ExprEngineCXX.cpp revision 66c486f275531df6362b3511fc3af6563561801b
1//===- ExprEngineCXX.cpp - ExprEngine support for C++ -----------*- C++ -*-===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file defines the C++ expression evaluation engine. 11// 12//===----------------------------------------------------------------------===// 13 14#include "clang/StaticAnalyzer/Core/CheckerManager.h" 15#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" 16#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 17#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 18#include "clang/AST/DeclCXX.h" 19#include "clang/AST/StmtCXX.h" 20#include "clang/Basic/PrettyStackTrace.h" 21 22using namespace clang; 23using namespace ento; 24 25void ExprEngine::CreateCXXTemporaryObject(const MaterializeTemporaryExpr *ME, 26 ExplodedNode *Pred, 27 ExplodedNodeSet &Dst) { 28 StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); 29 const Expr *tempExpr = ME->GetTemporaryExpr()->IgnoreParens(); 30 ProgramStateRef state = Pred->getState(); 31 const LocationContext *LCtx = Pred->getLocationContext(); 32 33 // Bind the temporary object to the value of the expression. Then bind 34 // the expression to the location of the object. 35 SVal V = state->getSVal(tempExpr, Pred->getLocationContext()); 36 37 const MemRegion *R = 38 svalBuilder.getRegionManager().getCXXTempObjectRegion(ME, LCtx); 39 40 state = state->bindLoc(loc::MemRegionVal(R), V); 41 Bldr.generateNode(ME, Pred, state->BindExpr(ME, LCtx, loc::MemRegionVal(R))); 42} 43 44void ExprEngine::VisitCXXConstructExpr(const CXXConstructExpr *CE, 45 ExplodedNode *Pred, 46 ExplodedNodeSet &destNodes) { 47 const LocationContext *LCtx = Pred->getLocationContext(); 48 ProgramStateRef State = Pred->getState(); 49 50 const MemRegion *Target = 0; 51 52 switch (CE->getConstructionKind()) { 53 case CXXConstructExpr::CK_Complete: { 54 // See if we're constructing an existing region by looking at the next 55 // element in the CFG. 56 const CFGBlock *B = currBldrCtx->getBlock(); 57 if (currStmtIdx + 1 < B->size()) { 58 CFGElement Next = (*B)[currStmtIdx+1]; 59 60 // Is this a constructor for a local variable? 61 if (const CFGStmt *StmtElem = dyn_cast<CFGStmt>(&Next)) { 62 if (const DeclStmt *DS = dyn_cast<DeclStmt>(StmtElem->getStmt())) { 63 if (const VarDecl *Var = dyn_cast<VarDecl>(DS->getSingleDecl())) { 64 if (Var->getInit()->IgnoreImplicit() == CE) { 65 QualType Ty = Var->getType(); 66 if (const ArrayType *AT = getContext().getAsArrayType(Ty)) { 67 // FIXME: Handle arrays, which run the same constructor for 68 // every element. This workaround will just run the first 69 // constructor (which should still invalidate the entire array). 70 SVal Base = State->getLValue(Var, LCtx); 71 Target = State->getLValue(AT->getElementType(), 72 getSValBuilder().makeZeroArrayIndex(), 73 Base).getAsRegion(); 74 } else { 75 Target = State->getLValue(Var, LCtx).getAsRegion(); 76 } 77 } 78 } 79 } 80 } 81 82 // Is this a constructor for a member? 83 if (const CFGInitializer *InitElem = dyn_cast<CFGInitializer>(&Next)) { 84 const CXXCtorInitializer *Init = InitElem->getInitializer(); 85 assert(Init->isAnyMemberInitializer()); 86 87 const CXXMethodDecl *CurCtor = cast<CXXMethodDecl>(LCtx->getDecl()); 88 Loc ThisPtr = getSValBuilder().getCXXThis(CurCtor, 89 LCtx->getCurrentStackFrame()); 90 SVal ThisVal = State->getSVal(ThisPtr); 91 92 if (Init->isIndirectMemberInitializer()) { 93 SVal Field = State->getLValue(Init->getIndirectMember(), ThisVal); 94 Target = Field.getAsRegion(); 95 } else { 96 SVal Field = State->getLValue(Init->getMember(), ThisVal); 97 Target = Field.getAsRegion(); 98 } 99 } 100 101 // FIXME: This will eventually need to handle new-expressions as well. 102 } 103 104 // If we couldn't find an existing region to construct into, we'll just 105 // generate a