| 1 | //===- ExprEngineCXX.cpp - ExprEngine support for C++ -----------*- C++ -*-===// |
|---|---|
| 2 | // |
| 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
| 4 | // See https://llvm.org/LICENSE.txt for license information. |
| 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
| 6 | // |
| 7 | //===----------------------------------------------------------------------===// |
| 8 | // |
| 9 | // This file defines the C++ expression evaluation engine. |
| 10 | // |
| 11 | //===----------------------------------------------------------------------===// |
| 12 | |
| 13 | #include "clang/AST/ASTContext.h" |
| 14 | #include "clang/AST/AttrIterator.h" |
| 15 | #include "clang/AST/DeclCXX.h" |
| 16 | #include "clang/AST/ParentMap.h" |
| 17 | #include "clang/AST/StmtCXX.h" |
| 18 | #include "clang/Analysis/ConstructionContext.h" |
| 19 | #include "clang/Basic/PrettyStackTrace.h" |
| 20 | #include "clang/StaticAnalyzer/Core/CheckerManager.h" |
| 21 | #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" |
| 22 | #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" |
| 23 | #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" |
| 24 | #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" |
| 25 | #include "llvm/ADT/STLExtras.h" |
| 26 | #include "llvm/ADT/Sequence.h" |
| 27 | #include "llvm/Support/Casting.h" |
| 28 | #include <optional> |
| 29 | |
| 30 | using namespace clang; |
| 31 | using namespace ento; |
| 32 | |
| 33 | void ExprEngine::CreateCXXTemporaryObject(const MaterializeTemporaryExpr *ME, |
| 34 | ExplodedNode *Pred, |
| 35 | ExplodedNodeSet &Dst) { |
| 36 | NodeBuilder Bldr(Pred, Dst, *currBldrCtx); |
| 37 | const Expr *tempExpr = ME->getSubExpr()->IgnoreParens(); |
| 38 | ProgramStateRef state = Pred->getState(); |
| 39 | const StackFrame *SF = Pred->getStackFrame(); |
| 40 | |
| 41 | state = createTemporaryRegionIfNeeded(State: state, SF, InitWithAdjustments: tempExpr, Result: ME); |
| 42 | Bldr.generateNode(S: ME, Pred, St: state); |
| 43 | } |
| 44 | |
| 45 | void ExprEngine::performTrivialCopy(ExplodedNodeSet &Dst, ExplodedNode *Pred, |
| 46 | const CallEvent &Call) { |
| 47 | SVal ThisVal; |
| 48 | bool AlwaysReturnsLValue; |
| 49 | [[maybe_unused]] const CXXRecordDecl *ThisRD = nullptr; |
| 50 | if (const CXXConstructorCall *Ctor = dyn_cast<CXXConstructorCall>(Val: &Call)) { |
| 51 | assert(Ctor->getDecl()->isTrivial()); |
| 52 | assert(Ctor->getDecl()->isCopyOrMoveConstructor()); |
| 53 | ThisVal = Ctor->getCXXThisVal(); |
| 54 | ThisRD = Ctor->getDecl()->getParent(); |
| 55 | AlwaysReturnsLValue = false; |
| 56 | } else { |
| 57 | assert(cast<CXXMethodDecl>(Call.getDecl())->isTrivial()); |
| 58 | assert(cast<CXXMethodDecl>(Call.getDecl())->getOverloadedOperator() == |
| 59 | OO_Equal); |
| 60 | ThisVal = cast<CXXInstanceCall>(Val: Call).getCXXThisVal(); |
| 61 | ThisRD = cast<CXXMethodDecl>(Val: Call.getDecl())->getParent(); |
| 62 | AlwaysReturnsLValue = true; |
| 63 | } |
| 64 | |
| 65 | const StackFrame *SF = Pred->getStackFrame(); |
| 66 | const Expr *CallExpr = Call.getOriginExpr(); |
| 67 | |
| 68 | ExplodedNodeSet DstEval; |
| 69 | |
| 70 | assert(ThisRD); |
| 71 | |
| 72 | if (!ThisRD->isEmpty()) { |
| 73 | SVal V = Call.getArgSVal(Index: 0); |
| 74 | const Expr *VExpr = Call.getArgExpr(Index: 0); |
| 75 | |
| 76 | // If the value being copied is not unknown, load from its location to get |
| 77 | // an aggregate rvalue. |
| 78 | if (std::optional<Loc> L = V.getAs<Loc>()) |
| 79 | V = Pred->getState()->getSVal(LV: *L); |
| 80 | else |
| 81 | assert(V.isUnknownOrUndef()); |
| 82 | |
| 83 | ExplodedNodeSet Tmp; |
| 84 | evalLocation(Dst&: Tmp, NodeEx: CallExpr, BoundEx: VExpr, Pred, St: Pred->getState(), location: V, |
| 85 | /*isLoad=*/true); |
| 86 | for (ExplodedNode *N : Tmp) |
| 87 | evalBind(Dst&: DstEval, StoreE: CallExpr, Pred: N, location: ThisVal, Val: V, AtDeclInit: !AlwaysReturnsLValue); |
| 88 | } else { |
| 89 | // We can't copy empty classes because of empty base class optimization. |
| 90 | // In that case, copying the empty base class subobject would overwrite the |
| 91 | // object that it overlaps with - so let's not do that. |
| 92 | // See issue-157467.cpp for an example. |
| 93 | DstEval.insert(N: Pred); |
| 94 | } |
| 95 | |
| 96 | for (ExplodedNode *N : DstEval) { |
| 97 | ProgramStateRef State = N->getState(); |
| 98 | if (AlwaysReturnsLValue) |
| 99 | State = State->BindExpr(E: CallExpr, SF, V: ThisVal); |
| 100 | else |
| 101 | State = bindReturnValue(Call, SF, State); |
| 102 | Dst.insert(N: Engine.makePostStmtNode(S: CallExpr, State, Pred: N)); |
| 103 | } |
| 104 | } |
| 105 | |
| 106 | SVal ExprEngine::makeElementRegion(ProgramStateRef State, SVal LValue, |
| 107 | QualType &Ty, bool &IsArray, unsigned Idx) { |
| 108 | SValBuilder &SVB = State->getStateManager().getSValBuilder(); |
| 109 | ASTContext &Ctx = SVB.getContext(); |
| 110 | |
| 111 | if (const ArrayType *AT = Ctx.getAsArrayType(T: Ty)) { |
| 112 | while (AT) { |
| 113 | Ty = AT->getElementType(); |
| 114 | AT = dyn_cast<ArrayType>(Val: AT->getElementType()); |
| 115 | } |
| 116 | LValue = State->getLValue(ElementType: Ty, Idx: SVB.makeArrayIndex(idx: Idx), Base: LValue); |
| 117 | IsArray = true; |
| 118 | } |
| 119 | |
| 120 | return LValue; |
| 121 | } |
| 122 | |
| 123 | // In case when the prvalue is returned from the function (kind is one of |
| 124 | // SimpleReturnedValueKind, CXX17ElidedCopyReturnedValueKind), then |
| 125 | // it's materialization happens in context of the caller. |
| 126 | SVal ExprEngine::computeObjectUnderConstruction( |
| 127 | const Expr *E, ProgramStateRef State, unsigned NumVisitedCaller, |
| 128 | const StackFrame *SF, const ConstructionContext *CC, |
| 129 | EvalCallOptions &CallOpts, unsigned Idx) { |
| 130 | |
| 131 | SValBuilder &SVB = getSValBuilder(); |
| 132 | MemRegionManager &MRMgr = SVB.getRegionManager(); |
| 133 | ASTContext &ACtx = SVB.getContext(); |
| 134 | |
| 135 | // Compute the target region by exploring the construction context. |
| 136 | if (CC) { |
| 137 | switch (CC->getKind()) { |
| 138 | case ConstructionContext::CXX17ElidedCopyVariableKind: |
| 139 | case ConstructionContext::SimpleVariableKind: { |
| 140 | const auto *DSCC = cast<VariableConstructionContext>(Val: CC); |
| 141 | const auto *DS = DSCC->getDeclStmt(); |
| 142 | const auto *Var = cast<VarDecl>(Val: DS->getSingleDecl()); |
| 143 | QualType Ty = Var->getType(); |
| 144 | return makeElementRegion(State, LValue: State->getLValue(VD: Var, SF), Ty, |
| 145 | IsArray&: CallOpts.IsArrayCtorOrDtor, Idx); |
| 146 | } |
| 147 | case ConstructionContext::CXX17ElidedCopyConstructorInitializerKind: |
| 148 | case ConstructionContext::SimpleConstructorInitializerKind: { |
| 149 | const auto *ICC = cast<ConstructorInitializerConstructionContext>(Val: CC); |
| 150 | const auto *Init = ICC->getCXXCtorInitializer(); |
| 151 | const CXXMethodDecl *CurCtor = cast<CXXMethodDecl>(Val: SF->getDecl()); |
| 152 | Loc ThisPtr = SVB.getCXXThis(D: CurCtor, SF); |
| 153 | SVal ThisVal = State->getSVal(LV: ThisPtr); |
| 154 | if (Init->isBaseInitializer()) { |
| 155 | const auto *ThisReg = cast<SubRegion>(Val: ThisVal.getAsRegion()); |
| 156 | const CXXRecordDecl *BaseClass = |
| 157 | Init->getBaseClass()->getAsCXXRecordDecl(); |
| 158 | const auto *BaseReg = |
| 159 | MRMgr.getCXXBaseObjectRegion(BaseClass, Super: ThisReg, |
| 160 | IsVirtual: Init->isBaseVirtual()); |
| 161 | return SVB.makeLoc(region: BaseReg); |
| 162 | } |
