CoreEngine.cpp revision ad62deeb70e97da6bd514dd390ea1ce6af6ad81d
1//==- CoreEngine.cpp - Path-Sensitive Dataflow Engine ------------*- C++ -*-// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file defines a generic engine for intraprocedural, path-sensitive, 11// dataflow analysis via graph reachability engine. 12// 13//===----------------------------------------------------------------------===// 14 15#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" 16#include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h" 17#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 18#include "clang/Index/TranslationUnit.h" 19#include "clang/AST/Expr.h" 20#include "clang/AST/StmtCXX.h" 21#include "llvm/Support/Casting.h" 22#include "llvm/ADT/DenseMap.h" 23using namespace clang; 24using namespace ento; 25 26//===----------------------------------------------------------------------===// 27// Worklist classes for exploration of reachable states. 28//===----------------------------------------------------------------------===// 29 30WorkList::Visitor::~Visitor() {} 31 32namespace { 33class DFS : public WorkList { 34 SmallVector<WorkListUnit,20> Stack; 35public: 36 virtual bool hasWork() const { 37 return !Stack.empty(); 38 } 39 40 virtual void enqueue(const WorkListUnit& U) { 41 Stack.push_back(U); 42 } 43 44 virtual WorkListUnit dequeue() { 45 assert (!Stack.empty()); 46 const WorkListUnit& U = Stack.back(); 47 Stack.pop_back(); // This technically "invalidates" U, but we are fine. 48 return U; 49 } 50 51 virtual bool visitItemsInWorkList(Visitor &V) { 52 for (SmallVectorImpl<WorkListUnit>::iterator 53 I = Stack.begin(), E = Stack.end(); I != E; ++I) { 54 if (V.visit(*I)) 55 return true; 56 } 57 return false; 58 } 59}; 60 61class BFS : public WorkList { 62 std::deque<WorkListUnit> Queue; 63public: 64 virtual bool hasWork() const { 65 return !Queue.empty(); 66 } 67 68 virtual void enqueue(const WorkListUnit& U) { 69 Queue.push_front(U); 70 } 71 72 virtual WorkListUnit dequeue() { 73 WorkListUnit U = Queue.front(); 74 Queue.pop_front(); 75 return U; 76 } 77 78 virtual bool visitItemsInWorkList(Visitor &V) { 79 for (std::deque<WorkListUnit>::iterator 80 I = Queue.begin(), E = Queue.end(); I != E; ++I) { 81 if (V.visit(*I)) 82 return true; 83 } 84 return false; 85 } 86}; 87 88} // end anonymous namespace 89 90// Place the dstor for WorkList here because it contains virtual member 91// functions, and we the code for the dstor generated in one compilation unit. 92WorkList::~WorkList() {} 93 94WorkList *WorkList::makeDFS() { return new DFS(); } 95WorkList *WorkList::makeBFS() { return new BFS(); } 96 97namespace { 98 class BFSBlockDFSContents : public WorkList { 99 std::deque<WorkListUnit> Queue; 100 SmallVector<WorkListUnit,20> Stack; 101 public: 102 virtual bool hasWork() const { 103 return !Queue.empty() || !Stack.empty(); 104 } 105 106 virtual void enqueue(const WorkListUnit& U) { 107 if (isa<BlockEntrance>(U.getNode()->getLocation())) 108 Queue.push_front(U); 109 else 110 Stack.push_back(U); 111 } 112 113 virtual WorkListUnit dequeue() { 114 // Process all basic blocks to completion. 115 if (!Stack.empty()) { 116 const WorkListUnit& U = Stack.back(); 117 Stack.pop_back(); // This technically "invalidates" U, but we are fine. 118 return U; 119 } 120 121 assert(!Queue.empty()); 122 // Don't use const reference. The subsequent pop_back() might make it 123 // unsafe. 