Coverage Report

Created: 2019-07-24 05:18

/Users/buildslave/jenkins/workspace/clang-stage2-coverage-R/llvm/tools/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
Line
Count
Source (jump to first uncovered line)
1
//===- CallEvent.cpp - Wrapper for all function and method calls ----------===//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
/// \file This file defines CallEvent and its subclasses, which represent path-
10
/// sensitive instances of different kinds of function and method calls
11
/// (C, C++, and Objective-C).
12
//
13
//===----------------------------------------------------------------------===//
14
15
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
16
#include "clang/AST/ASTContext.h"
17
#include "clang/AST/Decl.h"
18
#include "clang/AST/DeclBase.h"
19
#include "clang/AST/DeclCXX.h"
20
#include "clang/AST/DeclObjC.h"
21
#include "clang/AST/Expr.h"
22
#include "clang/AST/ExprCXX.h"
23
#include "clang/AST/ExprObjC.h"
24
#include "clang/AST/ParentMap.h"
25
#include "clang/AST/Stmt.h"
26
#include "clang/AST/Type.h"
27
#include "clang/Analysis/AnalysisDeclContext.h"
28
#include "clang/Analysis/CFG.h"
29
#include "clang/Analysis/CFGStmtMap.h"
30
#include "clang/Analysis/ProgramPoint.h"
31
#include "clang/CrossTU/CrossTranslationUnit.h"
32
#include "clang/Basic/IdentifierTable.h"
33
#include "clang/Basic/LLVM.h"
34
#include "clang/Basic/SourceLocation.h"
35
#include "clang/Basic/SourceManager.h"
36
#include "clang/Basic/Specifiers.h"
37
#include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
38
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
39
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h"
40
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h"
41
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
42
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
43
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
44
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
45
#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
46
#include "clang/StaticAnalyzer/Core/PathSensitive/Store.h"
47
#include "llvm/ADT/ArrayRef.h"
48
#include "llvm/ADT/DenseMap.h"
49
#include "llvm/ADT/None.h"
50
#include "llvm/ADT/Optional.h"
51
#include "llvm/ADT/PointerIntPair.h"
52
#include "llvm/ADT/SmallSet.h"
53
#include "llvm/ADT/SmallVector.h"
54
#include "llvm/ADT/StringExtras.h"
55
#include "llvm/ADT/StringRef.h"
56
#include "llvm/Support/Casting.h"
57
#include "llvm/Support/Compiler.h"
58
#include "llvm/Support/Debug.h"
59
#include "llvm/Support/ErrorHandling.h"
60
#include "llvm/Support/raw_ostream.h"
61
#include <cassert>
62
#include <utility>
63
64
#define DEBUG_TYPE "static-analyzer-call-event"
65
66
using namespace clang;
67
using namespace ento;
68
69
30.9k
QualType CallEvent::getResultType() const {
70
30.9k
  ASTContext &Ctx = getState()->getStateManager().getContext();
71
30.9k
  const Expr *E = getOriginExpr();
72
30.9k
  if (!E)
73
1
    return Ctx.VoidTy;
74
30.9k
  assert(E);
75
30.9k
76
30.9k
  QualType ResultTy = E->getType();
77
30.9k
78
30.9k
  // A function that returns a reference to 'int' will have a result type
79
30.9k
  // of simply 'int'. Check the origin expr's value kind to recover the
80
30.9k
  // proper type.
81
30.9k
  switch (E->getValueKind()) {
82
30.9k
  case VK_LValue:
83
312
    ResultTy = Ctx.getLValueReferenceType(ResultTy);
84
312
    break;
85
30.9k
  case VK_XValue:
86
25
    ResultTy = Ctx.getRValueReferenceType(ResultTy);
87
25
    break;
88
30.9k
  case VK_RValue:
89
30.5k
    // No adjustment is necessary.
90
30.5k
    break;
91
30.9k
  }
92
30.9k
93
30.9k
  return ResultTy;
94
30.9k
}
95
96
24.0k
static bool isCallback(QualType T) {
97
24.0k
  // If a parameter is a block or a callback, assume it can modify pointer.
98
24.0k
  if (T->isBlockPointerType() ||
99
24.0k
      
T->isFunctionPointerType()23.8k
||
100
24.0k
      
T->isObjCSelType()23.8k
)
101
255
    return true;
102
23.7k
103
23.7k
  // Check if a callback is passed inside a struct (for both, struct passed by
104
23.7k
  // reference and by value). Dig just one level into the struct for now.
105
23.7k
106
23.7k
  if (T->isAnyPointerType() || 
T->isReferenceType()14.8k
)
107
9.90k
    T = T->getPointeeType();
108
23.7k
109
23.7k
  if (const RecordType *RT = T->getAsStructureType()) {
110
13.0k
    const RecordDecl *RD = RT->getDecl();
111
15.3k
    for (const auto *I : RD->fields()) {
112
15.3k
      QualType FieldT = I->getType();
113
15.3k
      if (FieldT->isBlockPointerType() || FieldT->isFunctionPointerType())
114
9
        return true;
115
15.3k
    }
116
13.0k
  }
117
23.7k
  
return false23.7k
;
118
23.7k
}
119
120
19.9k
static bool isVoidPointerToNonConst(QualType T) {
121
19.9k
  if (const auto *PT = T->getAs<PointerType>()) {
122
6.36k
    QualType PointeeTy = PT->getPointeeType();
123
6.36k
    if (PointeeTy.isConstQualified())
124
2.45k
      return false;
125
3.91k
    return PointeeTy->isVoidType();
126
3.91k
  } else
127
13.6k
    return false;
128
19.9k
}
129
130
54.7k
bool CallEvent::hasNonNullArgumentsWithType(bool (*Condition)(QualType)) const {
131
54.7k
  unsigned NumOfArgs = getNumArgs();
132
54.7k
133
54.7k
  // If calling using a function pointer, assume the function does not
134
54.7k
  // satisfy the callback.
135
54.7k
  // TODO: We could check the types of the arguments here.
136
54.7k
  if (!getDecl())
137
75
    return false;
138
54.6k
139
54.6k
  unsigned Idx = 0;
140
54.6k
  for (CallEvent::param_type_iterator I = param_type_begin(),
141
54.6k
                                      E = param_type_end();
142
100k
       I != E && 
Idx < NumOfArgs46.8k
;
++I, ++Idx45.8k
) {
143
46.8k
    // If the parameter is 0, it's harmless.
144
46.8k
    if (getArgSVal(Idx).isZeroConstant())
145
2.83k
      continue;
146
44.0k
147
44.0k
    if (Condition(*I))
148
1.02k
      return true;
149
44.0k
  }
150
54.6k
  
