Coverage Report

Created: 2019-07-24 05:18

/Users/buildslave/jenkins/workspace/clang-stage2-coverage-R/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
Line
Count
Source (jump to first uncovered line)
1
//===- CallEvent.h - Wrapper for all function and method calls --*- C++ -*-===//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
/// \file This file defines CallEvent and its subclasses, which represent path-
10
/// sensitive instances of different kinds of function and method calls
11
/// (C, C++, and Objective-C).
12
//
13
//===----------------------------------------------------------------------===//
14
15
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_CALLEVENT_H
16
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_CALLEVENT_H
17
18
#include "clang/AST/Decl.h"
19
#include "clang/AST/DeclBase.h"
20
#include "clang/AST/DeclCXX.h"
21
#include "clang/AST/DeclObjC.h"
22
#include "clang/AST/Expr.h"
23
#include "clang/AST/ExprCXX.h"
24
#include "clang/AST/ExprObjC.h"
25
#include "clang/AST/Stmt.h"
26
#include "clang/AST/Type.h"
27
#include "clang/Basic/IdentifierTable.h"
28
#include "clang/Basic/LLVM.h"
29
#include "clang/Basic/SourceLocation.h"
30
#include "clang/Basic/SourceManager.h"
31
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
32
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
33
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
34
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
35
#include "llvm/ADT/ArrayRef.h"
36
#include "llvm/ADT/IntrusiveRefCntPtr.h"
37
#include "llvm/ADT/PointerIntPair.h"
38
#include "llvm/ADT/PointerUnion.h"
39
#include "llvm/ADT/STLExtras.h"
40
#include "llvm/ADT/SmallVector.h"
41
#include "llvm/ADT/StringRef.h"
42
#include "llvm/Support/Allocator.h"
43
#include "llvm/Support/Casting.h"
44
#include "llvm/Support/ErrorHandling.h"
45
#include <cassert>
46
#include <limits>
47
#include <utility>
48
49
namespace clang {
50
51
class LocationContext;
52
class ProgramPoint;
53
class ProgramPointTag;
54
class StackFrameContext;
55
56
namespace ento {
57
58
enum CallEventKind {
59
  CE_Function,
60
  CE_CXXMember,
61
  CE_CXXMemberOperator,
62
  CE_CXXDestructor,
63
  CE_BEG_CXX_INSTANCE_CALLS = CE_CXXMember,
64
  CE_END_CXX_INSTANCE_CALLS = CE_CXXDestructor,
65
  CE_CXXConstructor,
66
  CE_CXXAllocator,
67
  CE_BEG_FUNCTION_CALLS = CE_Function,
68
  CE_END_FUNCTION_CALLS = CE_CXXAllocator,
69
  CE_Block,
70
  CE_ObjCMessage
71
};
72
73
class CallEvent;
74
class CallDescription;
75
76
template<typename T = CallEvent>
77
class CallEventRef : public IntrusiveRefCntPtr<const T> {
78
public:
79
916k
  CallEventRef(const T *Call) : IntrusiveRefCntPtr<const T>(Call) {}
clang::ento::CallEventRef<clang::ento::ObjCMethodCall>::CallEventRef(clang::ento::ObjCMethodCall const*)
Line
Count
Source
79
27.2k
  CallEventRef(const T *Call) : IntrusiveRefCntPtr<const T>(Call) {}
clang::ento::CallEventRef<clang::ento::CXXConstructorCall>::CallEventRef(clang::ento::CXXConstructorCall const*)
Line
Count
Source
79
35.0k
  CallEventRef(const T *Call) : IntrusiveRefCntPtr<const T>(Call) {}
clang::ento::CallEventRef<clang::ento::CXXDestructorCall>::CallEventRef(clang::ento::CXXDestructorCall const*)
Line
Count
Source
79
2.69k
  CallEventRef(const T *Call) : IntrusiveRefCntPtr<const T>(Call) {}
clang::ento::CallEventRef<clang::ento::CXXAllocatorCall>::CallEventRef(clang::ento::CXXAllocatorCall const*)
Line
Count
Source
79
2.81k
  CallEventRef(const T *Call) : IntrusiveRefCntPtr<const T>(Call) {}
clang::ento::CallEventRef<clang::ento::CallEvent>::CallEventRef(clang::ento::CallEvent const*)
Line
Count
Source
79
849k
  CallEventRef(const T *Call) : IntrusiveRefCntPtr<const T>(Call) {}
80
66.3k
  CallEventRef(const CallEventRef &Orig) : IntrusiveRefCntPtr<const T>(Orig) {}
81
82
41.0k
  CallEventRef<T> cloneWithState(ProgramStateRef State) const {
83
41.0k
    return this->get()->template cloneWithState<T>(State);
84
41.0k
  }
clang::ento::CallEventRef<clang::ento::CallEvent>::cloneWithState(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) const
Line
Count
Source
82
37.1k
  CallEventRef<T> cloneWithState(ProgramStateRef State) const {
83
37.1k
    return this->get()->template cloneWithState<T>(State);
84
37.1k
  }
clang::ento::CallEventRef<clang::ento::ObjCMethodCall>::cloneWithState(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) const
Line
Count
Source
82
3.89k
  CallEventRef<T> cloneWithState(ProgramStateRef State) const {
83
3.89k
    return this->get()->template cloneWithState<T>(State);
84
3.89k
  }
85
86
  // Allow implicit conversions to a superclass type, since CallEventRef
87
  // behaves like a pointer-to-const.
88
  template <typename SuperT>
89
18.7k
  operator CallEventRef<SuperT> () const {
90
18.7k
    return this->get();
91
18.7k
  }
clang::ento::CallEventRef<clang::ento::CXXConstructorCall>::operator clang::ento::CallEventRef<clang::ento::CallEvent><clang::ento::CallEvent>() const
Line
Count
Source
89
15.1k
  operator CallEventRef<SuperT> () const {
90
15.1k
    return this->get();
91
15.1k
  }
clang::ento::CallEventRef<clang::ento::CXXDestructorCall>::operator clang::ento::CallEventRef<clang::ento::CallEvent><clang::ento::CallEvent>() const
Line
Count
Source
89
1.38k
  operator CallEventRef<SuperT> () const {
90
1.38k
    return this->get();
91
1.38k
  }
clang::ento::CallEventRef<clang::ento::CXXAllocatorCall>::operator clang::ento::CallEventRef<clang::ento::CallEvent><clang::ento::CallEvent>() const
Line
Count
Source
89
741
  operator CallEventRef<SuperT> () const {
90
741
    return this->get();
91
741
  }
clang::ento::CallEventRef<clang::ento::ObjCMethodCall>::operator clang::ento::CallEventRef<clang::ento::CallEvent><clang::ento::CallEvent>() const
Line
Count
Source
89
1.46k
  operator CallEventRef<SuperT> () const {
90
1.46k
    return this->get();
91
1.46k
  }
92
};
93
94
/// \class RuntimeDefinition
95
/// Defines the runtime definition of the called function.
96
///
97
/// Encapsulates the information we have about which Decl will be used
98
/// when the call is executed on the given path. When dealing with dynamic
99
/// dispatch, the information is based on DynamicTypeInfo and might not be
100
/// precise.
101
class RuntimeDefinition {
102
  /// The Declaration of the function which could be called at runtime.
103
  /// NULL if not available.
104
  const Decl *D = nullptr;
105
106
  /// The region representing an object (ObjC/C++) on which the method is
107
  /// called. With dynamic dispatch, the method definition depends on the
108
  /// runtime type of this object. NULL when the DynamicTypeInfo is
109
  /// precise.
110
  const MemRegion *R = nullptr;
111
112
public:
113
31.9k
  RuntimeDefinition() = default;
114
34.7k
  RuntimeDefinition(const Decl *InD): D(InD) {}
115
2.68k
  RuntimeDefinition(const Decl *InD, const MemRegion *InR): D(InD), R(InR) {}
116
117
71.1k
  const Decl *getDecl() { return D; }
118
119
  /// Check if the definition we have is precise.
120
  /// If not, it is possible that the call dispatches to another definition at
121
  /// execution time.
122
32.2k
  bool mayHaveOtherDefinitions() { return R != nullptr; }
123
124
  /// When other definitions are possible, returns the region whose runtime type
125
  /// determines the method definition.
126
17
  const MemRegion *getDispatchRegion() { return R; }
127
};
128
129
/// Represents an abstract call to a function or method along a
130
/// particular path.
131
///
132
/// CallEvents are created through the factory methods of CallEventManager.
133
///
134
/// CallEvents should always be cheap to create and destroy. In order for
135
/// CallEventManager to be able to re-use CallEvent-sized memory blocks,
136
/// subclasses of CallEvent may not add any data members to the base class.
