptions().MayInlineCXXAllocator) { 164 const auto *NECC = cast<NewAllocatedObjectConstructionContext>(CC); 165 const auto *NE = NECC->getCXXNewExpr(); 166 SVal V = *getObjectUnderConstruction(State, NE, LCtx); 167 if (const SubRegion *MR = 168 dyn_cast_or_null<SubRegion>(V.getAsRegion())) { 169 if (NE->isArray()) { 170 // TODO: In fact, we need to call the constructor for every 171 // allocated element, not just the first one! 172 CallOpts.IsArrayCtorOrDtor = true; 173 return std::make_pair( 174 State, loc::MemRegionVal(getStoreManager().GetElementZeroRegion( 175 MR, NE->getType()->getPointeeType()))); 176 } 177 return std::make_pair(State, V); 178 } 179 // TODO: Detect when the allocator returns a null pointer. 180 // Constructor shall not be called in this case. 181 } 182 break; 183 } 184 case ConstructionContext::SimpleReturnedValueKind: 185 case ConstructionContext::CXX17ElidedCopyReturnedValueKind: { 186 // The temporary is to be managed by the parent stack frame. 187 // So build it in the parent stack frame if we're not in the 188 // top frame of the analysis. 189 const StackFrameContext *SFC = LCtx->getStackFrame(); 190 if (const LocationContext *CallerLCtx = SFC->getParent()) { 191 auto RTC = (*SFC->getCallSiteBlock())[SFC->getIndex()] 192 .getAs<CFGCXXRecordTypedCall>(); 193 if (!RTC) { 194 // We were unable to find the correct construction context for the 195 // call in the parent stack frame. This is equivalent to not being 196 // able to find construction context at all. 197 break; 198 } 199 return prepareForObjectConstruction( 200 cast<Expr>(SFC->getCallSite()), State, CallerLCtx, 201 RTC->getConstructionContext(), CallOpts); 202 } else { 203 // We are on the top frame of the analysis. We do not know where is the 204 // object returned to. Conjure a symbolic region for the return value. 205 // TODO: We probably need a new MemRegion kind to represent the storage 206 // of that SymbolicRegion, so that we cound produce a fancy symbol 207 // instead of an anonymous conjured symbol. 208 // TODO: Do we need to track the region to avoid having it dead 209 // too early? It does die too early, at least in C++17, but because 210 // putting anything into a SymbolicRegion causes an immediate escape, 211 // it doesn't cause any leak false positives. 212 const auto *RCC = cast<ReturnedValueConstructionContext>(CC); 213 // Make sure that this doesn't coincide with any other symbol 214 // conjured for the returned expression. 215 static const int TopLevelSymRegionTag = 0; 216 const Expr *RetE = RCC->getReturnStmt()->getRetValue(); 217 assert(RetE && "Void returns should not have a construction context"); 218 QualType ReturnTy = RetE->getType(); 219 QualType RegionTy = ACtx.getPointerType(ReturnTy); 220 SVal V = SVB.conjureSymbolVal(&TopLevelSymRegionTag, RetE, SFC, 221 RegionTy, currBldrCtx->blockCount()); 222 return std::make_pair(State, V); 223 } 224 llvm_unreachable("Unhandled return value construction context!"); 225 } 226 case ConstructionContext::ElidedTemporaryObjectKind: { 227 assert(AMgr.getAnalyzerOptions().ShouldElideConstructors); 228 const auto *TCC = cast<ElidedTemporaryObjectConstructionContext>(CC); 229 const CXXBindTemporaryExpr *BTE = TCC->getCXXBindTemporaryExpr(); 230 const MaterializeTemporaryExpr *MTE = TCC->getMaterializedTemporaryExpr(); 231 const CXXConstructExpr *CE = TCC->getConstructorAfterElision(); 232 233 // Support pre-C++17 copy elision. We'll have the elidable copy 234 // constructor in the AST and in the CFG, but we'll skip it 235 // and construct directly into the final object. This call 236 // also sets the CallOpts flags for us. 237 SVal V; 238 // If the elided copy/move constructor is not supported, there's still 239 // benefit in trying to model the non-elided constructor. 240 // Stash our state before trying to elide, as it'll get overwritten. 