clang: include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h Source File (original) (raw)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_EXPRENGINE_H
16#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_EXPRENGINE_H
17
37#include "llvm/ADT/ArrayRef.h"
38#include
39#include
40#include
41
43
44class AnalysisDeclContextManager;
45class AnalyzerOptions;
46class ASTContext;
47class CFGBlock;
48class CFGElement;
49class ConstructionContext;
50class CXXBindTemporaryExpr;
51class CXXCatchStmt;
52class CXXConstructExpr;
53class CXXDeleteExpr;
54class CXXNewExpr;
55class CXXThisExpr;
57class DeclStmt;
58class GCCAsmStmt;
60class LocationContext;
61class MaterializeTemporaryExpr;
62class MSAsmStmt;
63class NamedDecl;
64class ObjCAtSynchronizedStmt;
65class ObjCForCollectionStmt;
66class ObjCIvarRefExpr;
67class ObjCMessageExpr;
68class ReturnStmt;
69class Stmt;
70
71namespace cross_tu {
72
73class CrossTranslationUnitContext;
74
75}
76
77namespace ento {
78
79class AnalysisManager;
80class BasicValueFactory;
81class CallEvent;
82class CheckerManager;
83class ConstraintManager;
84class ExplodedNodeSet;
85class ExplodedNode;
86class IndirectGotoNodeBuilder;
87class MemRegion;
88class NodeBuilderContext;
89class NodeBuilderWithSinks;
90class ProgramState;
91class ProgramStateManager;
92class RegionAndSymbolInvalidationTraits;
93class SymbolManager;
94class SwitchNodeBuilder;
95
96
98
99
101
102
103
105
106
108
109
110
111
113
114
115
116
117
118
120
122};
123
125 void anchor();
126
127public:
128
130
132
133
136
137private:
139 bool IsCTUEnabled;
140
142
144
146
147
149
150
152
153
155
156
158
159
161
162 unsigned int currStmtIdx = 0;
164
165
166
168
169
170
171
173
174
175
177
178
180
181public:
185
187
188
193 }
194
195
197
199
202 }
203
206 }
207
209
211
214 return &CTU;
215 }
216
218 assert(currBldrCtx);
219 return *currBldrCtx;
220 }
221
223
226 return (*G.roots_begin())->getLocation().getLocationContext();
227 }
228
230 const CFGBlock *blockPtr = currBldrCtx ? currBldrCtx->getBlock() : nullptr;
231 return {blockPtr, currStmtIdx};
232 }
233
234
235
236
238
239
240
241
244
245
246 void ViewGraph(bool trim = false);
247
248
249
251
252
253
255
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
286 const Stmt *DiagnosticStmt = nullptr,
288
289
290
292
293
294
297
299
301
303
305
307
318
319
323
324
325
326
327
331 std::optional IterationsCompletedInLoop);
332
333
334
335
341
342
343
350
351
352
354
355
356
358
359
360
364
365
366
370
371
375
376
379
380
381
383
384
386
387
388
390 bool assumption);
391
392
393
401
407 }
408
409
412 unsigned int Space, bool IsDot) const;
413
415
417
420 }
421
422
425 }
426
429
431
432
436
438
439public:
440
441
443
444
447
448
452
453
456
457
460
461
464
465
468
469
472
473
474
477
478
481
482
485
486
489
490
493
494
497
500
501
504
505
508
509
512
513
516
517
520
521
522
525
528
529
532
533
536
537
540
541
544
545
549
553
556
559
562
565
567 const Stmt *S, bool IsBaseDtor,
570
574
577
580
581
585
586
587
589 const Expr *Ex);
590
592
593 static std::pair<const ProgramPointTag *, const ProgramPointTag *>
595
601
604
605public:
608 return svalBuilder.evalBinOp(ST, Op, LHS, RHS, T);
609 }
610
611
612 static std::optional
615
616
617 static std::optional
620
621
622 static std::optional
625
626
627
628
629 static std::optional
633
634
639
640
641
642
649
650private:
651
652
654 SVal location, SVal Val, bool atDeclInit = false,
656
661
662
663
667
668public:
669
670
671
672
673
674
676 const Expr *NodeEx,
677 const Expr *BoundExpr,
680 SVal location,
683
684
685
689
690
691
693 return (*currBldrCtx->getBlock())[currStmtIdx];
694 }
