1 //===- CallEvent.h - Wrapper for all function and method calls ----*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 /// \file This file defines CallEvent and its subclasses, which represent path- 11 /// sensitive instances of different kinds of function and method calls 12 /// (C, C++, and Objective-C). 13 // 14 //===----------------------------------------------------------------------===// 15 16 #ifndef LLVM_CLANG_STATICANALYZER_PATHSENSITIVE_CALL 17 #define LLVM_CLANG_STATICANALYZER_PATHSENSITIVE_CALL 18 19 #include "clang/AST/DeclCXX.h" 20 #include "clang/AST/ExprCXX.h" 21 #include "clang/AST/ExprObjC.h" 22 #include "clang/Analysis/AnalysisContext.h" 23 #include "clang/Basic/SourceManager.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 26 #include "llvm/ADT/PointerIntPair.h" 27 28 namespace clang { 29 class ProgramPoint; 30 class ProgramPointTag; 31 32 namespace ento { 33 34 enum CallEventKind { 35 CE_Function, 36 CE_CXXMember, 37 CE_CXXMemberOperator, 38 CE_CXXDestructor, 39 CE_BEG_CXX_INSTANCE_CALLS = CE_CXXMember, 40 CE_END_CXX_INSTANCE_CALLS = CE_CXXDestructor, 41 CE_CXXConstructor, 42 CE_CXXAllocator, 43 CE_BEG_FUNCTION_CALLS = CE_Function, 44 CE_END_FUNCTION_CALLS = CE_CXXAllocator, 45 CE_Block, 46 CE_ObjCMessage 47 }; 48 49 class CallEvent; 50 class CallEventManager; 51 52 template<typename T = CallEvent> 53 class CallEventRef : public IntrusiveRefCntPtr<const T> { 54 public: 55 CallEventRef(const T *Call) : IntrusiveRefCntPtr<const T>(Call) {} 56 CallEventRef(const CallEventRef &Orig) : IntrusiveRefCntPtr<const T>(Orig) {} 57 58 CallEventRef<T> cloneWithState(ProgramStateRef State) const { 59 return this->get()->template cloneWithState<T>(State); 60 } 61 62 // Allow implicit conversions to a superclass type, since CallEventRef 63 // behaves like a pointer-to-const. 64 template <typename SuperT> 65 operator CallEventRef<SuperT> () const { 66 return this->get(); 67 } 68 }; 69 70 /// \class RuntimeDefinition 71 /// \brief Defines the runtime definition of the called function. 72 /// 73 /// Encapsulates the information we have about which Decl will be used 74 /// when the call is executed on the given path. When dealing with dynamic 75 /// dispatch, the information is based on DynamicTypeInfo and might not be 76 /// precise. 77 class RuntimeDefinition { 78 /// The Declaration of the function which could be called at runtime. 79 /// NULL if not available. 80 const Decl *D; 81 82 /// The region representing an object (ObjC/C++) on which the method is 83 /// called. With dynamic dispatch, the method definition depends on the 84 /// runtime type of this object. NULL when the DynamicTypeInfo is 85 /// precise. 86 const MemRegion *R; 87 88 public: 89 RuntimeDefinition(): D(nullptr), R(nullptr) {} 90 RuntimeDefinition(const Decl *InD): D(InD), R(nullptr) {} 91 RuntimeDefinition(const Decl *InD, const MemRegion *InR): D(InD), R(InR) {} 92 const Decl *getDecl() { return D; } 93 94 /// \brief Check if the definition we have is precise. 95 /// If not, it is possible that the call dispatches to another definition at 96 /// execution time. 97 bool mayHaveOtherDefinitions() { return R != nullptr; } 98 99 /// When other definitions are possible, returns the region whose runtime type 100 /// determines the method definition. 101 const MemRegion *getDispatchRegion() { return R; } 102 }; 103 104 /// \brief Represents an abstract call to a function or method along a 105 /// particular path. 106 /// 107 /// CallEvents are created through the factory methods of CallEventManager. 108 /// 109 /// CallEvents should always be cheap to create and destroy. In order for 110 /// CallEventManager to be able to re-use CallEvent-sized memory blocks, 111 /// subclasses of CallEvent may not add any data members to the base class. 112 /// Use the "Data" and "Location" fields instead. 113 class CallEvent { 114 public: 115 typedef CallEventKind Kind; 116 117 private: 118 ProgramStateRef State; 119 const LocationContext *LCtx; 120 llvm::PointerUnion<const Expr *, const Decl *> Origin; 121 122 void operator=(const CallEvent &) LLVM_DELETED_FUNCTION; 123 124 protected: 125 // This is user data for subclasses. 126 const void *Data; 127 128 // This is user data for subclasses. 129 // This should come right before RefCount, so that the two fields can be 130 // packed together on LP64 platforms. 