241 ProgramStateRef PreElideState = State; 242 EvalCallOptions PreElideCallOpts = CallOpts; 243 244 std::tie(State, V) = prepareForObjectConstruction( 245 CE, State, LCtx, TCC->getConstructionContextAfterElision(), CallOpts); 246 247 // FIXME: This definition of "copy elision has not failed" is unreliable. 248 // It doesn't indicate that the constructor will actually be inlined 249 // later; it is still up to evalCall() to decide. 250 if (!CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion) { 251 // Remember that we've elided the constructor. 252 State = addObjectUnderConstruction(State, CE, LCtx, V); 253 254 // Remember that we've elided the destructor. 255 if (BTE) 256 State = elideDestructor(State, BTE, LCtx); 257 258 // Instead of materialization, shamelessly return 259 // the final object destination. 260 if (MTE) 261 State = addObjectUnderConstruction(State, MTE, LCtx, V); 262 263 return std::make_pair(State, V); 264 } else { 265 // Copy elision failed. Revert the changes and proceed as if we have 266 // a simple temporary. 267 State = PreElideState; 268 CallOpts = PreElideCallOpts; 269 } 270 LLVM_FALLTHROUGH; 271 } 272 case ConstructionContext::SimpleTemporaryObjectKind: { 273 const auto *TCC = cast<TemporaryObjectConstructionContext>(CC); 274 const CXXBindTemporaryExpr *BTE = TCC->getCXXBindTemporaryExpr(); 275 const MaterializeTemporaryExpr *MTE = TCC->getMaterializedTemporaryExpr(); 276 SVal V = UnknownVal(); 277 278 if (MTE) { 279 if (const ValueDecl *VD = MTE->getExtendingDecl()) { 280 assert(MTE->getStorageDuration() != SD_FullExpression); 281 if (!VD->getType()->isReferenceType()) { 282 // We're lifetime-extended by a surrounding aggregate. 283 // Automatic destructors aren't quite working in this case 284 // on the CFG side. We should warn the caller about that. 285 // FIXME: Is there a better way to retrieve this information from 286 // the MaterializeTemporaryExpr? 287 CallOpts.IsTemporaryLifetimeExtendedViaAggregate = true; 288 } 289 } 290 291 if (MTE->getStorageDuration() == SD_Static || 292 MTE->getStorageDuration() == SD_Thread) 293 V = loc::MemRegionVal(MRMgr.getCXXStaticTempObjectRegion(E)); 294 } 295 296 if (V.isUnknown()) 297 V = loc::MemRegionVal(MRMgr.getCXXTempObjectRegion(E, LCtx)); 298 299 if (BTE) 300 State = addObjectUnderConstruction(State, BTE, LCtx, V); 301 302 if (MTE) 303 State = addObjectUnderConstruction(State, MTE, LCtx, V); 304 305 CallOpts.IsTemporaryCtorOrDtor = true; 306 return std::make_pair(State, V); 307 } 308 case ConstructionContext::ArgumentKind: { 309 // Arguments are technically temporaries. 310 CallOpts.IsTemporaryCtorOrDtor = true; 311 312 const auto *ACC = cast<ArgumentConstructionContext>(CC); 313 const Expr *E = ACC->getCallLikeExpr(); 314 unsigned Idx = ACC->getIndex(); 315 const CXXBindTemporaryExpr *BTE = ACC->getCXXBindTemporaryExpr(); 316 317 CallEventManager &CEMgr = getStateManager().getCallEventManager(); 318 SVal V = UnknownVal(); 319 auto getArgLoc = [&](CallEventRef<> Caller) -> Optional<SVal> { 320 const LocationContext *FutureSFC = Caller->getCalleeStackFrame(); 321 // Return early if we are unable to reliably foresee 322 // the future stack frame. 323 if (!FutureSFC) 324 return None; 325 326 // This should be equivalent to Caller->getDecl() for now, but 327 // FutureSFC->getDecl() is likely to support better stuff (like 328 // virtual functions) earlier. 329 const Decl *CalleeD = FutureSFC->getDecl(); 330 331 // FIXME: Support for variadic arguments is not implemented here yet. 332 if (CallEvent::isVariadic(CalleeD)) 333 return None; 334 335 // Operator arguments do not correspond to operator parameters 336 // because this-argument is implemented as a normal argument in 337 // operator call expressions but not in operator declarations. 