ExprEngine.cpp revision 6a86082f3a06a2dcceaaf63f78a0e52d64bcbaa3 
16f71b09d7575db927c132c916484b0570420f30dmikesamuel//=-- ExprEngine.cpp - Path-Sensitive Expression-Level Dataflow ---*- C++ -*-=
26f71b09d7575db927c132c916484b0570420f30dmikesamuel//
36f71b09d7575db927c132c916484b0570420f30dmikesamuel//                     The LLVM Compiler Infrastructure
46f71b09d7575db927c132c916484b0570420f30dmikesamuel//
56f71b09d7575db927c132c916484b0570420f30dmikesamuel// This file is distributed under the University of Illinois Open Source
66f71b09d7575db927c132c916484b0570420f30dmikesamuel// License. See LICENSE.TXT for details.
76f71b09d7575db927c132c916484b0570420f30dmikesamuel//
86f71b09d7575db927c132c916484b0570420f30dmikesamuel//===----------------------------------------------------------------------===//
9w`�鑚)�����+�*���:�Ə�//
106f71b09d7575db927c132c916484b0570420f30dmikesamuel//  This file defines a meta-engine for path-sensitive dataflow analysis that
116f71b09d7575db927c132c916484b0570420f30dmikesamuel//  is built on GREngine, but provides the boilerplate to execute transfer
12w)�\�//  functions and build the ExplodedGraph at the expression level.
136f71b09d7575db927c132c916484b0570420f30dmikesamuel//
14u��//===----------------------------------------------------------------------===//
156f71b09d7575db927c132c916484b0570420f30dmikesamuel
166f71b09d7575db927c132c916484b0570420f30dmikesamuel#define DEBUG_TYPE "ExprEngine"
176f71b09d7575db927c132c916484b0570420f30dmikesamuel
186f71b09d7575db927c132c916484b0570420f30dmikesamuel#include "clang/StaticAnalyzer/Core/CheckerManager.h"
196f71b09d7575db927c132c916484b0570420f30dmikesamuel#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
206f71b09d7575db927c132c916484b0570420f30dmikesamuel#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
21tu�ޔ#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
226f71b09d7575db927c132c916484b0570420f30dmikesamuel#include "clang/StaticAnalyzer/Core/PathSensitive/ObjCMessage.h"
236f71b09d7575db927c132c916484b0570420f30dmikesamuel#include "clang/AST/CharUnits.h"
246f71b09d7575db927c132c916484b0570420f30dmikesamuel#include "clang/AST/ParentMap.h"
25c#include "clang/AST/StmtObjC.h"
266f71b09d7575db927c132c916484b0570420f30dmikesamuel#include "clang/AST/StmtCXX.h"
276f71b09d7575db927c132c916484b0570420f30dmikesamuel#include "clang/AST/DeclCXX.h"
286f71b09d7575db927c132c916484b0570420f30dmikesamuel#include "clang/Basic/Builtins.h"
296f71b09d7575db927c132c916484b0570420f30dmikesamuel#include "clang/Basic/SourceManager.h"
306f71b09d7575db927c132c916484b0570420f30dmikesamuel#include "clang/Basic/PrettyStackTrace.h"
316f71b09d7575db927c132c916484b0570420f30dmikesamuel#include "llvm/Support/raw_ostream.h"
326f71b09d7575db927c132c916484b0570420f30dmikesamuel#include "llvm/ADT/ImmutableList.h"
336f71b09d7575db927c132c916484b0570420f30dmikesamuel#include "llvm/ADT/Statistic.h"
346f71b09d7575db927c132c916484b0570420f30dmikesamuel
356f71b09d7575db927c132c916484b0570420f30dmikesamuel#ifndef NDEBUG
366f71b09d7575db927c132c916484b0570420f30dmikesamuel#include "llvm/Support/GraphWriter.h"
376f71b09d7575db927c132c916484b0570420f30dmikesamuel#endif
386f71b09d7575db927c132c916484b0570420f30dmikesamuel
396f71b09d7575db927c132c916484b0570420f30dmikesamuelusing namespace clang;
406f71b09d7575db927c132c916484b0570420f30dmikesamuelusing namespace ento;
416f71b09d7575db927c132c916484b0570420f30dmikesamuelusing llvm::APSInt;
426f71b09d7575db927c132c916484b0570420f30dmikesamuel
436f71b09d7575db927c132c916484b0570420f30dmikesamuelSTATISTIC(NumRemoveDeadBindings,
446f71b09d7575db927c132c916484b0570420f30dmikesamuel            "The # of times RemoveDeadBindings is called");
456f71b09d7575db927c132c916484b0570420f30dmikesamuelSTATISTIC(NumRemoveDeadBindingsSkipped,
466f71b09d7575db927c132c916484b0570420f30dmikesamuel            "The # of times RemoveDeadBindings is skipped");
47CK���[U))f�/b~�i��F#��e�ԑ���=�STATISTIC(NumMaxBlockCountReached,
486f71b09d7575db927c132c916484b0570420f30dmikesamuel            "The # of aborted paths due to reaching the maximum block count in "
496f71b09d7575db927c132c916484b0570420f30dmikesamuel            "a top level function");
506f71b09d7575db927c132c916484b0570420f30dmikesamuelSTATISTIC(NumMaxBlockCountReachedInInlined,
516f71b09d7575db927c132c916484b0570420f30dmikesamuel            "The # of aborted paths due to reaching the maximum block count in "
526f71b09d7575db927c132c916484b0570420f30dmikesamuel            "an inlined function");
536f71b09d7575db927c132c916484b0570420f30dmikesamuelSTATISTIC(NumTimesRetriedWithoutInlining,
546f71b09d7575db927c132c916484b0570420f30dmikesamuel            "The # of times we re-evaluated a call without inlining");
556f71b09d7575db927c132c916484b0570420f30dmikesamuel
566f71b09d7575db927c132c916484b0570420f30dmikesamuel//===----------------------------------------------------------------------===//
576f71b09d7575db927c132c916484b0570420f30dmikesamuel// Utility functions.
586f71b09d7575db927c132c916484b0570420f30dmikesamuel//===----------------------------------------------------------------------===//
596f71b09d7575db927c132c916484b0570420f30dmikesamuel
606f71b09d7575db927c132c916484b0570420f30dmikesamuelstatic inline Selector GetNullarySelector(const char* name, ASTContext &Ctx) {
616f71b09d7575db927c132c916484b0570420f30dmikesamuel  IdentifierInfo* II = &Ctx.Idents.get(name);
626f71b09d7575db927c132c916484b0570420f30dmikesamuel  return Ctx.Selectors.getSelector(0, &II);
636f71b09d7575db927c132c916484b0570420f30dmikesamuel}
646f71b09d7575db927c132c916484b0570420f30dmikesamuel
65U�lMw���y*��y`�b�e�T�슓k��+�PaN��//===----------------------------------------------------------------------===//
666f71b09d7575db927c132c916484b0570420f30dmikesamuel// Engine construction and deletion.
676f71b09d7575db927c132c916484b0570420f30dmikesamuel//===----------------------------------------------------------------------===//
686f71b09d7575db927c132c916484b0570420f30dmikesamuel
696f71b09d7575db927c132c916484b0570420f30dmikesamuelExprEngine::ExprEngine(AnalysisManager &mgr, bool gcEnabled,
706f71b09d7575db927c132c916484b0570420f30dmikesamuel                       SetOfConstDecls *VisitedCallees,
71pZ                       FunctionSummariesTy *FS)
726f71b09d7575db927c132c916484b0570420f30dmikesamuel  : AMgr(mgr),
736f71b09d7575db927c132c916484b0570420f30dmikesamuel    AnalysisDeclContexts(mgr.getAnalysisDeclContextManager()),
746f71b09d7575db927c132c916484b0570420f30dmikesamuel    Engine(*this, VisitedCallees, FS),
756f71b09d7575db927c132c916484b0570420f30dmikesamuel    G(Engine.getGraph()),
76mL����&�w�w}��PHʍ    StateMgr(getContext(), mgr.getStoreManagerCreator(),
774+� ��·煫���{���\(Q�T��ꂒ�%�Ԕ             mgr.getConstraintManagerCreator(), G.getAllocator(),
786f71b09d7575db927c132c916484b0570420f30dmikesamuel             *this),
796f71b09d7575db927c132c916484b0570420f30dmikesamuel    SymMgr(StateMgr.getSymbolManager()),
806f71b09d7575db927c132c916484b0570420f30dmikesamuel    svalBuilder(StateMgr.getSValBuilder()),
816f71b09d7575db927c132c916484b0570420f30dmikesamuel    EntryNode(NULL),
826f71b09d7575db927c132c916484b0570420f30dmikesamuel    currentStmt(NULL), currentStmtIdx(0), currentBuilderContext(0),
836f71b09d7575db927c132c916484b0570420f30dmikesamuel    NSExceptionII(NULL), NSExceptionInstanceRaiseSelectors(NULL),
846f71b09d7575db927c132c916484b0570420f30dmikesamuel    RaiseSel(GetNullarySelector("raise", getContext())),
856f71b09d7575db927c132c916484b0570420f30dmikesamuel    ObjCGCEnabled(gcEnabled), BR(mgr, *this) {
86OIR[I���V:\Jyh��
876f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (mgr.shouldEagerlyTrimExplodedGraph()) {
886f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Enable eager node reclaimation when constructing the ExplodedGraph.
896f71b09d7575db927c132c916484b0570420f30dmikesamuel    G.enableNodeReclamation();
906f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
916f71b09d7575db927c132c916484b0570420f30dmikesamuel}
92mnZ�-SW���Zm_�\+X���h
936f71b09d7575db927c132c916484b0570420f30dmikesamuelExprEngine::~ExprEngine() {
94Y��ߥ'G'��=�{M������  BR.FlushReports();
956f71b09d7575db927c132c916484b0570420f30dmikesamuel  delete [] NSExceptionInstanceRaiseSelectors;
966f71b09d7575db927c132c916484b0570420f30dmikesamuel}
976f71b09d7575db927c132c916484b0570420f30dmikesamuel
986f71b09d7575db927c132c916484b0570420f30dmikesamuel//===----------------------------------------------------------------------===//
996f71b09d7575db927c132c916484b0570420f30dmikesamuel// Utility methods.
1006f71b09d7575db927c132c916484b0570420f30dmikesamuel//===----------------------------------------------------------------------===//
1016f71b09d7575db927c132c916484b0570420f30dmikesamuel
1026f71b09d7575db927c132c916484b0570420f30dmikesamuelProgramStateRef ExprEngine::getInitialState(const LocationContext *InitLoc) {
1036f71b09d7575db927c132c916484b0570420f30dmikesamuel  ProgramStateRef state = StateMgr.getInitialState(InitLoc);
1046f71b09d7575db927c132c916484b0570420f30dmikesamuel  const Decl *D = InitLoc->getDecl();
1056f71b09d7575db927c132c916484b0570420f30dmikesamuel
1066f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Preconditions.
1076f71b09d7575db927c132c916484b0570420f30dmikesamuel  // FIXME: It would be nice if we had a more general mechanism to add
108w����T�  // such preconditions.  Some day.
1096f71b09d7575db927c132c916484b0570420f30dmikesamuel  do {
1106f71b09d7575db927c132c916484b0570420f30dmikesamuel
1116f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) {
1126f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Precondition: the first argument of 'main' is an integer guaranteed
1136f71b09d7575db927c132c916484b0570420f30dmikesamuel      //  to be > 0.
1146f71b09d7575db927c132c916484b0570420f30dmikesamuel      const IdentifierInfo *II = FD->getIdentifier();
1156f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (!II || !(II->getName() == "main" && FD->getNumParams() > 0))
1166f71b09d7575db927c132c916484b0570420f30dmikesamuel        break;
117C07�@�Y�tV`c�:�f�gO=��=�U�
118tj�N�-Pz��D�      const ParmVarDecl *PD = FD->getParamDecl(0);
1196f71b09d7575db927c132c916484b0570420f30dmikesamuel      QualType T = PD->getType();
1206f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (!T->isIntegerType())
1216f71b09d7575db927c132c916484b0570420f30dmikesamuel        break;
1226f71b09d7575db927c132c916484b0570420f30dmikesamuel
1236f71b09d7575db927c132c916484b0570420f30dmikesamuel      const MemRegion *R = state->getRegion(PD, InitLoc);
124R8F�]<�R}�      if (!R)
125gx�Fd-��q        break;
1266f71b09d7575db927c132c916484b0570420f30dmikesamuel
1276f71b09d7575db927c132c916484b0570420f30dmikesamuel      SVal V = state->getSVal(loc::MemRegionVal(R));
128g�}�`�-	~BO;�      SVal Constraint_untested = evalBinOp(state, BO_GT, V,
1296f71b09d7575db927c132c916484b0570420f30dmikesamuel                                           svalBuilder.makeZeroVal(T),
130pv�@��                                           getContext().IntTy);
1316f71b09d7575db927c132c916484b0570420f30dmikesamuel
1326f71b09d7575db927c132c916484b0570420f30dmikesamuel      DefinedOrUnknownSVal *Constraint =
1336f71b09d7575db927c132c916484b0570420f30dmikesamuel        dyn_cast<DefinedOrUnknownSVal>(&Constraint_untested);
1346f71b09d7575db927c132c916484b0570420f30dmikesamuel
1356f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (!Constraint)
1366f71b09d7575db927c132c916484b0570420f30dmikesamuel        break;
1376f71b09d7575db927c132c916484b0570420f30dmikesamuel
1389��>��-��>q>,"����E�;&ܢWx�      if (ProgramStateRef newState = state->assume(*Constraint, true))
1391���Q�>(CIg����)���        state = newState;
1406f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
1416f71b09d7575db927c132c916484b0570420f30dmikesamuel    break;
1426f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
1436f71b09d7575db927c132c916484b0570420f30dmikesamuel  while (0);
1446f71b09d7575db927c132c916484b0570420f30dmikesamuel
1456f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(D)) {
146vO�m���N{!Mc��    // Precondition: 'self' is always non-null upon entry to an Objective-C
1476f71b09d7575db927c132c916484b0570420f30dmikesamuel    // method.
148tiA�-��PK    const ImplicitParamDecl *SelfD = MD->getSelfDecl();
1496f71b09d7575db927c132c916484b0570420f30dmikesamuel    const MemRegion *R = state->getRegion(SelfD, InitLoc);
1506f71b09d7575db927c132c916484b0570420f30dmikesamuel    SVal V = state->getSVal(loc::MemRegionVal(R));
1516f71b09d7575db927c132c916484b0570420f30dmikesamuel
1526f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (const Loc *LV = dyn_cast<Loc>(&V)) {
1536f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Assume that the pointer value in 'self' is non-null.
1546f71b09d7575db927c132c916484b0570420f30dmikesamuel      state = state->assume(*LV, true);
1556f71b09d7575db927c132c916484b0570420f30dmikesamuel      assert(state && "'self' cannot be null");
1566f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
1576f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
1586f71b09d7575db927c132c916484b0570420f30dmikesamuel
1596f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(D)) {
160TAC�    if (!MD->isStatic()) {
1616f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Precondition: 'this' is always non-null upon entry to the
1626f71b09d7575db927c132c916484b0570420f30dmikesamuel      // top-level function.  This is our starting assumption for
1636f71b09d7575db927c132c916484b0570420f30dmikesamuel      // analyzing an "open" program.
1646f71b09d7575db927c132c916484b0570420f30dmikesamuel      const StackFrameContext *SFC = InitLoc->getCurrentStackFrame();
165c�l�#�<���$�      if (SFC->getParent() == 0) {
1666f71b09d7575db927c132c916484b0570420f30dmikesamuel        loc::MemRegionVal L(getCXXThisRegion(MD, SFC));
167d葇����b        SVal V = state->getSVal(L);
1681�+`��U        if (const Loc *LV = dyn_cast<Loc>(&V)) {
1696f71b09d7575db927c132c916484b0570420f30dmikesamuel          state = state->assume(*LV, true);
170I>!Sm�i�          assert(state && "'this' cannot be null");
1716f71b09d7575db927c132c916484b0570420f30dmikesamuel        }
172v�_y�*��i�r�*�ct�r���Kt��=���N��U�t�:��+i��D���S�h�z      }
1736f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
1746f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
1756f71b09d7575db927c132c916484b0570420f30dmikesamuel
1766f71b09d7575db927c132c916484b0570420f30dmikesamuel  return state;
1776f71b09d7575db927c132c916484b0570420f30dmikesamuel}
1786f71b09d7575db927c132c916484b0570420f30dmikesamuel
1796f71b09d7575db927c132c916484b0570420f30dmikesamuel//===----------------------------------------------------------------------===//
180hS;g��:촵��xZ=�¤�]gY�c�)kOD�X���������D�D��GK��S䜝// Top-level transfer function logic (Dispatcher).
1816f71b09d7575db927c132c916484b0570420f30dmikesamuel//===----------------------------------------------------------------------===//
1826f71b09d7575db927c132c916484b0570420f30dmikesamuel
1836f71b09d7575db927c132c916484b0570420f30dmikesamuel/// evalAssume - Called by ConstraintManager. Used to call checker-specific
1846f71b09d7575db927c132c916484b0570420f30dmikesamuel///  logic for handling assumptions on symbolic values.
1856f71b09d7575db927c132c916484b0570420f30dmikesamuelProgramStateRef ExprEngine::processAssume(ProgramStateRef state,
1865c����                                              SVal cond, bool assumption) {
187g뜾�"����fM��w��s�N���P���JgY�e�g�`j�  return getCheckerManager().runCheckersForEvalAssume(state, cond, assumption);
188h�<<���}
1896f71b09d7575db927c132c916484b0570420f30dmikesamuel
1906f71b09d7575db927c132c916484b0570420f30dmikesamuelbool ExprEngine::wantsRegionChangeUpdate(ProgramStateRef state) {
1914�)��hKi�B�*Քణn����a��P  return getCheckerManager().wantsRegionChangeUpdate(state);
1926f71b09d7575db927c132c916484b0570420f30dmikesamuel}
1936f71b09d7575db927c132c916484b0570420f30dmikesamuel
1946f71b09d7575db927c132c916484b0570420f30dmikesamuelProgramStateRef
1956f71b09d7575db927c132c916484b0570420f30dmikesamuelExprEngine::processRegionChanges(ProgramStateRef state,
19611��ƕ                            const StoreManager::InvalidatedSymbols *invalidated,
1976f71b09d7575db927c132c916484b0570420f30dmikesamuel                                 ArrayRef<const MemRegion *> Explicits,
1986f71b09d7575db927c132c916484b0570420f30dmikesamuel                                 ArrayRef<const MemRegion *> Regions,
1996f71b09d7575db927c132c916484b0570420f30dmikesamuel                                 const CallOrObjCMessage *Call) {
2006f71b09d7575db927c132c916484b0570420f30dmikesamuel  return getCheckerManager().runCheckersForRegionChanges(state, invalidated,
2016f71b09d7575db927c132c916484b0570420f30dmikesamuel                                                      Explicits, Regions, Call);
202D(Aj�BѠ�C�Q.[��>RQ�}
2036f71b09d7575db927c132c916484b0570420f30dmikesamuel
204kP��}:f���(N�(void ExprEngine::printState(raw_ostream &Out, ProgramStateRef State,
2056f71b09d7575db927c132c916484b0570420f30dmikesamuel                            const char *NL, const char *Sep) {
2066f71b09d7575db927c132c916484b0570420f30dmikesamuel  getCheckerManager().runCheckersForPrintState(Out, State, NL, Sep);
2076f71b09d7575db927c132c916484b0570420f30dmikesamuel}
208U�!E�
2096f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::processEndWorklist(bool hasWorkRemaining) {
2105��!�M%߂��HGW�!�O��^��L�h���w;����'l$�ѝ[�UA$Su��PO(�]|  getCheckerManager().runCheckersForEndAnalysis(G, BR, *this);
2116f71b09d7575db927c132c916484b0570420f30dmikesamuel}
2126f71b09d7575db927c132c916484b0570420f30dmikesamuel
2136f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::processCFGElement(const CFGElement E, ExplodedNode *Pred,
2146f71b09d7575db927c132c916484b0570420f30dmikesamuel                                   unsigned StmtIdx, NodeBuilderContext *Ctx) {
215q]��ki�G.C�.�.Z  currentStmtIdx = StmtIdx;
2166f71b09d7575db927c132c916484b0570420f30dmikesamuel  currentBuilderContext = Ctx;
2176f71b09d7575db927c132c916484b0570420f30dmikesamuel
2186f71b09d7575db927c132c916484b0570420f30dmikesamuel  switch (E.getKind()) {
2196f71b09d7575db927c132c916484b0570420f30dmikesamuel    case CFGElement::Invalid:
2206f71b09d7575db927c132c916484b0570420f30dmikesamuel      llvm_unreachable("Unexpected CFGElement kind.");
2216f71b09d7575db927c132c916484b0570420f30dmikesamuel    case CFGElement::Statement:
222c4���a�{E<{���#��JPن�#Zz�p�����?����@cB�e��*      ProcessStmt(const_cast<Stmt*>(E.getAs<CFGStmt>()->getStmt()), Pred);
2231��J���+��Z�      return;
224zMѣ&��    case CFGElement::Initializer:
2256f71b09d7575db927c132c916484b0570420f30dmikesamuel      ProcessInitializer(E.getAs<CFGInitializer>()->getInitializer(), Pred);
2266f71b09d7575db927c132c916484b0570420f30dmikesamuel      return;
227qC�Dܸ�;���sf�~|�����D�ĉ�&��K/��WBYh�b'�I�BU���+F����    case CFGElement::AutomaticObjectDtor:
2286f71b09d7575db927c132c916484b0570420f30dmikesamuel    case CFGElement::BaseDtor:
2296f71b09d7575db927c132c916484b0570420f30dmikesamuel    case CFGElement::MemberDtor:
2306f71b09d7575db927c132c916484b0570420f30dmikesamuel    case CFGElement::TemporaryDtor:
2316f71b09d7575db927c132c916484b0570420f30dmikesamuel      ProcessImplicitDtor(*E.getAs<CFGImplicitDtor>(), Pred);
2326f71b09d7575db927c132c916484b0570420f30dmikesamuel      return;
2336f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
2346f71b09d7575db927c132c916484b0570420f30dmikesamuel}
2356f71b09d7575db927c132c916484b0570420f30dmikesamuel
2366f71b09d7575db927c132c916484b0570420f30dmikesamuelstatic bool shouldRemoveDeadBindings(AnalysisManager &AMgr,
2376f71b09d7575db927c132c916484b0570420f30dmikesamuel                                     const CFGStmt S,
2386f71b09d7575db927c132c916484b0570420f30dmikesamuel                                     const ExplodedNode *Pred,
2396f71b09d7575db927c132c916484b0570420f30dmikesamuel                                     const LocationContext *LC) {
2406f71b09d7575db927c132c916484b0570420f30dmikesamuel
241T�X�`K�/�z�  // Are we never purging state values?
