Coverage Report

Created: 2020-02-25 14:32

/Users/buildslave/jenkins/workspace/coverage/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
Line
Count
Source (jump to first uncovered line)
1
//===- ExprEngine.cpp - Path-Sensitive Expression-Level Dataflow ----------===//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
//  This file defines a meta-engine for path-sensitive dataflow analysis that
10
//  is built on GREngine, but provides the boilerplate to execute transfer
11
//  functions and build the ExplodedGraph at the expression level.
12
//
13
//===----------------------------------------------------------------------===//
14
15
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
16
#include "PrettyStackTraceLocationContext.h"
17
#include "clang/AST/ASTContext.h"
18
#include "clang/AST/Decl.h"
19
#include "clang/AST/DeclBase.h"
20
#include "clang/AST/DeclCXX.h"
21
#include "clang/AST/DeclObjC.h"
22
#include "clang/AST/Expr.h"
23
#include "clang/AST/ExprCXX.h"
24
#include "clang/AST/ExprObjC.h"
25
#include "clang/AST/ParentMap.h"
26
#include "clang/AST/PrettyPrinter.h"
27
#include "clang/AST/Stmt.h"
28
#include "clang/AST/StmtCXX.h"
29
#include "clang/AST/StmtObjC.h"
30
#include "clang/AST/Type.h"
31
#include "clang/Analysis/AnalysisDeclContext.h"
32
#include "clang/Analysis/CFG.h"
33
#include "clang/Analysis/ConstructionContext.h"
34
#include "clang/Analysis/ProgramPoint.h"
35
#include "clang/Basic/IdentifierTable.h"
36
#include "clang/Basic/JsonSupport.h"
37
#include "clang/Basic/LLVM.h"
38
#include "clang/Basic/LangOptions.h"
39
#include "clang/Basic/PrettyStackTrace.h"
40
#include "clang/Basic/SourceLocation.h"
41
#include "clang/Basic/SourceManager.h"
42
#include "clang/Basic/Specifiers.h"
43
#include "clang/StaticAnalyzer/Core/AnalyzerOptions.h"
44
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
45
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
46
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
47
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
48
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
49
#include "clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h"
50
#include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h"
51
#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
52
#include "clang/StaticAnalyzer/Core/PathSensitive/LoopUnrolling.h"
53
#include "clang/StaticAnalyzer/Core/PathSensitive/LoopWidening.h"
54
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
55
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
56
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
57
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
58
#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
59
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
60
#include "clang/StaticAnalyzer/Core/PathSensitive/Store.h"
61
#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
62
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
63
#include "llvm/ADT/APSInt.h"
64
#include "llvm/ADT/DenseMap.h"
65
#include "llvm/ADT/ImmutableMap.h"
66
#include "llvm/ADT/ImmutableSet.h"
67
#include "llvm/ADT/Optional.h"
68
#include "llvm/ADT/SmallVector.h"
69
#include "llvm/ADT/Statistic.h"
70
#include "llvm/Support/Casting.h"
71
#include "llvm/Support/Compiler.h"
72
#include "llvm/Support/DOTGraphTraits.h"
73
#include "llvm/Support/ErrorHandling.h"
74
#include "llvm/Support/GraphWriter.h"
75
#include "llvm/Support/SaveAndRestore.h"
76
#include "llvm/Support/raw_ostream.h"
77
#include <cassert>
78
#include <cstdint>
79
#include <memory>
80
#include <string>
81
#include <tuple>
82
#include <utility>
83
#include <vector>
84
85
using namespace clang;
86
using namespace ento;
87
88
#define DEBUG_TYPE "ExprEngine"
89
90
STATISTIC(NumRemoveDeadBindings,
91
            "The # of times RemoveDeadBindings is called");
92
STATISTIC(NumMaxBlockCountReached,
93
            "The # of aborted paths due to reaching the maximum block count in "
94
            "a top level function");
95
STATISTIC(NumMaxBlockCountReachedInInlined,
96
            "The # of aborted paths due to reaching the maximum block count in "
97
            "an inlined function");
98
STATISTIC(NumTimesRetriedWithoutInlining,
99
            "The # of times we re-evaluated a call without inlining");
100
101
//===----------------------------------------------------------------------===//
102
// Internal program state traits.
103
//===----------------------------------------------------------------------===//
104
105
namespace {
106
107
// When modeling a C++ constructor, for a variety of reasons we need to track
108
// the location of the object for the duration of its ConstructionContext.
109
// ObjectsUnderConstruction maps statements within the construction context
110
// to the object's location, so that on every such statement the location
111
// could have been retrieved.
112
113
/// ConstructedObjectKey is used for being able to find the path-sensitive
114
/// memory region of a freshly constructed object while modeling the AST node
115
/// that syntactically represents the object that is being constructed.
116
/// Semantics of such nodes may sometimes require access to the region that's
117
/// not otherwise present in the program state, or to the very fact that
118
/// the construction context was present and contained references to these
119
/// AST nodes.
120
class ConstructedObjectKey {
121
  typedef std::pair<ConstructionContextItem, const LocationContext *>
122
      ConstructedObjectKeyImpl;
123
124
  const ConstructedObjectKeyImpl Impl;
125
126
0
  const void *getAnyASTNodePtr() const {
127
0
    if (const Stmt *S = getItem().getStmtOrNull())
128
0
      return S;
129
0
    else
130
0
      return getItem().getCXXCtorInitializer();
131
0
  }
132
133
public:
134
  explicit ConstructedObjectKey(const ConstructionContextItem &Item,
135
                       const LocationContext *LC)
136
410k
      : Impl(Item, LC) {}
137
138
612
  const ConstructionContextItem &getItem() const { return Impl.first; }
139
157k
  const LocationContext *getLocationContext() const { return Impl.second; }
140
141
40
  ASTContext &getASTContext() const {
142
40
    return getLocationContext()->getDecl()->getASTContext();
143
40
  }
144
145
  void printJson(llvm::raw_ostream &Out, PrinterHelper *Helper,
146
40
                 PrintingPolicy &PP) const {
147
40
    const Stmt *S = getItem().getStmtOrNull();
148
40
    const CXXCtorInitializer *I = nullptr;
149
40
    if (!S)
150
5
      I = getItem().getCXXCtorInitializer();
151
40
152
40
    if (S)
153
35
      Out << "\"stmt_id\": " << S->getID(getASTContext());
154
5
    else
155
5
      Out << "\"init_id\": " << I->getID(getASTContext());
156
40
157
40
    // Kind
158
40
    Out << ", \"kind\": \"" << getItem().getKindAsString()
159
40
        << "\", \"argument_index\": ";
160
40
161
40
    if (getItem().getKind() == ConstructionContextItem::ArgumentKind)
162
0
      Out << getItem().getIndex();
163
40
    else
164
40
      Out << "null";
165
40
166
40
    // Pretty-print
167
40
    Out << ", \"pretty\": ";
168
40
169
40
    if (S) {
170
35
      S->printJson(Out, Helper, PP, /*AddQuotes=*/true);
171
35
    } else {
172
5
      Out << '\"' << I->getAnyMember()->getNameAsString() << '\"';
173
5
    }
174
40
  }
175
176
139k
  void Profile(llvm::FoldingSetNodeID &ID) const {
177
139k
    ID.Add(Impl.first);
178
139k
    ID.AddPointer(Impl.second);
179
139k
  }
180
181
663k
  bool operator==(const ConstructedObjectKey &RHS) const {
182
663k
    return Impl == RHS.Impl;
183
663k
  }
184
185
372k
  bool operator<(const ConstructedObjectKey &RHS) const {
186
372k
    return Impl < RHS.Impl;
187
372k
  }
188
};
189
} // namespace
190
191
typedef llvm::ImmutableMap<ConstructedObjectKey, SVal>
192
    ObjectsUnderConstructionMap;
193
REGISTER_TRAIT_WITH_PROGRAMSTATE(ObjectsUnderConstruction,
194
                                 ObjectsUnderConstructionMap)
195
196
//===----------------------------------------------------------------------===//
197
// Engine construction and deletion.
198
//===----------------------------------------------------------------------===//
199
200
static const char* TagProviderName = "ExprEngine";
201
202
ExprEngine::ExprEngine(cross_tu::CrossTranslationUnitContext &CTU,
203
                       AnalysisManager &mgr,
204
                       SetOfConstDecls *VisitedCalleesIn,
205
                       FunctionSummariesTy *FS,
206
                       InliningModes HowToInlineIn)
207
    : CTU(CTU), AMgr(mgr),
208
      AnalysisDeclContexts(mgr.getAnalysisDeclContextManager()),
209
      Engine(*this, FS, mgr.getAnalyzerOptions()), G(Engine.getGraph()),
210
      StateMgr(getContext(), mgr.getStoreManagerCreator(),
211
               mgr.getConstraintManagerCreator(), G.getAllocator(),
212
               this),
213
      SymMgr(StateMgr.getSymbolManager()),
214
      MRMgr(StateMgr.getRegionManager()),
215
      svalBuilder(StateMgr.getSValBuilder()),
216
      ObjCNoRet(mgr.getASTContext()),
217
      BR(mgr, *this),
218
      VisitedCallees(VisitedCalleesIn),
219
      HowToInline(HowToInlineIn)
220
12.6k
  {
221
12.6k
  unsigned TrimInterval = mgr.options.GraphTrimInterval;
222
12.6k
  if (TrimInterval != 0) {
223
12.6k
    // Enable eager node reclamation when constructing the ExplodedGraph.
224
12.6k
    G.enableNodeReclamation(TrimInterval);
225
12.6k
  }
226
12.6k
}
227
228
//===----------------------------------------------------------------------===//
229
// Utility methods.
230
//===----------------------------------------------------------------------===//
231
232
12.6k
ProgramStateRef ExprEngine::getInitialState(const LocationContext *InitLoc) {
233
12.6k
  ProgramStateRef state = StateMgr.getInitialState(InitLoc);
234
12.6k
  const Decl *D = InitLoc->getDecl();
235
12.6k
236
12.6k
  // Preconditions.
237
12.6k
  // FIXME: It would be nice if we had a more general mechanism to add
238
12.6k
  // such preconditions.  Some day.
239
12.6k
  do {
240
12.6k
    if (const auto *FD = dyn_cast<FunctionDecl>(D)) {
241
11.4k
      // Precondition: the first argument of 'main' is an integer guaranteed
242
11.4k
      //  to be > 0.
243
11.4k
      const IdentifierInfo *II = FD->getIdentifier();
244
11.4k
      if (!II || 
!(10.2k
II->getName() == "main"10.2k
&&
FD->getNumParams() > 059
))
245
11.4k
        break;
246
5
247
5
      const ParmVarDecl *PD = FD->getParamDecl(0);
248
5
      QualType T = PD->getType();
249
5
      const auto *BT = dyn_cast<BuiltinType>(T);
250
5
      if (!BT || !BT->isInteger())
251
0
        break;
252
5
253
5
      const MemRegion *R = state->getRegion(PD, InitLoc);
254
5
      if (!R)
255
0
        break;
256
5
257
5
      SVal V = state->getSVal(loc::MemRegionVal(R));
258
5
      SVal Constraint_untested = evalBinOp(state, BO_GT, V,
259
5
                                           svalBuilder.makeZeroVal(T),
260
5
                                           svalBuilder.getConditionType());
261
5
262
5
      Optional<DefinedOrUnknownSVal> Constraint =
263
5
          Constraint_untested.getAs<DefinedOrUnknownSVal>();
264
5
265
5
      if (!Constraint)
266
0
        break;
267
5
268
5
      if (ProgramStateRef newState = state->assume(*Constraint, true))
269
5
        state = newState;
270
5
    }
271
12.6k
    