124 WorkListUnit U = Queue.front(); 125 Queue.pop_front(); 126 return U; 127 } 128 virtual bool visitItemsInWorkList(Visitor &V) { 129 for (SmallVectorImpl<WorkListUnit>::iterator 130 I = Stack.begin(), E = Stack.end(); I != E; ++I) { 131 if (V.visit(*I)) 132 return true; 133 } 134 for (std::deque<WorkListUnit>::iterator 135 I = Queue.begin(), E = Queue.end(); I != E; ++I) { 136 if (V.visit(*I)) 137 return true; 138 } 139 return false; 140 } 141 142 }; 143} // end anonymous namespace 144 145WorkList* WorkList::makeBFSBlockDFSContents() { 146 return new BFSBlockDFSContents(); 147} 148 149//===----------------------------------------------------------------------===// 150// Core analysis engine. 151//===----------------------------------------------------------------------===// 152 153/// ExecuteWorkList - Run the worklist algorithm for a maximum number of steps. 154bool CoreEngine::ExecuteWorkList(const LocationContext *L, unsigned Steps, 155 const ProgramState *InitState) { 156 157 if (G->num_roots() == 0) { // Initialize the analysis by constructing 158 // the root if none exists. 159 160 const CFGBlock *Entry = &(L->getCFG()->getEntry()); 161 162 assert (Entry->empty() && 163 "Entry block must be empty."); 164 165 assert (Entry->succ_size() == 1 && 166 "Entry block must have 1 successor."); 167 168 // Get the solitary successor. 169 const CFGBlock *Succ = *(Entry->succ_begin()); 170 171 // Construct an edge representing the 172 // starting location in the function. 173 BlockEdge StartLoc(Entry, Succ, L); 174 175 // Set the current block counter to being empty. 176 WList->setBlockCounter(BCounterFactory.GetEmptyCounter()); 177 178 if (!InitState) 179 // Generate the root. 180 generateNode(StartLoc, SubEng.getInitialState(L), 0); 181 else 182 generateNode(StartLoc, InitState, 0); 183 } 184 185 // Check if we have a steps limit 186 bool UnlimitedSteps = Steps == 0; 187 188 while (WList->hasWork()) { 189 if (!UnlimitedSteps) { 190 if (Steps == 0) 191 break; 192 --Steps; 193 } 194 195 const WorkListUnit& WU = WList->dequeue(); 196 197 // Set the current block counter. 198 WList->setBlockCounter(WU.getBlockCounter()); 199 200 // Retrieve the node. 201 ExplodedNode *Node = WU.getNode(); 202 203 // Dispatch on the location type. 204 switch (Node->getLocation().getKind()) { 205 case ProgramPoint::BlockEdgeKind: 206 HandleBlockEdge(cast<BlockEdge>(Node->getLocation()), Node); 207 break; 208 209 case ProgramPoint::BlockEntranceKind: 210 HandleBlockEntrance(cast<BlockEntrance>(Node->getLocation()), Node); 211 break; 212 213 case ProgramPoint::BlockExitKind: 214 assert (false && "BlockExit location never occur in forward analysis."); 215 break; 216 217 case ProgramPoint::CallEnterKind: 218 HandleCallEnter(cast<CallEnter>(Node->getLocation()), WU.getBlock(), 219 WU.getIndex(), Node); 220 break; 221 222 case ProgramPoint::CallExitKind: 223 HandleCallExit(cast<CallExit>(Node->getLocation()), Node); 224 break; 225 226 default: 227 assert(isa<PostStmt>(Node->getLocation()) || 228 isa<PostInitializer>(Node->getLocation())); 229 HandlePostStmt(WU.getBlock(), WU.getIndex(), Node); 230 break; 231 } 232 } 233 234 SubEng.processEndWorklist(hasWorkRemaining()); 235 return WList->hasWork(); 236} 237 238void CoreEngine::ExecuteWorkListWithInitialState(const LocationContext *L, 239 unsigned Steps, 240 const ProgramState *InitState, 241 ExplodedNodeSet &Dst) { 242 ExecuteWorkList(L, Steps, InitState); 243 for (SmallVectorImpl<ExplodedNode*>::iterator I = G->EndNodes.begin(), 244 E = G->EndNodes.end(); I != E; ++I) { 245 Dst.Add(*I); 246 } 247} 248 249void CoreEngine::HandleCallEnter(const CallEnter &L, const CFGBlock *Block, 250 unsigned Index, ExplodedNode *Pred) { 251 CallEnterNodeBuilder Builder(*this, Pred, L.getCallExpr(), 252 L.getCalleeContext(), Block, Index); 253 SubEng.processCallEnter(Builder); 254} 255 256void CoreEngine::HandleCallExit(const CallExit &L, ExplodedNode *Pred) { 257 CallExitNodeBuilder Builder(*this, Pred); 258 SubEng.processCallExit(Builder); 259} 260 261void CoreEngine::HandleBlockEdge(const BlockEdge &L, ExplodedNode *Pred) { 262 263 const CFGBlock *Blk = L.getDst(); 264 265 // Check if we are entering the EXIT block. 266 if (Blk == &(L.getLocationContext()->getCFG()->getExit())) { 267 268 assert (L.getLocationContext()->getCFG()->getExit().size() == 0 269 && "EXIT block cannot contain Stmts."); 270 271 // Process the final state transition. 272 EndOfFunctionNodeBuilder Builder(Blk, Pred, this); 273 SubEng.processEndOfFunction(Builder); 274 275 // This path is done. Don't enqueue any more nodes. 276 return; 277 } 278 279 // Call into the subengine to process entering the CFGBlock. 280 ExplodedNodeSet dstNodes; 281 BlockEntrance BE(Blk, Pred->getLocationContext()); 282 GenericNodeBuilder<BlockEntrance> nodeBuilder(*this, Pred, BE); 283 SubEng.processCFGBlockEntrance(dstNodes, nodeBuilder); 284 285 if (dstNodes.empty()) { 286 if (!nodeBuilder.hasGeneratedNode) { 287 // Auto-generate a node and enqueue it to the worklist. 288 generateNode(BE, Pred->State, Pred); 289 } 290 } 291 else { 292 for (ExplodedNodeSet::iterator I = dstNodes.begin(), E = dstNodes.end(); 293 I != E; ++I) { 294 WList->enqueue(*I); 295 } 296 } 297 298 for (SmallVectorImpl<ExplodedNode*>::const_iterator 299 I = nodeBuilder.sinks().begin(), E = nodeBuilder.sinks().end(); 300 I != E; ++I) { 301 blocksExhausted.push_back(std::make_pair(L, *I)); 302 } 303} 304 305void CoreEngine::HandleBlockEntrance(const BlockEntrance &L, 306 ExplodedNode *Pred) { 307 308 // Increment the block counter. 309 BlockCounter Counter = WList->getBlockCounter(); 310 Counter = BCounterFactory.IncrementCount(Counter, 311 Pred->getLocationContext()->getCurrentStackFrame(), 312 L.getBlock()->getBlockID()); 313 WList->setBlockCounter(Counter); 314 315 // Process the entrance of the block. 316 if (CFGElement E = L.getFirstElement()) { 317 StmtNodeBuilder Builder(L.getBlock(), 0, Pred, this); 318 SubEng.processCFGElement(E, Builder); 319 } 320 else 321 HandleBlockExit(L.getBlock(), Pred); 322} 323 324void CoreEngine::HandleBlockExit(const CFGBlock * B, ExplodedNode *Pred) { 325 326 if (const Stmt *Term = B->getTerminator()) { 327 switch (Term->getStmtClass()) { 328 default: 329 llvm_unreachable("Analysis for this terminator not implemented."); 330 331 case Stmt::BinaryOperatorClass: // '&&' and '||' 332 HandleBranch(cast<BinaryOperator>(Term)->getLHS(), Term, B, Pred); 333 return; 334 335 case Stmt::BinaryConditionalOperatorClass: 336 case Stmt::ConditionalOperatorClass: 337 HandleBranch(cast<AbstractConditionalOperator>(Term)->getCond(), 338 Term, B, Pred); 339 return; 340 341 // FIXME: Use constant-folding in CFG construction to simplify this 342 // case. 343 344 case Stmt::ChooseExprClass: 345 HandleBranch(cast<ChooseExpr>(Term)->getCond(), Term, B, Pred); 346 return; 347 348 case Stmt::DoStmtClass: 349 HandleBranch(cast<DoStmt>(Term)->getCond(), Term, B, Pred); 350 return; 351 352 case Stmt::CXXForRangeStmtClass: 353 HandleBranch(cast<CXXForRangeStmt>(Term)->getCond(), Term, B, Pred); 354 return; 355 356 case Stmt::ForStmtClass: 357 HandleBranch(cast<ForStmt>(Term)->getCond(), Term, B, Pred); 358 return; 359 360 case Stmt::ContinueStmtClass: 361 case Stmt::BreakStmtClass: 362 case Stmt::GotoStmtClass: 363 break; 364 365 case Stmt::IfStmtClass: 366 HandleBranch(cast<IfStmt>(Term)->getCond(), Term, B, Pred); 367 return; 368 369 case Stmt::IndirectGotoStmtClass: { 370 // Only 1 successor: the indirect goto dispatch block. 