2426f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (AMgr.getPurgeMode() == PurgeNone)
2436f71b09d7575db927c132c916484b0570420f30dmikesamuel    return false;
244G*�uc���S��i����gq*�c����-lo��P��*٢?)�擐N��n�~��vZ�;�ҦC�������S���U	V�i��q����\�E���CY��k	/
2456f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Is this the beginning of a basic block?
2466f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (isa<BlockEntrance>(Pred->getLocation()))
2476f71b09d7575db927c132c916484b0570420f30dmikesamuel    return true;
2480��PK
2496f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Is this on a non-expression?
2506f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (!isa<Expr>(S.getStmt()))
2516f71b09d7575db927c132c916484b0570420f30dmikesamuel    return true;
2526f71b09d7575db927c132c916484b0570420f30dmikesamuel
2536f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Run before processing a call.
2546f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (isa<CallExpr>(S.getStmt()))
2556f71b09d7575db927c132c916484b0570420f30dmikesamuel    return true;
2566f71b09d7575db927c132c916484b0570420f30dmikesamuel
2576f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Is this an expression that is consumed by another expression?  If so,
2586f71b09d7575db927c132c916484b0570420f30dmikesamuel  // postpone cleaning out the state.
2596f71b09d7575db927c132c916484b0570420f30dmikesamuel  ParentMap &PM = LC->getAnalysisDeclContext()->getParentMap();
2606f71b09d7575db927c132c916484b0570420f30dmikesamuel  return !PM.isConsumedExpr(cast<Expr>(S.getStmt()));
2616f71b09d7575db927c132c916484b0570420f30dmikesamuel}
2626f71b09d7575db927c132c916484b0570420f30dmikesamuel
2636f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::ProcessStmt(const CFGStmt S,
264Ay�                             ExplodedNode *Pred) {
265Z�m�HkDG!��&jvQX���C�h}:Eh�AYNj  // Reclaim any unnecessary nodes in the ExplodedGraph.
2666f71b09d7575db927c132c916484b0570420f30dmikesamuel  G.reclaimRecentlyAllocatedNodes();
267R�ԃw!�G���ۥ*�@%�S,�����
268S  currentStmt = S.getStmt();
2696f71b09d7575db927c132c916484b0570420f30dmikesamuel  PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
2706f71b09d7575db927c132c916484b0570420f30dmikesamuel                                currentStmt->getLocStart(),
2716f71b09d7575db927c132c916484b0570420f30dmikesamuel                                "Error evaluating statement");
272d^WSRZ
273gݮ[  EntryNode = Pred;
2746f71b09d7575db927c132c916484b0570420f30dmikesamuel
2756f71b09d7575db927c132c916484b0570420f30dmikesamuel  ProgramStateRef EntryState = EntryNode->getState();
276a�​�  CleanedState = EntryState;
2776f71b09d7575db927c132c916484b0570420f30dmikesamuel
278U?]�  // Create the cleaned state.
2796f71b09d7575db927c132c916484b0570420f30dmikesamuel  const LocationContext *LC = EntryNode->getLocationContext();
2806f71b09d7575db927c132c916484b0570420f30dmikesamuel  SymbolReaper SymReaper(LC, currentStmt, SymMgr, getStoreManager());
2816f71b09d7575db927c132c916484b0570420f30dmikesamuel
2826f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (shouldRemoveDeadBindings(AMgr, S, Pred, LC)) {
2836f71b09d7575db927c132c916484b0570420f30dmikesamuel    NumRemoveDeadBindings++;
2846f71b09d7575db927c132c916484b0570420f30dmikesamuel    getCheckerManager().runCheckersForLiveSymbols(CleanedState, SymReaper);
285EN�*�jb �)�H�X��&�A[h�CN�>N�h����<
286x���=��@��oX<��C<����~ +�    const StackFrameContext *SFC = LC->getCurrentStackFrame();
2876f71b09d7575db927c132c916484b0570420f30dmikesamuel
2886f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Create a state in which dead bindings are removed from the environment
2897�w�@f�F�!<    // and the store. TODO: The function should just return new env and store,
2906f71b09d7575db927c132c916484b0570420f30dmikesamuel    // not a new state.
2916f71b09d7575db927c132c916484b0570420f30dmikesamuel    CleanedState = StateMgr.removeDeadBindings(CleanedState, SFC, SymReaper);
2926f71b09d7575db927c132c916484b0570420f30dmikesamuel  } else {
2936f71b09d7575db927c132c916484b0570420f30dmikesamuel    NumRemoveDeadBindingsSkipped++;
2946f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
295MЌ����(�\�(x�K��/�]��n
2966f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Process any special transfer function for dead symbols.
2976f71b09d7575db927c132c916484b0570420f30dmikesamuel  ExplodedNodeSet Tmp;
2986f71b09d7575db927c132c916484b0570420f30dmikesamuel  // A tag to track convenience transitions, which can be removed at cleanup.
2996f71b09d7575db927c132c916484b0570420f30dmikesamuel  static SimpleProgramPointTag cleanupTag("ExprEngine : Clean Node");
3006f71b09d7575db927c132c916484b0570420f30dmikesamuel
3016f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (!SymReaper.hasDeadSymbols()) {
3026f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Generate a CleanedNode that has the environment and store cleaned
303nSy�"�����    // up. Since no symbols are dead, we can optimize and not clean out
3046f71b09d7575db927c132c916484b0570420f30dmikesamuel    // the constraint manager.
3056f71b09d7575db927c132c916484b0570420f30dmikesamuel    StmtNodeBuilder Bldr(Pred, Tmp, *currentBuilderContext);
3063�Cke�    Bldr.generateNode(currentStmt, EntryNode, CleanedState, false, &cleanupTag);
307D#o`
3081�(��p��K������M�S���GRB��  } else {
3096f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Call checkers with the non-cleaned state so that they could query the
310cb��B��� �!�z	��!��PK    // values of the soon to be dead symbols.
3116f71b09d7575db927c132c916484b0570420f30dmikesamuel    ExplodedNodeSet CheckedSet;
312be�{Q$�A��D���ǡ;�P�BW�!we�����/�ƪ�@��'�t�!����`�]��'#q    getCheckerManager().runCheckersForDeadSymbols(CheckedSet, EntryNode,
3136f71b09d7575db927c132c916484b0570420f30dmikesamuel                                                 SymReaper, currentStmt, *this);
3146f71b09d7575db927c132c916484b0570420f30dmikesamuel
3156f71b09d7575db927c132c916484b0570420f30dmikesamuel    // For each node in CheckedSet, generate CleanedNodes that have the
3166f71b09d7575db927c132c916484b0570420f30dmikesamuel    // environment, the store, and the constraints cleaned up but have the
317d���p��L�ꘀ�qC�M�q|��—:n���    // user-supplied states as the predecessors.
3186f71b09d7575db927c132c916484b0570420f30dmikesamuel    StmtNodeBuilder Bldr(CheckedSet, Tmp, *currentBuilderContext);
3196f71b09d7575db927c132c916484b0570420f30dmikesamuel    for (ExplodedNodeSet::const_iterator
3206f71b09d7575db927c132c916484b0570420f30dmikesamuel          I = CheckedSet.begin(), E = CheckedSet.end(); I != E; ++I) {
3216f71b09d7575db927c132c916484b0570420f30dmikesamuel      ProgramStateRef CheckerState = (*I)->getState();
3226f71b09d7575db927c132c916484b0570420f30dmikesamuel
3236f71b09d7575db927c132c916484b0570420f30dmikesamuel      // The constraint manager has not been cleaned up yet, so clean up now.
3246f71b09d7575db927c132c916484b0570420f30dmikesamuel      CheckerState = getConstraintManager().removeDeadBindings(CheckerState,
3256f71b09d7575db927c132c916484b0570420f30dmikesamuel                                                               SymReaper);
3266f71b09d7575db927c132c916484b0570420f30dmikesamuel
3276f71b09d7575db927c132c916484b0570420f30dmikesamuel      assert(StateMgr.haveEqualEnvironments(CheckerState, EntryState) &&
3286f71b09d7575db927c132c916484b0570420f30dmikesamuel        "Checkers are not allowed to modify the Environment as a part of "
3296f71b09d7575db927c132c916484b0570420f30dmikesamuel        "checkDeadSymbols processing.");
3306f71b09d7575db927c132c916484b0570420f30dmikesamuel      assert(StateMgr.haveEqualStores(CheckerState, EntryState) &&
331xbn8˯QQ��j�pʕ�Ⱦ�Au%        "Checkers are not allowed to modify the Store as a part of "
3326f71b09d7575db927c132c916484b0570420f30dmikesamuel        "checkDeadSymbols processing.");
333zv��P�T�K����������
3346f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Create a state based on CleanedState with CheckerState GDM and
3356f71b09d7575db927c132c916484b0570420f30dmikesamuel      // generate a transition to that state.
3366f71b09d7575db927c132c916484b0570420f30dmikesamuel      ProgramStateRef CleanedCheckerSt =
3376f71b09d7575db927c132c916484b0570420f30dmikesamuel        StateMgr.getPersistentStateWithGDM(CleanedState, CheckerState);
3386f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.generateNode(currentStmt, *I, CleanedCheckerSt, false, &cleanupTag,
3396f71b09d7575db927c132c916484b0570420f30dmikesamuel                        ProgramPoint::PostPurgeDeadSymbolsKind);
340R��\�y+�z�������n�	:����=�.R    }
3416f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
3426f71b09d7575db927c132c916484b0570420f30dmikesamuel
343F,�r�zm/j�G���$��  ExplodedNodeSet Dst;
3446f71b09d7575db927c132c916484b0570420f30dmikesamuel  for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) {
3456f71b09d7575db927c132c916484b0570420f30dmikesamuel    ExplodedNodeSet DstI;
3466f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Visit the statement.
3476f71b09d7575db927c132c916484b0570420f30dmikesamuel    Visit(currentStmt, *I, DstI);
3486f71b09d7575db927c132c916484b0570420f30dmikesamuel    Dst.insert(DstI);
349Na��U.  }
3506f71b09d7575db927c132c916484b0570420f30dmikesamuel
3516f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Enqueue the new nodes onto the work list.
352i\b~J�  Engine.enqueue(Dst, currentBuilderContext->getBlock(), currentStmtIdx);
3536f71b09d7575db927c132c916484b0570420f30dmikesamuel
3546f71b09d7575db927c132c916484b0570420f30dmikesamuel  // NULL out these variables to cleanup.
3556f71b09d7575db927c132c916484b0570420f30dmikesamuel  CleanedState = NULL;
3566f71b09d7575db927c132c916484b0570420f30dmikesamuel  EntryNode = NULL;
3576f71b09d7575db927c132c916484b0570420f30dmikesamuel  currentStmt = 0;
3586f71b09d7575db927c132c916484b0570420f30dmikesamuel}
3596f71b09d7575db927c132c916484b0570420f30dmikesamuel
3606f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::ProcessInitializer(const CFGInitializer Init,
3616f71b09d7575db927c132c916484b0570420f30dmikesamuel                                    ExplodedNode *Pred) {
3626f71b09d7575db927c132c916484b0570420f30dmikesamuel  ExplodedNodeSet Dst;
3636f71b09d7575db927c132c916484b0570420f30dmikesamuel
364M�w&���/w�ܹ���;������  // We don't set EntryNode and currentStmt. And we don't clean up state.
365M+�m+sd�  const CXXCtorInitializer *BMI = Init.getInitializer();
366S0iem��R�/�W%_ȯ���ESp�`  const StackFrameContext *stackFrame =
3676f71b09d7575db927c132c916484b0570420f30dmikesamuel                           cast<StackFrameContext>(Pred->getLocationContext());
3686f71b09d7575db927c132c916484b0570420f30dmikesamuel  const CXXConstructorDecl *decl =
3696f71b09d7575db927c132c916484b0570420f30dmikesamuel                           cast<CXXConstructorDecl>(stackFrame->getDecl());
3706f71b09d7575db927c132c916484b0570420f30dmikesamuel  const CXXThisRegion *thisReg = getCXXThisRegion(decl, stackFrame);
3716f71b09d7575db927c132c916484b0570420f30dmikesamuel
3726f71b09d7575db927c132c916484b0570420f30dmikesamuel  SVal thisVal = Pred->getState()->getSVal(thisReg);
3736f71b09d7575db927c132c916484b0570420f30dmikesamuel
3746f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (BMI->isAnyMemberInitializer()) {
375Xe    // Evaluate the initializer.
376Ih�„I
377EX� ;��    StmtNodeBuilder Bldr(Pred, Dst, *currentBuilderContext);
3786f71b09d7575db927c132c916484b0570420f30dmikesamuel    ProgramStateRef state = Pred->getState();
3796f71b09d7575db927c132c916484b0570420f30dmikesamuel
380hK��a��Y�c���}����'����F�    const FieldDecl *FD = BMI->getAnyMember();
3816f71b09d7575db927c132c916484b0570420f30dmikesamuel
382oTn������x`�pR��b)    SVal FieldLoc = state->getLValue(FD, thisVal);
383wߪ�x    SVal InitVal = state->getSVal(BMI->getInit(), Pred->getLocationContext());
384_���\X*$���E����I.    state = state->bindLoc(FieldLoc, InitVal);
3856f71b09d7575db927c132c916484b0570420f30dmikesamuel
3866f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Use a custom node building process.
3876f71b09d7575db927c132c916484b0570420f30dmikesamuel    PostInitializer PP(BMI, stackFrame);
3886f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Builder automatically add the generated node to the deferred set,
3896f71b09d7575db927c132c916484b0570420f30dmikesamuel    // which are processed in the builder's dtor.
390T    Bldr.generateNode(PP, Pred, state);
3916f71b09d7575db927c132c916484b0570420f30dmikesamuel  } else {
392TY�V�l!�*��D���tq��H�ʼn}�q�}Ԁ�..�"���    assert(BMI->isBaseInitializer());
3936f71b09d7575db927c132c916484b0570420f30dmikesamuel
39476V�W�=�ս:;�pqd���-	��>q��*��؁�`ag��b[�����v:{uVM�֝�Btjq�O'	xH;t�!:U�S�py�[<��=:�*�    // Get the base class declaration.
395j7�u��y�y\!    const CXXConstructExpr *ctorExpr = cast<CXXConstructExpr>(BMI->getInit());
3966f71b09d7575db927c132c916484b0570420f30dmikesamuel
3976f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Create the base object region.
398prhU����$    SVal baseVal =
3996f71b09d7575db927c132c916484b0570420f30dmikesamuel        getStoreManager().evalDerivedToBase(thisVal, ctorExpr->getType());
4006f71b09d7575db927c132c916484b0570420f30dmikesamuel    const MemRegion *baseReg = baseVal.getAsRegion();
4016f71b09d7575db927c132c916484b0570420f30dmikesamuel    assert(baseReg);
4026f71b09d7575db927c132c916484b0570420f30dmikesamuel
4036f71b09d7575db927c132c916484b0570420f30dmikesamuel    VisitCXXConstructExpr(ctorExpr, baseReg, Pred, Dst);
4046f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
4056f71b09d7575db927c132c916484b0570420f30dmikesamuel
4066f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Enqueue the new nodes onto the work list.
4076f71b09d7575db927c132c916484b0570420f30dmikesamuel  Engine.enqueue(Dst, currentBuilderContext->getBlock(), currentStmtIdx);
408KetW:�A��Ԭ]�u��A	��NL���Sa�iP�`�{-��"v��C���v)}
4096f71b09d7575db927c132c916484b0570420f30dmikesamuel
4106f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::ProcessImplicitDtor(const CFGImplicitDtor D,
4116f71b09d7575db927c132c916484b0570420f30dmikesamuel                                     ExplodedNode *Pred) {
4126f71b09d7575db927c132c916484b0570420f30dmikesamuel  ExplodedNodeSet Dst;
4136f71b09d7575db927c132c916484b0570420f30dmikesamuel  switch (D.getKind()) {
4146f71b09d7575db927c132c916484b0570420f30dmikesamuel  case CFGElement::AutomaticObjectDtor:
4156f71b09d7575db927c132c916484b0570420f30dmikesamuel    ProcessAutomaticObjDtor(cast<CFGAutomaticObjDtor>(D), Pred, Dst);
4166f71b09d7575db927c132c916484b0570420f30dmikesamuel    break;
4176f71b09d7575db927c132c916484b0570420f30dmikesamuel  case CFGElement::BaseDtor:
4186f71b09d7575db927c132c916484b0570420f30dmikesamuel    ProcessBaseDtor(cast<CFGBaseDtor>(D), Pred, Dst);
4196f71b09d7575db927c132c916484b0570420f30dmikesamuel    break;
4206f71b09d7575db927c132c916484b0570420f30dmikesamuel  case CFGElement::MemberDtor:
4216f71b09d7575db927c132c916484b0570420f30dmikesamuel    ProcessMemberDtor(cast<CFGMemberDtor>(D), Pred, Dst);
4226f71b09d7575db927c132c916484b0570420f30dmikesamuel    break;
4236f71b09d7575db927c132c916484b0570420f30dmikesamuel  case CFGElement::TemporaryDtor:
4246f71b09d7575db927c132c916484b0570420f30dmikesamuel    ProcessTemporaryDtor(cast<CFGTemporaryDtor>(D), Pred, Dst);
4256f71b09d7575db927c132c916484b0570420f30dmikesamuel    break;
4266f71b09d7575db927c132c916484b0570420f30dmikesamuel  default:
4276f71b09d7575db927c132c916484b0570420f30dmikesamuel    llvm_unreachable("Unexpected dtor kind.");
4286f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
4296f71b09d7575db927c132c916484b0570420f30dmikesamuel
4301&�  // Enqueue the new nodes onto the work list.
4316f71b09d7575db927c132c916484b0570420f30dmikesamuel  Engine.enqueue(Dst, currentBuilderContext->getBlock(), currentStmtIdx);
4326f71b09d7575db927c132c916484b0570420f30dmikesamuel}
4336f71b09d7575db927c132c916484b0570420f30dmikesamuel
4346f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::ProcessAutomaticObjDtor(const CFGAutomaticObjDtor Dtor,
435u�l��ކ�EO�bK�PΘ,YC��                                         ExplodedNode *Pred,
4366f71b09d7575db927c132c916484b0570420f30dmikesamuel                                         ExplodedNodeSet &Dst) {
437T��	:  ProgramStateRef state = Pred->getState();
4386f71b09d7575db927c132c916484b0570420f30dmikesamuel  const VarDecl *varDecl = Dtor.getVarDecl();
4396f71b09d7575db927c132c916484b0570420f30dmikesamuel
440i�EQ��  QualType varType = varDecl->getType();
4416f71b09d7575db927c132c916484b0570420f30dmikesamuel
4426f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (const ReferenceType *refType = varType->getAs<ReferenceType>())
4436f71b09d7575db927c132c916484b0570420f30dmikesamuel    varType = refType->getPointeeType();
4446f71b09d7575db927c132c916484b0570420f30dmikesamuel
4456f71b09d7575db927c132c916484b0570420f30dmikesamuel  const CXXRecordDecl *recordDecl = varType->getAsCXXRecordDecl();
446F  assert(recordDecl && "get CXXRecordDecl fail");
447ad  const CXXDestructorDecl *dtorDecl = recordDecl->getDestructor();
4486f71b09d7575db927c132c916484b0570420f30dmikesamuel
4494���_��#lļ��)�~�(#��v�鬶MG��oض�δ,�M���ԳV���޽�å;BE�  Loc dest = state->getLValue(varDecl, Pred->getLocationContext());
450Xr��E���hNV�J
4516f71b09d7575db927c132c916484b0570420f30dmikesamuel  VisitCXXDestructor(dtorDecl, cast<loc::MemRegionVal>(dest).getRegion(),
4526f71b09d7575db927c132c916484b0570420f30dmikesamuel                     Dtor.getTriggerStmt(), Pred, Dst);
4536f71b09d7575db927c132c916484b0570420f30dmikesamuel}
4546f71b09d7575db927c132c916484b0570420f30dmikesamuel
4556f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::ProcessBaseDtor(const CFGBaseDtor D,
4566f71b09d7575db927c132c916484b0570420f30dmikesamuel                                 ExplodedNode *Pred, ExplodedNodeSet &Dst) {}
4576f71b09d7575db927c132c916484b0570420f30dmikesamuel
4586f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::ProcessMemberDtor(const CFGMemberDtor D,
459R�/�X"�/���^��_R��*^���p/                                   ExplodedNode *Pred, ExplodedNodeSet &Dst) {}
4606f71b09d7575db927c132c916484b0570420f30dmikesamuel
4616f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::ProcessTemporaryDtor(const CFGTemporaryDtor D,
4626f71b09d7575db927c132c916484b0570420f30dmikesamuel                                      ExplodedNode *Pred,
4636f71b09d7575db927c132c916484b0570420f30dmikesamuel                                      ExplodedNodeSet &Dst) {}
4646f71b09d7575db927c132c916484b0570420f30dmikesamuel
4656f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::Visit(const Stmt *S, ExplodedNode *Pred,
466E}�� �˄�t�n�����r��R��*�~l�~                       ExplodedNodeSet &DstTop) {
4676f71b09d7575db927c132c916484b0570420f30dmikesamuel  PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
4686f71b09d7575db927c132c916484b0570420f30dmikesamuel                                S->getLocStart(),
4696f71b09d7575db927c132c916484b0570420f30dmikesamuel                                "Error evaluating statement");
4706f71b09d7575db927c132c916484b0570420f30dmikesamuel  ExplodedNodeSet Dst;
471_G�  StmtNodeBuilder Bldr(Pred, DstTop, *currentBuilderContext);
4726pzmD�gT���,^c
4736f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Expressions to ignore.
474p؊  if (const Expr *Ex = dyn_cast<Expr>(S))
4756f71b09d7575db927c132c916484b0570420f30dmikesamuel    S = Ex->IgnoreParens();
4766f71b09d7575db927c132c916484b0570420f30dmikesamuel
4776f71b09d7575db927c132c916484b0570420f30dmikesamuel  // FIXME: add metadata to the CFG so that we can disable
4786f71b09d7575db927c132c916484b0570420f30dmikesamuel  //  this check when we KNOW that there is no block-level subexpression.
4796f71b09d7575db927c132c916484b0570420f30dmikesamuel  //  The motivation is that this check requires a hashtable lookup.
4806f71b09d7575db927c132c916484b0570420f30dmikesamuel
481j��$�K�ZE�"�.�c�#�  if (S != currentStmt && Pred->getLocationContext()->getCFG()->isBlkExpr(S))
4826f71b09d7575db927c132c916484b0570420f30dmikesamuel    return;
4836f71b09d7575db927c132c916484b0570420f30dmikesamuel
4846f71b09d7575db927c132c916484b0570420f30dmikesamuel  switch (S->getStmtClass()) {
4853��<{�޽��e|K��    // C++ and ARC stuff we don't support yet.