338 const VarRegion *VR = Caller->getParameterLocation( 339 *Caller->getAdjustedParameterIndex(Idx)); 340 if (!VR) 341 return None; 342 343 return loc::MemRegionVal(VR); 344 }; 345 346 if (const auto *CE = dyn_cast<CallExpr>(E)) { 347 CallEventRef<> Caller = CEMgr.getSimpleCall(CE, State, LCtx); 348 if (auto OptV = getArgLoc(Caller)) 349 V = *OptV; 350 else 351 break; 352 State = addObjectUnderConstruction(State, {CE, Idx}, LCtx, V); 353 } else if (const auto *CCE = dyn_cast<CXXConstructExpr>(E)) { 354 // Don't bother figuring out the target region for the future 355 // constructor because we won't need it. 356 CallEventRef<> Caller = 357 CEMgr.getCXXConstructorCall(CCE, /*Target=*/nullptr, State, LCtx); 358 if (auto OptV = getArgLoc(Caller)) 359 V = *OptV; 360 else 361 break; 362 State = addObjectUnderConstruction(State, {CCE, Idx}, LCtx, V); 363 } else if (const auto *ME = dyn_cast<ObjCMessageExpr>(E)) { 364 CallEventRef<> Caller = CEMgr.getObjCMethodCall(ME, State, LCtx); 365 if (auto OptV = getArgLoc(Caller)) 366 V = *OptV; 367 else 368 break; 369 State = addObjectUnderConstruction(State, {ME, Idx}, LCtx, V); 370 } 371 372 assert(!V.isUnknown()); 373 374 if (BTE) 375 State = addObjectUnderConstruction(State, BTE, LCtx, V); 376 377 return std::make_pair(State, V); 378 } 379 } 380 } 381 // If we couldn't find an existing region to construct into, assume we're 382 // constructing a temporary. Notify the caller of our failure. 383 CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true; 384 return std::make_pair( 385 State, loc::MemRegionVal(MRMgr.getCXXTempObjectRegion(E, LCtx))); 386 } 387 388 void ExprEngine::VisitCXXConstructExpr(const CXXConstructExpr *CE, 389 ExplodedNode *Pred, 390 ExplodedNodeSet &destNodes) { 391 const LocationContext *LCtx = Pred->getLocationContext(); 392 ProgramStateRef State = Pred->getState(); 393 394 SVal Target = UnknownVal(); 395 396 if (Optional<SVal> ElidedTarget = 397 getObjectUnderConstruction(State, CE, LCtx)) { 398 // We've previously modeled an elidable constructor by pretending that it in 399 // fact constructs into the correct target. This constructor can therefore 400 // be skipped. 401 Target = *ElidedTarget; 402 StmtNodeBuilder Bldr(Pred, destNodes, *currBldrCtx); 403 State = finishObjectConstruction(State, CE, LCtx); 404 if (auto L = Target.getAs<Loc>()) 405 State = State->BindExpr(CE, LCtx, State->getSVal(*L, CE->getType())); 406 Bldr.generateNode(CE, Pred, State); 407 return; 408 } 409 410 // FIXME: Handle arrays, which run the same constructor for every element. 411 // For now, we just run the first constructor (which should still invalidate 412 // the entire array). 413 414 EvalCallOptions CallOpts; 415 auto C = getCurrentCFGElement().getAs<CFGConstructor>(); 416 assert(C || getCurrentCFGElement().getAs<CFGStmt>()); 417 const ConstructionContext *CC = C ? C->getConstructionContext() : nullptr; 418 419 switch (CE->getConstructionKind()) { 420 case CXXConstructExpr::CK_Complete: { 421 std::tie(State, Target) = 422 prepareForObjectConstruction(CE, State, LCtx, CC, CallOpts); 423 break; 424 } 425 case CXXConstructExpr::CK_VirtualBase: 426 // Make sure we are not calling virtual base class initializers twice. 427 // Only the most-derived object should initialize virtual base classes. 428 if (const Stmt *Outer = LCtx->getStackFrame()->getCallSite()) { 429 const CXXConstructExpr *OuterCtor = dyn_cast<CXXConstructExpr>(Outer); 430 if (OuterCtor) { 431 switch (OuterCtor->getConstructionKind()) { 432 case CXXConstructExpr::CK_NonVirtualBase: 433 case CXXConstructExpr::CK_VirtualBase: 434 // Bail out! 435 destNodes.Add(Pred); 436 return; 437 case CXXConstructExpr::CK_Complete: 438 case CXXConstructExpr::CK_Delegating: 439 break; 440 } 441 } 442 } 443 LLVM_FALLTHROUGH; 444 case CXXConstructExpr::CK_NonVirtualBase: 445 // In C++17, classes with non-virtual bases may be aggregates, so they would 446 // be initialized as aggregates without a constructor call, so we may have 447 // a base class constructed directly into an initializer list without 448 // having the derived-class constructor call on the previous stack frame. 