371 assert (B->succ_size() == 1); 372 373 IndirectGotoNodeBuilder 374 builder(Pred, B, cast<IndirectGotoStmt>(Term)->getTarget(), 375 *(B->succ_begin()), this); 376 377 SubEng.processIndirectGoto(builder); 378 return; 379 } 380 381 case Stmt::ObjCForCollectionStmtClass: { 382 // In the case of ObjCForCollectionStmt, it appears twice in a CFG: 383 // 384 // (1) inside a basic block, which represents the binding of the 385 // 'element' variable to a value. 386 // (2) in a terminator, which represents the branch. 387 // 388 // For (1), subengines will bind a value (i.e., 0 or 1) indicating 389 // whether or not collection contains any more elements. We cannot 390 // just test to see if the element is nil because a container can 391 // contain nil elements. 392 HandleBranch(Term, Term, B, Pred); 393 return; 394 } 395 396 case Stmt::SwitchStmtClass: { 397 SwitchNodeBuilder builder(Pred, B, cast<SwitchStmt>(Term)->getCond(), 398 this); 399 400 SubEng.processSwitch(builder); 401 return; 402 } 403 404 case Stmt::WhileStmtClass: 405 HandleBranch(cast<WhileStmt>(Term)->getCond(), Term, B, Pred); 406 return; 407 } 408 } 409 410 assert (B->succ_size() == 1 && 411 "Blocks with no terminator should have at most 1 successor."); 412 413 generateNode(BlockEdge(B, *(B->succ_begin()), Pred->getLocationContext()), 414 Pred->State, Pred); 415} 416 417void CoreEngine::HandleBranch(const Stmt *Cond, const Stmt *Term, 418 const CFGBlock * B, ExplodedNode *Pred) { 419 assert(B->succ_size() == 2); 420 NodeBuilderContext Ctx(*this, B); 421 SubEng.processBranch(Cond, Term, Ctx, Pred, 422 *(B->succ_begin()), *(B->succ_begin()+1)); 423} 424 425void CoreEngine::HandlePostStmt(const CFGBlock *B, unsigned StmtIdx, 426 ExplodedNode *Pred) { 427 assert(B); 428 assert(!B->empty()); 429 430 if (StmtIdx == B->size()) 431 HandleBlockExit(B, Pred); 432 else { 433 StmtNodeBuilder Builder(B, StmtIdx, Pred, this); 434 SubEng.processCFGElement((*B)[StmtIdx], Builder); 435 } 436} 437 438/// generateNode - Utility method to generate nodes, hook up successors, 439/// and add nodes to the worklist. 440void CoreEngine::generateNode(const ProgramPoint &Loc, 441 const ProgramState *State, 442 ExplodedNode *Pred) { 443 444 bool IsNew; 445 ExplodedNode *Node = G->getNode(Loc, State, &IsNew); 446 447 if (Pred) 448 Node->addPredecessor(Pred, *G); // Link 'Node' with its predecessor. 449 else { 450 assert (IsNew); 451 G->addRoot(Node); // 'Node' has no predecessor. Make it a root. 452 } 453 454 // Only add 'Node' to the worklist if it was freshly generated. 