| 163 | if (Init->isDelegatingInitializer()) |
| 164 | return ThisVal; |
| 165 | |
| 166 | const ValueDecl *Field; |
| 167 | SVal FieldVal; |
| 168 | if (Init->isIndirectMemberInitializer()) { |
| 169 | Field = Init->getIndirectMember(); |
| 170 | FieldVal = State->getLValue(decl: Init->getIndirectMember(), Base: ThisVal); |
| 171 | } else { |
| 172 | Field = Init->getMember(); |
| 173 | FieldVal = State->getLValue(decl: Init->getMember(), Base: ThisVal); |
| 174 | } |
| 175 | |
| 176 | QualType Ty = Field->getType(); |
| 177 | return makeElementRegion(State, LValue: FieldVal, Ty, IsArray&: CallOpts.IsArrayCtorOrDtor, |
| 178 | Idx); |
| 179 | } |
| 180 | case ConstructionContext::NewAllocatedObjectKind: { |
| 181 | if (AMgr.getAnalyzerOptions().MayInlineCXXAllocator) { |
| 182 | const auto *NECC = cast<NewAllocatedObjectConstructionContext>(Val: CC); |
| 183 | const auto *NE = NECC->getCXXNewExpr(); |
| 184 | SVal V = *getObjectUnderConstruction(State, Item: NE, SF); |
| 185 | if (const SubRegion *MR = |
| 186 | dyn_cast_or_null<SubRegion>(Val: V.getAsRegion())) { |
| 187 | if (NE->isArray()) { |
| 188 | CallOpts.IsArrayCtorOrDtor = true; |
| 189 | |
| 190 | auto Ty = NE->getType()->getPointeeType(); |
| 191 | while (const auto *AT = getContext().getAsArrayType(T: Ty)) |
| 192 | Ty = AT->getElementType(); |
| 193 | |
| 194 | auto R = MRMgr.getElementRegion(elementType: Ty, Idx: svalBuilder.makeArrayIndex(idx: Idx), |
| 195 | superRegion: MR, Ctx: SVB.getContext()); |
| 196 | |
| 197 | return loc::MemRegionVal(R); |
| 198 | } |
| 199 | return V; |
| 200 | } |
| 201 | // TODO: Detect when the allocator returns a null pointer. |
| 202 | // Constructor shall not be called in this case. |
| 203 | } |
| 204 | break; |
| 205 | } |
| 206 | case ConstructionContext::SimpleReturnedValueKind: |
| 207 | case ConstructionContext::CXX17ElidedCopyReturnedValueKind: { |
| 208 | // The temporary is to be managed by the parent stack frame. |
| 209 | // So build it in the parent stack frame if we're not in the |
| 210 | // top frame of the analysis. |
| 211 | if (const StackFrame *CallerSF = SF->getParent()) { |
| 212 | auto RTC = (*SF->getCallSiteBlock())[SF->getIndex()] |
| 213 | .getAs<CFGCXXRecordTypedCall>(); |
| 214 | if (!RTC) { |
| 215 | // We were unable to find the correct construction context for the |
| 216 | // call in the parent stack frame. This is equivalent to not being |
| 217 | // able to find construction context at all. |
| 218 | break; |
| 219 | } |
| 220 | |
| 221 | unsigned NVCaller = getNumVisited(SF: CallerSF, Block: SF->getCallSiteBlock()); |
| 222 | return computeObjectUnderConstruction( |
| 223 | E: SF->getCallSite(), State, NumVisitedCaller: NVCaller, SF: CallerSF, |
| 224 | CC: RTC->getConstructionContext(), CallOpts); |
| 225 | } else { |
| 226 | // We are on the top frame of the analysis. We do not know where is the |
| 227 | // object returned to. Conjure a symbolic region for the return value. |
| 228 | // TODO: We probably need a new MemRegion kind to represent the storage |
| 229 | // of that SymbolicRegion, so that we could produce a fancy symbol |
| 230 | // instead of an anonymous conjured symbol. |
| 231 | // TODO: Do we need to track the region to avoid having it dead |
| 232 | // too early? It does die too early, at least in C++17, but because |
| 233 | // putting anything into a SymbolicRegion causes an immediate escape, |
| 234 | // it doesn't cause any leak false positives. |
| 235 | const auto *RCC = cast<ReturnedValueConstructionContext>(Val: CC); |
| 236 | // Make sure that this doesn't coincide with any other symbol |
| 237 | // conjured for the returned expression. |
| 238 | static const int TopLevelSymRegionTag = 0; |
| 239 | const Expr *RetE = RCC->getReturnStmt()->getRetValue(); |
| 240 | assert(RetE && "Void returns should not have a construction context"); |
| 241 | QualType ReturnTy = RetE->getType(); |
| 242 | QualType RegionTy = ACtx.getPointerType(T: ReturnTy); |
| 243 | return SVB.conjureSymbolVal(symbolTag: &TopLevelSymRegionTag, elem: getCFGElementRef(), |
| 244 | SF, type: RegionTy, count: getNumVisitedCurrent()); |
| 245 | } |
| 246 | llvm_unreachable("Unhandled return value construction context!"); |
| 247 | } |
| 248 | case ConstructionContext::ElidedTemporaryObjectKind: { |
| 249 | assert(AMgr.getAnalyzerOptions().ShouldElideConstructors); |
| 250 | const auto *TCC = cast<ElidedTemporaryObjectConstructionContext>(Val: CC); |
| 251 | |
| 252 | // Support pre-C++17 copy elision. We'll have the elidable copy |
| 253 | // constructor in the AST and in the CFG, but we'll skip it |
| 254 | // and construct directly into the final object. This call |
| 255 | // also sets the CallOpts flags for us. |
| 256 | // If the elided copy/move constructor is not supported, there's still |
| 257 | // benefit in trying to model the non-elided constructor. |
| 258 | // Stash our state before trying to elide, as it'll get overwritten. |
| 259 | ProgramStateRef PreElideState = State; |
| 260 | EvalCallOptions PreElideCallOpts = CallOpts; |
| 261 | |
| 262 | SVal V = computeObjectUnderConstruction( |
| 263 | E: TCC->getConstructorAfterElision(), State, NumVisitedCaller, SF, |
| 264 | CC: TCC->getConstructionContextAfterElision(), CallOpts); |
| 265 | |
| 266 | // FIXME: This definition of "copy elision has not failed" is unreliable. |
| 267 | // It doesn't indicate that the constructor will actually be inlined |
| 268 | // later; this is still up to evalCall() to decide. |
| 269 | if (!CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion) |
| 270 | return V; |
| 271 | |
| 272 | // Copy elision failed. Revert the changes and proceed as if we have |
| 273 | // a simple temporary. |
| 274 | CallOpts = PreElideCallOpts; |
| 275 | CallOpts.IsElidableCtorThatHasNotBeenElided = true; |
| 276 | [[fallthrough]]; |
| 277 | } |
| 278 | case ConstructionContext::SimpleTemporaryObjectKind: { |
| 279 | const auto *TCC = cast<TemporaryObjectConstructionContext>(Val: CC); |
| 280 | const MaterializeTemporaryExpr *MTE = TCC->getMaterializedTemporaryExpr(); |
| 281 | |
| 282 | CallOpts.IsTemporaryCtorOrDtor = true; |
| 283 | if (MTE) { |
| 284 | if (const ValueDecl *VD = MTE->getExtendingDecl()) { |
| 285 | StorageDuration SD = MTE->getStorageDuration(); |
| 286 | assert(SD != SD_FullExpression); |
| 287 | if (!VD->getType()->isReferenceType()) { |
| 288 | // We're lifetime-extended by a surrounding aggregate. |
| 289 | // Automatic destructors aren't quite working in this case |
| 290 | // on the CFG side. We should warn the caller about that. |
| 291 | // FIXME: Is there a better way to retrieve this information from |
| 292 | // the MaterializeTemporaryExpr? |
| 293 | CallOpts.IsTemporaryLifetimeExtendedViaAggregate = true; |
| 294 | } |
| 295 | |
| 296 | if (SD == SD_Static || SD == SD_Thread) |
| 297 | return loc::MemRegionVal( |
| 298 | MRMgr.getCXXStaticLifetimeExtendedObjectRegion(Ex: E, VD)); |
| 299 | |
| 300 | return loc::MemRegionVal( |
| 301 | MRMgr.getCXXLifetimeExtendedObjectRegion(Ex: E, VD, SF)); |
| 302 | } |
| 303 | assert(MTE->getStorageDuration() == SD_FullExpression); |
| 304 | } |
| 305 | |
| 306 | return loc::MemRegionVal(MRMgr.getCXXTempObjectRegion(Ex: E, SF)); |
| 307 | } |
| 308 | case ConstructionContext::LambdaCaptureKind: { |
| 309 | CallOpts.IsTemporaryCtorOrDtor = true; |
| 310 | |
| 311 | const auto *LCC = cast<LambdaCaptureConstructionContext>(Val: CC); |
| 312 | |
| 313 | SVal Base = loc::MemRegionVal( |