449 // Initializer lists may be nested into more initializer lists that 450 // correspond to surrounding aggregate initializations. 451 // FIXME: For now this code essentially bails out. We need to find the 452 // correct target region and set it. 453 // FIXME: Instead of relying on the ParentMap, we should have the 454 // trigger-statement (InitListExpr in this case) passed down from CFG or 455 // otherwise always available during construction. 456 if (dyn_cast_or_null<InitListExpr>(LCtx->getParentMap().getParent(CE))) { 457 MemRegionManager &MRMgr = getSValBuilder().getRegionManager(); 458 Target = loc::MemRegionVal(MRMgr.getCXXTempObjectRegion(CE, LCtx)); 459 CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true; 460 break; 461 } 462 LLVM_FALLTHROUGH; 463 case CXXConstructExpr::CK_Delegating: { 464 const CXXMethodDecl *CurCtor = cast<CXXMethodDecl>(LCtx->getDecl()); 465 Loc ThisPtr = getSValBuilder().getCXXThis(CurCtor, 466 LCtx->getStackFrame()); 467 SVal ThisVal = State->getSVal(ThisPtr); 468 469 if (CE->getConstructionKind() == CXXConstructExpr::CK_Delegating) { 470 Target = ThisVal; 471 } else { 472 // Cast to the base type. 473 bool IsVirtual = 474 (CE->getConstructionKind() == CXXConstructExpr::CK_VirtualBase); 475 SVal BaseVal = getStoreManager().evalDerivedToBase(ThisVal, CE->getType(), 476 IsVirtual); 477 Target = BaseVal; 478 } 479 break; 480 } 481 } 482 483 if (State != Pred->getState()) { 484 static SimpleProgramPointTag T("ExprEngine", 485 "Prepare for object construction"); 486 ExplodedNodeSet DstPrepare; 487 StmtNodeBuilder BldrPrepare(Pred, DstPrepare, *currBldrCtx); 488 BldrPrepare.generateNode(CE, Pred, State, &T, ProgramPoint::PreStmtKind); 489 assert(DstPrepare.size() <= 1); 490 if (DstPrepare.size() == 0) 491 return; 492 Pred = *BldrPrepare.begin(); 493 } 494 495 CallEventManager &CEMgr = getStateManager().getCallEventManager(); 496 CallEventRef<CXXConstructorCall> Call = 497 CEMgr.getCXXConstructorCall(CE, Target.getAsRegion(), State, LCtx); 498 499 ExplodedNodeSet DstPreVisit; 500 getCheckerManager().runCheckersForPreStmt(DstPreVisit, Pred, CE, *this); 501 502 // FIXME: Is it possible and/or useful to do this before PreStmt? 503 ExplodedNodeSet PreInitialized; 504 { 505 StmtNodeBuilder Bldr(DstPreVisit, PreInitialized, *currBldrCtx); 506 for (ExplodedNodeSet::iterator I = DstPreVisit.begin(), 507 E = DstPreVisit.end(); 508 I != E; ++I) { 509 ProgramStateRef State = (*I)->getState(); 510 if (CE->requiresZeroInitialization()) { 511 // FIXME: Once we properly handle constructors in new-expressions, we'll 512 // need to invalidate the region before setting a default value, to make 513 // sure there aren't any lingering bindings around. This probably needs 514 // to happen regardless of whether or not the object is zero-initialized 515 // to handle random fields of a placement-initialized object picking up 516 // old bindings. We might only want to do it when we need to, though. 517 // FIXME: This isn't actually correct for arrays -- we need to zero- 518 // initialize the entire array, not just the first element -- but our 519 // handling of arrays everywhere else is weak as well, so this shouldn't 520 // actually make things worse. Placement new makes this tricky as well, 521 // since it's then possible to be initializing one part of a multi- 522 // dimensional array. 523 State = State->bindDefaultZero(Target, LCtx); 524 } 525 526 Bldr.generateNode(CE, *I, State, /*tag=*/nullptr, 527 ProgramPoint::PreStmtKind); 528 } 529 } 530 531 ExplodedNodeSet DstPreCall; 532 getCheckerManager().runCheckersForPreCall(DstPreCall, PreInitialized, 533 *Call, *this); 534 535 ExplodedNodeSet DstEvaluated; 536 StmtNodeBuilder Bldr(DstPreCall, DstEvaluated, *currBldrCtx); 537 538 if (CE->getConstructor()->isTrivial() && 539 CE->getConstructor()->isCopyOrMoveConstructor() && 540 !CallOpts.IsArrayCtorOrDtor) { 541 // FIXME: Handle other kinds of trivial constructors as well. 542 for (ExplodedNodeSet::iterator I = DstPreCall.begin(), E = DstPreCall.end(); 543 I != E; ++I) 544 performTrivialCopy(Bldr, *I, *Call); 545 546 } else { 547 for (ExplodedNodeSet::iterator I = DstPreCall.begin(), E = DstPreCall.end(); 548 I != E; ++I) 549 defaultEvalCall(Bldr, *I, *Call, CallOpts); 550 } 551 552 // If the CFG was constructed without elements for temporary destructors 553 // and the just-called constructor created a temporary object then 554 // stop exploration if the temporary object has a noreturn constructor. 