return false53.6k
;
151
54.6k
}
152
153
31.2k
bool CallEvent::hasNonZeroCallbackArg() const {
154
31.2k
  return hasNonNullArgumentsWithType(isCallback);
155
31.2k
}
156
157
23.4k
bool CallEvent::hasVoidPointerToNonConstArg() const {
158
23.4k
  return hasNonNullArgumentsWithType(isVoidPointerToNonConst);
159
23.4k
}
160
161
89.5k
bool CallEvent::isGlobalCFunction(StringRef FunctionName) const {
162
89.5k
  const auto *FD = dyn_cast_or_null<FunctionDecl>(getDecl());
163
89.5k
  if (!FD)
164
5.82k
    return false;
165
83.6k
166
83.6k
  return CheckerContext::isCLibraryFunction(FD, FunctionName);
167
83.6k
}
168
169
11.3k
AnalysisDeclContext *CallEvent::getCalleeAnalysisDeclContext() const {
170
11.3k
  const Decl *D = getDecl();
171
11.3k
  if (!D)
172
0
    return nullptr;
173
11.3k
174
11.3k
  // TODO: For now we skip functions without definitions, even if we have
175
11.3k
  // our own getDecl(), because it's hard to find out which re-declaration
176
11.3k
  // is going to be used, and usually clients don't really care about this
177
11.3k
  // situation because there's a loss of precision anyway because we cannot
178
11.3k
  // inline the call.
179
11.3k
  RuntimeDefinition RD = getRuntimeDefinition();
180
11.3k
  if (!RD.getDecl())
181
9.52k
    return nullptr;
182
1.78k
183
1.78k
  AnalysisDeclContext *ADC =
184
1.78k
      LCtx->getAnalysisDeclContext()->getManager()->getContext(D);
185
1.78k
186
1.78k
  // TODO: For now we skip virtual functions, because this also rises
187
1.78k
  // the problem of which decl to use, but now it's across different classes.
188
1.78k
  if (RD.mayHaveOtherDefinitions() || RD.getDecl() != ADC->getDecl())
189
9
    return nullptr;
190
1.77k
191
1.77k
  return ADC;
192
1.77k
}
193
194
11.3k
const StackFrameContext *CallEvent::getCalleeStackFrame() const {
195
11.3k
  AnalysisDeclContext *ADC = getCalleeAnalysisDeclContext();
196
11.3k
  if (!ADC)
197
9.53k
    return nullptr;
198
1.77k
199
1.77k
  const Expr *E = getOriginExpr();
200
1.77k
  if (!E)
201
0
    return nullptr;
202
1.77k
203
1.77k
  // Recover CFG block via reverse lookup.
204
1.77k
  // TODO: If we were to keep CFG element information as part of the CallEvent
205
1.77k
  // instead of doing this reverse lookup, we would be able to build the stack
206
1.77k
  // frame for non-expression-based calls, and also we wouldn't need the reverse
207
1.77k
  // lookup.
208
1.77k
  CFGStmtMap *Map = LCtx->getAnalysisDeclContext()->getCFGStmtMap();
209
1.77k
  const CFGBlock *B = Map->getBlock(E);
210
1.77k
  assert(B);
211
1.77k
212
1.77k
  // Also recover CFG index by scanning the CFG block.
213
1.77k
  unsigned Idx = 0, Sz = B->size();
214
21.2k
  for (; Idx < Sz; 
++Idx19.4k
)
215
21.2k
    if (auto StmtElem = (*B)[Idx].getAs<CFGStmt>())
216
21.1k
      if (StmtElem->getStmt() == E)
217
1.77k
        break;
218
1.77k
  assert(Idx < Sz);
219
1.77k
220
1.77k
  return ADC->getManager()->getStackFrame(ADC, LCtx, E, B, Idx);
221
1.77k
}
222
223
896
const VarRegion *CallEvent::getParameterLocation(unsigned Index) const {
224
896
  const StackFrameContext *SFC = getCalleeStackFrame();
225
896
  // We cannot construct a VarRegion without a stack frame.
226
896
  if (!SFC)
227
0
    return nullptr;
228
896
229
896
  // Retrieve parameters of the definition, which are different from
230
896
  // CallEvent's parameters() because getDecl() isn't necessarily
231
896
  // the definition. SFC contains the definition that would be used
232
896
  // during analysis.
233
896
  const Decl *D = SFC->getDecl();
234
896
235
896
  // TODO: Refactor into a virtual method of CallEvent, like parameters().
236
896
  const ParmVarDecl *PVD = nullptr;
237
896
  if (const auto *FD = dyn_cast<FunctionDecl>(D))
238
896
    PVD = FD->parameters()[Index];
239
0
  else if (const auto *BD = dyn_cast<BlockDecl>(D))
240
0
    PVD = BD->parameters()[Index];
241
0
  else if (const auto *MD = dyn_cast<ObjCMethodDecl>(D))
242
0
    PVD = MD->parameters()[Index];
243
0
  else if (const auto *CD = dyn_cast<CXXConstructorDecl>(D))
244
0
    PVD = CD->parameters()[Index];
245
896
  assert(PVD && "Unexpected Decl kind!");
246
896
247
896
  const VarRegion *VR =
248
896
      State->getStateManager().getRegionManager().getVarRegion(PVD, SFC);
249
896
250
896
  // This sanity check would fail if our parameter declaration doesn't
251
896
  // correspond to the stack frame's function declaration.
252
896
  assert(VR->getStackFrame() == SFC);
253
896
254
896
  return VR;
255
896
}
256
257
/// Returns true if a type is a pointer-to-const or reference-to-const
258
/// with no further indirection.
259
20.8k
static bool isPointerToConst(QualType Ty) {
260
20.8k
  QualType PointeeTy = Ty->getPointeeType();
261
20.8k
  if (PointeeTy == QualType())
262
13.1k
    return false;
263
7.67k
  if (!PointeeTy.isConstQualified())
264
4.55k
    return false;
265
3.11k
  if (PointeeTy->isAnyPointerType())
266
20
    return false;
267
3.09k
  return true;
268
3.09k
}
269
270
// Try to retrieve the function declaration and find the function parameter
271
// types which are pointers/references to a non-pointer const.
272
// We will not invalidate the corresponding argument regions.
273
static void findPtrToConstParams(llvm::SmallSet<unsigned, 4> &PreserveArgs,
274
25.9k
                                 const CallEvent &Call) {
275
25.9k
  unsigned Idx = 0;
276
25.9k
  for (CallEvent::param_type_iterator I = Call.param_type_begin(),
277
25.9k
                                      E = Call.param_type_end();
278
46.8k
       I != E; 
++I, ++Idx20.8k
) {
279
20.8k
    if (isPointerToConst(*I))
280
3.09k
      PreserveArgs.insert(Idx);
281
20.8k
  }
282
25.9k
}
283
284
ProgramStateRef CallEvent::invalidateRegions(unsigned BlockCount,
285
27.0k
                                             ProgramStateRef Orig) const {
286
27.0k
  ProgramStateRef Result = (Orig ? 
Orig27.0k
:
getState()7
);
287
27.0k
288
27.0k
  // Don't invalidate anything if the callee is marked pure/const.
289
27.0k
  if (const Decl *callee = getDecl())
290
26.9k
    if (callee->hasAttr<PureAttr>() || 
callee->hasAttr<ConstAttr>()26.9k
)
291
28
      return Result;
292
26.9k
293
26.9k
  SmallVector<SVal, 8> ValuesToInvalidate;
294
26.9k
  RegionAndSymbolInvalidationTraits ETraits;
295
26.9k
296
26.9k
  getExtraInvalidatedValues(ValuesToInvalidate, &ETraits);
297
26.9k
298
26.9k
  // Indexes of arguments whose values will be preserved by the call.
299
26.9k
  llvm::SmallSet<unsigned, 4> PreserveArgs;
300
26.9k
  if (!argumentsMayEscape())
301
25.9k
    findPtrToConstParams(PreserveArgs, *this);
302
26.9k
303
50.3k
  for (unsigned Idx = 0, Count = getNumArgs(); Idx != Count; 
++Idx23.4k
) {
304
23.4k
    // Mark this region for invalidation.  We batch invalidate regions
305
23.4k
    // below for efficiency.
306
23.4k
    if (PreserveArgs.count(Idx))
307
3.09k
      if (const MemRegion *MR = getArgSVal(Idx).getAsRegion())
308
2.44k
        ETraits.setTrait(MR->getBaseRegion(),
309
2.44k
                        RegionAndSymbolInvalidationTraits::TK_PreserveContents);
310
23.4k
        // TODO: Factor this out + handle the lower level const pointers.
311
23.4k
312
23.4k
    ValuesToInvalidate.push_back(getArgSVal(Idx));
313
23.4k
314
23.4k
    // If a function accepts an object by argument (which would of course be a
315
23.4k
    // temporary that isn't lifetime-extended), invalidate the object itself,
316
23.4k
    // not only other objects reachable from it. This is necessary because the
317
23.4k
    // destructor has access to the temporary object after the call.
318
23.4k
    // TODO: Support placement arguments once we start
319
23.4k
    // constructing them directly.
320
23.4k
    // TODO: This is unnecessary when there's no destructor, but that's
321
23.4k
    // currently hard to figure out.
322
23.4k
    if (getKind() != CE_CXXAllocator)
323
22.6k
      if (isArgumentConstructedDirectly(Idx))
324
17
        if (auto AdjIdx = getAdjustedParameterIndex(Idx))
325
17
          if (const VarRegion *VR = getParameterLocation(*AdjIdx))
326
17
            ValuesToInvalidate.push_back(loc::MemRegionVal(VR));
327
23.4k
  }
328
26.9k
329
26.9k
  // Invalidate designated regions using the batch invalidation API.
330
26.9k
  // NOTE: Even if RegionsToInvalidate is empty, we may still invalidate
331
26.9k
  //  global variables.
332
26.9k
  return Result->invalidateRegions(ValuesToInvalidate, getOriginExpr(),
333
26.9k
                                   BlockCount, getLocationContext(),
334
26.9k
                                   /*CausedByPointerEscape*/ true,
335
26.9k
                                   /*Symbols=*/nullptr, this, &ETraits);
336
26.9k
}
337
338
ProgramPoint CallEvent::getProgramPoint(bool IsPreVisit,
339
639k
                                        const ProgramPointTag *Tag) const {
340
639k
  if (const Expr *E = getOriginExpr()) {
341
629k
    if (IsPreVisit)
342
373k
      return PreStmt(E, getLocationContext(), Tag);
343
255k
    return PostStmt(E, getLocationContext(), Tag);
344
255k
  }
345
10.3k
346
10.3k
  const Decl *D = getDecl();
347
10.3k
  assert(D && "Cannot get a program point without a statement or decl");
348
10.3k
349
10.3k
  SourceLocation Loc = getSourceRange().getBegin();
350
10.3k
  if (IsPreVisit)
351
6.35k
    return PreImplicitCall(D, Loc, getLocationContext(), Tag);
352
4.00k
  return PostImplicitCall(D, Loc, getLocationContext(), Tag);
353
4.00k
}
354
355
334k
bool CallEvent::isCalled(const CallDescription &CD) const {
356
334k
  // FIXME: Add ObjC Message support.
357
334k
  if (getKind() == CE_ObjCMessage)
358
48
    return false;
359
334k
360
334k
  const IdentifierInfo *II = getCalleeIdentifier();
361
334k
  if (!II)
362
7.09k
    return false;
363
327k
  const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(getDecl());
364
327k
  if (!FD)
365
0
    return false;
366
327k
367
327k
  if (CD.Flags & CDF_MaybeBuiltin) {
368
278k
    return CheckerContext::isCLibraryFunction(FD, CD.getFunctionName()) &&
369
278k
           