| 314 | MRMgr.getCXXTempObjectRegion(Ex: LCC->getInitializer(), SF)); |
| 315 | |
| 316 | const auto *CE = dyn_cast_or_null<CXXConstructExpr>(Val: E); |
| 317 | if (getIndexOfElementToConstruct(State, E: CE, SF)) { |
| 318 | CallOpts.IsArrayCtorOrDtor = true; |
| 319 | Base = State->getLValue(ElementType: E->getType(), Idx: svalBuilder.makeArrayIndex(idx: Idx), |
| 320 | Base); |
| 321 | } |
| 322 | |
| 323 | return Base; |
| 324 | } |
| 325 | case ConstructionContext::ArgumentKind: { |
| 326 | // Arguments are technically temporaries. |
| 327 | CallOpts.IsTemporaryCtorOrDtor = true; |
| 328 | |
| 329 | const auto *ACC = cast<ArgumentConstructionContext>(Val: CC); |
| 330 | const Expr *E = ACC->getCallLikeExpr(); |
| 331 | unsigned Idx = ACC->getIndex(); |
| 332 | |
| 333 | CallEventManager &CEMgr = getStateManager().getCallEventManager(); |
| 334 | auto getArgLoc = [&](CallEventRef<> Caller) -> std::optional<SVal> { |
| 335 | const StackFrame *FutureSF = |
| 336 | Caller->getCalleeStackFrame(BlockCount: NumVisitedCaller); |
| 337 | // Return early if we are unable to reliably foresee |
| 338 | // the future stack frame. |
| 339 | if (!FutureSF) |
| 340 | return std::nullopt; |
| 341 | |
| 342 | // This should be equivalent to Caller->getDecl() for now, but |
| 343 | // FutureSF->getDecl() is likely to support better stuff (like |
| 344 | // virtual functions) earlier. |
| 345 | const Decl *CalleeD = FutureSF->getDecl(); |
| 346 | |
| 347 | // FIXME: Support for variadic arguments is not implemented here yet. |
| 348 | if (CallEvent::isVariadic(D: CalleeD)) |
| 349 | return std::nullopt; |
| 350 | |
| 351 | // Operator arguments do not correspond to operator parameters |
| 352 | // because this-argument is implemented as a normal argument in |
| 353 | // operator call expressions but not in operator declarations. |
| 354 | const TypedValueRegion *TVR = Caller->getParameterLocation( |
| 355 | Index: *Caller->getAdjustedParameterIndex(ASTArgumentIndex: Idx), BlockCount: NumVisitedCaller); |
| 356 | if (!TVR) |
| 357 | return std::nullopt; |
| 358 | |
| 359 | return loc::MemRegionVal(TVR); |
| 360 | }; |
| 361 | |
| 362 | if (const auto *CE = dyn_cast<CallExpr>(Val: E)) { |
| 363 | CallEventRef<> Caller = |
| 364 | CEMgr.getSimpleCall(E: CE, State, SF, ElemRef: getCFGElementRef()); |
| 365 | if (std::optional<SVal> V = getArgLoc(Caller)) |
| 366 | return *V; |
| 367 | else |
| 368 | break; |
| 369 | } else if (const auto *CCE = dyn_cast<CXXConstructExpr>(Val: E)) { |
| 370 | // Don't bother figuring out the target region for the future |
| 371 | // constructor because we won't need it. |
| 372 | CallEventRef<> Caller = CEMgr.getCXXConstructorCall( |
| 373 | E: CCE, /*Target=*/nullptr, State, SF, ElemRef: getCFGElementRef()); |
| 374 | if (std::optional<SVal> V = getArgLoc(Caller)) |
| 375 | return *V; |
| 376 | else |
| 377 | break; |
| 378 | } else if (const auto *ME = dyn_cast<ObjCMessageExpr>(Val: E)) { |
| 379 | CallEventRef<> Caller = |
| 380 | CEMgr.getObjCMethodCall(E: ME, State, SF, ElemRef: getCFGElementRef()); |
| 381 | if (std::optional<SVal> V = getArgLoc(Caller)) |
| 382 | return *V; |
| 383 | else |
| 384 | break; |
| 385 | } |
| 386 | } |
| 387 | } // switch (CC->getKind()) |
| 388 | } |
| 389 | |
| 390 | // If we couldn't find an existing region to construct into, assume we're |
| 391 | // constructing a temporary. Notify the caller of our failure. |
| 392 | CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true; |
| 393 | return loc::MemRegionVal(MRMgr.getCXXTempObjectRegion(Ex: E, SF)); |
| 394 | } |
| 395 | |
| 396 | ProgramStateRef ExprEngine::updateObjectsUnderConstruction( |
| 397 | SVal V, const Expr *E, ProgramStateRef State, const StackFrame *SF, |
| 398 | const ConstructionContext *CC, const EvalCallOptions &CallOpts) { |
| 399 | if (CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion) { |
| 400 | // Sounds like we failed to find the target region and therefore |
| 401 | // copy elision failed. There's nothing we can do about it here. |
| 402 | return State; |
| 403 | } |
| 404 | |
| 405 | // See if we're constructing an existing region by looking at the |
| 406 | // current construction context. |
| 407 | assert(CC && "Computed target region without construction context?"); |
| 408 | switch (CC->getKind()) { |
| 409 | case ConstructionContext::CXX17ElidedCopyVariableKind: |
| 410 | case ConstructionContext::SimpleVariableKind: { |
| 411 | const auto *DSCC = cast<VariableConstructionContext>(Val: CC); |
| 412 | return addObjectUnderConstruction(State, Item: DSCC->getDeclStmt(), SF, V); |
| 413 | } |
| 414 | case ConstructionContext::CXX17ElidedCopyConstructorInitializerKind: |
| 415 | case ConstructionContext::SimpleConstructorInitializerKind: { |
| 416 | const auto *ICC = cast<ConstructorInitializerConstructionContext>(Val: CC); |
| 417 | const auto *Init = ICC->getCXXCtorInitializer(); |
| 418 | // Base and delegating initializers handled above |
| 419 | assert(Init->isAnyMemberInitializer() && |
| 420 | "Base and delegating initializers should have been handled by" |
| 421 | "computeObjectUnderConstruction()"); |
| 422 | return addObjectUnderConstruction(State, Item: Init, SF, V); |
| 423 | } |
| 424 | case ConstructionContext::NewAllocatedObjectKind: { |
| 425 | return State; |
| 426 | } |
| 427 | case ConstructionContext::SimpleReturnedValueKind: |
| 428 | case ConstructionContext::CXX17ElidedCopyReturnedValueKind: { |
| 429 | const StackFrame *CallerSF = SF->getParent(); |
| 430 | if (!CallerSF) { |
| 431 | // No extra work is necessary in top frame. |
| 432 | return State; |
| 433 | } |
| 434 | |
| 435 | auto RTC = (*SF->getCallSiteBlock())[SF->getIndex()] |
| 436 | .getAs<CFGCXXRecordTypedCall>(); |
| 437 | assert(RTC && "Could not have had a target region without it"); |
| 438 | |
| 439 | return updateObjectsUnderConstruction( |
| 440 | V, E: SF->getCallSite(), State, SF: CallerSF, CC: RTC->getConstructionContext(), |
| 441 | CallOpts); |
| 442 | } |
| 443 | case ConstructionContext::ElidedTemporaryObjectKind: { |
| 444 | assert(AMgr.getAnalyzerOptions().ShouldElideConstructors); |
| 445 | if (!CallOpts.IsElidableCtorThatHasNotBeenElided) { |
| 446 | const auto *TCC = cast<ElidedTemporaryObjectConstructionContext>(Val: CC); |
| 447 | State = updateObjectsUnderConstruction( |
| 448 | V, E: TCC->getConstructorAfterElision(), State, SF, |
| 449 | CC: TCC->getConstructionContextAfterElision(), CallOpts); |
| 450 | |
| 451 | // Remember that we've elided the constructor. |
| 452 | State = addObjectUnderConstruction( |
| 453 | State, Item: TCC->getConstructorAfterElision(), SF, V); |
| 454 | |
| 455 | // Remember that we've elided the destructor. |
| 456 | if (const auto *BTE = TCC->getCXXBindTemporaryExpr()) |
| 457 | State = elideDestructor(State, BTE, SF); |
| 458 | |
| 459 | // Instead of materialization, shamelessly return |
| 460 | // the final object destination. |
| 461 | if (const auto *MTE = TCC->getMaterializedTemporaryExpr()) |
| 462 | State = addObjectUnderConstruction(State, Item: MTE, SF, V); |
| 463 | |
| 464 | return State; |
| 465 | } |
| 466 | // If we decided not to elide the constructor, proceed as if |
| 467 | // it's a simple temporary. |
| 468 | [[fallthrough]]; |
| 469 | } |
| 470 | case ConstructionContext::SimpleTemporaryObjectKind: { |
| 471 | const auto *TCC = cast<TemporaryObjectConstructionContext>(Val: CC); |
| 472 | if (const auto *BTE = TCC->getCXXBindTemporaryExpr()) |
| 473 | State = addObjectUnderConstruction(State, Item: BTE, SF, V); |