4866f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Expr::ObjCIndirectCopyRestoreExprClass:
4876f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXDependentScopeMemberExprClass:
488qd�b����}    case Stmt::CXXPseudoDestructorExprClass:
4896f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXTryStmtClass:
4906f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXTypeidExprClass:
4916f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXUuidofExprClass:
4926f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXUnresolvedConstructExprClass:
4936f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXScalarValueInitExprClass:
4946f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::DependentScopeDeclRefExprClass:
4956f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::UnaryTypeTraitExprClass:
4966f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::BinaryTypeTraitExprClass:
4976f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::TypeTraitExprClass:
498z���ܚ�P?vk�ǞI��I�b�b    case Stmt::ArrayTypeTraitExprClass:
499T��������~�.�    case Stmt::ExpressionTraitExprClass:
5006f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::UnresolvedLookupExprClass:
501t    case Stmt::UnresolvedMemberExprClass:
5026f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXNoexceptExprClass:
5036f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::PackExpansionExprClass:
5046f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::SubstNonTypeTemplateParmPackExprClass:
5056f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::SEHTryStmtClass:
5066f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::SEHExceptStmtClass:
5076f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::LambdaExprClass:
5086f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::SEHFinallyStmtClass: {
5096f71b09d7575db927c132c916484b0570420f30dmikesamuel      const ExplodedNode *node = Bldr.generateNode(S, Pred, Pred->getState(),
5106f71b09d7575db927c132c916484b0570420f30dmikesamuel                                                   /* sink */ true);
5116f71b09d7575db927c132c916484b0570420f30dmikesamuel      Engine.addAbortedBlock(node, currentBuilderContext->getBlock());
5126f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
5136f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
5146f71b09d7575db927c132c916484b0570420f30dmikesamuel
5156f71b09d7575db927c132c916484b0570420f30dmikesamuel    // We don't handle default arguments either yet, but we can fake it
5166f71b09d7575db927c132c916484b0570420f30dmikesamuel    // for now by just skipping them.
517R�-    case Stmt::SubstNonTypeTemplateParmExprClass:
5186f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXDefaultArgExprClass:
5196f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
5206f71b09d7575db927c132c916484b0570420f30dmikesamuel
5216f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ParenExprClass:
5226f71b09d7575db927c132c916484b0570420f30dmikesamuel      llvm_unreachable("ParenExprs already handled.");
5236f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::GenericSelectionExprClass:
5246f71b09d7575db927c132c916484b0570420f30dmikesamuel      llvm_unreachable("GenericSelectionExprs already handled.");
5256f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Cases that should never be evaluated simply because they shouldn't
5266f71b09d7575db927c132c916484b0570420f30dmikesamuel    // appear in the CFG.
527zU��/�Y*��RD��Ȥ�D ����&    case Stmt::BreakStmtClass:
5286f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CaseStmtClass:
5296f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CompoundStmtClass:
5306f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ContinueStmtClass:
5316f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXForRangeStmtClass:
5326f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::DefaultStmtClass:
5336f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::DoStmtClass:
5346f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ForStmtClass:
535FӉ    case Stmt::GotoStmtClass:
5364~�����    case Stmt::IfStmtClass:
5376f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::IndirectGotoStmtClass:
5386f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::LabelStmtClass:
5396f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::NoStmtClass:
5406f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::NullStmtClass:
5416f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::SwitchStmtClass:
5426f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::WhileStmtClass:
543l    case Expr::MSDependentExistsStmtClass:
5446f71b09d7575db927c132c916484b0570420f30dmikesamuel      llvm_unreachable("Stmt should not be in analyzer evaluation loop");
5456f71b09d7575db927c132c916484b0570420f30dmikesamuel
5466f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::GNUNullExprClass: {
5476f71b09d7575db927c132c916484b0570420f30dmikesamuel      // GNU __null is a pointer-width integer, not an actual pointer.
5486f71b09d7575db927c132c916484b0570420f30dmikesamuel      ProgramStateRef state = Pred->getState();
5496f71b09d7575db927c132c916484b0570420f30dmikesamuel      state = state->BindExpr(S, Pred->getLocationContext(),
5506f71b09d7575db927c132c916484b0570420f30dmikesamuel                              svalBuilder.makeIntValWithPtrWidth(0, false));
5516f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.generateNode(S, Pred, state);
5526f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
5536f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
5546f71b09d7575db927c132c916484b0570420f30dmikesamuel
5556f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ObjCAtSynchronizedStmtClass:
5566f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
557zn�=Z��"X�}�C�l�e�Z|      VisitObjCAtSynchronizedStmt(cast<ObjCAtSynchronizedStmt>(S), Pred, Dst);
5586f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
5596f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
5606f71b09d7575db927c132c916484b0570420f30dmikesamuel
5616f71b09d7575db927c132c916484b0570420f30dmikesamuel    // FIXME.
5626f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ObjCSubscriptRefExprClass:
5636f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
5646f71b09d7575db927c132c916484b0570420f30dmikesamuel
5656f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ObjCPropertyRefExprClass:
5666f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Implicitly handled by Environment::getSVal().
5676f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
5686f71b09d7575db927c132c916484b0570420f30dmikesamuel
5696f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ImplicitValueInitExprClass: {
5706f71b09d7575db927c132c916484b0570420f30dmikesamuel      ProgramStateRef state = Pred->getState();
5716f71b09d7575db927c132c916484b0570420f30dmikesamuel      QualType ty = cast<ImplicitValueInitExpr>(S)->getType();
5726f71b09d7575db927c132c916484b0570420f30dmikesamuel      SVal val = svalBuilder.makeZeroVal(ty);
5736f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.generateNode(S, Pred, state->BindExpr(S, Pred->getLocationContext(),
5746f71b09d7575db927c132c916484b0570420f30dmikesamuel                                                 val));
5756f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
5766f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
5776f71b09d7575db927c132c916484b0570420f30dmikesamuel
5786f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ExprWithCleanupsClass:
5796f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Handled due to fully linearised CFG.
5806f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
5816f71b09d7575db927c132c916484b0570420f30dmikesamuel
5826f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Cases not handled yet; but will handle some day.
5836f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::DesignatedInitExprClass:
5846f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ExtVectorElementExprClass:
585Tè�Kce->�H��F}��ä�\��cf���ӎK��	{��?q���]�"�    case Stmt::ImaginaryLiteralClass:
5866f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ObjCAtCatchStmtClass:
5876f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ObjCAtFinallyStmtClass:
5888��	k]q��̽�Y�d���    case Stmt::ObjCAtTryStmtClass:
5896f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ObjCAutoreleasePoolStmtClass:
5906f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ObjCEncodeExprClass:
5916f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ObjCIsaExprClass:
5926f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ObjCProtocolExprClass:
593N;�{�T��    case Stmt::ObjCSelectorExprClass:
5946f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Expr::ObjCNumericLiteralClass:
5956f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ParenListExprClass:
5966f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::PredefinedExprClass:
5976f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ShuffleVectorExprClass:
5986f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::VAArgExprClass:
599R�P+�KI� �:�    case Stmt::CUDAKernelCallExprClass:
6006f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::OpaqueValueExprClass:
6016f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::AsTypeExprClass:
6026f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::AtomicExprClass:
6036f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Fall through.
6046f71b09d7575db927c132c916484b0570420f30dmikesamuel
6056f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Currently all handling of 'throw' just falls to the CFG.  We
6066f71b09d7575db927c132c916484b0570420f30dmikesamuel    // can consider doing more if necessary.
6076f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXThrowExprClass:
6086f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Fall through.
6096f71b09d7575db927c132c916484b0570420f30dmikesamuel
6106f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Cases we intentionally don't evaluate, since they don't need
611T~��Ȋ��A������w��    // to be explicitly evaluated.
6126f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::AddrLabelExprClass:
6136f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::IntegerLiteralClass:
6146f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CharacterLiteralClass:
6156f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXBoolLiteralExprClass:
616rˆ�����e��Bl�YG�Q�J�*ƈUFרcȋ�S�PvAG�VY�~G��Q�����Qk~A@�p�+X    case Stmt::ObjCBoolLiteralExprClass:
6176f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::FloatingLiteralClass:
6186f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::SizeOfPackExprClass:
6196f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::StringLiteralClass:
6206f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ObjCStringLiteralClass:
621o��f�!�EN�ϛ��e�j�#���{=A�mO����+Dy�#�    case Stmt::CXXBindTemporaryExprClass:
6226f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXNullPtrLiteralExprClass: {
6236f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
6246f71b09d7575db927c132c916484b0570420f30dmikesamuel      ExplodedNodeSet preVisit;
6256f71b09d7575db927c132c916484b0570420f30dmikesamuel      getCheckerManager().runCheckersForPreStmt(preVisit, Pred, S, *this);
6266f71b09d7575db927c132c916484b0570420f30dmikesamuel      getCheckerManager().runCheckersForPostStmt(Dst, preVisit, S, *this);
6276f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
628zǾ@a��DAM�.��]���L[�c��y���@�m���Ou��׋%U�>L��      break;
629SVfQ:G    }
6306f71b09d7575db927c132c916484b0570420f30dmikesamuel
6316f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Expr::ObjCArrayLiteralClass:
6326f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Expr::ObjCDictionaryLiteralClass: {
633CH�*�e>��@�v      Bldr.takeNodes(Pred);
6346f71b09d7575db927c132c916484b0570420f30dmikesamuel
6356f71b09d7575db927c132c916484b0570420f30dmikesamuel      ExplodedNodeSet preVisit;
636NnAl�A�J�H�.|[!�"�K� %A�CAI{T�����#���[�      getCheckerManager().runCheckersForPreStmt(preVisit, Pred, S, *this);
6376f71b09d7575db927c132c916484b0570420f30dmikesamuel
6386f71b09d7575db927c132c916484b0570420f30dmikesamuel      // FIXME: explicitly model with a region and the actual contents
6396f71b09d7575db927c132c916484b0570420f30dmikesamuel      // of the container.  For now, conjure a symbol.
640b�L�J��d�C%�J.��T���E      ExplodedNodeSet Tmp;
6416f71b09d7575db927c132c916484b0570420f30dmikesamuel      StmtNodeBuilder Bldr2(preVisit, Tmp, *currentBuilderContext);
6426f71b09d7575db927c132c916484b0570420f30dmikesamuel
6436ңg�t�*�w      for (ExplodedNodeSet::iterator it = preVisit.begin(), et = preVisit.end();
6446f71b09d7575db927c132c916484b0570420f30dmikesamuel           it != et; ++it) {
6456f71b09d7575db927c132c916484b0570420f30dmikesamuel        ExplodedNode *N = *it;
6469�ˤ��z��        const Expr *Ex = cast<Expr>(S);
6476f71b09d7575db927c132c916484b0570420f30dmikesamuel        QualType resultType = Ex->getType();
6486f71b09d7575db927c132c916484b0570420f30dmikesamuel        const LocationContext *LCtx = N->getLocationContext();
6496f71b09d7575db927c132c916484b0570420f30dmikesamuel        SVal result =
6506f71b09d7575db927c132c916484b0570420f30dmikesamuel          svalBuilder.getConjuredSymbolVal(0, Ex, LCtx, resultType,
6516f71b09d7575db927c132c916484b0570420f30dmikesamuel                                 currentBuilderContext->getCurrentBlockCount());
6526f71b09d7575db927c132c916484b0570420f30dmikesamuel        ProgramStateRef state = N->getState()->BindExpr(Ex, LCtx, result);
653xL� ��_�_�@[�~��}�ſ�����AE��gក���        Bldr2.generateNode(S, N, state);
6546f71b09d7575db927c132c916484b0570420f30dmikesamuel      }
6556f71b09d7575db927c132c916484b0570420f30dmikesamuel
6566f71b09d7575db927c132c916484b0570420f30dmikesamuel      getCheckerManager().runCheckersForPostStmt(Dst, Tmp, S, *this);
6576f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
658v+��������T!�"�      break;
6596f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
6606f71b09d7575db927c132c916484b0570420f30dmikesamuel
6616f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ArraySubscriptExprClass:
6626f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
6636f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitLvalArraySubscriptExpr(cast<ArraySubscriptExpr>(S), Pred, Dst);
6646f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
6656f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
6666f71b09d7575db927c132c916484b0570420f30dmikesamuel
667J��G�Cy����    case Stmt::AsmStmtClass:
6686f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
6696f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitAsmStmt(cast<AsmStmt>(S), Pred, Dst);
6706f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
6716f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
672n����٫
6736f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::BlockExprClass:
6746f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
6756f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitBlockExpr(cast<BlockExpr>(S), Pred, Dst);
676Y�\����%$ #"�"�\��wI�      Bldr.addNodes(Dst);
6776f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
6786f71b09d7575db927c132c916484b0570420f30dmikesamuel
6796f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::BinaryOperatorClass: {
6806f71b09d7575db927c132c916484b0570420f30dmikesamuel      const BinaryOperator* B = cast<BinaryOperator>(S);
6816f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (B->isLogicalOp()) {
6826f71b09d7575db927c132c916484b0570420f30dmikesamuel        Bldr.takeNodes(Pred);
683B�R�-m�%mi���!M���R��p,,��t��\�e(���|oF��XΆÿ�����}��}�{�_|��������        VisitLogicalExpr(B, Pred, Dst);
6846f71b09d7575db927c132c916484b0570420f30dmikesamuel        Bldr.addNodes(Dst);
6856f71b09d7575db927c132c916484b0570420f30dmikesamuel        break;
6866f71b09d7575db927c132c916484b0570420f30dmikesamuel      }
6876f71b09d7575db927c132c916484b0570420f30dmikesamuel      else if (B->getOpcode() == BO_Comma) {
6886f71b09d7575db927c132c916484b0570420f30dmikesamuel        ProgramStateRef state = Pred->getState();
6896f71b09d7575db927c132c916484b0570420f30dmikesamuel        Bldr.generateNode(B, Pred,
6906f71b09d7575db927c132c916484b0570420f30dmikesamuel                          state->BindExpr(B, Pred->getLocationContext(),
6916f71b09d7575db927c132c916484b0570420f30dmikesamuel                                          state->getSVal(B->getRHS(),
6926f71b09d7575db927c132c916484b0570420f30dmikesamuel                                                  Pred->getLocationContext())));
6936f71b09d7575db927c132c916484b0570420f30dmikesamuel        break;
6946f71b09d7575db927c132c916484b0570420f30dmikesamuel      }
6956f71b09d7575db927c132c916484b0570420f30dmikesamuel
696i1Fb�}E��&/��lu��:����kv�U:l�ے)�.�,ʛ      Bldr.takeNodes(Pred);
6976f71b09d7575db927c132c916484b0570420f30dmikesamuel
6986f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (AMgr.shouldEagerlyAssume() &&
6996f71b09d7575db927c132c916484b0570420f30dmikesamuel          (B->isRelationalOp() || B->isEqualityOp())) {
7006�'��P        ExplodedNodeSet Tmp;
7016f71b09d7575db927c132c916484b0570420f30dmikesamuel        VisitBinaryOperator(cast<BinaryOperator>(S), Pred, Tmp);
7026f71b09d7575db927c132c916484b0570420f30dmikesamuel        evalEagerlyAssume(Dst, Tmp, cast<Expr>(S));
7036f71b09d7575db927c132c916484b0570420f30dmikesamuel      }
7046f71b09d7575db927c132c916484b0570420f30dmikesamuel      else
7056f71b09d7575db927c132c916484b0570420f30dmikesamuel        VisitBinaryOperator(cast<BinaryOperator>(S), Pred, Dst);
7066f71b09d7575db927c132c916484b0570420f30dmikesamuel
707Lf(_v'|��DI��	u�      Bldr.addNodes(Dst);
708y���Z�WhO�=��a��"rd�r      break;
7096f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
7106f71b09d7575db927c132c916484b0570420f30dmikesamuel
7116f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CallExprClass:
7126f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXOperatorCallExprClass:
7136f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXMemberCallExprClass:
7146f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::UserDefinedLiteralClass: {
7156f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
7161[{���@M"!QH]#������ 䇠���      VisitCallExpr(cast<CallExpr>(S), Pred, Dst);
7176f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
7186f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
7196f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
720cZYmVuf$l:=tN�Sz!!L�Kh�O̪�����򎢣�c�,�D��&R�FS����	NGS'$��
7216f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXCatchStmtClass: {
7226f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
7236f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitCXXCatchStmt(cast<CXXCatchStmt>(S), Pred, Dst);
7246f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
725e����vQ_|�!��>��A@���W/u� u�B�<�o	��,���\.!����"���ױo	r�      break;
7266f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
7276f71b09d7575db927c132c916484b0570420f30dmikesamuel
7286f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXTemporaryObjectExprClass:
7296f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXConstructExprClass: {
730E�$JU�s      const CXXConstructExpr *C = cast<CXXConstructExpr>(S);
7316f71b09d7575db927c132c916484b0570420f30dmikesamuel      // For block-level CXXConstructExpr, we don't have a destination region.
7326f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Let VisitCXXConstructExpr() create one.
7336f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
7346f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitCXXConstructExpr(C, 0, Pred, Dst);
7356f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
7366f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
7376f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
7386f71b09d7575db927c132c916484b0570420f30dmikesamuel
739t��es�b�ԑ�n���    case Stmt::CXXNewExprClass: {
7406f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
7412ځ͠      const CXXNewExpr *NE = cast<CXXNewExpr>(S);
7426f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitCXXNewExpr(NE, Pred, Dst);
7436f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
7446f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
7456f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
7466f71b09d7575db927c132c916484b0570420f30dmikesamuel
7476f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXDeleteExprClass: {
7486f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
7496f71b09d7575db927c132c916484b0570420f30dmikesamuel      const CXXDeleteExpr *CDE = cast<CXXDeleteExpr>(S);
7506f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitCXXDeleteExpr(CDE, Pred, Dst);
7516f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
7526f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
7536f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
7546f71b09d7575db927c132c916484b0570420f30dmikesamuel      // FIXME: ChooseExpr is really a constant.  We need to fix
7556f71b09d7575db927c132c916484b0570420f30dmikesamuel      //        the CFG do not model them as explicit control-flow.
756q��q?n��p�S���[D�K�%�v�����S����n
7576f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ChooseExprClass: { // __builtin_choose_expr
7586f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
7596f71b09d7575db927c132c916484b0570420f30dmikesamuel      const ChooseExpr *C = cast<ChooseExpr>(S);
7606f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitGuardedExpr(C, C->getLHS(), C->getRHS(), Pred, Dst);
7616f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
7626f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
763h��)��QI)N�e�+�u�Y�{ш    }
7646f71b09d7575db927c132c916484b0570420f30dmikesamuel
7656f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CompoundAssignOperatorClass:
7666f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
7670�vff��      VisitBinaryOperator(cast<BinaryOperator>(S), Pred, Dst);
7686f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
769q6������C[N�egg��      break;
7706f71b09d7575db927c132c916484b0570420f30dmikesamuel
7716f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CompoundLiteralExprClass:
7726f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
7736f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitCompoundLiteralExpr(cast<CompoundLiteralExpr>(S), Pred, Dst);
7746f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
7756f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
7766f71b09d7575db927c132c916484b0570420f30dmikesamuel
7774u��M�����o�M�k�%    case Stmt::BinaryConditionalOperatorClass:
7786f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ConditionalOperatorClass: { // '?' operator
7796f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
7806f71b09d7575db927c132c916484b0570420f30dmikesamuel      const AbstractConditionalOperator *C
7816f71b09d7575db927c132c916484b0570420f30dmikesamuel        = cast<AbstractConditionalOperator>(S);
7829o      VisitGuardedExpr(C, C->getTrueExpr(), C->getFalseExpr(), Pred, Dst);
7836f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
7846f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
7856f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
7866f71b09d7575db927c132c916484b0570420f30dmikesamuel
7876f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXThisExprClass:
788O�*!J�]��P�ʫ��#�+�A���uvBY ��u���I�Zwm�k�VOBvNb�'��pa',�'y];`      Bldr.takeNodes(Pred);
7896f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitCXXThisExpr(cast<CXXThisExpr>(S), Pred, Dst);
7906f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
7913�'&��>�𱨃O��q      break;
7926f71b09d7575db927c132c916484b0570420f30dmikesamuel
7936f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::DeclRefExprClass: {
7946f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
7956f71b09d7575db927c132c916484b0570420f30dmikesamuel      const DeclRefExpr *DE = cast<DeclRefExpr>(S);
7966f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitCommonDeclRefExpr(DE, DE->getDecl(), Pred, Dst);
7976f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
7986f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
7996f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
8006f71b09d7575db927c132c916484b0570420f30dmikesamuel
8016f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::DeclStmtClass:
802g.�      Bldr.takeNodes(Pred);
8036f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitDeclStmt(cast<DeclStmt>(S), Pred, Dst);
804r�D�΂����      Bldr.addNodes(Dst);
8056f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
8066f71b09d7575db927c132c916484b0570420f30dmikesamuel
8076f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ImplicitCastExprClass:
8086f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CStyleCastExprClass:
809v׆A�    case Stmt::CXXStaticCastExprClass:
8106f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXDynamicCastExprClass:
8116f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXReinterpretCastExprClass:
8126f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXConstCastExprClass:
8136f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::CXXFunctionalCastExprClass:
8146f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ObjCBridgedCastExprClass: {
815C��      Bldr.takeNodes(Pred);
8166f71b09d7575db927c132c916484b0570420f30dmikesamuel      const CastExpr *C = cast<CastExpr>(S);
817lvi��G�L��,�m      // Handle the previsit checks.
8186f71b09d7575db927c132c916484b0570420f30dmikesamuel      ExplodedNodeSet dstPrevisit;
819qq�      getCheckerManager().runCheckersForPreStmt(dstPrevisit, Pred, C, *this);
820u�zW��Lj�{+�A�
8216f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Handle the expression itself.
8226f71b09d7575db927c132c916484b0570420f30dmikesamuel      ExplodedNodeSet dstExpr;
8236f71b09d7575db927c132c916484b0570420f30dmikesamuel      for (ExplodedNodeSet::iterator i = dstPrevisit.begin(),
8246f71b09d7575db927c132c916484b0570420f30dmikesamuel                                     e = dstPrevisit.end(); i != e ; ++i) {
8256f71b09d7575db927c132c916484b0570420f30dmikesamuel        VisitCast(C, C->getSubExpr(), *i, dstExpr);
8266f71b09d7575db927c132c916484b0570420f30dmikesamuel      }
8276f71b09d7575db927c132c916484b0570420f30dmikesamuel
8286f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Handle the postvisit checks.
