Coverage Report

Created: 2020-02-15 09:57

/Users/buildslave/jenkins/workspace/coverage/llvm-project/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
Line
Count
Source (jump to first uncovered line)
1
//===- CallEvent.cpp - Wrapper for all function and method calls ----------===//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
/// \file This file defines CallEvent and its subclasses, which represent path-
10
/// sensitive instances of different kinds of function and method calls
11
/// (C, C++, and Objective-C).
12
//
13
//===----------------------------------------------------------------------===//
14
15
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
16
#include "clang/AST/ASTContext.h"
17
#include "clang/AST/Attr.h"
18
#include "clang/AST/Decl.h"
19
#include "clang/AST/DeclBase.h"
20
#include "clang/AST/DeclCXX.h"
21
#include "clang/AST/DeclObjC.h"
22
#include "clang/AST/Expr.h"
23
#include "clang/AST/ExprCXX.h"
24
#include "clang/AST/ExprObjC.h"
25
#include "clang/AST/ParentMap.h"
26
#include "clang/AST/Stmt.h"
27
#include "clang/AST/Type.h"
28
#include "clang/Analysis/AnalysisDeclContext.h"
29
#include "clang/Analysis/CFG.h"
30
#include "clang/Analysis/CFGStmtMap.h"
31
#include "clang/Analysis/PathDiagnostic.h"
32
#include "clang/Analysis/ProgramPoint.h"
33
#include "clang/Basic/IdentifierTable.h"
34
#include "clang/Basic/LLVM.h"
35
#include "clang/Basic/SourceLocation.h"
36
#include "clang/Basic/SourceManager.h"
37
#include "clang/Basic/Specifiers.h"
38
#include "clang/CrossTU/CrossTranslationUnit.h"
39
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
40
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
41
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h"
42
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
43
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
44
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
45
#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
46
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
47
#include "clang/StaticAnalyzer/Core/PathSensitive/Store.h"
48
#include "llvm/ADT/ArrayRef.h"
49
#include "llvm/ADT/DenseMap.h"
50
#include "llvm/ADT/None.h"
51
#include "llvm/ADT/Optional.h"
52
#include "llvm/ADT/PointerIntPair.h"
53
#include "llvm/ADT/SmallSet.h"
54
#include "llvm/ADT/SmallVector.h"
55
#include "llvm/ADT/StringExtras.h"
56
#include "llvm/ADT/StringRef.h"
57
#include "llvm/Support/Casting.h"
58
#include "llvm/Support/Compiler.h"
59
#include "llvm/Support/Debug.h"
60
#include "llvm/Support/ErrorHandling.h"
61
#include "llvm/Support/raw_ostream.h"
62
#include <cassert>
63
#include <utility>
64
65
#define DEBUG_TYPE "static-analyzer-call-event"
66
67
using namespace clang;
68
using namespace ento;
69
70
43.2k
QualType CallEvent::getResultType() const {
71
43.2k
  ASTContext &Ctx = getState()->getStateManager().getContext();
72
43.2k
  const Expr *E = getOriginExpr();
73
43.2k
  if (!E)
74
17
    return Ctx.VoidTy;
75
43.1k
  assert(E);
76
43.1k
77
43.1k
  QualType ResultTy = E->getType();
78
43.1k
79
43.1k
  // A function that returns a reference to 'int' will have a result type
80
43.1k
  // of simply 'int'. Check the origin expr's value kind to recover the
81
43.1k
  // proper type.
82
43.1k
  switch (E->getValueKind()) {
83
224
  case VK_LValue:
84
224
    ResultTy = Ctx.getLValueReferenceType(ResultTy);
85
224
    break;
86
20
  case VK_XValue:
87
20
    ResultTy = Ctx.getRValueReferenceType(ResultTy);
88
20
    break;
89
42.9k
  case VK_RValue:
90
42.9k
    // No adjustment is necessary.
91
42.9k
    break;
92
43.1k
  }
93
43.1k
94
43.1k
  return ResultTy;
95
43.1k
}
96
97
29.0k
static bool isCallback(QualType T) {
98
29.0k
  // If a parameter is a block or a callback, assume it can modify pointer.
99
29.0k
  if (T->isBlockPointerType() ||
100
29.0k
      
T->isFunctionPointerType()28.9k
||
101
29.0k
      
T->isObjCSelType()28.8k
)
102
258
    return true;
103
28.8k
104
28.8k
  // Check if a callback is passed inside a struct (for both, struct passed by
105
28.8k
  // reference and by value). Dig just one level into the struct for now.
106
28.8k
107
28.8k
  if (T->isAnyPointerType() || 
T->isReferenceType()19.5k
)
108
14.3k
    T = T->getPointeeType();
109
28.8k
110
28.8k
  if (const RecordType *RT = T->getAsStructureType()) {
111
14.4k
    const RecordDecl *RD = RT->getDecl();
112
16.4k
    for (const auto *I : RD->fields()) {
113
16.4k
      QualType FieldT = I->getType();
114
16.4k
      if (FieldT->isBlockPointerType() || FieldT->isFunctionPointerType())
115
9
        return true;
116
16.4k
    }
117
14.4k
  }
118
28.8k
  
return false28.7k
;
119
28.8k
}
120
121
24.8k
static bool isVoidPointerToNonConst(QualType T) {
122
24.8k
  if (const auto *PT = T->getAs<PointerType>()) {
123
6.65k
    QualType PointeeTy = PT->getPointeeType();
124
6.65k
    if (PointeeTy.isConstQualified())
125
2.53k
      return false;
126
4.11k
    return PointeeTy->isVoidType();
127
4.11k
  } else
128
18.2k
    return false;
129
24.8k
}
130
131
67.8k
bool CallEvent::hasNonNullArgumentsWithType(bool (*Condition)(QualType)) const {
132
67.8k
  unsigned NumOfArgs = getNumArgs();
133
67.8k
134
67.8k
  // If calling using a function pointer, assume the function does not
135
67.8k
  // satisfy the callback.
136
67.8k
  // TODO: We could check the types of the arguments here.
137
67.8k
  if (!getDecl())
138
77
    return false;
139
67.7k
140
67.7k
  unsigned Idx = 0;
141
67.7k
  for (CallEvent::param_type_iterator I = param_type_begin(),
142
67.7k
                                      E = param_type_end();
143
123k
       I != E && 
Idx < NumOfArgs56.8k
;
++I, ++Idx55.8k
) {
144
56.8k
    // If the parameter is 0, it's harmless.
145
56.8k
    if (getArgSVal(Idx).isZeroConstant())
146
2.89k
      continue;
147
53.9k
148
53.9k
    if (Condition(*I))
149
1.03k
      return true;
150
53.9k
  }
151
67.7k
  