| 474 | |
| 475 | if (const auto *MTE = TCC->getMaterializedTemporaryExpr()) |
| 476 | State = addObjectUnderConstruction(State, Item: MTE, SF, V); |
| 477 | |
| 478 | return State; |
| 479 | } |
| 480 | case ConstructionContext::LambdaCaptureKind: { |
| 481 | const auto *LCC = cast<LambdaCaptureConstructionContext>(Val: CC); |
| 482 | |
| 483 | // If we capture and array, we want to store the super region, not a |
| 484 | // sub-region. |
| 485 | if (const auto *EL = dyn_cast_or_null<ElementRegion>(Val: V.getAsRegion())) |
| 486 | V = loc::MemRegionVal(EL->getSuperRegion()); |
| 487 | |
| 488 | return addObjectUnderConstruction( |
| 489 | State, Item: {LCC->getLambdaExpr(), LCC->getIndex()}, SF, V); |
| 490 | } |
| 491 | case ConstructionContext::ArgumentKind: { |
| 492 | const auto *ACC = cast<ArgumentConstructionContext>(Val: CC); |
| 493 | if (const auto *BTE = ACC->getCXXBindTemporaryExpr()) |
| 494 | State = addObjectUnderConstruction(State, Item: BTE, SF, V); |
| 495 | |
| 496 | return addObjectUnderConstruction( |
| 497 | State, Item: {ACC->getCallLikeExpr(), ACC->getIndex()}, SF, V); |
| 498 | } |
| 499 | } |
| 500 | llvm_unreachable("Unhandled construction context!"); |
| 501 | } |
| 502 | |
| 503 | static ProgramStateRef |
| 504 | bindRequiredArrayElementToEnvironment(ProgramStateRef State, |
| 505 | const ArrayInitLoopExpr *AILE, |
| 506 | const StackFrame *SF, NonLoc Idx) { |
| 507 | SValBuilder &SVB = State->getStateManager().getSValBuilder(); |
| 508 | MemRegionManager &MRMgr = SVB.getRegionManager(); |
| 509 | ASTContext &Ctx = SVB.getContext(); |
| 510 | |
| 511 | // HACK: There is no way we can put the index of the array element into the |
| 512 | // CFG unless we unroll the loop, so we manually select and bind the required |
| 513 | // parameter to the environment. |
| 514 | const Expr *SourceArray = AILE->getCommonExpr()->getSourceExpr(); |
| 515 | const auto *Ctor = |
| 516 | cast<CXXConstructExpr>(Val: extractElementInitializerFromNestedAILE(AILE)); |
| 517 | |
| 518 | const auto *SourceArrayRegion = |
| 519 | cast<SubRegion>(Val: State->getSVal(E: SourceArray, SF).getAsRegion()); |
| 520 | const ElementRegion *ElementRegion = |
| 521 | MRMgr.getElementRegion(elementType: Ctor->getType(), Idx, superRegion: SourceArrayRegion, Ctx); |
| 522 | |
| 523 | return State->BindExpr(E: Ctor->getArg(Arg: 0), SF, V: loc::MemRegionVal(ElementRegion)); |
| 524 | } |
| 525 | |
| 526 | void ExprEngine::handleConstructor(const Expr *E, |
| 527 | ExplodedNode *Pred, |
| 528 | ExplodedNodeSet &destNodes) { |
| 529 | const auto *CE = dyn_cast<CXXConstructExpr>(Val: E); |
| 530 | const auto *CIE = dyn_cast<CXXInheritedCtorInitExpr>(Val: E); |
| 531 | assert(CE || CIE); |
| 532 | |
| 533 | const StackFrame *SF = Pred->getStackFrame(); |
| 534 | ProgramStateRef State = Pred->getState(); |
| 535 | |
| 536 | SVal Target = UnknownVal(); |
| 537 | |
| 538 | if (CE) { |
| 539 | if (std::optional<SVal> ElidedTarget = |
| 540 | getObjectUnderConstruction(State, Item: CE, SF)) { |
| 541 | // We've previously modeled an elidable constructor by pretending that |
| 542 | // it in fact constructs into the correct target. This constructor can |
| 543 | // therefore be skipped. |
| 544 | Target = *ElidedTarget; |
| 545 | NodeBuilder Bldr(Pred, destNodes, *currBldrCtx); |
| 546 | State = finishObjectConstruction(State, Item: CE, SF); |
| 547 | if (auto L = Target.getAs<Loc>()) |
| 548 | State = State->BindExpr(E: CE, SF, V: State->getSVal(LV: *L, T: CE->getType())); |
| 549 | Bldr.generateNode(S: CE, Pred, St: State); |
| 550 | return; |
| 551 | } |
| 552 | } |
| 553 | |
| 554 | EvalCallOptions CallOpts; |
| 555 | auto C = getCurrentCFGElement().getAs<CFGConstructor>(); |
| 556 | assert(C || getCurrentCFGElement().getAs<CFGStmt>()); |
| 557 | const ConstructionContext *CC = C ? C->getConstructionContext() : nullptr; |
| 558 | |
| 559 | const CXXConstructionKind CK = |
| 560 | CE ? CE->getConstructionKind() : CIE->getConstructionKind(); |
| 561 | switch (CK) { |
| 562 | case CXXConstructionKind::Complete: { |
| 563 | // Inherited constructors are always base class constructors. |
| 564 | assert(CE && !CIE && "A complete constructor is inherited?!"); |
| 565 | |
| 566 | // If the ctor is part of an ArrayInitLoopExpr, we want to handle it |
| 567 | // differently. |
| 568 | auto *AILE = CC ? CC->getArrayInitLoop() : nullptr; |
| 569 | |
| 570 | unsigned Idx = 0; |
| 571 | if (CE->getType()->isArrayType() || AILE) { |
| 572 | |
| 573 | auto isZeroSizeArray = [&] { |
| 574 | uint64_t Size = 1; |
| 575 | |
| 576 | if (const auto *CAT = dyn_cast<ConstantArrayType>(Val: CE->getType())) |
| 577 | Size = getContext().getConstantArrayElementCount(CA: CAT); |
| 578 | else if (AILE) |
| 579 | Size = getContext().getArrayInitLoopExprElementCount(AILE); |
| 580 | |
| 581 | return Size == 0; |
| 582 | }; |
| 583 | |
| 584 | // No element construction will happen in a 0 size array. |
| 585 | if (isZeroSizeArray()) { |
| 586 | NodeBuilder Bldr(Pred, destNodes, *currBldrCtx); |
| 587 | static SimpleProgramPointTag T{"ExprEngine", |
| 588 | "Skipping 0 size array construction"}; |
| 589 | Bldr.generateNode(S: CE, Pred, St: State, tag: &T); |
| 590 | return; |
| 591 | } |
| 592 | |
| 593 | Idx = getIndexOfElementToConstruct(State, E: CE, SF).value_or(u: 0u); |
| 594 | State = setIndexOfElementToConstruct(State, E: CE, SF, Idx: Idx + 1); |
| 595 | } |
| 596 | |
| 597 | if (AILE) { |
| 598 | // Only set this once even though we loop through it multiple times. |
| 599 | if (!getPendingInitLoop(State, E: CE, SF)) |
| 600 | State = setPendingInitLoop( |
| 601 | State, E: CE, SF, Idx: getContext().getArrayInitLoopExprElementCount(AILE)); |
| 602 | |
| 603 | State = bindRequiredArrayElementToEnvironment( |
| 604 | State, AILE, SF, Idx: svalBuilder.makeArrayIndex(idx: Idx)); |
| 605 | } |
| 606 | |
| 607 | // The target region is found from construction context. |
| 608 | std::tie(args&: State, args&: Target) = handleConstructionContext(E: CE, State, BldrCtx: currBldrCtx, |
| 609 | SF, CC, CallOpts, Idx); |
| 610 | break; |
| 611 | } |
| 612 | case CXXConstructionKind::VirtualBase: { |
| 613 | // Make sure we are not calling virtual base class initializers twice. |
| 614 | // Only the most-derived object should initialize virtual base classes. |
| 615 | const auto *OuterCtor = |
| 616 | dyn_cast_or_null<CXXConstructExpr>(Val: SF->getCallSite()); |
| 617 | assert( |
| 618 | (!OuterCtor || |
| 619 | OuterCtor->getConstructionKind() == CXXConstructionKind::Complete || |
| 620 | OuterCtor->getConstructionKind() == CXXConstructionKind::Delegating) && |
| 621 | ("This virtual base should have already been initialized by " |
| 622 | "the most derived class!")); |
| 623 | (void)OuterCtor; |
| 624 | [[fallthrough]]; |
| 625 | } |
| 626 | case CXXConstructionKind::NonVirtualBase: |
| 627 | // In C++17, classes with non-virtual bases may be aggregates, so they would |
| 628 | // be initialized as aggregates without a constructor call, so we may have |
| 629 | // a base class constructed directly into an initializer list without |
| 630 | // having the derived-class constructor call on the previous stack frame. |
| 631 | // Initializer lists may be nested into more initializer lists that |
| 632 | // correspond to surrounding aggregate initializations. |
| 633 | // FIXME: For now this code essentially bails out. We need to find the |
| 634 | // correct target region and set it. |