555 // This can lose coverage because the destructor, if it were present 556 // in the CFG, would be called at the end of the full expression or 557 // later (for life-time extended temporaries) -- but avoids infeasible 558 // paths when no-return temporary destructors are used for assertions. 559 const AnalysisDeclContext *ADC = LCtx->getAnalysisDeclContext(); 560 if (!ADC->getCFGBuildOptions().AddTemporaryDtors) { 561 const MemRegion *Target = Call->getCXXThisVal().getAsRegion(); 562 if (Target && isa<CXXTempObjectRegion>(Target) && 563 Call->getDecl()->getParent()->isAnyDestructorNoReturn()) { 564 565 // If we've inlined the constructor, then DstEvaluated would be empty. 566 // In this case we still want a sink, which could be implemented 567 // in processCallExit. But we don't have that implemented at the moment, 568 // so if you hit this assertion, see if you can avoid inlining 569 // the respective constructor when analyzer-config cfg-temporary-dtors 570 // is set to false. 571 // Otherwise there's nothing wrong with inlining such constructor. 572 assert(!DstEvaluated.empty() && 573 "We should not have inlined this constructor!"); 574 575 for (ExplodedNode *N : DstEvaluated) { 576 Bldr.generateSink(CE, N, N->getState()); 577 } 578 579 // There is no need to run the PostCall and PostStmt checker 580 // callbacks because we just generated sinks on all nodes in th 581 // frontier. 582 return; 583 } 584 } 585 586 ExplodedNodeSet DstPostArgumentCleanup; 587 for (auto I : DstEvaluated) 588 finishArgumentConstruction(DstPostArgumentCleanup, I, *Call); 589 590 // If there were other constructors called for object-type arguments 591 // of this constructor, clean them up. 592 ExplodedNodeSet DstPostCall; 593 getCheckerManager().runCheckersForPostCall(DstPostCall, 594 DstPostArgumentCleanup, 595 *Call, *this); 596 getCheckerManager().runCheckersForPostStmt(destNodes, DstPostCall, CE, *this); 597 } 598 599 void ExprEngine::VisitCXXDestructor(QualType ObjectType, 600 const MemRegion *Dest, 601 const Stmt *S, 602 bool IsBaseDtor, 603 ExplodedNode *Pred, 604 ExplodedNodeSet &Dst, 605 const EvalCallOptions &CallOpts) { 606 assert(S && "A destructor without a trigger!"); 607 const LocationContext *LCtx = Pred->getLocationContext(); 608 ProgramStateRef State = Pred->getState(); 609 610 const CXXRecordDecl *RecordDecl = ObjectType->getAsCXXRecordDecl(); 611 assert(RecordDecl && "Only CXXRecordDecls should have destructors"); 612 const CXXDestructorDecl *DtorDecl = RecordDecl->getDestructor(); 613 614 // FIXME: There should always be a Decl, otherwise the destructor call 615 // shouldn't have been added to the CFG in the first place. 616 if (!DtorDecl) { 617 // Skip the invalid destructor. We cannot simply return because 618 // it would interrupt the analysis instead. 619 static SimpleProgramPointTag T("ExprEngine", "SkipInvalidDestructor"); 620 // FIXME: PostImplicitCall with a null decl may crash elsewhere anyway. 