CallEvent.h revision 16e6a7cb41319459ded69b4d47f405c1035dd347
1//===- CallEvent.h - Wrapper for all function and method calls ----*- C++ -*--// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10/// \file This file defines CallEvent and its subclasses, which represent path- 11/// sensitive instances of different kinds of function and method calls 12/// (C, C++, and Objective-C). 13// 14//===----------------------------------------------------------------------===// 15 16#ifndef LLVM_CLANG_STATICANALYZER_PATHSENSITIVE_CALL 17#define LLVM_CLANG_STATICANALYZER_PATHSENSITIVE_CALL 18 19#include "clang/Basic/SourceManager.h" 20#include "clang/AST/DeclCXX.h" 21#include "clang/AST/ExprCXX.h" 22#include "clang/AST/ExprObjC.h" 23#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 24#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 25#include "llvm/ADT/PointerIntPair.h" 26 27namespace clang { 28class ProgramPoint; 29class ProgramPointTag; 30 31namespace ento { 32 33enum CallEventKind { 34 CE_Function, 35 CE_Block, 36 CE_BEG_SIMPLE_CALLS = CE_Function, 37 CE_END_SIMPLE_CALLS = CE_Block, 38 CE_CXXMember, 39 CE_CXXMemberOperator, 40 CE_CXXDestructor, 41 CE_BEG_CXX_INSTANCE_CALLS = CE_CXXMember, 42 CE_END_CXX_INSTANCE_CALLS = CE_CXXDestructor, 43 CE_CXXConstructor, 44 CE_CXXAllocator, 45 CE_BEG_FUNCTION_CALLS = CE_Function, 46 CE_END_FUNCTION_CALLS = CE_CXXAllocator, 47 CE_ObjCMessage 48}; 49 50class CallEvent; 51class CallEventManager; 52 53template<typename T = CallEvent> 54class CallEventRef : public IntrusiveRefCntPtr<const T> { 55public: 56 CallEventRef(const T *Call) : IntrusiveRefCntPtr<const T>(Call) {} 57 CallEventRef(const CallEventRef &Orig) : IntrusiveRefCntPtr<const T>(Orig) {} 58 59 CallEventRef<T> cloneWithState(ProgramStateRef State) const { 60 return this->getPtr()->template cloneWithState<T>(State); 61 } 62 63 // Allow implicit conversions to a superclass type, since CallEventRef 64 // behaves like a pointer-to-const. 65 template <typename SuperT> 66 operator CallEventRef<SuperT> () const { 67 return this->getPtr(); 68 } 69}; 70 71/// \class RuntimeDefinition 72/// \brief Defines the runtime definition of the called function. 73/// 74/// Encapsulates the information we have about which Decl will be used 75/// when the call is executed on the given path. When dealing with dynamic 76/// dispatch, the information is based on DynamicTypeInfo and might not be 77/// precise. 78class RuntimeDefinition { 79 /// The Declaration of the function which could be called at runtime. 80 /// NULL if not available. 81 const Decl *D; 82 83 /// The region representing an object (ObjC/C++) on which the method is 84 /// called. With dynamic dispatch, the method definition depends on the 85 /// runtime type of this object. NULL when the DynamicTypeInfo is 86 /// precise. 87 const MemRegion *R; 88 89public: 90 RuntimeDefinition(): D(0), R(0) {} 91 RuntimeDefinition(const Decl *InD): D(InD), R(0) {} 92 RuntimeDefinition(const Decl *InD, const MemRegion *InR): D(InD), R(InR) {} 93 const Decl *getDecl() { return D; } 94 95 /// \brief Check if the definition we have is precise. 96 /// If not, it is possible that the call dispatches to another definition at 97 /// execution time. 98 bool mayHaveOtherDefinitions() { return R != 0; } 99 100 /// When other definitions are possible, returns the region whose runtime type 101 /// determines the method definition. 102 const MemRegion *getDispatchRegion() { return R; } 103}; 104 105/// \brief Represents an abstract call to a function or method along a 106/// particular path. 107/// 108/// CallEvents are created through the factory methods of CallEventManager. 109/// 110/// CallEvents should always be cheap to create and destroy. In order for 111/// CallEventManager to be able to re-use CallEvent-sized memory blocks, 112/// subclasses of CallEvent may not add any data members to the base class. 113/// Use the "Data" and "Location" fields instead. 114class CallEvent { 115public: 116 typedef CallEventKind Kind; 117 118private: 119 ProgramStateRef State; 120 const LocationContext *LCtx; 121 llvm::PointerUnion<const Expr *, const Decl *> Origin; 122 123 // DO NOT IMPLEMENT 124 CallEvent &operator=(const CallEvent &); 125 126protected: 127 // This is user data for subclasses. 