break1.22k
;
272
0
  }
273
0
  while (false);
274
12.6k
275
12.6k
  if (const auto *
MD0
= dyn_cast<ObjCMethodDecl>(D)) {
276
993
    // Precondition: 'self' is always non-null upon entry to an Objective-C
277
993
    // method.
278
993
    const ImplicitParamDecl *SelfD = MD->getSelfDecl();
279
993
    const MemRegion *R = state->getRegion(SelfD, InitLoc);
280
993
    SVal V = state->getSVal(loc::MemRegionVal(R));
281
993
282
993
    if (Optional<Loc> LV = V.getAs<Loc>()) {
283
993
      // Assume that the pointer value in 'self' is non-null.
284
993
      state = state->assume(*LV, true);
285
993
      assert(state && "'self' cannot be null");
286
993
    }
287
993
  }
288
12.6k
289
12.6k
  if (const auto *
MD0
= dyn_cast<CXXMethodDecl>(D)) {
290
1.40k
    if (!MD->isStatic()) {
291
1.39k
      // Precondition: 'this' is always non-null upon entry to the
292
1.39k
      // top-level function.  This is our starting assumption for
293
1.39k
      // analyzing an "open" program.
294
1.39k
      const StackFrameContext *SFC = InitLoc->getStackFrame();
295
1.39k
      if (SFC->getParent() == nullptr) {
296
1.39k
        loc::MemRegionVal L = svalBuilder.getCXXThis(MD, SFC);
297
1.39k
        SVal V = state->getSVal(L);
298
1.39k
        if (Optional<Loc> LV = V.getAs<Loc>()) {
299
1.39k
          state = state->assume(*LV, true);
300
1.39k
          assert(state && "'this' cannot be null");
301
1.39k
        }
302
1.39k
      }
303
1.39k
    }
304
1.40k
  }
305
12.6k
306
12.6k
  return state;
307
12.6k
}
308
309
ProgramStateRef ExprEngine::createTemporaryRegionIfNeeded(
310
    ProgramStateRef State, const LocationContext *LC,
311
    const Expr *InitWithAdjustments, const Expr *Result,
312
92.5k
    const SubRegion **OutRegionWithAdjustments) {
313
92.5k
  // FIXME: This function is a hack that works around the quirky AST
314
92.5k
  // we're often having with respect to C++ temporaries. If only we modelled
315
92.5k
  // the actual execution order of statements properly in the CFG,
316
92.5k
  // all the hassle with adjustments would not be necessary,
317
92.5k
  // and perhaps the whole function would be removed.
318
92.5k
  SVal InitValWithAdjustments = State->getSVal(InitWithAdjustments, LC);
319
92.5k
  if (!Result) {
320
81.3k
    // If we don't have an explicit result expression, we're in "if needed"
321
81.3k
    // mode. Only create a region if the current value is a NonLoc.
322
81.3k
    if (!InitValWithAdjustments.getAs<NonLoc>()) {
323
81.2k
      if (OutRegionWithAdjustments)
324
51.1k
        *OutRegionWithAdjustments = nullptr;
325
81.2k
      return State;
326
81.2k
    }
327
48
    Result = InitWithAdjustments;
328
11.2k
  } else {
329
11.2k
    // We need to create a region no matter what. For sanity, make sure we don't
330
11.2k
    // try to stuff a Loc into a non-pointer temporary region.
331
11.2k
    assert(!InitValWithAdjustments.getAs<Loc>() ||
332
11.2k
           Loc::isLocType(Result->getType()) ||
333
11.2k
           Result->getType()->isMemberPointerType());
334
11.2k
  }
335
92.5k
336
92.5k
  ProgramStateManager &StateMgr = State->getStateManager();
337
11.2k
  MemRegionManager &MRMgr = StateMgr.getRegionManager();
338
11.2k
  StoreManager &StoreMgr = StateMgr.getStoreManager();
339
11.2k
340
11.2k
  // MaterializeTemporaryExpr may appear out of place, after a few field and
341
11.2k
  // base-class accesses have been made to the object, even though semantically
342
11.2k
  // it is the whole object that gets materialized and lifetime-extended.
343
11.2k
  //
344
11.2k
  // For example:
345
11.2k
  //
346
11.2k
  //   `-MaterializeTemporaryExpr
347
11.2k
  //     `-MemberExpr
348
11.2k
  //       `-CXXTemporaryObjectExpr
349
11.2k
  //
350
11.2k
  // instead of the more natural
351
11.2k
  //
352
11.2k
  //   `-MemberExpr
353
11.2k
  //     `-MaterializeTemporaryExpr
354
11.2k
  //       `-CXXTemporaryObjectExpr
355
11.2k
  //
356
11.2k
  // Use the usual methods for obtaining the expression of the base object,
357
11.2k
  // and record the adjustments that we need to make to obtain the sub-object
358
11.2k
  // that the whole expression 'Ex' refers to. This trick is usual,
359
11.2k
  // in the sense that CodeGen takes a similar route.
360
11.2k
361
11.2k
  SmallVector<const Expr *, 2> CommaLHSs;
362
11.2k
  SmallVector<SubobjectAdjustment, 2> Adjustments;
363
11.2k
364
11.2k
  const Expr *Init = InitWithAdjustments->skipRValueSubobjectAdjustments(
365
11.2k
      CommaLHSs, Adjustments);
366
11.2k
367
11.2k
  // Take the region for Init, i.e. for the whole object. If we do not remember
368
11.2k
  // the region in which the object originally was constructed, come up with
369
11.2k
  // a new temporary region out of thin air and copy the contents of the object
370
11.2k
  // (which are currently present in the Environment, because Init is an rvalue)
371
11.2k
  // into that region. This is not correct, but it is better than nothing.
372
11.2k
  const TypedValueRegion *TR = nullptr;
373
11.2k
  if (const auto *MT = dyn_cast<MaterializeTemporaryExpr>(Result)) {
374
11.1k
    if (Optional<SVal> V = getObjectUnderConstruction(State, MT, LC)) {
375
8.41k
      State = finishObjectConstruction(State, MT, LC);
376
8.41k
      State = State->BindExpr(Result, LC, *V);
377
8.41k
      return State;
378
8.41k
    } else {
379
2.74k
      StorageDuration SD = MT->getStorageDuration();
380
2.74k
      // If this object is bound to a reference with static storage duration, we
381
2.74k
      // put it in a different region to prevent "address leakage" warnings.
382
2.74k
      if (SD == SD_Static || 
SD == SD_Thread2.74k
) {
383
1
        TR = MRMgr.getCXXStaticTempObjectRegion(Init);
384
2.74k
      } else {
385
2.74k
        TR = MRMgr.getCXXTempObjectRegion(Init, LC);
386
2.74k
      }
387
2.74k
    }
388
11.1k
  } else {
389
86
    TR = MRMgr.getCXXTempObjectRegion(Init, LC);
390
86
  }
391
11.2k
392
11.2k
  SVal Reg = loc::MemRegionVal(TR);
393
2.83k
  SVal BaseReg = Reg;
394
2.83k
395
2.83k
  // Make the necessary adjustments to obtain the sub-object.
396
2.83k
  for (auto I = Adjustments.rbegin(), E = Adjustments.rend(); I != E; 
++I5
) {
397
5
    const SubobjectAdjustment &Adj = *I;
398
5
    switch (Adj.Kind) {
399
1
    case SubobjectAdjustment::DerivedToBaseAdjustment:
400
1
      Reg = StoreMgr.evalDerivedToBase(Reg, Adj.DerivedToBase.BasePath);
401
1
      break;
402
4
    case SubobjectAdjustment::FieldAdjustment:
403
4
      Reg = StoreMgr.getLValueField(Adj.Field, Reg);
404
4
      break;
405
0
    case SubobjectAdjustment::MemberPointerAdjustment:
406
0
      // FIXME: Unimplemented.
407
0
      State = State->invalidateRegions(Reg, InitWithAdjustments,
408
0
                                       currBldrCtx->blockCount(), LC, true,
409
0
                                       nullptr, nullptr, nullptr);
410
0
      return State;
411
5
    }
412
5
  }
413
2.83k
414
2.83k
  // What remains is to copy the value of the object to the new region.
415
2.83k
  // FIXME: In other words, what we should always do is copy value of the
416
2.83k
  // Init expression (which corresponds to the bigger object) to the whole
417
2.83k
  // temporary region TR. However, this value is often no longer present
418
2.83k
  // in the Environment. If it has disappeared, we instead invalidate TR.
419
2.83k
  // Still, what we can do is assign the value of expression Ex (which
420
2.83k
  // corresponds to the sub-object) to the TR's sub-region Reg. At least,
421
2.83k
  // values inside Reg would be correct.
422
2.83k
  SVal InitVal = State->getSVal(Init, LC);
423
2.83k
  if (InitVal.isUnknown()) {
424
2.15k
    InitVal = getSValBuilder().conjureSymbolVal(Result, LC, Init->getType(),
425
2.15k
                                                currBldrCtx->blockCount());
426
2.15k
    State = State->bindLoc(BaseReg.castAs<Loc>(), InitVal, LC, false);
427
2.15k
428
2.15k
    // Then we'd need to take the value that certainly exists and bind it
429
2.15k
    // over.
430
2.15k
    if (InitValWithAdjustments.isUnknown()) {
431
2.15k
      // Try to recover some path sensitivity in case we couldn't
432
2.15k
      // compute the value.
433
2.15k
      InitValWithAdjustments = getSValBuilder().conjureSymbolVal(
434
2.15k
          Result, LC, InitWithAdjustments->getType(),
435
2.15k
          currBldrCtx->blockCount());
436
2.15k
    }
437
2.15k
    State =
438
2.15k
        State->bindLoc(Reg.castAs<Loc>(), InitValWithAdjustments, LC, false);
439
2.15k
  } else {
440
677
    State = State->bindLoc(BaseReg.castAs<Loc>(), InitVal, LC, false);
441
677
  }
442
2.83k
443
2.83k
  // The result expression would now point to the correct sub-region of the
444
2.83k
  // newly created temporary region. Do this last in order to getSVal of Init
445
2.83k
  // correctly in case (Result == Init).
446
2.83k
  if (Result->isGLValue()) {
447
2.78k
    State = State->BindExpr(Result, LC, Reg);
448
2.78k
  } else {
449
48
    State = State->BindExpr(Result, LC, InitValWithAdjustments);
450
48
  }
451
2.83k
452
2.83k
  // Notify checkers once for two bindLoc()s.
453
2.83k
  State = processRegionChange(State, TR, LC);
454
2.83k
455
2.83k
  if (OutRegionWithAdjustments)
456
48
    *OutRegionWithAdjustments = cast<SubRegion>(Reg.getAsRegion());
457
2.83k
  return State;
458
2.83k
}
459
460
ProgramStateRef
461
ExprEngine::addObjectUnderConstruction(ProgramStateRef State,
462
                                       const ConstructionContextItem &Item,
463
46.1k
                                       const LocationContext *LC, SVal V) {
464
46.1k
  ConstructedObjectKey Key(Item, LC->getStackFrame());
465
46.1k
  // FIXME: Currently the state might already contain the marker due to
466
46.1k
  // incorrect handling of temporaries bound to default parameters.
467
46.1k
  assert(!State->get<ObjectsUnderConstruction>(Key) ||
468
46.1k
         Key.getItem().getKind() ==
469
46.1k
             ConstructionContextItem::TemporaryDestructorKind);
470
46.1k
  return State->set<ObjectsUnderConstruction>(Key, V);
471
46.1k
}
472
473
Optional<SVal>
474
ExprEngine::getObjectUnderConstruction(ProgramStateRef State,
475
                                       const ConstructionContextItem &Item,
476
312k
                                       const LocationContext *LC) {
477
312k
  ConstructedObjectKey Key(Item, LC->getStackFrame());
478
312k
  return Optional<SVal>::create(State->get<ObjectsUnderConstruction>(Key));
479
312k
}
480
481
ProgramStateRef
482
ExprEngine::finishObjectConstruction(ProgramStateRef State,
483
                                     const ConstructionContextItem &Item,
484
50.8k
                                     const LocationContext *LC) {
485
50.8k
  ConstructedObjectKey Key(Item, LC->getStackFrame());
486
50.8k
  assert(State->contains<ObjectsUnderConstruction>(Key));
487
50.8k
  return State->remove<ObjectsUnderConstruction>(Key);
488
50.8k
}
489
490
ProgramStateRef ExprEngine::elideDestructor(ProgramStateRef State,
491
                                            const CXXBindTemporaryExpr *BTE,
492
317
                                            const LocationContext *LC) {
493
317
  ConstructedObjectKey Key({BTE, /*IsElided=*/true}, LC);
494
317
  // FIXME: Currently the state might already contain the marker due to
495
317
  // incorrect handling of temporaries bound to default parameters.
496
317
  return State->set<ObjectsUnderConstruction>(Key, UnknownVal());
497
317
}
498
499
ProgramStateRef
500
ExprEngine::cleanupElidedDestructor(ProgramStateRef State,
501
                                    const CXXBindTemporaryExpr *BTE,
502
149
                                    const LocationContext *LC) {
503
149
  ConstructedObjectKey Key({BTE, /*IsElided=*/true}, LC);
504
149
  assert(State->contains<ObjectsUnderConstruction>(Key));
505
149
  return State->remove<ObjectsUnderConstruction>(Key);
506
149
}
507
508
bool ExprEngine::isDestructorElided(ProgramStateRef State,
509
                                    const CXXBindTemporaryExpr *BTE,
510
1.05k
                                    const LocationContext *LC) {
511
1.05k
  ConstructedObjectKey Key({BTE, /*IsElided=*/true}, LC);
512
1.05k
  return State->contains<ObjectsUnderConstruction>(Key);
513
1.05k
}
514
515
bool ExprEngine::areAllObjectsFullyConstructed(ProgramStateRef State,
516
                                               const LocationContext *FromLC,
517
99.9k
                                               const LocationContext *ToLC) {
518
99.9k
  const LocationContext *LC = FromLC;
519
199k
  while (LC != ToLC) {
520
99.9k
    assert(LC && "ToLC must be a parent of FromLC!");
521
99.9k
    for (auto I : State->get<ObjectsUnderConstruction>())
522
78.3k
      if (I.first.getLocationContext() == LC)
523
0
        return false;
524
99.9k
525
99.9k
    LC = LC->getParent();
526
99.9k
  }
527
99.9k
  return true;
528
99.9k
}
529
530
531
//===----------------------------------------------------------------------===//
532
// Top-level transfer function logic (Dispatcher).
533
//===----------------------------------------------------------------------===//
534
535
/// evalAssume - Called by ConstraintManager. Used to call checker-specific
536
///  logic for handling assumptions on symbolic values.
537
ProgramStateRef ExprEngine::processAssume(ProgramStateRef state,
538
888k
                                              SVal cond, bool assumption) {
539
888k
  return getCheckerManager().runCheckersForEvalAssume(state, cond, assumption);
540
888k
}
541
542
ProgramStateRef
543
ExprEngine::processRegionChanges(ProgramStateRef state,
544
                                 const InvalidatedSymbols *invalidated,
545
                                 ArrayRef<const MemRegion *> Explicits,
546
                                 ArrayRef<const MemRegion *> Regions,
547
                                 const LocationContext *LCtx,
548
152k
                                 const CallEvent *Call) {
549
152k
  return getCheckerManager().runCheckersForRegionChanges(state, invalidated,
550
152k
                                                         Explicits, Regions,
551
152k
                                                         LCtx, Call);
552
152k
}
553
554
static void
555
printObjectsUnderConstructionJson(raw_ostream &Out, ProgramStateRef State,
556
                                  const char *NL, const LocationContext *LCtx,
557
40
                                  unsigned int Space = 0, bool IsDot = false) {
558
40
  PrintingPolicy PP =
559
40
      LCtx->getAnalysisDeclContext()->getASTContext().getPrintingPolicy();
560
40
561
40
  ++Space;
562
40
  bool HasItem = false;
563
40
564
40
  // Store the last key.
565
40
  const ConstructedObjectKey *LastKey = nullptr;
566
56
  for (const auto &I : State->get<ObjectsUnderConstruction>()) {
567
56
    const ConstructedObjectKey &Key = I.first;
568
56
    if (Key.getLocationContext() != LCtx)
569
16
      continue;
570
40
571
40
    if (!HasItem) {
572
34
      Out << "[" << NL;
573
34
      HasItem = true;
574
34
    }
575
40
576
40
    LastKey = &Key;
577
40
  }
578
40
579
56
  for (const auto &I : State->get<ObjectsUnderConstruction>()) {
580
56
    const ConstructedObjectKey &Key = I.first;
581
56
    SVal Value = I.second;
582
56
    if (Key.getLocationContext() != LCtx)
583
16
      continue;
584
40
585
40
    Indent(Out, Space, IsDot) << "{ ";
586
40
    Key.printJson(Out, nullptr, PP);
587
40
    Out << ", \"value\": \"" << Value << "\" }";
588
40
589
40
    if (&Key != LastKey)
590
6
      Out << ',';
591
40
    Out << NL;
592
40
  }
593
40
594
40
  if (HasItem)
595
34
    Indent(Out, --Space, IsDot) << ']'; // End of "location_context".
596
6
  else {
597
6
    Out << "null ";
598
6
  }
599
40
}
600
601
void ExprEngine::printJson(raw_ostream &Out, ProgramStateRef State,
602
                           const LocationContext *LCtx, const char *NL,
603
107
                           unsigned int Space, bool IsDot) const {
604
107
  Indent(Out, Space, IsDot) << "\"constructing_objects\": ";
605
107
606
107
  if (LCtx && 
!State->get<ObjectsUnderConstruction>().isEmpty()88
) {
607
29
    ++Space;
608
29
    Out << '[' << NL;
609
40
    LCtx->printJson(Out, NL, Space, IsDot, [&](const LocationContext *LC) {
610
40
      printObjectsUnderConstructionJson(Out, State, NL, LC, Space, IsDot);
611
40
    });
612
29
613
29
    --Space;
614
29
    Indent(Out, Space, IsDot) << "]," << NL; // End of "constructing_objects".
615
78
  } else {
616
78
    Out << "null," << NL;
617
78
  }
618
107
619
107
  getCheckerManager().runCheckersForPrintStateJson(Out, State, NL, Space,
620
107
                                                   IsDot);
621
107
}
622
623
12.6k
void ExprEngine::processEndWorklist() {
624
12.6k
  getCheckerManager().runCheckersForEndAnalysis(G, BR, *this);
625
12.6k
}
626
627
void ExprEngine::processCFGElement(const CFGElement E, ExplodedNode *Pred,
628
1.19M
                                   unsigned StmtIdx, NodeBuilderContext *Ctx) {
629
1.19M
  PrettyStackTraceLocationContext CrashInfo(Pred->getLocationContext());
630
1.19M
  currStmtIdx = StmtIdx;
631
1.19M
  currBldrCtx = Ctx;
632
1.19M
633
1.19M
  switch (E.getKind()) {
634
1.16M
    case CFGElement::Statement:
635
1.16M
    case CFGElement::Constructor:
636
1.16M
    case CFGElement::CXXRecordTypedCall:
637
1.16M
      ProcessStmt(E.castAs<CFGStmt>().getStmt(), Pred);
638
1.16M
      return;
639
1.16M
    case CFGElement::Initializer:
640
13.2k
      ProcessInitializer(E.castAs<CFGInitializer>(), Pred);
641
13.2k
      return;
642
1.16M
    case CFGElement::NewAllocator:
643
6.43k
      ProcessNewAllocator(E.castAs<CFGNewAllocator>().getAllocatorExpr(),
644
6.43k
                          Pred);
645
6.43k
      return;
646
1.16M
    case CFGElement::AutomaticObjectDtor:
647
1.96k
    case CFGElement::DeleteDtor:
648
1.96k
    case CFGElement::BaseDtor:
649
1.96k
    case CFGElement::MemberDtor:
650
1.96k
    case CFGElement::TemporaryDtor:
651
1.96k
      ProcessImplicitDtor(E.castAs<CFGImplicitDtor>(), Pred);
652
1.96k
      return;
653
1.96k
    case CFGElement::LoopExit:
654
142
      ProcessLoopExit(E.castAs<CFGLoopExit>().getLoopStmt(), Pred);
655
142
      return;
656
1.96k
    case CFGElement::LifetimeEnds:
657
0
    case CFGElement::ScopeBegin:
658
0
    case CFGElement::ScopeEnd:
659
0
      return;
660
1.19M
  }
661
1.19M
}
662
663
static bool shouldRemoveDeadBindings(AnalysisManager &AMgr,
664
                                     const Stmt *S,
665
                                     const ExplodedNode *Pred,
666
1.16M
                                     const LocationContext *LC) {
667
1.16M
  // Are we never purging state values?
668
1.16M
  if (AMgr.options.AnalysisPurgeOpt == PurgeNone)
669
739
    return false;
670
1.16M
671
1.16M
  // Is this the beginning of a basic block?
672
1.16M
  if (Pred->getLocation().getAs<BlockEntrance>())
673
135k
    return true;
674
1.03M
675
1.03M
  // Is this on a non-expression?
676
1.03M
  if (!isa<Expr>(S))
677
66.5k
    return true;
678
966k
679
966k
  // Run before processing a call.
680
966k
  if (CallEvent::isCallStmt(S))
681
135k
    return true;
682
831k
683
831k
  // Is this an expression that is consumed by another expression?  If so,
684
831k
  // postpone cleaning out the state.
685
831k
  ParentMap &PM = LC->getAnalysisDeclContext()->getParentMap();
686
831k
  return !PM.isConsumedExpr(cast<Expr>(S));
687
831k
}
688
689
void ExprEngine::removeDead(ExplodedNode *Pred, ExplodedNodeSet &Out,
690
                            const Stmt *ReferenceStmt,
691
                            const LocationContext *LC,
692
                            const Stmt *DiagnosticStmt,
693
470k
                            ProgramPoint::Kind K) {
694
470k
  assert((K == ProgramPoint::PreStmtPurgeDeadSymbolsKind ||
695
470k
          ReferenceStmt == nullptr || isa<ReturnStmt>(ReferenceStmt))
696
470k
          && "PostStmt is not generally supported by the SymbolReaper yet");
697
470k
  assert(LC && "Must pass the current (or expiring) LocationContext");
698
470k
699
470k
  if (!DiagnosticStmt) {
700
382k
    DiagnosticStmt = ReferenceStmt;
701
382k
    assert(DiagnosticStmt && "Required for clearing a LocationContext");
702
382k
  }
703
470k
704
470k
  NumRemoveDeadBindings++;
705
470k
  ProgramStateRef CleanedState = Pred->getState();
706
470k
707
470k
  // LC is the location context being destroyed, but SymbolReaper wants a
708
470k
  // location context that is still live. (If this is the top-level stack
709
470k
  // frame, this will be null.)
710
470k
  if (!ReferenceStmt) {
711
81.9k
    assert(K == ProgramPoint::PostStmtPurgeDeadSymbolsKind &&
712
81.9k
           "Use PostStmtPurgeDeadSymbolsKind for clearing a LocationContext");
713
81.9k
    LC = LC->getParent();
714
81.9k
  }
715
470k
716
470k
  const StackFrameContext *SFC = LC ? 
LC->getStackFrame()455k
:
nullptr14.9k
;
717
470k
  SymbolReaper SymReaper(SFC, ReferenceStmt, SymMgr, getStoreManager());
718
470k
719
470k
  for (auto I : CleanedState->get<ObjectsUnderConstruction>()) {
720
303k
    if (SymbolRef Sym = I.second.getAsSymbol())
721
2.21k
      SymReaper.markLive(Sym);
722
303k
    if (const MemRegion *MR = I.second.getAsRegion())
723
292k
      SymReaper.markLive(MR);
724
303k
  }
725
470k
726
470k
  getCheckerManager().runCheckersForLiveSymbols(CleanedState, SymReaper);
727
470k
728
470k
  // Create a state in which dead bindings are removed from the environment
729
470k
  // and the store. TODO: The function should just return new env and store,
730
470k
  // not a new state.
731
470k
  CleanedState = StateMgr.removeDeadBindingsFromEnvironmentAndStore(
732
470k
      CleanedState, SFC, SymReaper);
733
470k
734
470k
  // Process any special transfer function for dead symbols.
735
470k
  // A tag to track convenience transitions, which can be removed at cleanup.
736
470k
  static SimpleProgramPointTag cleanupTag(TagProviderName, "Clean Node");
737
470k
  // Call checkers with the non-cleaned state so that they could query the
738
470k
  // values of the soon to be dead symbols.
739
470k
  ExplodedNodeSet CheckedSet;
740
470k
  getCheckerManager().runCheckersForDeadSymbols(CheckedSet, Pred, SymReaper,
741
470k
                                                DiagnosticStmt, *this, K);
742
470k
743
470k
  // For each node in CheckedSet, generate CleanedNodes that have the
744
470k
  // environment, the store, and the constraints cleaned up but have the
745
470k
  // user-supplied states as the predecessors.
746
470k
  StmtNodeBuilder Bldr(CheckedSet, Out, *currBldrCtx);
747
470k
  for (const auto I : CheckedSet) {
748
470k
    ProgramStateRef CheckerState = I->getState();
749
470k
750
470k
    // The constraint manager has not been cleaned up yet, so clean up now.
751
470k
    CheckerState =
752
470k
        getConstraintManager().removeDeadBindings(CheckerState, SymReaper);
753
470k
754
470k
    assert(StateMgr.haveEqualEnvironments(CheckerState, Pred->getState()) &&
755
470k
           "Checkers are not allowed to modify the Environment as a part of "
756
470k
           "checkDeadSymbols processing.");
757
470k
    assert(StateMgr.haveEqualStores(CheckerState, Pred->getState()) &&
758
470k
           "Checkers are not allowed to modify the Store as a part of "
759
470k
           "checkDeadSymbols processing.");
760
470k
761
470k
    // Create a state based on CleanedState with CheckerState GDM and
762
470k
    // generate a transition to that state.
763
470k
    ProgramStateRef CleanedCheckerSt =
764
470k
        StateMgr.getPersistentStateWithGDM(CleanedState, CheckerState);
765
470k
    Bldr.generateNode(DiagnosticStmt, I, CleanedCheckerSt, &cleanupTag, K);
766
470k
  }
767
470k
}
768
769
1.16M
void ExprEngine::ProcessStmt(const Stmt *currStmt, ExplodedNode *Pred) {
770
1.16M
  // Reclaim any unnecessary nodes in the ExplodedGraph.
771
1.16M
  G.reclaimRecentlyAllocatedNodes();
772
1.16M
773
1.16M
  PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
774
1.16M
                                currStmt->getBeginLoc(),
775
1.16M
                                "Error evaluating statement");
776
1.16M
777
1.16M
  // Remove dead bindings and symbols.
778
1.16M
  ExplodedNodeSet CleanedStates;
779
1.16M
  if (shouldRemoveDeadBindings(AMgr, currStmt, Pred,
780
1.16M
                               Pred->getLocationContext())) {
781
382k
    removeDead(Pred, CleanedStates, currStmt,
782
382k
                                    Pred->getLocationContext());
783
382k
  } else
784
787k
    CleanedStates.Add(Pred);
785
1.16M
786
1.16M
  // Visit the statement.
787
1.16M
  ExplodedNodeSet Dst;
788
1.16M
  for (const auto I : CleanedStates) {
789
1.16M
    ExplodedNodeSet DstI;
790
1.16M
    // Visit the statement.
791
1.16M
    Visit(currStmt, I, DstI);
792
1.16M
    Dst.insert(DstI);
793
1.16M
  }
794
1.16M
795
1.16M
  // Enqueue the new nodes onto the work list.
796
1.16M
  Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx);
797
1.16M
}
798
799
142
void ExprEngine::ProcessLoopExit(const Stmt* S, ExplodedNode *Pred) {
800
142
  PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
801
142
                                S->getBeginLoc(),
802
142
                                "Error evaluating end of the loop");
803
142
  ExplodedNodeSet Dst;
804
142
  Dst.Add(Pred);
805
142
  NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
806
142
  ProgramStateRef NewState = Pred->getState();
807
142
808
142
  if(AMgr.options.ShouldUnrollLoops)
809
142
    NewState = processLoopEnd(S, NewState);
810
142
811
142
  LoopExit PP(S, Pred->getLocationContext());
812
142
  Bldr.generateNode(PP, NewState, Pred);
813
142
  // Enqueue the new nodes onto the work list.
814
142
  Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx);
815
142
}
816
817
void ExprEngine::ProcessInitializer(const CFGInitializer CFGInit,
818
13.2k
                                    ExplodedNode *Pred) {
819
13.2k
  const CXXCtorInitializer *BMI = CFGInit.getInitializer();
820
13.2k
  const Expr *Init = BMI->getInit()->IgnoreImplicit();
821
13.2k
  const LocationContext *LC = Pred->getLocationContext();
822
13.2k
823
13.2k
  PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
824
13.2k
                                BMI->getSourceLocation(),
825
13.2k
                                "Error evaluating initializer");
826
13.2k
827
13.2k
  // We don't clean up dead bindings here.
828
13.2k
  const auto *stackFrame = cast<StackFrameContext>(Pred->getLocationContext());
829
13.2k
  const auto *decl = cast<CXXConstructorDecl>(stackFrame->getDecl());
830
13.2k
831
13.2k
  ProgramStateRef State = Pred->getState();
832
13.2k
  SVal thisVal = State->getSVal(svalBuilder.getCXXThis(decl, stackFrame));
833
13.2k
834
13.2k
  ExplodedNodeSet Tmp;
835
13.2k
  SVal FieldLoc;
836
13.2k
837
13.2k
  // Evaluate the initializer, if necessary
838
13.2k
  if (BMI->isAnyMemberInitializer()) {
839
12.5k
    // Constructors build the object directly in the field,
840
12.5k
    // but non-objects must be copied in from the initializer.
841
12.5k
    if (getObjectUnderConstruction(State, BMI, LC)) {
842
2.53k
      // The field was directly constructed, so there is no need to bind.
843
2.53k
      // But we still need to stop tracking the object under construction.
844
2.53k
      State = finishObjectConstruction(State, BMI, LC);
845
2.53k
      NodeBuilder Bldr(Pred, Tmp, *currBldrCtx);
846
2.53k
      PostStore PS(Init, LC, /*Loc*/ nullptr, /*tag*/ nullptr);
847
2.53k
      Bldr.generateNode(PS, State, Pred);
848
9.98k
    } else {
849
9.98k
      const ValueDecl *Field;
850
9.98k
      if (BMI->isIndirectMemberInitializer()) {
851
4
        Field = BMI->getIndirectMember();
852
4
        FieldLoc = State->getLValue(BMI->getIndirectMember(), thisVal);
853
9.98k
      } else {
854
9.98k
        Field = BMI->getMember();
855
9.98k
        FieldLoc = State->getLValue(BMI->getMember(), thisVal);
856
9.98k
      }
857
9.98k
858
9.98k
      SVal InitVal;
859
9.98k
      if (Init->getType()->isArrayType()) {
860
41
        // Handle arrays of trivial type. We can represent this with a
861
41
        // primitive load/copy from the base array region.
862
41
        const ArraySubscriptExpr *ASE;
863
41
        while ((ASE = dyn_cast<ArraySubscriptExpr>(Init)))
864
0
          Init = ASE->getBase()->IgnoreImplicit();
865
41
866
41
        SVal LValue = State->getSVal(Init, stackFrame);
867
41
        if (!Field->getType()->isReferenceType())
868
37
          if (Optional<Loc> LValueLoc = LValue.getAs<Loc>())
869
6
            InitVal = State->getSVal(*LValueLoc);
870
41
871
41
        // If we fail to get the value for some reason, use a symbolic value.
872
41
        if (InitVal.isUnknownOrUndef()) {
873
35
          SValBuilder &SVB = getSValBuilder();
874
35
          InitVal = SVB.conjureSymbolVal(BMI->getInit(), stackFrame,
875
35
                                         Field->getType(),
876
35
                                         currBldrCtx->blockCount());
877
35
        }
878
9.94k
      } else {
879
9.94k
        InitVal = State->getSVal(BMI->getInit(), stackFrame);
880
9.94k
      }
881
9.98k
882
9.98k
      PostInitializer PP(BMI, FieldLoc.getAsRegion(), stackFrame);
883
9.98k
      evalBind(Tmp, Init, Pred, FieldLoc, InitVal, /*isInit=*/true, &PP);
884
9.98k
    }
885
12.5k
  } else {
886
744
    assert(BMI->isBaseInitializer() || BMI->isDelegatingInitializer());
887
744
    Tmp.insert(Pred);
888
744
    // We already did all the work when visiting the CXXConstructExpr.
889
744
  }
890
13.2k
891
13.2k
  // Construct PostInitializer nodes whether the state changed or not,
892
13.2k
  // so that the diagnostics don't get confused.
893
13.2k
  PostInitializer PP(BMI, FieldLoc.getAsRegion(), stackFrame);
894
13.2k
  ExplodedNodeSet Dst;
895
13.2k
  NodeBuilder Bldr(Tmp, Dst, *currBldrCtx);
896
13.2k
  for (const auto I : Tmp) {
897
13.2k
    ProgramStateRef State = I->getState();
898
13.2k
    Bldr.generateNode(PP, State, I);
899
13.2k
  }
900
13.2k
901
13.2k
  // Enqueue the new nodes onto the work list.
902
13.2k
  Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx);
903
13.2k
}
904
905
void ExprEngine::ProcessImplicitDtor(const CFGImplicitDtor D,
906
1.96k
                                     ExplodedNode *Pred) {
907
1.96k
  ExplodedNodeSet Dst;
908
1.96k
  switch (D.getKind()) {
909
621
  case CFGElement::AutomaticObjectDtor:
910
621
    ProcessAutomaticObjDtor(D.castAs<CFGAutomaticObjDtor>(), Pred, Dst);
911
621
    break;
912
122
  case CFGElement::BaseDtor:
913
122
    ProcessBaseDtor(D.castAs<CFGBaseDtor>(), Pred, Dst);
914
122
    break;
915
54
  case CFGElement::MemberDtor:
916
54
    ProcessMemberDtor(D.castAs<CFGMemberDtor>(), Pred, Dst);
917
54
    break;
918
1.05k
  case CFGElement::TemporaryDtor:
919
1.05k
    ProcessTemporaryDtor(D.castAs<CFGTemporaryDtor>(), Pred, Dst);
920
1.05k
    break;
921
106
  case CFGElement::DeleteDtor:
922
106
    ProcessDeleteDtor(D.castAs<CFGDeleteDtor>(), Pred, Dst);
923
106
    break;
924
0
  default:
925
0
    llvm_unreachable("Unexpected dtor kind.");
926
1.96k
  }
927
1.96k
928
1.96k
  // Enqueue the new nodes onto the work list.
929
1.96k
  Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx);
930
1.96k
}
931
932
void ExprEngine::ProcessNewAllocator(const CXXNewExpr *NE,
933
6.43k
                                     ExplodedNode *Pred) {
934
6.43k
  ExplodedNodeSet Dst;
935
6.43k
  AnalysisManager &AMgr = getAnalysisManager();
936
6.43k
  AnalyzerOptions &Opts = AMgr.options;
937
6.43k
  // TODO: We're not evaluating allocators for all cases just yet as
938
6.43k
  // we're not handling the return value correctly, which causes false
939
6.43k
  // positives when the alpha.cplusplus.NewDeleteLeaks check is on.
940
6.43k
  if (Opts.MayInlineCXXAllocator)
941
6.42k
    VisitCXXNewAllocatorCall(NE, Pred, Dst);
942
7
  else {
943
7
    NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
944
7
    const LocationContext *LCtx = Pred->getLocationContext();
945
7
    PostImplicitCall PP(NE->getOperatorNew(), NE->getBeginLoc(), LCtx);
946
7
    Bldr.generateNode(PP, Pred->getState(), Pred);
947
7
  }
948
6.43k
  Engine.enqueue(Dst, currBldrCtx->getBlock(), currStmtIdx);
949
6.43k
}
950
951
void ExprEngine::ProcessAutomaticObjDtor(const CFGAutomaticObjDtor Dtor,
952
                                         ExplodedNode *Pred,
953
621
                                         ExplodedNodeSet &Dst) {
954
621
  const VarDecl *varDecl = Dtor.getVarDecl();
955
621
  QualType varType = varDecl->getType();
956
621
957
621
  ProgramStateRef state = Pred->getState();
958
621
  SVal dest = state->getLValue(varDecl, Pred->getLocationContext());
959
621
  const MemRegion *Region = dest.castAs<loc::MemRegionVal>().getRegion();
960
621
961
621
  if (varType->isReferenceType()) {
962
103
    const MemRegion *ValueRegion = state->getSVal(Region).getAsRegion();
963
103
    if (!ValueRegion) {
964
4
      // FIXME: This should not happen. The language guarantees a presence
965
4
      // of a valid initializer here, so the reference shall not be undefined.
966
4
      // It seems that we're calling destructors over variables that
967
4
      // were not initialized yet.
968
4
      return;
969
4
    }
970
99
    Region = ValueRegion->getBaseRegion();
971
99
    varType = cast<TypedValueRegion>(Region)->getValueType();
972
99
  }
973
621
974
621
  // FIXME: We need to run the same destructor on every element of the array.
975
621
  // This workaround will just run the first destructor (which will still
976
621
  // invalidate the entire array).
977
621
  EvalCallOptions CallOpts;
978
617
  Region = makeZeroElementRegion(state, loc::MemRegionVal(Region), varType,
979
617
                                 CallOpts.IsArrayCtorOrDtor).getAsRegion();
980
617
981
617
  VisitCXXDestructor(varType, Region, Dtor.getTriggerStmt(),
982
617
                     /*IsBase=*/false, Pred, Dst, CallOpts);
983
617
}
984
985
void ExprEngine::ProcessDeleteDtor(const CFGDeleteDtor Dtor,
986
                                   ExplodedNode *Pred,
987
106
                                   ExplodedNodeSet &Dst) {
988
106
  ProgramStateRef State = Pred->getState();
989
106
  const LocationContext *LCtx = Pred->getLocationContext();
990
106
  const CXXDeleteExpr *DE = Dtor.getDeleteExpr();
991
106
  const Stmt *Arg = DE->getArgument();
992
106
  QualType DTy = DE->getDestroyedType();
993
106
  SVal ArgVal = State->getSVal(Arg, LCtx);
994
106
995
106
  // If the argument to delete is known to be a null value,
996
106
  // don't run destructor.
997
106
  if (State->isNull(ArgVal).isConstrainedTrue()) {
998
9
    QualType BTy = getContext().getBaseElementType(DTy);
999
9
    const CXXRecordDecl *RD = BTy->getAsCXXRecordDecl();
1000
9
    const CXXDestructorDecl *Dtor = RD->getDestructor();
1001
9
1002
9
    PostImplicitCall PP(Dtor, DE->getBeginLoc(), LCtx);
1003
9
    NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
1004
9
    Bldr.generateNode(PP, Pred->getState(), Pred);
1005
9
    return;
1006
9
  }
1007
97
1008
97
  EvalCallOptions CallOpts;
1009
97
  const MemRegion *ArgR = ArgVal.getAsRegion();
1010
97
  if (DE->isArrayForm()) {
1011
12
    // FIXME: We need to run the same destructor on every element of the array.
1012
12
    // This workaround will just run the first destructor (which will still
1013
12
    // invalidate the entire array).
1014
12
    CallOpts.IsArrayCtorOrDtor = true;
1015
12
    // Yes, it may even be a multi-dimensional array.
1016
20
    while (const auto *AT = getContext().getAsArrayType(DTy))
1017
8
      DTy = AT->getElementType();
1018
12
    if (ArgR)
1019
12
      ArgR = getStoreManager().GetElementZeroRegion(cast<SubRegion>(ArgR), DTy);
1020
12
  }
1021
97
1022
97
  VisitCXXDestructor(DTy, ArgR, DE, /*IsBase=*/false, Pred, Dst, CallOpts);
1023
97
}
1024
1025
void ExprEngine::ProcessBaseDtor(const CFGBaseDtor D,
1026
122
                                 ExplodedNode *Pred, ExplodedNodeSet &Dst) {
1027
122
  const LocationContext *LCtx = Pred->getLocationContext();
1028
122
1029
122
  const auto *CurDtor = cast<CXXDestructorDecl>(LCtx->getDecl());
1030
122
  Loc ThisPtr = getSValBuilder().getCXXThis(CurDtor,
1031
122
                                            LCtx->getStackFrame());
1032
122
  SVal ThisVal = Pred->getState()->getSVal(ThisPtr);
1033
122
1034
122
  // Create the base object region.
1035
122
  const CXXBaseSpecifier *Base = D.getBaseSpecifier();
1036
122
  QualType BaseTy = Base->getType();
1037
122
  SVal BaseVal = getStoreManager().evalDerivedToBase(ThisVal, BaseTy,
1038
122
                                                     Base->isVirtual());
1039
122
1040
122
  EvalCallOptions CallOpts;
1041
122
  VisitCXXDestructor(BaseTy, BaseVal.getAsRegion(), CurDtor->getBody(),
1042
122
                     /*IsBase=*/true, Pred, Dst, CallOpts);
1043
122
}
1044
1045
void ExprEngine::ProcessMemberDtor(const CFGMemberDtor D,
1046
54
                                   ExplodedNode *Pred, ExplodedNodeSet &Dst) {
1047
54
  const FieldDecl *Member = D.getFieldDecl();
1048
54
  QualType T = Member->getType();
1049
54
  ProgramStateRef State = Pred->getState();
1050
54
  const LocationContext *LCtx = Pred->getLocationContext();
1051
54
1052
54
  const auto *CurDtor = cast<CXXDestructorDecl>(LCtx->getDecl());
1053
54
  Loc ThisStorageLoc =
1054
54
      getSValBuilder().getCXXThis(CurDtor, LCtx->getStackFrame());
1055
54
  Loc ThisLoc = State->getSVal(ThisStorageLoc).castAs<Loc>();
1056
54
  SVal FieldVal = State->getLValue(Member, ThisLoc);
1057
54
1058
54
  // FIXME: We need to run the same destructor on every element of the array.
1059
54
  // This workaround will just run the first destructor (which will still
1060
54
  // invalidate the entire array).
1061
54
  EvalCallOptions CallOpts;
1062
54
  FieldVal = makeZeroElementRegion(State, FieldVal, T,
1063
54
                                   CallOpts.IsArrayCtorOrDtor);
1064
54
1065
54
  VisitCXXDestructor(T, FieldVal.getAsRegion(), CurDtor->getBody(),
1066
54
                     /*IsBase=*/false, Pred, Dst, CallOpts);
1067
54
}
1068
1069
void ExprEngine::ProcessTemporaryDtor(const CFGTemporaryDtor D,
1070
                                      ExplodedNode *Pred,
1071
1.05k
                                      ExplodedNodeSet &Dst) {
1072
1.05k
  const CXXBindTemporaryExpr *BTE = D.getBindTemporaryExpr();
1073
1.05k
  ProgramStateRef State = Pred->getState();
1074
1.05k
  const LocationContext *LC = Pred->getLocationContext();
1075
1.05k
  const MemRegion *MR = nullptr;
1076
1.05k
1077
1.05k
  if (Optional<SVal> V =
1078
1.00k
          getObjectUnderConstruction(State, D.getBindTemporaryExpr(),
1079
1.00k
                                     Pred->getLocationContext())) {
1080
1.00k
    // FIXME: Currently we insert temporary destructors for default parameters,
1081
1.00k
    // but we don't insert the constructors, so the entry in
1082
1.00k
    // ObjectsUnderConstruction may be missing.
1083
1.00k
    State = finishObjectConstruction(State, D.getBindTemporaryExpr(),
1084
1.00k
                                     Pred->getLocationContext());
1085
1.00k
    MR = V->getAsRegion();
1086
1.00k
  }
1087
1.05k
1088
1.05k
  // If copy elision has occurred, and the constructor corresponding to the
1089
1.05k
  // destructor was elided, we need to skip the destructor as well.
1090
1.05k
  if (isDestructorElided(State, BTE, LC)) {
1091
149
    State = cleanupElidedDestructor(State, BTE, LC);
1092
149
    NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
1093
149
    PostImplicitCall PP(D.getDestructorDecl(getContext()),
1094
149
                        D.getBindTemporaryExpr()->getBeginLoc(),
1095
149
                        Pred->getLocationContext());
1096
149
    Bldr.generateNode(PP, State, Pred);
1097
149
    return;
1098
149
  }
1099
910
1100
910
  ExplodedNodeSet CleanDtorState;
1101
910
  StmtNodeBuilder StmtBldr(Pred, CleanDtorState, *currBldrCtx);
1102
910
  StmtBldr.generateNode(D.getBindTemporaryExpr(), Pred, State);
1103
910
1104
910
  QualType T = D.getBindTemporaryExpr()->getSubExpr()->getType();
1105
910
  // FIXME: Currently CleanDtorState can be empty here due to temporaries being
1106
910
  // bound to default parameters.
1107
910
  assert(CleanDtorState.size() <= 1);
1108
910
  ExplodedNode *CleanPred =
1109
910
      CleanDtorState.empty() ? 
Pred0
: *CleanDtorState.begin();
1110
910
1111
910
  EvalCallOptions CallOpts;
1112
910
  CallOpts.IsTemporaryCtorOrDtor = true;
1113
910
  if (!MR) {
1114
337
    // If we have no MR, we still need to unwrap the array to avoid destroying
1115
337
    // the whole array at once. Regardless, we'd eventually need to model array
1116
337
    // destructors properly, element-by-element.
1117
339
    while (const ArrayType *AT = getContext().getAsArrayType(T)) {
1118
2
      T = AT->getElementType();
1119
2
      CallOpts.IsArrayCtorOrDtor = true;
1120
2
    }
1121
573
  } else {
1122
573
    // We'd eventually need to makeZeroElementRegion() trick here,
1123
573
    // but for now we don't have the respective construction contexts,
1124
573
    // so MR would always be null in this case. Do nothing for now.
1125
573
  }
1126
910
  VisitCXXDestructor(T, MR, D.getBindTemporaryExpr(),
1127
910
                     /*IsBase=*/false, CleanPred, Dst, CallOpts);
1128
910
}
1129
1130
void ExprEngine::processCleanupTemporaryBranch(const CXXBindTemporaryExpr *BTE,
1131
                                               NodeBuilderContext &BldCtx,
1132
                                               ExplodedNode *Pred,
1133
                                               ExplodedNodeSet &Dst,
1134
                                               const CFGBlock *DstT,
1135
607
                                               const CFGBlock *DstF) {
1136
607
  BranchNodeBuilder TempDtorBuilder(Pred, Dst, BldCtx, DstT, DstF);
1137
607
  ProgramStateRef State = Pred->getState();
1138
607
  const LocationContext *LC = Pred->getLocationContext();
1139
607
  if (getObjectUnderConstruction(State, BTE, LC)) {
1140
402
    TempDtorBuilder.markInfeasible(false);
1141
402
    TempDtorBuilder.generateNode(State, true, Pred);
1142
402
  } else {
1143
205
    TempDtorBuilder.markInfeasible(true);
1144
205
    TempDtorBuilder.generateNode(State, false, Pred);
1145
205
  }
1146
607
}
1147
1148
void ExprEngine::VisitCXXBindTemporaryExpr(const CXXBindTemporaryExpr *BTE,
1149
                                           ExplodedNodeSet &PreVisit,
1150
1.41k
                                           ExplodedNodeSet &Dst) {
1151
1.41k
  // This is a fallback solution in case we didn't have a construction
1152
1.41k
  // context when we were constructing the temporary. Otherwise the map should
1153
1.41k
  // have been populated there.
1154
1.41k
  if (!getAnalysisManager().options.ShouldIncludeTemporaryDtorsInCFG) {
1155
244
    // In case we don't have temporary destructors in the CFG, do not mark
1156
244
    // the initialization - we would otherwise never clean it up.
1157
244
    Dst = PreVisit;
1158
244
    return;
1159
244
  }
1160
1.17k
  StmtNodeBuilder StmtBldr(PreVisit, Dst, *currBldrCtx);
1161
1.17k
  for (ExplodedNode *Node : PreVisit) {
1162
1.17k
    ProgramStateRef State = Node->getState();
1163
1.17k
    const LocationContext *LC = Node->getLocationContext();
1164
1.17k
    if (!getObjectUnderConstruction(State, BTE, LC)) {
1165
578
      // FIXME: Currently the state might also already contain the marker due to
1166
578
      // incorrect handling of temporaries bound to default parameters; for
1167
578
      // those, we currently skip the CXXBindTemporaryExpr but rely on adding
1168
578
      // temporary destructor nodes.
1169
578
      State = addObjectUnderConstruction(State, BTE, LC, UnknownVal());
1170
578
    }
1171
1.17k
    StmtBldr.generateNode(BTE, Node, State);
1172
1.17k
  }
1173
1.17k
}
1174
1175
ProgramStateRef ExprEngine::escapeValues(ProgramStateRef State,
1176
                                         ArrayRef<SVal> Vs,
1177
                                         PointerEscapeKind K,
1178
7.30k
                                         const CallEvent *Call) const {
1179
7.30k
  class CollectReachableSymbolsCallback final : public SymbolVisitor {
1180
7.30k
    InvalidatedSymbols &Symbols;
1181
7.30k
1182
7.30k
  public:
1183
7.30k
    explicit CollectReachableSymbolsCallback(InvalidatedSymbols &Symbols)
1184
7.30k
        : Symbols(Symbols) {}
1185
7.30k
1186
7.30k
    const InvalidatedSymbols &getSymbols() const { return Symbols; }
1187
7.30k
1188
7.30k
    bool VisitSymbol(SymbolRef Sym) override {
1189
3.62k
      Symbols.insert(Sym);
1190
3.62k
      return true;
1191
3.62k
    }
1192
7.30k
  };
1193
7.30k
  InvalidatedSymbols Symbols;
1194
7.30k
  CollectReachableSymbolsCallback CallBack(Symbols);
1195
7.30k
  for (SVal V : Vs)
1196
7.43k
    State->scanReachableSymbols(V, CallBack);
1197
7.30k
1198
7.30k
  return getCheckerManager().runCheckersForPointerEscape(
1199
7.30k
      State, CallBack.getSymbols(), Call, K, nullptr);
1200
7.30k
}
1201
1202
void ExprEngine::Visit(const Stmt *S, ExplodedNode *Pred,
1203
1.16M
                       ExplodedNodeSet &DstTop) {
1204
1.16M
  PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
1205
1.16M
                                S->getBeginLoc(), "Error evaluating statement");
1206
1.16M
  ExplodedNodeSet Dst;
1207
1.16M
  StmtNodeBuilder Bldr(Pred, DstTop, *currBldrCtx);
1208
1.16M
1209
1.16M
  assert(!isa<Expr>(S) || S == cast<Expr>(S)->IgnoreParens());
1210
1.16M
1211
1.16M
  switch (S->getStmtClass()) {
1212
0
    // C++, OpenMP and ARC stuff we don't support yet.
1213
1
    case Expr::ObjCIndirectCopyRestoreExprClass:
1214
1
    case Stmt::CXXDependentScopeMemberExprClass:
1215
1
    case Stmt::CXXTryStmtClass:
1216
1
    case Stmt::CXXTypeidExprClass:
1217
1
    case Stmt::CXXUuidofExprClass:
1218
1
    case Stmt::CXXFoldExprClass:
1219
1
    case Stmt::MSPropertyRefExprClass:
1220
1
    case Stmt::MSPropertySubscriptExprClass:
1221
1
    case Stmt::CXXUnresolvedConstructExprClass:
1222
1
    case Stmt::DependentScopeDeclRefExprClass:
1223
1
    case Stmt::ArrayTypeTraitExprClass:
1224
1
    case Stmt::ExpressionTraitExprClass:
1225
1
    case Stmt::UnresolvedLookupExprClass:
1226
1
    case Stmt::UnresolvedMemberExprClass:
1227
1
    case Stmt::TypoExprClass:
1228
1
    case Stmt::CXXNoexceptExprClass:
1229
1
    case Stmt::PackExpansionExprClass:
1230
1
    case Stmt::SubstNonTypeTemplateParmPackExprClass:
1231
1
    case Stmt::FunctionParmPackExprClass:
1232
1
    case Stmt::CoroutineBodyStmtClass:
1233
1
    case Stmt::CoawaitExprClass:
1234
1
    case Stmt::DependentCoawaitExprClass:
1235
1
    case Stmt::CoreturnStmtClass:
1236
1
    case Stmt::CoyieldExprClass:
1237
1
    case Stmt::SEHTryStmtClass:
1238
1
    case Stmt::SEHExceptStmtClass:
1239
1
    case Stmt::SEHLeaveStmtClass:
1240
1
    case Stmt::SEHFinallyStmtClass:
1241
1
    case Stmt::OMPParallelDirectiveClass:
1242
1
    case Stmt::OMPSimdDirectiveClass:
1243
1
    case Stmt::OMPForDirectiveClass:
1244
1
    case Stmt::OMPForSimdDirectiveClass:
1245
1
    case Stmt::OMPSectionsDirectiveClass:
1246
1
    case Stmt::OMPSectionDirectiveClass:
1247
1
    case Stmt::OMPSingleDirectiveClass:
1248
1
    case Stmt::OMPMasterDirectiveClass:
1249
1
    case Stmt::OMPCriticalDirectiveClass:
1250
1
    case Stmt::OMPParallelForDirectiveClass:
1251
1
    case Stmt::OMPParallelForSimdDirectiveClass:
1252
1
    case Stmt::OMPParallelSectionsDirectiveClass:
1253
1
    case Stmt::OMPParallelMasterDirectiveClass:
1254
1
    case Stmt::OMPTaskDirectiveClass:
1255
1
    case Stmt::OMPTaskyieldDirectiveClass:
1256
1
    case Stmt::OMPBarrierDirectiveClass:
1257
1
    case Stmt::OMPTaskwaitDirectiveClass:
1258
1
    case Stmt::OMPTaskgroupDirectiveClass:
1259
1
    case Stmt::OMPFlushDirectiveClass:
1260
1
    case Stmt::OMPOrderedDirectiveClass:
1261
1
    case Stmt::OMPAtomicDirectiveClass:
1262
1
    case Stmt::OMPTargetDirectiveClass:
1263
1
    case Stmt::OMPTargetDataDirectiveClass:
1264
1
    case Stmt::OMPTargetEnterDataDirectiveClass:
1265
1
    case Stmt::OMPTargetExitDataDirectiveClass:
1266
1
    case Stmt::OMPTargetParallelDirectiveClass:
1267
1
    case Stmt::OMPTargetParallelForDirectiveClass:
1268
1
    case Stmt::OMPTargetUpdateDirectiveClass:
1269
1
    case Stmt::OMPTeamsDirectiveClass:
1270
1
    case Stmt::OMPCancellationPointDirectiveClass:
1271
1
    case Stmt::OMPCancelDirectiveClass:
1272
1
    case Stmt::OMPTaskLoopDirectiveClass:
1273
1
    case Stmt::OMPTaskLoopSimdDirectiveClass:
1274
1
    case Stmt::OMPMasterTaskLoopDirectiveClass:
1275
1
    case Stmt::OMPMasterTaskLoopSimdDirectiveClass:
1276
1
    case Stmt::OMPParallelMasterTaskLoopDirectiveClass:
1277
1
    case Stmt::OMPParallelMasterTaskLoopSimdDirectiveClass:
1278
1
    case Stmt::OMPDistributeDirectiveClass:
1279
1
    case Stmt::OMPDistributeParallelForDirectiveClass:
1280
1
    case Stmt::OMPDistributeParallelForSimdDirectiveClass:
1281
1
    case Stmt::OMPDistributeSimdDirectiveClass:
1282
1
    case Stmt::OMPTargetParallelForSimdDirectiveClass:
1283
1
    case Stmt::OMPTargetSimdDirectiveClass:
1284
1
    case Stmt::OMPTeamsDistributeDirectiveClass:
1285
1
    case Stmt::OMPTeamsDistributeSimdDirectiveClass:
1286
1
    case Stmt::OMPTeamsDistributeParallelForSimdDirectiveClass:
1287
1
    case Stmt::OMPTeamsDistributeParallelForDirectiveClass:
1288
1
    case Stmt::OMPTargetTeamsDirectiveClass:
1289
1
    case Stmt::OMPTargetTeamsDistributeDirectiveClass:
1290
1
    case Stmt::OMPTargetTeamsDistributeParallelForDirectiveClass:
1291
1
    case Stmt::OMPTargetTeamsDistributeParallelForSimdDirectiveClass:
1292
1
    case Stmt::OMPTargetTeamsDistributeSimdDirectiveClass:
1293
1
    case Stmt::CapturedStmtClass: {
1294
1
      const ExplodedNode *node = Bldr.generateSink(S, Pred, Pred->getState());
1295
1
      Engine.addAbortedBlock(node, currBldrCtx->getBlock());
1296
1
      break;
1297
1
    }
1298
1
1299
1
    case Stmt::ParenExprClass:
1300
0
      llvm_unreachable("ParenExprs already handled.");
1301
1
    case Stmt::GenericSelectionExprClass:
1302
0
      llvm_unreachable("GenericSelectionExprs already handled.");
1303
1
    // Cases that should never be evaluated simply because they shouldn't
1304
1
    // appear in the CFG.
1305
1
    case Stmt::BreakStmtClass:
1306
0
    case Stmt::CaseStmtClass:
1307
0
    case Stmt::CompoundStmtClass:
1308
0
    case Stmt::ContinueStmtClass:
1309
0
    case Stmt::CXXForRangeStmtClass:
1310
0
    case Stmt::DefaultStmtClass:
1311
0
    case Stmt::DoStmtClass:
1312
0
    case Stmt::ForStmtClass:
1313
0
    case Stmt::GotoStmtClass:
1314
0
    case Stmt::IfStmtClass:
1315
0
    case Stmt::IndirectGotoStmtClass:
1316
0
    case Stmt::LabelStmtClass:
1317
0
    case Stmt::NoStmtClass:
1318
0
    case Stmt::NullStmtClass:
1319
0
    case Stmt::SwitchStmtClass:
1320
0
    case Stmt::WhileStmtClass:
1321
0
    case Expr::MSDependentExistsStmtClass:
1322
0
      llvm_unreachable("Stmt should not be in analyzer evaluation loop");
1323
0
    case Stmt::ImplicitValueInitExprClass:
1324
0
      // These nodes are shared in the CFG and would case caching out.
1325
0
      // Moreover, no additional evaluation required for them, the
1326
0
      // analyzer can reconstruct these values from the AST.
1327
0
      llvm_unreachable("Should be pruned from CFG");
1328
0
1329
0
    case Stmt::ObjCSubscriptRefExprClass:
1330
0
    case Stmt::ObjCPropertyRefExprClass:
1331
0
      llvm_unreachable("These are handled by PseudoObjectExpr");
1332
0
1333
9
    case Stmt::GNUNullExprClass: {
1334
9
      // GNU __null is a pointer-width integer, not an actual pointer.
1335
9
      ProgramStateRef state = Pred->getState();
1336
9
      state = state->BindExpr(S, Pred->getLocationContext(),
1337
9
                              svalBuilder.makeIntValWithPtrWidth(0, false));
1338
9
      Bldr.generateNode(S, Pred, state);
1339
9
      break;
1340
0
    }
1341
0
1342
19
    case Stmt::ObjCAtSynchronizedStmtClass:
1343
19
      Bldr.takeNodes(Pred);
1344
19
      VisitObjCAtSynchronizedStmt(cast<ObjCAtSynchronizedStmt>(S), Pred, Dst);
1345
19
      Bldr.addNodes(Dst);
1346
19
      break;
1347
0
1348
0
    case Expr::ConstantExprClass:
1349
0
    case Stmt::ExprWithCleanupsClass:
1350
0
      // Handled due to fully linearised CFG.
1351
0
      break;
1352
0
1353
1.41k
    case Stmt::CXXBindTemporaryExprClass: {
1354
1.41k
      Bldr.takeNodes(Pred);
1355
1.41k
      ExplodedNodeSet PreVisit;
1356
1.41k
      getCheckerManager().runCheckersForPreStmt(PreVisit, Pred, S, *this);
1357
1.41k
      ExplodedNodeSet Next;
1358
1.41k
      VisitCXXBindTemporaryExpr(cast<CXXBindTemporaryExpr>(S), PreVisit, Next);
1359
1.41k
      getCheckerManager().runCheckersForPostStmt(Dst, Next, S, *this);
1360
1.41k
      Bldr.addNodes(Dst);
1361
1.41k
      break;
1362
0
    }
1363
0
1364
0
    // Cases not handled yet; but will handle some day.
1365
63.5k
    case Stmt::DesignatedInitExprClass:
1366
63.5k
    case Stmt::DesignatedInitUpdateExprClass:
1367
63.5k
    case Stmt::ArrayInitLoopExprClass:
1368
63.5k
    case Stmt::ArrayInitIndexExprClass:
1369
63.5k
    case Stmt::ExtVectorElementExprClass:
1370
63.5k
    case Stmt::ImaginaryLiteralClass:
1371
63.5k
    case Stmt::ObjCAtCatchStmtClass:
1372
63.5k
    case Stmt::ObjCAtFinallyStmtClass:
1373
63.5k
    case Stmt::ObjCAtTryStmtClass:
1374
63.5k
    case Stmt::ObjCAutoreleasePoolStmtClass:
1375
63.5k
    case Stmt::ObjCEncodeExprClass:
1376
63.5k
    case Stmt::ObjCIsaExprClass:
1377
63.5k
    case Stmt::ObjCProtocolExprClass:
1378
63.5k
    case Stmt::ObjCSelectorExprClass:
1379
63.5k
    case Stmt::ParenListExprClass:
1380
63.5k
    case Stmt::ShuffleVectorExprClass:
1381
63.5k
    case Stmt::ConvertVectorExprClass:
1382
63.5k
    case Stmt::VAArgExprClass:
1383
63.5k
    case Stmt::CUDAKernelCallExprClass:
1384
63.5k
    case Stmt::OpaqueValueExprClass:
1385
63.5k
    case Stmt::AsTypeExprClass:
1386
63.5k
    case Stmt::ConceptSpecializationExprClass:
1387
63.5k
    case Stmt::CXXRewrittenBinaryOperatorClass:
1388
63.5k
    case Stmt::RequiresExprClass:
1389
63.5k
      // Fall through.
1390
63.5k
1391
63.5k
    // Cases we intentionally don't evaluate, since they don't need
1392
63.5k
    // to be explicitly evaluated.
1393
63.5k
    case Stmt::PredefinedExprClass:
1394
63.5k
    case Stmt::AddrLabelExprClass:
1395
63.5k
    case Stmt::AttributedStmtClass:
1396
63.5k
    case Stmt::IntegerLiteralClass:
1397
63.5k
    case Stmt::FixedPointLiteralClass:
1398
63.5k
    case Stmt::CharacterLiteralClass:
1399
63.5k
    case Stmt::CXXScalarValueInitExprClass:
1400
63.5k
    case Stmt::CXXBoolLiteralExprClass:
1401
63.5k
    case Stmt::ObjCBoolLiteralExprClass:
1402
63.5k
    case Stmt::ObjCAvailabilityCheckExprClass:
1403
63.5k
    case Stmt::FloatingLiteralClass:
1404
63.5k
    case Stmt::NoInitExprClass:
1405
63.5k
    case Stmt::SizeOfPackExprClass:
1406
63.5k
    case Stmt::StringLiteralClass:
1407
63.5k
    case Stmt::SourceLocExprClass:
1408
63.5k
    case Stmt::ObjCStringLiteralClass:
1409
63.5k
    case Stmt::CXXPseudoDestructorExprClass:
1410
63.5k
    case Stmt::SubstNonTypeTemplateParmExprClass:
1411
63.5k
    case Stmt::CXXNullPtrLiteralExprClass:
1412
63.5k
    case Stmt::OMPArraySectionExprClass:
1413
63.5k
    case Stmt::TypeTraitExprClass: {
1414
63.5k
      Bldr.takeNodes(Pred);
1415
63.5k
      ExplodedNodeSet preVisit;
1416
63.5k
      getCheckerManager().runCheckersForPreStmt(preVisit, Pred, S, *this);
1417
63.5k
      getCheckerManager().runCheckersForPostStmt(Dst, preVisit, S, *this);
1418
63.5k
      Bldr.addNodes(Dst);
1419
63.5k
      break;
1420
63.5k
    }
1421
63.5k
1422
63.5k
    case Stmt::CXXDefaultArgExprClass:
1423
3.19k
    case Stmt::CXXDefaultInitExprClass: {
1424
3.19k
      Bldr.takeNodes(Pred);
1425
3.19k
      ExplodedNodeSet PreVisit;
1426
3.19k
      getCheckerManager().runCheckersForPreStmt(PreVisit, Pred, S, *this);
1427
3.19k
1428
3.19k
      ExplodedNodeSet Tmp;
1429
3.19k
      StmtNodeBuilder Bldr2(PreVisit, Tmp, *currBldrCtx);
1430
3.19k
1431
3.19k
      const Expr *ArgE;
1432
3.19k
      if (const auto *DefE = dyn_cast<CXXDefaultArgExpr>(S))
1433
3.00k
        ArgE = DefE->getExpr();
1434
199
      else if (const auto *DefE = dyn_cast<CXXDefaultInitExpr>(S))
1435
199
        ArgE = DefE->getExpr();
1436
199
      else
1437
199
        