137
/// Use the "Data" and "Location" fields instead.
138
class CallEvent {
139
public:
140
  using Kind = CallEventKind;
141
142
private:
143
  ProgramStateRef State;
144
  const LocationContext *LCtx;
145
  llvm::PointerUnion<const Expr *, const Decl *> Origin;
146
147
protected:
148
  // This is user data for subclasses.
149
  const void *Data;
150
151
  // This is user data for subclasses.
152
  // This should come right before RefCount, so that the two fields can be
153
  // packed together on LP64 platforms.
154
  SourceLocation Location;
155
156
private:
157
  template <typename T> friend struct llvm::IntrusiveRefCntPtrInfo;
158
159
  mutable unsigned RefCount = 0;
160
161
968k
  void Retain() const { ++RefCount; }
162
  void Release() const;
163
164
protected:
165
  friend class CallEventManager;
166
167
  CallEvent(const Expr *E, ProgramStateRef state, const LocationContext *lctx)
168
169k
      : State(std::move(state)), LCtx(lctx), Origin(E) {}
169
170
  CallEvent(const Decl *D, ProgramStateRef state, const LocationContext *lctx)
171
2.69k
      : State(std::move(state)), LCtx(lctx), Origin(D) {}
172
173
  // DO NOT MAKE PUBLIC
174
  CallEvent(const CallEvent &Original)
175
      : State(Original.State), LCtx(Original.LCtx), Origin(Original.Origin),
176
175k
        Data(Original.Data), Location(Original.Location) {}
177
178
  /// Copies this CallEvent, with vtable intact, into a new block of memory.
179
  virtual void cloneTo(void *Dest) const = 0;
180
181
  /// Get the value of arbitrary expressions at this point in the path.
182
315k
  SVal getSVal(const Stmt *S) const {
183
315k
    return getState()->getSVal(S, getLocationContext());
184
315k
  }
185
186
  using ValueList = SmallVectorImpl<SVal>;
187
188
  /// Used to specify non-argument regions that will be invalidated as a
189
  /// result of this call.
190
  virtual void getExtraInvalidatedValues(ValueList &Values,
191
19.2k
                 RegionAndSymbolInvalidationTraits *ETraits) const {}
192
193
public:
194
  CallEvent &operator=(const CallEvent &) = delete;
195
347k
  virtual ~CallEvent() = default;
196
197
  /// Returns the kind of call this is.
198
  virtual Kind getKind() const = 0;
199
200
  /// Returns the declaration of the function or method that will be
201
  /// called. May be null.
202
32.1k
  virtual const Decl *getDecl() const {
203
32.1k
    return Origin.dyn_cast<const Decl *>();
204
32.1k
  }
205
206
  /// The state in which the call is being evaluated.
207
506k
  const ProgramStateRef &getState() const {
208
506k
    return State;
209
506k
  }
210
211
  /// The context in which the call is being evaluated.
212
1.18M
  const LocationContext *getLocationContext() const {
213
1.18M
    return LCtx;
214
1.18M
  }
215
216
  /// Returns the definition of the function or method that will be
217
  /// called.
218
  virtual RuntimeDefinition getRuntimeDefinition() const = 0;
219
220
  /// Returns the expression whose value will be the result of this call.
221
  /// May be null.
222
4.31M
  const Expr *getOriginExpr() const {
223
4.31M
    return Origin.dyn_cast<const Expr *>();
224
4.31M
  }
225
226
  /// Returns the number of arguments (explicit and implicit).
227
  ///
228
  /// Note that this may be greater than the number of parameters in the
229
  /// callee's declaration, and that it may include arguments not written in
230
  /// the source.
231
  virtual unsigned getNumArgs() const = 0;
232
233
  /// Returns true if the callee is known to be from a system header.
234
31.7k
  bool isInSystemHeader() const {
235
31.7k
    const Decl *D = getDecl();
236
31.7k
    if (!D)
237
74
      return false;
238
31.6k
239
31.6k
    SourceLocation Loc = D->getLocation();
240
31.6k
    if (Loc.isValid()) {
241
30.9k
      const SourceManager &SM =
242
30.9k
        getState()->getStateManager().getContext().getSourceManager();
243
30.9k
      return SM.isInSystemHeader(D->getLocation());
244
30.9k
    }
245
689
246
689
    // Special case for implicitly-declared global operator new/delete.
247
689
    // These should be considered system functions.
248
689
    if (const auto *FD = dyn_cast<FunctionDecl>(D))
249
689
      return FD->isOverloadedOperator() && 
FD->isImplicit()688
&&
FD->isGlobal()688
;
250
0
251
0
    return false;
252
0
  }
253
254
  /// Returns true if the CallEvent is a call to a function that matches
255
  /// the CallDescription.
256
  ///
257
  /// Note that this function is not intended to be used to match Obj-C method
258
  /// calls.
259
  bool isCalled(const CallDescription &CD) const;
260
261
  /// Returns a source range for the entire call, suitable for
262
  /// outputting in diagnostics.
263
68
  virtual SourceRange getSourceRange() const {
264
68
    return getOriginExpr()->getSourceRange();
265
68
  }
266
267
  /// Returns the value of a given argument at the time of the call.
268
  virtual SVal getArgSVal(unsigned Index) const;
269
270
  /// Returns the expression associated with a given argument.
271
  /// May be null if this expression does not appear in the source.
272
0
  virtual const Expr *getArgExpr(unsigned Index) const { return nullptr; }
273
274
  /// Returns the source range for errors associated with this argument.
275
  ///
276
  /// May be invalid if the argument is not written in the source.
277
  virtual SourceRange getArgSourceRange(unsigned Index) const;
278
279
  /// Returns the result type, adjusted for references.
280
  QualType getResultType() const;
281
282
  /// Returns the return value of the call.
283
  ///
284
  /// This should only be called if the CallEvent was created using a state in
285
  /// which the return value has already been bound to the origin expression.
286
  SVal getReturnValue() const;
287
288
  /// Returns true if the type of any of the non-null arguments satisfies
289
  /// the condition.
290
  bool hasNonNullArgumentsWithType(bool (*Condition)(QualType)) const;
291
292
  /// Returns true if any of the arguments appear to represent callbacks.
293
  bool hasNonZeroCallbackArg() const;
294
295
  /// Returns true if any of the arguments is void*.
296
  bool hasVoidPointerToNonConstArg() const;
297
298
  /// Returns true if any of the arguments are known to escape to long-
299
  /// term storage, even if this method will not modify them.
300
  // NOTE: The exact semantics of this are still being defined!
301
  // We don't really want a list of hardcoded exceptions in the long run,
302
  // but we don't want duplicated lists of known APIs in the short term either.
303
27.0k
  virtual bool argumentsMayEscape() const {
304
27.0k
    return hasNonZeroCallbackArg();
305
27.0k
  }
306
307
  /// Returns true if the callee is an externally-visible function in the
308
  /// top-level namespace, such as \c malloc.
309
  ///
310
  /// You can use this call to determine that a particular function really is
311
  /// a library function and not, say, a C++ member function with the same name.
312
  ///
313
  /// If a name is provided, the function must additionally match the given
314
  /// name.
315
  ///
316
  /// Note that this deliberately excludes C++ library functions in the \c std
317
  /// namespace, but will include C library functions accessed through the
318
  /// \c std namespace. This also does not check if the function is declared
319
  /// as 'extern "C"', or if it uses C++ name mangling.
320
  // FIXME: Add a helper for checking namespaces.
321
  // FIXME: Move this down to AnyFunctionCall once checkers have more
322
  // precise callbacks.
323
  bool isGlobalCFunction(StringRef SpecificName = StringRef()) const;
324
325
  /// Returns the name of the callee, if its name is a simple identifier.
326
  ///
327
  /// Note that this will fail for Objective-C methods, blocks, and C++
328
  /// overloaded operators. The former is named by a Selector rather than a
329
  /// simple identifier, and the latter two do not have names.
330
  // FIXME: Move this down to AnyFunctionCall once checkers have more
331
  // precise callbacks.
332
374k
  const IdentifierInfo *getCalleeIdentifier() const {
333
374k
    const auto *ND = dyn_cast_or_null<NamedDecl>(getDecl());
334
374k
    if (!ND)
335
3
      return nullptr;
336
374k
    return ND->getIdentifier();
337
374k
  }
338
339
  /// Returns an appropriate ProgramPoint for this call.
340
  ProgramPoint getProgramPoint(bool IsPreVisit = false,
341
                               const ProgramPointTag *Tag = nullptr) const;
342
343
  /// Returns a new state with all argument regions invalidated.
344
  ///
345
  /// This accepts an alternate state in case some processing has already
346
  /// occurred.