455 if (IsNew) WList->enqueue(Node); 456} 457 458void CoreEngine::enqueue(NodeBuilder &NB) { 459 for (NodeBuilder::iterator I = NB.results_begin(), 460 E = NB.results_end(); I != E; ++I) { 461 WList->enqueue(*I); 462 } 463} 464 465ExplodedNode * 466GenericNodeBuilderImpl::generateNodeImpl(const ProgramState *state, 467 ExplodedNode *pred, 468 ProgramPoint programPoint, 469 bool asSink) { 470 471 hasGeneratedNode = true; 472 bool isNew; 473 ExplodedNode *node = engine.getGraph().getNode(programPoint, state, &isNew); 474 if (pred) 475 node->addPredecessor(pred, engine.getGraph()); 476 if (isNew) { 477 if (asSink) { 478 node->markAsSink(); 479 sinksGenerated.push_back(node); 480 } 481 return node; 482 } 483 return 0; 484} 485 486ExplodedNode* NodeBuilder::generateNodeImpl(const ProgramPoint &Loc, 487 const ProgramState *State, 488 ExplodedNode *FromN, 489 bool MarkAsSink) { 490 assert(Finalized == false && 491 "We cannot create new nodes after the results have been finalized."); 492 493 bool IsNew; 494 ExplodedNode *N = C.Eng.G->getNode(Loc, State, &IsNew); 495 N->addPredecessor(FromN, *C.Eng.G); 496 Deferred.erase(FromN); 497 498 if (MarkAsSink) 499 N->markAsSink(); 500 501 if (IsNew && !N->isSink()) 502 Deferred.insert(N); 503 504 return (IsNew ? N : 0); 505} 506 507 508StmtNodeBuilder::StmtNodeBuilder(const CFGBlock *b, 509 unsigned idx, 510 ExplodedNode *N, 511 CoreEngine* e) 512 : CommonNodeBuilder(e, N), B(*b), Idx(idx), 513 PurgingDeadSymbols(false), BuildSinks(false), hasGeneratedNode(false), 514 PointKind(ProgramPoint::PostStmtKind), Tag(0) { 515 Deferred.insert(N); 516} 517 518StmtNodeBuilder::~StmtNodeBuilder() { 519 for (DeferredTy::iterator I=Deferred.begin(), E=Deferred.end(); I!=E; ++I) 520 if (!(*I)->isSink()) 521 GenerateAutoTransition(*I); 522} 523 524void StmtNodeBuilder::GenerateAutoTransition(ExplodedNode *N) { 525 assert (!N->isSink()); 526 527 // Check if this node entered a callee. 528 if (isa<CallEnter>(N->getLocation())) { 529 // Still use the index of the CallExpr. It's needed to create the callee 530 // StackFrameContext. 531 Eng.WList->enqueue(N, &B, Idx); 532 return; 533 } 534 535 // Do not create extra nodes. Move to the next CFG element. 536 if (isa<PostInitializer>(N->getLocation())) { 537 Eng.WList->enqueue(N, &B, Idx+1); 538 return; 539 } 540 541 PostStmt Loc(getStmt(), N->getLocationContext()); 542 543 if (Loc == N->getLocation()) { 544 // Note: 'N' should be a fresh node because otherwise it shouldn't be 545 // a member of Deferred. 546 Eng.WList->enqueue(N, &B, Idx+1); 547 return; 548 } 549 550 bool IsNew; 551 ExplodedNode *Succ = Eng.G->getNode(Loc, N->State, &IsNew); 552 Succ->addPredecessor(N, *Eng.G); 553 554 if (IsNew) 555 Eng.WList->enqueue(Succ, &B, Idx+1); 556} 557 558ExplodedNode *StmtNodeBuilder::MakeNode(ExplodedNodeSet &Dst, 559 const Stmt *S, 560 ExplodedNode *Pred, 561 const ProgramState *St, 562 ProgramPoint::Kind K) { 563 564 ExplodedNode *N = generateNode(S, St, Pred, K); 565 566 if (N) { 567 if (BuildSinks) 568 N->markAsSink(); 569 else 570 Dst.Add(N); 571 } 572 573 return N; 574} 575 576ExplodedNode* 577StmtNodeBuilder::generateNodeInternal(const Stmt *S, 578 const ProgramState *state, 579 ExplodedNode *Pred, 580 ProgramPoint::Kind K, 581 const ProgramPointTag *tag) { 582 583 const ProgramPoint &L = ProgramPoint::getProgramPoint(S, K, 584 Pred->getLocationContext(), tag); 585 return generateNodeInternal(L, state, Pred); 586} 587 588ExplodedNode* 589StmtNodeBuilder::generateNodeInternal(const ProgramPoint &Loc, 590 const ProgramState *State, 591 ExplodedNode *Pred) { 592 bool IsNew; 593 ExplodedNode *N = Eng.G->getNode(Loc, State, &IsNew); 594 N->addPredecessor(Pred, *Eng.G); 595 Deferred.erase(Pred); 596 597 if (IsNew) { 598 Deferred.insert(N); 599 return N; 600 } 601 602 return NULL; 603} 604 605// This function generate a new ExplodedNode but not a new branch(block edge). 606// Creates a transition from the Builder's top predecessor. 