llvm_unreachable0
("unknown constant wrapper kind");
1438
3.19k
1439
3.19k
      bool IsTemporary = false;
1440
3.19k
      if (const auto *MTE = dyn_cast<MaterializeTemporaryExpr>(ArgE)) {
1441
38
        ArgE = MTE->getSubExpr();
1442
38
        IsTemporary = true;
1443
38
      }
1444
3.19k
1445
3.19k
      Optional<SVal> ConstantVal = svalBuilder.getConstantVal(ArgE);
1446
3.19k
      if (!ConstantVal)
1447
1.50k
        ConstantVal = UnknownVal();
1448
3.19k
1449
3.19k
      const LocationContext *LCtx = Pred->getLocationContext();
1450
3.19k
      for (const auto I : PreVisit) {
1451
3.19k
        ProgramStateRef State = I->getState();
1452
3.19k
        State = State->BindExpr(S, LCtx, *ConstantVal);
1453
3.19k
        if (IsTemporary)
1454
38
          State = createTemporaryRegionIfNeeded(State, LCtx,
1455
38
                                                cast<Expr>(S),
1456
38
                                                cast<Expr>(S));
1457
3.19k
        Bldr2.generateNode(S, I, State);
1458
3.19k
      }
1459
3.19k
1460
3.19k
      getCheckerManager().runCheckersForPostStmt(Dst, Tmp, S, *this);
1461
3.19k
      Bldr.addNodes(Dst);
1462
3.19k
      break;
1463
3.19k
    }
1464
3.19k
1465
3.19k
    // Cases we evaluate as opaque expressions, conjuring a symbol.
1466
3.19k
    case Stmt::CXXStdInitializerListExprClass:
1467
117
    case Expr::ObjCArrayLiteralClass:
1468
117
    case Expr::ObjCDictionaryLiteralClass:
1469
117
    case Expr::ObjCBoxedExprClass: {
1470
117
      Bldr.takeNodes(Pred);
1471
117
1472
117
      ExplodedNodeSet preVisit;
1473
117
      getCheckerManager().runCheckersForPreStmt(preVisit, Pred, S, *this);
1474
117
1475
117
      ExplodedNodeSet Tmp;
1476
117
      StmtNodeBuilder Bldr2(preVisit, Tmp, *currBldrCtx);
1477
117
1478
117
      const auto *Ex = cast<Expr>(S);
1479
117
      QualType resultType = Ex->getType();
1480
117
1481
117
      for (const auto N : preVisit) {
1482
117
        const LocationContext *LCtx = N->getLocationContext();
1483
117
        SVal result = svalBuilder.conjureSymbolVal(nullptr, Ex, LCtx,
1484
117
                                                   resultType,
1485
117
                                                   currBldrCtx->blockCount());
1486
117
        ProgramStateRef State = N->getState()->BindExpr(Ex, LCtx, result);
1487
117
1488
117
        // Escape pointers passed into the list, unless it's an ObjC boxed
1489
117
        // expression which is not a boxable C structure.
1490
117
        if (!(isa<ObjCBoxedExpr>(Ex) &&
1491
117
              !cast<ObjCBoxedExpr>(Ex)->getSubExpr()
1492
35
                                      ->getType()->isRecordType()))
1493
106
          