return false66.7k
;
152
67.7k
}
153
154
37.8k
bool CallEvent::hasNonZeroCallbackArg() const {
155
37.8k
  return hasNonNullArgumentsWithType(isCallback);
156
37.8k
}
157
158
29.9k
bool CallEvent::hasVoidPointerToNonConstArg() const {
159
29.9k
  return hasNonNullArgumentsWithType(isVoidPointerToNonConst);
160
29.9k
}
161
162
150k
bool CallEvent::isGlobalCFunction(StringRef FunctionName) const {
163
150k
  const auto *FD = dyn_cast_or_null<FunctionDecl>(getDecl());
164
150k
  if (!FD)
165
6.97k
    return false;
166
143k
167
143k
  return CheckerContext::isCLibraryFunction(FD, FunctionName);
168
143k
}
169
170
27.4k
AnalysisDeclContext *CallEvent::getCalleeAnalysisDeclContext() const {
171
27.4k
  const Decl *D = getDecl();
172
27.4k
  if (!D)
173
0
    return nullptr;
174
27.4k
175
27.4k
  // TODO: For now we skip functions without definitions, even if we have
176
27.4k
  // our own getDecl(), because it's hard to find out which re-declaration
177
27.4k
  // is going to be used, and usually clients don't really care about this
178
27.4k
  // situation because there's a loss of precision anyway because we cannot
179
27.4k
  // inline the call.
180
27.4k
  RuntimeDefinition RD = getRuntimeDefinition();
181
27.4k
  if (!RD.getDecl())
182
10.2k
    return nullptr;
183
17.2k
184
17.2k
  AnalysisDeclContext *ADC =
185
17.2k
      LCtx->getAnalysisDeclContext()->getManager()->getContext(D);
186
17.2k
187
17.2k
  // TODO: For now we skip virtual functions, because this also rises
188
17.2k
  // the problem of which decl to use, but now it's across different classes.
189
17.2k
  if (RD.mayHaveOtherDefinitions() || RD.getDecl() != ADC->getDecl())
190
9
    return nullptr;
191
17.2k
192
17.2k
  return ADC;
193
17.2k
}
194
195
const StackFrameContext *
196
27.4k
CallEvent::getCalleeStackFrame(unsigned BlockCount) const {
197
27.4k
  AnalysisDeclContext *ADC = getCalleeAnalysisDeclContext();
198
27.4k
  if (!ADC)
199
10.2k
    return nullptr;
200
17.2k
201
17.2k
  const Expr *E = getOriginExpr();
202
17.2k
  if (!E)
203
0
    return nullptr;
204
17.2k
205
17.2k
  // Recover CFG block via reverse lookup.
206
17.2k
  // TODO: If we were to keep CFG element information as part of the CallEvent
207
17.2k
  // instead of doing this reverse lookup, we would be able to build the stack
208
17.2k
  // frame for non-expression-based calls, and also we wouldn't need the reverse
209
17.2k
  // lookup.
210
17.2k
  CFGStmtMap *Map = LCtx->getAnalysisDeclContext()->getCFGStmtMap();
211
17.2k
  const CFGBlock *B = Map->getBlock(E);
212
17.2k
  assert(B);
213
17.2k
214
17.2k
  // Also recover CFG index by scanning the CFG block.
215
17.2k
  unsigned Idx = 0, Sz = B->size();
216
228k
  for (; Idx < Sz; 
++Idx211k
)
217
228k
    if (auto StmtElem = (*B)[Idx].getAs<CFGStmt>())
218
228k
      if (StmtElem->getStmt() == E)
219
17.2k
        break;
220
17.2k
  assert(Idx < Sz);
221
17.2k
222
17.2k
  return ADC->getManager()->getStackFrame(ADC, LCtx, E, B, BlockCount, Idx);
223
17.2k
}
224
225
const VarRegion *CallEvent::getParameterLocation(unsigned Index,
226
8.61k
                                                 unsigned BlockCount) const {
227
8.61k
  const StackFrameContext *SFC = getCalleeStackFrame(BlockCount);
228
8.61k
  // We cannot construct a VarRegion without a stack frame.
229
8.61k
  if (!SFC)
230
0
    return nullptr;
231
8.61k
232
8.61k
  // Retrieve parameters of the definition, which are different from
233
8.61k
  // CallEvent's parameters() because getDecl() isn't necessarily
234
8.61k
  // the definition. SFC contains the definition that would be used
235
8.61k
  // during analysis.
236
8.61k
  const Decl *D = SFC->getDecl();
237
8.61k
238
8.61k
  // TODO: Refactor into a virtual method of CallEvent, like parameters().
239
8.61k
  const ParmVarDecl *PVD = nullptr;
240
8.61k
  if (const auto *FD = dyn_cast<FunctionDecl>(D))
241
8.61k
    PVD = FD->parameters()[Index];
242
0
  else if (const auto *BD = dyn_cast<BlockDecl>(D))
243
0
    PVD = BD->parameters()[Index];
244
0
  else if (const auto *MD = dyn_cast<ObjCMethodDecl>(D))
245
0
    PVD = MD->parameters()[Index];
246
0
  else if (const auto *CD = dyn_cast<CXXConstructorDecl>(D))
247
0
    PVD = CD->parameters()[Index];
248
8.61k
  assert(PVD && "Unexpected Decl kind!");
249
8.61k
250
8.61k
  const VarRegion *VR =
251
8.61k
      State->getStateManager().getRegionManager().getVarRegion(PVD, SFC);
252
8.61k
253
8.61k
  // This sanity check would fail if our parameter declaration doesn't
254
8.61k
  // correspond to the stack frame's function declaration.
255
8.61k
  assert(VR->getStackFrame() == SFC);
256
8.61k
257
8.61k
  return VR;
258
8.61k
}
259
260
/// Returns true if a type is a pointer-to-const or reference-to-const
261
/// with no further indirection.
262
25.7k
static bool isPointerToConst(QualType Ty) {
263
25.7k
  QualType PointeeTy = Ty->getPointeeType();
264
25.7k
  if (PointeeTy == QualType())
265
13.7k
    return false;
266
12.0k
  if (!PointeeTy.isConstQualified())
267
7.67k
    return false;
268
4.41k
  if (PointeeTy->isAnyPointerType())
269
22
    return false;
270
4.39k
  return true;
271
4.39k
}
272
273
// Try to retrieve the function declaration and find the function parameter
274
// types which are pointers/references to a non-pointer const.
275
// We will not invalidate the corresponding argument regions.
276
static void findPtrToConstParams(llvm::SmallSet<unsigned, 4> &PreserveArgs,
277
32.4k
                                 const CallEvent &Call) {
278
32.4k
  unsigned Idx = 0;
279
32.4k
  for (CallEvent::param_type_iterator I = Call.param_type_begin(),
280
32.4k
                                      E = Call.param_type_end();
281
58.2k
       I != E; 
++I, ++Idx25.7k
) {
282
25.7k
    if (isPointerToConst(*I))
283
4.39k
      PreserveArgs.insert(Idx);
284
25.7k
  }
285
32.4k
}
286
287
ProgramStateRef CallEvent::invalidateRegions(unsigned BlockCount,
288
33.5k
                                             ProgramStateRef Orig) const {
289
33.5k
  ProgramStateRef Result = (Orig ? 
Orig33.5k
:
getState()7
);
290
33.5k
291
33.5k
  // Don't invalidate anything if the callee is marked pure/const.
292
33.5k
  if (const Decl *callee = getDecl())
293
33.4k
    if (callee->hasAttr<PureAttr>() || 
callee->hasAttr<ConstAttr>()33.4k
)
294
28
      return Result;
295
33.5k
296
33.5k
  SmallVector<SVal, 8> ValuesToInvalidate;
297
33.5k
  RegionAndSymbolInvalidationTraits ETraits;
298
33.5k
299
33.5k
  getExtraInvalidatedValues(ValuesToInvalidate, &ETraits);
300
33.5k
301
33.5k
  // Indexes of arguments whose values will be preserved by the call.
302
33.5k
  llvm::SmallSet<unsigned, 4> PreserveArgs;
303
33.5k
  if (!argumentsMayEscape())
304
32.4k
    findPtrToConstParams(PreserveArgs, *this);
305
33.5k
306
61.8k
  for (unsigned Idx = 0, Count = getNumArgs(); Idx != Count; 
++Idx28.3k
) {
307
28.3k
    // Mark this region for invalidation.  We batch invalidate regions
308
28.3k
    // below for efficiency.
309
28.3k
    if (PreserveArgs.count(Idx))
310
4.39k
      if (const MemRegion *MR = getArgSVal(Idx).getAsRegion())
311
3.71k
        ETraits.setTrait(MR->getBaseRegion(),
312
3.71k
                        RegionAndSymbolInvalidationTraits::TK_PreserveContents);
313
28.3k
        // TODO: Factor this out + handle the lower level const pointers.
314
28.3k
315
28.3k
    ValuesToInvalidate.push_back(getArgSVal(Idx));
316
28.3k
317
28.3k
    // If a function accepts an object by argument (which would of course be a
318
28.3k
    // temporary that isn't lifetime-extended), invalidate the object itself,
319
28.3k
    // not only other objects reachable from it. This is necessary because the
320
28.3k
    // destructor has access to the temporary object after the call.
321
28.3k
    // TODO: Support placement arguments once we start
322
28.3k
    // constructing them directly.
323
28.3k
    // TODO: This is unnecessary when there's no destructor, but that's
324
28.3k
    // currently hard to figure out.
325
28.3k
    if (getKind() != CE_CXXAllocator)
326
27.6k
      if (isArgumentConstructedDirectly(Idx))
327
15
        if (auto AdjIdx = getAdjustedParameterIndex(Idx))
328
15
          if (const VarRegion *VR = getParameterLocation(*AdjIdx, BlockCount))
329
15
            ValuesToInvalidate.push_back(loc::MemRegionVal(VR));
330
28.3k
  }
331
33.5k
332
33.5k
  // Invalidate designated regions using the batch invalidation API.
333
33.5k
  // NOTE: Even if RegionsToInvalidate is empty, we may still invalidate
334
33.5k
  //  global variables.
335
33.5k
  return Result->invalidateRegions(ValuesToInvalidate, getOriginExpr(),
336
33.5k
                                   BlockCount, getLocationContext(),
337
33.5k
                                   /*CausedByPointerEscape*/ true,
338
33.5k
                                   /*Symbols=*/nullptr, this, &ETraits);
339
33.5k
}
340
341
ProgramPoint CallEvent::getProgramPoint(bool IsPreVisit,
342
1.03M
                                        const ProgramPointTag *Tag) const {
343
1.03M
  if (const Expr *E = getOriginExpr()) {
344
1.02M
    if (IsPreVisit)
345
615k
      return PreStmt(E, getLocationContext(), Tag);
346
405k
    return PostStmt(E, getLocationContext(), Tag);
347
405k
  }
348
14.1k
349
14.1k
  const Decl *D = getDecl();
350
14.1k
  assert(D && "Cannot get a program point without a statement or decl");
351
14.1k
352
14.1k
  SourceLocation Loc = getSourceRange().getBegin();
353
14.1k
  if (IsPreVisit)
354
8.74k
    return PreImplicitCall(D, Loc, getLocationContext(), Tag);
355
5.43k
  return PostImplicitCall(D, Loc, getLocationContext(), Tag);
356
5.43k
}
357
358
586k
bool CallEvent::isCalled(const CallDescription &CD) const {
359
586k
  // FIXME: Add ObjC Message support.
360
586k
  if (getKind() == CE_ObjCMessage)
361
48
    return false;
362
586k
363
586k
  const IdentifierInfo *II = getCalleeIdentifier();
364
586k
  if (!II)
365
12.8k
    return false;
366
574k
  const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(getDecl());
367
574k
  if (!FD)
368
0
    return false;
369
574k
370
574k
  if (CD.Flags & CDF_MaybeBuiltin) {
371
371k
    return CheckerContext::isCLibraryFunction(FD, CD.getFunctionName()) &&
372
371k
           
(2.06k
!CD.RequiredArgs2.06k
||
CD.RequiredArgs <= getNumArgs()2.06k
) &&
373
371k
           