347
  ProgramStateRef invalidateRegions(unsigned BlockCount,
348
                                    ProgramStateRef Orig = nullptr) const;
349
350
  using FrameBindingTy = std::pair<Loc, SVal>;
351
  using BindingsTy = SmallVectorImpl<FrameBindingTy>;
352
353
  /// Populates the given SmallVector with the bindings in the callee's stack
354
  /// frame at the start of this call.
355
  virtual void getInitialStackFrameContents(const StackFrameContext *CalleeCtx,
356
                                            BindingsTy &Bindings) const = 0;
357
358
  /// Returns a copy of this CallEvent, but using the given state.
359
  template <typename T>
360
  CallEventRef<T> cloneWithState(ProgramStateRef NewState) const;
361
362
  /// Returns a copy of this CallEvent, but using the given state.
363
652k
  CallEventRef<> cloneWithState(ProgramStateRef NewState) const {
364
652k
    return cloneWithState<CallEvent>(NewState);
365
652k
  }
366
367
  /// Returns true if this is a statement is a function or method call
368
  /// of some kind.
369
  static bool isCallStmt(const Stmt *S);
370
371
  /// Returns the result type of a function or method declaration.
372
  ///
373
  /// This will return a null QualType if the result type cannot be determined.
374
  static QualType getDeclaredResultType(const Decl *D);
375
376
  /// Returns true if the given decl is known to be variadic.
377
  ///
378
  /// \p D must not be null.
379
  static bool isVariadic(const Decl *D);
380
381
  /// Returns AnalysisDeclContext for the callee stack frame.
382
  /// Currently may fail; returns null on failure.
383
  AnalysisDeclContext *getCalleeAnalysisDeclContext() const;
384
385
  /// Returns the callee stack frame. That stack frame will only be entered
386
  /// during analysis if the call is inlined, but it may still be useful
387
  /// in intermediate calculations even if the call isn't inlined.
388
  /// May fail; returns null on failure.
389
  const StackFrameContext *getCalleeStackFrame() const;
390
391
  /// Returns memory location for a parameter variable within the callee stack
392
  /// frame. May fail; returns null on failure.
393
  const VarRegion *getParameterLocation(unsigned Index) const;
394
395
  /// Returns true if on the current path, the argument was constructed by
396
  /// calling a C++ constructor over it. This is an internal detail of the
397
  /// analysis which doesn't necessarily represent the program semantics:
398
  /// if we are supposed to construct an argument directly, we may still
399
  /// not do that because we don't know how (i.e., construction context is
400
  /// unavailable in the CFG or not supported by the analyzer).
401
45.1k
  bool isArgumentConstructedDirectly(unsigned Index) const {
402
45.1k
    // This assumes that the object was not yet removed from the state.
403
45.1k
    return ExprEngine::getObjectUnderConstruction(
404
45.1k
        getState(), {getOriginExpr(), Index}, getLocationContext()).hasValue();
405
45.1k
  }
406
407
  /// Some calls have parameter numbering mismatched from argument numbering.
408
  /// This function converts an argument index to the corresponding
409
  /// parameter index. Returns None is the argument doesn't correspond
410
  /// to any parameter variable.
411
  virtual Optional<unsigned>
412
892
  getAdjustedParameterIndex(unsigned ASTArgumentIndex) const {
413
892
    return ASTArgumentIndex;
414
892
  }
415
416
  /// Some call event sub-classes conveniently adjust mismatching AST indices
417
  /// to match parameter indices. This function converts an argument index
418
  /// as understood by CallEvent to the argument index as understood by the AST.
419
71.1k
  virtual unsigned getASTArgumentIndex(unsigned CallArgumentIndex) const {
420
71.1k
    return CallArgumentIndex;
421
71.1k
  }
422
423
  // Iterator access to formal parameters and their types.
424
private:
425
  struct GetTypeFn {
426
64.8k
    QualType operator()(ParmVarDecl *PD) const { return PD->getType(); }
427
  };
428
429
public:
430
  /// Return call's formal parameters.
431
  ///
432
  /// Remember that the number of formal parameters may not match the number
433
  /// of arguments for all calls. However, the first parameter will always
434
  /// correspond with the argument value returned by \c getArgSVal(0).
435
  virtual ArrayRef<ParmVarDecl *> parameters() const = 0;
436
437
  using param_type_iterator =
438
      llvm::mapped_iterator<ArrayRef<ParmVarDecl *>::iterator, GetTypeFn>;
439
440
  /// Returns an iterator over the types of the call's formal parameters.
441
  ///
442
  /// This uses the callee decl found by default name lookup rather than the
443
  /// definition because it represents a public interface, and probably has
444
  /// more annotations.
445
80.6k
  param_type_iterator param_type_begin() const {
446
80.6k
    return llvm::map_iterator(parameters().begin(), GetTypeFn());
447
80.6k
  }
448
  /// \sa param_type_begin()
449
80.6k
  param_type_iterator param_type_end() const {
450
80.6k
    return llvm::map_iterator(parameters().end(), GetTypeFn());
451
80.6k
  }
452
453
  // For debugging purposes only
454
  void dump(raw_ostream &Out) const;
455
  void dump() const;
456
};
457
458
/// Represents a call to any sort of function that might have a
459
/// FunctionDecl.
460
class AnyFunctionCall : public CallEvent {
461
protected:
462
  AnyFunctionCall(const Expr *E, ProgramStateRef St,
463
                  const LocationContext *LCtx)
464
163k
      : CallEvent(E, St, LCtx) {}
465
  AnyFunctionCall(const Decl *D, ProgramStateRef St,
466
                  const LocationContext *LCtx)
467
2.69k
      : CallEvent(D, St, LCtx) {}
468
145k
  AnyFunctionCall(const AnyFunctionCall &Other) = default;
469
470
public:
471
  // This function is overridden by subclasses, but they must return
472
  // a FunctionDecl.
473
32.1k
  const FunctionDecl *getDecl() const override {
474
32.1k
    return cast<FunctionDecl>(CallEvent::getDecl());
475
32.1k
  }
476
477
  RuntimeDefinition getRuntimeDefinition() const override;
478
479
  bool argumentsMayEscape() const override;
480
481
  void getInitialStackFrameContents(const StackFrameContext *CalleeCtx,
482
                                    BindingsTy &Bindings) const override;
483
484
  ArrayRef<ParmVarDecl *> parameters() const override;
485
486
75.7k
  static bool classof(const CallEvent *CA) {
487
75.7k
    return CA->getKind() >= CE_BEG_FUNCTION_CALLS &&
488
75.7k
           CA->getKind() <= CE_END_FUNCTION_CALLS;
489
75.7k
  }
490
};
491
492
/// Represents a C function or static C++ member function call.
493
///
494
/// Example: \c fun()
495
class SimpleFunctionCall : public AnyFunctionCall {
496
  friend class CallEventManager;
497
498
protected:
499
  SimpleFunctionCall(const CallExpr *CE, ProgramStateRef St,
500
                     const LocationContext *LCtx)
501
106k
      : AnyFunctionCall(CE, St, LCtx) {}
502
72.7k
  SimpleFunctionCall(const SimpleFunctionCall &Other) = default;
503
504
72.7k
  void cloneTo(void *Dest) const override {
505
72.7k
    new (Dest) SimpleFunctionCall(*this);
506
72.7k
  }
507
508
public:
509
1.90M
  virtual const CallExpr *getOriginExpr() const {
510
1.90M
    return cast<CallExpr>(AnyFunctionCall::getOriginExpr());
511
1.90M
  }
512
513
  const FunctionDecl *getDecl() const override;
514
515
321k
  unsigned getNumArgs() const override { return getOriginExpr()->getNumArgs(); }
516
517
243k
  const Expr *getArgExpr(unsigned Index) const override {
518
243k
    return getOriginExpr()->getArg(Index);
519
243k
  }
520
521
897k
  Kind getKind() const override { return CE_Function; }
522
523
1.24k
  static bool classof(const CallEvent *CA) {
524
1.24k
    return CA->getKind() == CE_Function;
525
1.24k
  }
526
};
527
528
/// Represents a call to a block.