for (auto Child : Ex->children())84
{
1494
106
            assert(Child);
1495
106
            SVal Val = State->getSVal(Child, LCtx);
1496
106
            State = escapeValues(State, Val, PSK_EscapeOther);
1497
106
          }
1498
117
1499
117
        Bldr2.generateNode(S, N, State);
1500
117
      }
1501
117
1502
117
      getCheckerManager().runCheckersForPostStmt(Dst, Tmp, S, *this);
1503
117
      Bldr.addNodes(Dst);
1504
117
      break;
1505
117
    }
1506
117
1507
10.0k
    case Stmt::ArraySubscriptExprClass:
1508
10.0k
      Bldr.takeNodes(Pred);
1509
10.0k
      VisitArraySubscriptExpr(cast<ArraySubscriptExpr>(S), Pred, Dst);
1510
10.0k
      Bldr.addNodes(Dst);
1511
10.0k
      break;
1512
117
1513
117
    case Stmt::GCCAsmStmtClass:
1514
2
      Bldr.takeNodes(Pred);
1515
2
      VisitGCCAsmStmt(cast<GCCAsmStmt>(S), Pred, Dst);
1516
2
      Bldr.addNodes(Dst);
1517
2
      break;
1518
117
1519
117
    case Stmt::MSAsmStmtClass:
1520
0
      Bldr.takeNodes(Pred);
1521
0
      VisitMSAsmStmt(cast<MSAsmStmt>(S), Pred, Dst);
1522
0
      Bldr.addNodes(Dst);
1523
0
      break;
1524
117
1525
376
    case Stmt::BlockExprClass:
1526
376
      Bldr.takeNodes(Pred);
1527
376
      VisitBlockExpr(cast<BlockExpr>(S), Pred, Dst);
1528
376
      Bldr.addNodes(Dst);
1529
376
      break;
1530
117
1531
192
    case Stmt::LambdaExprClass:
1532
192
      if (AMgr.options.ShouldInlineLambdas) {
1533
191
        Bldr.takeNodes(Pred);
1534
191
        VisitLambdaExpr(cast<LambdaExpr>(S), Pred, Dst);
1535
191
        Bldr.addNodes(Dst);
1536
191
      } else {
1537
1
        const ExplodedNode *node = Bldr.generateSink(S, Pred, Pred->getState());
1538
1
        Engine.addAbortedBlock(node, currBldrCtx->getBlock());
1539
1
      }
1540
192
      break;
1541
117
1542
73.7k
    case Stmt::BinaryOperatorClass: {
1543
73.7k
      const auto *B = cast<BinaryOperator>(S);
1544
73.7k
      if (B->isLogicalOp()) {
1545
1.15k
        Bldr.takeNodes(Pred);
1546
1.15k
        VisitLogicalExpr(B, Pred, Dst);
1547
1.15k
        Bldr.addNodes(Dst);
1548
1.15k
        break;
1549
1.15k
      }
1550
72.6k
      else if (B->getOpcode() == BO_Comma) {
1551
320
        ProgramStateRef state = Pred->getState();
1552
320
        Bldr.generateNode(B, Pred,
1553
320
                          state->BindExpr(B, Pred->getLocationContext(),
1554
320
                                          state->getSVal(B->getRHS(),
1555
320
                                                  Pred->getLocationContext())));
1556
320
        break;
1557
320
      }
1558
72.2k
1559
72.2k
      Bldr.takeNodes(Pred);
1560
72.2k
1561
72.2k
      if (AMgr.options.ShouldEagerlyAssume &&
1562
72.2k
          