(2.06k
!CD.RequiredParams2.06k
||
CD.RequiredParams <= parameters().size()2.06k
);
374
371k
  }
375
202k
376
202k
  if (!CD.IsLookupDone) {
377
3.52k
    CD.IsLookupDone = true;
378
3.52k
    CD.II = &getState()->getStateManager().getContext().Idents.get(
379
3.52k
        CD.getFunctionName());
380
3.52k
  }
381
202k
382
202k
  if (II != CD.II)
383
199k
    return false;
384
3.43k
385
3.43k
  // If CallDescription provides prefix names, use them to improve matching
386
3.43k
  // accuracy.
387
3.43k
  if (CD.QualifiedName.size() > 1 && 
FD249
) {
388
249
    const DeclContext *Ctx = FD->getDeclContext();
389
249
    // See if we'll be able to match them all.
390
249
    size_t NumUnmatched = CD.QualifiedName.size() - 1;
391
585
    for (; Ctx && isa<NamedDecl>(Ctx); 
Ctx = Ctx->getParent()336
) {
392
342
      if (NumUnmatched == 0)
393
6
        break;
394
336
395
336
      if (const auto *ND = dyn_cast<NamespaceDecl>(Ctx)) {
396
239
        if (ND->getName() == CD.QualifiedName[NumUnmatched - 1])
397
212
          --NumUnmatched;
398
239
        continue;
399
239
      }
400
97
401
97
      if (const auto *RD = dyn_cast<RecordDecl>(Ctx)) {
402
97
        if (RD->getName() == CD.QualifiedName[NumUnmatched - 1])
403
65
          --NumUnmatched;
404
97
        continue;
405
97
      }
406
97
    }
407
249
408
249
    if (NumUnmatched > 0)
409
28
      return false;
410
3.40k
  }
411
3.40k
412
3.40k
  return (!CD.RequiredArgs || 
CD.RequiredArgs == getNumArgs()3.22k
) &&
413
3.40k
         
(3.33k
!CD.RequiredParams3.33k
||
CD.RequiredParams == parameters().size()3.15k
);
414
3.40k
}
415
416
373k
SVal CallEvent::getArgSVal(unsigned Index) const {
417
373k
  const Expr *ArgE = getArgExpr(Index);
418
373k
  if (!ArgE)
419
15.0k
    return UnknownVal();
420
358k
  return getSVal(ArgE);
421
358k
}
422
423
113k
SourceRange CallEvent::getArgSourceRange(unsigned Index) const {
424
113k
  const Expr *ArgE = getArgExpr(Index);
425
113k
  if (!ArgE)
426
6.39k
    return {};
427
106k
  return ArgE->getSourceRange();
428
106k
}
429
430
21.6k
SVal CallEvent::getReturnValue() const {
431
21.6k
  const Expr *E = getOriginExpr();
432
21.6k
  if (!E)
433
11
    return UndefinedVal();
434
21.6k
  return getSVal(E);
435
21.6k
}
436
437
0
LLVM_DUMP_METHOD void CallEvent::dump() const { dump(llvm::errs()); }
438
439
0
void CallEvent::dump(raw_ostream &Out) const {
440
0
  ASTContext &Ctx = getState()->getStateManager().getContext();
441
0
  if (const Expr *E = getOriginExpr()) {
442
0
    E->printPretty(Out, nullptr, Ctx.getPrintingPolicy());
443
0
    Out << "\n";
444
0
    return;
445
0
  }
446
0
447
0
  if (const Decl *D = getDecl()) {
448
0
    Out << "Call to ";
449
0
    D->print(Out, Ctx.getPrintingPolicy());
450
0
    return;
451
0
  }
452
0
453
0
  // FIXME: a string representation of the kind would be nice.
454
0
  Out << "Unknown call (type " << getKind() << ")";
455
0
}
456
457
1.47M
bool CallEvent::isCallStmt(const Stmt *S) {
458
1.47M
  return isa<CallExpr>(S) || 
isa<ObjCMessageExpr>(S)1.36M
459
1.47M
                          || 
isa<CXXConstructExpr>(S)1.35M
460
1.47M
                          || 
isa<CXXNewExpr>(S)1.29M
;
461
1.47M
}
462
463
24.4k
QualType CallEvent::getDeclaredResultType(const Decl *D) {
464
24.4k
  assert(D);
465
24.4k
  if (const auto *FD = dyn_cast<FunctionDecl>(D))
466
23.4k
    return FD->getReturnType();
467
1.00k
  if (const auto *MD = dyn_cast<ObjCMethodDecl>(D))
468
965
    return MD->getReturnType();
469
35
  if (const auto *BD = dyn_cast<BlockDecl>(D)) {
470
35
    // Blocks are difficult because the return type may not be stored in the
471
35
    // BlockDecl itself. The AST should probably be enhanced, but for now we
472
35
    // just do what we can.
473
35
    // If the block is declared without an explicit argument list, the
474
35
    // signature-as-written just includes the return type, not the entire
475
35
    // function type.
476
35
    // FIXME: All blocks should have signatures-as-written, even if the return
477
35
    // type is inferred. (That's signified with a dependent result type.)
478
35
    if (const TypeSourceInfo *TSI = BD->getSignatureAsWritten()) {
479
31
      QualType Ty = TSI->getType();
480
31
      if (const FunctionType *FT = Ty->getAs<FunctionType>())
481
27
        Ty = FT->getReturnType();
482
31
      if (!Ty->isDependentType())
483
15
        return Ty;
484
20
    }
485
20
486
20
    return {};
487
20
  }
488
0
489
0
  llvm_unreachable("unknown callable kind");
490
0
}
491
492
13.3k
bool CallEvent::isVariadic(const Decl *D) {
493
13.3k
  assert(D);
494
13.3k
495
13.3k
  if (const auto *FD = dyn_cast<FunctionDecl>(D))
496
12.9k
    return FD->isVariadic();
497
429
  if (const auto *MD = dyn_cast<ObjCMethodDecl>(D))
498
304
    return MD->isVariadic();
499
125
  if (const auto *BD = dyn_cast<BlockDecl>(D))
500
125
    return BD->isVariadic();
501
0
502
0
  llvm_unreachable("unknown callable kind");
503
0
}
504
505
static void addParameterValuesToBindings(const StackFrameContext *CalleeCtx,
506
                                         CallEvent::BindingsTy &Bindings,
507
                                         SValBuilder &SVB,
508
                                         const CallEvent &Call,
509
63.7k
                                         ArrayRef<ParmVarDecl*> parameters) {
510
63.7k
  MemRegionManager &MRMgr = SVB.getRegionManager();
511
63.7k
512
63.7k
  // If the function has fewer parameters than the call has arguments, we simply
513
63.7k
  // do not bind any values to them.
514
63.7k
  unsigned NumArgs = Call.getNumArgs();
515
63.7k
  unsigned Idx = 0;
516
63.7k
  ArrayRef<ParmVarDecl*>::iterator I = parameters.begin(), E = parameters.end();
517
117k
  for (; I != E && 
Idx < NumArgs53.6k
;
++I, ++Idx53.6k
) {
518
53.6k
    const ParmVarDecl *ParamDecl = *I;
519
53.6k
    assert(ParamDecl && "Formal parameter has no decl?");
520
53.6k
521
53.6k
    // TODO: Support allocator calls.
522
53.6k
    if (Call.getKind() != CE_CXXAllocator)
523
42.2k
      if (Call.isArgumentConstructedDirectly(Call.getASTArgumentIndex(Idx)))
524
8.57k
        continue;
525
45.0k
526
45.0k
    // TODO: Allocators should receive the correct size and possibly alignment,
527
45.0k
    // determined in compile-time but not represented as arg-expressions,
528
45.0k
    // which makes getArgSVal() fail and return UnknownVal.
529
45.0k
    SVal ArgVal = Call.getArgSVal(Idx);
530
45.0k
    if (!ArgVal.isUnknown()) {
531
37.8k
      Loc ParamLoc = SVB.makeLoc(MRMgr.getVarRegion(ParamDecl, CalleeCtx));
532
37.8k
      Bindings.push_back(std::make_pair(ParamLoc, ArgVal));
533
37.8k
    }
534
45.0k
  }
535
63.7k
536
63.7k
  // FIXME: Variadic arguments are not handled at all right now.
537
63.7k
}
538
539
478k
ArrayRef<ParmVarDecl*> AnyFunctionCall::parameters() const {
540
478k
  const FunctionDecl *D = getDecl();
541
478k
  if (!D)
542
23
    return None;
543
478k
  return D->parameters();
544
478k
}
545
546
121k
RuntimeDefinition AnyFunctionCall::getRuntimeDefinition() const {
547
121k
  const FunctionDecl *FD = getDecl();
548
121k
  if (!FD)
549
22
    return {};
550
121k
551
121k
  // Note that the AnalysisDeclContext will have the FunctionDecl with
552
121k
  // the definition (if one exists).
553
121k
  AnalysisDeclContext *AD =
554
121k
    getLocationContext()->getAnalysisDeclContext()->
555
121k
    getManager()->getContext(FD);
556
121k
  bool IsAutosynthesized;
557
121k
  Stmt* Body = AD->getBody(IsAutosynthesized);
558
121k
  LLVM_DEBUG({
559
121k
    if (IsAutosynthesized)
560
121k
      llvm::dbgs() << "Using autosynthesized body for " << FD->getName()
561
121k
                   << "\n";
562
121k
  });
563
121k
  if (Body) {
564
83.2k
    const Decl* Decl = AD->getDecl();
565
83.2k
    return RuntimeDefinition(Decl);
566
83.2k
  }
567
37.7k
568
37.7k
  SubEngine &Engine = getState()->getStateManager().getOwningEngine();
569
37.7k
  AnalyzerOptions &Opts = Engine.getAnalysisManager().options;
570
37.7k
571
37.7k
  // Try to get CTU definition only if CTUDir is provided.
572
37.7k
  if (!Opts.IsNaiveCTUEnabled)
573
37.7k
    return {};
574
50
575
50
  cross_tu::CrossTranslationUnitContext &CTUCtx =
576
50
      *Engine.getCrossTranslationUnitContext();
577
50
  llvm::Expected<const FunctionDecl *> CTUDeclOrError =
578
50
      CTUCtx.getCrossTUDefinition(FD, Opts.CTUDir, Opts.CTUIndexName,
579
50
                                  Opts.DisplayCTUProgress);
580
50
581
50
  if (!CTUDeclOrError) {
582
8
    handleAllErrors(CTUDeclOrError.takeError(),
583
8
                    [&](const cross_tu::IndexError &IE) {
584
8
                      CTUCtx.emitCrossTUDiagnostics(IE);
585
8
                    });
586
8
    return {};
587
8
  }
588
42
589
42
  return RuntimeDefinition(*CTUDeclOrError);
590
42
}
591
592
void AnyFunctionCall::getInitialStackFrameContents(
593
                                        const StackFrameContext *CalleeCtx,
594
63.0k
                                        BindingsTy &Bindings) const {
595
63.0k
  const auto *D = cast<FunctionDecl>(CalleeCtx->getDecl());
596
63.0k
  SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
597
63.0k
  addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this,
598
63.0k
                               D->parameters());
599
63.0k
}
600
601
30.1k
bool AnyFunctionCall::argumentsMayEscape() const {
602
30.1k
  if (CallEvent::argumentsMayEscape() || 
hasVoidPointerToNonConstArg()29.9k
)
603
926
    return true;
604
29.1k
605
29.1k
  const FunctionDecl *D = getDecl();
606
29.1k
  if (!D)
607
23
    return true;
608
29.1k
609
29.1k
  const IdentifierInfo *II = D->getIdentifier();
610
29.1k
  if (!II)
611
3.93k
    return false;
612
25.2k
613
25.2k
  // This set of "escaping" APIs is
614
25.2k
615
25.2k
  // - 'int pthread_setspecific(ptheread_key k, const void *)' stores a
616
25.2k
  //   value into thread local storage. The value can later be retrieved with
617
25.2k
  //   'void *ptheread_getspecific(pthread_key)'. So even thought the
618
25.2k
  //   parameter is 'const void *', the region escapes through the call.
619
25.2k
  if (II->isStr("pthread_setspecific"))
620
5
    return true;
621
25.2k
622
25.2k
  // - xpc_connection_set_context stores a value which can be retrieved later
623
25.2k
  //   with xpc_connection_get_context.
624
25.2k
  if (II->isStr("xpc_connection_set_context"))
625
0
    return true;
626
25.2k
627
25.2k
  // - funopen - sets a buffer for future IO calls.
628
25.2k
  if (II->isStr("funopen"))
629
1
    return true;
630
25.2k
631
25.2k
  // - __cxa_demangle - can reallocate memory and can return the pointer to
632
25.2k
  // the input buffer.
633
25.2k
  if (II->isStr("__cxa_demangle"))
634
8
    return true;
635
25.2k
636
25.2k
  StringRef FName = II->getName();
637
25.2k
638
25.2k
  // - CoreFoundation functions that end with "NoCopy" can free a passed-in
639
25.2k
  //   buffer even if it is const.
640
25.2k
  if (FName.endswith("NoCopy"))
641
10
    return true;
642
25.1k
643
25.1k
  // - NSXXInsertXX, for example NSMapInsertIfAbsent, since they can
644
25.1k
  //   be deallocated by NSMapRemove.
645
25.1k
  if (FName.startswith("NS") && 
(FName.find("Insert") != StringRef::npos)78
)
646
4
    return true;
647
25.1k
648
25.1k
  // - Many CF containers allow objects to escape through custom
649
25.1k
  //   allocators/deallocators upon container construction. (PR12101)
650
25.1k
  if (FName.startswith("CF") || 
FName.startswith("CG")24.5k
) {
651
675
    return StrInStrNoCase(FName, "InsertValue")  != StringRef::npos ||
652
675
           StrInStrNoCase(FName, "AddValue")     != StringRef::npos ||
653
675
           StrInStrNoCase(FName, "SetValue")     != StringRef::npos ||
654
675
           