8296f71b09d7575db927c132c916484b0570420f30dmikesamuel      getCheckerManager().runCheckersForPostStmt(Dst, dstExpr, C, *this);
8306f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
8316f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
8326f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
8336f71b09d7575db927c132c916484b0570420f30dmikesamuel
8346f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Expr::MaterializeTemporaryExprClass: {
8356f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
8366f71b09d7575db927c132c916484b0570420f30dmikesamuel      const MaterializeTemporaryExpr *Materialize
8376f71b09d7575db927c132c916484b0570420f30dmikesamuel                                            = cast<MaterializeTemporaryExpr>(S);
8386f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (Materialize->getType()->isRecordType())
8396f71b09d7575db927c132c916484b0570420f30dmikesamuel        Dst.Add(Pred);
8406f71b09d7575db927c132c916484b0570420f30dmikesamuel      else
8416f71b09d7575db927c132c916484b0570420f30dmikesamuel        CreateCXXTemporaryObject(Materialize, Pred, Dst);
8426f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
8436f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
8446f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
8457#�>���r������� +⺌
8466f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::InitListExprClass:
8476f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
8486f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitInitListExpr(cast<InitListExpr>(S), Pred, Dst);
8496f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
8506f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
8516f71b09d7575db927c132c916484b0570420f30dmikesamuel
8526f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::MemberExprClass:
8536f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
854P      VisitMemberExpr(cast<MemberExpr>(S), Pred, Dst);
8556f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
856UUm�ͦ���f�I%jSy      break;
8576f71b09d7575db927c132c916484b0570420f30dmikesamuel
8586f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ObjCIvarRefExprClass:
859YА'�� ��      Bldr.takeNodes(Pred);
860Y���|Wy ���ˮ�����瞶Lc���A�      VisitLvalObjCIvarRefExpr(cast<ObjCIvarRefExpr>(S), Pred, Dst);
861n�t�WQ�      Bldr.addNodes(Dst);
8626f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
8636f71b09d7575db927c132c916484b0570420f30dmikesamuel
8646f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ObjCForCollectionStmtClass:
8656f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
8666f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitObjCForCollectionStmt(cast<ObjCForCollectionStmt>(S), Pred, Dst);
8676f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
8686f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
8696f71b09d7575db927c132c916484b0570420f30dmikesamuel
8706f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ObjCMessageExprClass: {
8716f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
8726f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Is this a property access?
8736f71b09d7575db927c132c916484b0570420f30dmikesamuel      const ParentMap &PM = Pred->getLocationContext()->getParentMap();
8743g�$��ELAL��      const ObjCMessageExpr *ME = cast<ObjCMessageExpr>(S);
875ev�RQ"c      bool evaluated = false;
8766f71b09d7575db927c132c916484b0570420f30dmikesamuel
8776f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (const PseudoObjectExpr *PO =
8786f71b09d7575db927c132c916484b0570420f30dmikesamuel          dyn_cast_or_null<PseudoObjectExpr>(PM.getParent(S))) {
879H        const Expr *syntactic = PO->getSyntacticForm();
880l�\��O����iM        if (const ObjCPropertyRefExpr *PR =
8816f71b09d7575db927c132c916484b0570420f30dmikesamuel              dyn_cast<ObjCPropertyRefExpr>(syntactic)) {
8826f71b09d7575db927c132c916484b0570420f30dmikesamuel          bool isSetter = ME->getNumArgs() > 0;
8836f71b09d7575db927c132c916484b0570420f30dmikesamuel          VisitObjCMessage(ObjCMessage(ME, PR, isSetter), Pred, Dst);
8846f71b09d7575db927c132c916484b0570420f30dmikesamuel          evaluated = true;
8856f71b09d7575db927c132c916484b0570420f30dmikesamuel        }
8866f71b09d7575db927c132c916484b0570420f30dmikesamuel        else if (isa<BinaryOperator>(syntactic)) {
8876f71b09d7575db927c132c916484b0570420f30dmikesamuel          VisitObjCMessage(ObjCMessage(ME, 0, true), Pred, Dst);
8886f71b09d7575db927c132c916484b0570420f30dmikesamuel        }
88966z���'�qS      }
8906f71b09d7575db927c132c916484b0570420f30dmikesamuel
8916f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (!evaluated)
8926f71b09d7575db927c132c916484b0570420f30dmikesamuel        VisitObjCMessage(ME, Pred, Dst);
8936f71b09d7575db927c132c916484b0570420f30dmikesamuel
8946f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
8956f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
896JTܠu���Hb���=Q�����H�Ώk�BۺN�m���׶�)�G�D��fi��A�A�"�PK    }
8976f71b09d7575db927c132c916484b0570420f30dmikesamuel
8986f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ObjCAtThrowStmtClass: {
8996f71b09d7575db927c132c916484b0570420f30dmikesamuel      // FIXME: This is not complete.  We basically treat @throw as
9006f71b09d7575db927c132c916484b0570420f30dmikesamuel      // an abort.
9016f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.generateNode(S, Pred, Pred->getState());
9026f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
9036f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
9046f71b09d7575db927c132c916484b0570420f30dmikesamuel
9056f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ReturnStmtClass:
9066f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
9076f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitReturnStmt(cast<ReturnStmt>(S), Pred, Dst);
9086f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
9096f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
9106f71b09d7575db927c132c916484b0570420f30dmikesamuel
9116f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::OffsetOfExprClass:
9126f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
9136f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitOffsetOfExpr(cast<OffsetOfExpr>(S), Pred, Dst);
9146f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
915yf�:      break;
9166f71b09d7575db927c132c916484b0570420f30dmikesamuel
9176f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::UnaryExprOrTypeTraitExprClass:
9186f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
9196f71b09d7575db927c132c916484b0570420f30dmikesamuel      VisitUnaryExprOrTypeTraitExpr(cast<UnaryExprOrTypeTraitExpr>(S),
9206f71b09d7575db927c132c916484b0570420f30dmikesamuel                                    Pred, Dst);
9216f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
9226f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
9236f71b09d7575db927c132c916484b0570420f30dmikesamuel
9246f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::StmtExprClass: {
9256f71b09d7575db927c132c916484b0570420f30dmikesamuel      const StmtExpr *SE = cast<StmtExpr>(S);
9266f71b09d7575db927c132c916484b0570420f30dmikesamuel
9276f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (SE->getSubStmt()->body_empty()) {
9286f71b09d7575db927c132c916484b0570420f30dmikesamuel        // Empty statement expression.
9296f71b09d7575db927c132c916484b0570420f30dmikesamuel        assert(SE->getType() == getContext().VoidTy
9306f71b09d7575db927c132c916484b0570420f30dmikesamuel               && "Empty statement expression must have void type.");
931I���Q�{)%��Nez�$���R}"I� t`_���}�        break;
9326f71b09d7575db927c132c916484b0570420f30dmikesamuel      }
9336f71b09d7575db927c132c916484b0570420f30dmikesamuel
9343�^����!W�[�\      if (Expr *LastExpr = dyn_cast<Expr>(*SE->getSubStmt()->body_rbegin())) {
9356f71b09d7575db927c132c916484b0570420f30dmikesamuel        ProgramStateRef state = Pred->getState();
9366f71b09d7575db927c132c916484b0570420f30dmikesamuel        Bldr.generateNode(SE, Pred,
9376f71b09d7575db927c132c916484b0570420f30dmikesamuel                          state->BindExpr(SE, Pred->getLocationContext(),
9386f71b09d7575db927c132c916484b0570420f30dmikesamuel                                          state->getSVal(LastExpr,
9396f71b09d7575db927c132c916484b0570420f30dmikesamuel                                                  Pred->getLocationContext())));
9406f71b09d7575db927c132c916484b0570420f30dmikesamuel      }
9416f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
9426f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
9436f71b09d7575db927c132c916484b0570420f30dmikesamuel
9446f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::UnaryOperatorClass: {
9456f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
9466f71b09d7575db927c132c916484b0570420f30dmikesamuel      const UnaryOperator *U = cast<UnaryOperator>(S);
947OT      if (AMgr.shouldEagerlyAssume() && (U->getOpcode() == UO_LNot)) {
9486f71b09d7575db927c132c916484b0570420f30dmikesamuel        ExplodedNodeSet Tmp;
9496f71b09d7575db927c132c916484b0570420f30dmikesamuel        VisitUnaryOperator(U, Pred, Tmp);
9506f71b09d7575db927c132c916484b0570420f30dmikesamuel        evalEagerlyAssume(Dst, Tmp, U);
951xb̻՗��ԙ	��GPي��a�l	�"�      }
9526f71b09d7575db927c132c916484b0570420f30dmikesamuel      else
953O�����QWC�/        VisitUnaryOperator(U, Pred, Dst);
9546f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
9556f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
9566f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
957K�@bn�<>���q�˥ ���/�
9586f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::PseudoObjectExprClass: {
9596f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.takeNodes(Pred);
9606f71b09d7575db927c132c916484b0570420f30dmikesamuel      ProgramStateRef state = Pred->getState();
961Eh9�+ؤz;���������!�g$����cJ�#a�����������~�TN��%JѰ{'=��(H��b\��V^>�h�~��vm�XH��      const PseudoObjectExpr *PE = cast<PseudoObjectExpr>(S);
962W�|�r&⑧����      if (const Expr *Result = PE->getResultExpr()) {
9636f71b09d7575db927c132c916484b0570420f30dmikesamuel        SVal V = state->getSVal(Result, Pred->getLocationContext());
9646f71b09d7575db927c132c916484b0570420f30dmikesamuel        Bldr.generateNode(S, Pred,
9656f71b09d7575db927c132c916484b0570420f30dmikesamuel                          state->BindExpr(S, Pred->getLocationContext(), V));
9666f71b09d7575db927c132c916484b0570420f30dmikesamuel      }
9676f71b09d7575db927c132c916484b0570420f30dmikesamuel      else
9686f71b09d7575db927c132c916484b0570420f30dmikesamuel        Bldr.generateNode(S, Pred,
9696f71b09d7575db927c132c916484b0570420f30dmikesamuel                          state->BindExpr(S, Pred->getLocationContext(),
9706f71b09d7575db927c132c916484b0570420f30dmikesamuel                                                   UnknownVal()));
9716f71b09d7575db927c132c916484b0570420f30dmikesamuel
9726f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.addNodes(Dst);
9736f71b09d7575db927c132c916484b0570420f30dmikesamuel      break;
9746f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
9756f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
9766f71b09d7575db927c132c916484b0570420f30dmikesamuel}
9776f71b09d7575db927c132c916484b0570420f30dmikesamuel
9786f71b09d7575db927c132c916484b0570420f30dmikesamuelbool ExprEngine::replayWithoutInlining(ExplodedNode *N,
9796f71b09d7575db927c132c916484b0570420f30dmikesamuel                                       const LocationContext *CalleeLC) {
9806f71b09d7575db927c132c916484b0570420f30dmikesamuel  const StackFrameContext *CalleeSF = CalleeLC->getCurrentStackFrame();
9816f71b09d7575db927c132c916484b0570420f30dmikesamuel  const StackFrameContext *CallerSF = CalleeSF->getParent()->getCurrentStackFrame();
9826f71b09d7575db927c132c916484b0570420f30dmikesamuel  assert(CalleeSF && CallerSF);
9836f71b09d7575db927c132c916484b0570420f30dmikesamuel  ExplodedNode *BeforeProcessingCall = 0;
9846f71b09d7575db927c132c916484b0570420f30dmikesamuel
9856f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Find the first node before we started processing the call expression.
9866f71b09d7575db927c132c916484b0570420f30dmikesamuel  while (N) {
9876f71b09d7575db927c132c916484b0570420f30dmikesamuel    ProgramPoint L = N->getLocation();
9886f71b09d7575db927c132c916484b0570420f30dmikesamuel    BeforeProcessingCall = N;
9896f71b09d7575db927c132c916484b0570420f30dmikesamuel    N = N->pred_empty() ? NULL : *(N->pred_begin());
9906f71b09d7575db927c132c916484b0570420f30dmikesamuel
9916f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Skip the nodes corresponding to the inlined code.
9926f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (L.getLocationContext()->getCurrentStackFrame() != CallerSF)
9936f71b09d7575db927c132c916484b0570420f30dmikesamuel      continue;
9946f71b09d7575db927c132c916484b0570420f30dmikesamuel    // We reached the caller. Find the node right before we started
9956f71b09d7575db927c132c916484b0570420f30dmikesamuel    // processing the CallExpr.
996hL<�!��    if (isa<PostPurgeDeadSymbols>(L))
997cc>O#��.�c�*}FP� ��y��,lԘ�{$�xS      continue;
9986f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (const StmtPoint *SP = dyn_cast<StmtPoint>(&L))
9996f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (SP->getStmt() == CalleeSF->getCallSite())
10006f71b09d7575db927c132c916484b0570420f30dmikesamuel        continue;
10016f71b09d7575db927c132c916484b0570420f30dmikesamuel    break;
10026f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
1003wJ$�!l^.
10046f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (!BeforeProcessingCall)
10056f71b09d7575db927c132c916484b0570420f30dmikesamuel    return false;
10066f71b09d7575db927c132c916484b0570420f30dmikesamuel
1007eiK��@���Uk��r�O��� ��  // TODO: Clean up the unneeded nodes.
10086f71b09d7575db927c132c916484b0570420f30dmikesamuel
10096f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Build an Epsilon node from which we will restart the analyzes.
10106f71b09d7575db927c132c916484b0570420f30dmikesamuel  const Stmt *CE = CalleeSF->getCallSite();
10116f71b09d7575db927c132c916484b0570420f30dmikesamuel  ProgramPoint NewNodeLoc =
10126f71b09d7575db927c132c916484b0570420f30dmikesamuel               EpsilonPoint(BeforeProcessingCall->getLocationContext(), CE);
10136f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Add the special flag to GDM to signal retrying with no inlining.
10146f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Note, changing the state ensures that we are not going to cache out.
10156f71b09d7575db927c132c916484b0570420f30dmikesamuel  ProgramStateRef NewNodeState = BeforeProcessingCall->getState();
10166f71b09d7575db927c132c916484b0570420f30dmikesamuel  NewNodeState = NewNodeState->set<ReplayWithoutInlining>((void*)CE);
10176f71b09d7575db927c132c916484b0570420f30dmikesamuel
10186f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Make the new node a successor of BeforeProcessingCall.
10196f71b09d7575db927c132c916484b0570420f30dmikesamuel  bool IsNew = false;
10206f71b09d7575db927c132c916484b0570420f30dmikesamuel  ExplodedNode *NewNode = G.getNode(NewNodeLoc, NewNodeState, false, &IsNew);
1021U��j����g  // We cached out at this point. Caching out is common due to us backtracking
10226f71b09d7575db927c132c916484b0570420f30dmikesamuel  // from the inlined function, which might spawn several paths.
10236f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (!IsNew)
1024DX�L�}P!�j    return true;
10256f71b09d7575db927c132c916484b0570420f30dmikesamuel
10266f71b09d7575db927c132c916484b0570420f30dmikesamuel  NewNode->addPredecessor(BeforeProcessingCall, G);
10276f71b09d7575db927c132c916484b0570420f30dmikesamuel
10286f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Add the new node to the work list.
10296f71b09d7575db927c132c916484b0570420f30dmikesamuel  Engine.enqueueStmtNode(NewNode, CalleeSF->getCallSiteBlock(),
10306f71b09d7575db927c132c916484b0570420f30dmikesamuel                                  CalleeSF->getIndex());
10316f71b09d7575db927c132c916484b0570420f30dmikesamuel  NumTimesRetriedWithoutInlining++;
10326f71b09d7575db927c132c916484b0570420f30dmikesamuel  return true;
1033ED�Y�A�Ѝ�PK}
10346f71b09d7575db927c132c916484b0570420f30dmikesamuel
10356f71b09d7575db927c132c916484b0570420f30dmikesamuel/// Block entrance.  (Update counters).
10366f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::processCFGBlockEntrance(const BlockEdge &L,
10376f71b09d7575db927c132c916484b0570420f30dmikesamuel                                         NodeBuilderWithSinks &nodeBuilder) {
10386f71b09d7575db927c132c916484b0570420f30dmikesamuel
10396f71b09d7575db927c132c916484b0570420f30dmikesamuel  // FIXME: Refactor this into a checker.
10406f71b09d7575db927c132c916484b0570420f30dmikesamuel  ExplodedNode *pred = nodeBuilder.getContext().getPred();
10416f71b09d7575db927c132c916484b0570420f30dmikesamuel
10426f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (nodeBuilder.getContext().getCurrentBlockCount() >= AMgr.getMaxVisit()) {
10436f71b09d7575db927c132c916484b0570420f30dmikesamuel    static SimpleProgramPointTag tag("ExprEngine : Block count exceeded");
10446f71b09d7575db927c132c916484b0570420f30dmikesamuel    const ExplodedNode *Sink =
1045y�E����]wL�ё񰣌�e=y                   nodeBuilder.generateNode(pred->getState(), pred, &tag, true);
10466f71b09d7575db927c132c916484b0570420f30dmikesamuel
10476f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Check if we stopped at the top level function or not.
10486f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Root node should have the location context of the top most function.
1049U�fG�R;G	۞x;��NB���'Ig�M��p����ar��    const LocationContext *CalleeLC = pred->getLocation().getLocationContext();
10506f71b09d7575db927c132c916484b0570420f30dmikesamuel    const LocationContext *CalleeSF = CalleeLC->getCurrentStackFrame();
10516f71b09d7575db927c132c916484b0570420f30dmikesamuel    const LocationContext *RootLC =
1052SK~���!�                        (*G.roots_begin())->getLocation().getLocationContext();
10536f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (RootLC->getCurrentStackFrame() != CalleeSF) {
10546f71b09d7575db927c132c916484b0570420f30dmikesamuel      Engine.FunctionSummaries->markReachedMaxBlockCount(CalleeSF->getDecl());
1055khXtn���B*�
10566f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Re-run the call evaluation without inlining it, by storing the
1057_?K���!��(�      // no-inlining policy in the state and enqueuing the new work item on
10586f71b09d7575db927c132c916484b0570420f30dmikesamuel      // the list. Replay should almost never fail. Use the stats to catch it
1059iD9�lͺ̺|/�����a�ɇ`J�u�Nh�UZ�#͖      // if it does.
10606f71b09d7575db927c132c916484b0570420f30dmikesamuel      if ((!AMgr.NoRetryExhausted && replayWithoutInlining(pred, CalleeLC)))
1061XGi��I�&\aL��e,�o�<�'o!�zG�.�"]Pñiش�{`r?,t�%�S���        return;
10626f71b09d7575db927c132c916484b0570420f30dmikesamuel      NumMaxBlockCountReachedInInlined++;
10636f71b09d7575db927c132c916484b0570420f30dmikesamuel    } else
10646f71b09d7575db927c132c916484b0570420f30dmikesamuel      NumMaxBlockCountReached++;
10656f71b09d7575db927c132c916484b0570420f30dmikesamuel
10666f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Make sink nodes as exhausted(for stats) only if retry failed.
10679��hs�,���    Engine.blocksExhausted.push_back(std::make_pair(L, Sink));
10686f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
10692�k}
10706f71b09d7575db927c132c916484b0570420f30dmikesamuel
10716f71b09d7575db927c132c916484b0570420f30dmikesamuel//===----------------------------------------------------------------------===//
10726f71b09d7575db927c132c916484b0570420f30dmikesamuel// Branch processing.
10736f71b09d7575db927c132c916484b0570420f30dmikesamuel//===----------------------------------------------------------------------===//
1074ceoI$�C�)n�f!�����vΚ�V���-=���f�m��tV,�NJ��֑H���#p
10756f71b09d7575db927c132c916484b0570420f30dmikesamuelProgramStateRef ExprEngine::MarkBranch(ProgramStateRef state,
10766f71b09d7575db927c132c916484b0570420f30dmikesamuel                                           const Stmt *Terminator,
10776f71b09d7575db927c132c916484b0570420f30dmikesamuel                                           const LocationContext *LCtx,
10786f71b09d7575db927c132c916484b0570420f30dmikesamuel                                           bool branchTaken) {
10796f71b09d7575db927c132c916484b0570420f30dmikesamuel
10806f71b09d7575db927c132c916484b0570420f30dmikesamuel  switch (Terminator->getStmtClass()) {
10816f71b09d7575db927c132c916484b0570420f30dmikesamuel    default:
10821�I`��      return state;
10836f71b09d7575db927c132c916484b0570420f30dmikesamuel
10846f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::BinaryOperatorClass: { // '&&' and '||'
10856f71b09d7575db927c132c916484b0570420f30dmikesamuel
10866f71b09d7575db927c132c916484b0570420f30dmikesamuel      const BinaryOperator* B = cast<BinaryOperator>(Terminator);
10876f71b09d7575db927c132c916484b0570420f30dmikesamuel      BinaryOperator::Opcode Op = B->getOpcode();
10886f71b09d7575db927c132c916484b0570420f30dmikesamuel
10896f71b09d7575db927c132c916484b0570420f30dmikesamuel      assert (Op == BO_LAnd || Op == BO_LOr);
10906f71b09d7575db927c132c916484b0570420f30dmikesamuel
10916f71b09d7575db927c132c916484b0570420f30dmikesamuel      // For &&, if we take the true branch, then the value of the whole
10926f71b09d7575db927c132c916484b0570420f30dmikesamuel      // expression is that of the RHS expression.
10936f71b09d7575db927c132c916484b0570420f30dmikesamuel      //
10946f71b09d7575db927c132c916484b0570420f30dmikesamuel      // For ||, if we take the false branch, then the value of the whole
10956f71b09d7575db927c132c916484b0570420f30dmikesamuel      // expression is that of the RHS expression.
10966f71b09d7575db927c132c916484b0570420f30dmikesamuel
10976f71b09d7575db927c132c916484b0570420f30dmikesamuel      const Expr *Ex = (Op == BO_LAnd && branchTaken) ||
10986f71b09d7575db927c132c916484b0570420f30dmikesamuel                       (Op == BO_LOr && !branchTaken)
10996f71b09d7575db927c132c916484b0570420f30dmikesamuel                       ? B->getRHS() : B->getLHS();
11006f71b09d7575db927c132c916484b0570420f30dmikesamuel
1101Z      return state->BindExpr(B, LCtx, UndefinedVal(Ex));
11026f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
11036f71b09d7575db927c132c916484b0570420f30dmikesamuel
11046f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::BinaryConditionalOperatorClass:
11056f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ConditionalOperatorClass: { // ?:
11066f71b09d7575db927c132c916484b0570420f30dmikesamuel      const AbstractConditionalOperator* C
11076f71b09d7575db927c132c916484b0570420f30dmikesamuel        = cast<AbstractConditionalOperator>(Terminator);
11086f71b09d7575db927c132c916484b0570420f30dmikesamuel
1109cg�      // For ?, if branchTaken == true then the value is either the LHS or
11106f71b09d7575db927c132c916484b0570420f30dmikesamuel      // the condition itself. (GNU extension).