(2.02k
!CD.RequiredArgs2.02k
||
CD.RequiredArgs <= getNumArgs()2.02k
);
370
278k
  }
371
48.9k
372
48.9k
  if (!CD.IsLookupDone) {
373
921
    CD.IsLookupDone = true;
374
921
    CD.II = &getState()->getStateManager().getContext().Idents.get(
375
921
        CD.getFunctionName());
376
921
  }
377
48.9k
378
48.9k
  if (II != CD.II)
379
48.1k
    return false;
380
736
381
736
  // If CallDescription provides prefix names, use them to improve matching
382
736
  // accuracy.
383
736
  if (CD.QualifiedName.size() > 1 && 
FD121
) {
384
121
    const DeclContext *Ctx = FD->getDeclContext();
385
121
    // See if we'll be able to match them all.
386
121
    size_t NumUnmatched = CD.QualifiedName.size() - 1;
387
322
    for (; Ctx && isa<NamedDecl>(Ctx); 
Ctx = Ctx->getParent()201
) {
388
207
      if (NumUnmatched == 0)
389
6
        break;
390
201
391
201
      if (const auto *ND = dyn_cast<NamespaceDecl>(Ctx)) {
392
111
        if (ND->getName() == CD.QualifiedName[NumUnmatched - 1])
393
86
          --NumUnmatched;
394
111
        continue;
395
111
      }
396
90
397
90
      if (const auto *RD = dyn_cast<RecordDecl>(Ctx)) {
398
90
        if (RD->getName() == CD.QualifiedName[NumUnmatched - 1])
399
65
          --NumUnmatched;
400
90
        continue;
401
90
      }
402
90
    }
403
121
404
121
    if (NumUnmatched > 0)
405
26
      return false;
406
710
  }
407
710
408
710
  return (!CD.RequiredArgs || 
CD.RequiredArgs == getNumArgs()545
);
409
710
}
410
411
241k
SVal CallEvent::getArgSVal(unsigned Index) const {
412
241k
  const Expr *ArgE = getArgExpr(Index);
413
241k
  if (!ArgE)
414
4.20k
    return UnknownVal();
415
237k
  return getSVal(ArgE);
416
237k
}
417
418
64.5k
SourceRange CallEvent::getArgSourceRange(unsigned Index) const {
419
64.5k
  const Expr *ArgE = getArgExpr(Index);
420
64.5k
  if (!ArgE)
421
1.00k
    return {};
422
63.5k
  return ArgE->getSourceRange();
423
63.5k
}
424
425
16.9k
SVal CallEvent::getReturnValue() const {
426
16.9k
  const Expr *E = getOriginExpr();
427
16.9k
  if (!E)
428
9
    return UndefinedVal();
429
16.9k
  return getSVal(E);
430
16.9k
}
431
432
0
LLVM_DUMP_METHOD void CallEvent::dump() const { dump(llvm::errs()); }
433
434
0
void CallEvent::dump(raw_ostream &Out) const {
435
0
  ASTContext &Ctx = getState()->getStateManager().getContext();
436
0
  if (const Expr *E = getOriginExpr()) {
437
0
    E->printPretty(Out, nullptr, Ctx.getPrintingPolicy());
438
0
    Out << "\n";
439
0
    return;
440
0
  }
441
0
442
0
  if (const Decl *D = getDecl()) {
443
0
    Out << "Call to ";
444
0
    D->print(Out, Ctx.getPrintingPolicy());
445
0
    return;
446
0
  }
447
0
448
0
  // FIXME: a string representation of the kind would be nice.
449
0
  Out << "Unknown call (type " << getKind() << ")";
450
0
}
451
452
1.10M
bool CallEvent::isCallStmt(const Stmt *S) {
453
1.10M
  return isa<CallExpr>(S) || 
isa<ObjCMessageExpr>(S)1.02M
454
1.10M
                          || 
isa<CXXConstructExpr>(S)1.02M
455
1.10M
                          || 
isa<CXXNewExpr>(S)992k
;
456
1.10M
}
457
458
18.4k
QualType CallEvent::getDeclaredResultType(const Decl *D) {
459
18.4k
  assert(D);
460
18.4k
  if (const auto *FD = dyn_cast<FunctionDecl>(D))
461
17.4k
    return FD->getReturnType();
462
952
  if (const auto *MD = dyn_cast<ObjCMethodDecl>(D))
463
917
    return MD->getReturnType();
464
35
  if (const auto *BD = dyn_cast<BlockDecl>(D)) {
465
35
    // Blocks are difficult because the return type may not be stored in the
466
35
    // BlockDecl itself. The AST should probably be enhanced, but for now we
467
35
    // just do what we can.
468
35
    // If the block is declared without an explicit argument list, the
469
35
    // signature-as-written just includes the return type, not the entire
470
35
    // function type.
471
35
    // FIXME: All blocks should have signatures-as-written, even if the return
472
35
    // type is inferred. (That's signified with a dependent result type.)
473
35
    if (const TypeSourceInfo *TSI = BD->getSignatureAsWritten()) {
474
31
      QualType Ty = TSI->getType();
475
31
      if (const FunctionType *FT = Ty->getAs<FunctionType>())
476
27
        Ty = FT->getReturnType();
477
31
      if (!Ty->isDependentType())
478
15
        return Ty;
479
20
    }
480
20
481
20
    return {};
482
20
  }
483
0
484
0
  llvm_unreachable("unknown callable kind");
485
0
}
486
487
5.31k
bool CallEvent::isVariadic(const Decl *D) {
488
5.31k
  assert(D);
489
5.31k
490
5.31k
  if (const auto *FD = dyn_cast<FunctionDecl>(D))
491
4.88k
    return FD->isVariadic();
492
424
  if (const auto *MD = dyn_cast<ObjCMethodDecl>(D))
493
299
    return MD->isVariadic();
494
125
  if (const auto *BD = dyn_cast<BlockDecl>(D))
495
125
    return BD->isVariadic();
496
0
497
0
  llvm_unreachable("unknown callable kind");
498
0
}
499
500
static void addParameterValuesToBindings(const StackFrameContext *CalleeCtx,
501
                                         CallEvent::BindingsTy &Bindings,
502
                                         SValBuilder &SVB,
503
                                         const CallEvent &Call,
504
30.4k
                                         ArrayRef<ParmVarDecl*> parameters) {
505
30.4k
  MemRegionManager &MRMgr = SVB.getRegionManager();
506
30.4k
507
30.4k
  // If the function has fewer parameters than the call has arguments, we simply
508
30.4k
  // do not bind any values to them.
509
30.4k
  unsigned NumArgs = Call.getNumArgs();
510
30.4k
  unsigned Idx = 0;
511
30.4k
  ArrayRef<ParmVarDecl*>::iterator I = parameters.begin(), E = parameters.end();
512
53.6k
  for (; I != E && 
Idx < NumArgs23.1k
;
++I, ++Idx23.1k
) {
513
23.1k
    const ParmVarDecl *ParamDecl = *I;
514
23.1k
    assert(ParamDecl && "Formal parameter has no decl?");
515
23.1k
516
23.1k
    // TODO: Support allocator calls.
517
23.1k
    if (Call.getKind() != CE_CXXAllocator)
518
22.4k
      if (Call.isArgumentConstructedDirectly(Idx))
519
848
        continue;
520
22.2k
521
22.2k
    // TODO: Allocators should receive the correct size and possibly alignment,
522
22.2k
    // determined in compile-time but not represented as arg-expressions,
523
22.2k
    // which makes getArgSVal() fail and return UnknownVal.
524
22.2k
    SVal ArgVal = Call.getArgSVal(Idx);
525
22.2k
    if (!ArgVal.isUnknown()) {
526
20.4k
      Loc ParamLoc = SVB.makeLoc(MRMgr.getVarRegion(ParamDecl, CalleeCtx));
527
20.4k
      Bindings.push_back(std::make_pair(ParamLoc, ArgVal));
528
20.4k
    }
529
22.2k
  }
530
30.4k
531
30.4k
  // FIXME: Variadic arguments are not handled at all right now.
532
30.4k
}
533
534
289k
ArrayRef<ParmVarDecl*> AnyFunctionCall::parameters() const {
535
289k
  const FunctionDecl *D = getDecl();
536
289k
  if (!D)
537
0
    return None;
538
289k
  return D->parameters();
539
289k
}
540
541
65.0k
RuntimeDefinition AnyFunctionCall::getRuntimeDefinition() const {
542
65.0k
  const FunctionDecl *FD = getDecl();
543
65.0k
  if (!FD)
544
21
    return {};
545
65.0k
546
65.0k
  // Note that the AnalysisDeclContext will have the FunctionDecl with
547
65.0k
  // the definition (if one exists).
548
65.0k
  AnalysisDeclContext *AD =
549
65.0k
    getLocationContext()->getAnalysisDeclContext()->
550
65.0k
    getManager()->getContext(FD);
551
65.0k
  bool IsAutosynthesized;
552
65.0k
  Stmt* Body = AD->getBody(IsAutosynthesized);
553
65.0k
  LLVM_DEBUG({
554
65.0k
    if (IsAutosynthesized)
555
65.0k
      llvm::dbgs() << "Using autosynthesized body for " << FD->getName()
556
65.0k
                   << "\n";
557
65.0k
  });
558
65.0k
  if (Body) {
559
33.4k
    const Decl* Decl = AD->getDecl();
560
33.4k
    return RuntimeDefinition(Decl);
561
33.4k
  }
562
31.5k
563
31.5k
  SubEngine &Engine = getState()->getStateManager().getOwningEngine();
564
31.5k
  AnalyzerOptions &Opts = Engine.getAnalysisManager().options;
565
31.5k
566
31.5k
  // Try to get CTU definition only if CTUDir is provided.
567
31.5k
  if (!Opts.IsNaiveCTUEnabled)
568
31.4k
    return {};
569
42
570
42
  cross_tu::CrossTranslationUnitContext &CTUCtx =
571
42
      *Engine.getCrossTranslationUnitContext();
572
42
  llvm::Expected<const FunctionDecl *> CTUDeclOrError =
573
42
      CTUCtx.getCrossTUDefinition(FD, Opts.CTUDir, Opts.CTUIndexName,
574
42
                                  Opts.DisplayCTUProgress);
575
42
576
42
  if (!CTUDeclOrError) {
577
8
    handleAllErrors(CTUDeclOrError.takeError(),
578
8
                    [&](const cross_tu::IndexError &IE) {
579
8
                      CTUCtx.emitCrossTUDiagnostics(IE);
580
8
                    });
581
8
    return {};
582
8
  }
583
34
584
34
  return RuntimeDefinition(*CTUDeclOrError);
585
34
}
586
587
void AnyFunctionCall::getInitialStackFrameContents(
588
                                        const StackFrameContext *CalleeCtx,
589
29.8k
                                        BindingsTy &Bindings) const {
590
29.8k
  const auto *D = cast<FunctionDecl>(CalleeCtx->getDecl());
591
29.8k
  SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
592
29.8k
  addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this,
593
29.8k
                               D->parameters());
594
29.8k
}
595
596
23.6k
bool AnyFunctionCall::argumentsMayEscape() const {
597
23.6k
  if (CallEvent::argumentsMayEscape() || 
hasVoidPointerToNonConstArg()23.4k
)
598
924
    return true;
599
22.6k
600
22.6k
  const FunctionDecl *D = getDecl();
601
22.6k
  if (!D)
602
22
    return true;
603
22.6k
604
22.6k
  const IdentifierInfo *II = D->getIdentifier();
605
22.6k
  if (!II)
606
2.70k
    return false;
607
19.9k
608
19.9k
  // This set of "escaping" APIs is
609
19.9k
610
19.9k
  // - 'int pthread_setspecific(ptheread_key k, const void *)' stores a
611
19.9k
  //   value into thread local storage. The value can later be retrieved with
612
19.9k
  //   'void *ptheread_getspecific(pthread_key)'. So even thought the
613
19.9k
  //   parameter is 'const void *', the region escapes through the call.
614
19.9k
  if (II->isStr("pthread_setspecific"))
615
5
    return true;
616
19.9k
617
19.9k
  // - xpc_connection_set_context stores a value which can be retrieved later
618
19.9k
  //   with xpc_connection_get_context.
619
19.9k
  if (II->isStr("xpc_connection_set_context"))
620
0
    return true;
621
19.9k
622
19.9k
  // - funopen - sets a buffer for future IO calls.
623
19.9k
  if (II->isStr("funopen"))
624
1
    return true;
625
19.9k
626
19.9k
  // - __cxa_demangle - can reallocate memory and can return the pointer to
627
19.9k
  // the input buffer.
628
19.9k
  if (II->isStr("__cxa_demangle"))
629
8
    return true;
630
19.9k
631
19.9k
  StringRef FName = II->getName();
632
19.9k
633
19.9k
  // - CoreFoundation functions that end with "NoCopy" can free a passed-in
634
19.9k
  //   buffer even if it is const.
635
19.9k
  if (FName.endswith("NoCopy"))
636
10
    return true;
637
19.9k
638
19.9k
  // - NSXXInsertXX, for example NSMapInsertIfAbsent, since they can
639
19.9k
  //   be deallocated by NSMapRemove.
640
19.9k
  if (FName.startswith("NS") && 
(FName.find("Insert") != StringRef::npos)78
)
641
4
    return true;
642
19.9k
643
19.9k
  // - Many CF containers allow objects to escape through custom
644
19.9k
  //   allocators/deallocators upon container construction. (PR12101)
645
19.9k
  if (FName.startswith("CF") || 
FName.startswith("CG")19.2k
) {
646
675
    return StrInStrNoCase(FName, "InsertValue")  != StringRef::npos ||
647
675
           StrInStrNoCase(FName, "AddValue")     != StringRef::npos ||
648
675
           StrInStrNoCase(FName, "SetValue")     != StringRef::npos ||
649
675
           