StrInStrNoCase(FName, "WithData") != StringRef::npos673
||
655
675
           
StrInStrNoCase(FName, "AppendValue") != StringRef::npos667
||
656
675
           
StrInStrNoCase(FName, "SetAttribute") != StringRef::npos661
;
657
675
  }
658
24.5k
659
24.5k
  return false;
660
24.5k
}
661
662
1.86M
const FunctionDecl *SimpleFunctionCall::getDecl() const {
663
1.86M
  const FunctionDecl *D = getOriginExpr()->getDirectCallee();
664
1.86M
  if (D)
665
1.84M
    return D;
666
18.9k
667
18.9k
  return getSVal(getOriginExpr()->getCallee()).getAsFunctionDecl();
668
18.9k
}
669
670
776k
const FunctionDecl *CXXInstanceCall::getDecl() const {
671
776k
  const auto *CE = cast_or_null<CallExpr>(getOriginExpr());
672
776k
  if (!CE)
673
46.7k
    return AnyFunctionCall::getDecl();
674
729k
675
729k
  const FunctionDecl *D = CE->getDirectCallee();
676
729k
  if (D)
677
728k
    return D;
678
370
679
370
  return getSVal(CE->getCallee()).getAsFunctionDecl();
680
370
}
681
682
void CXXInstanceCall::getExtraInvalidatedValues(
683
7.89k
    ValueList &Values, RegionAndSymbolInvalidationTraits *ETraits) const {
684
7.89k
  SVal ThisVal = getCXXThisVal();
685
7.89k
  Values.push_back(ThisVal);
686
7.89k
687
7.89k
  // Don't invalidate if the method is const and there are no mutable fields.
688
7.89k
  if (const auto *D = cast_or_null<CXXMethodDecl>(getDecl())) {
689
7.88k
    if (!D->isConst())
690
5.57k
      return;
691
2.31k
    // Get the record decl for the class of 'This'. D->getParent() may return a
692
2.31k
    // base class decl, rather than the class of the instance which needs to be
693
2.31k
    // checked for mutable fields.
694
2.31k
    // TODO: We might as well look at the dynamic type of the object.
695
2.31k
    const Expr *Ex = getCXXThisExpr()->ignoreParenBaseCasts();
696
2.31k
    QualType T = Ex->getType();
697
2.31k
    if (T->isPointerType()) // Arrow or implicit-this syntax?
698
41
      T = T->getPointeeType();
699
2.31k
    const CXXRecordDecl *ParentRecord = T->getAsCXXRecordDecl();
700
2.31k
    assert(ParentRecord);
701
2.31k
    if (ParentRecord->hasMutableFields())
702
3
      return;
703
2.31k
    // Preserve CXXThis.
704
2.31k
    const MemRegion *ThisRegion = ThisVal.getAsRegion();
705
2.31k
    if (!ThisRegion)
706
1
      return;
707
2.31k
708
2.31k
    ETraits->setTrait(ThisRegion->getBaseRegion(),
709
2.31k
                      RegionAndSymbolInvalidationTraits::TK_PreserveContents);
710
2.31k
  }
711
7.89k
}
712
713
80.2k
SVal CXXInstanceCall::getCXXThisVal() const {
714
80.2k
  const Expr *Base = getCXXThisExpr();
715
80.2k
  // FIXME: This doesn't handle an overloaded ->* operator.
716
80.2k
  if (!Base)
717
0
    return UnknownVal();
718
80.2k
719
80.2k
  SVal ThisVal = getSVal(Base);
720
80.2k
  assert(ThisVal.isUnknownOrUndef() || ThisVal.getAs<Loc>());
721
80.2k
  return ThisVal;
722
80.2k
}
723
724
47.8k
RuntimeDefinition CXXInstanceCall::getRuntimeDefinition() const {
725
47.8k
  // Do we have a decl at all?
726
47.8k
  const Decl *D = getDecl();
727
47.8k
  if (!D)
728
1
    return {};
729
47.8k
730
47.8k
  // If the method is non-virtual, we know we can inline it.
731
47.8k
  const auto *MD = cast<CXXMethodDecl>(D);
732
47.8k
  if (!MD->isVirtual())
733
47.5k
    return AnyFunctionCall::getRuntimeDefinition();
734
300
735
300
  // Do we know the implicit 'this' object being called?
736
300
  const MemRegion *R = getCXXThisVal().getAsRegion();
737
300
  if (!R)
738
7
    return {};
739
293
740
293
  // Do we know anything about the type of 'this'?
741
293
  DynamicTypeInfo DynType = getDynamicTypeInfo(getState(), R);
742
293
  if (!DynType.isValid())
743
0
    return {};
744
293
745
293
  // Is the type a C++ class? (This is mostly a defensive check.)
746
293
  QualType RegionType = DynType.getType()->getPointeeType();
747
293
  assert(!RegionType.isNull() && "DynamicTypeInfo should always be a pointer.");
748
293
749
293
  const CXXRecordDecl *RD = RegionType->getAsCXXRecordDecl();
750
293
  if (!RD || !RD->hasDefinition())
751
0
    return {};
752
293
753
293
  // Find the decl for this method in that class.
754
293
  const CXXMethodDecl *Result = MD->getCorrespondingMethodInClass(RD, true);
755
293
  if (!Result) {
756
3
    // We might not even get the original statically-resolved method due to
757
3
    // some particularly nasty casting (e.g. casts to sister classes).
758
3
    // However, we should at least be able to search up and down our own class
759
3
    // hierarchy, and some real bugs have been caught by checking this.
760
3
    assert(!RD->isDerivedFrom(MD->getParent()) && "Couldn't find known method");
761
3
762
3
    // FIXME: This is checking that our DynamicTypeInfo is at least as good as
763
3
    // the static type. However, because we currently don't update
764
3
    // DynamicTypeInfo when an object is cast, we can't actually be sure the
765
3
    // DynamicTypeInfo is up to date. This assert should be re-enabled once
766
3
    // this is fixed. <rdar://problem/12287087>
767
3
    //assert(!MD->getParent()->isDerivedFrom(RD) && "Bad DynamicTypeInfo");
768
3
769
3
    return {};
770
3
  }
771
290
772
290
  // Does the decl that we found have an implementation?
773
290
  const FunctionDecl *Definition;
774
290
  if (!Result->hasBody(Definition)) {
775
171
    if (!DynType.canBeASubClass())
776
148
      return AnyFunctionCall::getRuntimeDefinition();
777
23
    return {};
778
23
  }
779
119
780
119
  // We found a definition. If we're not sure that this devirtualization is
781
119
  // actually what will happen at runtime, make sure to provide the region so
782
119
  // that ExprEngine can decide what to do with it.
783
119
  if (DynType.canBeASubClass())
784
8
    return RuntimeDefinition(Definition, R->StripCasts());
785
111
  return RuntimeDefinition(Definition, /*DispatchRegion=*/nullptr);
786
111
}
787
788
void CXXInstanceCall::getInitialStackFrameContents(
789
                                            const StackFrameContext *CalleeCtx,
790
23.4k
                                            BindingsTy &Bindings) const {
791
23.4k
  AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings);
792
23.4k
793
23.4k
  // Handle the binding of 'this' in the new stack frame.
794
23.4k
  SVal ThisVal = getCXXThisVal();
795
23.4k
  if (!ThisVal.isUnknown()) {
796
23.4k
    ProgramStateManager &StateMgr = getState()->getStateManager();
797
23.4k
    SValBuilder &SVB = StateMgr.getSValBuilder();
798
23.4k
799
23.4k
    const auto *MD = cast<CXXMethodDecl>(CalleeCtx->getDecl());
800
23.4k
    Loc ThisLoc = SVB.getCXXThis(MD, CalleeCtx);
801
23.4k
802
23.4k
    // If we devirtualized to a different member function, we need to make sure
803
23.4k
    // we have the proper layering of CXXBaseObjectRegions.
804
23.4k
    if (MD->getCanonicalDecl() != getDecl()->getCanonicalDecl()) {
805
31
      ASTContext &Ctx = SVB.getContext();
806
31
      const CXXRecordDecl *Class = MD->getParent();
807
31
      QualType Ty = Ctx.getPointerType(Ctx.getRecordType(Class));
808
31
809
31
      // FIXME: CallEvent maybe shouldn't be directly accessing StoreManager.
810
31
      bool Failed;
811
31
      ThisVal = StateMgr.getStoreManager().attemptDownCast(ThisVal, Ty, Failed);
812
31
      if (Failed) {
813
2
        // We might have suffered some sort of placement new earlier, so
814
2
        // we're constructing in a completely unexpected storage.
815
2
        // Fall back to a generic pointer cast for this-value.
816
2
        const CXXMethodDecl *StaticMD = cast<CXXMethodDecl>(getDecl());
817
2
        const CXXRecordDecl *StaticClass = StaticMD->getParent();
818
2
        QualType StaticTy = Ctx.getPointerType(Ctx.getRecordType(StaticClass));
819
2