1111vkT�
1112Sѷ����%����c�F�$Xx�u��\�n��l�|扫��cxђ-�%�cԐ��l���Z�CvZr���!�((�z�u      const Expr *Ex;
11136f71b09d7575db927c132c916484b0570420f30dmikesamuel
11146f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (branchTaken)
1115i�}R        Ex = C->getTrueExpr();
1116pp      else
11176f71b09d7575db927c132c916484b0570420f30dmikesamuel        Ex = C->getFalseExpr();
11186f71b09d7575db927c132c916484b0570420f30dmikesamuel
11196f71b09d7575db927c132c916484b0570420f30dmikesamuel      return state->BindExpr(C, LCtx, UndefinedVal(Ex));
11206f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
11216f71b09d7575db927c132c916484b0570420f30dmikesamuel
11226f71b09d7575db927c132c916484b0570420f30dmikesamuel    case Stmt::ChooseExprClass: { // ?:
11236f71b09d7575db927c132c916484b0570420f30dmikesamuel
11246f71b09d7575db927c132c916484b0570420f30dmikesamuel      const ChooseExpr *C = cast<ChooseExpr>(Terminator);
11256f71b09d7575db927c132c916484b0570420f30dmikesamuel
11266f71b09d7575db927c132c916484b0570420f30dmikesamuel      const Expr *Ex = branchTaken ? C->getLHS() : C->getRHS();
11276f71b09d7575db927c132c916484b0570420f30dmikesamuel      return state->BindExpr(C, LCtx, UndefinedVal(Ex));
1128Mi    }
11296f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
1130a�;*��)W�=��^�lU�	�e<��y|_�[p��T��hi�XO�����"&��aPŏ��>��?��T��}
11316f71b09d7575db927c132c916484b0570420f30dmikesamuel
11326f71b09d7575db927c132c916484b0570420f30dmikesamuel/// RecoverCastedSymbol - A helper function for ProcessBranch that is used
11336f71b09d7575db927c132c916484b0570420f30dmikesamuel/// to try to recover some path-sensitivity for casts of symbolic
11346f71b09d7575db927c132c916484b0570420f30dmikesamuel/// integers that promote their values (which are currently not tracked well).
1135pQ;�R�,�/// This function returns the SVal bound to Condition->IgnoreCasts if all the
1136kG{+�y�//  cast(s) did was sign-extend the original value.
1137nq*��p���k.�L� ��static SVal RecoverCastedSymbol(ProgramStateManager& StateMgr,
11386f71b09d7575db927c132c916484b0570420f30dmikesamuel                                ProgramStateRef state,
11396f71b09d7575db927c132c916484b0570420f30dmikesamuel                                const Stmt *Condition,
11406f71b09d7575db927c132c916484b0570420f30dmikesamuel                                const LocationContext *LCtx,
11416f71b09d7575db927c132c916484b0570420f30dmikesamuel                                ASTContext &Ctx) {
11426f71b09d7575db927c132c916484b0570420f30dmikesamuel
11436f71b09d7575db927c132c916484b0570420f30dmikesamuel  const Expr *Ex = dyn_cast<Expr>(Condition);
11446f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (!Ex)
1145D���Zmu�l��d    return UnknownVal();
11466f71b09d7575db927c132c916484b0570420f30dmikesamuel
11478k���<  uint64_t bits = 0;
11486f71b09d7575db927c132c916484b0570420f30dmikesamuel  bool bitsInit = false;
11496f71b09d7575db927c132c916484b0570420f30dmikesamuel
11506f71b09d7575db927c132c916484b0570420f30dmikesamuel  while (const CastExpr *CE = dyn_cast<CastExpr>(Ex)) {
11516f71b09d7575db927c132c916484b0570420f30dmikesamuel    QualType T = CE->getType();
1152x���;�-
11536f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (!T->isIntegerType())
11546f71b09d7575db927c132c916484b0570420f30dmikesamuel      return UnknownVal();
11556f71b09d7575db927c132c916484b0570420f30dmikesamuel
1156d�j$}+�-��H    uint64_t newBits = Ctx.getTypeSize(T);
11576f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (!bitsInit || newBits < bits) {
11586f71b09d7575db927c132c916484b0570420f30dmikesamuel      bitsInit = true;
11596f71b09d7575db927c132c916484b0570420f30dmikesamuel      bits = newBits;
11606f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
11616f71b09d7575db927c132c916484b0570420f30dmikesamuel
1162tn��X�}>�	�%B�    Ex = CE->getSubExpr();
11636f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
1164D�s����
11656f71b09d7575db927c132c916484b0570420f30dmikesamuel  // We reached a non-cast.  Is it a symbolic value?
11666f71b09d7575db927c132c916484b0570420f30dmikesamuel  QualType T = Ex->getType();
11676f71b09d7575db927c132c916484b0570420f30dmikesamuel
11686f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (!bitsInit || !T->isIntegerType() || Ctx.getTypeSize(T) > bits)
11696f71b09d7575db927c132c916484b0570420f30dmikesamuel    return UnknownVal();
1170r�A����"<Ex;����룏��T]
1171O�QqU�:�J�i�N�j_  return state->getSVal(Ex, LCtx);
11726f71b09d7575db927c132c916484b0570420f30dmikesamuel}
1173j�~�-�
11746f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::processBranch(const Stmt *Condition, const Stmt *Term,
11756f71b09d7575db927c132c916484b0570420f30dmikesamuel                               NodeBuilderContext& BldCtx,
1176bhpxB{�O��E�����A�u��D�+�C��yQ�$;�|�ן�����ss����[�x�aU�{��$�q�n-�cX�o��ާZ�uOCc��U�d�������R`#��                               ExplodedNode *Pred,
11776f71b09d7575db927c132c916484b0570420f30dmikesamuel                               ExplodedNodeSet &Dst,
11786f71b09d7575db927c132c916484b0570420f30dmikesamuel                               const CFGBlock *DstT,
11796f71b09d7575db927c132c916484b0570420f30dmikesamuel                               const CFGBlock *DstF) {
11806f71b09d7575db927c132c916484b0570420f30dmikesamuel  currentBuilderContext = &BldCtx;
11816f71b09d7575db927c132c916484b0570420f30dmikesamuel
11826f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Check for NULL conditions; e.g. "for(;;)"
11834lbKS��i�F�>�R��ifZ�n	<�:,�K���n��mSmn��%n  if (!Condition) {
11846f71b09d7575db927c132c916484b0570420f30dmikesamuel    BranchNodeBuilder NullCondBldr(Pred, Dst, BldCtx, DstT, DstF);
11856f71b09d7575db927c132c916484b0570420f30dmikesamuel    NullCondBldr.markInfeasible(false);
11866f71b09d7575db927c132c916484b0570420f30dmikesamuel    NullCondBldr.generateNode(Pred->getState(), true, Pred);
1187Tcz#�qYBr+@d��_F\    return;
1188Mwtݭ�U��Bk����č�m��$VѾ�>u$�vx��Qn�,�  }
11896f71b09d7575db927c132c916484b0570420f30dmikesamuel
11906f71b09d7575db927c132c916484b0570420f30dmikesamuel  PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
11916f71b09d7575db927c132c916484b0570420f30dmikesamuel                                Condition->getLocStart(),
11926f71b09d7575db927c132c916484b0570420f30dmikesamuel                                "Error evaluating branch");
11936f71b09d7575db927c132c916484b0570420f30dmikesamuel
11946f71b09d7575db927c132c916484b0570420f30dmikesamuel  ExplodedNodeSet CheckersOutSet;
11956f71b09d7575db927c132c916484b0570420f30dmikesamuel  getCheckerManager().runCheckersForBranchCondition(Condition, CheckersOutSet,
11966f71b09d7575db927c132c916484b0570420f30dmikesamuel                                                    Pred, *this);
11976f71b09d7575db927c132c916484b0570420f30dmikesamuel  // We generated only sinks.
11986f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (CheckersOutSet.empty())
11996f71b09d7575db927c132c916484b0570420f30dmikesamuel    return;
12006f71b09d7575db927c132c916484b0570420f30dmikesamuel
12016f71b09d7575db927c132c916484b0570420f30dmikesamuel  BranchNodeBuilder builder(CheckersOutSet, Dst, BldCtx, DstT, DstF);
12026f71b09d7575db927c132c916484b0570420f30dmikesamuel  for (NodeBuilder::iterator I = CheckersOutSet.begin(),
12036f71b09d7575db927c132c916484b0570420f30dmikesamuel                             E = CheckersOutSet.end(); E != I; ++I) {
12046f71b09d7575db927c132c916484b0570420f30dmikesamuel    ExplodedNode *PredI = *I;
12056f71b09d7575db927c132c916484b0570420f30dmikesamuel
12066f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (PredI->isSink())
12076f71b09d7575db927c132c916484b0570420f30dmikesamuel      continue;
12086f71b09d7575db927c132c916484b0570420f30dmikesamuel
12096f71b09d7575db927c132c916484b0570420f30dmikesamuel    ProgramStateRef PrevState = Pred->getState();
12106f71b09d7575db927c132c916484b0570420f30dmikesamuel    SVal X = PrevState->getSVal(Condition, Pred->getLocationContext());
12117b����;���X
12126f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (X.isUnknownOrUndef()) {
12136f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Give it a chance to recover from unknown.
12146f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (const Expr *Ex = dyn_cast<Expr>(Condition)) {
12156f71b09d7575db927c132c916484b0570420f30dmikesamuel        if (Ex->getType()->isIntegerType()) {
12166f71b09d7575db927c132c916484b0570420f30dmikesamuel          // Try to recover some path-sensitivity.  Right now casts of symbolic
1217U�,���*��T�_�o�����_��S�k�N�E&i��u@�aH/RA=�$�          // integers that promote their values are currently not tracked well.
1218J��          // If 'Condition' is such an expression, try and recover the
12190�Y          // underlying value and use that instead.
12206f71b09d7575db927c132c916484b0570420f30dmikesamuel          SVal recovered = RecoverCastedSymbol(getStateManager(),
1221Hvx��/ͥ�˔�ltN)�֥�                                               PrevState, Condition,
12226f71b09d7575db927c132c916484b0570420f30dmikesamuel                                               Pred->getLocationContext(),
12236f71b09d7575db927c132c916484b0570420f30dmikesamuel                                               getContext());
12246�����C�H����-I�x�P�P����c)'�Ⱥ�C
12256f71b09d7575db927c132c916484b0570420f30dmikesamuel          if (!recovered.isUnknown()) {
12266f71b09d7575db927c132c916484b0570420f30dmikesamuel            X = recovered;
12276f71b09d7575db927c132c916484b0570420f30dmikesamuel          }
1228d�I��D�        }
12296f71b09d7575db927c132c916484b0570420f30dmikesamuel      }
12306f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
12316f71b09d7575db927c132c916484b0570420f30dmikesamuel
12326f71b09d7575db927c132c916484b0570420f30dmikesamuel    const LocationContext *LCtx = PredI->getLocationContext();
12336f71b09d7575db927c132c916484b0570420f30dmikesamuel
12346f71b09d7575db927c132c916484b0570420f30dmikesamuel    // If the condition is still unknown, give up.
12356f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (X.isUnknownOrUndef()) {
12366f71b09d7575db927c132c916484b0570420f30dmikesamuel      builder.generateNode(MarkBranch(PrevState, Term, LCtx, true),
12376f71b09d7575db927c132c916484b0570420f30dmikesamuel                           true, PredI);
12386f71b09d7575db927c132c916484b0570420f30dmikesamuel      builder.generateNode(MarkBranch(PrevState, Term, LCtx, false),
12396f71b09d7575db927c132c916484b0570420f30dmikesamuel                           false, PredI);
12406f71b09d7575db927c132c916484b0570420f30dmikesamuel      continue;
12416f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
12426f71b09d7575db927c132c916484b0570420f30dmikesamuel
12436f71b09d7575db927c132c916484b0570420f30dmikesamuel    DefinedSVal V = cast<DefinedSVal>(X);
12446f71b09d7575db927c132c916484b0570420f30dmikesamuel
12456f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Process the true branch.
12466f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (builder.isFeasible(true)) {
12476f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (ProgramStateRef state = PrevState->assume(V, true))
12486f71b09d7575db927c132c916484b0570420f30dmikesamuel        builder.generateNode(MarkBranch(state, Term, LCtx, true),
12496f71b09d7575db927c132c916484b0570420f30dmikesamuel                             true, PredI);
12506f71b09d7575db927c132c916484b0570420f30dmikesamuel      else
1251i*|MU\mI�        builder.markInfeasible(true);
1252g`T�ǀ��اbv�    }
12536f71b09d7575db927c132c916484b0570420f30dmikesamuel
12546f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Process the false branch.
12556f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (builder.isFeasible(false)) {
12566f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (ProgramStateRef state = PrevState->assume(V, false))
12576f71b09d7575db927c132c916484b0570420f30dmikesamuel        builder.generateNode(MarkBranch(state, Term, LCtx, false),
12586f71b09d7575db927c132c916484b0570420f30dmikesamuel                             false, PredI);
12596f71b09d7575db927c132c916484b0570420f30dmikesamuel      else
12606f71b09d7575db927c132c916484b0570420f30dmikesamuel        builder.markInfeasible(false);
12616f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
12626f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
12636f71b09d7575db927c132c916484b0570420f30dmikesamuel  currentBuilderContext = 0;
12646f71b09d7575db927c132c916484b0570420f30dmikesamuel}
1265T(�`�/M��"�V!���x=)��c�E�
12666f71b09d7575db927c132c916484b0570420f30dmikesamuel/// processIndirectGoto - Called by CoreEngine.  Used to generate successor
12673a�~��k°�?h�#��a?�b+(ߘn-�C,��CL��PH�?///  nodes by processing the 'effects' of a computed goto jump.
12686f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::processIndirectGoto(IndirectGotoNodeBuilder &builder) {
12696f71b09d7575db927c132c916484b0570420f30dmikesamuel
12706f71b09d7575db927c132c916484b0570420f30dmikesamuel  ProgramStateRef state = builder.getState();
12716f71b09d7575db927c132c916484b0570420f30dmikesamuel  SVal V = state->getSVal(builder.getTarget(), builder.getLocationContext());
12726f71b09d7575db927c132c916484b0570420f30dmikesamuel
1273Vـ�  // Three possibilities:
12746f71b09d7575db927c132c916484b0570420f30dmikesamuel  //
12756f71b09d7575db927c132c916484b0570420f30dmikesamuel  //   (1) We know the computed label.
12766f71b09d7575db927c132c916484b0570420f30dmikesamuel  //   (2) The label is NULL (or some other constant), or Undefined.
12776f71b09d7575db927c132c916484b0570420f30dmikesamuel  //   (3) We have no clue about the label.  Dispatch to all targets.
1278T���M}��,  //
12796f71b09d7575db927c132c916484b0570420f30dmikesamuel
12806f71b09d7575db927c132c916484b0570420f30dmikesamuel  typedef IndirectGotoNodeBuilder::iterator iterator;
12816f71b09d7575db927c132c916484b0570420f30dmikesamuel
12826f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (isa<loc::GotoLabel>(V)) {
1283cZB�K��>���F�L�̇HE^�m�;r#�ؽ���    const LabelDecl *L = cast<loc::GotoLabel>(V).getLabel();
12846f71b09d7575db927c132c916484b0570420f30dmikesamuel
1285e�i��ci��ࡌ/T<�u�����/U|��U���[�����%n��    for (iterator I = builder.begin(), E = builder.end(); I != E; ++I) {
1286J�;�ͤ��[����      if (I.getLabel() == L) {
12876f71b09d7575db927c132c916484b0570420f30dmikesamuel        builder.generateNode(I, state);
12886f71b09d7575db927c132c916484b0570420f30dmikesamuel        return;
12896f71b09d7575db927c132c916484b0570420f30dmikesamuel      }
1290yTC!T�W��.{p$��P� j��%�f_��],r]Sp]�o^�Afއy�S�LH�X�-��D/�N.��	�Ī)W��    }
12916f71b09d7575db927c132c916484b0570420f30dmikesamuel
12926f71b09d7575db927c132c916484b0570420f30dmikesamuel    llvm_unreachable("No block with label.");
12936f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
12946f71b09d7575db927c132c916484b0570420f30dmikesamuel
12956f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (isa<loc::ConcreteInt>(V) || isa<UndefinedVal>(V)) {
12966f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Dispatch to the first target and mark it as a sink.
12976f71b09d7575db927c132c916484b0570420f30dmikesamuel    //ExplodedNode* N = builder.generateNode(builder.begin(), state, true);
12986f71b09d7575db927c132c916484b0570420f30dmikesamuel    // FIXME: add checker visit.
12996f71b09d7575db927c132c916484b0570420f30dmikesamuel    //    UndefBranches.insert(N);
13006f71b09d7575db927c132c916484b0570420f30dmikesamuel    return;
13016f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
13026f71b09d7575db927c132c916484b0570420f30dmikesamuel
13036f71b09d7575db927c132c916484b0570420f30dmikesamuel  // This is really a catch-all.  We don't support symbolics yet.
1304Ntrk  // FIXME: Implement dispatch for symbolic pointers.
13056f71b09d7575db927c132c916484b0570420f30dmikesamuel
13066f71b09d7575db927c132c916484b0570420f30dmikesamuel  for (iterator I=builder.begin(), E=builder.end(); I != E; ++I)
1307W�He��    builder.generateNode(I, state);
13086f71b09d7575db927c132c916484b0570420f30dmikesamuel}
13096f71b09d7575db927c132c916484b0570420f30dmikesamuel
13106f71b09d7575db927c132c916484b0570420f30dmikesamuel/// ProcessEndPath - Called by CoreEngine.  Used to generate end-of-path
1311IJDbes��e����ҽ�պЊg����///  nodes when the control reaches the end of a function.
13126f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::processEndOfFunction(NodeBuilderContext& BC) {
13136f71b09d7575db927c132c916484b0570420f30dmikesamuel  StateMgr.EndPath(BC.Pred->getState());
13146f71b09d7575db927c132c916484b0570420f30dmikesamuel  ExplodedNodeSet Dst;
13156f71b09d7575db927c132c916484b0570420f30dmikesamuel  getCheckerManager().runCheckersForEndPath(BC, Dst, *this);
13166f71b09d7575db927c132c916484b0570420f30dmikesamuel  Engine.enqueueEndOfFunction(Dst);
13176f71b09d7575db927c132c916484b0570420f30dmikesamuel}
13186f71b09d7575db927c132c916484b0570420f30dmikesamuel
13196f71b09d7575db927c132c916484b0570420f30dmikesamuel/// ProcessSwitch - Called by CoreEngine.  Used to generate successor
1320F�ϕ��T��)��K�q�///  nodes by processing the 'effects' of a switch statement.
13216f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::processSwitch(SwitchNodeBuilder& builder) {
13226f71b09d7575db927c132c916484b0570420f30dmikesamuel  typedef SwitchNodeBuilder::iterator iterator;
13236f71b09d7575db927c132c916484b0570420f30dmikesamuel  ProgramStateRef state = builder.getState();
13246f71b09d7575db927c132c916484b0570420f30dmikesamuel  const Expr *CondE = builder.getCondition();
13256f71b09d7575db927c132c916484b0570420f30dmikesamuel  SVal  CondV_untested = state->getSVal(CondE, builder.getLocationContext());
13266f71b09d7575db927c132c916484b0570420f30dmikesamuel
1327P�l  if (CondV_untested.isUndef()) {
13286f71b09d7575db927c132c916484b0570420f30dmikesamuel    //ExplodedNode* N = builder.generateDefaultCaseNode(state, true);
13296f71b09d7575db927c132c916484b0570420f30dmikesamuel    // FIXME: add checker
13306f71b09d7575db927c132c916484b0570420f30dmikesamuel    //UndefBranches.insert(N);
13316f71b09d7575db927c132c916484b0570420f30dmikesamuel
13326f71b09d7575db927c132c916484b0570420f30dmikesamuel    return;
13338o���W��}���vNތ��C{%uZ+G  }
1334P�t�Dg!���گ�g��^�֡��Of��$"����Ay��)���*o)���@?&*�  DefinedOrUnknownSVal CondV = cast<DefinedOrUnknownSVal>(CondV_untested);
13356f71b09d7575db927c132c916484b0570420f30dmikesamuel
13366f71b09d7575db927c132c916484b0570420f30dmikesamuel  ProgramStateRef DefaultSt = state;
13376f71b09d7575db927c132c916484b0570420f30dmikesamuel
13386f71b09d7575db927c132c916484b0570420f30dmikesamuel  iterator I = builder.begin(), EI = builder.end();
13396f71b09d7575db927c132c916484b0570420f30dmikesamuel  bool defaultIsFeasible = I == EI;
13406f71b09d7575db927c132c916484b0570420f30dmikesamuel
13416f71b09d7575db927c132c916484b0570420f30dmikesamuel  for ( ; I != EI; ++I) {
13426f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Successor may be pruned out during CFG construction.
1343m    if (!I.getBlock())
1344gX��L=ߣ�"��      continue;
13453U��L�?����=b�>�Ԕ��͝џ	w���PK
13466f71b09d7575db927c132c916484b0570420f30dmikesamuel    const CaseStmt *Case = I.getCase();
13476f71b09d7575db927c132c916484b0570420f30dmikesamuel
13486f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Evaluate the LHS of the case value.
13496f71b09d7575db927c132c916484b0570420f30dmikesamuel    llvm::APSInt V1 = Case->getLHS()->EvaluateKnownConstInt(getContext());
1350Rs�YuD�Y�R��}��G�����q�	><�Cޔ�CLI��'~*�-\��    assert(V1.getBitWidth() == getContext().getTypeSize(CondE->getType()));
13516f71b09d7575db927c132c916484b0570420f30dmikesamuel
13526f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Get the RHS of the case, if it exists.
13536f71b09d7575db927c132c916484b0570420f30dmikesamuel    llvm::APSInt V2;
13544v,ֹO,�ol�|����r    if (const Expr *E = Case->getRHS())
13556f71b09d7575db927c132c916484b0570420f30dmikesamuel      V2 = E->EvaluateKnownConstInt(getContext());
1356l�Q    else
1357n�T�p��:��N�I���B��D.P      V2 = V1;
13586f71b09d7575db927c132c916484b0570420f30dmikesamuel
13596f71b09d7575db927c132c916484b0570420f30dmikesamuel    // FIXME: Eventually we should replace the logic below with a range
13606f71b09d7575db927c132c916484b0570420f30dmikesamuel    //  comparison, rather than concretize the values within the range.
