CoreEngine.cpp revision 437ee81e54f39c2363d5fe0ea155604c28adc615
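//==- CoreEngine.cpp - Path-Sensitive Dataflow Engine ------------*- C++ -*-//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
//  This file defines a generic engine for intraprocedural, path-sensitive,
//  dataflow analysis via graph reachability engine.
//
//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "clang/Index/TranslationUnit.h"
#include "clang/AST/Expr.h"
#include "clang/AST/StmtCXX.h"
#include "llvm/Support/Casting.h"
#include "llvm/ADT/DenseMap.h"
using namespace clang;
using namespace ento;

//===----------------------------------------------------------------------===//
// Worklist classes for exploration of reachable states.
//===----------------------------------------------------------------------===//

// Out-of-line destructor definition for the worklist visitor interface.
WorkList::Visitor::~Visitor() {}

namespace {
/// Worklist backed by a stack: dequeue() returns the most recently enqueued
/// unit.
class DFS : public WorkList {
  SmallVector<WorkListUnit,20> Stack;
public:
  /// \returns true while at least one unit is waiting on the stack.
  virtual bool hasWork() const {
    return !Stack.empty();
  }

  /// Push a copy of \p U onto the stack.
  virtual void enqueue(const WorkListUnit& U) {
    Stack.push_back(U);
  }

  /// Remove and return the unit on top of the stack. The stack must not be
  /// empty.
  virtual WorkListUnit dequeue() {
    assert (!Stack.empty());
    // Copy the unit out before popping. pop_back() ends the lifetime of the
    // element, so a reference obtained from Stack.back() must not be read
    // afterwards.
    WorkListUnit U = Stack.back();
    Stack.pop_back();
    return U;
  }

  /// Offer every queued unit to \p V, in storage order.
  /// \returns true as soon as V.visit() returns true, false otherwise.
  virtual bool visitItemsInWorkList(Visitor &V) {
    for (SmallVectorImpl<WorkListUnit>::iterator
         I = Stack.begin(), E = Stack.end(); I != E; ++I) {
      if (V.visit(*I))
        return true;
    }
    return false;
  }
};

/// Worklist backed by a std::deque.
///
/// NOTE(review): enqueue() pushes at the front and dequeue() pops from the
/// front, so units come back newest-first. Confirm that this is the intended
/// order for a worklist named BFS.
class BFS : public WorkList {
  std::deque<WorkListUnit> Queue;
public:
  /// \returns true while at least one unit is waiting in the deque.
  virtual bool hasWork() const {
    return !Queue.empty();
  }

  /// Insert a copy of \p U at the front of the deque.
  virtual void enqueue(const WorkListUnit& U) {
    Queue.push_front(U);
  }

  /// Remove and return the unit at the front of the deque. The deque must not
  /// be empty.
  virtual WorkListUnit dequeue() {
    // front() on an empty deque is undefined; check it like DFS::dequeue().
    assert (!Queue.empty());
    WorkListUnit U = Queue.front();
    Queue.pop_front();
    return U;
  }

  /// Offer every queued unit to \p V, front to back.
  /// \returns true as soon as V.visit() returns true, false otherwise.
  virtual bool visitItemsInWorkList(Visitor &V) {
    for (std::deque<WorkListUnit>::iterator
         I = Queue.begin(), E = Queue.end(); I != E; ++I) {
      if (V.visit(*I))
        return true;
    }
    return false;
  }
};

} // end anonymous namespace

// Place the dstor for WorkList here because it contains virtual member
// functions, and we want the code for the dstor generated in one compilation
// unit.
WorkList::~WorkList() {}

// Factory functions. Each returns a heap-allocated worklist that the caller
// must release.
WorkList *WorkList::makeDFS() { return new DFS(); }
WorkList *WorkList::makeBFS() { return new BFS(); }

namespace {
  /// Worklist that keeps BlockEntrance units in a deque and all other units
  /// on a stack. dequeue() drains the stack before it touches the deque.
  class BFSBlockDFSContents : public WorkList {
    std::deque<WorkListUnit> Queue;
    SmallVector<WorkListUnit,20> Stack;
  public:
    /// \returns true while either container holds a unit.
    virtual bool hasWork() const {
      return !Queue.empty() || !Stack.empty();
    }

    /// Route \p U by the program point of its node: BlockEntrance units go to
    /// the front of the deque, everything else onto the stack.
    virtual void enqueue(const WorkListUnit& U) {
      if (isa<BlockEntrance>(U.getNode()->getLocation()))
        Queue.push_front(U);
      else
        Stack.push_back(U);
    }

    /// Remove and return the next unit: the top of the stack if it is
    /// non-empty, otherwise the front of the deque. At least one container
    /// must hold a unit.
    virtual WorkListUnit dequeue() {
      // Process all basic blocks to completion.
      if (!Stack.empty()) {
        // Copy before popping. pop_back() ends the lifetime of the element,
        // so a reference to Stack.back() must not be read afterwards.
        WorkListUnit U = Stack.back();
        Stack.pop_back();
        return U;
      }

      assert(!Queue.empty());
      // Don't use const reference. The subsequent pop_front() might make it
      // unsafe.
      WorkListUnit U = Queue.front();
      Queue.pop_front();
      return U;
    }

    /// Offer every queued unit to \p V: the stack first, then the deque.
    /// \returns true as soon as V.visit() returns true, false otherwise.
    virtual bool visitItemsInWorkList(Visitor &V) {
      for (SmallVectorImpl<WorkListUnit>::iterator
           I = Stack.begin(), E = Stack.end(); I != E; ++I) {
        if (V.visit(*I))
          return true;
      }
      for (std::deque<WorkListUnit>::iterator
           I = Queue.begin(), E = Queue.end(); I != E; ++I) {
        if (V.visit(*I))
          return true;
      }
      return false;
    }

  };
} // end anonymous namespace

/// \returns a heap-allocated BFSBlockDFSContents worklist that the caller
/// must release.
WorkList* WorkList::makeBFSBlockDFSContents() {
  return new BFSBlockDFSContents();
}

//===----------------------------------------------------------------------===//
// Core analysis engine.
//===----------------------------------------------------------------------===//

/// ExecuteWorkList - Run the worklist algorithm for a maximum number of steps.
///
/// \param L location context whose CFG entry block seeds the graph when the
///          graph has no root yet.
/// \param Steps maximum number of worklist units to process; 0 means no limit.
/// \param InitState state for the root node; when it is null the state comes
///          from SubEng.getInitialState(L).
/// \returns true if the worklist still holds work when the loop stops.
bool CoreEngine::ExecuteWorkList(const LocationContext *L, unsigned Steps,
                                   ProgramStateRef InitState) {

  if (G->num_roots() == 0) { // Initialize the analysis by constructing
    // the root if none exists.

    const CFGBlock *Entry = &(L->getCFG()->getEntry());

    assert (Entry->empty() &&
            "Entry block must be empty.");

    assert (Entry->succ_size() == 1 &&
            "Entry block must have 1 successor.");

    // Get the solitary successor.
    const CFGBlock *Succ = *(Entry->succ_begin());

    // Construct an edge representing the
    // starting location in the function.
    BlockEdge StartLoc(Entry, Succ, L);

    // Set the current block counter to being empty.
    WList->setBlockCounter(BCounterFactory.GetEmptyCounter());

    if (!InitState)
      // Generate the root.
      generateNode(StartLoc, SubEng.getInitialState(L), 0);
    else
      generateNode(StartLoc, InitState, 0);
  }

  // Check if we have a steps limit
  bool UnlimitedSteps = Steps == 0;

  while (WList->hasWork()) {
    if (!UnlimitedSteps) {
      if (Steps == 0)
        break;
      --Steps;
    }

    getGraph().reclaimChangedNodes();
    // dequeue() returns by value; binding the temporary to a const reference
    // keeps it alive until the end of this iteration.
    const WorkListUnit& WU = WList->dequeue();

    // Set the current block counter.
    WList->setBlockCounter(WU.getBlockCounter());

    // Retrieve the node.
    ExplodedNode *Node = WU.getNode();

    // Dispatch on the location type.
    switch (Node->getLocation().getKind()) {
      case ProgramPoint::BlockEdgeKind:
        HandleBlockEdge(cast<BlockEdge>(Node->getLocation()), Node);
        break;

      case ProgramPoint::BlockEntranceKind:
        HandleBlockEntrance(cast<BlockEntrance>(Node->getLocation()), Node);
        break;

      case ProgramPoint::BlockExitKind:
        assert (false && "BlockExit location never occur in forward analysis.");
        break;

      case ProgramPoint::CallEnterKind:
        SubEng.processCallEnter(cast<CallEnter>(Node->getLocation()), Node);
        break;

      case ProgramPoint::CallExitKind:
        SubEng.processCallExit(Node);
        break;

      default:
        assert(isa<PostStmt>(Node->getLocation()) ||
               isa<PostInitializer>(Node->getLocation()));
        HandlePostStmt(WU.getBlock(), WU.getIndex(), Node);
        break;
    }
  }

  SubEng.processEndWorklist(hasWorkRemaining());
  return WList->hasWork();
}

/// Run ExecuteWorkList() with \p InitState, then add every end-of-path node
/// of the graph (eop_begin() to eop_end()) to \p Dst.
void CoreEngine::ExecuteWorkListWithInitialState(const LocationContext *L,
                                                 unsigned Steps,
                                                 ProgramStateRef InitState,
                                                 ExplodedNodeSet &Dst) {
  ExecuteWorkList(L, Steps, InitState);
  for (ExplodedGraph::eop_iterator I = G->eop_begin(),
                                   E = G->eop_end(); I != E; ++I) {
    Dst.Add(*I);
  }
}

/// Process a node located on a CFG edge. When the edge leads into the EXIT
/// block, the sub-engine handles the end of the function and nothing is
/// enqueued. Otherwise the sub-engine processes the block entrance, the
/// resulting nodes are enqueued, and sink nodes are recorded in
/// blocksExhausted.
void CoreEngine::HandleBlockEdge(const BlockEdge &L, ExplodedNode *Pred) {

  const CFGBlock *Blk = L.getDst();
  NodeBuilderContext BuilderCtx(*this, Blk, Pred);

  // Check if we are entering the EXIT block.
  if (Blk == &(L.getLocationContext()->getCFG()->getExit())) {

    assert (L.getLocationContext()->getCFG()->getExit().size() == 0
            && "EXIT block cannot contain Stmts.");

    // Process the final state transition.
    SubEng.processEndOfFunction(BuilderCtx);

    // This path is done. Don't enqueue any more nodes.
    return;
  }

  // Call into the SubEngine to process entering the CFGBlock.
  ExplodedNodeSet dstNodes;
  BlockEntrance BE(Blk, Pred->getLocationContext());
  NodeBuilderWithSinks nodeBuilder(Pred, dstNodes, BuilderCtx, BE);
  SubEng.processCFGBlockEntrance(nodeBuilder);

  // Auto-generate a node.
  if (!nodeBuilder.hasGeneratedNodes()) {
    nodeBuilder.generateNode(Pred->State, Pred);
  }

  // Enqueue nodes onto the worklist.
  enqueue(dstNodes);

  // Mark sink nodes as exhausted.
  const SmallVectorImpl<ExplodedNode*> &Sinks = nodeBuilder.getSinks();
  for (SmallVectorImpl<ExplodedNode*>::const_iterator
         I =Sinks.begin(), E = Sinks.end(); I != E; ++I) {
    blocksExhausted.push_back(std::make_pair(L, *I));
  }
}

/// Process a node located at the entrance of a block: bump the block counter
/// for the current stack frame and block ID, then hand the first CFG element
/// to the sub-engine, or go straight to HandleBlockExit() when the block has
/// no first element.
void CoreEngine::HandleBlockEntrance(const BlockEntrance &L,
                                       ExplodedNode *Pred) {

  // Increment the block counter.
  BlockCounter Counter = WList->getBlockCounter();
  Counter = BCounterFactory.IncrementCount(Counter,
                             Pred->getLocationContext()->getCurrentStackFrame(),
                                           L.getBlock()->getBlockID());
  WList->setBlockCounter(Counter);

  // Process the entrance of the block.
  if (CFGElement E = L.getFirstElement()) {
    NodeBuilderContext Ctx(*this, L.getBlock(), Pred);
    SubEng.processCFGElement(E, Pred, 0, &Ctx);
  }
  else
    HandleBlockExit(L.getBlock(), Pred);
}

/// Process the end of block \p B. A block with a terminator is dispatched on
/// the terminator's statement class. continue, break and goto terminators,
/// and blocks without a terminator, produce a node on the edge to the block's
/// single successor.
void CoreEngine::HandleBlockExit(const CFGBlock * B, ExplodedNode *Pred) {

  if (const Stmt *Term = B->getTerminator()) {
    switch (Term->getStmtClass()) {
      default:
        llvm_unreachable("Analysis for this terminator not implemented.");

      case Stmt::BinaryOperatorClass: // '&&' and '||'
        HandleBranch(cast<BinaryOperator>(Term)->getLHS(), Term, B, Pred);
        return;

      case Stmt::BinaryConditionalOperatorClass:
      case Stmt::ConditionalOperatorClass:
        HandleBranch(cast<AbstractConditionalOperator>(Term)->getCond(),
                     Term, B, Pred);
        return;

        // FIXME: Use constant-folding in CFG construction to simplify this
        // case.

      case Stmt::ChooseExprClass:
        HandleBranch(cast<ChooseExpr>(Term)->getCond(), Term, B, Pred);
        return;

      case Stmt::DoStmtClass:
        HandleBranch(cast<DoStmt>(Term)->getCond(), Term, B, Pred);
        return;

      case Stmt::CXXForRangeStmtClass:
        HandleBranch(cast<CXXForRangeStmt>(Term)->getCond(), Term, B, Pred);
        return;

      case Stmt::ForStmtClass:
        HandleBranch(cast<ForStmt>(Term)->getCond(), Term, B, Pred);
        return;

      // These fall out of the switch to the single-successor edge below.
      case Stmt::ContinueStmtClass:
      case Stmt::BreakStmtClass:
      case Stmt::GotoStmtClass:
        break;

      case Stmt::IfStmtClass:
        HandleBranch(cast<IfStmt>(Term)->getCond(), Term, B, Pred);
        return;

      case Stmt::IndirectGotoStmtClass: {
        // Only 1 successor: the indirect goto dispatch block.
        assert (B->succ_size() == 1);

        IndirectGotoNodeBuilder
           builder(Pred, B, cast<IndirectGotoStmt>(Term)->getTarget(),
                   *(B->succ_begin()), this);

        SubEng.processIndirectGoto(builder);
        return;
      }

      case Stmt::ObjCForCollectionStmtClass: {
        // In the case of ObjCForCollectionStmt, it appears twice in a CFG:
        //
        //  (1) inside a basic block, which represents the binding of the
        //      'element' variable to a value.
        //  (2) in a terminator, which represents the branch.
        //
        // For (1), subengines will bind a value (i.e., 0 or 1) indicating
        // whether or not collection contains any more elements.  We cannot
        // just test to see if the element is nil because a container can
        // contain nil elements.
        HandleBranch(Term, Term, B, Pred);
        return;
      }

      case Stmt::SwitchStmtClass: {
        SwitchNodeBuilder builder(Pred, B, cast<SwitchStmt>(Term)->getCond(),
                                    this);

        SubEng.processSwitch(builder);
        return;
      }

      case Stmt::WhileStmtClass:
        HandleBranch(cast<WhileStmt>(Term)->getCond(), Term, B, Pred);
        return;
    }
  }

  // The assert is the only check before succ_begin() is dereferenced; builds
  // without assertions rely on the CFG to uphold it.
  assert (B->succ_size() == 1 &&
          "Blocks with no terminator should have at most 1 successor.");

  generateNode(BlockEdge(B, *(B->succ_begin()), Pred->getLocationContext()),
               Pred->State, Pred);
}

/// Hand a two-way branch to the sub-engine, passing the first two successors
/// of \p B, and enqueue the nodes it produces.
void CoreEngine::HandleBranch(const Stmt *Cond, const Stmt *Term,
                                const CFGBlock * B, ExplodedNode *Pred) {
  // Both successor iterators are dereferenced below; the assert is the only
  // check that two successors exist.
  assert(B->succ_size() == 2);
  NodeBuilderContext Ctx(*this, B, Pred);
  ExplodedNodeSet Dst;
  SubEng.processBranch(Cond, Term, Ctx, Pred, Dst,
                       *(B->succ_begin()), *(B->succ_begin()+1));
  // Enqueue the new frontier onto the worklist.
  enqueue(Dst);
}

/// Continue after the element at index StmtIdx - 1 of block \p B: process the
/// element at \p StmtIdx, or the block exit when \p StmtIdx equals the block
/// size.
void CoreEngine::HandlePostStmt(const CFGBlock *B, unsigned StmtIdx,
                                  ExplodedNode *Pred) {
  assert(B);
  assert(!B->empty());

  if (StmtIdx == B->size())
    HandleBlockExit(B, Pred);
  else {
    NodeBuilderContext Ctx(*this, B, Pred);
    SubEng.processCFGElement((*B)[StmtIdx], Pred, StmtIdx, &Ctx);
  }
}

/// generateNode - Utility method to generate nodes, hook up successors,
///  and add nodes to the worklist.
///
/// \param Loc program point of the node.
/// \param State program state of the node.
/// \param Pred predecessor to link to; when null the node becomes a root of
///        the graph and must be newly created.
void CoreEngine::generateNode(const ProgramPoint &Loc,
                              ProgramStateRef State,
                              ExplodedNode *Pred) {

  bool IsNew;
  ExplodedNode *Node = G->getNode(Loc, State, false, &IsNew);

  if (Pred)
    Node->addPredecessor(Pred, *G);  // Link 'Node' with its predecessor.
  else {
    assert (IsNew);
    G->addRoot(Node);  // 'Node' has no predecessor.  Make it a root.
  }

  // Only add 'Node' to the worklist if it was freshly generated.
  if (IsNew) WList->enqueue(Node);
}

/// Enqueue the work that follows node \p N, which belongs to element \p Idx
/// of \p Block. CallEnter nodes keep \p Idx; PostInitializer nodes and nodes
/// already at the PostStmt location advance to Idx + 1; any other node gets a
/// PostStmt successor, which is enqueued at Idx + 1 if it is new.
void CoreEngine::enqueueStmtNode(ExplodedNode *N,
                                 const CFGBlock *Block, unsigned Idx) {
  assert(Block);
  assert (!N->isSink());

  // Check if this node entered a callee.
  if (isa<CallEnter>(N->getLocation())) {
    // Still use the index of the CallExpr. It's needed to create the callee
    // StackFrameContext.
    WList->enqueue(N, Block, Idx);
    return;
  }

  // Do not create extra nodes. Move to the next CFG element.
  if (isa<PostInitializer>(N->getLocation())) {
    WList->enqueue(N, Block, Idx+1);
    return;
  }

  // The element at Idx may not be a CFGStmt; St is then null.
  const CFGStmt *CS = (*Block)[Idx].getAs<CFGStmt>();
  const Stmt *St = CS ? CS->getStmt() : 0;
  PostStmt Loc(St, N->getLocationContext());

  if (Loc == N->getLocation()) {
    // Note: 'N' should be a fresh node because otherwise it shouldn't be
    // a member of Deferred.
    WList->enqueue(N, Block, Idx+1);
    return;
  }

  bool IsNew;
  ExplodedNode *Succ = G->getNode(Loc, N->getState(), false, &IsNew);
  Succ->addPredecessor(N, *G);

  if (IsNew)
    WList->enqueue(Succ, Block, Idx+1);
}

/// Create the CallExit node that follows \p N and link it to \p N.
/// \returns the node if it was newly created, null otherwise. The caller is
/// responsible for enqueueing it.
ExplodedNode *CoreEngine::generateCallExitNode(ExplodedNode *N) {
  // Create a CallExit node.
  const StackFrameContext *LocCtx
                         = cast<StackFrameContext>(N->getLocationContext());
  const Stmt *CE = LocCtx->getCallSite();

  // Use the callee location context.
  CallExit Loc(CE, LocCtx);

  bool isNew;
  ExplodedNode *Node = G->getNode(Loc, N->getState(), false, &isNew);
  Node->addPredecessor(N, *G);
  return isNew ? Node : 0;
}


/// Put every node of \p Set on the worklist.
void CoreEngine::enqueue(ExplodedNodeSet &Set) {
  for (ExplodedNodeSet::iterator I = Set.begin(),
                                 E = Set.end(); I != E; ++I) {
    WList->enqueue(*I);
  }
}

/// Pass every node of \p Set to enqueueStmtNode() with \p Block and \p Idx.
void CoreEngine::enqueue(ExplodedNodeSet &Set,
                         const CFGBlock *Block, unsigned Idx) {
  for (ExplodedNodeSet::iterator I = Set.begin(),
                                 E = Set.end(); I != E; ++I) {
    enqueueStmtNode(*I, Block, Idx);
  }
}

/// Finish every node of \p Set at the end of a function. A node whose
/// location context has a parent gets a CallExit successor, enqueued if it is
/// new; any other node is recorded as an end of path in the graph.
void CoreEngine::enqueueEndOfFunction(ExplodedNodeSet &Set) {
  for (ExplodedNodeSet::iterator I = Set.begin(), E = Set.end(); I != E; ++I) {
    ExplodedNode *N = *I;
    // If we are in an inlined call, generate CallExit node.
    if (N->getLocationContext()->getParent()) {
      N = generateCallExitNode(N);
      if (N)
        WList->enqueue(N);
    } else
      G->addEndOfPath(N);
  }
}


// Empty out-of-line definition; presumably follows the LLVM 'anchor'
// convention of pinning the vtable to this file.
void NodeBuilder::anchor() { }

/// Get the node for (\p Loc, \p State), link it to \p FromN and replace
/// \p FromN in the frontier.
/// \returns the node if it was newly created, null otherwise. A new node
/// joins the frontier unless \p MarkAsSink is set.
ExplodedNode* NodeBuilder::generateNodeImpl(const ProgramPoint &Loc,
                                            ProgramStateRef State,
                                            ExplodedNode *FromN,
                                            bool MarkAsSink) {
  HasGeneratedNodes = true;
  bool IsNew;
  ExplodedNode *N = C.Eng.G->getNode(Loc, State, MarkAsSink, &IsNew);
  N->addPredecessor(FromN, *C.Eng.G);
  // FromN leaves the frontier even when the node already existed.
  Frontier.erase(FromN);

  if (!IsNew)
    return 0;

  if (!MarkAsSink)
    Frontier.Add(N);

  return N;
}

// Empty out-of-line definition; see NodeBuilder::anchor().
void NodeBuilderWithSinks::anchor() { }

/// When an enclosing builder is set, pass it every node of the frontier.
StmtNodeBuilder::~StmtNodeBuilder() {
  if (EnclosingBldr)
    for (ExplodedNodeSet::iterator I = Frontier.begin(),
                                   E = Frontier.end(); I != E; ++I )
      EnclosingBldr->addNodes(*I);
}

// Empty out-of-line definition; see NodeBuilder::anchor().
void BranchNodeBuilder::anchor() { }

/// Generate the node on the edge to the true or the false target of the
/// branch.
/// \param branch selects DstT when true and DstF when false.
/// \returns null when that branch is infeasible or the node already existed.
ExplodedNode *BranchNodeBuilder::generateNode(ProgramStateRef State,
                                              bool branch,
                                              ExplodedNode *NodePred) {
  // If the branch has been marked infeasible we should not generate a node.
  if (!isFeasible(branch))
    return NULL;

  ProgramPoint Loc = BlockEdge(C.Block, branch ? DstT:DstF,
                               NodePred->getLocationContext());
  ExplodedNode *Succ = generateNodeImpl(Loc, State, NodePred);
  return Succ;
}

/// Generate the node on the edge from Src to the block of \p I.
/// \returns the node if it was newly created, null otherwise. A new node is
/// enqueued unless \p IsSink is set.
ExplodedNode*
IndirectGotoNodeBuilder::generateNode(const iterator &I,
                                      ProgramStateRef St,
                                      bool IsSink) {
  bool IsNew;
  ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, I.getBlock(),
                                      Pred->getLocationContext()), St,
                                      IsSink, &IsNew);
  Succ->addPredecessor(Pred, *Eng.G);

  if (!IsNew)
    return 0;

  if (!IsSink)
    Eng.WList->enqueue(Succ);

  return Succ;
}


/// Generate and enqueue the node on the edge from Src to the case block of
/// \p I.
/// \returns the node if it was newly created, null otherwise.
ExplodedNode*
SwitchNodeBuilder::generateCaseStmtNode(const iterator &I,
                                        ProgramStateRef St) {

  bool IsNew;
  ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, I.getBlock(),
                                      Pred->getLocationContext()), St,
                                      false, &IsNew);
  Succ->addPredecessor(Pred, *Eng.G);
  if (!IsNew)
    return 0;

  Eng.WList->enqueue(Succ);
  return Succ;
}


/// Generate the node on the edge from Src to its last successor, which is
/// used as the default block.
/// \returns null when the default block is null or the node already existed.
/// A new node is enqueued unless \p IsSink is set.
ExplodedNode*
SwitchNodeBuilder::generateDefaultCaseNode(ProgramStateRef St,
                                           bool IsSink) {
  // Get the block for the default case.
  assert(Src->succ_rbegin() != Src->succ_rend());
  CFGBlock *DefaultBlock = *Src->succ_rbegin();

  // Sanity check for default blocks that are unreachable and not caught
  // by earlier stages.
  if (!DefaultBlock)
    return NULL;

  bool IsNew;
  ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, DefaultBlock,
                                      Pred->getLocationContext()), St,
                                      IsSink, &IsNew);
  Succ->addPredecessor(Pred, *Eng.G);

  if (!IsNew)
    return 0;

  if (!IsSink)
    Eng.WList->enqueue(Succ);

  return Succ;
}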