(60.2k
B->isRelationalOp()60.2k
||
B->isEqualityOp()54.8k
)) {
1563
9.14k
        ExplodedNodeSet Tmp;
1564
9.14k
        VisitBinaryOperator(cast<BinaryOperator>(S), Pred, Tmp);
1565
9.14k
        evalEagerlyAssumeBinOpBifurcation(Dst, Tmp, cast<Expr>(S));
1566
9.14k
      }
1567
63.1k
      else
1568
63.1k
        VisitBinaryOperator(cast<BinaryOperator>(S), Pred, Dst);
1569
72.2k
1570
72.2k
      Bldr.addNodes(Dst);
1571
72.2k
      break;
1572
72.2k
    }
1573
72.2k
1574
72.2k
    case Stmt::CXXOperatorCallExprClass: {
1575
2.79k
      const auto *OCE = cast<CXXOperatorCallExpr>(S);
1576
2.79k
1577
2.79k
      // For instance method operators, make sure the 'this' argument has a
1578
2.79k
      // valid region.
1579
2.79k
      const Decl *Callee = OCE->getCalleeDecl();
1580
2.79k
      if (const auto *MD = dyn_cast_or_null<CXXMethodDecl>(Callee)) {
1581
2.76k
        if (MD->isInstance()) {
1582
2.76k
          ProgramStateRef State = Pred->getState();
1583
2.76k
          const LocationContext *LCtx = Pred->getLocationContext();
1584
2.76k
          ProgramStateRef NewState =
1585
2.76k
            createTemporaryRegionIfNeeded(State, LCtx, OCE->getArg(0));
1586
2.76k
          if (NewState != State) {
1587
0
            Pred = Bldr.generateNode(OCE, Pred, NewState, /*tag=*/nullptr,
1588
0
                                     ProgramPoint::PreStmtKind);
1589
0
            // Did we cache out?
1590
0
            if (!Pred)
1591
0
              break;
1592
2.79k
          }
1593
2.76k
        }
1594
2.76k
      }
1595
2.79k
      // FALLTHROUGH
1596
2.79k
      LLVM_FALLTHROUGH;
1597
2.79k
    }
1598
2.79k
1599
82.3k
    case Stmt::CallExprClass:
1600
82.3k
    case Stmt::CXXMemberCallExprClass:
1601
82.3k
    case Stmt::UserDefinedLiteralClass:
1602
82.3k
      Bldr.takeNodes(Pred);
1603
82.3k
      VisitCallExpr(cast<CallExpr>(S), Pred, Dst);
1604
82.3k
      Bldr.addNodes(Dst);
1605
82.3k
      break;
1606
82.3k
1607
82.3k
    case Stmt::CXXCatchStmtClass:
1608
0
      Bldr.takeNodes(Pred);
1609
0
      VisitCXXCatchStmt(cast<CXXCatchStmt>(S), Pred, Dst);
1610
0
      Bldr.addNodes(Dst);
1611
0
      break;
1612
82.3k
1613
82.3k
    case Stmt::CXXTemporaryObjectExprClass:
1614
44.7k
    case Stmt::CXXConstructExprClass:
1615
44.7k
      Bldr.takeNodes(Pred);
1616
44.7k
      VisitCXXConstructExpr(cast<CXXConstructExpr>(S), Pred, Dst);
1617
44.7k
      Bldr.addNodes(Dst);
1618
44.7k
      break;
1619
44.7k
1620
44.7k
    case Stmt::CXXInheritedCtorInitExprClass:
1621
5
      Bldr.takeNodes(Pred);
1622
5
      VisitCXXInheritedCtorInitExpr(cast<CXXInheritedCtorInitExpr>(S), Pred,
1623
5
                                    Dst);
1624
5
      Bldr.addNodes(Dst);
1625
5
      break;
1626
44.7k
1627
44.7k
    case Stmt::CXXNewExprClass: {
1628
6.42k
      Bldr.takeNodes(Pred);
1629
6.42k
1630
6.42k
      ExplodedNodeSet PreVisit;
1631
6.42k
      getCheckerManager().runCheckersForPreStmt(PreVisit, Pred, S, *this);
1632
6.42k
1633
6.42k
      ExplodedNodeSet PostVisit;
1634
6.42k
      for (const auto i : PreVisit)
1635
6.41k
        VisitCXXNewExpr(cast<CXXNewExpr>(S), i, PostVisit);
1636
6.42k
1637
6.42k
      getCheckerManager().runCheckersForPostStmt(Dst, PostVisit, S, *this);
1638
6.42k
      Bldr.addNodes(Dst);
1639
6.42k
      break;
1640
44.7k
    }
1641
44.7k
1642
44.7k
    case Stmt::CXXDeleteExprClass: {
1643
507
      Bldr.takeNodes(Pred);
1644
507
      ExplodedNodeSet PreVisit;
1645
507
      const auto *CDE = cast<CXXDeleteExpr>(S);
1646
507
      getCheckerManager().runCheckersForPreStmt(PreVisit, Pred, S, *this);
1647
507
1648
507
      for (const auto i : PreVisit)
1649
392
        VisitCXXDeleteExpr(CDE, i, Dst);
1650
507
1651
507
      Bldr.addNodes(Dst);
1652
507
      break;
1653
44.7k
    }
1654
44.7k
      // FIXME: ChooseExpr is really a constant.  We need to fix
1655
44.7k
      //        the CFG do not model them as explicit control-flow.
1656
44.7k
1657
44.7k
    case Stmt::ChooseExprClass: { // __builtin_choose_expr
1658
0
      Bldr.takeNodes(Pred);
1659
0
      const auto *C = cast<ChooseExpr>(S);
1660
0
      VisitGuardedExpr(C, C->getLHS(), C->getRHS(), Pred, Dst);
1661
0
      Bldr.addNodes(Dst);
1662
0
      break;
1663
44.7k
    }
1664
44.7k
1665
44.7k
    case Stmt::CompoundAssignOperatorClass:
1666
739
      Bldr.takeNodes(Pred);
1667
739
      VisitBinaryOperator(cast<BinaryOperator>(S), Pred, Dst);
1668
739
      Bldr.addNodes(Dst);
1669
739
      break;
1670
44.7k
1671
44.7k
    case Stmt::CompoundLiteralExprClass:
1672
62
      Bldr.takeNodes(Pred);
1673
62
      VisitCompoundLiteralExpr(cast<CompoundLiteralExpr>(S), Pred, Dst);
1674
62
      Bldr.addNodes(Dst);
1675
62
      break;
1676
44.7k
1677
44.7k
    case Stmt::BinaryConditionalOperatorClass:
1678
904
    case Stmt::ConditionalOperatorClass: { // '?' operator
1679
904
      Bldr.takeNodes(Pred);
1680
904
      const auto *C = cast<AbstractConditionalOperator>(S);
1681
904
      VisitGuardedExpr(C, C->getTrueExpr(), C->getFalseExpr(), Pred, Dst);
1682
904
      Bldr.addNodes(Dst);
1683
904
      break;
1684
904
    }
1685
904
1686
26.8k
    case Stmt::CXXThisExprClass:
1687
26.8k
      Bldr.takeNodes(Pred);
1688
26.8k
      VisitCXXThisExpr(cast<CXXThisExpr>(S), Pred, Dst);
1689
26.8k
      Bldr.addNodes(Dst);
1690
26.8k
      break;
1691
904
1692
260k
    case Stmt::DeclRefExprClass: {
1693
260k
      Bldr.takeNodes(Pred);
1694
260k
      const auto *DE = cast<DeclRefExpr>(S);
1695
260k
      VisitCommonDeclRefExpr(DE, DE->getDecl(), Pred, Dst);
1696
260k
      Bldr.addNodes(Dst);
1697
260k
      break;
1698
904
    }
1699
904
1700
42.3k
    case Stmt::DeclStmtClass:
1701
42.3k
      Bldr.takeNodes(Pred);
1702
42.3k
      VisitDeclStmt(cast<DeclStmt>(S), Pred, Dst);
1703
42.3k
      Bldr.addNodes(Dst);
1704
42.3k
      break;
1705
904
1706
385k
    case Stmt::ImplicitCastExprClass:
1707
385k
    case Stmt::CStyleCastExprClass:
1708
385k
    case Stmt::CXXStaticCastExprClass:
1709
385k
    case Stmt::CXXDynamicCastExprClass:
1710
385k
    case Stmt::CXXReinterpretCastExprClass:
1711
385k
    case Stmt::CXXConstCastExprClass:
1712
385k
    case Stmt::CXXFunctionalCastExprClass:
1713
385k
    case Stmt::BuiltinBitCastExprClass:
1714
385k
    case Stmt::ObjCBridgedCastExprClass: {
1715
385k
      Bldr.takeNodes(Pred);
1716
385k
      const auto *C = cast<CastExpr>(S);
1717
385k
      ExplodedNodeSet dstExpr;
1718
385k
      VisitCast(C, C->getSubExpr(), Pred, dstExpr);
1719
385k
1720
385k
      // Handle the postvisit checks.
1721
385k
      getCheckerManager().runCheckersForPostStmt(Dst, dstExpr, C, *this);
1722
385k
      Bldr.addNodes(Dst);
1723
385k
      break;
1724
385k
    }
1725
385k
1726
385k
    case Expr::MaterializeTemporaryExprClass: {
1727
11.1k
      Bldr.takeNodes(Pred);
1728
11.1k
      const auto *MTE = cast<MaterializeTemporaryExpr>(S);
1729
11.1k
      ExplodedNodeSet dstPrevisit;
1730
11.1k
      getCheckerManager().runCheckersForPreStmt(dstPrevisit, Pred, MTE, *this);
1731
11.1k
      ExplodedNodeSet dstExpr;
1732
11.1k
      for (const auto i : dstPrevisit)
1733
11.1k
        CreateCXXTemporaryObject(MTE, i, dstExpr);
1734
11.1k
      getCheckerManager().runCheckersForPostStmt(Dst, dstExpr, MTE, *this);
1735
11.1k
      Bldr.addNodes(Dst);
1736
11.1k
      break;
1737
385k
    }
1738
385k
1739
385k
    case Stmt::InitListExprClass:
1740
1.18k
      Bldr.takeNodes(Pred);
1741
1.18k
      VisitInitListExpr(cast<InitListExpr>(S), Pred, Dst);
1742
1.18k
      Bldr.addNodes(Dst);
1743
1.18k
      break;
1744
385k
1745
385k
    case Stmt::MemberExprClass:
1746
78.5k
      Bldr.takeNodes(Pred);
1747
78.5k
      VisitMemberExpr(cast<MemberExpr>(S), Pred, Dst);
1748
78.5k
      Bldr.addNodes(Dst);
1749
78.5k
      break;
1750
385k
1751
385k
    case Stmt::AtomicExprClass:
1752
54
      Bldr.takeNodes(Pred);
1753
54
      VisitAtomicExpr(cast<AtomicExpr>(S), Pred, Dst);
1754
54
      Bldr.addNodes(Dst);
1755
54
      break;
1756
385k
1757
385k
    case Stmt::ObjCIvarRefExprClass:
1758
1.03k
      Bldr.takeNodes(Pred);
1759
1.03k
      VisitLvalObjCIvarRefExpr(cast<ObjCIvarRefExpr>(S), Pred, Dst);
1760
1.03k
      Bldr.addNodes(Dst);
1761
1.03k
      break;
1762
385k
1763
385k
    case Stmt::ObjCForCollectionStmtClass:
1764
258
      Bldr.takeNodes(Pred);
1765
258
      VisitObjCForCollectionStmt(cast<ObjCForCollectionStmt>(S), Pred, Dst);
1766
258
      Bldr.addNodes(Dst);
1767
258
      break;
1768
385k
1769
385k
    case Stmt::ObjCMessageExprClass:
1770
4.12k
      Bldr.takeNodes(Pred);
1771
4.12k
      VisitObjCMessage(cast<ObjCMessageExpr>(S), Pred, Dst);
1772
4.12k
      Bldr.addNodes(Dst);
1773
4.12k
      break;
1774
385k
1775
385k
    case Stmt::ObjCAtThrowStmtClass:
1776
10
    case Stmt::CXXThrowExprClass:
1777
10
      // FIXME: This is not complete.  We basically treat @throw as
1778
10
      // an abort.
1779
10
      Bldr.generateSink(S, Pred, Pred->getState());
1780
10
      break;
1781
10
1782
27.4k
    case Stmt::ReturnStmtClass:
1783
27.4k
      Bldr.takeNodes(Pred);
1784
27.4k
      VisitReturnStmt(cast<ReturnStmt>(S), Pred, Dst);
1785
27.4k
      Bldr.addNodes(Dst);
1786
27.4k
      break;
1787
10
1788
21
    case Stmt::OffsetOfExprClass: {
1789
21
      Bldr.takeNodes(Pred);
1790
21
      ExplodedNodeSet PreVisit;
1791
21
      getCheckerManager().runCheckersForPreStmt(PreVisit, Pred, S, *this);
1792
21
1793
21
      ExplodedNodeSet PostVisit;
1794
21
      for (const auto Node : PreVisit)
1795
21
        VisitOffsetOfExpr(cast<OffsetOfExpr>(S), Node, PostVisit);
1796
21
1797
21
      getCheckerManager().runCheckersForPostStmt(Dst, PostVisit, S, *this);
1798
21
      Bldr.addNodes(Dst);
1799
21
      break;
1800
10
    }
1801
10
1802
943
    case Stmt::UnaryExprOrTypeTraitExprClass:
1803
943
      Bldr.takeNodes(Pred);
1804
943
      VisitUnaryExprOrTypeTraitExpr(cast<UnaryExprOrTypeTraitExpr>(S),
1805
943
                                    Pred, Dst);
1806
943
      Bldr.addNodes(Dst);
1807
943
      break;
1808
10
1809
55
    case Stmt::StmtExprClass: {
1810
55
      const auto *SE = cast<StmtExpr>(S);
1811
55
1812
55
      if (SE->getSubStmt()->body_empty()) {
1813
2
        // Empty statement expression.
1814
2
        assert(SE->getType() == getContext().VoidTy
1815
2
               && "Empty statement expression must have void type.");
1816
2
        break;
1817
2
      }
1818
53
1819
53
      if (const auto *LastExpr =
1820
53
              dyn_cast<Expr>(*SE->getSubStmt()->body_rbegin())) {
1821
53
        ProgramStateRef state = Pred->getState();
1822
53
        Bldr.generateNode(SE, Pred,
1823
53
                          state->BindExpr(SE, Pred->getLocationContext(),
1824
53
                                          state->getSVal(LastExpr,
1825
53
                                                  Pred->getLocationContext())));
1826
53
      }
1827
53
      break;
1828
53
    }
1829
53
1830
38.7k
    case Stmt::UnaryOperatorClass: {
1831
38.7k
      Bldr.takeNodes(Pred);
1832
38.7k
      const auto *U = cast<UnaryOperator>(S);
1833
38.7k
      if (AMgr.options.ShouldEagerlyAssume && 
(U->getOpcode() == UO_LNot)34.5k
) {
1834
855
        ExplodedNodeSet Tmp;
1835
855
        VisitUnaryOperator(U, Pred, Tmp);
1836
855
        evalEagerlyAssumeBinOpBifurcation(Dst, Tmp, U);
1837
855
      }
1838
37.8k
      else
1839
37.8k
        VisitUnaryOperator(U, Pred, Dst);
1840
38.7k
      Bldr.addNodes(Dst);
1841
38.7k
      break;
1842
53
    }
1843
53
1844
362
    case Stmt::PseudoObjectExprClass: {
1845
362
      Bldr.takeNodes(Pred);
1846
362
      ProgramStateRef state = Pred->getState();
1847
362
      const auto *PE = cast<PseudoObjectExpr>(S);
1848
362
      if (const Expr *Result = PE->getResultExpr()) {
1849
362
        SVal V = state->getSVal(Result, Pred->getLocationContext());
1850
362
        Bldr.generateNode(S, Pred,
1851
362
                          state->BindExpr(S, Pred->getLocationContext(), V));
1852
362
      }
1853
0
      else
1854
0
        Bldr.generateNode(S, Pred,
1855
0
                          state->BindExpr(S, Pred->getLocationContext(),
1856
0
                                                   UnknownVal()));
1857
362
1858
362
      Bldr.addNodes(Dst);
1859
362
      break;
1860
53
    }
1861
1.16M
  }
1862
1.16M
}
1863
1864
bool ExprEngine::replayWithoutInlining(ExplodedNode *N,
1865
37
                                       const LocationContext *CalleeLC) {
1866
37
  const StackFrameContext *CalleeSF = CalleeLC->getStackFrame();
1867
37
  const StackFrameContext *CallerSF = CalleeSF->getParent()->getStackFrame();
1868
37
  assert(CalleeSF && CallerSF);
1869
37
  ExplodedNode *BeforeProcessingCall = nullptr;
1870
37
  const Stmt *CE = CalleeSF->getCallSite();
1871
37
1872
37
  // Find the first node before we started processing the call expression.
1873
26.4k
  while (N) {
1874
26.4k
    ProgramPoint L = N->getLocation();
1875
26.4k
    BeforeProcessingCall = N;
1876
26.4k
    N = N->pred_empty() ? 
nullptr0
: *(N->pred_begin());
1877
26.4k
1878
26.4k
    // Skip the nodes corresponding to the inlined code.
1879
26.4k
    if (L.getStackFrame() != CallerSF)
1880
26.3k
      continue;
1881
110
    // We reached the caller. Find the node right before we started
1882
110
    // processing the call.
1883
110
    if (L.isPurgeKind())
1884
36
      continue;
1885
74
    if (L.getAs<PreImplicitCall>())
1886
0
      continue;
1887
74
    if (L.getAs<CallEnter>())
1888
37
      continue;
1889
37
    if (Optional<StmtPoint> SP = L.getAs<StmtPoint>())
1890
37
      if (SP->getStmt() == CE)
1891
0
        continue;
1892
37
    break;
1893
37
  }
1894
37
1895
37
  if (!BeforeProcessingCall)
1896
0
    return false;
1897
37
1898
37
  // TODO: Clean up the unneeded nodes.
1899
37
1900
37
  // Build an Epsilon node from which we will restart the analyzes.
1901
37
  // Note that CE is permitted to be NULL!
1902
37
  ProgramPoint NewNodeLoc =
1903
37
               EpsilonPoint(BeforeProcessingCall->getLocationContext(), CE);
1904
37
  // Add the special flag to GDM to signal retrying with no inlining.
1905
37
  // Note, changing the state ensures that we are not going to cache out.
1906
37
  ProgramStateRef NewNodeState = BeforeProcessingCall->getState();
1907
37
  NewNodeState =
1908
37
    NewNodeState->set<ReplayWithoutInlining>(const_cast<Stmt *>(CE));
1909
37
1910
37
  // Make the new node a successor of BeforeProcessingCall.
1911
37
  bool IsNew = false;
1912
37
  ExplodedNode *NewNode = G.getNode(NewNodeLoc, NewNodeState, false, &IsNew);
1913
37
  // We cached out at this point. Caching out is common due to us backtracking
1914
37
  // from the inlined function, which might spawn several paths.
1915
37
  if (!IsNew)
1916
4
    return true;
1917
33
1918
33
  NewNode->addPredecessor(BeforeProcessingCall, G);
1919
33
1920
33
  // Add the new node to the work list.
1921
33
  Engine.enqueueStmtNode(NewNode, CalleeSF->getCallSiteBlock(),
1922
33
                                  CalleeSF->getIndex());
1923
33
  NumTimesRetriedWithoutInlining++;
1924
33
  return true;
1925
33
}
1926
1927
/// Block entrance.  (Update counters).
1928
void ExprEngine::processCFGBlockEntrance(const BlockEdge &L,
1929
                                         NodeBuilderWithSinks &nodeBuilder,
1930
167k
                                         ExplodedNode *Pred) {
1931
167k
  PrettyStackTraceLocationContext CrashInfo(Pred->getLocationContext());
1932
167k
  // If we reach a loop which has a known bound (and meets
1933
167k
  // other constraints) then consider completely unrolling it.
1934
167k
  if(AMgr.options.ShouldUnrollLoops) {
1935
5.62k
    unsigned maxBlockVisitOnPath = AMgr.options.maxBlockVisitOnPath;
1936
5.62k
    const Stmt *Term = nodeBuilder.getContext().getBlock()->getTerminatorStmt();
1937
5.62k
    if (Term) {
1938
1.99k
      ProgramStateRef NewState = updateLoopStack(Term, AMgr.getASTContext(),
1939
1.99k
                                                 Pred, maxBlockVisitOnPath);
1940
1.99k
      if (NewState != Pred->getState()) {
1941
185
        ExplodedNode *UpdatedNode = nodeBuilder.generateNode(NewState, Pred);
1942
185
        if (!UpdatedNode)
1943
0
          return;
1944
185
        Pred = UpdatedNode;
1945
185
      }
1946
1.99k
    }
1947
5.62k
    // Is we are inside an unrolled loop then no need the check the counters.
1948
5.62k
    if(isUnrolledState(Pred->getState()))
1949
4.29k
      return;
1950
162k
  }
1951
162k
1952
162k
  // If this block is terminated by a loop and it has already been visited the
1953
162k
  // maximum number of times, widen the loop.
1954
162k
  unsigned int BlockCount = nodeBuilder.getContext().blockCount();
1955
162k
  if (BlockCount == AMgr.options.maxBlockVisitOnPath - 1 &&
1956
162k
      
AMgr.options.ShouldWidenLoops3.67k
) {
1957
136
    const Stmt *Term = nodeBuilder.getContext().getBlock()->getTerminatorStmt();
1958
136
    if (!(Term &&
1959
136
          