| 635 | // FIXME: Instead of relying on the ParentMap, we should have the |
| 636 | // trigger-statement (InitListExpr or CXXParenListInitExpr in this case) |
| 637 | // passed down from CFG or otherwise always available during construction. |
| 638 | if (isa_and_nonnull<InitListExpr, CXXParenListInitExpr>( |
| 639 | Val: SF->getParentMap().getParent(S: E))) { |
| 640 | MemRegionManager &MRMgr = getSValBuilder().getRegionManager(); |
| 641 | Target = loc::MemRegionVal(MRMgr.getCXXTempObjectRegion(Ex: E, SF)); |
| 642 | CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true; |
| 643 | break; |
| 644 | } |
| 645 | [[fallthrough]]; |
| 646 | case CXXConstructionKind::Delegating: { |
| 647 | const CXXMethodDecl *CurCtor = cast<CXXMethodDecl>(Val: SF->getDecl()); |
| 648 | Loc ThisPtr = getSValBuilder().getCXXThis(D: CurCtor, SF); |
| 649 | SVal ThisVal = State->getSVal(LV: ThisPtr); |
| 650 | |
| 651 | if (CK == CXXConstructionKind::Delegating) { |
| 652 | Target = ThisVal; |
| 653 | } else { |
| 654 | // Cast to the base type. |
| 655 | bool IsVirtual = (CK == CXXConstructionKind::VirtualBase); |
| 656 | SVal BaseVal = |
| 657 | getStoreManager().evalDerivedToBase(Derived: ThisVal, DerivedPtrType: E->getType(), IsVirtual); |
| 658 | Target = BaseVal; |
| 659 | } |
| 660 | break; |
| 661 | } |
| 662 | } |
| 663 | |
| 664 | if (State != Pred->getState()) { |
| 665 | static SimpleProgramPointTag T("ExprEngine", |
| 666 | "Prepare for object construction"); |
| 667 | ExplodedNodeSet DstPrepare; |
| 668 | NodeBuilder BldrPrepare(Pred, DstPrepare, *currBldrCtx); |
| 669 | Pred = |
| 670 | BldrPrepare.generateNode(S: E, Pred, St: State, tag: &T, K: ProgramPoint::PreStmtKind); |
| 671 | if (!Pred) |
| 672 | return; |
| 673 | } |
| 674 | |
| 675 | const MemRegion *TargetRegion = Target.getAsRegion(); |
| 676 | CallEventManager &CEMgr = getStateManager().getCallEventManager(); |
| 677 | CallEventRef<> Call = |
| 678 | CIE ? (CallEventRef<>)CEMgr.getCXXInheritedConstructorCall( |
| 679 | E: CIE, Target: TargetRegion, State, SF, ElemRef: getCFGElementRef()) |
| 680 | : (CallEventRef<>)CEMgr.getCXXConstructorCall(E: CE, Target: TargetRegion, State, |
| 681 | SF, ElemRef: getCFGElementRef()); |
| 682 | |
| 683 | ExplodedNodeSet DstPreVisit; |
| 684 | getCheckerManager().runCheckersForPreStmt(Dst&: DstPreVisit, Src: Pred, S: E, Eng&: *this); |
| 685 | |
| 686 | ExplodedNodeSet PreInitialized; |
| 687 | if (CE) { |
| 688 | // FIXME: Is it possible and/or useful to do this before PreStmt? |
| 689 | NodeBuilder Bldr(DstPreVisit, PreInitialized, *currBldrCtx); |
| 690 | for (ExplodedNode *N : DstPreVisit) { |
| 691 | ProgramStateRef State = N->getState(); |
| 692 | if (CE->requiresZeroInitialization()) { |
| 693 | // FIXME: Once we properly handle constructors in new-expressions, we'll |
| 694 | // need to invalidate the region before setting a default value, to make |
| 695 | // sure there aren't any lingering bindings around. This probably needs |
| 696 | // to happen regardless of whether or not the object is zero-initialized |
| 697 | // to handle random fields of a placement-initialized object picking up |
| 698 | // old bindings. We might only want to do it when we need to, though. |
| 699 | // FIXME: This isn't actually correct for arrays -- we need to zero- |
| 700 | // initialize the entire array, not just the first element -- but our |
| 701 | // handling of arrays everywhere else is weak as well, so this shouldn't |
| 702 | // actually make things worse. Placement new makes this tricky as well, |
| 703 | // since it's then possible to be initializing one part of a multi- |
| 704 | // dimensional array. |
| 705 | const CXXRecordDecl *TargetHeldRecord = |
| 706 | dyn_cast_or_null<CXXRecordDecl>(Val: CE->getType()->getAsRecordDecl()); |
| 707 | |
| 708 | if (!TargetHeldRecord || !TargetHeldRecord->isEmpty()) |
| 709 | State = State->bindDefaultZero(loc: Target, SF); |
| 710 | } |
| 711 | |
| 712 | Bldr.generateNode(S: CE, Pred: N, St: State, /*tag=*/nullptr, |
| 713 | K: ProgramPoint::PreStmtKind); |
| 714 | } |
| 715 | } else { |
| 716 | PreInitialized = DstPreVisit; |
| 717 | } |
| 718 | |
| 719 | ExplodedNodeSet DstPreCall; |
| 720 | getCheckerManager().runCheckersForPreCall(Dst&: DstPreCall, Src: PreInitialized, |
| 721 | Call: *Call, Eng&: *this); |
| 722 | |
| 723 | ExplodedNodeSet DstEvaluated; |
| 724 | |
| 725 | if (CE && CE->getConstructor()->isTrivial() && |
| 726 | CE->getConstructor()->isCopyOrMoveConstructor() && |
| 727 | !CallOpts.IsArrayCtorOrDtor) { |
| 728 | // FIXME: Handle other kinds of trivial constructors as well. |
| 729 | for (ExplodedNode *N : DstPreCall) |
| 730 | performTrivialCopy(Dst&: DstEvaluated, Pred: N, Call: *Call); |
| 731 | |
| 732 | } else { |
| 733 | for (ExplodedNode *N : DstPreCall) |
| 734 | getCheckerManager().runCheckersForEvalCall(Dst&: DstEvaluated, Src: N, CE: *Call, Eng&: *this, |
| 735 | CallOpts); |
| 736 | } |
| 737 | |
| 738 | // If the CFG was constructed without elements for temporary destructors |
| 739 | // and the just-called constructor created a temporary object then |
| 740 | // stop exploration if the temporary object has a noreturn constructor. |
| 741 | // This can lose coverage because the destructor, if it were present |
| 742 | // in the CFG, would be called at the end of the full expression or |
| 743 | // later (for life-time extended temporaries) -- but avoids infeasible |
| 744 | // paths when no-return temporary destructors are used for assertions. |
| 745 | ExplodedNodeSet DstEvaluatedPostProcessed; |
| 746 | NodeBuilder Bldr(DstEvaluated, DstEvaluatedPostProcessed, *currBldrCtx); |
| 747 | const AnalysisDeclContext *ADC = SF->getAnalysisDeclContext(); |
| 748 | if (!ADC->getCFGBuildOptions().AddTemporaryDtors) { |
| 749 | if (llvm::isa_and_nonnull<CXXTempObjectRegion, |
| 750 | CXXLifetimeExtendedObjectRegion>(Val: TargetRegion) && |
| 751 | cast<CXXConstructorDecl>(Val: Call->getDecl()) |
| 752 | ->getParent() |
| 753 | ->isAnyDestructorNoReturn()) { |
| 754 | |
| 755 | // If we've inlined the constructor, then DstEvaluated would be empty. |
| 756 | // In this case we still want a sink, which could be implemented |
| 757 | // in processCallExit. But we don't have that implemented at the moment, |
| 758 | // so if you hit this assertion, see if you can avoid inlining |
| 759 | // the respective constructor when analyzer-config cfg-temporary-dtors |
| 760 | // is set to false. |
| 761 | // Otherwise there's nothing wrong with inlining such constructor. |
| 762 | assert(!DstEvaluated.empty() && |
| 763 | "We should not have inlined this constructor!"); |
| 764 | |
| 765 | for (ExplodedNode *N : DstEvaluated) { |
| 766 | Bldr.generateSink(S: E, Pred: N, St: N->getState()); |
| 767 | } |
| 768 | |
| 769 | // There is no need to run the PostCall and PostStmt checker |
| 770 | // callbacks because we just generated sinks on all nodes in th |
| 771 | // frontier. |
| 772 | return; |
| 773 | } |
| 774 | } |
| 775 | |
| 776 | ExplodedNodeSet DstPostArgumentCleanup; |
| 777 | for (ExplodedNode *I : DstEvaluatedPostProcessed) |
| 778 | finishArgumentConstruction(Dst&: DstPostArgumentCleanup, Pred: I, Call: *Call); |
| 779 | |
| 780 | // If there were other constructors called for object-type arguments |
| 781 | // of this constructor, clean them up. |
| 782 | ExplodedNodeSet DstPostCall; |
| 783 | getCheckerManager().runCheckersForPostCall(Dst&: DstPostCall, |
| 784 | Src: DstPostArgumentCleanup, |
| 785 | Call: *Call, Eng&: *this); |