128 const void *Data; 129 130 // This is user data for subclasses. 131 // This should come right before RefCount, so that the two fields can be 132 // packed together on LP64 platforms. 133 SourceLocation Location; 134 135private: 136 mutable unsigned RefCount; 137 138 template <typename T> friend struct llvm::IntrusiveRefCntPtrInfo; 139 void Retain() const { ++RefCount; } 140 void Release() const; 141 142protected: 143 friend class CallEventManager; 144 145 CallEvent(const Expr *E, ProgramStateRef state, const LocationContext *lctx) 146 : State(state), LCtx(lctx), Origin(E), RefCount(0) {} 147 148 CallEvent(const Decl *D, ProgramStateRef state, const LocationContext *lctx) 149 : State(state), LCtx(lctx), Origin(D), RefCount(0) {} 150 151 // DO NOT MAKE PUBLIC 152 CallEvent(const CallEvent &Original) 153 : State(Original.State), LCtx(Original.LCtx), Origin(Original.Origin), 154 Data(Original.Data), Location(Original.Location), RefCount(0) {} 155 156 /// Copies this CallEvent, with vtable intact, into a new block of memory. 157 virtual void cloneTo(void *Dest) const = 0; 158 159 /// \brief Get the value of arbitrary expressions at this point in the path. 160 SVal getSVal(const Stmt *S) const { 161 return getState()->getSVal(S, getLocationContext()); 162 } 163 164 165 typedef SmallVectorImpl<const MemRegion *> RegionList; 166 167 /// \brief Used to specify non-argument regions that will be invalidated as a 168 /// result of this call. 169 virtual void getExtraInvalidatedRegions(RegionList &Regions) const {} 170 171public: 172 virtual ~CallEvent() {} 173 174 /// \brief Returns the kind of call this is. 175 virtual Kind getKind() const = 0; 176 177 /// \brief Returns the declaration of the function or method that will be 178 /// called. May be null. 179 virtual const Decl *getDecl() const { 180 return Origin.dyn_cast<const Decl *>(); 181 } 182 183 /// \brief The state in which the call is being evaluated. 184 ProgramStateRef getState() const { 185 return State; 186 } 187 188 /// \brief The context in which the call is being evaluated. 189 const LocationContext *getLocationContext() const { 190 return LCtx; 191 } 192 193 /// \brief Returns the definition of the function or method that will be 194 /// called. 195 virtual RuntimeDefinition getRuntimeDefinition() const = 0; 196 197 /// \brief Returns the expression whose value will be the result of this call. 198 /// May be null. 199 const Expr *getOriginExpr() const { 200 return Origin.dyn_cast<const Expr *>(); 201 } 202 203 /// \brief Returns the number of arguments (explicit and implicit). 204 /// 205 /// Note that this may be greater than the number of parameters in the 206 /// callee's declaration, and that it may include arguments not written in 207 /// the source. 208 virtual unsigned getNumArgs() const = 0; 209 210 /// \brief Returns true if the callee is known to be from a system header. 211 bool isInSystemHeader() const { 212 const Decl *D = getDecl(); 213 if (!D) 214 return false; 215 216 SourceLocation Loc = D->getLocation(); 217 if (Loc.isValid()) { 218 const SourceManager &SM = 219 getState()->getStateManager().getContext().getSourceManager(); 220 return SM.isInSystemHeader(D->getLocation()); 221 } 222 223 // Special case for implicitly-declared global operator new/delete. 224 // These should be considered system functions. 225 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) 226 return FD->isOverloadedOperator() && FD->isImplicit() && FD->isGlobal(); 227 228 return false; 229 } 230 231 /// \brief Returns a source range for the entire call, suitable for 232 /// outputting in diagnostics. 233 virtual SourceRange getSourceRange() const { 234 return getOriginExpr()->getSourceRange(); 235 } 236 237 /// \brief Returns the value of a given argument at the time of the call. 238 virtual SVal getArgSVal(unsigned Index) const; 239 240 /// \brief Returns the expression associated with a given argument. 241 /// May be null if this expression does not appear in the source. 242 virtual const Expr *getArgExpr(unsigned Index) const { return 0; } 243 244 /// \brief Returns the source range for errors associated with this argument. 