StrInStrNoCase(FName, "WithData") != StringRef::npos673
||
650
675
           
StrInStrNoCase(FName, "AppendValue") != StringRef::npos667
||
651
675
           
StrInStrNoCase(FName, "SetAttribute") != StringRef::npos661
;
652
675
  }
653
19.2k
654
19.2k
  return false;
655
19.2k
}
656
657
1.33M
const FunctionDecl *SimpleFunctionCall::getDecl() const {
658
1.33M
  const FunctionDecl *D = getOriginExpr()->getDirectCallee();
659
1.33M
  if (D)
660
1.32M
    return D;
661
7.20k
662
7.20k
  return getSVal(getOriginExpr()->getCallee()).getAsFunctionDecl();
663
7.20k
}
664
665
262k
const FunctionDecl *CXXInstanceCall::getDecl() const {
666
262k
  const auto *CE = cast_or_null<CallExpr>(getOriginExpr());
667
262k
  if (!CE)
668
32.1k
    return AnyFunctionCall::getDecl();
669
230k
670
230k
  const FunctionDecl *D = CE->getDirectCallee();
671
230k
  if (D)
672
230k
    return D;
673
165
674
165
  return getSVal(CE->getCallee()).getAsFunctionDecl();
675
165
}
676
677
void CXXInstanceCall::getExtraInvalidatedValues(
678
3.41k
    ValueList &Values, RegionAndSymbolInvalidationTraits *ETraits) const {
679
3.41k
  SVal ThisVal = getCXXThisVal();
680
3.41k
  Values.push_back(ThisVal);
681
3.41k
682
3.41k
  // Don't invalidate if the method is const and there are no mutable fields.
683
3.41k
  if (const auto *D = cast_or_null<CXXMethodDecl>(getDecl())) {
684
3.41k
    if (!D->isConst())
685
1.65k
      return;
686
1.75k
    // Get the record decl for the class of 'This'. D->getParent() may return a
687
1.75k
    // base class decl, rather than the class of the instance which needs to be
688
1.75k
    // checked for mutable fields.
689
1.75k
    // TODO: We might as well look at the dynamic type of the object.
690
1.75k
    const Expr *Ex = getCXXThisExpr()->ignoreParenBaseCasts();
691
1.75k
    QualType T = Ex->getType();
692
1.75k
    if (T->isPointerType()) // Arrow or implicit-this syntax?
693
35
      T = T->getPointeeType();
694
1.75k
    const CXXRecordDecl *ParentRecord = T->getAsCXXRecordDecl();
695
1.75k
    assert(ParentRecord);
696
1.75k
    if (ParentRecord->hasMutableFields())
697
3
      return;
698
1.75k
    // Preserve CXXThis.
699
1.75k
    const MemRegion *ThisRegion = ThisVal.getAsRegion();
700
1.75k
    if (!ThisRegion)
701
1
      return;
702
1.75k
703
1.75k
    ETraits->setTrait(ThisRegion->getBaseRegion(),
704
1.75k
                      RegionAndSymbolInvalidationTraits::TK_PreserveContents);
705
1.75k
  }
706
3.41k
}
707
708
29.3k
SVal CXXInstanceCall::getCXXThisVal() const {
709
29.3k
  const Expr *Base = getCXXThisExpr();
710
29.3k
  // FIXME: This doesn't handle an overloaded ->* operator.
711
29.3k
  if (!Base)
712
0
    return UnknownVal();
713
29.3k
714
29.3k
  SVal ThisVal = getSVal(Base);
715
29.3k
  assert(ThisVal.isUnknownOrUndef() || ThisVal.getAs<Loc>());
716
29.3k
  return ThisVal;
717
29.3k
}
718
719
9.88k
RuntimeDefinition CXXInstanceCall::getRuntimeDefinition() const {
720
9.88k
  // Do we have a decl at all?
721
9.88k
  const Decl *D = getDecl();
722
9.88k
  if (!D)
723
1
    return {};
724
9.88k
725
9.88k
  // If the method is non-virtual, we know we can inline it.
726
9.88k
  const auto *MD = cast<CXXMethodDecl>(D);
727
9.88k
  if (!MD->isVirtual())
728
9.65k
    return AnyFunctionCall::getRuntimeDefinition();
729
226
730
226
  // Do we know the implicit 'this' object being called?
731
226
  const MemRegion *R = getCXXThisVal().getAsRegion();
732
226
  if (!R)
733
7
    return {};
734
219
735
219
  // Do we know anything about the type of 'this'?
736
219
  DynamicTypeInfo DynType = getDynamicTypeInfo(getState(), R);
737
219
  if (!DynType.isValid())
738
0
    return {};
739
219
740
219
  // Is the type a C++ class? (This is mostly a defensive check.)
741
219
  QualType RegionType = DynType.getType()->getPointeeType();
742
219
  assert(!RegionType.isNull() && "DynamicTypeInfo should always be a pointer.");
743
219
744
219
  const CXXRecordDecl *RD = RegionType->getAsCXXRecordDecl();
745
219
  if (!RD || !RD->hasDefinition())
746
0
    return {};
747
219
748
219
  // Find the decl for this method in that class.
749
219
  const CXXMethodDecl *Result = MD->getCorrespondingMethodInClass(RD, true);
750
219
  if (!Result) {
751
3
    // We might not even get the original statically-resolved method due to
752
3
    // some particularly nasty casting (e.g. casts to sister classes).
753
3
    // However, we should at least be able to search up and down our own class
754
3
    // hierarchy, and some real bugs have been caught by checking this.
755
3
    assert(!RD->isDerivedFrom(MD->getParent()) && "Couldn't find known method");
756
3
757
3
    // FIXME: This is checking that our DynamicTypeInfo is at least as good as
758
3
    // the static type. However, because we currently don't update
759
3
    // DynamicTypeInfo when an object is cast, we can't actually be sure the
760
3
    // DynamicTypeInfo is up to date. This assert should be re-enabled once
761
3
    // this is fixed. <rdar://problem/12287087>
762
3
    //assert(!MD->getParent()->isDerivedFrom(RD) && "Bad DynamicTypeInfo");
763
3
764
3
    return {};
765
3
  }
766
216
767
216
  // Does the decl that we found have an implementation?
768
216
  const FunctionDecl *Definition;
769
216
  if (!Result->hasBody(Definition)) {
770
105
    if (!DynType.canBeASubClass())
771
76
      return AnyFunctionCall::getRuntimeDefinition();
772
29
    return {};
773
29
  }
774
111
775
111
  // We found a definition. If we're not sure that this devirtualization is
776
111
  // actually what will happen at runtime, make sure to provide the region so
777
111
  // that ExprEngine can decide what to do with it.
778
111
  if (DynType.canBeASubClass())
779
10
    return RuntimeDefinition(Definition, R->StripCasts());
780
101
  return RuntimeDefinition(Definition, /*DispatchRegion=*/nullptr);
781
101
}
782
783
void CXXInstanceCall::getInitialStackFrameContents(
784
                                            const StackFrameContext *CalleeCtx,
785
5.53k
                                            BindingsTy &Bindings) const {
786
5.53k
  AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings);
787
5.53k
788
5.53k
  // Handle the binding of 'this' in the new stack frame.
789
5.53k
  SVal ThisVal = getCXXThisVal();
790
5.53k
  if (!ThisVal.isUnknown()) {
791
5.53k
    ProgramStateManager &StateMgr = getState()->getStateManager();
792
5.53k
    SValBuilder &SVB = StateMgr.getSValBuilder();
793
5.53k
794
5.53k
    const auto *MD = cast<CXXMethodDecl>(CalleeCtx->getDecl());
795
5.53k
    Loc ThisLoc = SVB.getCXXThis(MD, CalleeCtx);
796
5.53k
797
5.53k
    // If we devirtualized to a different member function, we need to make sure
798
5.53k
    // we have the proper layering of CXXBaseObjectRegions.
799
5.53k
    if (MD->getCanonicalDecl() != getDecl()->getCanonicalDecl()) {
800
31
      ASTContext &Ctx = SVB.getContext();
801
31
      const CXXRecordDecl *Class = MD->getParent();
802
31
      QualType Ty = Ctx.getPointerType(Ctx.getRecordType(Class));
803
31
804
31
      // FIXME: CallEvent maybe shouldn't be directly accessing StoreManager.
805
31
      bool Failed;
806
31
      ThisVal = StateMgr.getStoreManager().attemptDownCast(ThisVal, Ty, Failed);
807
31
      if (Failed) {
808
2
        // We might have suffered some sort of placement new earlier, so
809
2
        // we're constructing in a completely unexpected storage.
810
2
        // Fall back to a generic pointer cast for this-value.
811
2
        const CXXMethodDecl *StaticMD = cast<CXXMethodDecl>(getDecl());
812
2
        const CXXRecordDecl *StaticClass = StaticMD->getParent();
813
2
        QualType StaticTy = Ctx.getPointerType(Ctx.getRecordType(StaticClass));
814
2