529
///
530
/// Example: <tt>^{ /* ... */ }()</tt>
531
class BlockCall : public CallEvent {
532
  friend class CallEventManager;
533
534
protected:
535
  BlockCall(const CallExpr *CE, ProgramStateRef St,
536
            const LocationContext *LCtx)
537
573
      : CallEvent(CE, St, LCtx) {}
538
243
  BlockCall(const BlockCall &Other) = default;
539
540
243
  void cloneTo(void *Dest) const override { new (Dest) BlockCall(*this); }
541
542
  void getExtraInvalidatedValues(ValueList &Values,
543
         RegionAndSymbolInvalidationTraits *ETraits) const override;
544
545
public:
546
4.17k
  virtual const CallExpr *getOriginExpr() const {
547
4.17k
    return cast<CallExpr>(CallEvent::getOriginExpr());
548
4.17k
  }
549
550
1.18k
  unsigned getNumArgs() const override { return getOriginExpr()->getNumArgs(); }
551
552
337
  const Expr *getArgExpr(unsigned Index) const override {
553
337
    return getOriginExpr()->getArg(Index);
554
337
  }
555
556
  /// Returns the region associated with this instance of the block.
557
  ///
558
  /// This may be NULL if the block's origin is unknown.
559
  const BlockDataRegion *getBlockRegion() const;
560
561
2.45k
  const BlockDecl *getDecl() const override {
562
2.45k
    const BlockDataRegion *BR = getBlockRegion();
563
2.45k
    if (!BR)
564
104
      return nullptr;
565
2.35k
    return BR->getDecl();
566
2.35k
  }
567
568
543
  bool isConversionFromLambda() const {
569
543
    const BlockDecl *BD = getDecl();
570
543
    if (!BD)
571
10
      return false;
572
533
573
533
    return BD->isConversionFromLambda();
574
533
  }
575
576
  /// For a block converted from a C++ lambda, returns the block
577
  /// VarRegion for the variable holding the captured C++ lambda record.
578
14
  const VarRegion *getRegionStoringCapturedLambda() const {
579
14
    assert(isConversionFromLambda());
580
14
    const BlockDataRegion *BR = getBlockRegion();
581
14
    assert(BR && "Block converted from lambda must have a block region");
582
14
583
14
    auto I = BR->referenced_vars_begin();
584
14
    assert(I != BR->referenced_vars_end());
585
14
586
14
    return I.getCapturedRegion();
587
14
  }
588
589
195
  RuntimeDefinition getRuntimeDefinition() const override {
590
195
    if (!isConversionFromLambda())
591
188
      return RuntimeDefinition(getDecl());
592
7
593
7
    // Clang converts lambdas to blocks with an implicit user-defined
594
7
    // conversion operator method on the lambda record that looks (roughly)
595
7
    // like:
596
7
    //
597
7
    // typedef R(^block_type)(P1, P2, ...);
598
7
    // operator block_type() const {
599
7
    //   auto Lambda = *this;
600
7
    //   return ^(P1 p1, P2 p2, ...){
601
7
    //     /* return Lambda(p1, p2, ...); */
602
7
    //   };
603
7
    // }
604
7
    //
605
7
    // Here R is the return type of the lambda and P1, P2, ... are
606
7
    // its parameter types. 'Lambda' is a fake VarDecl captured by the block
607
7
    // that is initialized to a copy of the lambda.
608
7
    //
609
7
    // Sema leaves the body of a lambda-converted block empty (it is
610
7
    // produced by CodeGen), so we can't analyze it directly. Instead, we skip
611
7
    // the block body and analyze the operator() method on the captured lambda.
612
7
    const VarDecl *LambdaVD = getRegionStoringCapturedLambda()->getDecl();
613
7
    const CXXRecordDecl *LambdaDecl = LambdaVD->getType()->getAsCXXRecordDecl();
614
7
    CXXMethodDecl* LambdaCallOperator = LambdaDecl->getLambdaCallOperator();
615
7
616
7
    return RuntimeDefinition(LambdaCallOperator);
617
7
  }
618
619
18
  bool argumentsMayEscape() const override {
620
18
    return true;
621
18
  }
622
623
  void getInitialStackFrameContents(const StackFrameContext *CalleeCtx,
624
                                    BindingsTy &Bindings) const override;
625
626
  ArrayRef<ParmVarDecl*> parameters() const override;
627
628
2.43k
  Kind getKind() const override { return CE_Block; }
629
630
0
  static bool classof(const CallEvent *CA) {
631
0
    return CA->getKind() == CE_Block;
632
0
  }
633
};
634
635
/// Represents a non-static C++ member function call, no matter how
636
/// it is written.
637
class CXXInstanceCall : public AnyFunctionCall {
638
protected:
639
  CXXInstanceCall(const CallExpr *CE, ProgramStateRef St,
640
                  const LocationContext *LCtx)
641
19.1k
      : AnyFunctionCall(CE, St, LCtx) {}
642
  CXXInstanceCall(const FunctionDecl *D, ProgramStateRef St,
643
                  const LocationContext *LCtx)
644
2.69k
      : AnyFunctionCall(D, St, LCtx) {}
645
18.5k
  CXXInstanceCall(const CXXInstanceCall &Other) = default;
646
647
  void getExtraInvalidatedValues(ValueList &Values,
648
         RegionAndSymbolInvalidationTraits *ETraits) const override;
649
650
public:
651
  /// Returns the expression representing the implicit 'this' object.
652
60
  virtual const Expr *getCXXThisExpr() const { return nullptr; }
653
654
  /// Returns the value of the implicit 'this' object.
655
  virtual SVal getCXXThisVal() const;
656
657
  const FunctionDecl *getDecl() const override;
658
659
  RuntimeDefinition getRuntimeDefinition() const override;
660
661
  void getInitialStackFrameContents(const StackFrameContext *CalleeCtx,
662
                                    BindingsTy &Bindings) const override;
663
664
217k
  static bool classof(const CallEvent *CA) {
665
217k
    return CA->getKind() >= CE_BEG_CXX_INSTANCE_CALLS &&
666
217k
           
CA->getKind() <= CE_END_CXX_INSTANCE_CALLS92.7k
;
667
217k
  }
668
};
669
670
/// Represents a non-static C++ member function call.
671
///
672
/// Example: \c obj.fun()
673
class CXXMemberCall : public CXXInstanceCall {
674
  friend class CallEventManager;
675
676
protected:
677
  CXXMemberCall(const CXXMemberCallExpr *CE, ProgramStateRef St,
678
                const LocationContext *LCtx)
679
12.9k
      : CXXInstanceCall(CE, St, LCtx) {}
680
11.3k
  CXXMemberCall(const CXXMemberCall &Other) = default;
681
682
11.3k
  void cloneTo(void *Dest) const override { new (Dest) CXXMemberCall(*this); }
683
684
public:
685
78.4k
  virtual const CXXMemberCallExpr *getOriginExpr() const {
686
78.4k
    return cast<CXXMemberCallExpr>(CXXInstanceCall::getOriginExpr());
687
78.4k
  }
688
689
38.1k
  unsigned getNumArgs() const override {
690
38.1k
    if (const CallExpr *CE = getOriginExpr())
691
38.1k
      return CE->getNumArgs();
692
0
    return 0;
693
0
  }
694
695
12.4k
  const Expr *getArgExpr(unsigned Index) const override {
696
12.4k
    return getOriginExpr()->getArg(Index);
697
12.4k
  }
698
699
  const Expr *getCXXThisExpr() const override;
700
701
  RuntimeDefinition getRuntimeDefinition() const override;
702
703
137k
  Kind getKind() const override { return CE_CXXMember; }
704
705
1.81k
  static bool classof(const CallEvent *CA) {
706
1.81k
    return CA->getKind() == CE_CXXMember;
707
1.81k
  }
708
};
709
710
/// Represents a C++ overloaded operator call where the operator is
711
/// implemented as a non-static member function.
712
///
713
/// Example: <tt>iter + 1</tt>
714
class CXXMemberOperatorCall : public CXXInstanceCall {
715
  friend class CallEventManager;
716
717
protected:
718
  CXXMemberOperatorCall(const CXXOperatorCallExpr *CE, ProgramStateRef St,
719
                        const LocationContext *LCtx)
720
6.18k
      : CXXInstanceCall(CE, St, LCtx) {}
721
4.95k
  CXXMemberOperatorCall(const CXXMemberOperatorCall &Other) = default;
722
723
4.95k
  void cloneTo(void *Dest) const override {
724
4.95k
    new (Dest) CXXMemberOperatorCall(*this);
725
4.95k
  }
726
727
public:
728
42.0k
  virtual const CXXOperatorCallExpr *getOriginExpr() const {
729
42.0k
    return cast<CXXOperatorCallExpr>(CXXInstanceCall::getOriginExpr());
730
42.0k
  }
731
732
15.5k
  unsigned getNumArgs() const override {
733
15.5k
    return getOriginExpr()->getNumArgs() - 1;
734
15.5k
  }
735
736
15.0k
  const Expr *getArgExpr(unsigned Index) const override {
737
15.0k
    return getOriginExpr()->getArg(Index + 1);
738
15.0k
  }
739
740
  const Expr *getCXXThisExpr() const override;
741
742
56.5k
  Kind getKind() const override { return CE_CXXMemberOperator; }
743
744
1.28k
  static bool classof(const CallEvent *CA) {
745
1.28k
    return CA->getKind() == CE_CXXMemberOperator;
746
1.28k
  }
747
748
  Optional<unsigned>
749
4
  getAdjustedParameterIndex(unsigned ASTArgumentIndex) const override {
750
4
    // For member operator calls argument 0 on the expression corresponds
751
4
    // to implicit this-parameter on the declaration.