621 PostImplicitCall PP(/*Decl=*/nullptr, S->getEndLoc(), LCtx, &T); 622 NodeBuilder Bldr(Pred, Dst, *currBldrCtx); 623 Bldr.generateNode(PP, Pred->getState(), Pred); 624 return; 625 } 626 627 CallEventManager &CEMgr = getStateManager().getCallEventManager(); 628 CallEventRef<CXXDestructorCall> Call = 629 CEMgr.getCXXDestructorCall(DtorDecl, S, Dest, IsBaseDtor, State, LCtx); 630 631 PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), 632 Call->getSourceRange().getBegin(), 633 "Error evaluating destructor"); 634 635 ExplodedNodeSet DstPreCall; 636 getCheckerManager().runCheckersForPreCall(DstPreCall, Pred, 637 *Call, *this); 638 639 ExplodedNodeSet DstInvalidated; 640 StmtNodeBuilder Bldr(DstPreCall, DstInvalidated, *currBldrCtx); 641 for (ExplodedNodeSet::iterator I = DstPreCall.begin(), E = DstPreCall.end(); 642 I != E; ++I) 643 defaultEvalCall(Bldr, *I, *Call, CallOpts); 644 645 getCheckerManager().runCheckersForPostCall(Dst, DstInvalidated, 646 *Call, *this); 647 } 648 649 void ExprEngine::VisitCXXNewAllocatorCall(const CXXNewExpr *CNE, 650 ExplodedNode *Pred, 651 ExplodedNodeSet &Dst) { 652 ProgramStateRef State = Pred->getState(); 653 const LocationContext *LCtx = Pred->getLocationContext(); 654 PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), 655 CNE->getBeginLoc(), 656 "Error evaluating New Allocator Call"); 657 CallEventManager &CEMgr = getStateManager().getCallEventManager(); 658 CallEventRef<CXXAllocatorCall> Call = 659 CEMgr.getCXXAllocatorCall(CNE, State, LCtx); 660 661 ExplodedNodeSet DstPreCall; 662 getCheckerManager().runCheckersForPreCall(DstPreCall, Pred, 663 *Call, *this); 664 665 ExplodedNodeSet DstPostCall; 666 StmtNodeBuilder CallBldr(DstPreCall, DstPostCall, *currBldrCtx); 667 for (auto I : DstPreCall) { 668 // FIXME: Provide evalCall for checkers? 669 defaultEvalCall(CallBldr, I, *Call); 670 } 671 // If the call is inlined, DstPostCall will be empty and we bail out now. 672 673 // Store return value of operator new() for future use, until the actual 674 // CXXNewExpr gets processed. 675 ExplodedNodeSet DstPostValue; 676 StmtNodeBuilder ValueBldr(DstPostCall, DstPostValue, *currBldrCtx); 677 for (auto I : DstPostCall) { 678 // FIXME: Because CNE serves as the "call site" for the allocator (due to 679 // lack of a better expression in the AST), the conjured return value symbol 680 // is going to be of the same type (C++ object pointer type). Technically 681 // this is not correct because the operator new's prototype always says that 682 // it returns a 'void *'. So we should change the type of the symbol, 683 // and then evaluate the cast over the symbolic pointer from 'void *' to 684 // the object pointer type. But without changing the symbol's type it 685 // is breaking too much to evaluate the no-op symbolic cast over it, so we 686 // skip it for now. 687 ProgramStateRef State = I->getState(); 688 SVal RetVal = State->getSVal(CNE, LCtx); 689 690 // If this allocation function is not declared as non-throwing, failures 691 // /must/ be signalled by exceptions, and thus the return value will never 692 // be NULL. -fno-exceptions does not influence this semantics. 693 // FIXME: GCC has a -fcheck-new option, which forces it to consider the case 694 // where new can return NULL. If we end up supporting that option, we can 695 // consider adding a check for it here. 696 // C++11 [basic.stc.dynamic.allocation]p3. 697 if (const FunctionDecl *FD = CNE->getOperatorNew()) { 698 QualType Ty = FD->getType(); 699 if (const auto *ProtoType = Ty->getAs<FunctionProtoType>()) 700 if (!ProtoType->isNothrow()) 701 State = State->assume(RetVal.castAs<DefinedOrUnknownSVal>(), true); 702 } 703 704 ValueBldr.generateNode( 705 CNE, I, addObjectUnderConstruction(State, CNE, LCtx, RetVal)); 706 } 707 708 ExplodedNodeSet DstPostPostCallCallback; 709 getCheckerManager().runCheckersForPostCall(DstPostPostCallCallback, 710 DstPostValue, *Call, *this); 711 for (auto I : DstPostPostCallCallback) { 712 getCheckerManager().runCheckersForNewAllocator( 713 CNE, *getObjectUnderConstruction(I->getState(), CNE, LCtx), Dst, I, 714 *this); 715 } 716 } 717 718 void ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred, 719 ExplodedNodeSet &Dst) { 720 // FIXME: Much of this should eventually migrate to CXXAllocatorCall. 