        ThisVal = SVB.evalCast(ThisVal, Ty, StaticTy);
820
2
      }
821
31
    }
822
23.4k
823
23.4k
    if (!ThisVal.isUnknown())
824
23.4k
      Bindings.push_back(std::make_pair(ThisLoc, ThisVal));
825
23.4k
  }
826
23.4k
}
827
828
72.2k
const Expr *CXXMemberCall::getCXXThisExpr() const {
829
72.2k
  return getOriginExpr()->getImplicitObjectArgument();
830
72.2k
}
831
832
43.6k
RuntimeDefinition CXXMemberCall::getRuntimeDefinition() const {
833
43.6k
  // C++11 [expr.call]p1: ...If the selected function is non-virtual, or if the
834
43.6k
  // id-expression in the class member access expression is a qualified-id,
835
43.6k
  // that function is called. Otherwise, its final overrider in the dynamic type
836
43.6k
  // of the object expression is called.
837
43.6k
  if (const auto *ME = dyn_cast<MemberExpr>(getOriginExpr()->getCallee()))
838
43.6k
    if (ME->hasQualifier())
839
149
      return AnyFunctionCall::getRuntimeDefinition();
840
43.5k
841
43.5k
  return CXXInstanceCall::getRuntimeDefinition();
842
43.5k
}
843
844
12.1k
const Expr *CXXMemberOperatorCall::getCXXThisExpr() const {
845
12.1k
  return getOriginExpr()->getArg(0);
846
12.1k
}
847
848
2.69k
const BlockDataRegion *BlockCall::getBlockRegion() const {
849
2.69k
  const Expr *Callee = getOriginExpr()->getCallee();
850
2.69k
  const MemRegion *DataReg = getSVal(Callee).getAsRegion();
851
2.69k
852
2.69k
  return dyn_cast_or_null<BlockDataRegion>(DataReg);
853
2.69k
}
854
855
482
ArrayRef<ParmVarDecl*> BlockCall::parameters() const {
856
482
  const BlockDecl *D = getDecl();
857
482
  if (!D)
858
11
    return None;
859
471
  return D->parameters();
860
471
}
861
862
void BlockCall::getExtraInvalidatedValues(ValueList &Values,
863
18
                  RegionAndSymbolInvalidationTraits *ETraits) const {
864
18
  // FIXME: This also needs to invalidate captured globals.
865
18
  if (const MemRegion *R = getBlockRegion())
866
8
    Values.push_back(loc::MemRegionVal(R));
867
18
}
868
869
void BlockCall::getInitialStackFrameContents(const StackFrameContext *CalleeCtx,
870
174
                                             BindingsTy &Bindings) const {
871
174
  SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
872
174
  ArrayRef<ParmVarDecl*> Params;
873
174
  if (isConversionFromLambda()) {
874
7
    auto *LambdaOperatorDecl = cast<CXXMethodDecl>(CalleeCtx->getDecl());
875
7
    Params = LambdaOperatorDecl->parameters();
876
7
877
7
    // For blocks converted from a C++ lambda, the callee declaration is the
878
7
    // operator() method on the lambda so we bind "this" to
879
7
    // the lambda captured by the block.
880
7
    const VarRegion *CapturedLambdaRegion = getRegionStoringCapturedLambda();
881
7
    SVal ThisVal = loc::MemRegionVal(CapturedLambdaRegion);
882
7
    Loc ThisLoc = SVB.getCXXThis(LambdaOperatorDecl, CalleeCtx);
883
7
    Bindings.push_back(std::make_pair(ThisLoc, ThisVal));
884
167
  } else {
885
167
    Params = cast<BlockDecl>(CalleeCtx->getDecl())->parameters();
886
167
  }
887
174
888
174
  addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this,
889
174
                               Params);
890
174
}
891
892
68.5k
SVal CXXConstructorCall::getCXXThisVal() const {
893
68.5k
  if (Data)
894
68.5k
    return loc::MemRegionVal(static_cast<const MemRegion *>(Data));
895
0
  return UnknownVal();
896
0
}
897
898
void CXXConstructorCall::getExtraInvalidatedValues(ValueList &Values,
899
1.36k
                           RegionAndSymbolInvalidationTraits *ETraits) const {
900
1.36k
  if (Data) {
901
1.36k
    loc::MemRegionVal MV(static_cast<const MemRegion *>(Data));
902
1.36k
    if (SymbolRef Sym = MV.getAsSymbol(true))
903
116
      ETraits->setTrait(Sym,
904
116
                        RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
905
1.36k
    Values.push_back(MV);
906
1.36k
  }
907
1.36k
}
908
909
void CXXConstructorCall::getInitialStackFrameContents(
910
                                             const StackFrameContext *CalleeCtx,
911
16.9k
                                             BindingsTy &Bindings) const {
912
16.9k
  AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings);
913
16.9k
914
16.9k
  SVal ThisVal = getCXXThisVal();
915
16.9k
  if (!ThisVal.isUnknown()) {
916
16.9k
    SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
917
16.9k
    const auto *MD = cast<CXXMethodDecl>(CalleeCtx->getDecl());
918
16.9k
    Loc ThisLoc = SVB.getCXXThis(MD, CalleeCtx);
919
16.9k
    Bindings.push_back(std::make_pair(ThisLoc, ThisVal));
920
16.9k
  }
921
16.9k
}
922
923
5.13k
SVal CXXDestructorCall::getCXXThisVal() const {
924
5.13k
  if (Data)
925
5.13k
    return loc::MemRegionVal(DtorDataTy::getFromOpaqueValue(Data).getPointer());
926
0
  return UnknownVal();
927
0
}
928
929
1.77k
RuntimeDefinition CXXDestructorCall::getRuntimeDefinition() const {
930
1.77k
  // Base destructors are always called non-virtually.
931
1.77k
  // Skip CXXInstanceCall's devirtualization logic in this case.
932
1.77k
  if (isBaseDestructor())
933
117
    return AnyFunctionCall::getRuntimeDefinition();
934
1.65k
935
1.65k
  return CXXInstanceCall::getRuntimeDefinition();
936
1.65k
}
937
938
22.0k
ArrayRef<ParmVarDecl*> ObjCMethodCall::parameters() const {
939
22.0k
  const ObjCMethodDecl *D = getDecl();
940
22.0k
  if (!D)
941
42
    return None;
942
22.0k
  return D->parameters();
943
22.0k
}
944
945
void ObjCMethodCall::getExtraInvalidatedValues(
946
3.42k
    ValueList &Values, RegionAndSymbolInvalidationTraits *ETraits) const {
947
3.42k
948
3.42k
  // If the method call is a setter for property known to be backed by
949
3.42k
  // an instance variable, don't invalidate the entire receiver, just
950
3.42k
  // the storage for that instance variable.
951
3.42k
  if (const ObjCPropertyDecl *PropDecl = getAccessedProperty()) {
952
147
    if (const ObjCIvarDecl *PropIvar = PropDecl->getPropertyIvarDecl()) {
953
62
      SVal IvarLVal = getState()->getLValue(PropIvar, getReceiverSVal());
954
62
      if (const MemRegion *IvarRegion = IvarLVal.getAsRegion()) {
955
61
        ETraits->setTrait(
956
61
          IvarRegion,
957
61
          RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
958
61
        ETraits->setTrait(
959
61
          IvarRegion,
960
61
          RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
961
61
        Values.push_back(IvarLVal);
962
61
      }
963
62
      return;
964
62
    }
965
3.36k
  }
966
3.36k
967
3.36k
  Values.push_back(getReceiverSVal());
968
3.36k
}
969
970
2.32k
SVal ObjCMethodCall::getSelfSVal() const {
971
2.32k
  const LocationContext *LCtx = getLocationContext();
972
2.32k
  const ImplicitParamDecl *SelfDecl = LCtx->getSelfDecl();
973
2.32k
  if (!SelfDecl)
974
318
    return SVal();
975
2.00k
  return getState()->getSVal(getState()->getRegion(SelfDecl, LCtx));
976
2.00k
}
977
978
27.6k
SVal ObjCMethodCall::getReceiverSVal() const {
979
27.6k
  // FIXME: Is this the best way to handle class receivers?
980
27.6k
  if (!isInstanceMessage())
981
4.11k
    return UnknownVal();
982
23.5k
983
23.5k
  if (const Expr *RecE = getOriginExpr()->getInstanceReceiver())
984
21.8k
    return getSVal(RecE);
985
1.75k
986
1.75k
  // An instance message with no expression means we are sending to super.
987
1.75k
  // In this case the object reference is the same as 'self'.
988
1.75k
  assert(getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance);
989
1.75k
  SVal SelfVal = getSelfSVal();
990
1.75k
  assert(SelfVal.isValid() && "Calling super but not in ObjC method");
991
1.75k
  return SelfVal;
992
1.75k
}
993
994
719
bool ObjCMethodCall::isReceiverSelfOrSuper() const {
995
719
  if (getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance ||
996
719
      
getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperClass528
)
997
191
      return true;
998
528
999
528
  if (!isInstanceMessage())
1000
13
    return false;
1001
515
1002
515
  SVal RecVal = getSVal(getOriginExpr()->getInstanceReceiver());
1003
515
1004
515
  return (RecVal == getSelfSVal());
1005
515
}
1006
1007
13
SourceRange ObjCMethodCall::getSourceRange() const {
1008
13
  switch (getMessageKind()) {
1009
13
  case OCM_Message:
1010
13
    return getOriginExpr()->getSourceRange();
1011
0
  case OCM_PropertyAccess:
1012
0
  case OCM_Subscript:
1013
0
    return getContainingPseudoObjectExpr()->getSourceRange();
1014
0
  }
1015
0
  llvm_unreachable("unknown message kind");
1016
0
}
1017
1018
using ObjCMessageDataTy = llvm::PointerIntPair<const PseudoObjectExpr *, 2>;
1019
1020
117
const PseudoObjectExpr *ObjCMethodCall::getContainingPseudoObjectExpr() const {
1021
117
  assert(Data && "Lazy lookup not yet performed.");
1022
117
  assert(getMessageKind() != OCM_Message && "Explicit message send.");
1023
117
  return ObjCMessageDataTy::getFromOpaqueValue(Data).getPointer();
1024
117
}
1025
1026
static const Expr *
1027
282
getSyntacticFromForPseudoObjectExpr(const PseudoObjectExpr *POE) {
1028
282
  const Expr *Syntactic = POE->getSyntacticForm();
1029
282
1030
282
  // This handles the funny case of assigning to the result of a getter.
1031
282
  // This can happen if the getter returns a non-const reference.
1032
282
  if (const auto *BO = dyn_cast<BinaryOperator>(Syntactic))
1033
140
    Syntactic = BO->getLHS();
1034
282
1035
282
  return Syntactic;
1036
282
}
1037
1038
7.83k
ObjCMessageKind ObjCMethodCall::getMessageKind() const {
1039
7.83k
  if (!Data) {
1040
3.75k
    // Find the parent, ignoring implicit casts.
1041
3.75k
    const ParentMap &PM = getLocationContext()->getParentMap();
1042
3.75k
    const Stmt *S = PM.getParentIgnoreParenCasts(getOriginExpr());
1043
3.75k
1044
3.75k
    // Check if parent is a PseudoObjectExpr.
1045
3.75k
    if (const auto *POE = dyn_cast_or_null<PseudoObjectExpr>(S)) {
1046
165
      const Expr *Syntactic = getSyntacticFromForPseudoObjectExpr(POE);
1047
165
1048
165
      ObjCMessageKind K;
1049
165
      switch (Syntactic->getStmtClass()) {
1050
126
      case Stmt::ObjCPropertyRefExprClass:
1051
126
        K = OCM_PropertyAccess;
1052
126
        break;
1053
38
      case Stmt::ObjCSubscriptRefExprClass:
1054
38
        K = OCM_Subscript;
1055
38
        break;
1056
1
      default:
1057
1
        // FIXME: Can this ever happen?
1058
1
        K = OCM_Message;
1059
1
        break;
1060
165
      }
1061
165
1062
165
      if (K != OCM_Message) {
1063
164
        const_cast<ObjCMethodCall *>(this)->Data
1064
164
          = ObjCMessageDataTy(POE, K).getOpaqueValue();
1065
164
        assert(getMessageKind() == K);
1066
164
        return K;
1067
164
      }
1068
3.59k
    }
1069
3.59k
1070
3.59k
    const_cast<ObjCMethodCall *>(this)->Data
1071
3.59k
      = ObjCMessageDataTy(nullptr, 1).getOpaqueValue();
1072
3.59k
    assert(getMessageKind() == OCM_Message);
1073
3.59k
    return OCM_Message;
1074
3.59k
  }
1075
4.08k
1076
4.08k
  ObjCMessageDataTy Info = ObjCMessageDataTy::getFromOpaqueValue(Data);
1077
4.08k
  if (!Info.getPointer())
1078
3.78k
    return OCM_Message;
1079
304
  return static_cast<ObjCMessageKind>(Info.getInt());
1080
304
}
1081
1082
3.44k
const ObjCPropertyDecl *ObjCMethodCall::getAccessedProperty() const {
1083
3.44k
  // Look for properties accessed with property syntax (foo.bar = ...)
1084
3.44k
  if (getMessageKind() == OCM_PropertyAccess) {
1085
117
    const PseudoObjectExpr *POE = getContainingPseudoObjectExpr();
1086
117
    assert(POE && "Property access without PseudoObjectExpr?");
1087
117
1088
117
    const Expr *Syntactic = getSyntacticFromForPseudoObjectExpr(POE);
1089
117
    auto *RefExpr = cast<ObjCPropertyRefExpr>(Syntactic);
1090
117
1091
117
    if (RefExpr->isExplicitProperty())
1092
99
      return RefExpr->getExplicitProperty();
1093
3.34k
  }
1094
3.34k
1095
3.34k
  // Look for properties accessed with method syntax ([foo setBar:...]).
1096
3.34k
  const ObjCMethodDecl *MD = getDecl();
1097
3.34k
  if (!MD || 
!MD->isPropertyAccessor()3.32k
)
1098
3.28k
    return nullptr;
1099
65
1100
65
  // Note: This is potentially quite slow.
1101
65
  return MD->findPropertyDecl();
1102
65
}
1103
1104
bool ObjCMethodCall::canBeOverridenInSubclass(ObjCInterfaceDecl *IDecl,
1105
1.37k
                                             Selector Sel) const {
1106
1.37k
  assert(IDecl);
1107
1.37k
  AnalysisManager &AMgr =
1108
1.37k
      getState()->getStateManager().getOwningEngine().getAnalysisManager();
1109
1.37k
  // If the class interface is declared inside the main file, assume it is not
1110
1.37k
  // subcassed.
1111
1.37k
  // TODO: It could actually be subclassed if the subclass is private as well.
1112
1.37k
  // This is probably very rare.
1113
1.37k
  SourceLocation InterfLoc = IDecl->getEndOfDefinitionLoc();
1114
1.37k
  if (InterfLoc.isValid() && AMgr.isInCodeFile(InterfLoc))
1115
1.23k
    return false;
1116
140
1117
140
  // Assume that property accessors are not overridden.
1118
140
  if (getMessageKind() == OCM_PropertyAccess)
1119
7
    return false;
1120
133
1121
133
  // We assume that if the method is public (declared outside of main file) or
1122
133
  // has a parent which publicly declares the method, the method could be
1123
133
  // overridden in a subclass.
1124
133
1125
133
  // Find the first declaration in the class hierarchy that declares
1126
133
  // the selector.
1127
133
  ObjCMethodDecl *D = nullptr;
1128
137
  while (true) {
1129
137
    D = IDecl->lookupMethod(Sel, true);
1130
137
1131
137
    // Cannot find a public definition.
1132
137
    if (!D)
1133
2
      return false;
1134
135
1135
135
    // If outside the main file,
1136
135
    if (D->getLocation().isValid() && !AMgr.isInCodeFile(D->getLocation()))
1137
128
      return true;
1138
7
1139
7
    if (D->isOverriding()) {
1140
4
      // Search in the superclass on the next iteration.
1141
4
      IDecl = D->getClassInterface();
1142
4
      if (!IDecl)
1143
0
        return false;
1144
4
1145
4
      IDecl = IDecl->getSuperClass();
1146
4
      if (!IDecl)
1147
0
        return false;
1148
4
1149
4
      continue;
1150
4
    }
1151
3
1152
3
    return false;
1153
3
  };
1154
0
1155
0
  llvm_unreachable("The while loop should always terminate.");
1156
133
}
1157
1158
20
static const ObjCMethodDecl *findDefiningRedecl(const ObjCMethodDecl *MD) {
1159
20
  if (!MD)
1160
0
    return MD;
1161
20
1162
20
  // Find the redeclaration that defines the method.
1163
20
  if (!MD->hasBody()) {
1164
20
    for (auto I : MD->redecls())
1165
29
      if (I->hasBody())
1166
9
        MD = cast<ObjCMethodDecl>(I);
1167
20
  }
1168
20
  return MD;
1169
20
}
1170
1171
737
static bool isCallToSelfClass(const ObjCMessageExpr *ME) {
1172
737
  const Expr* InstRec = ME->getInstanceReceiver();
1173
737
  if (!InstRec)
1174
668
    return false;
1175
69
  const auto *InstRecIg = dyn_cast<DeclRefExpr>(InstRec->IgnoreParenImpCasts());
1176
69
1177
69
  // Check that receiver is called 'self'.
1178
69
  if (!InstRecIg || 
!InstRecIg->getFoundDecl()21
||
1179
69
      