245 /// 246 /// May be invalid if the argument is not written in the source. 247 virtual SourceRange getArgSourceRange(unsigned Index) const; 248 249 /// \brief Returns the result type, adjusted for references. 250 QualType getResultType() const; 251 252 /// \brief Returns true if any of the arguments appear to represent callbacks. 253 bool hasNonZeroCallbackArg() const; 254 255 /// \brief Returns true if any of the arguments are known to escape to long- 256 /// term storage, even if this method will not modify them. 257 // NOTE: The exact semantics of this are still being defined! 258 // We don't really want a list of hardcoded exceptions in the long run, 259 // but we don't want duplicated lists of known APIs in the short term either. 260 virtual bool argumentsMayEscape() const { 261 return hasNonZeroCallbackArg(); 262 } 263 264 /// \brief Returns an appropriate ProgramPoint for this call. 265 ProgramPoint getProgramPoint(bool IsPreVisit = false, 266 const ProgramPointTag *Tag = 0) const; 267 268 /// \brief Returns a new state with all argument regions invalidated. 269 /// 270 /// This accepts an alternate state in case some processing has already 271 /// occurred. 272 ProgramStateRef invalidateRegions(unsigned BlockCount, 273 ProgramStateRef Orig = 0) const; 274 275 typedef std::pair<Loc, SVal> FrameBindingTy; 276 typedef SmallVectorImpl<FrameBindingTy> BindingsTy; 277 278 /// Populates the given SmallVector with the bindings in the callee's stack 279 /// frame at the start of this call. 280 virtual void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 281 BindingsTy &Bindings) const = 0; 282 283 /// Returns a copy of this CallEvent, but using the given state. 284 template <typename T> 285 CallEventRef<T> cloneWithState(ProgramStateRef NewState) const; 286 287 /// Returns a copy of this CallEvent, but using the given state. 288 CallEventRef<> cloneWithState(ProgramStateRef NewState) const { 289 return cloneWithState<CallEvent>(NewState); 290 } 291 292 /// \brief Returns true if this is a statement is a function or method call 293 /// of some kind. 294 static bool isCallStmt(const Stmt *S); 295 296 /// \brief Returns the result type of a function, method declaration. 297 static QualType getDeclaredResultType(const Decl *D); 298 299 // Iterator access to formal parameters and their types. 300private: 301 typedef std::const_mem_fun_t<QualType, ParmVarDecl> get_type_fun; 302 303public: 304 typedef const ParmVarDecl * const *param_iterator; 305 306 /// Returns an iterator over the call's formal parameters. 307 /// 308 /// If UseDefinitionParams is set, this will return the parameter decls 309 /// used in the callee's definition (suitable for inlining). Most of the 310 /// time it is better to use the decl found by name lookup, which likely 311 /// carries more annotations. 312 /// 313 /// Remember that the number of formal parameters may not match the number 314 /// of arguments for all calls. However, the first parameter will always 315 /// correspond with the argument value returned by \c getArgSVal(0). 316 /// 317 /// If the call has no accessible declaration (or definition, if 318 /// \p UseDefinitionParams is set), \c param_begin() will be equal to 319 /// \c param_end(). 320 virtual param_iterator param_begin() const =0; 321 /// \sa param_begin() 322 virtual param_iterator param_end() const = 0; 323 324 typedef llvm::mapped_iterator<param_iterator, get_type_fun> 325 param_type_iterator; 326 327 /// Returns an iterator over the types of the call's formal parameters. 328 /// 329 /// This uses the callee decl found by default name lookup rather than the 330 /// definition because it represents a public interface, and probably has 331 /// more annotations. 332 param_type_iterator param_type_begin() const { 333 return llvm::map_iterator(param_begin(), 334 get_type_fun(&ParmVarDecl::getType)); 335 } 336 /// \sa param_type_begin() 337 param_type_iterator param_type_end() const { 338 return llvm::map_iterator(param_end(), get_type_fun(&ParmVarDecl::getType)); 339 } 340 341 // For debugging purposes only 342 void dump(raw_ostream &Out) const; 343 LLVM_ATTRIBUTE_USED void dump() const; 344 345 static bool classof(const CallEvent *) { return true; } 346}; 347 348 349/// \brief Represents a call to any sort of function that might have a 350/// FunctionDecl. 