13616f71b09d7575db927c132c916484b0570420f30dmikesamuel    //  This should be easy once we have "ranges" for NonLVals.
13626f71b09d7575db927c132c916484b0570420f30dmikesamuel
1363iJ#���<h�˛�    do {
13646f71b09d7575db927c132c916484b0570420f30dmikesamuel      nonloc::ConcreteInt CaseVal(getBasicVals().getValue(V1));
1365Az6f���vb��iq�]��x��f      DefinedOrUnknownSVal Res = svalBuilder.evalEQ(DefaultSt ? DefaultSt : state,
13669^�|�z�Pu�m                                               CondV, CaseVal);
13676f71b09d7575db927c132c916484b0570420f30dmikesamuel
13686f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Now "assume" that the case matches.
13695vj�fH�g\��n��ʚmZ��}�@�t�ؕr�}U�������a�܌d�b�      if (ProgramStateRef stateNew = state->assume(Res, true)) {
13706f71b09d7575db927c132c916484b0570420f30dmikesamuel        builder.generateCaseStmtNode(I, stateNew);
13716f71b09d7575db927c132c916484b0570420f30dmikesamuel
13726f71b09d7575db927c132c916484b0570420f30dmikesamuel        // If CondV evaluates to a constant, then we know that this
13736f71b09d7575db927c132c916484b0570420f30dmikesamuel        // is the *only* case that we can take, so stop evaluating the
13746f71b09d7575db927c132c916484b0570420f30dmikesamuel        // others.
13756f71b09d7575db927c132c916484b0570420f30dmikesamuel        if (isa<nonloc::ConcreteInt>(CondV))
13766f71b09d7575db927c132c916484b0570420f30dmikesamuel          return;
13776f71b09d7575db927c132c916484b0570420f30dmikesamuel      }
13786f71b09d7575db927c132c916484b0570420f30dmikesamuel
13796f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Now "assume" that the case doesn't match.  Add this state
1380b      // to the default state (if it is feasible).
13816f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (DefaultSt) {
13826f71b09d7575db927c132c916484b0570420f30dmikesamuel        if (ProgramStateRef stateNew = DefaultSt->assume(Res, false)) {
13836f71b09d7575db927c132c916484b0570420f30dmikesamuel          defaultIsFeasible = true;
13846f71b09d7575db927c132c916484b0570420f30dmikesamuel          DefaultSt = stateNew;
13856f71b09d7575db927c132c916484b0570420f30dmikesamuel        }
13866f71b09d7575db927c132c916484b0570420f30dmikesamuel        else {
13876f71b09d7575db927c132c916484b0570420f30dmikesamuel          defaultIsFeasible = false;
13886f71b09d7575db927c132c916484b0570420f30dmikesamuel          DefaultSt = NULL;
13896f71b09d7575db927c132c916484b0570420f30dmikesamuel        }
1390KLPaL�)�~�ҒZ��~S�oXj�&�y�	/��<��`ea;�      }
1391P����.v{�„��
13926f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Concretize the next value in the range.
13936f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (V1 == V2)
13946f71b09d7575db927c132c916484b0570420f30dmikesamuel        break;
13954��gZ
1396r��)��O�u���$=���������      ++V1;
13976f71b09d7575db927c132c916484b0570420f30dmikesamuel      assert (V1 <= V2);
13986f71b09d7575db927c132c916484b0570420f30dmikesamuel
13996f71b09d7575db927c132c916484b0570420f30dmikesamuel    } while (true);
14006f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
14016f71b09d7575db927c132c916484b0570420f30dmikesamuel
14026f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (!defaultIsFeasible)
14036f71b09d7575db927c132c916484b0570420f30dmikesamuel    return;
14046f71b09d7575db927c132c916484b0570420f30dmikesamuel
14056f71b09d7575db927c132c916484b0570420f30dmikesamuel  // If we have switch(enum value), the default branch is not
14066f71b09d7575db927c132c916484b0570420f30dmikesamuel  // feasible if all of the enum constants not covered by 'case:' statements
14076f71b09d7575db927c132c916484b0570420f30dmikesamuel  // are not feasible values for the switch condition.
14086f71b09d7575db927c132c916484b0570420f30dmikesamuel  //
14096f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Note that this isn't as accurate as it could be.  Even if there isn't
14106f71b09d7575db927c132c916484b0570420f30dmikesamuel  // a case for a particular enum value as long as that enum value isn't
14116f71b09d7575db927c132c916484b0570420f30dmikesamuel  // feasible then it shouldn't be considered for making 'default:' reachable.
14126f71b09d7575db927c132c916484b0570420f30dmikesamuel  const SwitchStmt *SS = builder.getSwitch();
14136f71b09d7575db927c132c916484b0570420f30dmikesamuel  const Expr *CondExpr = SS->getCond()->IgnoreParenImpCasts();
14146f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (CondExpr->getType()->getAs<EnumType>()) {
14156f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (SS->isAllEnumCasesCovered())
1416qR      return;
14176f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
14186f71b09d7575db927c132c916484b0570420f30dmikesamuel
14196f71b09d7575db927c132c916484b0570420f30dmikesamuel  builder.generateDefaultCaseNode(DefaultSt);
14206f71b09d7575db927c132c916484b0570420f30dmikesamuel}
1421r��}U\��_�
14226f71b09d7575db927c132c916484b0570420f30dmikesamuel//===----------------------------------------------------------------------===//
14236f71b09d7575db927c132c916484b0570420f30dmikesamuel// Transfer functions: Loads and stores.
14246f71b09d7575db927c132c916484b0570420f30dmikesamuel//===----------------------------------------------------------------------===//
14256f71b09d7575db927c132c916484b0570420f30dmikesamuel
14266f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::VisitCommonDeclRefExpr(const Expr *Ex, const NamedDecl *D,
14276f71b09d7575db927c132c916484b0570420f30dmikesamuel                                        ExplodedNode *Pred,
14286f71b09d7575db927c132c916484b0570420f30dmikesamuel                                        ExplodedNodeSet &Dst) {
14296f71b09d7575db927c132c916484b0570420f30dmikesamuel  StmtNodeBuilder Bldr(Pred, Dst, *currentBuilderContext);
14306f71b09d7575db927c132c916484b0570420f30dmikesamuel
14316f71b09d7575db927c132c916484b0570420f30dmikesamuel  ProgramStateRef state = Pred->getState();
14326f71b09d7575db927c132c916484b0570420f30dmikesamuel  const LocationContext *LCtx = Pred->getLocationContext();
14336f71b09d7575db927c132c916484b0570420f30dmikesamuel
14346f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (const VarDecl *VD = dyn_cast<VarDecl>(D)) {
14356f71b09d7575db927c132c916484b0570420f30dmikesamuel    assert(Ex->isLValue());
14366f71b09d7575db927c132c916484b0570420f30dmikesamuel    SVal V = state->getLValue(VD, Pred->getLocationContext());
14376f71b09d7575db927c132c916484b0570420f30dmikesamuel
14386f71b09d7575db927c132c916484b0570420f30dmikesamuel    // For references, the 'lvalue' is the pointer address stored in the
14396f71b09d7575db927c132c916484b0570420f30dmikesamuel    // reference region.
14406f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (VD->getType()->isReferenceType()) {
14416f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (const MemRegion *R = V.getAsRegion())
14426f71b09d7575db927c132c916484b0570420f30dmikesamuel        V = state->getSVal(R);
14436f71b09d7575db927c132c916484b0570420f30dmikesamuel      else
14446f71b09d7575db927c132c916484b0570420f30dmikesamuel        V = UnknownVal();
1445oض���ǻ    }
14466f71b09d7575db927c132c916484b0570420f30dmikesamuel
14476f71b09d7575db927c132c916484b0570420f30dmikesamuel    Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), false, 0,
14486f71b09d7575db927c132c916484b0570420f30dmikesamuel                      ProgramPoint::PostLValueKind);
14498CjOT��=ɞچ���Ŀ��t@��zc    return;
14506f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
14516f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (const EnumConstantDecl *ED = dyn_cast<EnumConstantDecl>(D)) {
14526f71b09d7575db927c132c916484b0570420f30dmikesamuel    assert(!Ex->isLValue());
1453Z�Un��JUhk�XN��rj�S����]����    SVal V = svalBuilder.makeIntVal(ED->getInitVal());
14546f71b09d7575db927c132c916484b0570420f30dmikesamuel    Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V));
14556f71b09d7575db927c132c916484b0570420f30dmikesamuel    return;
14566f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
14576f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) {
1458g���)[|���    SVal V = svalBuilder.getFunctionPointer(FD);
14596f71b09d7575db927c132c916484b0570420f30dmikesamuel    Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), false, 0,
14606f71b09d7575db927c132c916484b0570420f30dmikesamuel                      ProgramPoint::PostLValueKind);
14616f71b09d7575db927c132c916484b0570420f30dmikesamuel    return;
1462pW�f$׼L^�#��/PK  }
14636f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (isa<FieldDecl>(D)) {
1464v-}ԍ    // FIXME: Compute lvalue of fields.
14656f71b09d7575db927c132c916484b0570420f30dmikesamuel    Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, UnknownVal()),
14666f71b09d7575db927c132c916484b0570420f30dmikesamuel		      false, 0, ProgramPoint::PostLValueKind);
14676f71b09d7575db927c132c916484b0570420f30dmikesamuel    return;
14686f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
14696f71b09d7575db927c132c916484b0570420f30dmikesamuel
1470Rcx�ᛇ|�{|��|��Ox�g%|�*�kv���%���U�OX�adݰ�.�/�^�є��:�Tְ��z��W�ՂI'����fN�|��WF�a-��e��T�F��kEE  assert (false &&
1471uRY��          "ValueDecl support for this ValueDecl not implemented.");
1472Bu=�}
14736f71b09d7575db927c132c916484b0570420f30dmikesamuel
14746f71b09d7575db927c132c916484b0570420f30dmikesamuel/// VisitArraySubscriptExpr - Transfer function for array accesses
14756f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::VisitLvalArraySubscriptExpr(const ArraySubscriptExpr *A,
14766f71b09d7575db927c132c916484b0570420f30dmikesamuel                                             ExplodedNode *Pred,
14776f71b09d7575db927c132c916484b0570420f30dmikesamuel                                             ExplodedNodeSet &Dst){
14786f71b09d7575db927c132c916484b0570420f30dmikesamuel
1479z�s�K�!/��JE�C~�!������d�z���R�t���c��F��+  const Expr *Base = A->getBase()->IgnoreParens();
14806f71b09d7575db927c132c916484b0570420f30dmikesamuel  const Expr *Idx  = A->getIdx()->IgnoreParens();
14816f71b09d7575db927c132c916484b0570420f30dmikesamuel
14826f71b09d7575db927c132c916484b0570420f30dmikesamuel
1483p  ExplodedNodeSet checkerPreStmt;
1484E�w.�O���T�������^�����,�k�!ԝ糅Җ�����dlӤ�%���	E���L�P�p�xSEjTN���^oܾT'Ru�M����Ĩ  getCheckerManager().runCheckersForPreStmt(checkerPreStmt, Pred, A, *this);
14856f71b09d7575db927c132c916484b0570420f30dmikesamuel
14866f71b09d7575db927c132c916484b0570420f30dmikesamuel  StmtNodeBuilder Bldr(checkerPreStmt, Dst, *currentBuilderContext);
1487Z����Ij����s�������??���
14886f71b09d7575db927c132c916484b0570420f30dmikesamuel  for (ExplodedNodeSet::iterator it = checkerPreStmt.begin(),
1489mWt@!���.Dڠ�������`��q�jg{�WĮ�g�Hk���f����U�r�                                 ei = checkerPreStmt.end(); it != ei; ++it) {
1490XW�������    const LocationContext *LCtx = (*it)->getLocationContext();
14916f71b09d7575db927c132c916484b0570420f30dmikesamuel    ProgramStateRef state = (*it)->getState();
14926f71b09d7575db927c132c916484b0570420f30dmikesamuel    SVal V = state->getLValue(A->getType(),
14936f71b09d7575db927c132c916484b0570420f30dmikesamuel                              state->getSVal(Idx, LCtx),
14946f71b09d7575db927c132c916484b0570420f30dmikesamuel                              state->getSVal(Base, LCtx));
14956f71b09d7575db927c132c916484b0570420f30dmikesamuel    assert(A->isLValue());
1496uD�=�jAp�m�h�t�~��q����YfV�]�.��B�%���	Q���kP�G�f�\;i    Bldr.generateNode(A, *it, state->BindExpr(A, LCtx, V),
14976f71b09d7575db927c132c916484b0570420f30dmikesamuel                      false, 0, ProgramPoint::PostLValueKind);
14986f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
14996f71b09d7575db927c132c916484b0570420f30dmikesamuel}
15006f71b09d7575db927c132c916484b0570420f30dmikesamuel
15016f71b09d7575db927c132c916484b0570420f30dmikesamuel/// VisitMemberExpr - Transfer function for member expressions.
15026f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::VisitMemberExpr(const MemberExpr *M, ExplodedNode *Pred,
15036f71b09d7575db927c132c916484b0570420f30dmikesamuel                                 ExplodedNodeSet &TopDst) {
15046f71b09d7575db927c132c916484b0570420f30dmikesamuel
15056f71b09d7575db927c132c916484b0570420f30dmikesamuel  StmtNodeBuilder Bldr(Pred, TopDst, *currentBuilderContext);
15066f71b09d7575db927c132c916484b0570420f30dmikesamuel  ExplodedNodeSet Dst;
15076f71b09d7575db927c132c916484b0570420f30dmikesamuel  Decl *member = M->getMemberDecl();
15086f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (VarDecl *VD = dyn_cast<VarDecl>(member)) {
15096f71b09d7575db927c132c916484b0570420f30dmikesamuel    assert(M->isLValue());
15106f71b09d7575db927c132c916484b0570420f30dmikesamuel    Bldr.takeNodes(Pred);
15119���J    VisitCommonDeclRefExpr(M, VD, Pred, Dst);
15126f71b09d7575db927c132c916484b0570420f30dmikesamuel    Bldr.addNodes(Dst);
15136f71b09d7575db927c132c916484b0570420f30dmikesamuel    return;
15146f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
15156f71b09d7575db927c132c916484b0570420f30dmikesamuel
1516Sy  FieldDecl *field = dyn_cast<FieldDecl>(member);
15176f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (!field) // FIXME: skipping member expressions for non-fields
15186f71b09d7575db927c132c916484b0570420f30dmikesamuel    return;
15196f71b09d7575db927c132c916484b0570420f30dmikesamuel
15206f71b09d7575db927c132c916484b0570420f30dmikesamuel  Expr *baseExpr = M->getBase()->IgnoreParens();
15216f71b09d7575db927c132c916484b0570420f30dmikesamuel  ProgramStateRef state = Pred->getState();
15226f71b09d7575db927c132c916484b0570420f30dmikesamuel  const LocationContext *LCtx = Pred->getLocationContext();
15236f71b09d7575db927c132c916484b0570420f30dmikesamuel  SVal baseExprVal = state->getSVal(baseExpr, Pred->getLocationContext());
15246f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (isa<nonloc::LazyCompoundVal>(baseExprVal) ||
15256f71b09d7575db927c132c916484b0570420f30dmikesamuel      isa<nonloc::CompoundVal>(baseExprVal) ||
15266f71b09d7575db927c132c916484b0570420f30dmikesamuel      // FIXME: This can originate by conjuring a symbol for an unknown
1527p�C���%�M���K��K�      // temporary struct object, see test/Analysis/fields.c:
1528U��&��&�o�D��:H�      // (p = getit()).x
15296f71b09d7575db927c132c916484b0570420f30dmikesamuel      isa<nonloc::SymbolVal>(baseExprVal)) {
15306f71b09d7575db927c132c916484b0570420f30dmikesamuel    Bldr.generateNode(M, Pred, state->BindExpr(M, LCtx, UnknownVal()));
15310V�ZY�̚��    return;
15326f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
15336f71b09d7575db927c132c916484b0570420f30dmikesamuel
15346f71b09d7575db927c132c916484b0570420f30dmikesamuel  // FIXME: Should we insert some assumption logic in here to determine
15356f71b09d7575db927c132c916484b0570420f30dmikesamuel  // if "Base" is a valid piece of memory?  Before we put this assumption
15366f71b09d7575db927c132c916484b0570420f30dmikesamuel  // later when using FieldOffset lvals (which we no longer have).
15376f71b09d7575db927c132c916484b0570420f30dmikesamuel
15386f71b09d7575db927c132c916484b0570420f30dmikesamuel  // For all other cases, compute an lvalue.
15396f71b09d7575db927c132c916484b0570420f30dmikesamuel  SVal L = state->getLValue(field, baseExprVal);
15406f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (M->isLValue())
1541D�OU,��垃�Vn]�[q-�ɣ��E�����s��    Bldr.generateNode(M, Pred, state->BindExpr(M, LCtx, L), false, 0,
15426f71b09d7575db927c132c916484b0570420f30dmikesamuel                      ProgramPoint::PostLValueKind);
15436f71b09d7575db927c132c916484b0570420f30dmikesamuel  else {
15446f71b09d7575db927c132c916484b0570420f30dmikesamuel    Bldr.takeNodes(Pred);
15456f71b09d7575db927c132c916484b0570420f30dmikesamuel    evalLoad(Dst, M, M, Pred, state, L);
15466f71b09d7575db927c132c916484b0570420f30dmikesamuel    Bldr.addNodes(Dst);
15476f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
15486f71b09d7575db927c132c916484b0570420f30dmikesamuel}
1549N>�]
15506f71b09d7575db927c132c916484b0570420f30dmikesamuel/// evalBind - Handle the semantics of binding a value to a specific location.
15516f71b09d7575db927c132c916484b0570420f30dmikesamuel///  This method is used by evalStore and (soon) VisitDeclStmt, and others.
15526f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::evalBind(ExplodedNodeSet &Dst, const Stmt *StoreE,
15536f71b09d7575db927c132c916484b0570420f30dmikesamuel                          ExplodedNode *Pred,
15546f71b09d7575db927c132c916484b0570420f30dmikesamuel                          SVal location, SVal Val, bool atDeclInit) {
15556f71b09d7575db927c132c916484b0570420f30dmikesamuel
15566f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Do a previsit of the bind.
15576f71b09d7575db927c132c916484b0570420f30dmikesamuel  ExplodedNodeSet CheckedSet;
15586f71b09d7575db927c132c916484b0570420f30dmikesamuel  getCheckerManager().runCheckersForBind(CheckedSet, Pred, location, Val,
15596f71b09d7575db927c132c916484b0570420f30dmikesamuel                                         StoreE, *this,
15606f71b09d7575db927c132c916484b0570420f30dmikesamuel                                         ProgramPoint::PostStmtKind);
15616f71b09d7575db927c132c916484b0570420f30dmikesamuel
1562M��uVp�q�ީp�߭�(D�[�$.^�@�J�f  ExplodedNodeSet TmpDst;
15636f71b09d7575db927c132c916484b0570420f30dmikesamuel  StmtNodeBuilder Bldr(CheckedSet, TmpDst, *currentBuilderContext);
15646f71b09d7575db927c132c916484b0570420f30dmikesamuel
15656f71b09d7575db927c132c916484b0570420f30dmikesamuel  const LocationContext *LC = Pred->getLocationContext();
15663�`�I%K�rls������	g��\U���ֳ��"�I}�  for (ExplodedNodeSet::iterator I = CheckedSet.begin(), E = CheckedSet.end();
15676f71b09d7575db927c132c916484b0570420f30dmikesamuel       I!=E; ++I) {
15686f71b09d7575db927c132c916484b0570420f30dmikesamuel    ExplodedNode *PredI = *I;
15696f71b09d7575db927c132c916484b0570420f30dmikesamuel    ProgramStateRef state = PredI->getState();
15706f71b09d7575db927c132c916484b0570420f30dmikesamuel
15716f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (atDeclInit) {
15726f71b09d7575db927c132c916484b0570420f30dmikesamuel      const VarRegion *VR =
15736f71b09d7575db927c132c916484b0570420f30dmikesamuel        cast<VarRegion>(cast<loc::MemRegionVal>(location).getRegion());
15746f71b09d7575db927c132c916484b0570420f30dmikesamuel
15756f71b09d7575db927c132c916484b0570420f30dmikesamuel      state = state->bindDecl(VR, Val);
1576n��>����!    } else {
1577LqD�Y��D{=ꖻE˩�����L�%Ơ��oR���$��	��܏'Q�PK      state = state->bindLoc(location, Val);
15786f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
15796f71b09d7575db927c132c916484b0570420f30dmikesamuel
15806f71b09d7575db927c132c916484b0570420f30dmikesamuel    const MemRegion *LocReg = 0;
15816f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (loc::MemRegionVal *LocRegVal = dyn_cast<loc::MemRegionVal>(&location))
15826f71b09d7575db927c132c916484b0570420f30dmikesamuel      LocReg = LocRegVal->getRegion();
15836f71b09d7575db927c132c916484b0570420f30dmikesamuel
15846f71b09d7575db927c132c916484b0570420f30dmikesamuel    const ProgramPoint L = PostStore(StoreE, LC, LocReg, 0);
15856f71b09d7575db927c132c916484b0570420f30dmikesamuel    Bldr.generateNode(L, PredI, state, false);
15866f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
15876f71b09d7575db927c132c916484b0570420f30dmikesamuel
15886f71b09d7575db927c132c916484b0570420f30dmikesamuel  Dst.insert(TmpDst);
15894NCh�%��|�t���铬�r�}
15906f71b09d7575db927c132c916484b0570420f30dmikesamuel
15916f71b09d7575db927c132c916484b0570420f30dmikesamuel/// evalStore - Handle the semantics of a store via an assignment.
15926f71b09d7575db927c132c916484b0570420f30dmikesamuel///  @param Dst The node set to store generated state nodes
15936f71b09d7575db927c132c916484b0570420f30dmikesamuel///  @param AssignE The assignment expression if the store happens in an
15946f71b09d7575db927c132c916484b0570420f30dmikesamuel///         assignment.
15956f71b09d7575db927c132c916484b0570420f30dmikesamuel///  @param LocatioinE The location expression that is stored to.
15966f71b09d7575db927c132c916484b0570420f30dmikesamuel///  @param state The current simulation state
15976f71b09d7575db927c132c916484b0570420f30dmikesamuel///  @param location The location to store the value
15986f71b09d7575db927c132c916484b0570420f30dmikesamuel///  @param Val The value to be stored
15996f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::evalStore(ExplodedNodeSet &Dst, const Expr *AssignE,
16006f71b09d7575db927c132c916484b0570420f30dmikesamuel                             const Expr *LocationE,
16016f71b09d7575db927c132c916484b0570420f30dmikesamuel                             ExplodedNode *Pred,
16026f71b09d7575db927c132c916484b0570420f30dmikesamuel                             ProgramStateRef state, SVal location, SVal Val,
16036f71b09d7575db927c132c916484b0570420f30dmikesamuel                             const ProgramPointTag *tag) {
16046f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Proceed with the store.  We use AssignE as the anchor for the PostStore
16056f71b09d7575db927c132c916484b0570420f30dmikesamuel  // ProgramPoint if it is non-NULL, and LocationE otherwise.