(60
isa<ForStmt>(Term)60
||
isa<WhileStmt>(Term)33
||
isa<DoStmt>(Term)14
)))
1960
86
      return;
1961
50
    // Widen.
1962
50
    const LocationContext *LCtx = Pred->getLocationContext();
1963
50
    ProgramStateRef WidenedState =
1964
50
        getWidenedLoopState(Pred->getState(), LCtx, BlockCount, Term);
1965
50
    nodeBuilder.generateNode(WidenedState, Pred);
1966
50
    return;
1967
50
  }
1968
162k
1969
162k
  // FIXME: Refactor this into a checker.
1970
162k
  if (BlockCount >= AMgr.options.maxBlockVisitOnPath) {
1971
1.11k
    static SimpleProgramPointTag tag(TagProviderName, "Block count exceeded");
1972
1.11k
    const ExplodedNode *Sink =
1973
1.11k
                   nodeBuilder.generateSink(Pred->getState(), Pred, &tag);
1974
1.11k
1975
1.11k
    // Check if we stopped at the top level function or not.
1976
1.11k
    // Root node should have the location context of the top most function.
1977
1.11k
    const LocationContext *CalleeLC = Pred->getLocation().getLocationContext();
1978
1.11k
    const LocationContext *CalleeSF = CalleeLC->getStackFrame();
1979
1.11k
    const LocationContext *RootLC =
1980
1.11k
                        (*G.roots_begin())->getLocation().getLocationContext();
1981
1.11k
    if (RootLC->getStackFrame() != CalleeSF) {
1982
42
      Engine.FunctionSummaries->markReachedMaxBlockCount(CalleeSF->getDecl());
1983
42
1984
42
      // Re-run the call evaluation without inlining it, by storing the
1985
42
      // no-inlining policy in the state and enqueuing the new work item on
1986
42
      // the list. Replay should almost never fail. Use the stats to catch it
1987
42
      // if it does.
1988
42
      if ((!AMgr.options.NoRetryExhausted &&
1989
42
           
replayWithoutInlining(Pred, CalleeLC)37
))
1990
37
        return;
1991
5
      NumMaxBlockCountReachedInInlined++;
1992
5
    } else
1993
1.07k
      NumMaxBlockCountReached++;
1994
1.11k
1995
1.11k
    // Make sink nodes as exhausted(for stats) only if retry failed.
1996
1.11k
    Engine.blocksExhausted.push_back(std::make_pair(L, Sink));
1997
1.07k
  }
1998
162k
}
1999
2000
//===----------------------------------------------------------------------===//
2001
// Branch processing.
2002
//===----------------------------------------------------------------------===//
2003
2004
/// RecoverCastedSymbol - A helper function for ProcessBranch that is used
2005
/// to try to recover some path-sensitivity for casts of symbolic
2006
/// integers that promote their values (which are currently not tracked well).
2007
/// This function returns the SVal bound to Condition->IgnoreCasts if all the
2008
//  cast(s) did was sign-extend the original value.
2009
static SVal RecoverCastedSymbol(ProgramStateRef state,
2010
                                const Stmt *Condition,
2011
                                const LocationContext *LCtx,
2012
5.03k
                                ASTContext &Ctx) {
2013
5.03k
2014
5.03k
  const auto *Ex = dyn_cast<Expr>(Condition);
2015
5.03k
  if (!Ex)
2016
0
    return UnknownVal();
2017
5.03k
2018
5.03k
  uint64_t bits = 0;
2019
5.03k
  bool bitsInit = false;
2020
5.03k
2021
9.91k
  while (const auto *CE = dyn_cast<CastExpr>(Ex)) {
2022
4.88k
    QualType T = CE->getType();
2023
4.88k
2024
4.88k
    if (!T->isIntegralOrEnumerationType())
2025
2
      return UnknownVal();
2026
4.88k
2027
4.88k
    uint64_t newBits = Ctx.getTypeSize(T);
2028
4.88k
    if (!bitsInit || 
newBits < bits1
) {
2029
4.88k
      bitsInit = true;
2030
4.88k
      bits = newBits;
2031
4.88k
    }
2032
4.88k
2033
4.88k
    Ex = CE->getSubExpr();
2034
4.88k
  }
2035
5.03k
2036
5.03k
  // We reached a non-cast.  Is it a symbolic value?
2037
5.03k
  QualType T = Ex->getType();
2038
5.02k
2039
5.02k
  if (!bitsInit || 
!T->isIntegralOrEnumerationType()4.88k
||
2040
5.02k
      
Ctx.getTypeSize(T) > bits4.88k
)
2041
5.01k
    return UnknownVal();
2042
10
2043
10
  return state->getSVal(Ex, LCtx);
2044
10
}
2045
2046
#ifndef NDEBUG
2047
10.0k
static const Stmt *getRightmostLeaf(const Stmt *Condition) {
2048
20.0k
  while (Condition) {
2049
20.0k
    const auto *BO = dyn_cast<BinaryOperator>(Condition);
2050
20.0k
    if (!BO || 
!BO->isLogicalOp()10.4k
) {
2051
10.0k
      return Condition;
2052
10.0k
    }
2053
10.0k
    Condition = BO->getRHS()->IgnoreParens();
2054
10.0k
  }
2055
10.0k
  
return nullptr0
;
2056
10.0k
}
2057
#endif
2058
2059
// Returns the condition the branch at the end of 'B' depends on and whose value
2060
// has been evaluated within 'B'.
2061
// In most cases, the terminator condition of 'B' will be evaluated fully in
2062
// the last statement of 'B'; in those cases, the resolved condition is the
2063
// given 'Condition'.
2064
// If the condition of the branch is a logical binary operator tree, the CFG is
2065
// optimized: in that case, we know that the expression formed by all but the
2066
// rightmost leaf of the logical binary operator tree must be true, and thus
2067
// the branch condition is at this point equivalent to the truth value of that
2068
// rightmost leaf; the CFG block thus only evaluates this rightmost leaf
2069
// expression in its final statement. As the full condition in that case was
2070
// not evaluated, and is thus not in the SVal cache, we need to use that leaf
2071
// expression to evaluate the truth value of the condition in the current state
2072
// space.
2073
static const Stmt *ResolveCondition(const Stmt *Condition,
2074
47.2k
                                    const CFGBlock *B) {
2075
47.2k
  if (const auto *Ex = dyn_cast<Expr>(Condition))
2076
46.8k
    Condition = Ex->IgnoreParens();
2077
47.2k
2078
47.2k
  const auto *BO = dyn_cast<BinaryOperator>(Condition);
2079
47.2k
  if (!BO || 
!BO->isLogicalOp()22.5k
)
2080
37.2k
    return Condition;
2081
10.0k
2082
10.0k
  assert(B->getTerminator().isStmtBranch() &&
2083
10.0k
         "Other kinds of branches are handled separately!");
2084
10.0k
2085
10.0k
  // For logical operations, we still have the case where some branches
2086
10.0k
  // use the traditional "merge" approach and others sink the branch
2087
10.0k
  // directly into the basic blocks representing the logical operation.
2088
10.0k
  // We need to distinguish between those two cases here.
2089
10.0k
2090
10.0k
  // The invariants are still shifting, but it is possible that the
2091
10.0k
  // last element in a CFGBlock is not a CFGStmt.  Look for the last
2092
10.0k
  // CFGStmt as the value of the condition.
2093
10.0k
  CFGBlock::const_reverse_iterator I = B->rbegin(), E = B->rend();
2094
10.0k
  for (; I != E; 
++I0
) {
2095
10.0k
    CFGElement Elem = *I;
2096
10.0k
    Optional<CFGStmt> CS = Elem.getAs<CFGStmt>();
2097
10.0k
    if (!CS)
2098
0
      continue;
2099
10.0k
    const Stmt *LastStmt = CS->getStmt();
2100
10.0k
    assert(LastStmt == Condition || LastStmt == getRightmostLeaf(Condition));
2101
10.0k
    return LastStmt;
2102
10.0k
  }
2103
10.0k
  
llvm_unreachable0
("could not resolve condition");
2104
10.0k
}
2105
2106
void ExprEngine::processBranch(const Stmt *Condition,
2107
                               NodeBuilderContext& BldCtx,
2108
                               ExplodedNode *Pred,
2109
                               ExplodedNodeSet &Dst,
2110
                               const CFGBlock *DstT,
2111
47.4k
                               const CFGBlock *DstF) {
2112
47.4k
  assert((!Condition || !isa<CXXBindTemporaryExpr>(Condition)) &&
2113
47.4k
         "CXXBindTemporaryExprs are handled by processBindTemporary.");
2114
47.4k
  const LocationContext *LCtx = Pred->getLocationContext();
2115
47.4k
  PrettyStackTraceLocationContext StackCrashInfo(LCtx);
2116
47.4k
  currBldrCtx = &BldCtx;
2117
47.4k
2118
47.4k
  // Check for NULL conditions; e.g. "for(;;)"
2119
47.4k
  if (!Condition) {
2120
154
    BranchNodeBuilder NullCondBldr(Pred, Dst, BldCtx, DstT, DstF);
2121
154
    NullCondBldr.markInfeasible(false);
2122
154
    NullCondBldr.generateNode(Pred->getState(), true, Pred);
2123
154
    return;
2124
154
  }
2125
47.2k
2126
47.2k
  if (const auto *Ex = dyn_cast<Expr>(Condition))
2127
46.8k
    Condition = Ex->IgnoreParens();
2128
47.2k
2129
47.2k
  Condition = ResolveCondition(Condition, BldCtx.getBlock());
2130
47.2k
  PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
2131
47.2k
                                Condition->getBeginLoc(),
2132
47.2k
                                "Error evaluating branch");
2133
47.2k
2134
47.2k
  ExplodedNodeSet CheckersOutSet;
2135
47.2k
  getCheckerManager().runCheckersForBranchCondition(Condition, CheckersOutSet,
2136
47.2k
                                                    Pred, *this);
2137
47.2k
  // We generated only sinks.
2138
47.2k
  if (CheckersOutSet.empty())
2139
57
    return;
2140
47.2k
2141
47.2k
  BranchNodeBuilder builder(CheckersOutSet, Dst, BldCtx, DstT, DstF);
2142
47.2k
  for (const auto PredI : CheckersOutSet) {
2143
47.2k
    if (PredI->isSink())
2144
0
      continue;
2145
47.2k
2146
47.2k
    ProgramStateRef PrevState = PredI->getState();
2147
47.2k
    SVal X = PrevState->getSVal(Condition, PredI->getLocationContext());
2148
47.2k
2149
47.2k
    if (X.isUnknownOrUndef()) {
2150
5.03k
      // Give it a chance to recover from unknown.
2151
5.03k
      if (const auto *Ex = dyn_cast<Expr>(Condition)) {
2152
5.03k
        if (Ex->getType()->isIntegralOrEnumerationType()) {
2153
5.03k
          // Try to recover some path-sensitivity.  Right now casts of symbolic
2154
5.03k
          // integers that promote their values are currently not tracked well.
2155
5.03k
          // If 'Condition' is such an expression, try and recover the
2156
5.03k
          // underlying value and use that instead.
2157
5.03k
          SVal recovered = RecoverCastedSymbol(PrevState, Condition,
2158
5.03k
                                               PredI->getLocationContext(),
2159
5.03k
                                               getContext());
2160
5.03k
2161
5.03k
          if (!recovered.isUnknown()) {
2162
10
            X = recovered;
2163
10
          }
2164
5.03k
        }
2165
5.03k
      }
2166
5.03k
    }
2167
47.2k
2168
47.2k
    // If the condition is still unknown, give up.
2169
47.2k
    if (X.isUnknownOrUndef()) {
2170
5.02k
      builder.generateNode(PrevState, true, PredI);
2171
5.02k
      builder.generateNode(PrevState, false, PredI);
2172
5.02k
      continue;
2173
5.02k
    }
2174
42.2k
2175
42.2k
    DefinedSVal V = X.castAs<DefinedSVal>();
2176
42.2k
2177
42.2k
    ProgramStateRef StTrue, StFalse;
2178
42.2k
    std::tie(StTrue, StFalse) = PrevState->assume(V);
2179
42.2k
2180
42.2k
    // Process the true branch.
2181
42.2k
    if (builder.isFeasible(true)) {
2182
42.0k
      if (StTrue)
2183
35.8k
        builder.generateNode(StTrue, true, PredI);
2184
6.19k
      else
2185
6.19k
        builder.markInfeasible(true);
2186
42.0k
    }
2187
42.2k
2188
42.2k
    // Process the false branch.
2189
42.2k
    if (builder.isFeasible(false)) {
2190
41.3k
      if (StFalse)
2191
32.5k
        builder.generateNode(StFalse, false, PredI);
2192
8.73k
      else
2193
8.73k
        builder.markInfeasible(false);
2194
41.3k
    }
2195
42.2k
  }
2196
47.2k
  currBldrCtx = nullptr;
2197
47.2k
}
2198
2199
/// The GDM component containing the set of global variables which have been
2200
/// previously initialized with explicit initializers.
2201
REGISTER_TRAIT_WITH_PROGRAMSTATE(InitializedGlobalsSet,
2202
                                 llvm::ImmutableSet<const VarDecl *>)
2203
2204
void ExprEngine::processStaticInitializer(const DeclStmt *DS,
2205
                                          NodeBuilderContext &BuilderCtx,
2206
                                          ExplodedNode *Pred,
2207
                                          ExplodedNodeSet &Dst,
2208
                                          const CFGBlock *DstT,
2209
198
                                          const CFGBlock *DstF) {
2210
198
  PrettyStackTraceLocationContext CrashInfo(Pred->getLocationContext());
2211
198
  currBldrCtx = &BuilderCtx;
2212
198
2213
198
  const auto *VD = cast<VarDecl>(DS->getSingleDecl());
2214
198
  ProgramStateRef state = Pred->getState();
2215
198
  bool initHasRun = state->contains<InitializedGlobalsSet>(VD);
2216
198
  BranchNodeBuilder builder(Pred, Dst, BuilderCtx, DstT, DstF);
2217
198
2218
198
  if (!initHasRun) {
2219
193
    state = state->add<InitializedGlobalsSet>(VD);
2220
193
  }
2221
198
2222
198
  builder.generateNode(state, initHasRun, Pred);
2223
198
  builder.markInfeasible(!initHasRun);
2224
198
2225
198
  currBldrCtx = nullptr;
2226
198
}
2227
2228
/// processIndirectGoto - Called by CoreEngine.  Used to generate successor
2229
///  nodes by processing the 'effects' of a computed goto jump.
2230
8
void ExprEngine::processIndirectGoto(IndirectGotoNodeBuilder &builder) {
2231
8
  ProgramStateRef state = builder.getState();
2232
8
  SVal V = state->getSVal(builder.getTarget(), builder.getLocationContext());
2233
8
2234
8
  // Three possibilities:
2235
8
  //
2236
8
  //   (1) We know the computed label.
2237
8
  //   (2) The label is NULL (or some other constant), or Undefined.
2238
8
  //   (3) We have no clue about the label.  Dispatch to all targets.
2239
8
  //
2240
8
2241
8
  using iterator = IndirectGotoNodeBuilder::iterator;
2242
8
2243
8
  if (Optional<loc::GotoLabel> LV = V.getAs<loc::GotoLabel>()) {
2244
0
    const LabelDecl *L = LV->getLabel();
2245
0
2246
0
    for (iterator I = builder.begin(), E = builder.end(); I != E; ++I) {
2247
0
      if (I.getLabel() == L) {
2248
0
        builder.generateNode(I, state);
2249
0
        return;
2250
0
      }
2251
0
    }
2252
0
2253
0
    llvm_unreachable("No block with label.");
2254
8
  }
2255
8
2256
8
  if (V.getAs<loc::ConcreteInt>() || V.getAs<UndefinedVal>()) {
2257
0
    // Dispatch to the first target and mark it as a sink.
2258
0
    //ExplodedNode* N = builder.generateNode(builder.begin(), state, true);
2259
0
    // FIXME: add checker visit.
2260
0
    //    UndefBranches.insert(N);
2261
0
    return;
2262
0
  }
2263
8
2264
8
  // This is really a catch-all.  We don't support symbolics yet.
2265
8
  // FIXME: Implement dispatch for symbolic pointers.
2266
8
2267
16
  
for (iterator I = builder.begin(), E = builder.end(); 8
I != E;
++I8
)
2268
8
    builder.generateNode(I, state);
2269
8
}
2270
2271
void ExprEngine::processBeginOfFunction(NodeBuilderContext &BC,
2272
                                        ExplodedNode *Pred,
2273
                                        ExplodedNodeSet &Dst,
2274
76.4k
                                        const BlockEdge &L) {
2275
76.4k
  SaveAndRestore<const NodeBuilderContext *> NodeContextRAII(currBldrCtx, &BC);
2276
76.4k
  getCheckerManager().runCheckersForBeginFunction(Dst, L, Pred, *this);
2277
76.4k
}
2278
2279
/// ProcessEndPath - Called by CoreEngine.  Used to generate end-of-path
2280
///  nodes when the control reaches the end of a function.
2281
void ExprEngine::processEndOfFunction(NodeBuilderContext& BC,
2282
                                      ExplodedNode *Pred,
2283
99.9k
                                      const ReturnStmt *RS) {
2284
99.9k
  ProgramStateRef State = Pred->getState();
2285
99.9k
2286
99.9k
  if (!Pred->getStackFrame()->inTopFrame())
2287
78.0k
    State = finishArgumentConstruction(
2288
78.0k
        State, *getStateManager().getCallEventManager().getCaller(
2289
78.0k
                   Pred->getStackFrame(), Pred->getState()));
2290
99.9k
2291
99.9k
  // FIXME: We currently cannot assert that temporaries are clear, because
2292
99.9k
  // lifetime extended temporaries are not always modelled correctly. In some
2293
99.9k
  // cases when we materialize the temporary, we do
2294
99.9k
  // createTemporaryRegionIfNeeded(), and the region changes, and also the
2295
99.9k
  // respective destructor becomes automatic from temporary. So for now clean up
2296
99.9k
  // the state manually before asserting. Ideally, this braced block of code
2297
99.9k
  // should go away.
2298
99.9k
  {
2299
99.9k
    const LocationContext *FromLC = Pred->getLocationContext();
2300
99.9k
    const LocationContext *ToLC = FromLC->getStackFrame()->getParent();
2301
99.9k
    const LocationContext *LC = FromLC;
2302
199k
    while (LC != ToLC) {
2303
99.9k
      assert(LC && "ToLC must be a parent of FromLC!");
2304
99.9k
      for (auto I : State->get<ObjectsUnderConstruction>())
2305
78.6k
        if (I.first.getLocationContext() == LC) {
2306
354
          // The comment above only pardons us for not cleaning up a
2307
354
          // temporary destructor. If any other statements are found here,
2308
354
          // it must be a separate problem.
2309
354
          assert(I.first.getItem().getKind() ==
2310
354
                     ConstructionContextItem::TemporaryDestructorKind ||
2311
354
                 I.first.getItem().getKind() ==
2312
354
                     ConstructionContextItem::ElidedDestructorKind);
2313
354
          State = State->remove<ObjectsUnderConstruction>(I.first);
2314
354
        }
2315
99.9k
      LC = LC->getParent();
2316
99.9k
    }
2317
99.9k
  }
2318
99.9k
2319
99.9k
  // Perform the transition with cleanups.
2320
99.9k
  if (State != Pred->getState()) {
2321
11.9k
    ExplodedNodeSet PostCleanup;
2322
11.9k
    NodeBuilder Bldr(Pred, PostCleanup, BC);
2323
11.9k
    Pred = Bldr.generateNode(Pred->getLocation(), State, Pred);
2324
11.9k
    if (!Pred) {
2325
4
      // The node with clean temporaries already exists. We might have reached
2326
4
      // it on a path on which we initialize different temporaries.
2327
4
      return;
2328
4
    }
2329
99.9k
  }
2330
99.9k
2331
99.9k
  assert(areAllObjectsFullyConstructed(Pred->getState(),
2332
99.9k
                                       Pred->getLocationContext(),
2333
99.9k
                                       Pred->getStackFrame()->getParent()));
2334
99.9k
2335
99.9k
  PrettyStackTraceLocationContext CrashInfo(Pred->getLocationContext());
2336
99.9k
2337
99.9k
  ExplodedNodeSet Dst;
2338
99.9k
  if (Pred->getLocationContext()->inTopFrame()) {
2339
21.8k
    // Remove dead symbols.
2340
21.8k
    ExplodedNodeSet AfterRemovedDead;
2341
21.8k
    removeDeadOnEndOfFunction(BC, Pred, AfterRemovedDead);
2342
21.8k
2343
21.8k
    // Notify checkers.
2344
21.8k
    for (const auto I : AfterRemovedDead)
2345
20.9k
      getCheckerManager().runCheckersForEndFunction(BC, Dst, I, *this, RS);
2346
78.0k
  } else {
2347
78.0k
    getCheckerManager().runCheckersForEndFunction(BC, Dst, Pred, *this, RS);
2348
78.0k
  }
2349
99.9k
2350
99.9k
  Engine.enqueueEndOfFunction(Dst, RS);
2351
99.9k
}
2352
2353
/// ProcessSwitch - Called by CoreEngine.  Used to generate successor
2354
///  nodes by processing the 'effects' of a switch statement.
2355
241
void ExprEngine::processSwitch(SwitchNodeBuilder& builder) {
2356
241
  using iterator = SwitchNodeBuilder::iterator;
2357
241
2358
241
  ProgramStateRef state = builder.getState();
2359
241
  const Expr *CondE = builder.getCondition();
2360
241
  SVal  CondV_untested = state->getSVal(CondE, builder.getLocationContext());
2361
241
2362
241
  if (CondV_untested.isUndef()) {
2363
0
    //ExplodedNode* N = builder.generateDefaultCaseNode(state, true);
2364
0
    // FIXME: add checker
2365
0
    //UndefBranches.insert(N);
2366
0
2367
0
    return;
2368
0
  }
2369
241
  DefinedOrUnknownSVal CondV = CondV_untested.castAs<DefinedOrUnknownSVal>();
2370
241
2371
241
  ProgramStateRef DefaultSt = state;
2372
241
2373
241
  iterator I = builder.begin(), EI = builder.end();
2374
241
  bool defaultIsFeasible = I == EI;
2375
241
2376
703
  for ( ; I != EI; 
++I462
) {
2377
546
    // Successor may be pruned out during CFG construction.
2378
546
    if (!I.getBlock())
2379
2
      continue;
2380
544
2381
544
    const CaseStmt *Case = I.getCase();
2382
544
2383
544
    // Evaluate the LHS of the case value.
2384
544
    llvm::APSInt V1 = Case->getLHS()->EvaluateKnownConstInt(getContext());
2385
544
    assert(V1.getBitWidth() == getContext().getIntWidth(CondE->getType()));
2386
544
2387
544
    // Get the RHS of the case, if it exists.
2388
544
    llvm::APSInt V2;
2389
544
    if (const Expr *E = Case->getRHS())
2390
28
      V2 = E->EvaluateKnownConstInt(getContext());
2391
516
    else
2392
516
      V2 = V1;
2393
544
2394
544
    ProgramStateRef StateCase;
2395
544
    if (Optional<NonLoc> NL = CondV.getAs<NonLoc>())
2396
544
      std::tie(StateCase, DefaultSt) =
2397
544
          DefaultSt->assumeInclusiveRange(*NL, V1, V2);
2398
0
    else // UnknownVal
2399
0
      StateCase = DefaultSt;
2400
544
2401
544
    if (StateCase)
2402
401
      builder.generateCaseStmtNode(I, StateCase);
2403
544
2404
544
    // Now "assume" that the case doesn't match.  Add this state
2405
544
    // to the default state (if it is feasible).
2406
544
    if (DefaultSt)
2407
460
      defaultIsFeasible = true;
2408
84
    else {
2409
84
      defaultIsFeasible = false;
2410
84
      break;
2411
84
    }
2412
544
  }
2413
241
2414
241
  if (!defaultIsFeasible)
2415
84
    return;
2416
157
2417
157
  // If we have switch(enum value), the default branch is not
2418
157
  // feasible if all of the enum constants not covered by 'case:' statements
2419
157
  // are not feasible values for the switch condition.
2420
157
  //
2421
157
  // Note that this isn't as accurate as it could be.  Even if there isn't
2422
157
  // a case for a particular enum value as long as that enum value isn't
2423
157
  // feasible then it shouldn't be considered for making 'default:' reachable.
2424
157
  const SwitchStmt *SS = builder.getSwitch();
2425
157
  const Expr *CondExpr = SS->getCond()->IgnoreParenImpCasts();
2426
157
  if (CondExpr->getType()->getAs<EnumType>()) {
2427
11
    if (SS->isAllEnumCasesCovered())
2428
6
      return;
2429
151
  }
2430
151
2431
151
  builder.generateDefaultCaseNode(DefaultSt);
2432
151
}
2433
2434
//===----------------------------------------------------------------------===//
2435
// Transfer functions: Loads and stores.
2436
//===----------------------------------------------------------------------===//
2437
2438
void ExprEngine::VisitCommonDeclRefExpr(const Expr *Ex, const NamedDecl *D,
2439
                                        ExplodedNode *Pred,
2440
260k
                                        ExplodedNodeSet &Dst) {
2441
260k
  StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
2442
260k
2443
260k
  ProgramStateRef state = Pred->getState();
2444
260k
  const LocationContext *LCtx = Pred->getLocationContext();
2445
260k
2446
260k
  if (const auto *VD = dyn_cast<VarDecl>(D)) {
2447
205k
    // C permits "extern void v", and if you cast the address to a valid type,
2448
205k
    // you can even do things with it. We simply pretend
2449
205k
    assert(Ex->isGLValue() || VD->getType()->isVoidType());
2450
205k
    const LocationContext *LocCtxt = Pred->getLocationContext();
2451
205k
    const Decl *D = LocCtxt->getDecl();
2452
205k
    const auto *MD = dyn_cast_or_null<CXXMethodDecl>(D);
2453
205k
    const auto *DeclRefEx = dyn_cast<DeclRefExpr>(Ex);
2454
205k
    Optional<std::pair<SVal, QualType>> VInfo;
2455
205k
2456
205k
    if (AMgr.options.ShouldInlineLambdas && 
DeclRefEx205k
&&
2457
205k
        