695
696
697
701
702
703
706
707
711
712
713
714
715
716
717
718
719
720
721
722
723
724
726 const NodeBuilderContext *BldrCtx,
729 EvalCallOptions &CallOpts,
730 unsigned Idx = 0);
731
732
733
734
735
736
740
741
742
747
749 CallOpts, Idx);
751
752 return std::make_pair(State, V);
753 }
754
755private:
760
762 const Stmt *NodeEx,
763 const Stmt *BoundEx,
766 SVal location,
767 bool isLoad);
768
769
771 bool &IsRecursive, unsigned &StackDepth);
772
773 enum CallInlinePolicy {
774 CIP_Allowed,
775 CIP_DisallowedOnce,
776 CIP_DisallowedAlways
777 };
778
779
780
781 CallInlinePolicy mayInlineCallKind(const CallEvent &Call,
782 const ExplodedNode *Pred,
784 const EvalCallOptions &CallOpts);
785
786
787
788
789
790
792
793
794
796
797
798
800
801
802
804
805
806 bool shouldInlineCall(const CallEvent &Call, const Decl *D,
807 const ExplodedNode *Pred,
808 const EvalCallOptions &CallOpts = {});
809
810
811
812 bool shouldInlineArrayConstruction(const ProgramStateRef State,
813 const CXXConstructExpr *CE,
814 const LocationContext *LCtx);
815
816
817
818
819 bool shouldInlineArrayDestruction(uint64_t Size);
820
821
822
823
824
825
826
827
828
829
830
831
832 std::pair<ProgramStateRef, uint64_t> prepareStateForArrayDestruction(
834 const QualType &ElementTy, const LocationContext *LCtx,
835 SVal *ElementCountVal = nullptr);
836
837
838
839 bool shouldRepeatCtorCall(ProgramStateRef State, const CXXConstructExpr *E,
840 const LocationContext *LCtx);
841
842 void inlineCall(WorkList *WList, const CallEvent &Call, const Decl *D,
843 NodeBuilder &Bldr, ExplodedNode *Pred, ProgramStateRef State);
844
845 void ctuBifurcate(const CallEvent &Call, const Decl *D, NodeBuilder &Bldr,
847
848
849 bool isSecondPhaseCTU() { return IsCTUEnabled && !Engine.getCTUWorkList(); }
850
851
852
853 void conservativeEvalCall(const CallEvent &Call, NodeBuilder &Bldr,
855
856
857
858 void BifurcateCall(const MemRegion *BifurReg,
859 const CallEvent &Call, const Decl *D, NodeBuilder &Bldr,
860 ExplodedNode *Pred);
861
862 bool replayWithoutInlining(ExplodedNode *P, const LocationContext *CalleeLC);
863
864
865
866 void performTrivialCopy(NodeBuilder &Bldr, ExplodedNode *Pred,
867 const CallEvent &Call);
868
869
870
871
872
873
874
875
876
877
878
881 const Expr *InitWithAdjustments, const Expr *Result = nullptr,
882 const SubRegion **OutRegionWithAdjustments = nullptr);
883
884
885
886
887
888
889
890
891
892 static SVal makeElementRegion(ProgramStateRef State, SVal LValue,
893 QualType &Ty, bool &IsArray, unsigned Idx = 0);
894
895
896
897 void handleConstructor(const Expr *E, ExplodedNode *Pred,
898 ExplodedNodeSet &Dst);
899
900public:
901
902
903
906 const ObjCForCollectionStmt *O,
907 const LocationContext *LC, bool HasMoreIteraton);
908
911 const LocationContext *LC);
912
914 const ObjCForCollectionStmt *O,
915 const LocationContext *LC);
916
917private:
918
919
921 setIndexOfElementToConstruct(ProgramStateRef State, const CXXConstructExpr *E,
922 const LocationContext *LCtx, unsigned Idx);
923
926 const CXXConstructExpr *E,
927 const LocationContext *LCtx);
928
929
930
932 const LocationContext *LCtx,
933 unsigned Idx);
934
937 const LocationContext *LCtx);
938
939
941 const CXXConstructExpr *E,
942 const LocationContext *LCtx,
943 unsigned Idx);
944
946 const CXXConstructExpr *E,
947 const LocationContext *LCtx);
948
950 removeStateTraitsUsedForArrayEvaluation(ProgramStateRef State,
951 const CXXConstructExpr *E,
952 const LocationContext *LCtx);
953
954
955
956
957
958
959
960
963 const ConstructionContextItem &Item,
964 const LocationContext *LC, SVal V);
965
966
967
970 const ConstructionContextItem &Item,