symbolic region, which is fine. 106 107 break; 108 } 109 case CXXConstructExpr::CK_NonVirtualBase: 110 case CXXConstructExpr::CK_VirtualBase: 111 case CXXConstructExpr::CK_Delegating: { 112 const CXXMethodDecl *CurCtor = cast<CXXMethodDecl>(LCtx->getDecl()); 113 Loc ThisPtr = getSValBuilder().getCXXThis(CurCtor, 114 LCtx->getCurrentStackFrame()); 115 SVal ThisVal = State->getSVal(ThisPtr); 116 117 if (CE->getConstructionKind() == CXXConstructExpr::CK_Delegating) { 118 Target = ThisVal.getAsRegion(); 119 } else { 120 // Cast to the base type. 121 QualType BaseTy = CE->getType(); 122 SVal BaseVal = getStoreManager().evalDerivedToBase(ThisVal, BaseTy); 123 Target = BaseVal.getAsRegion(); 124 } 125 break; 126 } 127 } 128 129 CallEventManager &CEMgr = getStateManager().getCallEventManager(); 130 CallEventRef<CXXConstructorCall> Call = 131 CEMgr.getCXXConstructorCall(CE, Target, State, LCtx); 132 133 ExplodedNodeSet DstPreVisit; 134 getCheckerManager().runCheckersForPreStmt(DstPreVisit, Pred, CE, *this); 135 ExplodedNodeSet DstPreCall; 136 getCheckerManager().runCheckersForPreCall(DstPreCall, DstPreVisit, 137 *Call, *this); 138 139 ExplodedNodeSet DstInvalidated; 140 StmtNodeBuilder Bldr(DstPreCall, DstInvalidated, *currBldrCtx); 141 for (ExplodedNodeSet::iterator I = DstPreCall.begin(), E = DstPreCall.end(); 142 I != E; ++I) 143 defaultEvalCall(Bldr, *I, *Call); 144 145 ExplodedNodeSet DstPostCall; 146 getCheckerManager().runCheckersForPostCall(DstPostCall, DstInvalidated, 147 *Call, *this); 148 getCheckerManager().runCheckersForPostStmt(destNodes, DstPostCall, CE, *this); 149} 150 151void ExprEngine::VisitCXXDestructor(QualType ObjectType, 152 const MemRegion *Dest, 153 const Stmt *S, 154 ExplodedNode *Pred, 155 ExplodedNodeSet &Dst) { 156 const LocationContext *LCtx = Pred->getLocationContext(); 157 ProgramStateRef State = Pred->getState(); 158 159 // FIXME: We need to run the same destructor on every element of the array. 160 // This workaround will just run the first destructor (which will still 161 // invalidate the entire array). 162 if (const ArrayType *AT = getContext().getAsArrayType(ObjectType)) { 163 ObjectType = AT->getElementType(); 164 Dest = State->getLValue(ObjectType, getSValBuilder().makeZeroArrayIndex(), 165 loc::MemRegionVal(Dest)).getAsRegion(); 166 } 167 168 const CXXRecordDecl *RecordDecl = ObjectType->getAsCXXRecordDecl(); 169 assert(RecordDecl && "Only CXXRecordDecls should have destructors"); 170 const CXXDestructorDecl *DtorDecl = RecordDecl->getDestructor(); 171 172 CallEventManager &CEMgr = getStateManager().getCallEventManager(); 173 CallEventRef<CXXDestructorCall> Call = 174 CEMgr.getCXXDestructorCall(DtorDecl, S, Dest, State, LCtx); 175 176 PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), 177 Call->getSourceRange().getBegin(), 178 "Error evaluating destructor"); 179 180 ExplodedNodeSet DstPreCall; 181 getCheckerManager().runCheckersForPreCall(DstPreCall, Pred, 182 *Call, *this); 183 184 ExplodedNodeSet DstInvalidated; 185 StmtNodeBuilder Bldr(DstPreCall, DstInvalidated, *currBldrCtx); 186 for (ExplodedNodeSet::iterator I = DstPreCall.begin(), E = DstPreCall.end(); 187 I != E; ++I) 188 defaultEvalCall(Bldr, *I, *Call); 189 190 ExplodedNodeSet DstPostCall; 191 getCheckerManager().runCheckersForPostCall(Dst, DstInvalidated, 192 *Call, *this); 193} 194 195void ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred, 196 ExplodedNodeSet &Dst) { 197 // FIXME: Much of this should eventually migrate to CXXAllocatorCall. 198 // Also, we need to decide how allocators actually work -- they're not 199 // really part of the CXXNewExpr because they happen BEFORE the 200 // CXXConstructExpr subexpression. See PR12014 for some discussion. 