752
4
    return (ASTArgumentIndex > 0) ? Optional<unsigned>(ASTArgumentIndex - 1)
753
4
                                  : 
None0
;
754
4
  }
755
756
1.79k
  unsigned getASTArgumentIndex(unsigned CallArgumentIndex) const override {
757
1.79k
    // For member operator calls argument 0 on the expression corresponds
758
1.79k
    // to implicit this-parameter on the declaration.
759
1.79k
    return CallArgumentIndex + 1;
760
1.79k
  }
761
};
762
763
/// Represents an implicit call to a C++ destructor.
764
///
765
/// This can occur at the end of a scope (for automatic objects), at the end
766
/// of a full-expression (for temporaries), or as part of a delete.
767
class CXXDestructorCall : public CXXInstanceCall {
768
  friend class CallEventManager;
769
770
protected:
771
  using DtorDataTy = llvm::PointerIntPair<const MemRegion *, 1, bool>;
772
773
  /// Creates an implicit destructor.
774
  ///
775
  /// \param DD The destructor that will be called.
776
  /// \param Trigger The statement whose completion causes this destructor call.
777
  /// \param Target The object region to be destructed.
778
  /// \param St The path-sensitive state at this point in the program.
779
  /// \param LCtx The location context at this point in the program.
780
  CXXDestructorCall(const CXXDestructorDecl *DD, const Stmt *Trigger,
781
                    const MemRegion *Target, bool IsBaseDestructor,
782
                    ProgramStateRef St, const LocationContext *LCtx)
783
2.69k
      : CXXInstanceCall(DD, St, LCtx) {
784
2.69k
    Data = DtorDataTy(Target, IsBaseDestructor).getOpaqueValue();
785
2.69k
    Location = Trigger->getEndLoc();
786
2.69k
  }
787
788
2.18k
  CXXDestructorCall(const CXXDestructorCall &Other) = default;
789
790
2.18k
  void cloneTo(void *Dest) const override {new (Dest) CXXDestructorCall(*this);}
791
792
public:
793
11.6k
  SourceRange getSourceRange() const override { return Location; }
794
7.57k
  unsigned getNumArgs() const override { return 0; }
795
796
  RuntimeDefinition getRuntimeDefinition() const override;
797
798
  /// Returns the value of the implicit 'this' object.
799
  SVal getCXXThisVal() const override;
800
801
  /// Returns true if this is a call to a base class destructor.
802
2.54k
  bool isBaseDestructor() const {
803
2.54k
    return DtorDataTy::getFromOpaqueValue(Data).getInt();
804
2.54k
  }
805
806
20.4k
  Kind getKind() const override { return CE_CXXDestructor; }
807
808
88.6k
  static bool classof(const CallEvent *CA) {
809
88.6k
    return CA->getKind() == CE_CXXDestructor;
810
88.6k
  }
811
};
812
813
/// Represents a call to a C++ constructor.
814
///
815
/// Example: \c T(1)
816
class CXXConstructorCall : public AnyFunctionCall {
817
  friend class CallEventManager;
818
819
protected:
820
  /// Creates a constructor call.
821
  ///
822
  /// \param CE The constructor expression as written in the source.
823
  /// \param Target The region where the object should be constructed. If NULL,
824
  ///               a new symbolic region will be used.
825
  /// \param St The path-sensitive state at this point in the program.
826
  /// \param LCtx The location context at this point in the program.
827
  CXXConstructorCall(const CXXConstructExpr *CE, const MemRegion *Target,
828
                     ProgramStateRef St, const LocationContext *LCtx)
829
35.0k
      : AnyFunctionCall(CE, St, LCtx) {
830
35.0k
    Data = Target;
831
35.0k
  }
832
833
52.2k
  CXXConstructorCall(const CXXConstructorCall &Other) = default;
834
835
52.2k
  void cloneTo(void *Dest) const override { new (Dest) CXXConstructorCall(*this); }
836
837
  void getExtraInvalidatedValues(ValueList &Values,
838
         RegionAndSymbolInvalidationTraits *ETraits) const override;
839
840
public:
841
495k
  virtual const CXXConstructExpr *getOriginExpr() const {
842
495k
    return cast<CXXConstructExpr>(AnyFunctionCall::getOriginExpr());
843
495k
  }
844
845
213k
  const CXXConstructorDecl *getDecl() const override {
846
213k
    return getOriginExpr()->getConstructor();
847
213k
  }
848
849
117k
  unsigned getNumArgs() const override { return getOriginExpr()->getNumArgs(); }
850
851
117k
  const Expr *getArgExpr(unsigned Index) const override {
852
117k
    return getOriginExpr()->getArg(Index);
853
117k
  }
854
855
  /// Returns the value of the implicit 'this' object.
856
  SVal getCXXThisVal() const;
857
858
  void getInitialStackFrameContents(const StackFrameContext *CalleeCtx,
859
                                    BindingsTy &Bindings) const override;
860
861
306k
  Kind getKind() const override { return CE_CXXConstructor; }
862
863
236k
  static bool classof(const CallEvent *CA) {
864
236k
    return CA->getKind() == CE_CXXConstructor;
865
236k
  }
866
};
867
868
/// Represents the memory allocation call in a C++ new-expression.
869
///
870
/// This is a call to "operator new".
871
class CXXAllocatorCall : public AnyFunctionCall {
872
  friend class CallEventManager;
873
874
protected:
875
  CXXAllocatorCall(const CXXNewExpr *E, ProgramStateRef St,
876
                   const LocationContext *LCtx)
877
2.81k
      : AnyFunctionCall(E, St, LCtx) {}
878
1.90k
  CXXAllocatorCall(const CXXAllocatorCall &Other) = default;
879
880
1.90k
  void cloneTo(void *Dest) const override { new (Dest) CXXAllocatorCall(*this); }
881
882
public:
883
42.9k
  virtual const CXXNewExpr *getOriginExpr() const {
884
42.9k
    return cast<CXXNewExpr>(AnyFunctionCall::getOriginExpr());
885
42.9k
  }
886
887
17.0k
  const FunctionDecl *getDecl() const override {
888
17.0k
    return getOriginExpr()->getOperatorNew();
889
17.0k
  }
890
891
  /// Number of non-placement arguments to the call. It is equal to 2 for
892
  /// C++17 aligned operator new() calls that have alignment implicitly
893
  /// passed as the second argument, and to 1 for other operator new() calls.
894
16.9k
  unsigned getNumImplicitArgs() const {
895
16.9k
    return getOriginExpr()->passAlignment() ? 
219
:
116.9k
;
896
16.9k
  }
897
898
7.20k
  unsigned getNumArgs() const override {
899
7.20k
    return getOriginExpr()->getNumPlacementArgs() + getNumImplicitArgs();
900
7.20k
  }
901
902
7.97k
  const Expr *getArgExpr(unsigned Index) const override {
903
7.97k
    // The first argument of an allocator call is the size of the allocation.
904
7.97k
    if (Index < getNumImplicitArgs())
905
6.21k
      return nullptr;
906
1.75k
    return getOriginExpr()->getPlacementArg(Index - getNumImplicitArgs());
907
1.75k
  }
908
909
  /// Number of placement arguments to the operator new() call. For example,
910
  /// standard std::nothrow operator new and standard placement new both have
911
  /// 1 implicit argument (size) and 1 placement argument, while regular
912
  /// operator new() has 1 implicit argument and 0 placement arguments.
913
0
  const Expr *getPlacementArgExpr(unsigned Index) const {
914
0
    return getOriginExpr()->getPlacementArg(Index);
915
0
  }
916
917
17.0k
  Kind getKind() const override { return CE_CXXAllocator; }
918
919
0
  static bool classof(const CallEvent *CE) {
920
0
    return CE->getKind() == CE_CXXAllocator;
921
0
  }
922
};
923
924
/// Represents the ways an Objective-C message send can occur.
925
//
926
// Note to maintainers: OCM_Message should always be last, since it does not
927
// need to fit in the Data field's low bits.
928
enum ObjCMessageKind {
929
  OCM_PropertyAccess,
930
  OCM_Subscript,
931
  OCM_Message
932
};
933
934
/// Represents any expression that calls an Objective-C method.