| 786 | getCheckerManager().runCheckersForPostStmt(Dst&: destNodes, Src: DstPostCall, S: E, Eng&: *this); |
| 787 | } |
| 788 | |
| 789 | void ExprEngine::VisitCXXConstructExpr(const CXXConstructExpr *CE, |
| 790 | ExplodedNode *Pred, |
| 791 | ExplodedNodeSet &Dst) { |
| 792 | handleConstructor(E: CE, Pred, destNodes&: Dst); |
| 793 | } |
| 794 | |
| 795 | void ExprEngine::VisitCXXInheritedCtorInitExpr( |
| 796 | const CXXInheritedCtorInitExpr *CE, ExplodedNode *Pred, |
| 797 | ExplodedNodeSet &Dst) { |
| 798 | handleConstructor(E: CE, Pred, destNodes&: Dst); |
| 799 | } |
| 800 | |
| 801 | void ExprEngine::VisitCXXDestructor(QualType ObjectType, |
| 802 | const MemRegion *Dest, |
| 803 | const Stmt *S, |
| 804 | bool IsBaseDtor, |
| 805 | ExplodedNode *Pred, |
| 806 | ExplodedNodeSet &Dst, |
| 807 | EvalCallOptions &CallOpts) { |
| 808 | assert(S && "A destructor without a trigger!"); |
| 809 | const StackFrame *SF = Pred->getStackFrame(); |
| 810 | ProgramStateRef State = Pred->getState(); |
| 811 | |
| 812 | const CXXRecordDecl *RecordDecl = ObjectType->getAsCXXRecordDecl(); |
| 813 | assert(RecordDecl && "Only CXXRecordDecls should have destructors"); |
| 814 | const CXXDestructorDecl *DtorDecl = RecordDecl->getDestructor(); |
| 815 | // FIXME: There should always be a Decl, otherwise the destructor call |
| 816 | // shouldn't have been added to the CFG in the first place. |
| 817 | if (!DtorDecl) { |
| 818 | // Skip the invalid destructor. We cannot simply return because |
| 819 | // it would interrupt the analysis instead. |
| 820 | static SimpleProgramPointTag T("ExprEngine", "SkipInvalidDestructor"); |
| 821 | // FIXME: PostImplicitCall with a null decl may crash elsewhere anyway. |
| 822 | PostImplicitCall PP(/*Decl=*/nullptr, S->getEndLoc(), SF, |
| 823 | getCFGElementRef(), &T); |
| 824 | NodeBuilder Bldr(Pred, Dst, *currBldrCtx); |
| 825 | Bldr.generateNode(PP, State: Pred->getState(), Pred); |
| 826 | return; |
| 827 | } |
| 828 | |
| 829 | if (!Dest) { |
| 830 | // We're trying to destroy something that is not a region. This may happen |
| 831 | // for a variety of reasons (unknown target region, concrete integer instead |
| 832 | // of target region, etc.). The current code makes an attempt to recover. |
| 833 | // FIXME: We probably don't really need to recover when we're dealing |
| 834 | // with concrete integers specifically. |
| 835 | CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true; |
| 836 | if (const Expr *E = dyn_cast_or_null<Expr>(Val: S)) { |
| 837 | Dest = MRMgr.getCXXTempObjectRegion(Ex: E, SF: Pred->getStackFrame()); |
| 838 | } else { |
| 839 | static SimpleProgramPointTag T("ExprEngine", "SkipInvalidDestructor"); |
| 840 | NodeBuilder Bldr(Pred, Dst, *currBldrCtx); |
| 841 | Bldr.generateSink(PP: Pred->getLocation().withTag(tag: &T), |
| 842 | State: Pred->getState(), Pred); |
| 843 | return; |
| 844 | } |
| 845 | } |
| 846 | |
| 847 | CallEventManager &CEMgr = getStateManager().getCallEventManager(); |
| 848 | CallEventRef<CXXDestructorCall> Call = CEMgr.getCXXDestructorCall( |
| 849 | DD: DtorDecl, Trigger: S, Target: Dest, IsBase: IsBaseDtor, State, SF, ElemRef: getCFGElementRef()); |
| 850 | |
| 851 | PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), |
| 852 | Call->getSourceRange().getBegin(), |
| 853 | "Error evaluating destructor"); |
| 854 | |
| 855 | ExplodedNodeSet DstPreCall; |
| 856 | getCheckerManager().runCheckersForPreCall(Dst&: DstPreCall, Src: Pred, |
| 857 | Call: *Call, Eng&: *this); |
| 858 | |
| 859 | ExplodedNodeSet DstInvalidated; |
| 860 | for (ExplodedNode *N : DstPreCall) |
| 861 | defaultEvalCall(Dst&: DstInvalidated, Pred: N, Call: *Call, CallOpts); |
| 862 | |
| 863 | getCheckerManager().runCheckersForPostCall(Dst, Src: DstInvalidated, |
| 864 | Call: *Call, Eng&: *this); |
| 865 | } |
| 866 | |
| 867 | void ExprEngine::VisitCXXNewAllocatorCall(const CXXNewExpr *CNE, |
| 868 | ExplodedNode *Pred, |
| 869 | ExplodedNodeSet &Dst) { |
| 870 | ProgramStateRef State = Pred->getState(); |
| 871 | const StackFrame *SF = Pred->getStackFrame(); |
| 872 | PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(), |
| 873 | CNE->getBeginLoc(), |
| 874 | "Error evaluating New Allocator Call"); |
| 875 | CallEventManager &CEMgr = getStateManager().getCallEventManager(); |
| 876 | CallEventRef<CXXAllocatorCall> Call = |
| 877 | CEMgr.getCXXAllocatorCall(E: CNE, State, SF, ElemRef: getCFGElementRef()); |
| 878 | |
| 879 | ExplodedNodeSet DstPreCall; |
| 880 | getCheckerManager().runCheckersForPreCall(Dst&: DstPreCall, Src: Pred, |
| 881 | Call: *Call, Eng&: *this); |
| 882 | |
| 883 | ExplodedNodeSet DstPostCall; |
| 884 | for (ExplodedNode *I : DstPreCall) { |
| 885 | // Operator new calls (CXXNewExpr) are intentionally not eval-called, |
| 886 | // because it does not make sense to eval-call user-provided functions. |
| 887 | // 1) If the new operator can be inlined, then don't prevent it from |
| 888 | // inlining by having an eval-call of that operator. |
| 889 | // 2) If it can't be inlined, then the default conservative modeling |
| 890 | // is what we want anyway. |
| 891 | // So the best is to not allow eval-calling CXXNewExprs from checkers. |
| 892 | // Checkers can provide their pre/post-call callbacks if needed. |
| 893 | defaultEvalCall(Dst&: DstPostCall, Pred: I, Call: *Call); |
| 894 | } |
| 895 | // If the call is inlined, DstPostCall will be empty and we bail out now. |
| 896 | |
| 897 | // Store return value of operator new() for future use, until the actual |
| 898 | // CXXNewExpr gets processed. |
| 899 | ExplodedNodeSet DstPostValue; |
| 900 | NodeBuilder ValueBldr(DstPostCall, DstPostValue, *currBldrCtx); |
| 901 | for (ExplodedNode *I : DstPostCall) { |
| 902 | // FIXME: Because CNE serves as the "call site" for the allocator (due to |
| 903 | // lack of a better expression in the AST), the conjured return value symbol |
| 904 | // is going to be of the same type (C++ object pointer type). Technically |
| 905 | // this is not correct because the operator new's prototype always says that |
| 906 | // it returns a 'void *'. So we should change the type of the symbol, |
| 907 | // and then evaluate the cast over the symbolic pointer from 'void *' to |
| 908 | // the object pointer type. But without changing the symbol's type it |
| 909 | // is breaking too much to evaluate the no-op symbolic cast over it, so we |
| 910 | // skip it for now. |
| 911 | ProgramStateRef State = I->getState(); |
| 912 | SVal RetVal = State->getSVal(E: CNE, SF); |
| 913 | // [basic.stc.dynamic.allocation] (on the return value of an allocation |
| 914 | // function): |
| 915 | // "The order, contiguity, and initial value of storage allocated by |
| 916 | // successive calls to an allocation function are unspecified." |
| 917 | State = State->bindDefaultInitial(loc: RetVal, V: UndefinedVal{}, SF); |
| 918 | |
| 919 | // If this allocation function is not declared as non-throwing, failures |
| 920 | // /must/ be signalled by exceptions, and thus the return value will never |
| 921 | // be NULL. -fno-exceptions does not influence this semantics. |
| 922 | // FIXME: GCC has a -fcheck-new option, which forces it to consider the case |
| 923 | // where new can return NULL. If we end up supporting that option, we can |
| 924 | // consider adding a check for it here. |
| 925 | // C++11 [basic.stc.dynamic.allocation]p3. |
| 926 | if (const FunctionDecl *FD = CNE->getOperatorNew()) { |
| 927 | QualType Ty = FD->getType(); |