201 StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); 202 203 unsigned blockCount = currBldrCtx->blockCount(); 204 const LocationContext *LCtx = Pred->getLocationContext(); 205 DefinedOrUnknownSVal symVal = svalBuilder.conjureSymbolVal(0, CNE, LCtx, 206 CNE->getType(), 207 blockCount); 208 ProgramStateRef State = Pred->getState(); 209 210 CallEventManager &CEMgr = getStateManager().getCallEventManager(); 211 CallEventRef<CXXAllocatorCall> Call = 212 CEMgr.getCXXAllocatorCall(CNE, State, LCtx); 213 214 // Invalidate placement args. 215 // FIXME: Once we figure out how we want allocators to work, 216 // we should be using the usual pre-/(default-)eval-/post-call checks here. 217 State = Call->invalidateRegions(blockCount); 218 219 if (CNE->isArray()) { 220 // FIXME: allocating an array requires simulating the constructors. 221 // For now, just return a symbolicated region. 222 const MemRegion *NewReg = cast<loc::MemRegionVal>(symVal).getRegion(); 223 QualType ObjTy = CNE->getType()->getAs<PointerType>()->getPointeeType(); 224 const ElementRegion *EleReg = 225 getStoreManager().GetElementZeroRegion(NewReg, ObjTy); 226 State = State->BindExpr(CNE, Pred->getLocationContext(), 227 loc::MemRegionVal(EleReg)); 228 Bldr.generateNode(CNE, Pred, State); 229 return; 230 } 231 232 // FIXME: Once we have proper support for CXXConstructExprs inside 233 // CXXNewExpr, we need to make sure that the constructed object is not 234 // immediately invalidated here. (The placement call should happen before 235 // the constructor call anyway.) 236 FunctionDecl *FD = CNE->getOperatorNew(); 237 if (FD && FD->isReservedGlobalPlacementOperator()) { 238 // Non-array placement new should always return the placement location. 239 SVal PlacementLoc = State->getSVal(CNE->getPlacementArg(0), LCtx); 240 State = State->BindExpr(CNE, LCtx, PlacementLoc); 241 } else { 242 State = State->BindExpr(CNE, LCtx, symVal); 243 } 244 245 // If the type is not a record, we won't have a CXXConstructExpr as an 246 // initializer. Copy the value over. 247 if (const Expr *Init = CNE->getInitializer()) { 248 if (!isa<CXXConstructExpr>(Init)) { 249 QualType ObjTy = CNE->getType()->getAs<PointerType>()->getPointeeType(); 250 (void)ObjTy; 251 assert(!ObjTy->isRecordType()); 252 SVal Location = State->getSVal(CNE, LCtx); 253 if (isa<Loc>(Location)) 254 State = State->bindLoc(cast<Loc>(Location), State->getSVal(Init, LCtx)); 255 } 256 } 257 258 Bldr.generateNode(CNE, Pred, State); 259} 260 261void ExprEngine::VisitCXXDeleteExpr(const CXXDeleteExpr *CDE, 262 ExplodedNode *Pred, ExplodedNodeSet &Dst) { 263 StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); 264 ProgramStateRef state = Pred->getState(); 265 Bldr.generateNode(CDE, Pred, state); 266} 267 268void ExprEngine::VisitCXXCatchStmt(const CXXCatchStmt *CS, 269 ExplodedNode *Pred, 270 ExplodedNodeSet &Dst) { 271 const VarDecl *VD = CS->getExceptionDecl(); 272 if (!VD) { 273 Dst.Add(Pred); 274 return; 275 } 276 277 const LocationContext *LCtx = Pred->getLocationContext(); 278 SVal V = svalBuilder.conjureSymbolVal(CS, LCtx, VD->getType(), 279 currBldrCtx->blockCount()); 280 ProgramStateRef state = Pred->getState(); 281 state = state->bindLoc(state->getLValue(VD, LCtx), V); 282 283 StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); 284 Bldr.generateNode(CS, Pred, state); 285} 286 287void ExprEngine::VisitCXXThisExpr(const CXXThisExpr *TE, ExplodedNode *Pred, 288 ExplodedNodeSet &Dst) { 289 StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); 290 291 // Get the this object region from StoreManager. 292 const LocationContext *LCtx = Pred->getLocationContext(); 293 const MemRegion *R = 294 svalBuilder.getRegionManager().getCXXThisRegion( 295 getContext().getCanonicalType(TE->getType()), 296 LCtx); 297 298 ProgramStateRef state = Pred->getState(); 299 SVal V = state->getSVal(loc::MemRegionVal(R)); 300 Bldr.generateNode(TE, Pred, state->BindExpr(TE, LCtx, V)); 301} 302