        ThisVal = SVB.evalCast(ThisVal, Ty, StaticTy);
815
2
      }
816
31
    }
817
5.53k
818
5.53k
    if (!ThisVal.isUnknown())
819
5.52k
      Bindings.push_back(std::make_pair(ThisLoc, ThisVal));
820
5.53k
  }
821
5.53k
}
822
823
21.3k
const Expr *CXXMemberCall::getCXXThisExpr() const {
824
21.3k
  return getOriginExpr()->getImplicitObjectArgument();
825
21.3k
}
826
827
6.50k
RuntimeDefinition CXXMemberCall::getRuntimeDefinition() const {
828
6.50k
  // C++11 [expr.call]p1: ...If the selected function is non-virtual, or if the
829
6.50k
  // id-expression in the class member access expression is a qualified-id,
830
6.50k
  // that function is called. Otherwise, its final overrider in the dynamic type
831
6.50k
  // of the object expression is called.
832
6.50k
  if (const auto *ME = dyn_cast<MemberExpr>(getOriginExpr()->getCallee()))
833
6.49k
    if (ME->hasQualifier())
834
133
      return AnyFunctionCall::getRuntimeDefinition();
835
6.37k
836
6.37k
  return CXXInstanceCall::getRuntimeDefinition();
837
6.37k
}
838
839
10.7k
const Expr *CXXMemberOperatorCall::getCXXThisExpr() const {
840
10.7k
  return getOriginExpr()->getArg(0);
841
10.7k
}
842
843
2.65k
const BlockDataRegion *BlockCall::getBlockRegion() const {
844
2.65k
  const Expr *Callee = getOriginExpr()->getCallee();
845
2.65k
  const MemRegion *DataReg = getSVal(Callee).getAsRegion();
846
2.65k
847
2.65k
  return dyn_cast_or_null<BlockDataRegion>(DataReg);
848
2.65k
}
849
850
463
ArrayRef<ParmVarDecl*> BlockCall::parameters() const {
851
463
  const BlockDecl *D = getDecl();
852
463
  if (!D)
853
1
    return None;
854
462
  return D->parameters();
855
462
}
856
857
void BlockCall::getExtraInvalidatedValues(ValueList &Values,
858
18
                  RegionAndSymbolInvalidationTraits *ETraits) const {
859
18
  // FIXME: This also needs to invalidate captured globals.
860
18
  if (const MemRegion *R = getBlockRegion())
861
8
    Values.push_back(loc::MemRegionVal(R));
862
18
}
863
864
void BlockCall::getInitialStackFrameContents(const StackFrameContext *CalleeCtx,
865
174
                                             BindingsTy &Bindings) const {
866
174
  SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
867
174
  ArrayRef<ParmVarDecl*> Params;
868
174
  if (isConversionFromLambda()) {
869
7
    auto *LambdaOperatorDecl = cast<CXXMethodDecl>(CalleeCtx->getDecl());
870
7
    Params = LambdaOperatorDecl->parameters();
871
7
872
7
    // For blocks converted from a C++ lambda, the callee declaration is the
873
7
    // operator() method on the lambda so we bind "this" to
874
7
    // the lambda captured by the block.
875
7
    const VarRegion *CapturedLambdaRegion = getRegionStoringCapturedLambda();
876
7
    SVal ThisVal = loc::MemRegionVal(CapturedLambdaRegion);
877
7
    Loc ThisLoc = SVB.getCXXThis(LambdaOperatorDecl, CalleeCtx);
878
7
    Bindings.push_back(std::make_pair(ThisLoc, ThisVal));
879
167
  } else {
880
167
    Params = cast<BlockDecl>(CalleeCtx->getDecl())->parameters();
881
167
  }
882
174
883
174
  addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this,
884
174
                               Params);
885
174
}
886
887
44.7k
SVal CXXConstructorCall::getCXXThisVal() const {
888
44.7k
  if (Data)
889
44.7k
    return loc::MemRegionVal(static_cast<const MemRegion *>(Data));
890
0
  return UnknownVal();
891
0
}
892
893
void CXXConstructorCall::getExtraInvalidatedValues(ValueList &Values,
894
868
                           RegionAndSymbolInvalidationTraits *ETraits) const {
895
868
  if (Data) {
896
868
    loc::MemRegionVal MV(static_cast<const MemRegion *>(Data));
897
868
    if (SymbolRef Sym = MV.getAsSymbol(true))
898
99
      ETraits->setTrait(Sym,
899
99
                        RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
900
868
    Values.push_back(MV);
901
868
  }
902
868
}
903
904
void CXXConstructorCall::getInitialStackFrameContents(
905
                                             const StackFrameContext *CalleeCtx,
906
7.30k
                                             BindingsTy &Bindings) const {
907
7.30k
  AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings);
908
7.30k
909
7.30k
  SVal ThisVal = getCXXThisVal();
910
7.30k
  if (!ThisVal.isUnknown()) {
911
7.30k
    SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
912
7.30k
    const auto *MD = cast<CXXMethodDecl>(CalleeCtx->getDecl());
913
7.30k
    Loc ThisLoc = SVB.getCXXThis(MD, CalleeCtx);
914
7.30k
    Bindings.push_back(std::make_pair(ThisLoc, ThisVal));
915
7.30k
  }
916
7.30k
}
917
918
4.23k
SVal CXXDestructorCall::getCXXThisVal() const {
919
4.23k
  if (Data)
920
3.67k
    return loc::MemRegionVal(DtorDataTy::getFromOpaqueValue(Data).getPointer());
921
557
  return UnknownVal();
922
557
}
923
924
1.29k
RuntimeDefinition CXXDestructorCall::getRuntimeDefinition() const {
925
1.29k
  // Base destructors are always called non-virtually.
926
1.29k
  // Skip CXXInstanceCall's devirtualization logic in this case.
927
1.29k
  if (isBaseDestructor())
928
104
    return AnyFunctionCall::getRuntimeDefinition();
929
1.19k
930
1.19k
  return CXXInstanceCall::getRuntimeDefinition();
931
1.19k
}
932
933
21.6k
ArrayRef<ParmVarDecl*> ObjCMethodCall::parameters() const {
934
21.6k
  const ObjCMethodDecl *D = getDecl();
935
21.6k
  if (!D)
936
42
    return None;
937
21.6k
  return D->parameters();
938
21.6k
}
939
940
void ObjCMethodCall::getExtraInvalidatedValues(
941
3.41k
    ValueList &Values, RegionAndSymbolInvalidationTraits *ETraits) const {
942
3.41k
943
3.41k
  // If the method call is a setter for property known to be backed by
944
3.41k
  // an instance variable, don't invalidate the entire receiver, just
945
3.41k
  // the storage for that instance variable.
946
3.41k
  if (const ObjCPropertyDecl *PropDecl = getAccessedProperty()) {
947
147
    if (const ObjCIvarDecl *PropIvar = PropDecl->getPropertyIvarDecl()) {
948
62
      SVal IvarLVal = getState()->getLValue(PropIvar, getReceiverSVal());
949
62
      if (const MemRegion *IvarRegion = IvarLVal.getAsRegion()) {
950
61
        ETraits->setTrait(
951
61
          IvarRegion,
952
61
          RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
953
61
        ETraits->setTrait(
954
61
          IvarRegion,
955
61
          RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
956
61
        Values.push_back(IvarLVal);
957
61
      }
958
62
      return;
959
62
    }
960
3.34k
  }
961
3.34k
962
3.34k
  Values.push_back(getReceiverSVal());
963
3.34k
}
964
965
2.30k
SVal ObjCMethodCall::getSelfSVal() const {
966
2.30k
  const LocationContext *LCtx = getLocationContext();
967
2.30k
  const ImplicitParamDecl *SelfDecl = LCtx->getSelfDecl();
968
2.30k
  if (!SelfDecl)
969
315
    return SVal();
970
1.99k
  return getState()->getSVal(getState()->getRegion(SelfDecl, LCtx));
971
1.99k
}
972
973
27.1k
SVal ObjCMethodCall::getReceiverSVal() const {
974
27.1k
  // FIXME: Is this the best way to handle class receivers?
975
27.1k
  if (!isInstanceMessage())
976
4.09k
    return UnknownVal();
977
23.0k
978
23.0k
  if (const Expr *RecE = getOriginExpr()->getInstanceReceiver())
979
21.2k
    return getSVal(RecE);
980
1.75k
981
1.75k
  // An instance message with no expression means we are sending to super.
982
1.75k
  // In this case the object reference is the same as 'self'.
983
1.75k
  assert(getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance);
984
1.75k
  SVal SelfVal = getSelfSVal();
985
1.75k
  assert(SelfVal.isValid() && "Calling super but not in ObjC method");
986
1.75k
  return SelfVal;
987
1.75k
}
988
989
701
bool ObjCMethodCall::isReceiverSelfOrSuper() const {
990
701
  if (getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance ||
991
701
      
getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperClass510
)
992
191
      return true;
993
510
994
510
  if (!isInstanceMessage())
995
13
    return false;
996
497
997
497
  SVal RecVal = getSVal(getOriginExpr()->getInstanceReceiver());
998
497
999
497
  return (RecVal == getSelfSVal());
1000
497
}
1001
1002
13
SourceRange ObjCMethodCall::getSourceRange() const {
1003
13
  switch (getMessageKind()) {
1004
13
  case OCM_Message:
1005
13
    return getOriginExpr()->getSourceRange();
1006
13
  case OCM_PropertyAccess:
1007
0
  case OCM_Subscript:
1008
0
    return getContainingPseudoObjectExpr()->getSourceRange();
1009
0
  }
1010
0
  llvm_unreachable("unknown message kind");
1011
0
}
1012
1013
using ObjCMessageDataTy = llvm::PointerIntPair<const PseudoObjectExpr *, 2>;
1014
1015
117
const PseudoObjectExpr *ObjCMethodCall::getContainingPseudoObjectExpr() const {
1016
117
  assert(Data && "Lazy lookup not yet performed.");
1017
117
  assert(getMessageKind() != OCM_Message && "Explicit message send.");
1018
117
  return ObjCMessageDataTy::getFromOpaqueValue(Data).getPointer();
1019
117
}
1020
1021
static const Expr *
1022
270
getSyntacticFromForPseudoObjectExpr(const PseudoObjectExpr *POE) {
1023
270
  const Expr *Syntactic = POE->getSyntacticForm();
1024
270
1025
270
  // This handles the funny case of assigning to the result of a getter.
1026
270
  // This can happen if the getter returns a non-const reference.
1027
270
  if (const auto *BO = dyn_cast<BinaryOperator>(Syntactic))
1028
134
    Syntactic = BO->getLHS();
1029
270
1030
270
  return Syntactic;
1031
270
}
1032
1033
3.93k
ObjCMessageKind ObjCMethodCall::getMessageKind() const {
1034
3.93k
  if (!Data) {
1035
3.72k
    // Find the parent, ignoring implicit casts.
1036
3.72k
    ParentMap &PM = getLocationContext()->getParentMap();
1037
3.72k
    const Stmt *S = PM.getParentIgnoreParenCasts(getOriginExpr());
1038
3.72k
1039
3.72k
    // Check if parent is a PseudoObjectExpr.
1040
3.72k
    if (const auto *POE = dyn_cast_or_null<PseudoObjectExpr>(S)) {
1041
153
      const Expr *Syntactic = getSyntacticFromForPseudoObjectExpr(POE);
1042
153
1043
153
      ObjCMessageKind K;
1044
153
      switch (Syntactic->getStmtClass()) {
1045
153
      case Stmt::ObjCPropertyRefExprClass:
1046
116
        K = OCM_PropertyAccess;
1047
116
        break;
1048
153
      case Stmt::ObjCSubscriptRefExprClass:
1049
36
        K = OCM_Subscript;
1050
36
        break;
1051
153
      default:
1052
1
        // FIXME: Can this ever happen?
1053
1
        K = OCM_Message;
1054
1
        break;
1055
153
      }
1056
153
1057
153
      if (K != OCM_Message) {
1058
152
        const_cast<ObjCMethodCall *>(this)->Data
1059
152
          = ObjCMessageDataTy(POE, K).getOpaqueValue();
1060
152
        assert(getMessageKind() == K);
1061
152
        return K;
1062
152
      }
1063
3.57k
    }
1064
3.57k
1065
3.57k
    const_cast<ObjCMethodCall *>(this)->Data
1066
3.57k
      = ObjCMessageDataTy(nullptr, 1).getOpaqueValue();
1067
3.57k
    assert(getMessageKind() == OCM_Message);
1068
3.57k
    return OCM_Message;
1069
3.57k
  }
1070
206
1071
206
  ObjCMessageDataTy Info = ObjCMessageDataTy::getFromOpaqueValue(Data);
1072
206
  if (!Info.getPointer())
1073
184
    return OCM_Message;
1074
22
  return static_cast<ObjCMessageKind>(Info.getInt());
1075
22
}
1076
1077
3.42k
const ObjCPropertyDecl *ObjCMethodCall::getAccessedProperty() const {
1078
3.42k
  // Look for properties accessed with property syntax (foo.bar = ...)
1079
3.42k
  if ( getMessageKind() == OCM_PropertyAccess) {
1080
117
    const PseudoObjectExpr *POE = getContainingPseudoObjectExpr();
1081
117
    assert(POE && "Property access without PseudoObjectExpr?");
1082
117
1083
117
    const Expr *Syntactic = getSyntacticFromForPseudoObjectExpr(POE);
1084
117
    auto *RefExpr = cast<ObjCPropertyRefExpr>(Syntactic);
1085
117
1086
117
    if (RefExpr->isExplicitProperty())
1087
99
      return RefExpr->getExplicitProperty();
1088
3.33k
  }
1089
3.33k
1090
3.33k
  // Look for properties accessed with method syntax ([foo setBar:...]).
1091
3.33k
  const ObjCMethodDecl *MD = getDecl();
1092
3.33k
  if (!MD || 
!MD->isPropertyAccessor()3.30k
)
1093
3.26k
    return nullptr;
1094
65
1095
65
  // Note: This is potentially quite slow.
1096
65
  return MD->findPropertyDecl();
1097
65
}
1098
1099
bool ObjCMethodCall::canBeOverridenInSubclass(ObjCInterfaceDecl *IDecl,
1100
1.26k
                                             Selector Sel) const {
1101
1.26k
  assert(IDecl);
1102
1.26k
  AnalysisManager &AMgr =
1103
1.26k
      getState()->getStateManager().getOwningEngine().getAnalysisManager();
1104
1.26k
  // If the class interface is declared inside the main file, assume it is not
1105
1.26k
  // subcassed.
1106
1.26k
  // TODO: It could actually be subclassed if the subclass is private as well.
1107
1.26k
  // This is probably very rare.
1108
1.26k
  SourceLocation InterfLoc = IDecl->getEndOfDefinitionLoc();
1109
1.26k
  if (InterfLoc.isValid() && AMgr.isInCodeFile(InterfLoc))
1110
1.13k
    return false;
1111
138
1112
138
  // Assume that property accessors are not overridden.
1113
138
  if (getMessageKind() == OCM_PropertyAccess)
1114
7
    return false;
1115
131
1116
131
  // We assume that if the method is public (declared outside of main file) or
1117
131
  // has a parent which publicly declares the method, the method could be
1118
131
  // overridden in a subclass.
1119
131
1120
131
  // Find the first declaration in the class hierarchy that declares
1121
131
  // the selector.
1122
131
  ObjCMethodDecl *D = nullptr;
1123
134
  while (true) {
1124
134
    D = IDecl->lookupMethod(Sel, true);
1125
134
1126
134
    // Cannot find a public definition.
1127
134
    if (!D)
1128
2
      return false;
1129
132
1130
132
    // If outside the main file,
1131
132
    if (D->getLocation().isValid() && !AMgr.isInCodeFile(D->getLocation()))
1132
126
      return true;
1133
6
1134
6
    if (D->isOverriding()) {
1135
3
      // Search in the superclass on the next iteration.
1136
3
      IDecl = D->getClassInterface();
1137
3
      if (!IDecl)
1138
0
        return false;
1139
3
1140
3
      IDecl = IDecl->getSuperClass();
1141
3
      if (!IDecl)
1142
0
        return false;
1143
3
1144
3
      continue;
1145
3
    }
1146
3
1147
3
    return false;
1148
3
  };
1149
0
1150
0
  llvm_unreachable("The while loop should always terminate.");
1151
131
}
1152
1153
20
static const ObjCMethodDecl *findDefiningRedecl(const ObjCMethodDecl *MD) {
1154
20
  if (!MD)
1155
0
    return MD;
1156
20
1157
20
  // Find the redeclaration that defines the method.
1158
20
  if (!MD->hasBody()) {
1159
20
    for (auto I : MD->redecls())
1160
29
      if (I->hasBody())
1161
9
        MD = cast<ObjCMethodDecl>(I);
1162
20
  }
1163
20
  return MD;
1164
20
}
1165
1166
732
static bool isCallToSelfClass(const ObjCMessageExpr *ME) {
1167
732
  const Expr* InstRec = ME->getInstanceReceiver();
1168
732
  if (!InstRec)
1169
663
    return false;
1170
69
  const auto *InstRecIg = dyn_cast<DeclRefExpr>(InstRec->IgnoreParenImpCasts());
1171
69
1172
69
  // Check that receiver is called 'self'.
1173
69
  if (!InstRecIg || 
!InstRecIg->getFoundDecl()21
||
1174
69
      