721 // Also, we need to decide how allocators actually work -- they're not 722 // really part of the CXXNewExpr because they happen BEFORE the 723 // CXXConstructExpr subexpression. See PR12014 for some discussion. 724 725 unsigned blockCount = currBldrCtx->blockCount(); 726 const LocationContext *LCtx = Pred->getLocationContext(); 727 SVal symVal = UnknownVal(); 728 FunctionDecl *FD = CNE->getOperatorNew(); 729 730 bool IsStandardGlobalOpNewFunction = 731 FD->isReplaceableGlobalAllocationFunction(); 732 733 ProgramStateRef State = Pred->getState(); 734 735 // Retrieve the stored operator new() return value. 736 if (AMgr.getAnalyzerOptions().MayInlineCXXAllocator) { 737 symVal = *getObjectUnderConstruction(State, CNE, LCtx); 738 State = finishObjectConstruction(State, CNE, LCtx); 739 } 740 741 // We assume all standard global 'operator new' functions allocate memory in 742 // heap. We realize this is an approximation that might not correctly model 743 // a custom global allocator. 744 if (symVal.isUnknown()) { 745 if (IsStandardGlobalOpNewFunction) 746 symVal = svalBuilder.getConjuredHeapSymbolVal(CNE, LCtx, blockCount); 747 else 748 symVal = svalBuilder.conjureSymbolVal(nullptr, CNE, LCtx, CNE->getType(), 749 blockCount); 750 } 751 752 CallEventManager &CEMgr = getStateManager().getCallEventManager(); 753 CallEventRef<CXXAllocatorCall> Call = 754 CEMgr.getCXXAllocatorCall(CNE, State, LCtx); 755 756 if (!AMgr.getAnalyzerOptions().MayInlineCXXAllocator) { 757 // Invalidate placement args. 758 // FIXME: Once we figure out how we want allocators to work, 759 // we should be using the usual pre-/(default-)eval-/post-call checks here. 760 State = Call->invalidateRegions(blockCount); 761 if (!State) 762 return; 763 764 // If this allocation function is not declared as non-throwing, failures 765 // /must/ be signalled by exceptions, and thus the return value will never 766 // be NULL. -fno-exceptions does not influence this semantics. 767 // FIXME: GCC has a -fcheck-new option, which forces it to consider the case 768 // where new can return NULL. If we end up supporting that option, we can 769 // consider adding a check for it here. 770 // C++11 [basic.stc.dynamic.allocation]p3. 771 if (FD) { 772 QualType Ty = FD->getType(); 773 if (const auto *ProtoType = Ty->getAs<FunctionProtoType>()) 774 if (!ProtoType->isNothrow()) 775 if (auto dSymVal = symVal.getAs<DefinedOrUnknownSVal>()) 776 State = State->assume(*dSymVal, true); 777 } 778 } 779 780 StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); 781 782 SVal Result = symVal; 783 784 if (CNE->isArray()) { 785 // FIXME: allocating an array requires simulating the constructors. 786 // For now, just return a symbolicated region. 787 if (const SubRegion *NewReg = 788 dyn_cast_or_null<SubRegion>(symVal.getAsRegion())) { 789 QualType ObjTy = CNE->getType()->getAs<PointerType>()->getPointeeType(); 790 const ElementRegion *EleReg = 791 getStoreManager().GetElementZeroRegion(NewReg, ObjTy); 792 Result = loc::MemRegionVal(EleReg); 793 } 794 State = State->BindExpr(CNE, Pred->getLocationContext(), Result); 795 Bldr.generateNode(CNE, Pred, State); 796 return; 797 } 798 799 // FIXME: Once we have proper support for CXXConstructExprs inside 800 // CXXNewExpr, we need to make sure that the constructed object is not 801 // immediately invalidated here. (The placement call should happen before 802 // the constructor call anyway.) 803 if (FD && FD->isReservedGlobalPlacementOperator()) { 804 // Non-array placement new should always return the placement location. 