971 const LocationContext *LC);
972
973
974
975
977 const CXXBindTemporaryExpr *BTE,
978 const LocationContext *LC);
979
980
983 const CXXBindTemporaryExpr *BTE,
984 const LocationContext *LC);
985
986
987
988
990 const CXXBindTemporaryExpr *BTE,
991 const LocationContext *LC);
992
993
994
995
996
997 static bool areAllObjectsFullyConstructed(ProgramStateRef State,
998 const LocationContext *FromLC,
999 const LocationContext *ToLC);
1000};
1001
1002
1003
1004
1005
1007template <>
1011};
1012
1013}
1014
1015}
1016
1017#endif
BoundNodesTreeBuilder Nodes
enum clang::sema::@1727::IndirectLocalPathEntry::EntryKind Kind
Forward-declares and imports various common LLVM datatypes that clang wants to use unqualified.
C Language Family Type Representation.
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
AnalysisDeclContext contains the context data for the function, method or block under analysis.
Stores options for the analyzer from the command line.
Represents a loop initializing the elements of an array.
ArraySubscriptExpr - [C99 6.5.2.1] Array Subscripting.
AtomicExpr - Variadic atomic builtins: __atomic_exchange, __atomic_fetch_*, __atomic_load,...
A builtin binary operation expression such as "x + y" or "x <= y".
BlockExpr - Adaptor class for mixing a BlockDecl with expressions.
Represents C++ object destructor implicitly generated for automatic object or temporary bound to cons...
Represents C++ object destructor implicitly generated for base object in destructor.
Represents a single basic block in a source-level CFG.
ElementRefImpl< true > ConstCFGElementRef
Represents C++ object destructor generated from a call to delete.
Represents a top-level expression in a basic block.
Represents C++ object destructor implicitly generated by compiler on various occasions.
Represents C++ base or member initializer from constructor's initialization list.
Represents C++ object destructor implicitly generated for member object in destructor.
Represents C++ object destructor implicitly generated at the end of full expression for temporary obj...
Represents binding an expression to a temporary.
CXXCatchStmt - This represents a C++ catch block.
Represents a call to a C++ constructor.
Represents a delete expression for memory deallocation and destructor calls, e.g.
Represents a call to an inherited base class constructor from an inheriting constructor.
Represents a new-expression for memory allocation and constructor calls, e.g: "new CXXNewExpr(foo)".
Represents the this expression in C++.
Represents a point when we begin processing an inlined call.
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
CastExpr - Base class for type casts, including both implicit casts (ImplicitCastExpr) and explicit c...
CompoundLiteralExpr - [C99 6.5.2.5].
Represents a single point (AST node) in the program that requires attention during construction of an...
ConstructionContext's subclasses describe different ways of constructing an object in C++.
DeclStmt - Adaptor class for mixing declarations with statements and expressions.
Decl - This represents one declaration (or definition), e.g.
This represents one expression.
This represents a GCC inline-assembly statement extension.
Describes an C or C++ initializer list.
A C++ lambda expression, which produces a function object (of unspecified type) that can be invoked l...
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
const Decl * getDecl() const
virtual bool inTopFrame() const
This represents a Microsoft inline-assembly statement extension.
Represents a prvalue temporary that is written into memory so that a reference can bind to it.