| 928 | if (const auto *ProtoType = Ty->getAs<FunctionProtoType>()) |
| 929 | if (!ProtoType->isNothrow()) |
| 930 | State = State->assume(Cond: RetVal.castAs<DefinedOrUnknownSVal>(), Assumption: true); |
| 931 | } |
| 932 | |
| 933 | ValueBldr.generateNode(S: CNE, Pred: I, |
| 934 | St: addObjectUnderConstruction(State, Item: CNE, SF, V: RetVal)); |
| 935 | } |
| 936 | |
| 937 | ExplodedNodeSet DstPostPostCallCallback; |
| 938 | getCheckerManager().runCheckersForPostCall(Dst&: DstPostPostCallCallback, |
| 939 | Src: DstPostValue, Call: *Call, Eng&: *this); |
| 940 | for (ExplodedNode *I : DstPostPostCallCallback) { |
| 941 | getCheckerManager().runCheckersForNewAllocator(Call: *Call, Dst, Pred: I, Eng&: *this); |
| 942 | } |
| 943 | } |
| 944 | |
| 945 | void ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred, |
| 946 | ExplodedNodeSet &Dst) { |
| 947 | // FIXME: Much of this should eventually migrate to CXXAllocatorCall. |
| 948 | // Also, we need to decide how allocators actually work -- they're not |
| 949 | // really part of the CXXNewExpr because they happen BEFORE the |
| 950 | // CXXConstructExpr subexpression. See PR12014 for some discussion. |
| 951 | |
| 952 | unsigned blockCount = getNumVisitedCurrent(); |
| 953 | const StackFrame *SF = Pred->getStackFrame(); |
| 954 | SVal symVal = UnknownVal(); |
| 955 | FunctionDecl *FD = CNE->getOperatorNew(); |
| 956 | |
| 957 | bool IsStandardGlobalOpNewFunction = |
| 958 | FD->isReplaceableGlobalAllocationFunction(); |
| 959 | |
| 960 | ProgramStateRef State = Pred->getState(); |
| 961 | |
| 962 | // Retrieve the stored operator new() return value. |
| 963 | if (AMgr.getAnalyzerOptions().MayInlineCXXAllocator) { |
| 964 | symVal = *getObjectUnderConstruction(State, Item: CNE, SF); |
| 965 | State = finishObjectConstruction(State, Item: CNE, SF); |
| 966 | } |
| 967 | |
| 968 | // We assume all standard global 'operator new' functions allocate memory in |
| 969 | // heap. We realize this is an approximation that might not correctly model |
| 970 | // a custom global allocator. |
| 971 | if (symVal.isUnknown()) { |
| 972 | if (IsStandardGlobalOpNewFunction) |
| 973 | symVal = svalBuilder.getConjuredHeapSymbolVal(elem: getCFGElementRef(), SF, |
| 974 | type: CNE->getType(), Count: blockCount); |
| 975 | else |
| 976 | symVal = svalBuilder.conjureSymbolVal( |
| 977 | /*symbolTag=*/nullptr, elem: getCFGElementRef(), SF, count: blockCount); |
| 978 | } |
| 979 | |
| 980 | CallEventManager &CEMgr = getStateManager().getCallEventManager(); |
| 981 | CallEventRef<CXXAllocatorCall> Call = |
| 982 | CEMgr.getCXXAllocatorCall(E: CNE, State, SF, ElemRef: getCFGElementRef()); |
| 983 | |
| 984 | if (!AMgr.getAnalyzerOptions().MayInlineCXXAllocator) { |
| 985 | // Invalidate placement args. |
| 986 | // FIXME: Once we figure out how we want allocators to work, |
| 987 | // we should be using the usual pre-/(default-)eval-/post-call checkers |
| 988 | // here. |
| 989 | State = Call->invalidateRegions(BlockCount: blockCount, State); |
| 990 | if (!State) |
| 991 | return; |
| 992 | |
| 993 | // If this allocation function is not declared as non-throwing, failures |
| 994 | // /must/ be signalled by exceptions, and thus the return value will never |
| 995 | // be NULL. -fno-exceptions does not influence this semantics. |
| 996 | // FIXME: GCC has a -fcheck-new option, which forces it to consider the case |
| 997 | // where new can return NULL. If we end up supporting that option, we can |
| 998 | // consider adding a check for it here. |
| 999 | // C++11 [basic.stc.dynamic.allocation]p3. |
| 1000 | if (const auto *ProtoType = FD->getType()->getAs<FunctionProtoType>()) |
| 1001 | if (!ProtoType->isNothrow()) |
| 1002 | if (auto dSymVal = symVal.getAs<DefinedOrUnknownSVal>()) |
| 1003 | State = State->assume(Cond: *dSymVal, Assumption: true); |
| 1004 | } |
| 1005 | |
| 1006 | NodeBuilder Bldr(Pred, Dst, *currBldrCtx); |
| 1007 | |
| 1008 | SVal Result = symVal; |
| 1009 | |
| 1010 | if (CNE->isArray()) { |
| 1011 | |
| 1012 | if (const auto *NewReg = cast_or_null<SubRegion>(Val: symVal.getAsRegion())) { |
| 1013 | // If each element is initialized by their default constructor, the field |
| 1014 | // values are properly placed inside the required region, however if an |
| 1015 | // initializer list is used, this doesn't happen automatically. |
| 1016 | auto *Init = CNE->getInitializer(); |
| 1017 | bool isInitList = |
| 1018 | isa_and_nonnull<InitListExpr, CXXParenListInitExpr>(Val: Init); |
| 1019 | |
| 1020 | QualType ObjTy = |
| 1021 | isInitList ? Init->getType() : CNE->getType()->getPointeeType(); |
| 1022 | const ElementRegion *EleReg = |
| 1023 | MRMgr.getElementRegion(elementType: ObjTy, Idx: svalBuilder.makeArrayIndex(idx: 0), superRegion: NewReg, |
| 1024 | Ctx: svalBuilder.getContext()); |
| 1025 | Result = loc::MemRegionVal(EleReg); |
| 1026 | |
| 1027 | // If the array is list initialized, we bind the initializer list to the |
| 1028 | // memory region here, otherwise we would lose it. |
| 1029 | if (isInitList) { |
| 1030 | Bldr.takeNodes(N: Pred); |
| 1031 | Pred = Bldr.generateNode(S: CNE, Pred, St: State); |
| 1032 | |
| 1033 | SVal V = State->getSVal(E: Init, SF); |
| 1034 | ExplodedNodeSet evaluated; |
| 1035 | evalBind(Dst&: evaluated, StoreE: CNE, Pred, location: Result, Val: V, AtDeclInit: true); |
| 1036 | |
| 1037 | Bldr.takeNodes(N: Pred); |
| 1038 | Bldr.addNodes(S: evaluated); |
| 1039 | |
| 1040 | Pred = *evaluated.begin(); |
| 1041 | State = Pred->getState(); |
| 1042 | } |
| 1043 | } |
| 1044 | |
| 1045 | State = State->BindExpr(E: CNE, SF: Pred->getStackFrame(), V: Result); |
| 1046 | Bldr.generateNode(S: CNE, Pred, St: State); |
| 1047 | return; |
| 1048 | } |
| 1049 | |
| 1050 | // FIXME: Once we have proper support for CXXConstructExprs inside |
| 1051 | // CXXNewExpr, we need to make sure that the constructed object is not |
| 1052 | // immediately invalidated here. (The placement call should happen before |
| 1053 | // the constructor call anyway.) |
| 1054 | if (FD->isReservedGlobalPlacementOperator()) { |
| 1055 | // Non-array placement new should always return the placement location. |
| 1056 | SVal PlacementLoc = State->getSVal(E: CNE->getPlacementArg(I: 0), SF); |
| 1057 | Result = svalBuilder.evalCast(V: PlacementLoc, CastTy: CNE->getType(), |
| 1058 | OriginalTy: CNE->getPlacementArg(I: 0)->getType()); |
| 1059 | } |
| 1060 | |
| 1061 | // Bind the address of the object, then check to see if we cached out. |
| 1062 | State = State->BindExpr(E: CNE, SF, V: Result); |
| 1063 | ExplodedNode *NewN = Bldr.generateNode(S: CNE, Pred, St: State); |
| 1064 | if (!NewN) |
| 1065 | return; |
| 1066 | |
| 1067 | // If the type is not a record, we won't have a CXXConstructExpr as an |
| 1068 | // initializer. Copy the value over. |
| 1069 | if (const Expr *Init = CNE->getInitializer()) { |
| 1070 | if (!isa<CXXConstructExpr>(Val: Init)) { |
| 1071 | assert(Bldr.getResults().size() == 1); |
| 1072 | Bldr.takeNodes(N: NewN); |
| 1073 | evalBind(Dst, StoreE: CNE, Pred: NewN, location: Result, Val: State->getSVal(E: Init, SF), |
| 1074 | /*FirstInit=*/AtDeclInit: IsStandardGlobalOpNewFunction); |
| 1075 | } |
| 1076 | } |
| 1077 | } |
| 1078 | |
| 1079 | void ExprEngine::VisitCXXDeleteExpr(const CXXDeleteExpr *CDE, |
| 1080 | ExplodedNode *Pred, ExplodedNodeSet &Dst) { |
| 1081 | |
| 1082 | CallEventManager &CEMgr = getStateManager().getCallEventManager(); |