DeclRefEx->refersToEnclosingVariableOrCapture()205k
&&
MD677
&&
2458
205k
        
MD->getParent()->isLambda()270
) {
2459
270
      // Lookup the field of the lambda.
2460
270
      const CXXRecordDecl *CXXRec = MD->getParent();
2461
270
      llvm::DenseMap<const VarDecl *, FieldDecl *> LambdaCaptureFields;
2462
270
      FieldDecl *LambdaThisCaptureField;
2463
270
      CXXRec->getCaptureFields(LambdaCaptureFields, LambdaThisCaptureField);
2464
270
2465
270
      // Sema follows a sequence of complex rules to determine whether the
2466
270
      // variable should be captured.
2467
270
      if (const FieldDecl *FD = LambdaCaptureFields[VD]) {
2468
262
        Loc CXXThis =
2469
262
            svalBuilder.getCXXThis(MD, LocCtxt->getStackFrame());
2470
262
        SVal CXXThisVal = state->getSVal(CXXThis);
2471
262
        VInfo = std::make_pair(state->getLValue(FD, CXXThisVal), FD->getType());
2472
262
      }
2473
270
    }
2474
205k
2475
205k
    if (!VInfo)
2476
204k
      VInfo = std::make_pair(state->getLValue(VD, LocCtxt), VD->getType());
2477
205k
2478
205k
    SVal V = VInfo->first;
2479
205k
    bool IsReference = VInfo->second->isReferenceType();
2480
205k
2481
205k
    // For references, the 'lvalue' is the pointer address stored in the
2482
205k
    // reference region.
2483
205k
    if (IsReference) {
2484
29.6k
      if (const MemRegion *R = V.getAsRegion())
2485
29.6k
        V = state->getSVal(R);
2486
0
      else
2487
0
        V = UnknownVal();
2488
29.6k
    }
2489
205k
2490
205k
    Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr,
2491
205k
                      ProgramPoint::PostLValueKind);
2492
205k
    return;
2493
205k
  }
2494
55.1k
  if (const auto *ED = dyn_cast<EnumConstantDecl>(D)) {
2495
261
    assert(!Ex->isGLValue());
2496
261
    SVal V = svalBuilder.makeIntVal(ED->getInitVal());
2497
261
    Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V));
2498
261
    return;
2499
261
  }
2500
54.8k
  if (const auto *FD = dyn_cast<FunctionDecl>(D)) {
2501
54.8k
    SVal V = svalBuilder.getFunctionPointer(FD);
2502
54.8k
    Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr,
2503
54.8k
                      ProgramPoint::PostLValueKind);
2504
54.8k
    return;
2505
54.8k
  }
2506
42
  if (isa<FieldDecl>(D) || 
isa<IndirectFieldDecl>(D)24
) {
2507
24
    // FIXME: Compute lvalue of field pointers-to-member.
2508
24
    // Right now we just use a non-null void pointer, so that it gives proper
2509
24
    // results in boolean contexts.
2510
24
    // FIXME: Maybe delegate this to the surrounding operator&.
2511
24
    // Note how this expression is lvalue, however pointer-to-member is NonLoc.
2512
24
    SVal V = svalBuilder.conjureSymbolVal(Ex, LCtx, getContext().VoidPtrTy,
2513
24
                                          currBldrCtx->blockCount());
2514
24
    state = state->assume(V.castAs<DefinedOrUnknownSVal>(), true);
2515
24
    Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr,
2516
24
                      ProgramPoint::PostLValueKind);
2517
24
    return;
2518
24
  }
2519
18
  if (isa<BindingDecl>(D)) {
2520
18
    // FIXME: proper support for bound declarations.
2521
18
    // For now, let's just prevent crashing.
2522
18
    return;
2523
18
  }
2524
0
2525
0
  llvm_unreachable("Support for this Decl not implemented.");
2526
0
}
2527
2528
/// VisitArraySubscriptExpr - Transfer function for array accesses
2529
void ExprEngine::VisitArraySubscriptExpr(const ArraySubscriptExpr *A,
2530
                                             ExplodedNode *Pred,
2531
10.0k
                                             ExplodedNodeSet &Dst){
2532
10.0k
  const Expr *Base = A->getBase()->IgnoreParens();
2533
10.0k
  const Expr *Idx  = A->getIdx()->IgnoreParens();
2534
10.0k
2535
10.0k
  ExplodedNodeSet CheckerPreStmt;
2536
10.0k
  getCheckerManager().runCheckersForPreStmt(CheckerPreStmt, Pred, A, *this);
2537
10.0k
2538
10.0k
  ExplodedNodeSet EvalSet;
2539
10.0k
  StmtNodeBuilder Bldr(CheckerPreStmt, EvalSet, *currBldrCtx);
2540
10.0k
2541
10.0k
  bool IsVectorType = A->getBase()->getType()->isVectorType();
2542
10.0k
2543
10.0k
  // The "like" case is for situations where C standard prohibits the type to
2544
10.0k
  // be an lvalue, e.g. taking the address of a subscript of an expression of
2545
10.0k
  // type "void *".
2546
10.0k
  bool IsGLValueLike = A->isGLValue() ||
2547
10.0k
    