MemberExpr - [C99 6.5.2.3] Structure and Union Members.
This represents a decl that may have a name.
Represents Objective-C's @synchronized statement.
Represents Objective-C's collection statement.
ObjCIvarRefExpr - A reference to an ObjC instance variable.
An expression that sends a message to the given Objective-C object or class.
OffsetOfExpr - [C99 7.17] - This represents an expression of the form offsetof(record-type,...
ProgramPoints can be "tagged" as representing points specific to a given analysis entity.
@ PreStmtPurgeDeadSymbolsKind
A (possibly-)qualified type.
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Stmt - This represents one statement.
UnaryExprOrTypeTraitExpr - expression with either a type or (unevaluated) expression operand.
UnaryOperator - This represents the unary-expression's (except sizeof and alignof),...
This class is used for tools that requires cross translation unit capability.
ASTContext & getASTContext() override
AnalysisDeclContextManager & getAnalysisDeclContextManager()
CheckerManager * getCheckerManager() const
BugReporter is a utility class for generating PathDiagnostics for analysis.
void setAnalysisEntryPoint(const Decl *EntryPoint)
Represents an abstract call to a function or method along a particular path.
CoreEngine - Implements the core logic of the graph-reachability analysis.
DataTag::Factory & getDataTags()
WorkList * getCTUWorkList() const
bool wasBlocksExhausted() const
WorkList * getWorkList() const
bool ExecuteWorkList(const LocationContext *L, unsigned Steps, ProgramStateRef InitState)
ExecuteWorkList - Run the worklist algorithm for a maximum number of steps.
bool hasWorkRemaining() const
roots_iterator roots_end()
roots_iterator roots_begin()
void processEndOfFunction(NodeBuilderContext &BC, ExplodedNode *Pred, const ReturnStmt *RS=nullptr)
Called by CoreEngine.
void VisitBinaryOperator(const BinaryOperator *B, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitBinaryOperator - Transfer function logic for binary operators.
ProgramStateManager & getStateManager()
void VisitArraySubscriptExpr(const ArraySubscriptExpr *Ex, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitArraySubscriptExpr - Transfer function for array accesses.
void VisitCommonDeclRefExpr(const Expr *DR, const NamedDecl *D, ExplodedNode *Pred, ExplodedNodeSet &Dst)
Transfer function logic for DeclRefExprs and BlockDeclRefExprs.
void ProcessInitializer(const CFGInitializer I, ExplodedNode *Pred)
void VisitObjCMessage(const ObjCMessageExpr *ME, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void ProcessTemporaryDtor(const CFGTemporaryDtor D, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void VisitGuardedExpr(const Expr *Ex, const Expr *L, const Expr *R, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitGuardedExpr - Transfer function logic for ?, __builtin_choose.
void processCallEnter(NodeBuilderContext &BC, CallEnter CE, ExplodedNode *Pred)
Generate the entry node of the callee.
void processBeginOfFunction(NodeBuilderContext &BC, ExplodedNode *Pred, ExplodedNodeSet &Dst, const BlockEdge &L)
Called by CoreEngine.
void VisitCast(const CastExpr *CastE, const Expr *Ex, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitCast - Transfer function logic for all casts (implicit and explicit).
void removeDead(ExplodedNode *Node, ExplodedNodeSet &Out, const Stmt *ReferenceStmt, const LocationContext *LC, const Stmt *DiagnosticStmt=nullptr, ProgramPoint::Kind K=ProgramPoint::PreStmtPurgeDeadSymbolsKind)
Run the analyzer's garbage collection - remove dead symbols and bindings from the state.