| 1083 | CallEventRef<CXXDeallocatorCall> Call = CEMgr.getCXXDeallocatorCall( |
| 1084 | E: CDE, State: Pred->getState(), SF: Pred->getStackFrame(), ElemRef: getCFGElementRef()); |
| 1085 | |
| 1086 | ExplodedNodeSet DstPreCall; |
| 1087 | getCheckerManager().runCheckersForPreCall(Dst&: DstPreCall, Src: Pred, Call: *Call, Eng&: *this); |
| 1088 | ExplodedNodeSet DstPostCall; |
| 1089 | |
| 1090 | if (AMgr.getAnalyzerOptions().MayInlineCXXAllocator) { |
| 1091 | for (ExplodedNode *I : DstPreCall) { |
| 1092 | // Intentionally either inline or conservative eval-call the operator |
| 1093 | // delete, but avoid triggering an eval-call event for checkers. |
| 1094 | // As detailed at handling CXXNewExprs, in short, because it does not |
| 1095 | // really make sense to eval-call user-provided functions. |
| 1096 | defaultEvalCall(Dst&: DstPostCall, Pred: I, Call: *Call); |
| 1097 | } |
| 1098 | } else { |
| 1099 | DstPostCall = std::move(DstPreCall); |
| 1100 | } |
| 1101 | getCheckerManager().runCheckersForPostCall(Dst, Src: DstPostCall, Call: *Call, Eng&: *this); |
| 1102 | } |
| 1103 | |
| 1104 | void ExprEngine::VisitCXXCatchStmt(const CXXCatchStmt *CS, ExplodedNode *Pred, |
| 1105 | ExplodedNodeSet &Dst) { |
| 1106 | const VarDecl *VD = CS->getExceptionDecl(); |
| 1107 | if (!VD) { |
| 1108 | Dst.insert(N: Pred); |
| 1109 | return; |
| 1110 | } |
| 1111 | |
| 1112 | const StackFrame *SF = Pred->getStackFrame(); |
| 1113 | SVal V = svalBuilder.conjureSymbolVal(elem: getCFGElementRef(), SF, type: VD->getType(), |
| 1114 | visitCount: getNumVisitedCurrent()); |
| 1115 | ProgramStateRef state = Pred->getState(); |
| 1116 | state = state->bindLoc(location: state->getLValue(VD, SF), V, SF); |
| 1117 | |
| 1118 | NodeBuilder Bldr(Pred, Dst, *currBldrCtx); |
| 1119 | Bldr.generateNode(S: CS, Pred, St: state); |
| 1120 | } |
| 1121 | |
| 1122 | void ExprEngine::VisitCXXThisExpr(const CXXThisExpr *TE, ExplodedNode *Pred, |
| 1123 | ExplodedNodeSet &Dst) { |
| 1124 | NodeBuilder Bldr(Pred, Dst, *currBldrCtx); |
| 1125 | |
| 1126 | // Get the this object region from StoreManager. |
| 1127 | const StackFrame *SF = Pred->getStackFrame(); |
| 1128 | const MemRegion *R = svalBuilder.getRegionManager().getCXXThisRegion( |
| 1129 | thisPointerTy: getContext().getCanonicalType(T: TE->getType()), SF); |
| 1130 | |
| 1131 | ProgramStateRef state = Pred->getState(); |
| 1132 | SVal V = state->getSVal(LV: loc::MemRegionVal(R)); |
| 1133 | Bldr.generateNode(S: TE, Pred, St: state->BindExpr(E: TE, SF, V)); |
| 1134 | } |
| 1135 | |
| 1136 | void ExprEngine::VisitLambdaExpr(const LambdaExpr *LE, ExplodedNode *Pred, |
| 1137 | ExplodedNodeSet &Dst) { |
| 1138 | const StackFrame *SF = Pred->getStackFrame(); |
| 1139 | |
| 1140 | // Get the region of the lambda itself. |
| 1141 | const MemRegion *R = |
| 1142 | svalBuilder.getRegionManager().getCXXTempObjectRegion(Ex: LE, SF); |
| 1143 | SVal V = loc::MemRegionVal(R); |
| 1144 | |
| 1145 | ProgramStateRef State = Pred->getState(); |
| 1146 | |
| 1147 | // If we created a new MemRegion for the lambda, we should explicitly bind |
| 1148 | // the captures. |
| 1149 | for (auto const [Idx, FieldForCapture, InitExpr] : |
| 1150 | llvm::zip(t: llvm::seq<unsigned>(Begin: 0, End: -1), u: LE->getLambdaClass()->fields(), |
| 1151 | args: LE->capture_inits())) { |
| 1152 | SVal FieldLoc = State->getLValue(decl: FieldForCapture, Base: V); |
| 1153 | |
| 1154 | SVal InitVal; |
| 1155 | if (!FieldForCapture->hasCapturedVLAType()) { |
| 1156 | assert(InitExpr && "Capture missing initialization expression"); |
| 1157 | |
| 1158 | // Capturing a 0 length array is a no-op, so we ignore it to get a more |
| 1159 | // accurate analysis. If it's not ignored, it would set the default |
| 1160 | // binding of the lambda to 'Unknown', which can lead to falsely detecting |
| 1161 | // 'Uninitialized' values as 'Unknown' and not reporting a warning. |
| 1162 | const auto FTy = FieldForCapture->getType(); |
| 1163 | if (FTy->isConstantArrayType() && |
| 1164 | getContext().getConstantArrayElementCount( |
| 1165 | CA: getContext().getAsConstantArrayType(T: FTy)) == 0) |
| 1166 | continue; |
| 1167 | |
| 1168 | // With C++17 copy elision the InitExpr can be anything, so instead of |
| 1169 | // pattern matching all cases, we simple check if the current field is |
| 1170 | // under construction or not, regardless what it's InitExpr is. |
| 1171 | if (const auto OUC = getObjectUnderConstruction(State, Item: {LE, Idx}, SF)) { |
| 1172 | InitVal = State->getSVal(R: OUC->getAsRegion()); |
| 1173 | |
| 1174 | State = finishObjectConstruction(State, Item: {LE, Idx}, SF); |
| 1175 | } else |
| 1176 | InitVal = State->getSVal(E: InitExpr, SF); |
| 1177 | |
| 1178 | } else { |
| 1179 | |
| 1180 | assert(!getObjectUnderConstruction(State, {LE, Idx}, SF) && |
| 1181 | "VLA capture by value is a compile time error!"); |
| 1182 | |
| 1183 | // The field stores the length of a captured variable-length array. |
| 1184 | // These captures don't have initialization expressions; instead we |
| 1185 | // get the length from the VLAType size expression. |
| 1186 | Expr *SizeExpr = FieldForCapture->getCapturedVLAType()->getSizeExpr(); |
| 1187 | InitVal = State->getSVal(E: SizeExpr, SF); |
| 1188 | } |
| 1189 | |
| 1190 | State = State->bindLoc(LV: FieldLoc, V: InitVal, SF); |
| 1191 | } |
| 1192 | |
| 1193 | // Decay the Loc into an RValue, because there might be a |
| 1194 | // MaterializeTemporaryExpr node above this one which expects the bound value |
| 1195 | // to be an RValue. |
| 1196 | SVal LambdaRVal = State->getSVal(R); |
| 1197 | |
| 1198 | ExplodedNodeSet Tmp; |
| 1199 | NodeBuilder Bldr(Pred, Tmp, *currBldrCtx); |
| 1200 | // FIXME: is this the right program point kind? |
| 1201 | Bldr.generateNode(S: LE, Pred, St: State->BindExpr(E: LE, SF, V: LambdaRVal), tag: nullptr, |
| 1202 | K: ProgramPoint::PostLValueKind); |
| 1203 | |
| 1204 | // FIXME: Move all post/pre visits to ::Visit(). |
| 1205 | getCheckerManager().runCheckersForPostStmt(Dst, Src: Tmp, S: LE, Eng&: *this); |
| 1206 | } |
| 1207 | |
| 1208 | void ExprEngine::VisitAttributedStmt(const AttributedStmt *A, |
| 1209 | ExplodedNode *Pred, ExplodedNodeSet &Dst) { |
| 1210 | const StackFrame *SF = Pred->getStackFrame(); |
| 1211 | ExplodedNodeSet CheckerPreStmt; |
| 1212 | getCheckerManager().runCheckersForPreStmt(Dst&: CheckerPreStmt, Src: Pred, S: A, Eng&: *this); |
| 1213 | |
| 1214 | ExplodedNodeSet EvalSet; |
| 1215 | |
| 1216 | for (ExplodedNode *N : CheckerPreStmt) { |
| 1217 | ProgramStateRef State = N->getState(); |
| 1218 | for (const auto *Attr : getSpecificAttrs<CXXAssumeAttr>(container: A->getAttrs())) { |
| 1219 | SVal AssumedVal = State->getSVal(E: Attr->getAssumption(), SF); |
| 1220 | // This code ignores assumptions that evaluate to UndefinedVal. |
| 1221 | // Perhaps there should be a checker that reports this situation. |
| 1222 | if (auto ValidAssumedVal = AssumedVal.getAs<DefinedOrUnknownSVal>()) { |
| 1223 | State = State->assume(Cond: *ValidAssumedVal, Assumption: true); |
| 1224 | } |
| 1225 | |
| 1226 | if (!State) |
| 1227 | break; |
| 1228 | } |
| 1229 | |
| 1230 | if (State) |
| 1231 | EvalSet.insert(N: Engine.makePostStmtNode(S: A, State, Pred: N)); |
| 1232 | } |
| 1233 | |
| 1234 | getCheckerManager().runCheckersForPostStmt(Dst, Src: EvalSet, S: A, Eng&: *this); |
| 1235 | } |
| 1236 |
Generated on 2026-Jun-29 from project llvm_projects revision 33feb48f5
Powered by 
Code Browser 2.1
Generator usage only permitted with license.