805 SVal PlacementLoc = State->getSVal(CNE->getPlacementArg(0), LCtx); 806 Result = svalBuilder.evalCast(PlacementLoc, CNE->getType(), 807 CNE->getPlacementArg(0)->getType()); 808 } 809 810 // Bind the address of the object, then check to see if we cached out. 811 State = State->BindExpr(CNE, LCtx, Result); 812 ExplodedNode *NewN = Bldr.generateNode(CNE, Pred, State); 813 if (!NewN) 814 return; 815 816 // If the type is not a record, we won't have a CXXConstructExpr as an 817 // initializer. Copy the value over. 818 if (const Expr *Init = CNE->getInitializer()) { 819 if (!isa<CXXConstructExpr>(Init)) { 820 assert(Bldr.getResults().size() == 1); 821 Bldr.takeNodes(NewN); 822 evalBind(Dst, CNE, NewN, Result, State->getSVal(Init, LCtx), 823 /*FirstInit=*/IsStandardGlobalOpNewFunction); 824 } 825 } 826 } 827 828 void ExprEngine::VisitCXXDeleteExpr(const CXXDeleteExpr *CDE, 829 ExplodedNode *Pred, ExplodedNodeSet &Dst) { 830 StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); 831 ProgramStateRef state = Pred->getState(); 832 Bldr.generateNode(CDE, Pred, state); 833 } 834 835 void ExprEngine::VisitCXXCatchStmt(const CXXCatchStmt *CS, 836 ExplodedNode *Pred, 837 ExplodedNodeSet &Dst) { 838 const VarDecl *VD = CS->getExceptionDecl(); 839 if (!VD) { 840 Dst.Add(Pred); 841 return; 842 } 843 844 const LocationContext *LCtx = Pred->getLocationContext(); 845 SVal V = svalBuilder.conjureSymbolVal(CS, LCtx, VD->getType(), 846 currBldrCtx->blockCount()); 847 ProgramStateRef state = Pred->getState(); 848 state = state->bindLoc(state->getLValue(VD, LCtx), V, LCtx); 849 850 StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); 851 Bldr.generateNode(CS, Pred, state); 852 } 853 854 void ExprEngine::VisitCXXThisExpr(const CXXThisExpr *TE, ExplodedNode *Pred, 855 ExplodedNodeSet &Dst) { 856 StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); 857 858 // Get the this object region from StoreManager. 859 const LocationContext *LCtx = Pred->getLocationContext(); 860 const MemRegion *R = 861 svalBuilder.getRegionManager().getCXXThisRegion( 862 getContext().getCanonicalType(TE->getType()), 863 LCtx); 864 865 ProgramStateRef state = Pred->getState(); 866 SVal V = state->getSVal(loc::MemRegionVal(R)); 867 Bldr.generateNode(TE, Pred, state->BindExpr(TE, LCtx, V)); 868 } 869 870 void ExprEngine::VisitLambdaExpr(const LambdaExpr *LE, ExplodedNode *Pred, 871 ExplodedNodeSet &Dst) { 872 const LocationContext *LocCtxt = Pred->getLocationContext(); 873 874 // Get the region of the lambda itself. 875 const MemRegion *R = svalBuilder.getRegionManager().getCXXTempObjectRegion( 876 LE, LocCtxt); 877 SVal V = loc::MemRegionVal(R); 878 879 ProgramStateRef State = Pred->getState(); 880 881 // If we created a new MemRegion for the lambda, we should explicitly bind 882 // the captures. 883 CXXRecordDecl::field_iterator CurField = LE->getLambdaClass()->field_begin(); 884 for (LambdaExpr::const_capture_init_iterator i = LE->capture_init_begin(), 885 e = LE->capture_init_end(); 886 i != e; ++i, ++CurField) { 887 FieldDecl *FieldForCapture = *CurField; 888 SVal FieldLoc = State->getLValue(FieldForCapture, V); 889 890 SVal InitVal; 891 if (!FieldForCapture->hasCapturedVLAType()) { 892 Expr *InitExpr = *i; 893 assert(InitExpr && "Capture missing initialization expression"); 894 InitVal = State->getSVal(InitExpr, LocCtxt); 895 } else { 896 // The field stores the length of a captured variable-length array. 897 // These captures don't have initialization expressions; instead we 898 // get the length from the VLAType size expression. 899 Expr *SizeExpr = FieldForCapture->getCapturedVLAType()->getSizeExpr(); 900 InitVal = State->getSVal(SizeExpr, LocCtxt); 901 } 902 903 State = State->bindLoc(FieldLoc, InitVal, LocCtxt); 904 } 905 906 // Decay the Loc into an RValue, because there might be a 907 // MaterializeTemporaryExpr node above this one which expects the bound value 908 // to be an RValue. 909 SVal LambdaRVal = State->getSVal(R); 910 911 ExplodedNodeSet Tmp; 912 StmtNodeBuilder Bldr(Pred, Tmp, *currBldrCtx); 913 // FIXME: is this the right program point kind? 914 Bldr.generateNode(LE, Pred, 915 State->BindExpr(LE, LocCtxt, LambdaRVal), 916 nullptr, ProgramPoint::PostLValueKind); 917 918 // FIXME: Move all post/pre visits to ::Visit(). 919 getCheckerManager().runCheckersForPostStmt(Dst, Tmp, LE, *this); 920 } 921