351class AnyFunctionCall : public CallEvent { 352protected: 353 AnyFunctionCall(const Expr *E, ProgramStateRef St, 354 const LocationContext *LCtx) 355 : CallEvent(E, St, LCtx) {} 356 AnyFunctionCall(const Decl *D, ProgramStateRef St, 357 const LocationContext *LCtx) 358 : CallEvent(D, St, LCtx) {} 359 AnyFunctionCall(const AnyFunctionCall &Other) : CallEvent(Other) {} 360 361public: 362 // This function is overridden by subclasses, but they must return 363 // a FunctionDecl. 364 virtual const FunctionDecl *getDecl() const { 365 return cast<FunctionDecl>(CallEvent::getDecl()); 366 } 367 368 virtual RuntimeDefinition getRuntimeDefinition() const { 369 const FunctionDecl *FD = getDecl(); 370 // Note that hasBody() will fill FD with the definition FunctionDecl. 371 if (FD && FD->hasBody(FD)) 372 return RuntimeDefinition(FD); 373 return RuntimeDefinition(); 374 } 375 376 virtual bool argumentsMayEscape() const; 377 378 virtual void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 379 BindingsTy &Bindings) const; 380 381 virtual param_iterator param_begin() const; 382 virtual param_iterator param_end() const; 383 384 static bool classof(const CallEvent *CA) { 385 return CA->getKind() >= CE_BEG_FUNCTION_CALLS && 386 CA->getKind() <= CE_END_FUNCTION_CALLS; 387 } 388}; 389 390/// \brief Represents a call to a non-C++ function, written as a CallExpr. 391class SimpleCall : public AnyFunctionCall { 392protected: 393 SimpleCall(const CallExpr *CE, ProgramStateRef St, 394 const LocationContext *LCtx) 395 : AnyFunctionCall(CE, St, LCtx) {} 396 SimpleCall(const SimpleCall &Other) : AnyFunctionCall(Other) {} 397 398public: 399 virtual const CallExpr *getOriginExpr() const { 400 return cast<CallExpr>(AnyFunctionCall::getOriginExpr()); 401 } 402 403 virtual const FunctionDecl *getDecl() const; 404 405 virtual unsigned getNumArgs() const { return getOriginExpr()->getNumArgs(); } 406 407 virtual const Expr *getArgExpr(unsigned Index) const { 408 return getOriginExpr()->getArg(Index); 409 } 410 411 static bool classof(const CallEvent *CA) { 412 return CA->getKind() >= CE_BEG_SIMPLE_CALLS && 413 CA->getKind() <= CE_END_SIMPLE_CALLS; 414 } 415}; 416 417/// \brief Represents a C function or static C++ member function call. 418/// 419/// Example: \c fun() 420class FunctionCall : public SimpleCall { 421 friend class CallEventManager; 422 423protected: 424 FunctionCall(const CallExpr *CE, ProgramStateRef St, 425 const LocationContext *LCtx) 426 : SimpleCall(CE, St, LCtx) {} 427 428 FunctionCall(const FunctionCall &Other) : SimpleCall(Other) {} 429 virtual void cloneTo(void *Dest) const { new (Dest) FunctionCall(*this); } 430 431public: 432 virtual Kind getKind() const { return CE_Function; } 433 434 static bool classof(const CallEvent *CA) { 435 return CA->getKind() == CE_Function; 436 } 437}; 438 439/// \brief Represents a call to a block. 440/// 441/// Example: <tt>^{ /* ... */ }()</tt> 442class BlockCall : public SimpleCall { 443 friend class CallEventManager; 444 445protected: 446 BlockCall(const CallExpr *CE, ProgramStateRef St, 447 const LocationContext *LCtx) 448 : SimpleCall(CE, St, LCtx) {} 449 450 BlockCall(const BlockCall &Other) : SimpleCall(Other) {} 451 virtual void cloneTo(void *Dest) const { new (Dest) BlockCall(*this); } 452 453 virtual void getExtraInvalidatedRegions(RegionList &Regions) const; 454 455public: 456 /// \brief Returns the region associated with this instance of the block. 457 /// 458 /// This may be NULL if the block's origin is unknown. 459 const BlockDataRegion *getBlockRegion() const; 460 461 /// \brief Gets the declaration of the block. 462 /// 463 /// This is not an override of getDecl() because AnyFunctionCall has already 464 /// assumed that it's a FunctionDecl. 465 const BlockDecl *getBlockDecl() const { 466 const BlockDataRegion *BR = getBlockRegion(); 467 if (!BR) 468 return 0; 469 return BR->getDecl(); 470 } 471 472 virtual RuntimeDefinition getRuntimeDefinition() const { 473 return RuntimeDefinition(getBlockDecl()); 474 } 475 476 virtual void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 477 BindingsTy &Bindings) const; 478 479 virtual param_iterator param_begin() const; 480 virtual param_iterator param_end() const; 481 482 virtual Kind getKind() const { return CE_Block; } 483 484 static bool classof(const CallEvent *CA) { 485 return CA->getKind() == CE_Block; 486 } 487}; 488 489/// \brief Represents a non-static C++ member function call, no matter how 490/// it is written. 