935
///
936
/// This includes all of the kinds listed in ObjCMessageKind.
937
class ObjCMethodCall : public CallEvent {
938
  friend class CallEventManager;
939
940
  const PseudoObjectExpr *getContainingPseudoObjectExpr() const;
941
942
protected:
943
  ObjCMethodCall(const ObjCMessageExpr *Msg, ProgramStateRef St,
944
                 const LocationContext *LCtx)
945
5.75k
      : CallEvent(Msg, St, LCtx) {
946
5.75k
    Data = nullptr;
947
5.75k
  }
948
949
29.8k
  ObjCMethodCall(const ObjCMethodCall &Other) = default;
950
951
29.8k
  void cloneTo(void *Dest) const override { new (Dest) ObjCMethodCall(*this); }
952
953
  void getExtraInvalidatedValues(ValueList &Values,
954
         RegionAndSymbolInvalidationTraits *ETraits) const override;
955
956
  /// Check if the selector may have multiple definitions (may have overrides).
957
  virtual bool canBeOverridenInSubclass(ObjCInterfaceDecl *IDecl,
958
                                        Selector Sel) const;
959
960
public:
961
198k
  virtual const ObjCMessageExpr *getOriginExpr() const {
962
198k
    return cast<ObjCMessageExpr>(CallEvent::getOriginExpr());
963
198k
  }
964
965
68.2k
  const ObjCMethodDecl *getDecl() const override {
966
68.2k
    return getOriginExpr()->getMethodDecl();
967
68.2k
  }
968
969
28.8k
  unsigned getNumArgs() const override {
970
28.8k
    return getOriginExpr()->getNumArgs();
971
28.8k
  }
972
973
7.09k
  const Expr *getArgExpr(unsigned Index) const override {
974
7.09k
    return getOriginExpr()->getArg(Index);
975
7.09k
  }
976
977
43.0k
  bool isInstanceMessage() const {
978
43.0k
    return getOriginExpr()->isInstanceMessage();
979
43.0k
  }
980
981
7.37k
  ObjCMethodFamily getMethodFamily() const {
982
7.37k
    return getOriginExpr()->getMethodFamily();
983
7.37k
  }
984
985
2.12k
  Selector getSelector() const {
986
2.12k
    return getOriginExpr()->getSelector();
987
2.12k
  }
988
989
  SourceRange getSourceRange() const override;
990
991
  /// Returns the value of the receiver at the time of this call.
992
  SVal getReceiverSVal() const;
993
994
  /// Return the value of 'self' if available.
995
  SVal getSelfSVal() const;
996
997
  /// Get the interface for the receiver.
998
  ///
999
  /// This works whether this is an instance message or a class message.
1000
  /// However, it currently just uses the static type of the receiver.
1001
3.77k
  const ObjCInterfaceDecl *getReceiverInterface() const {
1002
3.77k
    return getOriginExpr()->getReceiverInterface();
1003
3.77k
  }
1004
1005
  /// Checks if the receiver refers to 'self' or 'super'.
1006
  bool isReceiverSelfOrSuper() const;
1007
1008
  /// Returns how the message was written in the source (property access,
1009
  /// subscript, or explicit message send).
1010
  ObjCMessageKind getMessageKind() const;
1011
1012
  /// Returns true if this property access or subscript is a setter (has the
1013
  /// form of an assignment).
1014
6
  bool isSetter() const {
1015
6
    switch (getMessageKind()) {
1016
6
    case OCM_Message:
1017
0
      llvm_unreachable("This is not a pseudo-object access!");
1018
6
    case OCM_PropertyAccess:
1019
0
      return getNumArgs() > 0;
1020
6
    case OCM_Subscript:
1021
6
      return getNumArgs() > 1;
1022
0
    }
1023
0
    llvm_unreachable("Unknown message kind");
1024
0
  }
1025
1026
  // Returns the property accessed by this method, either explicitly via
1027
  // property syntax or implicitly via a getter or setter method. Returns
1028
  // nullptr if the call is not a prooperty access.
1029
  const ObjCPropertyDecl *getAccessedProperty() const;
1030
1031
  RuntimeDefinition getRuntimeDefinition() const override;
1032
1033
  bool argumentsMayEscape() const override;
1034
1035
  void getInitialStackFrameContents(const StackFrameContext *CalleeCtx,
1036
                                    BindingsTy &Bindings) const override;
1037
1038
  ArrayRef<ParmVarDecl*> parameters() const override;
1039
1040
41.8k
  Kind getKind() const override { return CE_ObjCMessage; }
1041
1042
245k
  static bool classof(const CallEvent *CA) {
1043
245k
    return CA->getKind() == CE_ObjCMessage;
1044
245k
  }
1045
};
1046
1047
enum CallDescriptionFlags : int {
1048
  /// Describes a C standard function that is sometimes implemented as a macro
1049
  /// that expands to a compiler builtin with some __builtin prefix.
1050
  /// The builtin may as well have a few extra arguments on top of the requested
1051
  /// number of arguments.
1052
  CDF_MaybeBuiltin = 1 << 0,
1053
};
1054
1055
/// This class represents a description of a function call using the number of
1056
/// arguments and the name of the function.
1057
class CallDescription {
1058
  friend CallEvent;
1059
1060
  mutable IdentifierInfo *II = nullptr;
1061
  mutable bool IsLookupDone = false;
1062
  // The list of the qualified names used to identify the specified CallEvent,
1063
  // e.g. "{a, b}" represent the qualified names, like "a::b".
1064
  std::vector<const char *> QualifiedName;
1065
  Optional<unsigned> RequiredArgs;
1066
  int Flags;
1067
1068
public:
1069
  /// Constructs a CallDescription object.
1070
  ///
1071
  /// @param QualifiedName The list of the name qualifiers of the function that
1072
  /// will be matched. The user is allowed to skip any of the qualifiers.
1073
  /// For example, {"std", "basic_string", "c_str"} would match both
1074
  /// std::basic_string<...>::c_str() and std::__1::basic_string<...>::c_str().
1075
  ///
1076
  /// @param RequiredArgs The number of arguments that is expected to match a
1077
  /// call. Omit this parameter to match every occurrence of call with a given
1078
  /// name regardless the number of arguments.
1079
  CallDescription(int Flags, ArrayRef<const char *> QualifiedName,
1080
                  Optional<unsigned> RequiredArgs = None)
1081
      : QualifiedName(QualifiedName), RequiredArgs(RequiredArgs),
1082
987k
        Flags(Flags) {}
1083
1084
  /// Construct a CallDescription with default flags.
1085
  CallDescription(ArrayRef<const char *> QualifiedName,
1086
                  Optional<unsigned> RequiredArgs = None)
1087
982k
      : CallDescription(0, QualifiedName, RequiredArgs) {}
Unexecuted instantiation: clang::ento::CallDescription::CallDescription(llvm::ArrayRef<char const*>, llvm::Optional<unsigned int>)
clang::ento::CallDescription::CallDescription(llvm::ArrayRef<char const*>, llvm::Optional<unsigned int>)
Line
Count
Source
1087
982k
      : CallDescription(0, QualifiedName, RequiredArgs) {}
1088
1089
  /// Get the name of the function that this object matches.
1090
279k
  StringRef getFunctionName() const { return QualifiedName.back(); }
1091
};
1092
1093
/// An immutable map from CallDescriptions to arbitrary data. Provides a unified
1094
/// way for checkers to react on function calls.
1095
template <typename T> class CallDescriptionMap {
1096
  // Some call descriptions aren't easily hashable (eg., the ones with qualified
1097
  // names in which some sections are omitted), so let's put them
1098
  // in a simple vector and use linear lookup.
1099
  // TODO: Implement an actual map for fast lookup for "hashable" call
1100
  // descriptions (eg., the ones for C functions that just match the name).