131 SourceLocation Location; 132 133 private: 134 mutable unsigned RefCount; 135 136 template <typename T> friend struct llvm::IntrusiveRefCntPtrInfo; 137 void Retain() const { ++RefCount; } 138 void Release() const; 139 140 protected: 141 friend class CallEventManager; 142 143 CallEvent(const Expr *E, ProgramStateRef state, const LocationContext *lctx) 144 : State(state), LCtx(lctx), Origin(E), RefCount(0) {} 145 146 CallEvent(const Decl *D, ProgramStateRef state, const LocationContext *lctx) 147 : State(state), LCtx(lctx), Origin(D), RefCount(0) {} 148 149 // DO NOT MAKE PUBLIC 150 CallEvent(const CallEvent &Original) 151 : State(Original.State), LCtx(Original.LCtx), Origin(Original.Origin), 152 Data(Original.Data), Location(Original.Location), RefCount(0) {} 153 154 /// Copies this CallEvent, with vtable intact, into a new block of memory. 155 virtual void cloneTo(void *Dest) const = 0; 156 157 /// \brief Get the value of arbitrary expressions at this point in the path. 158 SVal getSVal(const Stmt *S) const { 159 return getState()->getSVal(S, getLocationContext()); 160 } 161 162 163 typedef SmallVectorImpl<SVal> ValueList; 164 165 /// \brief Used to specify non-argument regions that will be invalidated as a 166 /// result of this call. 167 virtual void getExtraInvalidatedValues(ValueList &Values) const {} 168 169 public: 170 virtual ~CallEvent() {} 171 172 /// \brief Returns the kind of call this is. 173 virtual Kind getKind() const = 0; 174 175 /// \brief Returns the declaration of the function or method that will be 176 /// called. May be null. 177 virtual const Decl *getDecl() const { 178 return Origin.dyn_cast<const Decl *>(); 179 } 180 181 /// \brief The state in which the call is being evaluated. 182 const ProgramStateRef &getState() const { 183 return State; 184 } 185 186 /// \brief The context in which the call is being evaluated. 187 const LocationContext *getLocationContext() const { 188 return LCtx; 189 } 190 191 /// \brief Returns the definition of the function or method that will be 192 /// called. 193 virtual RuntimeDefinition getRuntimeDefinition() const = 0; 194 195 /// \brief Returns the expression whose value will be the result of this call. 196 /// May be null. 197 const Expr *getOriginExpr() const { 198 return Origin.dyn_cast<const Expr *>(); 199 } 200 201 /// \brief Returns the number of arguments (explicit and implicit). 202 /// 203 /// Note that this may be greater than the number of parameters in the 204 /// callee's declaration, and that it may include arguments not written in 205 /// the source. 206 virtual unsigned getNumArgs() const = 0; 207 208 /// \brief Returns true if the callee is known to be from a system header. 209 bool isInSystemHeader() const { 210 const Decl *D = getDecl(); 211 if (!D) 212 return false; 213 214 SourceLocation Loc = D->getLocation(); 215 if (Loc.isValid()) { 216 const SourceManager &SM = 217 getState()->getStateManager().getContext().getSourceManager(); 218 return SM.isInSystemHeader(D->getLocation()); 219 } 220 221 // Special case for implicitly-declared global operator new/delete. 222 // These should be considered system functions. 223 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) 224 return FD->isOverloadedOperator() && FD->isImplicit() && FD->isGlobal(); 225 226 return false; 227 } 228 229 /// \brief Returns a source range for the entire call, suitable for 230 /// outputting in diagnostics. 231 virtual SourceRange getSourceRange() const { 232 return getOriginExpr()->getSourceRange(); 233 } 234 235 /// \brief Returns the value of a given argument at the time of the call. 236 virtual SVal getArgSVal(unsigned Index) const; 237 238 /// \brief Returns the expression associated with a given argument. 239 /// May be null if this expression does not appear in the source. 240 virtual const Expr *getArgExpr(unsigned Index) const { return nullptr; } 241 242 /// \brief Returns the source range for errors associated with this argument. 243 /// 244 /// May be invalid if the argument is not written in the source. 245 virtual SourceRange getArgSourceRange(unsigned Index) const; 246 247 /// \brief Returns the result type, adjusted for references. 248 QualType getResultType() const; 249 250 /// \brief Returns the return value of the call. 251 /// 252 /// This should only be called if the CallEvent was created using a state in 253 /// which the return value has already been bound to the origin expression. 254 SVal getReturnValue() const; 255 256 /// \brief Returns true if any of the arguments appear to represent callbacks. 257 bool hasNonZeroCallbackArg() const; 258 259 /// \brief Returns true if any of the arguments are known to escape to long- 260 /// term storage, even if this method will not modify them. 261 // NOTE: The exact semantics of this are still being defined! 262 // We don't really want a list of hardcoded exceptions in the long run, 263 // but we don't want duplicated lists of known APIs in the short term either. 