491class CXXInstanceCall : public AnyFunctionCall { 492protected: 493 virtual void getExtraInvalidatedRegions(RegionList &Regions) const; 494 495 CXXInstanceCall(const CallExpr *CE, ProgramStateRef St, 496 const LocationContext *LCtx) 497 : AnyFunctionCall(CE, St, LCtx) {} 498 CXXInstanceCall(const FunctionDecl *D, ProgramStateRef St, 499 const LocationContext *LCtx) 500 : AnyFunctionCall(D, St, LCtx) {} 501 502 503 CXXInstanceCall(const CXXInstanceCall &Other) : AnyFunctionCall(Other) {} 504 505public: 506 /// \brief Returns the expression representing the implicit 'this' object. 507 virtual const Expr *getCXXThisExpr() const { return 0; } 508 509 /// \brief Returns the value of the implicit 'this' object. 510 virtual SVal getCXXThisVal() const; 511 512 virtual const FunctionDecl *getDecl() const; 513 514 virtual RuntimeDefinition getRuntimeDefinition() const; 515 516 virtual void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 517 BindingsTy &Bindings) const; 518 519 static bool classof(const CallEvent *CA) { 520 return CA->getKind() >= CE_BEG_CXX_INSTANCE_CALLS && 521 CA->getKind() <= CE_END_CXX_INSTANCE_CALLS; 522 } 523}; 524 525/// \brief Represents a non-static C++ member function call. 526/// 527/// Example: \c obj.fun() 528class CXXMemberCall : public CXXInstanceCall { 529 friend class CallEventManager; 530 531protected: 532 CXXMemberCall(const CXXMemberCallExpr *CE, ProgramStateRef St, 533 const LocationContext *LCtx) 534 : CXXInstanceCall(CE, St, LCtx) {} 535 536 CXXMemberCall(const CXXMemberCall &Other) : CXXInstanceCall(Other) {} 537 virtual void cloneTo(void *Dest) const { new (Dest) CXXMemberCall(*this); } 538 539public: 540 virtual const CXXMemberCallExpr *getOriginExpr() const { 541 return cast<CXXMemberCallExpr>(CXXInstanceCall::getOriginExpr()); 542 } 543 544 virtual unsigned getNumArgs() const { 545 if (const CallExpr *CE = getOriginExpr()) 546 return CE->getNumArgs(); 547 return 0; 548 } 549 550 virtual const Expr *getArgExpr(unsigned Index) const { 551 return getOriginExpr()->getArg(Index); 552 } 553 554 virtual const Expr *getCXXThisExpr() const; 555 556 virtual RuntimeDefinition getRuntimeDefinition() const; 557 558 virtual Kind getKind() const { return CE_CXXMember; } 559 560 static bool classof(const CallEvent *CA) { 561 return CA->getKind() == CE_CXXMember; 562 } 563}; 564 565/// \brief Represents a C++ overloaded operator call where the operator is 566/// implemented as a non-static member function. 567/// 568/// Example: <tt>iter + 1</tt> 569class CXXMemberOperatorCall : public CXXInstanceCall { 570 friend class CallEventManager; 571 572protected: 573 CXXMemberOperatorCall(const CXXOperatorCallExpr *CE, ProgramStateRef St, 574 const LocationContext *LCtx) 575 : CXXInstanceCall(CE, St, LCtx) {} 576 577 CXXMemberOperatorCall(const CXXMemberOperatorCall &Other) 578 : CXXInstanceCall(Other) {} 579 virtual void cloneTo(void *Dest) const { 580 new (Dest) CXXMemberOperatorCall(*this); 581 } 582 583public: 584 virtual const CXXOperatorCallExpr *getOriginExpr() const { 585 return cast<CXXOperatorCallExpr>(CXXInstanceCall::getOriginExpr()); 586 } 587 588 virtual unsigned getNumArgs() const { 589 return getOriginExpr()->getNumArgs() - 1; 590 } 591 virtual const Expr *getArgExpr(unsigned Index) const { 592 return getOriginExpr()->getArg(Index + 1); 593 } 594 595 virtual const Expr *getCXXThisExpr() const; 596 597 virtual Kind getKind() const { return CE_CXXMemberOperator; } 598 599 static bool classof(const CallEvent *CA) { 600 return CA->getKind() == CE_CXXMemberOperator; 601 } 602}; 603 604/// \brief Represents an implicit call to a C++ destructor. 605/// 606/// This can occur at the end of a scope (for automatic objects), at the end 607/// of a full-expression (for temporaries), or as part of a delete. 608class CXXDestructorCall : public CXXInstanceCall { 609 friend class CallEventManager; 610 611protected: 612 typedef llvm::PointerIntPair<const MemRegion *, 1, bool> DtorDataTy; 613 614 /// Creates an implicit destructor. 