1101
  std::vector<std::pair<CallDescription, T>> LinearMap;
1102
1103
public:
1104
  CallDescriptionMap(
1105
      std::initializer_list<std::pair<CallDescription, T>> &&List)
1106
227
      : LinearMap(List) {}
CStringChecker.cpp:clang::ento::CallDescriptionMap<void ((anonymous namespace)::CStringChecker::*)(clang::ento::CheckerContext&, clang::CallExpr const*) const>::CallDescriptionMap(std::initializer_list<std::__1::pair<clang::ento::CallDescription, void ((anonymous namespace)::CStringChecker::*)(clang::ento::CheckerContext&, clang::CallExpr const*) const> >&&)
Line
Count
Source
1106
198
      : LinearMap(List) {}
CastValueChecker.cpp:clang::ento::CallDescriptionMap<std::__1::function<void ((anonymous namespace)::CastValueChecker const*, clang::CallExpr const*, clang::ento::DefinedOrUnknownSVal, clang::ento::CheckerContext&)> >::CallDescriptionMap(std::initializer_list<std::__1::pair<clang::ento::CallDescription, std::__1::function<void ((anonymous namespace)::CastValueChecker const*, clang::CallExpr const*, clang::ento::DefinedOrUnknownSVal, clang::ento::CheckerContext&)> > >&&)
Line
Count
Source
1106
12
      : LinearMap(List) {}
clang::ento::CallDescriptionMap<bool>::CallDescriptionMap(std::initializer_list<std::__1::pair<clang::ento::CallDescription, bool> >&&)
Line
Count
Source
1106
17
      : LinearMap(List) {}
1107
1108
227
  ~CallDescriptionMap() = default;
CStringChecker.cpp:clang::ento::CallDescriptionMap<void ((anonymous namespace)::CStringChecker::*)(clang::ento::CheckerContext&, clang::CallExpr const*) const>::~CallDescriptionMap()
Line
Count
Source
1108
198
  ~CallDescriptionMap() = default;
CastValueChecker.cpp:clang::ento::CallDescriptionMap<std::__1::function<void ((anonymous namespace)::CastValueChecker const*, clang::CallExpr const*, clang::ento::DefinedOrUnknownSVal, clang::ento::CheckerContext&)> >::~CallDescriptionMap()
Line
Count
Source
1108
12
  ~CallDescriptionMap() = default;
clang::ento::CallDescriptionMap<bool>::~CallDescriptionMap()
Line
Count
Source
1108
17
  ~CallDescriptionMap() = default;
1109
1110
  // These maps are usually stored once per checker, so let's make sure
1111
  // we don't do redundant copies.
1112
  CallDescriptionMap(const CallDescriptionMap &) = delete;
1113
  CallDescriptionMap &operator=(const CallDescription &) = delete;
1114
1115
13.1k
  const T *lookup(const CallEvent &Call) const {
1116
13.1k
    // Slow path: linear lookup.
1117
13.1k
    // TODO: Implement some sort of fast path.
1118
13.1k
    for (const std::pair<CallDescription, T> &I : LinearMap)
1119
284k
      if (Call.isCalled(I.first))
1120
2.04k
        return &I.second;
1121
13.1k
1122
13.1k
    
return nullptr11.0k
;
1123
13.1k
  }
CStringChecker.cpp:clang::ento::CallDescriptionMap<void ((anonymous namespace)::CStringChecker::*)(clang::ento::CheckerContext&, clang::CallExpr const*) const>::lookup(clang::ento::CallEvent const&) const
Line
Count
Source
1115
12.7k
  const T *lookup(const CallEvent &Call) const {
1116
12.7k
    // Slow path: linear lookup.
1117
12.7k
    // TODO: Implement some sort of fast path.
1118
12.7k
    for (const std::pair<CallDescription, T> &I : LinearMap)
1119
281k
      if (Call.isCalled(I.first))
1120
2.01k
        return &I.second;
1121
12.7k
1122
12.7k
    
return nullptr10.7k
;
1123
12.7k
  }
CastValueChecker.cpp:clang::ento::CallDescriptionMap<std::__1::function<void ((anonymous namespace)::CastValueChecker const*, clang::CallExpr const*, clang::ento::DefinedOrUnknownSVal, clang::ento::CheckerContext&)> >::lookup(clang::ento::CallEvent const&) const
Line
Count
Source
1115
196
  const T *lookup(const CallEvent &Call) const {
1116
196
    // Slow path: linear lookup.
1117
196
    // TODO: Implement some sort of fast path.
1118
196
    for (const std::pair<CallDescription, T> &I : LinearMap)
1119
772
      if (Call.isCalled(I.first))
1120
18
        return &I.second;
1121
196
1122
196
    
return nullptr178
;
1123
196
  }
clang::ento::CallDescriptionMap<bool>::lookup(clang::ento::CallEvent const&) const
Line
Count
Source
1115
174
  const T *lookup(const CallEvent &Call) const {
1116
174
    // Slow path: linear lookup.
1117
174
    // TODO: Implement some sort of fast path.
1118
174
    for (const std::pair<CallDescription, T> &I : LinearMap)
1119
2.63k
      if (Call.isCalled(I.first))
1120
12
        return &I.second;
1121
174
1122
174
    
return nullptr162
;
1123
174
  }
1124
};
1125
1126
/// Manages the lifetime of CallEvent objects.
1127
///
1128
/// CallEventManager provides a way to create arbitrary CallEvents "on the
1129
/// stack" as if they were value objects by keeping a cache of CallEvent-sized
1130
/// memory blocks. The CallEvents created by CallEventManager are only valid
1131
/// for the lifetime of the OwnedCallEvent that holds them; right now these
1132
/// objects cannot be copied and ownership cannot be transferred.
1133
class CallEventManager {
1134
  friend class CallEvent;
1135
1136
  llvm::BumpPtrAllocator &Alloc;
1137
  SmallVector<void *, 8> Cache;
1138
1139
  using CallEventTemplateTy = SimpleFunctionCall;
1140
1141
347k
  void reclaim(const void *Memory) {
1142
347k
    Cache.push_back(const_cast<void *>(Memory));
1143
347k
  }
1144
1145
  /// Returns memory that can be initialized as a CallEvent.
1146
347k
  void *allocate() {
1147
347k
    if (Cache.empty())
1148
17.1k
      return Alloc.Allocate<CallEventTemplateTy>();
1149
330k
    else
1150
330k
      return Cache.pop_back_val();
1151
347k
  }
1152
1153
  template <typename T, typename Arg>
1154
134k
  T *create(Arg A, ProgramStateRef St, const LocationContext *LCtx) {
1155
134k
    static_assert(sizeof(T) == sizeof(CallEventTemplateTy),
1156
134k
                  "CallEvent subclasses are not all the same size");
1157
134k
    return new (allocate()) T(A, St, LCtx);
1158
134k
  }
clang::ento::ObjCMethodCall* clang::ento::CallEventManager::create<clang::ento::ObjCMethodCall, clang::ObjCMessageExpr const*>(clang::ObjCMessageExpr const*, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::LocationContext const*)
Line
Count
Source
1154
5.75k
  T *create(Arg A, ProgramStateRef St, const LocationContext *LCtx) {
1155
5.75k
    static_assert(sizeof(T) == sizeof(CallEventTemplateTy),
1156
5.75k
                  "CallEvent subclasses are not all the same size");
1157
5.75k
    return new (allocate()) T(A, St, LCtx);
1158
5.75k
  }
clang::ento::CXXAllocatorCall* clang::ento::CallEventManager::create<clang::ento::CXXAllocatorCall, clang::CXXNewExpr const*>(clang::CXXNewExpr const*, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::LocationContext const*)
Line
Count
Source
1154
2.81k
  T *create(Arg A, ProgramStateRef St, const LocationContext *LCtx) {
1155
2.81k
    static_assert(sizeof(T) == sizeof(CallEventTemplateTy),
1156
2.81k
                  "CallEvent subclasses are not all the same size");
1157
2.81k
    return new (allocate()) T(A, St, LCtx);
1158
2.81k
  }
clang::ento::CXXMemberCall* clang::ento::CallEventManager::create<clang::ento::CXXMemberCall, clang::CXXMemberCallExpr const*>(clang::CXXMemberCallExpr const*, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::LocationContext const*)
Line
Count
Source
1154
12.9k
  T *create(Arg A, ProgramStateRef St, const LocationContext *LCtx) {
1155
12.9k
    static_assert(sizeof(T) == sizeof(CallEventTemplateTy),
1156
12.9k
                  "CallEvent subclasses are not all the same size");
1157
12.9k
    return new (allocate()) T(A, St, LCtx);
1158
12.9k
  }
clang::ento::CXXMemberOperatorCall* clang::ento::CallEventManager::create<clang::ento::CXXMemberOperatorCall, clang::CXXOperatorCallExpr const*>(clang::CXXOperatorCallExpr const*, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::LocationContext const*)
Line
Count
Source
1154
6.18k
  T *create(Arg A, ProgramStateRef St, const LocationContext *LCtx) {
1155
6.18k
    static_assert(sizeof(T) == sizeof(CallEventTemplateTy),
1156
6.18k
                  "CallEvent subclasses are not all the same size");
1157
6.18k
    return new (allocate()) T(A, St, LCtx);
1158
6.18k
  }
clang::ento::BlockCall* clang::ento::CallEventManager::create<clang::ento::BlockCall, clang::CallExpr const*>(clang::CallExpr const*, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::LocationContext const*)
Line
Count
Source
1154
573
  T *create(Arg A, ProgramStateRef St, const LocationContext *LCtx) {
1155
573
    static_assert(sizeof(T) == sizeof(CallEventTemplateTy),
1156
573
                  "CallEvent subclasses are not all the same size");
1157
573
    return new (allocate()) T(A, St, LCtx);
1158
573
  }
clang::ento::SimpleFunctionCall* clang::ento::CallEventManager::create<clang::ento::SimpleFunctionCall, clang::CallExpr const*>(clang::CallExpr const*, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::LocationContext const*)
Line
Count
Source
1154
106k
  T *create(Arg A, ProgramStateRef St, const LocationContext *LCtx) {
1155
106k
    static_assert(sizeof(T) == sizeof(CallEventTemplateTy),
1156
106k
                  "CallEvent subclasses are not all the same size");
1157
106k
    return new (allocate()) T(A, St, LCtx);
1158
106k
  }
1159
1160
  template <typename T, typename Arg1, typename Arg2>
1161
35.0k
  T *create(Arg1 A1, Arg2 A2, ProgramStateRef St, const LocationContext *LCtx) {
1162
35.0k
    static_assert(sizeof(T) == sizeof(CallEventTemplateTy),
1163
35.0k
                  "CallEvent subclasses are not all the same size");
1164
35.0k
    return new (allocate()) T(A1, A2, St, LCtx);
1165
35.0k
  }
1166
1167
  template <typename T, typename Arg1, typename Arg2, typename Arg3>
1168
  T *create(Arg1 A1, Arg2 A2, Arg3 A3, ProgramStateRef St,
1169
            const LocationContext *LCtx) {
1170
    static_assert(sizeof(T) == sizeof(CallEventTemplateTy),
1171
                  "CallEvent subclasses are not all the same size");
1172
    return new (allocate()) T(A1, A2, A3, St, LCtx);
1173
  }
1174
1175
  template <typename T, typename Arg1, typename Arg2, typename Arg3,
1176
            typename Arg4>
1177
  T *create(Arg1 A1, Arg2 A2, Arg3 A3, Arg4 A4, ProgramStateRef St,
1178
2.69k
            const LocationContext *LCtx) {
1179
2.69k
    static_assert(sizeof(T) == sizeof(CallEventTemplateTy),
1180
2.69k
                  "CallEvent subclasses are not all the same size");
1181
2.69k
    return new (allocate()) T(A1, A2, A3, A4, St, LCtx);
1182
2.69k
  }
1183
1184
public:
1185
10.8k
  CallEventManager(llvm::BumpPtrAllocator &alloc) : Alloc(alloc) {}
1186
1187
  /// Gets an outside caller given a callee context.