(6
A->getType().isCForbiddenLValueType()6
&&
!AMgr.getLangOpts().CPlusPlus4
);
2548
10.0k
2549
10.0k
  for (auto *Node : CheckerPreStmt) {
2550
9.99k
    const LocationContext *LCtx = Node->getLocationContext();
2551
9.99k
    ProgramStateRef state = Node->getState();
2552
9.99k
2553
9.99k
    if (IsGLValueLike) {
2554
9.99k
      QualType T = A->getType();
2555
9.99k
2556
9.99k
      // One of the forbidden LValue types! We still need to have sensible
2557
9.99k
      // symbolic locations to represent this stuff. Note that arithmetic on
2558
9.99k
      // void pointers is a GCC extension.
2559
9.99k
      if (T->isVoidType())
2560
4
        T = getContext().CharTy;
2561
9.99k
2562
9.99k
      SVal V = state->getLValue(T,
2563
9.99k
                                state->getSVal(Idx, LCtx),
2564
9.99k
                                state->getSVal(Base, LCtx));
2565
9.99k
      Bldr.generateNode(A, Node, state->BindExpr(A, LCtx, V), nullptr,
2566
9.99k
          ProgramPoint::PostLValueKind);
2567
9.99k
    } else 
if (2
IsVectorType2
) {
2568
2
      // FIXME: non-glvalue vector reads are not modelled.
2569
2
      Bldr.generateNode(A, Node, state, nullptr);
2570
2
    } else {
2571
0
      llvm_unreachable("Array subscript should be an lValue when not \
2572
0
a vector and not a forbidden lvalue type");
2573
0
    }
2574
9.99k
  }
2575
10.0k
2576
10.0k
  getCheckerManager().runCheckersForPostStmt(Dst, EvalSet, A, *this);
2577
10.0k
}
2578
2579
/// VisitMemberExpr - Transfer function for member expressions.
2580
void ExprEngine::VisitMemberExpr(const MemberExpr *M, ExplodedNode *Pred,
2581
78.5k
                                 ExplodedNodeSet &Dst) {
2582
78.5k
  // FIXME: Prechecks eventually go in ::Visit().
2583
78.5k
  ExplodedNodeSet CheckedSet;
2584
78.5k
  getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, M, *this);
2585
78.5k
2586
78.5k
  ExplodedNodeSet EvalSet;
2587
78.5k
  ValueDecl *Member = M->getMemberDecl();
2588
78.5k
2589
78.5k
  // Handle static member variables and enum constants accessed via
2590
78.5k
  // member syntax.
2591
78.5k
  if (isa<VarDecl>(Member) || 
isa<EnumConstantDecl>(Member)78.5k
) {
2592
7
    for (const auto I : CheckedSet)
2593
7
      VisitCommonDeclRefExpr(M, Member, I, EvalSet);
2594
78.5k
  } else {
2595
78.5k
    StmtNodeBuilder Bldr(CheckedSet, EvalSet, *currBldrCtx);
2596
78.5k
    ExplodedNodeSet Tmp;
2597
78.5k
2598
78.5k
    for (const auto I : CheckedSet) {
2599
78.5k
      ProgramStateRef state = I->getState();
2600
78.5k
      const LocationContext *LCtx = I->getLocationContext();
2601
78.5k
      Expr *BaseExpr = M->getBase();
2602
78.5k
2603
78.5k
      // Handle C++ method calls.
2604
78.5k
      if (const auto *MD = dyn_cast<CXXMethodDecl>(Member)) {
2605
27.3k
        if (MD->isInstance())
2606
27.3k
          state = createTemporaryRegionIfNeeded(state, LCtx, BaseExpr);
2607
27.3k
2608
27.3k
        SVal MDVal = svalBuilder.getFunctionPointer(MD);
2609
27.3k
        state = state->BindExpr(M, LCtx, MDVal);
2610
27.3k
2611
27.3k
        Bldr.generateNode(M, I, state);
2612
27.3k
        continue;
2613
27.3k
      }
2614
51.2k
2615
51.2k
      // Handle regular struct fields / member variables.
2616
51.2k
      const SubRegion *MR = nullptr;
2617
51.2k
      state = createTemporaryRegionIfNeeded(state, LCtx, BaseExpr,
2618
51.2k
                                            /*Result=*/nullptr,
2619
51.2k
                                            /*OutRegionWithAdjustments=*/&MR);
2620
51.2k
      SVal baseExprVal =
2621
51.2k
          MR ? 
loc::MemRegionVal(MR)48
:
state->getSVal(BaseExpr, LCtx)51.1k
;
2622
51.2k
2623
51.2k
      const auto *field = cast<FieldDecl>(Member);
2624
51.2k
      SVal L = state->getLValue(field, baseExprVal);
2625
51.2k
2626
51.2k
      if (M->isGLValue() || 
M->getType()->isArrayType()48
) {
2627
51.1k
        // We special-case rvalues of array type because the analyzer cannot
2628
51.1k
        // reason about them, since we expect all regions to be wrapped in Locs.
2629
51.1k
        // We instead treat these as lvalues and assume that they will decay to
2630
51.1k
        // pointers as soon as they are used.
2631
51.1k
        if (!M->isGLValue()) {
2632
3
          assert(M->getType()->isArrayType());
2633
3
          const auto *PE =
2634
3
            dyn_cast<ImplicitCastExpr>(I->getParentMap().getParentIgnoreParens(M));
2635
3
          if (!PE || PE->getCastKind() != CK_ArrayToPointerDecay) {
2636
0
            llvm_unreachable("should always be wrapped in ArrayToPointerDecay");
2637
0
          }
2638
51.1k
        }
2639
51.1k
2640
51.1k
        if (field->getType()->isReferenceType()) {
2641
354
          if (const MemRegion *R = L.getAsRegion())
2642
354
            L = state->getSVal(R);
2643
0
          else
2644
0
            L = UnknownVal();
2645
354
        }
2646
51.1k
2647
51.1k
        Bldr.generateNode(M, I, state->BindExpr(M, LCtx, L), nullptr,
2648
51.1k
                          ProgramPoint::PostLValueKind);
2649
51.1k
      } else {
2650
45
        Bldr.takeNodes(I);
2651
45
        evalLoad(Tmp, M, M, I, state, L);
2652
45
        Bldr.addNodes(Tmp);
2653
45
      }
2654
51.2k
    }
2655
78.5k
  }
2656
78.5k
2657
78.5k
  getCheckerManager().runCheckersForPostStmt(Dst, EvalSet, M, *this);
2658
78.5k
}
2659
2660
void ExprEngine::VisitAtomicExpr(const AtomicExpr *AE, ExplodedNode *Pred,
2661
54
                                 ExplodedNodeSet &Dst) {
2662
54
  ExplodedNodeSet AfterPreSet;
2663
54
  getCheckerManager().runCheckersForPreStmt(AfterPreSet, Pred, AE, *this);
2664
54
2665
54
  // For now, treat all the arguments to C11 atomics as escaping.
2666
54
  // FIXME: Ideally we should model the behavior of the atomics precisely here.
2667
54
2668
54
  ExplodedNodeSet AfterInvalidateSet;
2669
54
  StmtNodeBuilder Bldr(AfterPreSet, AfterInvalidateSet, *currBldrCtx);
2670
54
2671
54
  for (const auto I : AfterPreSet) {
2672
54
    ProgramStateRef State = I->getState();
2673
54
    const LocationContext *LCtx = I->getLocationContext();
2674
54
2675
54
    SmallVector<SVal, 8> ValuesToInvalidate;
2676
219
    for (unsigned SI = 0, Count = AE->getNumSubExprs(); SI != Count; 
SI++165
) {
2677
165
      const Expr *SubExpr = AE->getSubExprs()[SI];
2678
165
      SVal SubExprVal = State->getSVal(SubExpr, LCtx);
2679
165
      ValuesToInvalidate.push_back(SubExprVal);
2680
165
    }
2681
54
2682
54
    State = State->invalidateRegions(ValuesToInvalidate, AE,
2683
54
                                    currBldrCtx->blockCount(),
2684
54
                                    LCtx,
2685
54
                                    /*CausedByPointerEscape*/true,
2686
54
                                    /*Symbols=*/nullptr);
2687
54
2688
54
    SVal ResultVal = UnknownVal();
2689
54
    State = State->BindExpr(AE, LCtx, ResultVal);
2690
54
    Bldr.generateNode(AE, I, State, nullptr,
2691
54
                      ProgramPoint::PostStmtKind);
2692
54
  }
2693
54
2694
54
  getCheckerManager().runCheckersForPostStmt(Dst, AfterInvalidateSet, AE, *this);
2695
54
}
2696
2697
// A value escapes in four possible cases:
2698
// (1) We are binding to something that is not a memory region.
2699
// (2) We are binding to a MemRegion that does not have stack storage.
2700
// (3) We are binding to a top-level parameter region with a non-trivial
2701
//     destructor. We won't see the destructor during analysis, but it's there.
2702
// (4) We are binding to a MemRegion with stack storage that the store
2703
//     does not understand.
2704
ProgramStateRef ExprEngine::processPointerEscapedOnBind(
2705
    ProgramStateRef State, ArrayRef<std::pair<SVal, SVal>> LocAndVals,
2706
    const LocationContext *LCtx, PointerEscapeKind Kind,
2707
123k
    const CallEvent *Call) {
2708
123k
  SmallVector<SVal, 8> Escaped;
2709
123k
  for (const std::pair<SVal, SVal> &LocAndVal : LocAndVals) {
2710
89.2k
    // Cases (1) and (2).
2711
89.2k
    const MemRegion *MR = LocAndVal.first.getAsRegion();
2712
89.2k
    if (!MR || 
!MR->hasStackStorage()89.1k
) {
2713
5.32k
      Escaped.push_back(LocAndVal.second);
2714
5.32k
      continue;
2715
5.32k
    }
2716
83.8k
2717
83.8k
    // Case (3).
2718
83.8k
    if (const auto *VR = dyn_cast<VarRegion>(MR->getBaseRegion()))
2719
71.5k
      if (VR->hasStackParametersStorage() && 
VR->getStackFrame()->inTopFrame()11.0k
)
2720
5.37k
        if (const auto *RD = VR->getValueType()->getAsCXXRecordDecl())
2721
17
          if (!RD->hasTrivialDestructor()) {
2722
4
            Escaped.push_back(LocAndVal.second);
2723
4
            continue;
2724
4
          }
2725
83.8k
2726
83.8k
    // Case (4): in order to test that, generate a new state with the binding
2727
83.8k
    // added. If it is the same state, then it escapes (since the store cannot
2728
83.8k
    // represent the binding).
2729
83.8k
    // Do this only if we know that the store is not supposed to generate the
2730
83.8k
    // same state.
2731
83.8k
    SVal StoredVal = State->getSVal(MR);
2732
83.8k
    if (StoredVal != LocAndVal.second)
2733
76.9k
      if (State ==
2734
76.9k
          (State->bindLoc(loc::MemRegionVal(MR), LocAndVal.second, LCtx)))
2735
153
        Escaped.push_back(LocAndVal.second);
2736
83.8k
  }
2737
123k
2738
123k
  if (Escaped.empty())
2739
118k
    return State;
2740
5.35k
2741
5.35k
  return escapeValues(State, Escaped, Kind, Call);
2742
5.35k
}
2743
2744
ProgramStateRef
2745
ExprEngine::processPointerEscapedOnBind(ProgramStateRef State, SVal Loc,
2746
83.3k
                                        SVal Val, const LocationContext *LCtx) {
2747
83.3k
  std::pair<SVal, SVal> LocAndVal(Loc, Val);
2748
83.3k
  return processPointerEscapedOnBind(State, LocAndVal, LCtx, PSK_EscapeOnBind,
2749
83.3k
                                     nullptr);
2750
83.3k
}
2751
2752
ProgramStateRef
2753
ExprEngine::notifyCheckersOfPointerEscape(ProgramStateRef State,
2754
    const InvalidatedSymbols *Invalidated,
2755
    ArrayRef<const MemRegion *> ExplicitRegions,
2756
    const CallEvent *Call,
2757
34.0k
    RegionAndSymbolInvalidationTraits &ITraits) {
2758
34.0k
  if (!Invalidated || Invalidated->empty())
2759
5.01k
    return State;
2760
29.0k
2761
29.0k
  if (!Call)
2762
233
    return getCheckerManager().runCheckersForPointerEscape(State,
2763
233
                                                           *Invalidated,
2764
233
                                                           nullptr,
2765
233
                                                           PSK_EscapeOther,
2766
233
                                                           &ITraits);
2767
28.8k
2768
28.8k
  // If the symbols were invalidated by a call, we want to find out which ones
2769
28.8k
  // were invalidated directly due to being arguments to the call.
2770
28.8k
  InvalidatedSymbols SymbolsDirectlyInvalidated;
2771
28.8k
  for (const auto I : ExplicitRegions) {
2772
21.6k
    if (const SymbolicRegion *R = I->StripCasts()->getAs<SymbolicRegion>())
2773
7.02k
      SymbolsDirectlyInvalidated.insert(R->getSymbol());
2774
21.6k
  }
2775
28.8k
2776
28.8k
  InvalidatedSymbols SymbolsIndirectlyInvalidated;
2777
69.2k
  for (const auto &sym : *Invalidated) {
2778
69.2k
    if (SymbolsDirectlyInvalidated.count(sym))
2779
6.98k
      continue;
2780
62.2k
    SymbolsIndirectlyInvalidated.insert(sym);
2781
62.2k
  }
2782
28.8k
2783
28.8k
  if (!SymbolsDirectlyInvalidated.empty())
2784
6.29k
    State = getCheckerManager().runCheckersForPointerEscape(State,
2785
6.29k
        SymbolsDirectlyInvalidated, Call, PSK_DirectEscapeOnCall, &ITraits);
2786
28.8k
2787
28.8k
  // Notify about the symbols that get indirectly invalidated by the call.
2788
28.8k
  if (!SymbolsIndirectlyInvalidated.empty())
2789
27.4k
    State = getCheckerManager().runCheckersForPointerEscape(State,
2790
27.4k
        SymbolsIndirectlyInvalidated, Call, PSK_IndirectEscapeOnCall, &ITraits);
2791
28.8k
2792
28.8k
  return State;
2793
28.8k
}
2794
2795
/// evalBind - Handle the semantics of binding a value to a specific location.
2796
///  This method is used by evalStore and (soon) VisitDeclStmt, and others.
2797
void ExprEngine::evalBind(ExplodedNodeSet &Dst, const Stmt *StoreE,
2798
                          ExplodedNode *Pred,
2799
                          SVal location, SVal Val,
2800
83.7k
                          bool atDeclInit, const ProgramPoint *PP) {
2801
83.7k
  const LocationContext *LC = Pred->getLocationContext();
2802
83.7k
  PostStmt PS(StoreE, LC);
2803
83.7k
  if (!PP)
2804
73.7k
    PP = &PS;
2805
83.7k
2806
83.7k
  // Do a previsit of the bind.
2807
83.7k
  ExplodedNodeSet CheckedSet;
2808
83.7k
  getCheckerManager().runCheckersForBind(CheckedSet, Pred, location, Val,
2809
83.7k
                                         StoreE, *this, *PP);
2810
83.7k
2811
83.7k
  StmtNodeBuilder Bldr(CheckedSet, Dst, *currBldrCtx);
2812
83.7k
2813
83.7k
  // If the location is not a 'Loc', it will already be handled by
2814
83.7k
  // the checkers.  There is nothing left to do.
2815
83.7k
  if (!location.getAs<Loc>()) {
2816
48
    const ProgramPoint L = PostStore(StoreE, LC, /*Loc*/nullptr,
2817
48
                                     /*tag*/nullptr);
2818
48
    ProgramStateRef state = Pred->getState();
2819
48
    state = processPointerEscapedOnBind(state, location, Val, LC);
2820
48
    Bldr.generateNode(L, state, Pred);
2821
48
    return;
2822
48
  }
2823
83.6k
2824
83.6k
  for (const auto PredI : CheckedSet) {
2825
83.3k
    ProgramStateRef state = PredI->getState();
2826
83.3k
2827
83.3k
    state = processPointerEscapedOnBind(state, location, Val, LC);
2828
83.3k
2829
83.3k
    // When binding the value, pass on the hint that this is a initialization.
2830
83.3k
    // For initializations, we do not need to inform clients of region
2831
83.3k
    // changes.
2832
83.3k
    state = state->bindLoc(location.castAs<Loc>(),
2833
83.3k
                           Val, LC, /* notifyChanges = */ !atDeclInit);
2834
83.3k
2835
83.3k
    const MemRegion *LocReg = nullptr;
2836
83.3k
    if (Optional<loc::MemRegionVal> LocRegVal =
2837
83.3k
            location.getAs<loc::MemRegionVal>()) {
2838
83.3k
      LocReg = LocRegVal->getRegion();
2839
83.3k
    }
2840
83.3k
2841
83.3k
    const ProgramPoint L = PostStore(StoreE, LC, LocReg, nullptr);
2842
83.3k
    Bldr.generateNode(L, state, PredI);
2843
83.3k
  }
2844
83.6k
}
2845
2846
/// evalStore - Handle the semantics of a store via an assignment.
2847
///  @param Dst The node set to store generated state nodes
2848
///  @param AssignE The assignment expression if the store happens in an
2849
///         assignment.
2850
///  @param LocationE The location expression that is stored to.
2851
///  @param state The current simulation state
2852
///  @param location The location to store the value
2853
///  @param Val The value to be stored
2854
void ExprEngine::evalStore(ExplodedNodeSet &Dst, const Expr *AssignE,
2855
                             const Expr *LocationE,
2856
                             ExplodedNode *Pred,
2857
                             ProgramStateRef state, SVal location, SVal Val,
2858
31.4k
                             const ProgramPointTag *tag) {
2859
31.4k
  // Proceed with the store.  We use AssignE as the anchor for the PostStore
2860
31.4k
  // ProgramPoint if it is non-NULL, and LocationE otherwise.
2861
31.4k
  const Expr *StoreE = AssignE ? AssignE : 
LocationE0
;
2862
31.4k
2863
31.4k
  // Evaluate the location (checks for bad dereferences).
2864
31.4k
  ExplodedNodeSet Tmp;
2865
31.4k
  evalLocation(Tmp, AssignE, LocationE, Pred, state, location, false);
2866
31.4k
2867
31.4k
  if (Tmp.empty())
2868
741
    return;
2869
30.7k
2870
30.7k
  if (location.isUndef())
2871
1
    return;
2872
30.7k
2873
30.7k
  for (const auto I : Tmp)
2874
30.7k
    evalBind(Dst, StoreE, I, location, Val, false);
2875
30.7k
}
2876
2877
void ExprEngine::evalLoad(ExplodedNodeSet &Dst,
2878
                          const Expr *NodeEx,
2879
                          const Expr *BoundEx,
2880
                          ExplodedNode *Pred,
2881
                          ProgramStateRef state,
2882
                          SVal location,
2883
                          const ProgramPointTag *tag,
2884
179k
                          QualType LoadTy) {
2885
179k
  assert(!location.getAs<NonLoc>() && "location cannot be a NonLoc.");
2886
179k
  assert(NodeEx);
2887
179k
  assert(BoundEx);
2888
179k
  // Evaluate the location (checks for bad dereferences).
2889
179k
  ExplodedNodeSet Tmp;
2890
179k
  evalLocation(Tmp, NodeEx, BoundEx, Pred, state, location, true);
2891
179k
  if (Tmp.empty())
2892
248
    return;
2893
179k
2894
179k
  StmtNodeBuilder Bldr(Tmp, Dst, *currBldrCtx);
2895
179k
  if (location.isUndef())
2896
1
    return;
2897
179k
2898
179k
  // Proceed with the load.
2899
179k
  for (const auto I : Tmp) {
2900
179k
    state = I->getState();
2901
179k
    const LocationContext *LCtx = I->getLocationContext();
2902
179k
2903
179k
    SVal V = UnknownVal();
2904
179k
    if (location.isValid()) {
2905
178k
      if (LoadTy.isNull())
2906
178k
        LoadTy = BoundEx->getType();
2907
178k
      V = state->getSVal(location.castAs<Loc>(), LoadTy);
2908
178k
    }
2909
179k
2910
179k
    Bldr.generateNode(NodeEx, I, state->BindExpr(BoundEx, LCtx, V), tag,
2911
179k
                      ProgramPoint::PostLoadKind);
2912
179k
  }
2913
179k
}
2914
2915
void ExprEngine::evalLocation(ExplodedNodeSet &Dst,
2916
                              const Stmt *NodeEx,
2917
                              const Stmt *BoundEx,
2918
                              ExplodedNode *Pred,
2919
                              ProgramStateRef state,
2920
                              SVal location,
2921
211k
                              bool isLoad) {
2922
211k
  StmtNodeBuilder BldrTop(Pred, Dst, *currBldrCtx);
2923
211k
  // Early checks for performance reason.
2924
211k
  if (location.isUnknown()) {
2925
844
    return;
2926
844
  }
2927
210k
2928
210k
  ExplodedNodeSet Src;
2929
210k
  BldrTop.takeNodes(Pred);
2930
210k
  StmtNodeBuilder Bldr(Pred, Src, *currBldrCtx);
2931
210k
  if (Pred->getState() != state) {
2932
31.3k
    // Associate this new state with an ExplodedNode.
2933
31.3k
    // FIXME: If I pass null tag, the graph is incorrect, e.g for
2934
31.3k
    //   int *p;
2935
31.3k
    //   p = 0;
2936
31.3k
    //   *p = 0xDEADBEEF;
2937
31.3k
    // "p = 0" is not noted as "Null pointer value stored to 'p'" but
2938
31.3k
    // instead "int *p" is noted as
2939
31.3k
    // "Variable 'p' initialized to a null pointer value"
2940
31.3k
2941
31.3k
    static SimpleProgramPointTag tag(TagProviderName, "Location");
2942
31.3k
    Bldr.generateNode(NodeEx, Pred, state, &tag);
2943
31.3k
  }
2944
210k
  ExplodedNodeSet Tmp;
2945
210k
  getCheckerManager().runCheckersForLocation(Tmp, Src, location, isLoad,
2946
210k
                                             NodeEx, BoundEx, *this);
2947
210k
  BldrTop.addNodes(Tmp);
2948
210k
}
2949
2950
std::pair<const ProgramPointTag *, const ProgramPointTag*>
2951
1.27M
ExprEngine::geteagerlyAssumeBinOpBifurcationTags() {
2952
1.27M
  static SimpleProgramPointTag
2953
1.27M
         eagerlyAssumeBinOpBifurcationTrue(TagProviderName,
2954
1.27M
                                           "Eagerly Assume True"),
2955
1.27M
         eagerlyAssumeBinOpBifurcationFalse(TagProviderName,
2956
1.27M
                                            "Eagerly Assume False");
2957
1.27M
  return std::make_pair(&eagerlyAssumeBinOpBifurcationTrue,
2958
1.27M
                        &eagerlyAssumeBinOpBifurcationFalse);
2959
1.27M
}
2960
2961
void ExprEngine::evalEagerlyAssumeBinOpBifurcation(ExplodedNodeSet &Dst,
2962
                                                   ExplodedNodeSet &Src,
2963
10.0k
                                                   const Expr *Ex) {
2964
10.0k
  StmtNodeBuilder Bldr(Src, Dst, *currBldrCtx);
2965
10.0k
2966
10.0k
  for (const auto Pred : Src) {
2967
9.98k
    // Test if the previous node was as the same expression.  This can happen
2968
9.98k
    // when the expression fails to evaluate to anything meaningful and
2969
9.98k
    // (as an optimization) we don't generate a node.
2970
9.98k
    ProgramPoint P = Pred->getLocation();
2971
9.98k
    if (!P.getAs<PostStmt>() || P.castAs<PostStmt>().getStmt() != Ex) {
2972
0
      continue;
2973
0
    }
2974
9.98k
2975
9.98k
    ProgramStateRef state = Pred->getState();
2976
9.98k
    SVal V = state->getSVal(Ex, Pred->getLocationContext());
2977
9.98k
    Optional<nonloc::SymbolVal> SEV = V.getAs<nonloc::SymbolVal>();
2978
9.98k
    if (SEV && 
SEV->isExpression()4.82k
) {
2979
4.82k
      const std::pair<const ProgramPointTag *, const ProgramPointTag*> &tags =
2980
4.82k
        geteagerlyAssumeBinOpBifurcationTags();
2981
4.82k
2982
4.82k
      ProgramStateRef StateTrue, StateFalse;
2983
4.82k
      std::tie(StateTrue, StateFalse) = state->assume(*SEV);
2984
4.82k
2985
4.82k
      // First assume that the condition is true.
2986
4.82k
      if (StateTrue) {
2987
4.35k
        SVal Val = svalBuilder.makeIntVal(1U, Ex->getType());
2988
4.35k
        StateTrue = StateTrue->BindExpr(Ex, Pred->getLocationContext(), Val);
2989
4.35k
        Bldr.generateNode(Ex, Pred, StateTrue, tags.first);
2990
4.35k
      }
2991
4.82k
2992
4.82k
      // Next, assume that the condition is false.
2993
4.82k
      if (StateFalse) {
2994
4.59k
        SVal Val = svalBuilder.makeIntVal(0U, Ex->getType());
2995
4.59k
        StateFalse = StateFalse->BindExpr(Ex, Pred->getLocationContext(), Val);
2996
4.59k
        Bldr.generateNode(Ex, Pred, StateFalse, tags.second);
2997
4.59k
      }
2998
4.82k
    }
2999
9.98k
  }
3000
10.0k
}
3001
3002
void ExprEngine::VisitGCCAsmStmt(const GCCAsmStmt *A, ExplodedNode *Pred,
3003
2
                                 ExplodedNodeSet &Dst) {
3004
2
  StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
3005
2
  // We have processed both the inputs and the outputs.  All of the outputs
3006
2
  // should evaluate to Locs.  Nuke all of their values.
3007
2
3008
2
  // FIXME: Some day in the future it would be nice to allow a "plug-in"
3009
2
  // which interprets the inline asm and stores proper results in the
3010
2
  // outputs.
3011
2
3012
2
  ProgramStateRef state = Pred->getState();
3013
2
3014
2
  for (const Expr *O : A->outputs()) {
3015
2
    SVal X = state->getSVal(O, Pred->getLocationContext());
3016
2
    assert(!X.getAs<NonLoc>());  // Should be an Lval, or unknown, undef.
3017
2
3018
2
    if (Optional<Loc> LV = X.getAs<Loc>())
3019
2
      state = state->bindLoc(*LV, UnknownVal(), Pred->getLocationContext());
3020
2
  }
3021
2
3022
2
  Bldr.generateNode(A, Pred, state);
3023
2
}
3024
3025
void ExprEngine::VisitMSAsmStmt(const MSAsmStmt *A, ExplodedNode *Pred,
3026
0
                                ExplodedNodeSet &Dst) {
3027
0
  StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
3028
0
  Bldr.generateNode(A, Pred, Pred->getState());
3029
0
}
3030
3031
//===----------------------------------------------------------------------===//
3032
// Visualization.
3033
//===----------------------------------------------------------------------===//
3034
3035
#ifndef NDEBUG
3036
namespace llvm {
3037
3038
template<>
3039
struct DOTGraphTraits<ExplodedGraph*> : public DefaultDOTGraphTraits {
3040
16
  DOTGraphTraits (bool isSimple = false) : DefaultDOTGraphTraits(isSimple) {}
3041
3042
177
  static bool nodeHasBugReport(const ExplodedNode *N) {
3043
177
    BugReporter &BR = static_cast<ExprEngine &>(
3044
177
      N->getState()->getStateManager().getOwningEngine()).getBugReporter();
3045
177
3046
177
    const auto EQClasses =
3047
177
        llvm::make_range(BR.EQClasses_begin(), BR.EQClasses_end());
3048
177
3049
177
    for (const auto &EQ : EQClasses) {
3050
48
      for (const auto &I : EQ.getReports()) {
3051
48
        const auto *PR = dyn_cast<PathSensitiveBugReport>(I.get());
3052
48
        if (!PR)
3053
0
          continue;
3054
48
        const ExplodedNode *EN = PR->getErrorNode();
3055
48
        if (EN->getState() == N->getState() &&
3056
48
            
EN->getLocation() == N->getLocation()4
)
3057
2
          return true;
3058
48
      }
3059
48
    }
3060
177
    
return false175
;
3061
177
  }
3062
3063
  /// \p PreCallback: callback before break.
3064
  /// \p PostCallback: callback after break.
3065
  /// \p Stop: stop iteration if returns {@code true}
3066
  /// \return Whether {@code Stop} ever returned {@code true}.
3067
  static bool traverseHiddenNodes(
3068
      const ExplodedNode *N,
3069
      llvm::function_ref<void(const ExplodedNode *)> PreCallback,
3070
      llvm::function_ref<void(const ExplodedNode *)> PostCallback,
3071
88
      llvm::function_ref<bool(const ExplodedNode *)> Stop) {
3072
177
    while (true) {
3073
177
      PreCallback(N);
3074
177
      if (Stop(N))
3075
0
        return true;
3076
177
3077
177
      if (N->succ_size() != 1 || 
!isNodeHidden(N->getFirstSucc())169
)
3078
88
        break;
3079
89
      PostCallback(N);
3080
89
3081
89
      N = N->getFirstSucc();
3082
89
    }
3083
88
    return false;
3084
88
  }
3085
3086
337
  static bool isNodeHidden(const ExplodedNode *N) {
3087
337
    return N->isTrivial();
3088
337
  }
3089
3090
88
  static std::string getNodeLabel(const ExplodedNode *N, ExplodedGraph *G){
3091
88
    std::string Buf;
3092
88
    llvm::raw_string_ostream Out(Buf);
3093
88
3094
88
    const bool IsDot = true;
3095
88
    const unsigned int Space = 1;
3096
88
    ProgramStateRef State = N->getState();
3097
88
3098
88
    Out << "{ \"state_id\": " << State->getID()
3099
88
        << ",\\l";
3100
88
3101
88
    Indent(Out, Space, IsDot) << "\"program_points\": [\\l";
3102
88
3103
88
    // Dump program point for all the previously skipped nodes.
3104
88
    traverseHiddenNodes(
3105
88
        N,
3106
177
        [&](const ExplodedNode *OtherNode) {
3107
177
          Indent(Out, Space + 1, IsDot) << "{ ";
3108
177
          OtherNode->getLocation().printJson(Out, /*NL=*/"\\l");
3109
177
          Out << ", \"tag\": ";
3110
177
          if (const ProgramPointTag *Tag = OtherNode->getLocation().getTag())
3111
47
            Out << '\"' << Tag->getTagDescription() << "\"";
3112
130
          else
3113
130
            Out << "null";
3114
177
          Out << ", \"node_id\": " << OtherNode->getID() <<
3115
177
                 ", \"is_sink\": " << OtherNode->isSink() <<
3116
177
                 ", \"has_report\": " << nodeHasBugReport(OtherNode) << " }";
3117
177
        },
3118
88
        // Adds a comma and a new-line between each program point.
3119
89
        [&](const ExplodedNode *) { Out << ",\\l"; },
3120
177
        [&](const ExplodedNode *) { return false; });
3121
88
3122
88
    Out << "\\l"; // Adds a new-line to the last program point.
3123
88
    Indent(Out, Space, IsDot) << "],\\l";
3124
88
3125
88
    State->printDOT(Out, N->getLocationContext(), Space);
3126
88
3127
88
    Out << "\\l}\\l";
3128
88
    return Out.str();
3129
88
  }
3130
};
3131
3132
} // namespace llvm
3133
#endif
3134
3135
0
void ExprEngine::ViewGraph(bool trim) {
3136
0
#ifndef NDEBUG
3137
0
  std::string Filename = DumpGraph(trim);
3138
0
  llvm::DisplayGraph(Filename, false, llvm::GraphProgram::DOT);
3139
0
#endif
3140
0
  llvm::errs() << "Warning: viewing graph requires assertions" << "\n";
3141
0
}
3142
3143
3144
0
void ExprEngine::ViewGraph(ArrayRef<const ExplodedNode*> Nodes) {
3145
0
#ifndef NDEBUG
3146
0
  std::string Filename = DumpGraph(Nodes);
3147
0
  llvm::DisplayGraph(Filename, false, llvm::GraphProgram::DOT);
3148
0
#endif
3149
0
  llvm::errs() << "Warning: viewing graph requires assertions" << "\n";
3150
0
}
3151
3152
8
std::string ExprEngine::DumpGraph(bool trim, StringRef Filename) {
3153
8
#ifndef NDEBUG
3154
8
  if (trim) {
3155
1
    std::vector<const ExplodedNode *> Src;
3156
1
3157
1
    // Iterate through the reports and get their nodes.
3158
1
    for (BugReporter::EQClasses_iterator
3159
2
           EI = BR.EQClasses_begin(), EE = BR.EQClasses_end(); EI != EE; 
++EI1
) {
3160
1
      const auto *R =
3161
1
          dyn_cast<PathSensitiveBugReport>(EI->getReports()[0].get());
3162
1
      if (!R)
3163
0
        continue;
3164
1
      const auto *N = const_cast<ExplodedNode *>(R->getErrorNode());
3165
1
      Src.push_back(N);
3166
1
    }
3167
1
    return DumpGraph(Src, Filename);
3168
7
  } else {
3169
7
    return llvm::WriteGraph(&G, "ExprEngine", /*ShortNames=*/false,
3170
7
                            /*Title=*/"Exploded Graph",
3171
7
                            /*Filename=*/std::string(Filename));
3172
7
  }
3173
0
#endif
3174
0
  llvm::errs() << "Warning: dumping graph requires assertions" << "\n";
3175
0
  return "";
3176
0
}
3177
3178
std::string ExprEngine::DumpGraph(ArrayRef<const ExplodedNode*> Nodes,
3179
1
                                  StringRef Filename) {
3180
1
#ifndef NDEBUG
3181
1
  std::unique_ptr<ExplodedGraph> TrimmedG(G.trim(Nodes));
3182
1
3183
1
  if (!TrimmedG.get()) {
3184
0
    llvm::errs() << "warning: Trimmed ExplodedGraph is empty.\n";
3185
1
  } else {
3186
1
    return llvm::WriteGraph(TrimmedG.get(), "TrimmedExprEngine",
3187
1
                            /*ShortNames=*/false,
3188
1
                            /*Title=*/"Trimmed Exploded Graph",
3189
1
                            /*Filename=*/std::string(Filename));
3190
1
  }
3191
0
#endif
3192
0
  llvm::errs() << "Warning: dumping graph requires assertions" << "\n";
3193
0
  return "";
3194
0
}
3195
3196
97.4k
void *ProgramStateTrait<ReplayWithoutInlining>::GDMIndex() {
3197
97.4k
  static int index = 0;
3198
97.4k
  return &index;
3199
97.4k
}