615 /// 616 /// \param DD The destructor that will be called. 617 /// \param Trigger The statement whose completion causes this destructor call. 618 /// \param Target The object region to be destructed. 619 /// \param St The path-sensitive state at this point in the program. 620 /// \param LCtx The location context at this point in the program. 621 CXXDestructorCall(const CXXDestructorDecl *DD, const Stmt *Trigger, 622 const MemRegion *Target, bool IsBaseDestructor, 623 ProgramStateRef St, const LocationContext *LCtx) 624 : CXXInstanceCall(DD, St, LCtx) { 625 Data = DtorDataTy(Target, IsBaseDestructor).getOpaqueValue(); 626 Location = Trigger->getLocEnd(); 627 } 628 629 CXXDestructorCall(const CXXDestructorCall &Other) : CXXInstanceCall(Other) {} 630 virtual void cloneTo(void *Dest) const { new (Dest) CXXDestructorCall(*this); } 631 632public: 633 virtual SourceRange getSourceRange() const { return Location; } 634 virtual unsigned getNumArgs() const { return 0; } 635 636 virtual RuntimeDefinition getRuntimeDefinition() const; 637 638 /// \brief Returns the value of the implicit 'this' object. 639 virtual SVal getCXXThisVal() const; 640 641 /// Returns true if this is a call to a base class destructor. 642 bool isBaseDestructor() const { 643 return DtorDataTy::getFromOpaqueValue(Data).getInt(); 644 } 645 646 virtual Kind getKind() const { return CE_CXXDestructor; } 647 648 static bool classof(const CallEvent *CA) { 649 return CA->getKind() == CE_CXXDestructor; 650 } 651}; 652 653/// \brief Represents a call to a C++ constructor. 654/// 655/// Example: \c T(1) 656class CXXConstructorCall : public AnyFunctionCall { 657 friend class CallEventManager; 658 659protected: 660 /// Creates a constructor call. 661 /// 662 /// \param CE The constructor expression as written in the source. 663 /// \param Target The region where the object should be constructed. If NULL, 664 /// a new symbolic region will be used. 665 /// \param St The path-sensitive state at this point in the program. 666 /// \param LCtx The location context at this point in the program. 667 CXXConstructorCall(const CXXConstructExpr *CE, const MemRegion *Target, 668 ProgramStateRef St, const LocationContext *LCtx) 669 : AnyFunctionCall(CE, St, LCtx) { 670 Data = Target; 671 } 672 673 CXXConstructorCall(const CXXConstructorCall &Other) : AnyFunctionCall(Other){} 674 virtual void cloneTo(void *Dest) const { new (Dest) CXXConstructorCall(*this); } 675 676 virtual void getExtraInvalidatedRegions(RegionList &Regions) const; 677 678public: 679 virtual const CXXConstructExpr *getOriginExpr() const { 680 return cast<CXXConstructExpr>(AnyFunctionCall::getOriginExpr()); 681 } 682 683 virtual const CXXConstructorDecl *getDecl() const { 684 return getOriginExpr()->getConstructor(); 685 } 686 687 virtual unsigned getNumArgs() const { return getOriginExpr()->getNumArgs(); } 688 689 virtual const Expr *getArgExpr(unsigned Index) const { 690 return getOriginExpr()->getArg(Index); 691 } 692 693 /// \brief Returns the value of the implicit 'this' object. 694 SVal getCXXThisVal() const; 695 696 virtual void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 697 BindingsTy &Bindings) const; 698 699 virtual Kind getKind() const { return CE_CXXConstructor; } 700 701 static bool classof(const CallEvent *CA) { 702 return CA->getKind() == CE_CXXConstructor; 703 } 704}; 705 706/// \brief Represents the memory allocation call in a C++ new-expression. 707/// 708/// This is a call to "operator new". 709class CXXAllocatorCall : public AnyFunctionCall { 710 friend class CallEventManager; 711 712protected: 713 CXXAllocatorCall(const CXXNewExpr *E, ProgramStateRef St, 714 const LocationContext *LCtx) 715 : AnyFunctionCall(E, St, LCtx) {} 716 717 CXXAllocatorCall(const CXXAllocatorCall &Other) : AnyFunctionCall(Other) {} 718 virtual void cloneTo(void *Dest) const { new (Dest) CXXAllocatorCall(*this); } 719 720public: 721 virtual const CXXNewExpr *getOriginExpr() const { 722 return cast<CXXNewExpr>(AnyFunctionCall::getOriginExpr()); 723 } 724 725 virtual const FunctionDecl *getDecl() const { 726 return getOriginExpr()->getOperatorNew(); 727 } 728 729 virtual unsigned getNumArgs() const { 730 return getOriginExpr()->getNumPlacementArgs() + 1; 731 } 732 733 virtual const Expr *getArgExpr(unsigned Index) const { 734 // The first argument of an allocator call is the size of the allocation. 