BasicValueFactory & getBasicVals()
void VisitLogicalExpr(const BinaryOperator *B, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitLogicalExpr - Transfer function logic for '&&', '||'.
std::pair< ProgramStateRef, SVal > handleConstructionContext(const Expr *E, ProgramStateRef State, const NodeBuilderContext *BldrCtx, const LocationContext *LCtx, const ConstructionContext *CC, EvalCallOptions &CallOpts, unsigned Idx=0)
A convenient wrapper around computeObjectUnderConstruction and updateObjectsUnderConstruction.
void VisitCXXDestructor(QualType ObjectType, const MemRegion *Dest, const Stmt *S, bool IsBaseDtor, ExplodedNode *Pred, ExplodedNodeSet &Dst, EvalCallOptions &Options)
void evalEagerlyAssumeBifurcation(ExplodedNodeSet &Dst, ExplodedNodeSet &Src, const Expr *Ex)
evalEagerlyAssumeBifurcation - Given the nodes in 'Src', eagerly assume concrete boolean values for '...
void VisitObjCAtSynchronizedStmt(const ObjCAtSynchronizedStmt *S, ExplodedNode *Pred, ExplodedNodeSet &Dst)
Transfer function logic for ObjCAtSynchronizedStmts.
void VisitReturnStmt(const ReturnStmt *R, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitReturnStmt - Transfer function logic for return statements.
const CoreEngine & getCoreEngine() const
SVal evalBinOp(ProgramStateRef ST, BinaryOperator::Opcode Op, SVal LHS, SVal RHS, QualType T)
void VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred, ExplodedNodeSet &Dst)
ProgramStateRef processRegionChange(ProgramStateRef state, const MemRegion *MR, const LocationContext *LCtx)
void VisitLambdaExpr(const LambdaExpr *LE, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitLambdaExpr - Transfer function logic for LambdaExprs.
void ProcessImplicitDtor(const CFGImplicitDtor D, ExplodedNode *Pred)
void VisitObjCForCollectionStmt(const ObjCForCollectionStmt *S, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitObjCForCollectionStmt - Transfer function logic for ObjCForCollectionStmt.
void VisitUnaryOperator(const UnaryOperator *B, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitUnaryOperator - Transfer function logic for unary operators.
ProgramStateRef getInitialState(const LocationContext *InitLoc)
getInitialState - Return the initial state used for the root vertex in the ExplodedGraph.
void VisitLvalObjCIvarRefExpr(const ObjCIvarRefExpr *DR, ExplodedNode *Pred, ExplodedNodeSet &Dst)
Transfer function logic for computing the lvalue of an Objective-C ivar.
static bool hasMoreIteration(ProgramStateRef State, const ObjCForCollectionStmt *O, const LocationContext *LC)
void VisitDeclStmt(const DeclStmt *DS, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitDeclStmt - Transfer function logic for DeclStmts.
void processCallExit(ExplodedNode *Pred)
Generate the sequence of nodes that simulate the call exit and the post visit for CallExpr.
ProgramStateRef handleLValueBitCast(ProgramStateRef state, const Expr *Ex, const LocationContext *LCtx, QualType T, QualType ExTy, const CastExpr *CastE, StmtNodeBuilder &Bldr, ExplodedNode *Pred)
void VisitMSAsmStmt(const MSAsmStmt *A, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitMSAsmStmt - Transfer function logic for MS inline asm.
static std::optional< SVal > getObjectUnderConstruction(ProgramStateRef State, const ConstructionContextItem &Item, const LocationContext *LC)
By looking at a certain item that may be potentially part of an object's ConstructionContext,...
CFGElement getCurrentCFGElement()
Return the CFG element corresponding to the worklist element that is currently being processed by Exp...
std::string DumpGraph(bool trim=false, StringRef Filename="")
Dump graph to the specified filename.
bool hasWorkRemaining() const
void printJson(raw_ostream &Out, ProgramStateRef State, const LocationContext *LCtx, const char *NL, unsigned int Space, bool IsDot) const
printJson - Called by ProgramStateManager to print checker-specific data.
virtual ~ExprEngine()=default
InliningModes
The modes of inlining, which override the default analysis-wide settings.
@ Inline_Minimal
Do minimal inlining of callees.
@ Inline_Regular
Follow the default settings for inlining callees.
ProgramStateRef processPointerEscapedOnBind(ProgramStateRef State, ArrayRef< std::pair< SVal, SVal > > LocAndVals, const LocationContext *LCtx, PointerEscapeKind Kind, const CallEvent *Call)
Call PointerEscape callback when a value escapes as a result of bind.