1188
  CallEventRef<>
1189
  getCaller(const StackFrameContext *CalleeCtx, ProgramStateRef State);
1190
1191
  /// Gets a call event for a function call, Objective-C method call,
1192
  /// or a 'new' call.
1193
  CallEventRef<>
1194
  getCall(const Stmt *S, ProgramStateRef State,
1195
          const LocationContext *LC);
1196
1197
  CallEventRef<>
1198
  getSimpleCall(const CallExpr *E, ProgramStateRef State,
1199
                const LocationContext *LCtx);
1200
1201
  CallEventRef<ObjCMethodCall>
1202
  getObjCMethodCall(const ObjCMessageExpr *E, ProgramStateRef State,
1203
5.75k
                    const LocationContext *LCtx) {
1204
5.75k
    return create<ObjCMethodCall>(E, State, LCtx);
1205
5.75k
  }
1206
1207
  CallEventRef<CXXConstructorCall>
1208
  getCXXConstructorCall(const CXXConstructExpr *E, const MemRegion *Target,
1209
35.0k
                        ProgramStateRef State, const LocationContext *LCtx) {
1210
35.0k
    return create<CXXConstructorCall>(E, Target, State, LCtx);
1211
35.0k
  }
1212
1213
  CallEventRef<CXXDestructorCall>
1214
  getCXXDestructorCall(const CXXDestructorDecl *DD, const Stmt *Trigger,
1215
                       const MemRegion *Target, bool IsBase,
1216
2.69k
                       ProgramStateRef State, const LocationContext *LCtx) {
1217
2.69k
    return create<CXXDestructorCall>(DD, Trigger, Target, IsBase, State, LCtx);
1218
2.69k
  }
1219
1220
  CallEventRef<CXXAllocatorCall>
1221
  getCXXAllocatorCall(const CXXNewExpr *E, ProgramStateRef State,
1222
2.81k
                      const LocationContext *LCtx) {
1223
2.81k
    return create<CXXAllocatorCall>(E, State, LCtx);
1224
2.81k
  }
1225
};
1226
1227
template <typename T>
1228
711k
CallEventRef<T> CallEvent::cloneWithState(ProgramStateRef NewState) const {
1229
711k
  assert(isa<T>(*this) && "Cloning to unrelated type");
1230
711k
  static_assert(sizeof(T) == sizeof(CallEvent),
1231
711k
                "Subclasses may not add fields");
1232
711k
1233
711k
  if (NewState == State)
1234
535k
    return cast<T>(this);
1235
175k
1236
175k
  CallEventManager &Mgr = State->getStateManager().getCallEventManager();
1237
175k
  T *Copy = static_cast<T *>(Mgr.allocate());
1238
175k
  cloneTo(Copy);
1239
175k
  assert(Copy->getKind() == this->getKind() && "Bad copy");
1240
175k
1241
175k
  Copy->State = NewState;
1242
175k
  return Copy;
1243
175k
}
clang::ento::CallEventRef<clang::ento::CallEvent> clang::ento::CallEvent::cloneWithState<clang::ento::CallEvent>(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) const
Line
Count
Source
1228
689k
CallEventRef<T> CallEvent::cloneWithState(ProgramStateRef NewState) const {
1229
689k
  assert(isa<T>(*this) && "Cloning to unrelated type");
1230
689k
  static_assert(sizeof(T) == sizeof(CallEvent),
1231
689k
                "Subclasses may not add fields");
1232
689k
1233
689k
  if (NewState == State)
1234
528k
    return cast<T>(this);
1235
161k
1236
161k
  CallEventManager &Mgr = State->getStateManager().getCallEventManager();
1237
161k
  T *Copy = static_cast<T *>(Mgr.allocate());
1238
161k
  cloneTo(Copy);
1239
161k
  assert(Copy->getKind() == this->getKind() && "Bad copy");
1240
161k
1241
161k
  Copy->State = NewState;
1242
161k
  return Copy;
1243
161k
}
clang::ento::CallEventRef<clang::ento::ObjCMethodCall> clang::ento::CallEvent::cloneWithState<clang::ento::ObjCMethodCall>(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) const
Line
Count
Source
1228
21.5k
CallEventRef<T> CallEvent::cloneWithState(ProgramStateRef NewState) const {
1229
21.5k
  assert(isa<T>(*this) && "Cloning to unrelated type");
1230
21.5k
  static_assert(sizeof(T) == sizeof(CallEvent),
1231
21.5k
                "Subclasses may not add fields");
1232
21.5k
1233
21.5k
  if (NewState == State)
1234
7.39k
    return cast<T>(this);
1235
14.1k
1236
14.1k
  CallEventManager &Mgr = State->getStateManager().getCallEventManager();
1237
14.1k
  T *Copy = static_cast<T *>(Mgr.allocate());
1238
14.1k
  cloneTo(Copy);
1239
14.1k
  assert(Copy->getKind() == this->getKind() && "Bad copy");
1240
14.1k
1241
14.1k
  Copy->State = NewState;
1242
14.1k
  return Copy;
1243
14.1k
}
1244
1245
968k
inline void CallEvent::Release() const {
1246
968k
  assert(RefCount > 0 && "Reference count is already zero.");
1247
968k
  --RefCount;
1248
968k
1249
968k
  if (RefCount > 0)
1250
620k
    return;
1251
347k
1252
347k
  CallEventManager &Mgr = State->getStateManager().getCallEventManager();
1253
347k
  Mgr.reclaim(this);
1254
347k
1255
347k
  this->~CallEvent();
1256
347k
}
1257
1258
} // namespace ento
1259
1260
} // namespace clang
1261
1262
namespace llvm {
1263
1264
// Support isa<>, cast<>, and dyn_cast<> for CallEventRef.
1265
template<class T> struct simplify_type< clang::ento::CallEventRef<T>> {
1266
  using SimpleType = const T *;
1267
1268
  static SimpleType
1269
39.2k
  getSimplifiedValue(clang::ento::CallEventRef<T> Val) {
1270
39.2k
    return Val.get();
1271
39.2k
  }
1272
};
1273
1274
} // namespace llvm
1275
1276
#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_CALLEVENT_H