735 if (Index == 0) 736 return 0; 737 return getOriginExpr()->getPlacementArg(Index - 1); 738 } 739 740 virtual Kind getKind() const { return CE_CXXAllocator; } 741 742 static bool classof(const CallEvent *CE) { 743 return CE->getKind() == CE_CXXAllocator; 744 } 745}; 746 747/// \brief Represents the ways an Objective-C message send can occur. 748// 749// Note to maintainers: OCM_Message should always be last, since it does not 750// need to fit in the Data field's low bits. 751enum ObjCMessageKind { 752 OCM_PropertyAccess, 753 OCM_Subscript, 754 OCM_Message 755}; 756 757/// \brief Represents any expression that calls an Objective-C method. 758/// 759/// This includes all of the kinds listed in ObjCMessageKind. 760class ObjCMethodCall : public CallEvent { 761 friend class CallEventManager; 762 763 const PseudoObjectExpr *getContainingPseudoObjectExpr() const; 764 765protected: 766 ObjCMethodCall(const ObjCMessageExpr *Msg, ProgramStateRef St, 767 const LocationContext *LCtx) 768 : CallEvent(Msg, St, LCtx) { 769 Data = 0; 770 } 771 772 ObjCMethodCall(const ObjCMethodCall &Other) : CallEvent(Other) {} 773 virtual void cloneTo(void *Dest) const { new (Dest) ObjCMethodCall(*this); } 774 775 virtual void getExtraInvalidatedRegions(RegionList &Regions) const; 776 777 /// Check if the selector may have multiple definitions (may have overrides). 778 virtual bool canBeOverridenInSubclass(ObjCInterfaceDecl *IDecl, 779 Selector Sel) const; 780 781public: 782 virtual const ObjCMessageExpr *getOriginExpr() const { 783 return cast<ObjCMessageExpr>(CallEvent::getOriginExpr()); 784 } 785 virtual const ObjCMethodDecl *getDecl() const { 786 return getOriginExpr()->getMethodDecl(); 787 } 788 virtual unsigned getNumArgs() const { 789 return getOriginExpr()->getNumArgs(); 790 } 791 virtual const Expr *getArgExpr(unsigned Index) const { 792 return getOriginExpr()->getArg(Index); 793 } 794 795 bool isInstanceMessage() const { 796 return getOriginExpr()->isInstanceMessage(); 797 } 798 ObjCMethodFamily getMethodFamily() const { 799 return getOriginExpr()->getMethodFamily(); 800 } 801 Selector getSelector() const { 802 return getOriginExpr()->getSelector(); 803 } 804 805 virtual SourceRange getSourceRange() const; 806 807 /// \brief Returns the value of the receiver at the time of this call. 808 SVal getReceiverSVal() const; 809 810 /// \brief Return the value of 'self' if available. 811 SVal getSelfSVal() const; 812 813 /// \brief Get the interface for the receiver. 814 /// 815 /// This works whether this is an instance message or a class message. 816 /// However, it currently just uses the static type of the receiver. 817 const ObjCInterfaceDecl *getReceiverInterface() const { 818 return getOriginExpr()->getReceiverInterface(); 819 } 820 821 /// \brief Checks if the receiver refers to 'self' or 'super'. 822 bool isReceiverSelfOrSuper() const; 823 824 /// Returns how the message was written in the source (property access, 825 /// subscript, or explicit message send). 826 ObjCMessageKind getMessageKind() const; 827 828 /// Returns true if this property access or subscript is a setter (has the 829 /// form of an assignment). 830 bool isSetter() const { 831 switch (getMessageKind()) { 832 case OCM_Message: 833 llvm_unreachable("This is not a pseudo-object access!"); 834 case OCM_PropertyAccess: 835 return getNumArgs() > 0; 836 case OCM_Subscript: 837 return getNumArgs() > 1; 838 } 839 llvm_unreachable("Unknown message kind"); 840 } 841 842 virtual RuntimeDefinition getRuntimeDefinition() const; 843 844 virtual void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 845 BindingsTy &Bindings) const; 846 847 virtual param_iterator param_begin() const; 848 virtual param_iterator param_end() const; 849 850 virtual Kind getKind() const { return CE_ObjCMessage; } 851 852 static bool classof(const CallEvent *CA) { 853 return CA->getKind() == CE_ObjCMessage; 854 } 855}; 856 857 858/// \brief Manages the lifetime of CallEvent objects. 