SVal computeObjectUnderConstruction(const Expr *E, ProgramStateRef State, const NodeBuilderContext *BldrCtx, const LocationContext *LCtx, const ConstructionContext *CC, EvalCallOptions &CallOpts, unsigned Idx=0)
Find location of the object that is being constructed by a given constructor.
const LocationContext * getRootLocationContext() const
static ProgramStateRef removeIterationState(ProgramStateRef State, const ObjCForCollectionStmt *O, const LocationContext *LC)
const ExplodedGraph & getGraph() const
ProgramStateRef processAssume(ProgramStateRef state, SVal cond, bool assumption)
evalAssume - Callback function invoked by the ConstraintManager when making assumptions about state v...
AnalysisDeclContextManager & getAnalysisDeclContextManager()
static std::optional< unsigned > getIndexOfElementToConstruct(ProgramStateRef State, const CXXConstructExpr *E, const LocationContext *LCtx)
Retreives which element is being constructed in a non-POD type array.
void VisitBlockExpr(const BlockExpr *BE, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitBlockExpr - Transfer function logic for BlockExprs.
void ProcessBaseDtor(const CFGBaseDtor D, ExplodedNode *Pred, ExplodedNodeSet &Dst)
static std::pair< const ProgramPointTag *, const ProgramPointTag * > getEagerlyAssumeBifurcationTags()
void VisitIncrementDecrementOperator(const UnaryOperator *U, ExplodedNode *Pred, ExplodedNodeSet &Dst)
Handle ++ and – (both pre- and post-increment).
void VisitCallExpr(const CallExpr *CE, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitCall - Transfer function for function calls.
ASTContext & getContext() const
getContext - Return the ASTContext associated with this analysis.
StoreManager & getStoreManager()
void VisitCXXNewAllocatorCall(const CXXNewExpr *CNE, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void CreateCXXTemporaryObject(const MaterializeTemporaryExpr *ME, ExplodedNode *Pred, ExplodedNodeSet &Dst)
Create a C++ temporary object for an rvalue.
CFGBlock::ConstCFGElementRef getCFGElementRef() const
void evalCall(ExplodedNodeSet &Dst, ExplodedNode *Pred, const CallEvent &Call)
Evaluate a call, running pre- and post-call checkers and allowing checkers to be responsible for hand...
void VisitGCCAsmStmt(const GCCAsmStmt *A, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitGCCAsmStmt - Transfer function logic for inline asm.
BugReporter & getBugReporter()
void processCFGBlockEntrance(const BlockEdge &L, NodeBuilderWithSinks &nodeBuilder, ExplodedNode *Pred)
Called by CoreEngine when processing the entrance of a CFGBlock.
void VisitInitListExpr(const InitListExpr *E, ExplodedNode *Pred, ExplodedNodeSet &Dst)
bool hasEmptyWorkList() const
ProgramStateRef processRegionChanges(ProgramStateRef state, const InvalidatedSymbols *invalidated, ArrayRef< const MemRegion * > ExplicitRegions, ArrayRef< const MemRegion * > Regions, const LocationContext *LCtx, const CallEvent *Call)
processRegionChanges - Called by ProgramStateManager whenever a change is made to the store.
void ProcessStmt(const Stmt *S, ExplodedNode *Pred)
void ViewGraph(bool trim=false)
Visualize the ExplodedGraph created by executing the simulation.
static std::optional< unsigned > getPendingArrayDestruction(ProgramStateRef State, const LocationContext *LCtx)
Retreives which element is being destructed in a non-POD type array.