16066f71b09d7575db927c132c916484b0570420f30dmikesamuel  const Expr *StoreE = AssignE ? AssignE : LocationE;
1607z�#�!"�/�
16086f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (isa<loc::ObjCPropRef>(location)) {
16096f71b09d7575db927c132c916484b0570420f30dmikesamuel    assert(false);
16106f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
16116f71b09d7575db927c132c916484b0570420f30dmikesamuel
1612z��S+�  // Evaluate the location (checks for bad dereferences).
16136f71b09d7575db927c132c916484b0570420f30dmikesamuel  ExplodedNodeSet Tmp;
16146f71b09d7575db927c132c916484b0570420f30dmikesamuel  evalLocation(Tmp, AssignE, LocationE, Pred, state, location, tag, false);
16156f71b09d7575db927c132c916484b0570420f30dmikesamuel
16166f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (Tmp.empty())
1617Ld�㇒��    return;
16186f71b09d7575db927c132c916484b0570420f30dmikesamuel
1619WpUd��\�  if (location.isUndef())
16206f71b09d7575db927c132c916484b0570420f30dmikesamuel    return;
16216f71b09d7575db927c132c916484b0570420f30dmikesamuel
16226f71b09d7575db927c132c916484b0570420f30dmikesamuel  for (ExplodedNodeSet::iterator NI=Tmp.begin(), NE=Tmp.end(); NI!=NE; ++NI)
16236f71b09d7575db927c132c916484b0570420f30dmikesamuel    evalBind(Dst, StoreE, *NI, location, Val, false);
16246f71b09d7575db927c132c916484b0570420f30dmikesamuel}
16256f71b09d7575db927c132c916484b0570420f30dmikesamuel
16266f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::evalLoad(ExplodedNodeSet &Dst,
16276f71b09d7575db927c132c916484b0570420f30dmikesamuel                          const Expr *NodeEx,
16286f71b09d7575db927c132c916484b0570420f30dmikesamuel                          const Expr *BoundEx,
16296f71b09d7575db927c132c916484b0570420f30dmikesamuel                          ExplodedNode *Pred,
16306f71b09d7575db927c132c916484b0570420f30dmikesamuel                          ProgramStateRef state,
16316f71b09d7575db927c132c916484b0570420f30dmikesamuel                          SVal location,
16326f71b09d7575db927c132c916484b0570420f30dmikesamuel                          const ProgramPointTag *tag,
1633a2�C^x�YP+                          QualType LoadTy)
16346f71b09d7575db927c132c916484b0570420f30dmikesamuel{
16356f71b09d7575db927c132c916484b0570420f30dmikesamuel  assert(!isa<NonLoc>(location) && "location cannot be a NonLoc.");
16366f71b09d7575db927c132c916484b0570420f30dmikesamuel  assert(!isa<loc::ObjCPropRef>(location));
16376f71b09d7575db927c132c916484b0570420f30dmikesamuel
16386f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Are we loading from a region?  This actually results in two loads; one
1639x����`u]]hIc�Y�>��޸�?�Fz,  // to fetch the address of the referenced value and one to fetch the
16406f71b09d7575db927c132c916484b0570420f30dmikesamuel  // referenced value.
16416f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (const TypedValueRegion *TR =
1642Y�**��        dyn_cast_or_null<TypedValueRegion>(location.getAsRegion())) {
1643FqT�E�)���J�
16446f71b09d7575db927c132c916484b0570420f30dmikesamuel    QualType ValTy = TR->getValueType();
16456f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (const ReferenceType *RT = ValTy->getAs<ReferenceType>()) {
16466f71b09d7575db927c132c916484b0570420f30dmikesamuel      static SimpleProgramPointTag
16476f71b09d7575db927c132c916484b0570420f30dmikesamuel             loadReferenceTag("ExprEngine : Load Reference");
16486f71b09d7575db927c132c916484b0570420f30dmikesamuel      ExplodedNodeSet Tmp;
1649bv      evalLoadCommon(Tmp, NodeEx, BoundEx, Pred, state,
16506f71b09d7575db927c132c916484b0570420f30dmikesamuel                     location, &loadReferenceTag,
16516f71b09d7575db927c132c916484b0570420f30dmikesamuel                     getContext().getPointerType(RT->getPointeeType()));
16526f71b09d7575db927c132c916484b0570420f30dmikesamuel
16536f71b09d7575db927c132c916484b0570420f30dmikesamuel      // Perform the load from the referenced value.
16546f71b09d7575db927c132c916484b0570420f30dmikesamuel      for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end() ; I!=E; ++I) {
16556f71b09d7575db927c132c916484b0570420f30dmikesamuel        state = (*I)->getState();
16566f71b09d7575db927c132c916484b0570420f30dmikesamuel        location = state->getSVal(BoundEx, (*I)->getLocationContext());
16576f71b09d7575db927c132c916484b0570420f30dmikesamuel        evalLoadCommon(Dst, NodeEx, BoundEx, *I, state, location, tag, LoadTy);
16586f71b09d7575db927c132c916484b0570420f30dmikesamuel      }
16596f71b09d7575db927c132c916484b0570420f30dmikesamuel      return;
16606f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
16616f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
16626f71b09d7575db927c132c916484b0570420f30dmikesamuel
1663ZFO6�ݩ�iXV�Yx�Wv  evalLoadCommon(Dst, NodeEx, BoundEx, Pred, state, location, tag, LoadTy);
16646f71b09d7575db927c132c916484b0570420f30dmikesamuel}
16656f71b09d7575db927c132c916484b0570420f30dmikesamuel
16666f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::evalLoadCommon(ExplodedNodeSet &Dst,
16676f71b09d7575db927c132c916484b0570420f30dmikesamuel                                const Expr *NodeEx,
16686f71b09d7575db927c132c916484b0570420f30dmikesamuel                                const Expr *BoundEx,
16696f71b09d7575db927c132c916484b0570420f30dmikesamuel                                ExplodedNode *Pred,
16706f71b09d7575db927c132c916484b0570420f30dmikesamuel                                ProgramStateRef state,
1671cx_x�����>|����)������a�(�L��                                SVal location,
1672o�Յ���c�ǵ>�'-�M�!�%K�N�%�{;�a����$���D:U�t���R�\]�RZ]ӫ�                                const ProgramPointTag *tag,
1673H�����W���'�����h#�c�:N�C�et�L�N���@�r�@                                QualType LoadTy) {
16746f71b09d7575db927c132c916484b0570420f30dmikesamuel  assert(NodeEx);
16755�~]Rn,�n*�n.n)n-�	��|��� ��޾����PK  assert(BoundEx);
16766f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Evaluate the location (checks for bad dereferences).
16776f71b09d7575db927c132c916484b0570420f30dmikesamuel  ExplodedNodeSet Tmp;
1678u-��  evalLocation(Tmp, NodeEx, BoundEx, Pred, state, location, tag, true);
1679h)uS���U����H��h�%��  if (Tmp.empty())
16806f71b09d7575db927c132c916484b0570420f30dmikesamuel    return;
16816f71b09d7575db927c132c916484b0570420f30dmikesamuel
16826f71b09d7575db927c132c916484b0570420f30dmikesamuel  StmtNodeBuilder Bldr(Tmp, Dst, *currentBuilderContext);
16836f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (location.isUndef())
16843��$����$�    return;
1685x�Z���
16866f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Proceed with the load.
16876f71b09d7575db927c132c916484b0570420f30dmikesamuel  for (ExplodedNodeSet::iterator NI=Tmp.begin(), NE=Tmp.end(); NI!=NE; ++NI) {
16886f71b09d7575db927c132c916484b0570420f30dmikesamuel    state = (*NI)->getState();
16896f71b09d7575db927c132c916484b0570420f30dmikesamuel    const LocationContext *LCtx = (*NI)->getLocationContext();
16906f71b09d7575db927c132c916484b0570420f30dmikesamuel
16916f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (location.isUnknown()) {
16926f71b09d7575db927c132c916484b0570420f30dmikesamuel      // This is important.  We must nuke the old binding.
16936f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.generateNode(NodeEx, *NI,
16946f71b09d7575db927c132c916484b0570420f30dmikesamuel                        state->BindExpr(BoundEx, LCtx, UnknownVal()),
16956f71b09d7575db927c132c916484b0570420f30dmikesamuel                        false, tag,
16966f71b09d7575db927c132c916484b0570420f30dmikesamuel                        ProgramPoint::PostLoadKind);
16976f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
16986f71b09d7575db927c132c916484b0570420f30dmikesamuel    else {
16996f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (LoadTy.isNull())
17006f71b09d7575db927c132c916484b0570420f30dmikesamuel        LoadTy = BoundEx->getType();
17016f71b09d7575db927c132c916484b0570420f30dmikesamuel      SVal V = state->getSVal(cast<Loc>(location), LoadTy);
17026f71b09d7575db927c132c916484b0570420f30dmikesamuel      Bldr.generateNode(NodeEx, *NI,
17035g��,                        state->bindExprAndLocation(BoundEx, LCtx, location, V),
17046f71b09d7575db927c132c916484b0570420f30dmikesamuel                        false, tag, ProgramPoint::PostLoadKind);
17056f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
17066f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
17076f71b09d7575db927c132c916484b0570420f30dmikesamuel}
17086f71b09d7575db927c132c916484b0570420f30dmikesamuel
1709p��L�V.U�R�.��void ExprEngine::evalLocation(ExplodedNodeSet &Dst,
17106f71b09d7575db927c132c916484b0570420f30dmikesamuel                              const Stmt *NodeEx,
17116f71b09d7575db927c132c916484b0570420f30dmikesamuel                              const Stmt *BoundEx,
17126f71b09d7575db927c132c916484b0570420f30dmikesamuel                              ExplodedNode *Pred,
1713Nrv';�H*�ﰲn~��                              ProgramStateRef state,
17146f71b09d7575db927c132c916484b0570420f30dmikesamuel                              SVal location,
1715_f                              const ProgramPointTag *tag,
17166f71b09d7575db927c132c916484b0570420f30dmikesamuel                              bool isLoad) {
17176f71b09d7575db927c132c916484b0570420f30dmikesamuel  StmtNodeBuilder BldrTop(Pred, Dst, *currentBuilderContext);
17186f71b09d7575db927c132c916484b0570420f30dmikesamuel  // Early checks for performance reason.
17196f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (location.isUnknown()) {
17206f71b09d7575db927c132c916484b0570420f30dmikesamuel    return;
1721wr���`�x�g�Za�E�*�jO� /  }
17226f71b09d7575db927c132c916484b0570420f30dmikesamuel
1723q8��  ExplodedNodeSet Src;
17240^�L)�  BldrTop.takeNodes(Pred);
17256f71b09d7575db927c132c916484b0570420f30dmikesamuel  StmtNodeBuilder Bldr(Pred, Src, *currentBuilderContext);
17266f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (Pred->getState() != state) {
17276f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Associate this new state with an ExplodedNode.
1728y.F�R���    // FIXME: If I pass null tag, the graph is incorrect, e.g for
17296f71b09d7575db927c132c916484b0570420f30dmikesamuel    //   int *p;
17306f71b09d7575db927c132c916484b0570420f30dmikesamuel    //   p = 0;
17316f71b09d7575db927c132c916484b0570420f30dmikesamuel    //   *p = 0xDEADBEEF;
17326f71b09d7575db927c132c916484b0570420f30dmikesamuel    // "p = 0" is not noted as "Null pointer value stored to 'p'" but
17336f71b09d7575db927c132c916484b0570420f30dmikesamuel    // instead "int *p" is noted as
1734comz饗	z�A�&��p��!=�@���    // "Variable 'p' initialized to a null pointer value"
17356f71b09d7575db927c132c916484b0570420f30dmikesamuel
17366f71b09d7575db927c132c916484b0570420f30dmikesamuel    // FIXME: why is 'tag' not used instead of etag?
17376f71b09d7575db927c132c916484b0570420f30dmikesamuel    static SimpleProgramPointTag etag("ExprEngine: Location");
1738Khdɰb�+    Bldr.generateNode(NodeEx, Pred, state, false, &etag);
17396f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
17406f71b09d7575db927c132c916484b0570420f30dmikesamuel  ExplodedNodeSet Tmp;
17416f71b09d7575db927c132c916484b0570420f30dmikesamuel  getCheckerManager().runCheckersForLocation(Tmp, Src, location, isLoad,
17426f71b09d7575db927c132c916484b0570420f30dmikesamuel                                             NodeEx, BoundEx, *this);
17436f71b09d7575db927c132c916484b0570420f30dmikesamuel  BldrTop.addNodes(Tmp);
17446f71b09d7575db927c132c916484b0570420f30dmikesamuel}
17456f71b09d7575db927c132c916484b0570420f30dmikesamuel
17466f71b09d7575db927c132c916484b0570420f30dmikesamuelstd::pair<const ProgramPointTag *, const ProgramPointTag*>
1747zV�O`:m�\���hn���m�K��Jӓg���"��#ExprEngine::getEagerlyAssumeTags() {
17486f71b09d7575db927c132c916484b0570420f30dmikesamuel  static SimpleProgramPointTag
17496f71b09d7575db927c132c916484b0570420f30dmikesamuel         EagerlyAssumeTrue("ExprEngine : Eagerly Assume True"),
17506f71b09d7575db927c132c916484b0570420f30dmikesamuel         EagerlyAssumeFalse("ExprEngine : Eagerly Assume False");
17516f71b09d7575db927c132c916484b0570420f30dmikesamuel  return std::make_pair(&EagerlyAssumeTrue, &EagerlyAssumeFalse);
17526f71b09d7575db927c132c916484b0570420f30dmikesamuel}
17536f71b09d7575db927c132c916484b0570420f30dmikesamuel
17546f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::evalEagerlyAssume(ExplodedNodeSet &Dst, ExplodedNodeSet &Src,
17556f71b09d7575db927c132c916484b0570420f30dmikesamuel                                   const Expr *Ex) {
17566f71b09d7575db927c132c916484b0570420f30dmikesamuel  StmtNodeBuilder Bldr(Src, Dst, *currentBuilderContext);
17576f71b09d7575db927c132c916484b0570420f30dmikesamuel
17586f71b09d7575db927c132c916484b0570420f30dmikesamuel  for (ExplodedNodeSet::iterator I=Src.begin(), E=Src.end(); I!=E; ++I) {
17596f71b09d7575db927c132c916484b0570420f30dmikesamuel    ExplodedNode *Pred = *I;
17606f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Test if the previous node was as the same expression.  This can happen
17616f71b09d7575db927c132c916484b0570420f30dmikesamuel    // when the expression fails to evaluate to anything meaningful and
17626f71b09d7575db927c132c916484b0570420f30dmikesamuel    // (as an optimization) we don't generate a node.
17636f71b09d7575db927c132c916484b0570420f30dmikesamuel    ProgramPoint P = Pred->getLocation();
17646f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (!isa<PostStmt>(P) || cast<PostStmt>(P).getStmt() != Ex) {
17656f71b09d7575db927c132c916484b0570420f30dmikesamuel      continue;
17666f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
1767E{ �A������
17686f71b09d7575db927c132c916484b0570420f30dmikesamuel    ProgramStateRef state = Pred->getState();
17696f71b09d7575db927c132c916484b0570420f30dmikesamuel    SVal V = state->getSVal(Ex, Pred->getLocationContext());
17706f71b09d7575db927c132c916484b0570420f30dmikesamuel    nonloc::SymbolVal *SEV = dyn_cast<nonloc::SymbolVal>(&V);
17716f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (SEV && SEV->isExpression()) {
1772FK�q��#X������      const std::pair<const ProgramPointTag *, const ProgramPointTag*> &tags =
17736f71b09d7575db927c132c916484b0570420f30dmikesamuel        getEagerlyAssumeTags();
17746f71b09d7575db927c132c916484b0570420f30dmikesamuel
17756f71b09d7575db927c132c916484b0570420f30dmikesamuel      // First assume that the condition is true.
17766f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (ProgramStateRef StateTrue = state->assume(*SEV, true)) {
17776f71b09d7575db927c132c916484b0570420f30dmikesamuel        SVal Val = svalBuilder.makeIntVal(1U, Ex->getType());
17786f71b09d7575db927c132c916484b0570420f30dmikesamuel        StateTrue = StateTrue->BindExpr(Ex, Pred->getLocationContext(), Val);
17796f71b09d7575db927c132c916484b0570420f30dmikesamuel        Bldr.generateNode(Ex, Pred, StateTrue, false, tags.first);
17806f71b09d7575db927c132c916484b0570420f30dmikesamuel      }
17816f71b09d7575db927c132c916484b0570420f30dmikesamuel
17828�IOI��לpm�;�ua�d����;�t��      // Next, assume that the condition is false.
17836f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (ProgramStateRef StateFalse = state->assume(*SEV, false)) {
17848���l%fp\�        SVal Val = svalBuilder.makeIntVal(0U, Ex->getType());
1785n+���Y���麽;��Yc��S�w^�|���        StateFalse = StateFalse->BindExpr(Ex, Pred->getLocationContext(), Val);
17866f71b09d7575db927c132c916484b0570420f30dmikesamuel        Bldr.generateNode(Ex, Pred, StateFalse, false, tags.second);
1787ql�z�ŀӼa�}rr�������Lz���ҫ)ݎj|�t���Մ�      }
17886f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
17896f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
17906f71b09d7575db927c132c916484b0570420f30dmikesamuel}
17916f71b09d7575db927c132c916484b0570420f30dmikesamuel
17926f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::VisitAsmStmt(const AsmStmt *A, ExplodedNode *Pred,
17936f71b09d7575db927c132c916484b0570420f30dmikesamuel                              ExplodedNodeSet &Dst) {
17946f71b09d7575db927c132c916484b0570420f30dmikesamuel  StmtNodeBuilder Bldr(Pred, Dst, *currentBuilderContext);
17956f71b09d7575db927c132c916484b0570420f30dmikesamuel  // We have processed both the inputs and the outputs.  All of the outputs
17966f71b09d7575db927c132c916484b0570420f30dmikesamuel  // should evaluate to Locs.  Nuke all of their values.
17976f71b09d7575db927c132c916484b0570420f30dmikesamuel
17986f71b09d7575db927c132c916484b0570420f30dmikesamuel  // FIXME: Some day in the future it would be nice to allow a "plug-in"
17996f71b09d7575db927c132c916484b0570420f30dmikesamuel  // which interprets the inline asm and stores proper results in the
18006f71b09d7575db927c132c916484b0570420f30dmikesamuel  // outputs.
18016f71b09d7575db927c132c916484b0570420f30dmikesamuel
1802m��\���u�Ϛ�[<����d��}����Z����F������]��ň�L���Y�~Q�o��o��cb^���x�D-^ԏ琢����Cm~�Ϳ���*�  ProgramStateRef state = Pred->getState();
1803xE�
18046f71b09d7575db927c132c916484b0570420f30dmikesamuel  for (AsmStmt::const_outputs_iterator OI = A->begin_outputs(),
18056f71b09d7575db927c132c916484b0570420f30dmikesamuel       OE = A->end_outputs(); OI != OE; ++OI) {
18066f71b09d7575db927c132c916484b0570420f30dmikesamuel    SVal X = state->getSVal(*OI, Pred->getLocationContext());
180755���w�v;��H�K���e�    assert (!isa<NonLoc>(X));  // Should be an Lval, or unknown, undef.
18086f71b09d7575db927c132c916484b0570420f30dmikesamuel
18096f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (isa<Loc>(X))
18106f71b09d7575db927c132c916484b0570420f30dmikesamuel      state = state->bindLoc(cast<Loc>(X), UnknownVal());
18116f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
18126f71b09d7575db927c132c916484b0570420f30dmikesamuel
1813g���Aܫ��Hq��I+d]�L  Bldr.generateNode(A, Pred, state);
18146f71b09d7575db927c132c916484b0570420f30dmikesamuel}
18156f71b09d7575db927c132c916484b0570420f30dmikesamuel
18166f71b09d7575db927c132c916484b0570420f30dmikesamuel//===----------------------------------------------------------------------===//
18176f71b09d7575db927c132c916484b0570420f30dmikesamuel// Visualization.
18186f71b09d7575db927c132c916484b0570420f30dmikesamuel//===----------------------------------------------------------------------===//
18196f71b09d7575db927c132c916484b0570420f30dmikesamuel
1820SZ_�.���j,��#��\-��	j�m�q�ǘ��B�c�D�#ifndef NDEBUG
18216f71b09d7575db927c132c916484b0570420f30dmikesamuelstatic ExprEngine* GraphPrintCheckerState;
18226f71b09d7575db927c132c916484b0570420f30dmikesamuelstatic SourceManager* GraphPrintSourceManager;
1823fNK
18246f71b09d7575db927c132c916484b0570420f30dmikesamuelnamespace llvm {
18256f71b09d7575db927c132c916484b0570420f30dmikesamueltemplate<>
18266f71b09d7575db927c132c916484b0570420f30dmikesamuelstruct DOTGraphTraits<ExplodedNode*> :
18276f71b09d7575db927c132c916484b0570420f30dmikesamuel  public DefaultDOTGraphTraits {
1828ZQ�E�<G�=����ݙ�>�*�xz:s�ν��������͓�>�(�ex%�����#��
18296f71b09d7575db927c132c916484b0570420f30dmikesamuel  DOTGraphTraits (bool isSimple=false) : DefaultDOTGraphTraits(isSimple) {}
18306f71b09d7575db927c132c916484b0570420f30dmikesamuel
18316f71b09d7575db927c132c916484b0570420f30dmikesamuel  // FIXME: Since we do not cache error nodes in ExprEngine now, this does not
1832_�O&�t  // work.
18336f71b09d7575db927c132c916484b0570420f30dmikesamuel  static std::string getNodeAttributes(const ExplodedNode *N, void*) {
18346f71b09d7575db927c132c916484b0570420f30dmikesamuel
18356f71b09d7575db927c132c916484b0570420f30dmikesamuel#if 0
18366f71b09d7575db927c132c916484b0570420f30dmikesamuel      // FIXME: Replace with a general scheme to tell if the node is
18376f71b09d7575db927c132c916484b0570420f30dmikesamuel      // an error node.