!InstRecIg->getFoundDecl()->getName().equals("self")21
)
1180
55
    return false;
1181
14
1182
14
  // Check that the method name is 'class'.
1183
14
  if (ME->getSelector().getNumArgs() != 0 ||
1184
14
      !ME->getSelector().getNameForSlot(0).equals("class"))
1185
11
    return false;
1186
3
1187
3
  return true;
1188
3
}
1189
1190
4.07k
RuntimeDefinition ObjCMethodCall::getRuntimeDefinition() const {
1191
4.07k
  const ObjCMessageExpr *E = getOriginExpr();
1192
4.07k
  assert(E);
1193
4.07k
  Selector Sel = E->getSelector();
1194
4.07k
1195
4.07k
  if (E->isInstanceMessage()) {
1196
3.08k
    // Find the receiver type.
1197
3.08k
    const ObjCObjectPointerType *ReceiverT = nullptr;
1198
3.08k
    bool CanBeSubClassed = false;
1199
3.08k
    QualType SupersType = E->getSuperType();
1200
3.08k
    const MemRegion *Receiver = nullptr;
1201
3.08k
1202
3.08k
    if (!SupersType.isNull()) {
1203
317
      // The receiver is guaranteed to be 'super' in this case.
1204
317
      // Super always means the type of immediate predecessor to the method
1205
317
      // where the call occurs.
1206
317
      ReceiverT = cast<ObjCObjectPointerType>(SupersType);
1207
2.76k
    } else {
1208
2.76k
      Receiver = getReceiverSVal().getAsRegion();
1209
2.76k
      if (!Receiver)
1210
6
        return {};
1211
2.76k
1212
2.76k
      DynamicTypeInfo DTI = getDynamicTypeInfo(getState(), Receiver);
1213
2.76k
      if (!DTI.isValid()) {
1214
1
        assert(isa<AllocaRegion>(Receiver) &&
1215
1
               "Unhandled untyped region class!");
1216
1
        return {};
1217
1
      }
1218
2.76k
1219
2.76k
      QualType DynType = DTI.getType();
1220
2.76k
      CanBeSubClassed = DTI.canBeASubClass();
1221
2.76k
      ReceiverT = dyn_cast<ObjCObjectPointerType>(DynType.getCanonicalType());
1222
2.76k
1223
2.76k
      if (ReceiverT && 
CanBeSubClassed2.63k
)
1224
1.63k
        if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterfaceDecl())
1225
1.37k
          if (!canBeOverridenInSubclass(IDecl, Sel))
1226
1.24k
            CanBeSubClassed = false;
1227
2.76k
    }
1228
3.08k
1229
3.08k
    // Handle special cases of '[self classMethod]' and
1230
3.08k
    // '[[self class] classMethod]', which are treated by the compiler as
1231
3.08k
    // instance (not class) messages. We will statically dispatch to those.
1232
3.08k
    
if (auto *3.07k
PT3.07k
= dyn_cast_or_null<ObjCObjectPointerType>(ReceiverT)) {
1233
2.95k
      // For [self classMethod], return the compiler visible declaration.
1234
2.95k
      if (PT->getObjectType()->isObjCClass() &&
1235
2.95k
          
Receiver == getSelfSVal().getAsRegion()30
)
1236
17
        return RuntimeDefinition(findDefiningRedecl(E->getMethodDecl()));
1237
2.93k
1238
2.93k
      // Similarly, handle [[self class] classMethod].
1239
2.93k
      // TODO: We are currently doing a syntactic match for this pattern with is
1240
2.93k
      // limiting as the test cases in Analysis/inlining/InlineObjCClassMethod.m
1241
2.93k
      // shows. A better way would be to associate the meta type with the symbol
1242
2.93k
      // using the dynamic type info tracking and use it here. We can add a new
1243
2.93k
      // SVal for ObjC 'Class' values that know what interface declaration they
1244
2.93k
      // come from. Then 'self' in a class method would be filled in with
1245
2.93k
      // something meaningful in ObjCMethodCall::getReceiverSVal() and we could
1246
2.93k
      // do proper dynamic dispatch for class methods just like we do for
1247
2.93k
      // instance methods now.
1248
2.93k
      if (E->getInstanceReceiver())
1249
2.61k
        if (const auto *M = dyn_cast<ObjCMessageExpr>(E->getInstanceReceiver()))
1250
737
          if (isCallToSelfClass(M))
1251
3
            return RuntimeDefinition(findDefiningRedecl(E->getMethodDecl()));
1252
3.05k
    }
1253
3.05k
1254
3.05k
    // Lookup the instance method implementation.
1255
3.05k
    if (ReceiverT)
1256
2.93k
      if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterfaceDecl()) {
1257
2.69k
        // Repeatedly calling lookupPrivateMethod() is expensive, especially
1258
2.69k
        // when in many cases it returns null.  We cache the results so
1259
2.69k
        // that repeated queries on the same ObjCIntefaceDecl and Selector
1260
2.69k
        // don't incur the same cost.  On some test cases, we can see the
1261
2.69k
        // same query being issued thousands of times.
1262
2.69k
        //
1263
2.69k
        // NOTE: This cache is essentially a "global" variable, but it
1264
2.69k
        // only gets lazily created when we get here.  The value of the
1265
2.69k
        // cache probably comes from it being global across ExprEngines,
1266
2.69k
        // where the same queries may get issued.  If we are worried about
1267
2.69k
        // concurrency, or possibly loading/unloading ASTs, etc., we may
1268
2.69k
        // need to revisit this someday.  In terms of memory, this table
1269
2.69k
        // stays around until clang quits, which also may be bad if we
1270
2.69k
        // need to release memory.
1271
2.69k
        using PrivateMethodKey = std::pair<const ObjCInterfaceDecl *, Selector>;
1272
2.69k
        using PrivateMethodCache =
1273
2.69k
            llvm::DenseMap<PrivateMethodKey, Optional<const ObjCMethodDecl *>>;
1274
2.69k
1275
2.69k
        static PrivateMethodCache PMC;
1276
2.69k
        Optional<const ObjCMethodDecl *> &Val = PMC[std::make_pair(IDecl, Sel)];
1277
2.69k
1278
2.69k
        // Query lookupPrivateMethod() if the cache does not hit.
1279
2.69k
        if (!Val.hasValue()) {
1280
933
          Val = IDecl->lookupPrivateMethod(Sel);
1281
933
1282
933
          // If the method is a property accessor, we should try to "inline" it
1283
933
          // even if we don't actually have an implementation.
1284
933
          if (!*Val)
1285
654
            if (const ObjCMethodDecl *CompileTimeMD = E->getMethodDecl())
1286
648
              if (CompileTimeMD->isPropertyAccessor()) {
1287
28
                if (!CompileTimeMD->getSelfDecl() &&
1288
28
                    