ProgramStateRef notifyCheckersOfPointerEscape(ProgramStateRef State, const InvalidatedSymbols *Invalidated, ArrayRef< const MemRegion * > ExplicitRegions, const CallEvent *Call, RegionAndSymbolInvalidationTraits &ITraits)
Call PointerEscape callback when a value escapes as a result of region invalidation.
static const ProgramPointTag * cleanupNodeTag()
A tag to track convenience transitions, which can be removed at cleanup.
void processCFGElement(const CFGElement E, ExplodedNode *Pred, unsigned StmtIdx, NodeBuilderContext *Ctx)
processCFGElement - Called by CoreEngine.
void processStaticInitializer(const DeclStmt *DS, NodeBuilderContext &BuilderCtx, ExplodedNode *Pred, ExplodedNodeSet &Dst, const CFGBlock *DstT, const CFGBlock *DstF)
Called by CoreEngine.
void VisitUnaryExprOrTypeTraitExpr(const UnaryExprOrTypeTraitExpr *Ex, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitUnaryExprOrTypeTraitExpr - Transfer function for sizeof.
cross_tu::CrossTranslationUnitContext * getCrossTranslationUnitContext()
void processBranch(const Stmt *Condition, NodeBuilderContext &BuilderCtx, ExplodedNode *Pred, ExplodedNodeSet &Dst, const CFGBlock *DstT, const CFGBlock *DstF, std::optional< unsigned > IterationsCompletedInLoop)
ProcessBranch - Called by CoreEngine.
void ProcessLoopExit(const Stmt *S, ExplodedNode *Pred)
void processSwitch(SwitchNodeBuilder &builder)
ProcessSwitch - Called by CoreEngine.
void processEndWorklist()
Called by CoreEngine when the analysis worklist has terminated.
CheckerManager & getCheckerManager() const
SymbolManager & getSymbolManager()
void VisitAtomicExpr(const AtomicExpr *E, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitAtomicExpr - Transfer function for builtin atomic expressions.
bool wasBlocksExhausted() const
MemRegionManager & getRegionManager()
ProgramStateRef bindReturnValue(const CallEvent &Call, const LocationContext *LCtx, ProgramStateRef State)
Create a new state in which the call return value is binded to the call origin expression.
void ProcessMemberDtor(const CFGMemberDtor D, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void VisitCXXThisExpr(const CXXThisExpr *TE, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void VisitCXXDeleteExpr(const CXXDeleteExpr *CDE, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void VisitMemberExpr(const MemberExpr *M, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitMemberExpr - Transfer function for member expressions.
void VisitCXXConstructExpr(const CXXConstructExpr *E, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void VisitCXXInheritedCtorInitExpr(const CXXInheritedCtorInitExpr *E, ExplodedNode *Pred, ExplodedNodeSet &Dst)
bool didEagerlyAssumeBifurcateAt(ProgramStateRef State, const Expr *Ex) const
ConstraintManager & getConstraintManager()
DataTag::Factory & getDataTags()
void processCleanupTemporaryBranch(const CXXBindTemporaryExpr *BTE, NodeBuilderContext &BldCtx, ExplodedNode *Pred, ExplodedNodeSet &Dst, const CFGBlock *DstT, const CFGBlock *DstF)
Called by CoreEngine.
void ProcessAutomaticObjDtor(const CFGAutomaticObjDtor D, ExplodedNode *Pred, ExplodedNodeSet &Dst)
const Stmt * getStmt() const
void VisitOffsetOfExpr(const OffsetOfExpr *Ex, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitOffsetOfExpr - Transfer function for offsetof.
void evalLoad(ExplodedNodeSet &Dst, const Expr *NodeEx, const Expr *BoundExpr, ExplodedNode *Pred, ProgramStateRef St, SVal location, const ProgramPointTag *tag=nullptr, QualType LoadTy=QualType())
Simulate a read of the result of Ex.
void handleUOExtension(ExplodedNode *N, const UnaryOperator *U, StmtNodeBuilder &Bldr)
void removeDeadOnEndOfFunction(NodeBuilderContext &BC, ExplodedNode *Pred, ExplodedNodeSet &Dst)
Remove dead bindings/symbols before exiting a function.
void Visit(const Stmt *S, ExplodedNode *Pred, ExplodedNodeSet &Dst)
Visit - Transfer function logic for all statements.
void defaultEvalCall(NodeBuilder &B, ExplodedNode *Pred, const CallEvent &Call, const EvalCallOptions &CallOpts={})
Default implementation of call evaluation.