18386f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (GraphPrintCheckerState->isImplicitNullDeref(N) ||
18396f71b09d7575db927c132c916484b0570420f30dmikesamuel        GraphPrintCheckerState->isExplicitNullDeref(N) ||
18406f71b09d7575db927c132c916484b0570420f30dmikesamuel        GraphPrintCheckerState->isUndefDeref(N) ||
18416f71b09d7575db927c132c916484b0570420f30dmikesamuel        GraphPrintCheckerState->isUndefStore(N) ||
18426f71b09d7575db927c132c916484b0570420f30dmikesamuel        GraphPrintCheckerState->isUndefControlFlow(N) ||
18436f71b09d7575db927c132c916484b0570420f30dmikesamuel        GraphPrintCheckerState->isUndefResult(N) ||
1844y2,�        GraphPrintCheckerState->isBadCall(N) ||
1845ax]���چ�'ꭻ+�.̚���ቶ        GraphPrintCheckerState->isUndefArg(N))
18466f71b09d7575db927c132c916484b0570420f30dmikesamuel      return "color=\"red\",style=\"filled\"";
18476f71b09d7575db927c132c916484b0570420f30dmikesamuel
18486f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (GraphPrintCheckerState->isNoReturnCall(N))
18496f71b09d7575db927c132c916484b0570420f30dmikesamuel      return "color=\"blue\",style=\"filled\"";
18506f71b09d7575db927c132c916484b0570420f30dmikesamuel#endif
18516f71b09d7575db927c132c916484b0570420f30dmikesamuel    return "";
18526f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
18536f71b09d7575db927c132c916484b0570420f30dmikesamuel
18546f71b09d7575db927c132c916484b0570420f30dmikesamuel  static std::string getNodeLabel(const ExplodedNode *N, void*){
18556f71b09d7575db927c132c916484b0570420f30dmikesamuel
18566f71b09d7575db927c132c916484b0570420f30dmikesamuel    std::string sbuf;
1857i���g    llvm::raw_string_ostream Out(sbuf);
18586f71b09d7575db927c132c916484b0570420f30dmikesamuel
18596f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Program Location.
18606f71b09d7575db927c132c916484b0570420f30dmikesamuel    ProgramPoint Loc = N->getLocation();
18616f71b09d7575db927c132c916484b0570420f30dmikesamuel
18626f71b09d7575db927c132c916484b0570420f30dmikesamuel    switch (Loc.getKind()) {
1863MTR(�����濨      case ProgramPoint::BlockEntranceKind:
18646f71b09d7575db927c132c916484b0570420f30dmikesamuel        Out << "Block Entrance: B"
18656f71b09d7575db927c132c916484b0570420f30dmikesamuel            << cast<BlockEntrance>(Loc).getBlock()->getBlockID();
18666f71b09d7575db927c132c916484b0570420f30dmikesamuel        break;
18676f71b09d7575db927c132c916484b0570420f30dmikesamuel
18686f71b09d7575db927c132c916484b0570420f30dmikesamuel      case ProgramPoint::BlockExitKind:
1869MUO��        assert (false);
18706f71b09d7575db927c132c916484b0570420f30dmikesamuel        break;
18716f71b09d7575db927c132c916484b0570420f30dmikesamuel
18726f71b09d7575db927c132c916484b0570420f30dmikesamuel      case ProgramPoint::CallEnterKind:
18736f71b09d7575db927c132c916484b0570420f30dmikesamuel        Out << "CallEnter";
18746f71b09d7575db927c132c916484b0570420f30dmikesamuel        break;
18756f71b09d7575db927c132c916484b0570420f30dmikesamuel
18766f71b09d7575db927c132c916484b0570420f30dmikesamuel      case ProgramPoint::CallExitKind:
18776f71b09d7575db927c132c916484b0570420f30dmikesamuel        Out << "CallExit";
18786f71b09d7575db927c132c916484b0570420f30dmikesamuel        break;
1879Q�!�x
18806f71b09d7575db927c132c916484b0570420f30dmikesamuel      case ProgramPoint::EpsilonKind:
18816f71b09d7575db927c132c916484b0570420f30dmikesamuel        Out << "Epsilon Point";
18827��Ż�˷��;e%�        break;
18836f71b09d7575db927c132c916484b0570420f30dmikesamuel
1884A?�XP�����oK���@`[��Q��|-�V��      default: {
18856f71b09d7575db927c132c916484b0570420f30dmikesamuel        if (StmtPoint *L = dyn_cast<StmtPoint>(&Loc)) {
18866f71b09d7575db927c132c916484b0570420f30dmikesamuel          const Stmt *S = L->getStmt();
18876f71b09d7575db927c132c916484b0570420f30dmikesamuel          SourceLocation SLoc = S->getLocStart();
18886f71b09d7575db927c132c916484b0570420f30dmikesamuel
18896f71b09d7575db927c132c916484b0570420f30dmikesamuel          Out << S->getStmtClassName() << ' ' << (void*) S << ' ';
18906f71b09d7575db927c132c916484b0570420f30dmikesamuel          LangOptions LO; // FIXME.
18916f71b09d7575db927c132c916484b0570420f30dmikesamuel          S->printPretty(Out, 0, PrintingPolicy(LO));
18926f71b09d7575db927c132c916484b0570420f30dmikesamuel
18936f71b09d7575db927c132c916484b0570420f30dmikesamuel          if (SLoc.isFileID()) {
18946f71b09d7575db927c132c916484b0570420f30dmikesamuel            Out << "\\lline="
1895occ�              << GraphPrintSourceManager->getExpansionLineNumber(SLoc)
18966f71b09d7575db927c132c916484b0570420f30dmikesamuel              << " col="
18976f71b09d7575db927c132c916484b0570420f30dmikesamuel              << GraphPrintSourceManager->getExpansionColumnNumber(SLoc)
18986f71b09d7575db927c132c916484b0570420f30dmikesamuel              << "\\l";
18996f71b09d7575db927c132c916484b0570420f30dmikesamuel          }
19000�*����u�
19016f71b09d7575db927c132c916484b0570420f30dmikesamuel          if (isa<PreStmt>(Loc))
19026f71b09d7575db927c132c916484b0570420f30dmikesamuel            Out << "\\lPreStmt\\l;";
1903UvLw����z�ێ��/zG����OԾ���'�Tk�;G���c�ק          else if (isa<PostLoad>(Loc))
19046f71b09d7575db927c132c916484b0570420f30dmikesamuel            Out << "\\lPostLoad\\l;";
19053����u���F�u���)��;Ȓ�ʰ��          else if (isa<PostStore>(Loc))
19066f71b09d7575db927c132c916484b0570420f30dmikesamuel            Out << "\\lPostStore\\l";
19076f71b09d7575db927c132c916484b0570420f30dmikesamuel          else if (isa<PostLValue>(Loc))
19086f71b09d7575db927c132c916484b0570420f30dmikesamuel            Out << "\\lPostLValue\\l";
19096f71b09d7575db927c132c916484b0570420f30dmikesamuel
19106f71b09d7575db927c132c916484b0570420f30dmikesamuel#if 0
19116f71b09d7575db927c132c916484b0570420f30dmikesamuel            // FIXME: Replace with a general scheme to determine
19126f71b09d7575db927c132c916484b0570420f30dmikesamuel            // the name of the check.
19136f71b09d7575db927c132c916484b0570420f30dmikesamuel          if (GraphPrintCheckerState->isImplicitNullDeref(N))
19146f71b09d7575db927c132c916484b0570420f30dmikesamuel            Out << "\\|Implicit-Null Dereference.\\l";
1915PY�*�@%"�o�L��	]U���Cf�蜦�u��~G          else if (GraphPrintCheckerState->isExplicitNullDeref(N))
19166f71b09d7575db927c132c916484b0570420f30dmikesamuel            Out << "\\|Explicit-Null Dereference.\\l";
19176f71b09d7575db927c132c916484b0570420f30dmikesamuel          else if (GraphPrintCheckerState->isUndefDeref(N))
19186f71b09d7575db927c132c916484b0570420f30dmikesamuel            Out << "\\|Dereference of undefialied value.\\l";
19196f71b09d7575db927c132c916484b0570420f30dmikesamuel          else if (GraphPrintCheckerState->isUndefStore(N))
19206f71b09d7575db927c132c916484b0570420f30dmikesamuel            Out << "\\|Store to Undefined Loc.";
1921J��/          else if (GraphPrintCheckerState->isUndefResult(N))
1922ao_ʵ���j�@[�z��Z=�iM�Ԗ�[k����v�L\[���            Out << "\\|Result of operation is undefined.";
19236f71b09d7575db927c132c916484b0570420f30dmikesamuel          else if (GraphPrintCheckerState->isNoReturnCall(N))
19246f71b09d7575db927c132c916484b0570420f30dmikesamuel            Out << "\\|Call to function marked \"noreturn\".";
1925p;���a��C|w��N&�{rG=ۅd��u�t�tW��C          else if (GraphPrintCheckerState->isBadCall(N))
19266f71b09d7575db927c132c916484b0570420f30dmikesamuel            Out << "\\|Call to NULL/Undefined.";
19276f71b09d7575db927c132c916484b0570420f30dmikesamuel          else if (GraphPrintCheckerState->isUndefArg(N))
19286f71b09d7575db927c132c916484b0570420f30dmikesamuel            Out << "\\|Argument in call is undefined";
19296f71b09d7575db927c132c916484b0570420f30dmikesamuel#endif
19306f71b09d7575db927c132c916484b0570420f30dmikesamuel
1931L��'���f!�ͼ�LW�ɗ�          break;
19326f71b09d7575db927c132c916484b0570420f30dmikesamuel        }
19336f71b09d7575db927c132c916484b0570420f30dmikesamuel
19346f71b09d7575db927c132c916484b0570420f30dmikesamuel        const BlockEdge &E = cast<BlockEdge>(Loc);
19356f71b09d7575db927c132c916484b0570420f30dmikesamuel        Out << "Edge: (B" << E.getSrc()->getBlockID() << ", B"
19366f71b09d7575db927c132c916484b0570420f30dmikesamuel            << E.getDst()->getBlockID()  << ')';
19376f71b09d7575db927c132c916484b0570420f30dmikesamuel
19386f71b09d7575db927c132c916484b0570420f30dmikesamuel        if (const Stmt *T = E.getSrc()->getTerminator()) {
19396f71b09d7575db927c132c916484b0570420f30dmikesamuel
19406f71b09d7575db927c132c916484b0570420f30dmikesamuel          SourceLocation SLoc = T->getLocStart();
19416f71b09d7575db927c132c916484b0570420f30dmikesamuel
19426f71b09d7575db927c132c916484b0570420f30dmikesamuel          Out << "\\|Terminator: ";
19436f71b09d7575db927c132c916484b0570420f30dmikesamuel          LangOptions LO; // FIXME.
19446f71b09d7575db927c132c916484b0570420f30dmikesamuel          E.getSrc()->printTerminator(Out, LO);
1945oz
19466f71b09d7575db927c132c916484b0570420f30dmikesamuel          if (SLoc.isFileID()) {
19476f71b09d7575db927c132c916484b0570420f30dmikesamuel            Out << "\\lline="
19486f71b09d7575db927c132c916484b0570420f30dmikesamuel              << GraphPrintSourceManager->getExpansionLineNumber(SLoc)
19496f71b09d7575db927c132c916484b0570420f30dmikesamuel              << " col="
19506f71b09d7575db927c132c916484b0570420f30dmikesamuel              << GraphPrintSourceManager->getExpansionColumnNumber(SLoc);
19516f71b09d7575db927c132c916484b0570420f30dmikesamuel          }
19526f71b09d7575db927c132c916484b0570420f30dmikesamuel
19536f71b09d7575db927c132c916484b0570420f30dmikesamuel          if (isa<SwitchStmt>(T)) {
1954kok߭���?            const Stmt *Label = E.getDst()->getLabel();
19556f71b09d7575db927c132c916484b0570420f30dmikesamuel
1956z�B�R��-            if (Label) {
1957IO�              if (const CaseStmt *C = dyn_cast<CaseStmt>(Label)) {
19586f71b09d7575db927c132c916484b0570420f30dmikesamuel                Out << "\\lcase ";
19596f71b09d7575db927c132c916484b0570420f30dmikesamuel                LangOptions LO; // FIXME.
19606f71b09d7575db927c132c916484b0570420f30dmikesamuel                C->getLHS()->printPretty(Out, 0, PrintingPolicy(LO));
1961E�b,q��{
19626f71b09d7575db927c132c916484b0570420f30dmikesamuel                if (const Stmt *RHS = C->getRHS()) {
19636f71b09d7575db927c132c916484b0570420f30dmikesamuel                  Out << " .. ";
19646f71b09d7575db927c132c916484b0570420f30dmikesamuel                  RHS->printPretty(Out, 0, PrintingPolicy(LO));
19656f71b09d7575db927c132c916484b0570420f30dmikesamuel                }
19666f71b09d7575db927c132c916484b0570420f30dmikesamuel
1967YBh��;S                Out << ":";
19686f71b09d7575db927c132c916484b0570420f30dmikesamuel              }
19696f71b09d7575db927c132c916484b0570420f30dmikesamuel              else {
1970V                assert (isa<DefaultStmt>(Label));
19716f71b09d7575db927c132c916484b0570420f30dmikesamuel                Out << "\\ldefault:";
19726f71b09d7575db927c132c916484b0570420f30dmikesamuel              }
19736f71b09d7575db927c132c916484b0570420f30dmikesamuel            }
1974eC��n�            else
19756f71b09d7575db927c132c916484b0570420f30dmikesamuel              Out << "\\l(implicit) default:";
19766f71b09d7575db927c132c916484b0570420f30dmikesamuel          }
19776f71b09d7575db927c132c916484b0570420f30dmikesamuel          else if (isa<IndirectGotoStmt>(T)) {
19786f71b09d7575db927c132c916484b0570420f30dmikesamuel            // FIXME
19796f71b09d7575db927c132c916484b0570420f30dmikesamuel          }
19806f71b09d7575db927c132c916484b0570420f30dmikesamuel          else {
19816f71b09d7575db927c132c916484b0570420f30dmikesamuel            Out << "\\lCondition: ";
19826f71b09d7575db927c132c916484b0570420f30dmikesamuel            if (*E.getSrc()->succ_begin() == E.getDst())
19836f71b09d7575db927c132c916484b0570420f30dmikesamuel              Out << "true";
19846f71b09d7575db927c132c916484b0570420f30dmikesamuel            else
19856f71b09d7575db927c132c916484b0570420f30dmikesamuel              Out << "false";
1986kV֏��d����B�O�>{ݧQ`�`��(��$J�K[<�	\���(Xև�������ׇI��}�}Z��%_EIJpi�x�ʹo          }
19876f71b09d7575db927c132c916484b0570420f30dmikesamuel
1988y�vl�C��TO�_O�oX�����          Out << "\\l";
19896f71b09d7575db927c132c916484b0570420f30dmikesamuel        }
19906f71b09d7575db927c132c916484b0570420f30dmikesamuel
19916f71b09d7575db927c132c916484b0570420f30dmikesamuel#if 0
19926f71b09d7575db927c132c916484b0570420f30dmikesamuel          // FIXME: Replace with a general scheme to determine
19936f71b09d7575db927c132c916484b0570420f30dmikesamuel          // the name of the check.
19946f71b09d7575db927c132c916484b0570420f30dmikesamuel        if (GraphPrintCheckerState->isUndefControlFlow(N)) {
19956f71b09d7575db927c132c916484b0570420f30dmikesamuel          Out << "\\|Control-flow based on\\lUndefined value.\\l";
19966f71b09d7575db927c132c916484b0570420f30dmikesamuel        }
19976f71b09d7575db927c132c916484b0570420f30dmikesamuel#endif
19986f71b09d7575db927c132c916484b0570420f30dmikesamuel      }
19996f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
20006f71b09d7575db927c132c916484b0570420f30dmikesamuel
20016f71b09d7575db927c132c916484b0570420f30dmikesamuel    ProgramStateRef state = N->getState();
2002rRҙ���������    Out << "\\|StateID: " << (void*) state.getPtr()
2003V���܄ϝ��!���?�$���&�Y���/�]Db        << " NodeID: " << (void*) N << "\\|";
2004G�    state->printDOT(Out);
2005iIG`UӰ;Ţ��
20066f71b09d7575db927c132c916484b0570420f30dmikesamuel    Out << "\\l";
20076f71b09d7575db927c132c916484b0570420f30dmikesamuel
20086f71b09d7575db927c132c916484b0570420f30dmikesamuel    if (const ProgramPointTag *tag = Loc.getTag()) {
20096f71b09d7575db927c132c916484b0570420f30dmikesamuel      Out << "\\|Tag: " << tag->getTagDescription();
20106f71b09d7575db927c132c916484b0570420f30dmikesamuel      Out << "\\l";
20116f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
2012e�^�񚁍t/�RV}�����!���:j�Y-�k����m���:�|�$��"���ġ'�H����nK�V@���>w�=����A�s�a$C    return Out.str();
20136f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
20146f71b09d7575db927c132c916484b0570420f30dmikesamuel};
20156f71b09d7575db927c132c916484b0570420f30dmikesamuel} // end llvm namespace
20166f71b09d7575db927c132c916484b0570420f30dmikesamuel#endif
20176f71b09d7575db927c132c916484b0570420f30dmikesamuel
20186f71b09d7575db927c132c916484b0570420f30dmikesamuel#ifndef NDEBUG
2019W'�template <typename ITERATOR>
20206f71b09d7575db927c132c916484b0570420f30dmikesamuelExplodedNode *GetGraphNode(ITERATOR I) { return *I; }
20216f71b09d7575db927c132c916484b0570420f30dmikesamuel
20226f71b09d7575db927c132c916484b0570420f30dmikesamueltemplate <> ExplodedNode*
20236f71b09d7575db927c132c916484b0570420f30dmikesamuelGetGraphNode<llvm::DenseMap<ExplodedNode*, Expr*>::iterator>
20246f71b09d7575db927c132c916484b0570420f30dmikesamuel  (llvm::DenseMap<ExplodedNode*, Expr*>::iterator I) {
20256f71b09d7575db927c132c916484b0570420f30dmikesamuel  return I->first;
20266f71b09d7575db927c132c916484b0570420f30dmikesamuel}
2027F�O�>:W��^"���<�y	���FX!Q����###endif
20286f71b09d7575db927c132c916484b0570420f30dmikesamuel
20296f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::ViewGraph(bool trim) {
20306f71b09d7575db927c132c916484b0570420f30dmikesamuel#ifndef NDEBUG
20316f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (trim) {
20326f71b09d7575db927c132c916484b0570420f30dmikesamuel    std::vector<ExplodedNode*> Src;
20336f71b09d7575db927c132c916484b0570420f30dmikesamuel
20346f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Flush any outstanding reports to make sure we cover all the nodes.
20356f71b09d7575db927c132c916484b0570420f30dmikesamuel    // This does not cause them to get displayed.
20366f71b09d7575db927c132c916484b0570420f30dmikesamuel    for (BugReporter::iterator I=BR.begin(), E=BR.end(); I!=E; ++I)
20376f71b09d7575db927c132c916484b0570420f30dmikesamuel      const_cast<BugType*>(*I)->FlushReports(BR);
20386f71b09d7575db927c132c916484b0570420f30dmikesamuel
20396f71b09d7575db927c132c916484b0570420f30dmikesamuel    // Iterate through the reports and get their nodes.
20406f71b09d7575db927c132c916484b0570420f30dmikesamuel    for (BugReporter::EQClasses_iterator
20416f71b09d7575db927c132c916484b0570420f30dmikesamuel           EI = BR.EQClasses_begin(), EE = BR.EQClasses_end(); EI != EE; ++EI) {
20426f71b09d7575db927c132c916484b0570420f30dmikesamuel      ExplodedNode *N = const_cast<ExplodedNode*>(EI->begin()->getErrorNode());
20436f71b09d7575db927c132c916484b0570420f30dmikesamuel      if (N) Src.push_back(N);
20446f71b09d7575db927c132c916484b0570420f30dmikesamuel    }
2045q
20466f71b09d7575db927c132c916484b0570420f30dmikesamuel    ViewGraph(&Src[0], &Src[0]+Src.size());
20476f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
2048B~���b�!  else {
20496f71b09d7575db927c132c916484b0570420f30dmikesamuel    GraphPrintCheckerState = this;
20506f71b09d7575db927c132c916484b0570420f30dmikesamuel    GraphPrintSourceManager = &getContext().getSourceManager();
20516f71b09d7575db927c132c916484b0570420f30dmikesamuel
20526f71b09d7575db927c132c916484b0570420f30dmikesamuel    llvm::ViewGraph(*G.roots_begin(), "ExprEngine");
2053mu��h�F�+[�m
2054W6'̶َAd�    GraphPrintCheckerState = NULL;
2055Xbbwa��ҘBiR���EY�BiV��J����P�*���.ԭ����hA�k�p��,�uZmZ]Z    GraphPrintSourceManager = NULL;
20566f71b09d7575db927c132c916484b0570420f30dmikesamuel  }
20576f71b09d7575db927c132c916484b0570420f30dmikesamuel#endif
2058Ej���!�u�C�}
2059K�`HFB�˸"CAV�*
20606f71b09d7575db927c132c916484b0570420f30dmikesamuelvoid ExprEngine::ViewGraph(ExplodedNode** Beg, ExplodedNode** End) {
20616f71b09d7575db927c132c916484b0570420f30dmikesamuel#ifndef NDEBUG
20626f71b09d7575db927c132c916484b0570420f30dmikesamuel  GraphPrintCheckerState = this;
20636f71b09d7575db927c132c916484b0570420f30dmikesamuel  GraphPrintSourceManager = &getContext().getSourceManager();
20646f71b09d7575db927c132c916484b0570420f30dmikesamuel
2065com�x���z��  std::auto_ptr<ExplodedGraph> TrimmedG(G.Trim(Beg, End).first);
20666f71b09d7575db927c132c916484b0570420f30dmikesamuel
20676f71b09d7575db927c132c916484b0570420f30dmikesamuel  if (!TrimmedG.get())
20686f71b09d7575db927c132c916484b0570420f30dmikesamuel    llvm::errs() << "warning: Trimmed ExplodedGraph is empty.\n";
20696f71b09d7575db927c132c916484b0570420f30dmikesamuel  else
20706f71b09d7575db927c132c916484b0570420f30dmikesamuel    llvm::ViewGraph(*TrimmedG->roots_begin(), "TrimmedExprEngine");
20716f71b09d7575db927c132c916484b0570420f30dmikesamuel
20726f71b09d7575db927c132c916484b0570420f30dmikesamuel  GraphPrintCheckerState = NULL;
20736f71b09d7575db927c132c916484b0570420f30dmikesamuel  GraphPrintSourceManager = NULL;
20746f71b09d7575db927c132c916484b0570420f30dmikesamuel#endif
20756f71b09d7575db927c132c916484b0570420f30dmikesamuel}
20766f71b09d7575db927c132c916484b0570420f30dmikesamuel