!InstRecIg->getFoundDecl()->getName().equals("self")21
)
1175
55
    return false;
1176
14
1177
14
  // Check that the method name is 'class'.
1178
14
  if (ME->getSelector().getNumArgs() != 0 ||
1179
14
      !ME->getSelector().getNameForSlot(0).equals("class"))
1180
11
    return false;
1181
3
1182
3
  return true;
1183
3
}
1184
1185
3.95k
RuntimeDefinition ObjCMethodCall::getRuntimeDefinition() const {
1186
3.95k
  const ObjCMessageExpr *E = getOriginExpr();
1187
3.95k
  assert(E);
1188
3.95k
  Selector Sel = E->getSelector();
1189
3.95k
1190
3.95k
  if (E->isInstanceMessage()) {
1191
2.96k
    // Find the receiver type.
1192
2.96k
    const ObjCObjectPointerType *ReceiverT = nullptr;
1193
2.96k
    bool CanBeSubClassed = false;
1194
2.96k
    QualType SupersType = E->getSuperType();
1195
2.96k
    const MemRegion *Receiver = nullptr;
1196
2.96k
1197
2.96k
    if (!SupersType.isNull()) {
1198
317
      // The receiver is guaranteed to be 'super' in this case.
1199
317
      // Super always means the type of immediate predecessor to the method
1200
317
      // where the call occurs.
1201
317
      ReceiverT = cast<ObjCObjectPointerType>(SupersType);
1202
2.65k
    } else {
1203
2.65k
      Receiver = getReceiverSVal().getAsRegion();
1204
2.65k
      if (!Receiver)
1205
6
        return {};
1206
2.64k
1207
2.64k
      DynamicTypeInfo DTI = getDynamicTypeInfo(getState(), Receiver);
1208
2.64k
      if (!DTI.isValid()) {
1209
1
        assert(isa<AllocaRegion>(Receiver) &&
1210
1
               "Unhandled untyped region class!");
1211
1
        return {};
1212
1
      }
1213
2.64k
1214
2.64k
      QualType DynType = DTI.getType();
1215
2.64k
      CanBeSubClassed = DTI.canBeASubClass();
1216
2.64k
      ReceiverT = dyn_cast<ObjCObjectPointerType>(DynType.getCanonicalType());
1217
2.64k
1218
2.64k
      if (ReceiverT && 
CanBeSubClassed2.52k
)
1219
1.52k
        if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterfaceDecl())
1220
1.26k
          if (!canBeOverridenInSubclass(IDecl, Sel))
1221
1.14k
            CanBeSubClassed = false;
1222
2.64k
    }
1223
2.96k
1224
2.96k
    // Handle special cases of '[self classMethod]' and
1225
2.96k
    // '[[self class] classMethod]', which are treated by the compiler as
1226
2.96k
    // instance (not class) messages. We will statically dispatch to those.
1227
2.96k
    
if (auto *2.96k
PT2.96k
= dyn_cast_or_null<ObjCObjectPointerType>(ReceiverT)) {
1228
2.83k
      // For [self classMethod], return the compiler visible declaration.
1229
2.83k
      if (PT->getObjectType()->isObjCClass() &&
1230
2.83k
          
Receiver == getSelfSVal().getAsRegion()30
)
1231
17
        return RuntimeDefinition(findDefiningRedecl(E->getMethodDecl()));
1232
2.82k
1233
2.82k
      // Similarly, handle [[self class] classMethod].
1234
2.82k
      // TODO: We are currently doing a syntactic match for this pattern with is
1235
2.82k
      // limiting as the test cases in Analysis/inlining/InlineObjCClassMethod.m
1236
2.82k
      // shows. A better way would be to associate the meta type with the symbol
1237
2.82k
      // using the dynamic type info tracking and use it here. We can add a new
1238
2.82k
      // SVal for ObjC 'Class' values that know what interface declaration they
1239
2.82k
      // come from. Then 'self' in a class method would be filled in with
1240
2.82k
      // something meaningful in ObjCMethodCall::getReceiverSVal() and we could
1241
2.82k
      // do proper dynamic dispatch for class methods just like we do for
1242
2.82k
      // instance methods now.
1243
2.82k
      if (E->getInstanceReceiver())
1244
2.50k
        if (const auto *M = dyn_cast<ObjCMessageExpr>(E->getInstanceReceiver()))
1245
732
          if (isCallToSelfClass(M))
1246
3
            return RuntimeDefinition(findDefiningRedecl(E->getMethodDecl()));
1247
2.94k
    }
1248
2.94k
1249
2.94k
    // Lookup the instance method implementation.
1250
2.94k
    if (ReceiverT)
1251
2.81k
      if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterfaceDecl()) {
1252
2.57k
        // Repeatedly calling lookupPrivateMethod() is expensive, especially
1253
2.57k
        // when in many cases it returns null.  We cache the results so
1254
2.57k
        // that repeated queries on the same ObjCIntefaceDecl and Selector
1255
2.57k
        // don't incur the same cost.  On some test cases, we can see the
1256
2.57k
        // same query being issued thousands of times.
1257
2.57k
        //
1258
2.57k
        // NOTE: This cache is essentially a "global" variable, but it
1259
2.57k
        // only gets lazily created when we get here.  The value of the
1260
2.57k
        // cache probably comes from it being global across ExprEngines,
1261
2.57k
        // where the same queries may get issued.  If we are worried about
1262
2.57k
        // concurrency, or possibly loading/unloading ASTs, etc., we may
1263
2.57k
        // need to revisit this someday.  In terms of memory, this table
1264
2.57k
        // stays around until clang quits, which also may be bad if we
1265
2.57k
        // need to release memory.
1266
2.57k
        using PrivateMethodKey = std::pair<const ObjCInterfaceDecl *, Selector>;
1267
2.57k
        using PrivateMethodCache =
1268
2.57k
            llvm::DenseMap<PrivateMethodKey, Optional<const ObjCMethodDecl *>>;
1269
2.57k
1270
2.57k
        static PrivateMethodCache PMC;
1271
2.57k
        Optional<const ObjCMethodDecl *> &Val = PMC[std::make_pair(IDecl, Sel)];
1272
2.57k
1273
2.57k
        // Query lookupPrivateMethod() if the cache does not hit.
1274
2.57k
        if (!Val.hasValue()) {
1275
917
          Val = IDecl->lookupPrivateMethod(Sel);
1276
917
1277
917
          // If the method is a property accessor, we should try to "inline" it
1278
917
          // even if we don't actually have an implementation.
1279
917
          if (!*Val)
1280
748
            if (const ObjCMethodDecl *CompileTimeMD = E->getMethodDecl())
1281
742
              if (CompileTimeMD->isPropertyAccessor()) {
1282
124
                if (!CompileTimeMD->getSelfDecl() &&
1283
124
                    