AnalysisManager & getAnalysisManager()
ExplodedGraph & getGraph()
void ProcessDeleteDtor(const CFGDeleteDtor D, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void VisitCXXCatchStmt(const CXXCatchStmt *CS, ExplodedNode *Pred, ExplodedNodeSet &Dst)
void VisitCompoundLiteralExpr(const CompoundLiteralExpr *CL, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitCompoundLiteralExpr - Transfer function logic for compound literals.
SValBuilder & getSValBuilder()
void VisitArrayInitLoopExpr(const ArrayInitLoopExpr *Ex, ExplodedNode *Pred, ExplodedNodeSet &Dst)
VisitArrayInitLoopExpr - Transfer function for array init loop.
ProgramStateRef updateObjectsUnderConstruction(SVal V, const Expr *E, ProgramStateRef State, const LocationContext *LCtx, const ConstructionContext *CC, const EvalCallOptions &CallOpts)
Update the program state with all the path-sensitive information that's necessary to perform construc...
bool ExecuteWorkList(const LocationContext *L, unsigned Steps=150000)
Returns true if there is still simulation state on the worklist.
void evalStore(ExplodedNodeSet &Dst, const Expr *AssignE, const Expr *StoreE, ExplodedNode *Pred, ProgramStateRef St, SVal TargetLV, SVal Val, const ProgramPointTag *tag=nullptr)
evalStore - Handle the semantics of a store via an assignment.
void VisitCXXBindTemporaryExpr(const CXXBindTemporaryExpr *BTE, ExplodedNodeSet &PreVisit, ExplodedNodeSet &Dst)
void processIndirectGoto(IndirectGotoNodeBuilder &builder)
processIndirectGoto - Called by CoreEngine.
const NodeBuilderContext & getBuilderContext()
static ProgramStateRef setWhetherHasMoreIteration(ProgramStateRef State, const ObjCForCollectionStmt *O, const LocationContext *LC, bool HasMoreIteraton)
Note whether this loop has any more iteratios to model.
static std::optional< unsigned > getPendingInitLoop(ProgramStateRef State, const CXXConstructExpr *E, const LocationContext *LCtx)
Retreives the size of the array in the pending ArrayInitLoopExpr.
void ProcessNewAllocator(const CXXNewExpr *NE, ExplodedNode *Pred)
MemRegion - The root abstract class for all memory regions.
const CFGBlock * getBlock() const
Return the CFGBlock associated with this builder.
This node builder keeps track of the generated sink nodes.
This is the simplest builder which generates nodes in the ExplodedGraph.
GRBugReporter is used for generating path-sensitive reports.
BasicValueFactory & getBasicVals()
StoreManager & getStoreManager()
ConstraintManager & getConstraintManager()
Information about invalidation for a particular region/symbol.
SVal evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op, SVal lhs, SVal rhs, QualType type)
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
This builder class is useful for generating nodes that resulted from visiting a statement.
virtual bool hasWork() const =0
@ Decl
The l-value was an access to a declared entity or something equivalently strong, like the address of ...
llvm::DenseSet< const Decl * > SetOfConstDecls
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
llvm::DenseSet< SymbolRef > InvalidatedSymbols
The JSON file list parser is used to communicate input to InstallAPI.
@ Result
The result type of a method or function.
const FunctionProtoType * T
Hints for figuring out of a call should be inlined during evalCall().
bool IsTemporaryLifetimeExtendedViaAggregate
This call is a constructor for a temporary that is lifetime-extended by binding it to a reference-typ...
bool IsTemporaryCtorOrDtor
This call is a constructor or a destructor of a temporary value.
bool IsArrayCtorOrDtor
This call is a constructor or a destructor for a single element within an array, a part of array cons...
bool IsElidableCtorThatHasNotBeenElided
This call is a pre-C++17 elidable constructor that we failed to elide because we failed to compute th...
bool IsCtorOrDtorWithImproperlyModeledTargetRegion
This call is a constructor or a destructor for which we do not currently compute the this-region corr...
Traits for storing the call processing policy inside GDM.