607ExplodedNode *BranchNodeBuilder::generateNode(const Stmt *Condition, 608 const ProgramState *State, 609 const ProgramPointTag *Tag, 610 bool MarkAsSink) { 611 ProgramPoint PP = PostCondition(Condition, 612 BuilderPred->getLocationContext(), Tag); 613 ExplodedNode *N = generateNodeImpl(PP, State, BuilderPred, MarkAsSink); 614 assert(N); 615 // TODO: This needs to go - we should not change Pred!!! 616 BuilderPred = N; 617 return N; 618} 619 620ExplodedNode *BranchNodeBuilder::generateNode(const ProgramState *State, 621 bool branch, 622 ExplodedNode *NodePred) { 623 624 // If the branch has been marked infeasible we should not generate a node. 625 if (!isFeasible(branch)) 626 return NULL; 627 628 if (!NodePred) 629 NodePred = BuilderPred; 630 ProgramPoint Loc = BlockEdge(C.Block, branch ? DstT:DstF, 631 NodePred->getLocationContext()); 632 ExplodedNode *Succ = generateNodeImpl(Loc, State, NodePred); 633 634 if (branch) 635 GeneratedTrue = true; 636 else 637 GeneratedFalse = true; 638 639 return Succ; 640} 641 642ExplodedNode* 643IndirectGotoNodeBuilder::generateNode(const iterator &I, 644 const ProgramState *St, 645 bool isSink) { 646 bool IsNew; 647 648 ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, I.getBlock(), 649 Pred->getLocationContext()), St, &IsNew); 650 651 Succ->addPredecessor(Pred, *Eng.G); 652 653 if (IsNew) { 654 655 if (isSink) 656 Succ->markAsSink(); 657 else 658 Eng.WList->enqueue(Succ); 659 660 return Succ; 661 } 662 663 return NULL; 664} 665 666 667ExplodedNode* 668SwitchNodeBuilder::generateCaseStmtNode(const iterator &I, 669 const ProgramState *St) { 670 671 bool IsNew; 672 ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, I.getBlock(), 673 Pred->getLocationContext()), 674 St, &IsNew); 675 Succ->addPredecessor(Pred, *Eng.G); 676 if (IsNew) { 677 Eng.WList->enqueue(Succ); 678 return Succ; 679 } 680 return NULL; 681} 682 683 684ExplodedNode* 685SwitchNodeBuilder::generateDefaultCaseNode(const ProgramState *St, 686 bool isSink) { 687 // Get the block for the default case. 688 assert(Src->succ_rbegin() != Src->succ_rend()); 689 CFGBlock *DefaultBlock = *Src->succ_rbegin(); 690 691 // Sanity check for default blocks that are unreachable and not caught 692 // by earlier stages. 693 if (!DefaultBlock) 694 return NULL; 695 696 bool IsNew; 697 698 ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, DefaultBlock, 699 Pred->getLocationContext()), St, &IsNew); 700 Succ->addPredecessor(Pred, *Eng.G); 701 702 if (IsNew) { 703 if (isSink) 704 Succ->markAsSink(); 705 else 706 Eng.WList->enqueue(Succ); 707 708 return Succ; 709 } 710 711 return NULL; 712} 713 714EndOfFunctionNodeBuilder::~EndOfFunctionNodeBuilder() { 715 // Auto-generate an EOP node if one has not been generated. 716 if (!hasGeneratedNode) { 717 // If we are in an inlined call, generate CallExit node. 718 if (Pred->getLocationContext()->getParent()) 719 GenerateCallExitNode(Pred->State); 720 else 721 generateNode(Pred->State); 722 } 723} 724 725ExplodedNode* 726EndOfFunctionNodeBuilder::generateNode(const ProgramState *State, 727 ExplodedNode *P, 728 const ProgramPointTag *tag) { 729 hasGeneratedNode = true; 730 bool IsNew; 731 732 ExplodedNode *Node = Eng.G->getNode(BlockEntrance(&B, 733 Pred->getLocationContext(), tag ? tag : Tag), 734 State, &IsNew); 735 736 Node->addPredecessor(P ? P : Pred, *Eng.G); 737 738 if (IsNew) { 739 Eng.G->addEndOfPath(Node); 740 return Node; 741 } 742 743 return NULL; 744} 745 746void EndOfFunctionNodeBuilder::GenerateCallExitNode(const ProgramState *state) { 747 hasGeneratedNode = true; 748 // Create a CallExit node and enqueue it. 749 const StackFrameContext *LocCtx 750 = cast<StackFrameContext>(Pred->getLocationContext()); 751 const Stmt *CE = LocCtx->getCallSite(); 752 753 // Use the the callee location context. 