isa<ObjCCategoryDecl>(CompileTimeMD->getDeclContext())38
) {
1284
14
                  // If the method is an accessor in a category, and it doesn't
1285
14
                  // have a self declaration, first
1286
14
                  // try to find the method in a class extension. This
1287
14
                  // works around a bug in Sema where multiple accessors
1288
14
                  // are synthesized for properties in class
1289
14
                  // extensions that are redeclared in a category and the
1290
14
                  // the implicit parameters are not filled in for
1291
14
                  // the method on the category.
1292
14
                  // This ensures we find the accessor in the extension, which
1293
14
                  // has the implicit parameters filled in.
1294
14
                  auto *ID = CompileTimeMD->getClassInterface();
1295
14
                  for (auto *CatDecl : ID->visible_extensions()) {
1296
10
                    Val = CatDecl->getMethod(Sel,
1297
10
                                             CompileTimeMD->isInstanceMethod());
1298
10
                    if (*Val)
1299
8
                      break;
1300
10
                  }
1301
14
                }
1302
124
                if (!*Val)
1303
116
                  Val = IDecl->lookupInstanceMethod(Sel);
1304
124
              }
1305
917
        }
1306
2.57k
1307
2.57k
        const ObjCMethodDecl *MD = Val.getValue();
1308
2.57k
        if (CanBeSubClassed)
1309
126
          return RuntimeDefinition(MD, Receiver);
1310
2.45k
        else
1311
2.45k
          return RuntimeDefinition(MD, nullptr);
1312
985
      }
1313
985
  } else {
1314
985
    // This is a class method.
1315
985
    // If we have type info for the receiver class, we are calling via
1316
985
    // class name.
1317
985
    if (ObjCInterfaceDecl *IDecl = E->getReceiverInterface()) {
1318
985
      // Find/Return the method implementation.
1319
985
      return RuntimeDefinition(IDecl->lookupPrivateClassMethod(Sel));
1320
985
    }
1321
364
  }
1322
364
1323
364
  return {};
1324
364
}
1325
1326
3.46k
bool ObjCMethodCall::argumentsMayEscape() const {
1327
3.46k
  if (isInSystemHeader() && 
!isInstanceMessage()452
) {
1328
119
    Selector Sel = getSelector();
1329
119
    if (Sel.getNumArgs() == 1 &&
1330
119
        
Sel.getIdentifierInfoForSlot(0)->isStr("valueWithPointer")5
)
1331
2
      return true;
1332
3.46k
  }
1333
3.46k
1334
3.46k
  return CallEvent::argumentsMayEscape();
1335
3.46k
}
1336
1337
void ObjCMethodCall::getInitialStackFrameContents(
1338
                                             const StackFrameContext *CalleeCtx,
1339
481
                                             BindingsTy &Bindings) const {
1340
481
  const auto *D = cast<ObjCMethodDecl>(CalleeCtx->getDecl());
1341
481
  SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
1342
481
  addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this,
1343
481
                               D->parameters());
1344
481
1345
481
  SVal SelfVal = getReceiverSVal();
1346
481
  if (!SelfVal.isUnknown()) {
1347
433
    const VarDecl *SelfD = CalleeCtx->getAnalysisDeclContext()->getSelfDecl();
1348
433
    MemRegionManager &MRMgr = SVB.getRegionManager();
1349
433
    Loc SelfLoc = SVB.makeLoc(MRMgr.getVarRegion(SelfD, CalleeCtx));
1350
433
    Bindings.push_back(std::make_pair(SelfLoc, SelfVal));
1351
433
  }
1352
481
}
1353
1354
CallEventRef<>
1355
CallEventManager::getSimpleCall(const CallExpr *CE, ProgramStateRef State,
1356
125k
                                const LocationContext *LCtx) {
1357
125k
  if (const auto *MCE = dyn_cast<CXXMemberCallExpr>(CE))
1358
12.9k
    return create<CXXMemberCall>(MCE, State, LCtx);
1359
112k
1360
112k
  if (const auto *OpCE = dyn_cast<CXXOperatorCallExpr>(CE)) {
1361
6.28k
    const FunctionDecl *DirectCallee = OpCE->getDirectCallee();
1362
6.28k
    if (const auto *MD = dyn_cast<CXXMethodDecl>(DirectCallee))
1363
6.18k
      if (MD->isInstance())
1364
6.18k
        return create<CXXMemberOperatorCall>(OpCE, State, LCtx);
1365
106k
1366
106k
  } else if (CE->getCallee()->getType()->isBlockPointerType()) {
1367
573
    return create<BlockCall>(CE, State, LCtx);
1368
573
  }
1369
106k
1370
106k
  // Otherwise, it's a normal function call, static member function call, or
1371
106k
  // something we can't reason about.
1372
106k
  return create<SimpleFunctionCall>(CE, State, LCtx);
1373
106k
}
1374
1375
CallEventRef<>
1376
CallEventManager::getCaller(const StackFrameContext *CalleeCtx,
1377
79.7k
                            ProgramStateRef State) {
1378
79.7k
  const LocationContext *ParentCtx = CalleeCtx->getParent();
1379
79.7k
  const LocationContext *CallerCtx = ParentCtx->getStackFrame();
1380
79.7k
  assert(CallerCtx && "This should not be used for top-level stack frames");
1381
79.7k
1382
79.7k
  const Stmt *CallSite = CalleeCtx->getCallSite();
1383
79.7k
1384
79.7k
  if (CallSite) {
1385
78.3k
    if (CallEventRef<> Out = getCall(CallSite, State, CallerCtx))
1386
63.2k
      return Out;
1387
15.0k
1388
15.0k
    // All other cases are handled by getCall.
1389
15.0k
    assert(isa<CXXConstructExpr>(CallSite) &&
1390
15.0k
           "This is not an inlineable statement");
1391
15.0k
1392
15.0k
    SValBuilder &SVB = State->getStateManager().getSValBuilder();
1393
15.0k
    const auto *Ctor = cast<CXXMethodDecl>(CalleeCtx->getDecl());
1394
15.0k
    Loc ThisPtr = SVB.getCXXThis(Ctor, CalleeCtx);
1395
15.0k
    SVal ThisVal = State->getSVal(ThisPtr);
1396
15.0k
1397
15.0k
    return getCXXConstructorCall(cast<CXXConstructExpr>(CallSite),
1398
15.0k
                                 ThisVal.getAsRegion(), State, CallerCtx);
1399
15.0k
  }
1400
1.38k
1401
1.38k
  // Fall back to the CFG. The only thing we haven't handled yet is
1402
1.38k
  // destructors, though this could change in the future.
1403
1.38k
  const CFGBlock *B = CalleeCtx->getCallSiteBlock();
1404
1.38k
  CFGElement E = (*B)[CalleeCtx->getIndex()];
1405
1.38k
  assert((E.getAs<CFGImplicitDtor>() || E.getAs<CFGTemporaryDtor>()) &&
1406
1.38k
         "All other CFG elements should have exprs");
1407
1.38k
1408
1.38k
  SValBuilder &SVB = State->getStateManager().getSValBuilder();
1409
1.38k
  const auto *Dtor = cast<CXXDestructorDecl>(CalleeCtx->getDecl());
1410
1.38k
  Loc ThisPtr = SVB.getCXXThis(Dtor, CalleeCtx);
1411
1.38k
  SVal ThisVal = State->getSVal(ThisPtr);
1412
1.38k
1413
1.38k
  const Stmt *Trigger;
1414
1.38k
  if (Optional<CFGAutomaticObjDtor> AutoDtor = E.getAs<CFGAutomaticObjDtor>())
1415
797
    Trigger = AutoDtor->getTriggerStmt();
1416
588
  else if (Optional<CFGDeleteDtor> DeleteDtor = E.getAs<CFGDeleteDtor>())
1417
98
    Trigger = DeleteDtor->getDeleteExpr();
1418
490
  else
1419
490
    Trigger = Dtor->getBody();
1420
1.38k
1421
1.38k
  return getCXXDestructorCall(Dtor, Trigger, ThisVal.getAsRegion(),
1422
1.38k
                              E.getAs<CFGBaseDtor>().hasValue(), State,
1423
1.38k
                              CallerCtx);
1424
1.38k
}
1425
1426
CallEventRef<> CallEventManager::getCall(const Stmt *S, ProgramStateRef State,
1427
78.8k
                                         const LocationContext *LC) {
1428
78.8k
  if (const auto *CE = dyn_cast<CallExpr>(S)) {
1429
61.5k
    return getSimpleCall(CE, State, LC);
1430
61.5k
  } else 
if (const auto *17.2k
NE17.2k
= dyn_cast<CXXNewExpr>(S)) {
1431
741
    return getCXXAllocatorCall(NE, State, LC);
1432
16.5k
  } else if (const auto *ME = dyn_cast<ObjCMessageExpr>(S)) {
1433
1.45k
    return getObjCMethodCall(ME, State, LC);
1434
15.0k
  } else {
1435
15.0k
    return nullptr;
1436
15.0k
  }
1437
78.8k
}