859/// 860/// CallEventManager provides a way to create arbitrary CallEvents "on the 861/// stack" as if they were value objects by keeping a cache of CallEvent-sized 862/// memory blocks. The CallEvents created by CallEventManager are only valid 863/// for the lifetime of the OwnedCallEvent that holds them; right now these 864/// objects cannot be copied and ownership cannot be transferred. 865class CallEventManager { 866 friend class CallEvent; 867 868 llvm::BumpPtrAllocator &Alloc; 869 SmallVector<void *, 8> Cache; 870 871 void reclaim(const void *Memory) { 872 Cache.push_back(const_cast<void *>(Memory)); 873 } 874 875 /// Returns memory that can be initialized as a CallEvent. 876 void *allocate() { 877 if (Cache.empty()) 878 return Alloc.Allocate<FunctionCall>(); 879 else 880 return Cache.pop_back_val(); 881 } 882 883 template <typename T, typename Arg> 884 T *create(Arg A, ProgramStateRef St, const LocationContext *LCtx) { 885 return new (allocate()) T(A, St, LCtx); 886 } 887 888 template <typename T, typename Arg1, typename Arg2> 889 T *create(Arg1 A1, Arg2 A2, ProgramStateRef St, const LocationContext *LCtx) { 890 return new (allocate()) T(A1, A2, St, LCtx); 891 } 892 893 template <typename T, typename Arg1, typename Arg2, typename Arg3> 894 T *create(Arg1 A1, Arg2 A2, Arg3 A3, ProgramStateRef St, 895 const LocationContext *LCtx) { 896 return new (allocate()) T(A1, A2, A3, St, LCtx); 897 } 898 899 template <typename T, typename Arg1, typename Arg2, typename Arg3, 900 typename Arg4> 901 T *create(Arg1 A1, Arg2 A2, Arg3 A3, Arg4 A4, ProgramStateRef St, 902 const LocationContext *LCtx) { 903 return new (allocate()) T(A1, A2, A3, A4, St, LCtx); 904 } 905 906public: 907 CallEventManager(llvm::BumpPtrAllocator &alloc) : Alloc(alloc) {} 908 909 910 CallEventRef<> 911 getCaller(const StackFrameContext *CalleeCtx, ProgramStateRef State); 912 913 914 CallEventRef<> 915 getSimpleCall(const CallExpr *E, ProgramStateRef State, 916 const LocationContext *LCtx); 917 918 CallEventRef<ObjCMethodCall> 919 getObjCMethodCall(const ObjCMessageExpr *E, ProgramStateRef State, 920 const LocationContext *LCtx) { 921 return create<ObjCMethodCall>(E, State, LCtx); 922 } 923 924 CallEventRef<CXXConstructorCall> 925 getCXXConstructorCall(const CXXConstructExpr *E, const MemRegion *Target, 926 ProgramStateRef State, const LocationContext *LCtx) { 927 return create<CXXConstructorCall>(E, Target, State, LCtx); 928 } 929 930 CallEventRef<CXXDestructorCall> 931 getCXXDestructorCall(const CXXDestructorDecl *DD, const Stmt *Trigger, 932 const MemRegion *Target, bool IsBase, 933 ProgramStateRef State, const LocationContext *LCtx) { 934 return create<CXXDestructorCall>(DD, Trigger, Target, IsBase, State, LCtx); 935 } 936 937 CallEventRef<CXXAllocatorCall> 938 getCXXAllocatorCall(const CXXNewExpr *E, ProgramStateRef State, 939 const LocationContext *LCtx) { 940 return create<CXXAllocatorCall>(E, State, LCtx); 941 } 942}; 943 944 945template <typename T> 946CallEventRef<T> CallEvent::cloneWithState(ProgramStateRef NewState) const { 947 assert(isa<T>(*this) && "Cloning to unrelated type"); 948 assert(sizeof(T) == sizeof(CallEvent) && "Subclasses may not add fields"); 949 950 if (NewState == State) 951 return cast<T>(this); 952 953 CallEventManager &Mgr = State->getStateManager().getCallEventManager(); 954 T *Copy = static_cast<T *>(Mgr.allocate()); 955 cloneTo(Copy); 956 assert(Copy->getKind() == this->getKind() && "Bad copy"); 957 958 Copy->State = NewState; 959 return Copy; 960} 961 962inline void CallEvent::Release() const { 963 assert(RefCount > 0 && "Reference count is already zero."); 964 --RefCount; 965 966 if (RefCount > 0) 967 return; 968 969 CallEventManager &Mgr = State->getStateManager().getCallEventManager(); 970 Mgr.reclaim(this); 971 972 this->~CallEvent(); 973} 974 975} // end namespace ento 976} // end namespace clang 977 978namespace llvm { 979 // Support isa<>, cast<>, and dyn_cast<> for CallEventRef. 980 template<class T> struct simplify_type< clang::ento::CallEventRef<T> > { 981 typedef const T *SimpleType; 982 983 static SimpleType 984 getSimplifiedValue(const clang::ento::CallEventRef<T>& Val) { 985 return Val.getPtr(); 986 } 987 }; 988} 989 990#endif 991