isa<ObjCCategoryDecl>(CompileTimeMD->getDeclContext())0
) {
1289
0
                  // If the method is an accessor in a category, and it doesn't
1290
0
                  // have a self declaration, first
1291
0
                  // try to find the method in a class extension. This
1292
0
                  // works around a bug in Sema where multiple accessors
1293
0
                  // are synthesized for properties in class
1294
0
                  // extensions that are redeclared in a category and the
1295
0
                  // the implicit parameters are not filled in for
1296
0
                  // the method on the category.
1297
0
                  // This ensures we find the accessor in the extension, which
1298
0
                  // has the implicit parameters filled in.
1299
0
                  auto *ID = CompileTimeMD->getClassInterface();
1300
0
                  for (auto *CatDecl : ID->visible_extensions()) {
1301
0
                    Val = CatDecl->getMethod(Sel,
1302
0
                                             CompileTimeMD->isInstanceMethod());
1303
0
                    if (*Val)
1304
0
                      break;
1305
0
                  }
1306
0
                }
1307
28
                if (!*Val)
1308
28
                  Val = IDecl->lookupInstanceMethod(Sel);
1309
28
              }
1310
933
        }
1311
2.69k
1312
2.69k
        const ObjCMethodDecl *MD = Val.getValue();
1313
2.69k
        if (MD && 
!MD->hasBody()721
)
1314
398
          MD = MD->getCanonicalDecl();
1315
2.69k
        if (CanBeSubClassed)
1316
128
          return RuntimeDefinition(MD, Receiver);
1317
2.56k
        else
1318
2.56k
          return RuntimeDefinition(MD, nullptr);
1319
987
      }
1320
987
  } else {
1321
987
    // This is a class method.
1322
987
    // If we have type info for the receiver class, we are calling via
1323
987
    // class name.
1324
987
    if (ObjCInterfaceDecl *IDecl = E->getReceiverInterface()) {
1325
987
      // Find/Return the method implementation.
1326
987
      return RuntimeDefinition(IDecl->lookupPrivateClassMethod(Sel));
1327
987
    }
1328
364
  }
1329
364
1330
364
  return {};
1331
364
}
1332
1333
3.48k
bool ObjCMethodCall::argumentsMayEscape() const {
1334
3.48k
  if (isInSystemHeader() && 
!isInstanceMessage()458
) {
1335
121
    Selector Sel = getSelector();
1336
121
    if (Sel.getNumArgs() == 1 &&
1337
121
        
Sel.getIdentifierInfoForSlot(0)->isStr("valueWithPointer")5
)
1338
2
      return true;
1339
3.48k
  }
1340
3.48k
1341
3.48k
  return CallEvent::argumentsMayEscape();
1342
3.48k
}
1343
1344
void ObjCMethodCall::getInitialStackFrameContents(
1345
                                             const StackFrameContext *CalleeCtx,
1346
520
                                             BindingsTy &Bindings) const {
1347
520
  const auto *D = cast<ObjCMethodDecl>(CalleeCtx->getDecl());
1348
520
  SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
1349
520
  addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this,
1350
520
                               D->parameters());
1351
520
1352
520
  SVal SelfVal = getReceiverSVal();
1353
520
  if (!SelfVal.isUnknown()) {
1354
472
    const VarDecl *SelfD = CalleeCtx->getAnalysisDeclContext()->getSelfDecl();
1355
472
    MemRegionManager &MRMgr = SVB.getRegionManager();
1356
472
    Loc SelfLoc = SVB.makeLoc(MRMgr.getVarRegion(SelfD, CalleeCtx));
1357
472
    Bindings.push_back(std::make_pair(SelfLoc, SelfVal));
1358
472
  }
1359
520
}
1360
1361
CallEventRef<>
1362
CallEventManager::getSimpleCall(const CallExpr *CE, ProgramStateRef State,
1363
207k
                                const LocationContext *LCtx) {
1364
207k
  if (const auto *MCE = dyn_cast<CXXMemberCallExpr>(CE))
1365
84.0k
    return create<CXXMemberCall>(MCE, State, LCtx);
1366
123k
1367
123k
  if (const auto *OpCE = dyn_cast<CXXOperatorCallExpr>(CE)) {
1368
6.85k
    const FunctionDecl *DirectCallee = OpCE->getDirectCallee();
1369
6.85k
    if (const auto *MD = dyn_cast<CXXMethodDecl>(DirectCallee))
1370
6.74k
      if (MD->isInstance())
1371
6.74k
        return create<CXXMemberOperatorCall>(OpCE, State, LCtx);
1372
116k
1373
116k
  } else if (CE->getCallee()->getType()->isBlockPointerType()) {
1374
576
    return create<BlockCall>(CE, State, LCtx);
1375
576
  }
1376
116k
1377
116k
  // Otherwise, it's a normal function call, static member function call, or
1378
116k
  // something we can't reason about.
1379
116k
  return create<SimpleFunctionCall>(CE, State, LCtx);
1380
116k
}
1381
1382
CallEventRef<>
1383
CallEventManager::getCaller(const StackFrameContext *CalleeCtx,
1384
158k
                            ProgramStateRef State) {
1385
158k
  const LocationContext *ParentCtx = CalleeCtx->getParent();
1386
158k
  const LocationContext *CallerCtx = ParentCtx->getStackFrame();
1387
158k
  assert(CallerCtx && "This should not be used for top-level stack frames");
1388
158k
1389
158k
  const Stmt *CallSite = CalleeCtx->getCallSite();
1390
158k
1391
158k
  if (CallSite) {
1392
157k
    if (CallEventRef<> Out = getCall(CallSite, State, CallerCtx))
1393
119k
      return Out;
1394
38.0k
1395
38.0k
    // All other cases are handled by getCall.
1396
38.0k
    assert(isa<CXXConstructExpr>(CallSite) &&
1397
38.0k
           "This is not an inlineable statement");
1398
38.0k
1399
38.0k
    SValBuilder &SVB = State->getStateManager().getSValBuilder();
1400
38.0k
    const auto *Ctor = cast<CXXMethodDecl>(CalleeCtx->getDecl());
1401
38.0k
    Loc ThisPtr = SVB.getCXXThis(Ctor, CalleeCtx);
1402
38.0k
    SVal ThisVal = State->getSVal(ThisPtr);
1403
38.0k
1404
38.0k
    return getCXXConstructorCall(cast<CXXConstructExpr>(CallSite),
1405
38.0k
                                 ThisVal.getAsRegion(), State, CallerCtx);
1406
38.0k
  }
1407
1.42k
1408
1.42k
  // Fall back to the CFG. The only thing we haven't handled yet is
1409
1.42k
  // destructors, though this could change in the future.
1410
1.42k
  const CFGBlock *B = CalleeCtx->getCallSiteBlock();
1411
1.42k
  CFGElement E = (*B)[CalleeCtx->getIndex()];
1412
1.42k
  assert((E.getAs<CFGImplicitDtor>() || E.getAs<CFGTemporaryDtor>()) &&
1413
1.42k
         "All other CFG elements should have exprs");
1414
1.42k
1415
1.42k
  SValBuilder &SVB = State->getStateManager().getSValBuilder();
1416
1.42k
  const auto *Dtor = cast<CXXDestructorDecl>(CalleeCtx->getDecl());
1417
1.42k
  Loc ThisPtr = SVB.getCXXThis(Dtor, CalleeCtx);
1418
1.42k
  SVal ThisVal = State->getSVal(ThisPtr);
1419
1.42k
1420
1.42k
  const Stmt *Trigger;
1421
1.42k
  if (Optional<CFGAutomaticObjDtor> AutoDtor = E.getAs<CFGAutomaticObjDtor>())
1422
841
    Trigger = AutoDtor->getTriggerStmt();
1423
582
  else if (Optional<CFGDeleteDtor> DeleteDtor = E.getAs<CFGDeleteDtor>())
1424
100
    Trigger = DeleteDtor->getDeleteExpr();
1425
482
  else
1426
482
    Trigger = Dtor->getBody();
1427
1.42k
1428
1.42k
  return getCXXDestructorCall(Dtor, Trigger, ThisVal.getAsRegion(),
1429
1.42k
                              E.getAs<CFGBaseDtor>().hasValue(), State,
1430
1.42k
                              CallerCtx);
1431
1.42k
}
1432
1433
CallEventRef<> CallEventManager::getCall(const Stmt *S, ProgramStateRef State,
1434
157k
                                         const LocationContext *LC) {
1435
157k
  if (const auto *CE = dyn_cast<CallExpr>(S)) {
1436
106k
    return getSimpleCall(CE, State, LC);
1437
106k
  } else 
if (const auto *51.2k
NE51.2k
= dyn_cast<CXXNewExpr>(S)) {
1438
11.4k
    return getCXXAllocatorCall(NE, State, LC);
1439
39.7k
  } else if (const auto *ME = dyn_cast<ObjCMessageExpr>(S)) {
1440
1.72k
    return getObjCMethodCall(ME, State, LC);
1441
38.0k
  } else {
1442
38.0k
    return nullptr;
1443
38.0k
  }
1444
157k
}