754 CallExit Loc(CE, LocCtx); 755 756 bool isNew; 757 ExplodedNode *Node = Eng.G->getNode(Loc, state, &isNew); 758 Node->addPredecessor(Pred, *Eng.G); 759 760 if (isNew) 761 Eng.WList->enqueue(Node); 762} 763 764 765void CallEnterNodeBuilder::generateNode(const ProgramState *state) { 766 // Check if the callee is in the same translation unit. 767 if (CalleeCtx->getTranslationUnit() != 768 Pred->getLocationContext()->getTranslationUnit()) { 769 // Create a new engine. We must be careful that the new engine should not 770 // reference data structures owned by the old engine. 771 772 AnalysisManager &OldMgr = Eng.SubEng.getAnalysisManager(); 773 774 // Get the callee's translation unit. 775 idx::TranslationUnit *TU = CalleeCtx->getTranslationUnit(); 776 777 // Create a new AnalysisManager with components of the callee's 778 // TranslationUnit. 779 // The Diagnostic is actually shared when we create ASTUnits from AST files. 780 AnalysisManager AMgr(TU->getASTContext(), TU->getDiagnostic(), OldMgr); 781 782 // Create the new engine. 783 // FIXME: This cast isn't really safe. 784 bool GCEnabled = static_cast<ExprEngine&>(Eng.SubEng).isObjCGCEnabled(); 785 ExprEngine NewEng(AMgr, GCEnabled); 786 787 // Create the new LocationContext. 788 AnalysisContext *NewAnaCtx = AMgr.getAnalysisContext(CalleeCtx->getDecl(), 789 CalleeCtx->getTranslationUnit()); 790 const StackFrameContext *OldLocCtx = CalleeCtx; 791 const StackFrameContext *NewLocCtx = AMgr.getStackFrame(NewAnaCtx, 792 OldLocCtx->getParent(), 793 OldLocCtx->getCallSite(), 794 OldLocCtx->getCallSiteBlock(), 795 OldLocCtx->getIndex()); 796 797 // Now create an initial state for the new engine. 798 const ProgramState *NewState = 799 NewEng.getStateManager().MarshalState(state, NewLocCtx); 800 ExplodedNodeSet ReturnNodes; 801 NewEng.ExecuteWorkListWithInitialState(NewLocCtx, AMgr.getMaxNodes(), 802 NewState, ReturnNodes); 803 return; 804 } 805 806 // Get the callee entry block. 807 const CFGBlock *Entry = &(CalleeCtx->getCFG()->getEntry()); 808 assert(Entry->empty()); 809 assert(Entry->succ_size() == 1); 810 811 // Get the solitary successor. 812 const CFGBlock *SuccB = *(Entry->succ_begin()); 813 814 // Construct an edge representing the starting location in the callee. 815 BlockEdge Loc(Entry, SuccB, CalleeCtx); 816 817 bool isNew; 818 ExplodedNode *Node = Eng.G->getNode(Loc, state, &isNew); 819 Node->addPredecessor(const_cast<ExplodedNode*>(Pred), *Eng.G); 820 821 if (isNew) 822 Eng.WList->enqueue(Node); 823} 824 825void CallExitNodeBuilder::generateNode(const ProgramState *state) { 826 // Get the callee's location context. 827 const StackFrameContext *LocCtx 828 = cast<StackFrameContext>(Pred->getLocationContext()); 829 // When exiting an implicit automatic obj dtor call, the callsite is the Stmt 830 // that triggers the dtor. 831 PostStmt Loc(LocCtx->getCallSite(), LocCtx->getParent()); 832 bool isNew; 833 ExplodedNode *Node = Eng.G->getNode(Loc, state, &isNew); 834 Node->addPredecessor(const_cast<ExplodedNode*>(Pred), *Eng.G); 835 if (isNew) 836 Eng.WList->enqueue(Node, LocCtx->getCallSiteBlock(), 837 LocCtx->getIndex() + 1); 838} 839