264 virtual bool argumentsMayEscape() const { 265 return hasNonZeroCallbackArg(); 266 } 267 268 /// \brief Returns true if the callee is an externally-visible function in the 269 /// top-level namespace, such as \c malloc. 270 /// 271 /// You can use this call to determine that a particular function really is 272 /// a library function and not, say, a C++ member function with the same name. 273 /// 274 /// If a name is provided, the function must additionally match the given 275 /// name. 276 /// 277 /// Note that this deliberately excludes C++ library functions in the \c std 278 /// namespace, but will include C library functions accessed through the 279 /// \c std namespace. This also does not check if the function is declared 280 /// as 'extern "C"', or if it uses C++ name mangling. 281 // FIXME: Add a helper for checking namespaces. 282 // FIXME: Move this down to AnyFunctionCall once checkers have more 283 // precise callbacks. 284 bool isGlobalCFunction(StringRef SpecificName = StringRef()) const; 285 286 /// \brief Returns the name of the callee, if its name is a simple identifier. 287 /// 288 /// Note that this will fail for Objective-C methods, blocks, and C++ 289 /// overloaded operators. The former is named by a Selector rather than a 290 /// simple identifier, and the latter two do not have names. 291 // FIXME: Move this down to AnyFunctionCall once checkers have more 292 // precise callbacks. 293 const IdentifierInfo *getCalleeIdentifier() const { 294 const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(getDecl()); 295 if (!ND) 296 return nullptr; 297 return ND->getIdentifier(); 298 } 299 300 /// \brief Returns an appropriate ProgramPoint for this call. 301 ProgramPoint getProgramPoint(bool IsPreVisit = false, 302 const ProgramPointTag *Tag = nullptr) const; 303 304 /// \brief Returns a new state with all argument regions invalidated. 305 /// 306 /// This accepts an alternate state in case some processing has already 307 /// occurred. 308 ProgramStateRef invalidateRegions(unsigned BlockCount, 309 ProgramStateRef Orig = nullptr) const; 310 311 typedef std::pair<Loc, SVal> FrameBindingTy; 312 typedef SmallVectorImpl<FrameBindingTy> BindingsTy; 313 314 /// Populates the given SmallVector with the bindings in the callee's stack 315 /// frame at the start of this call. 316 virtual void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 317 BindingsTy &Bindings) const = 0; 318 319 /// Returns a copy of this CallEvent, but using the given state. 320 template <typename T> 321 CallEventRef<T> cloneWithState(ProgramStateRef NewState) const; 322 323 /// Returns a copy of this CallEvent, but using the given state. 324 CallEventRef<> cloneWithState(ProgramStateRef NewState) const { 325 return cloneWithState<CallEvent>(NewState); 326 } 327 328 /// \brief Returns true if this is a statement is a function or method call 329 /// of some kind. 330 static bool isCallStmt(const Stmt *S); 331 332 /// \brief Returns the result type of a function or method declaration. 333 /// 334 /// This will return a null QualType if the result type cannot be determined. 335 static QualType getDeclaredResultType(const Decl *D); 336 337 /// \brief Returns true if the given decl is known to be variadic. 338 /// 339 /// \p D must not be null. 340 static bool isVariadic(const Decl *D); 341 342 // Iterator access to formal parameters and their types. 343 private: 344 typedef std::const_mem_fun_t<QualType, ParmVarDecl> get_type_fun; 345 346 public: 347 /// Return call's formal parameters. 348 /// 349 /// Remember that the number of formal parameters may not match the number 350 /// of arguments for all calls. However, the first parameter will always 351 /// correspond with the argument value returned by \c getArgSVal(0). 352 virtual ArrayRef<ParmVarDecl*> parameters() const = 0; 353 354 typedef llvm::mapped_iterator<ArrayRef<ParmVarDecl*>::iterator, get_type_fun> 355 param_type_iterator; 356 357 /// Returns an iterator over the types of the call's formal parameters. 358 /// 359 /// This uses the callee decl found by default name lookup rather than the 360 /// definition because it represents a public interface, and probably has 361 /// more annotations. 362 param_type_iterator param_type_begin() const { 363 return llvm::map_iterator(parameters().begin(), 364 get_type_fun(&ParmVarDecl::getType)); 365 } 366 /// \sa param_type_begin() 367 param_type_iterator param_type_end() const { 368 return llvm::map_iterator(parameters().end(), 369 get_type_fun(&ParmVarDecl::getType)); 370 } 371 372 // For debugging purposes only 373 void dump(raw_ostream &Out) const; 374 void dump() const; 375 }; 376 377 378 /// \brief Represents a call to any sort of function that might have a 379 /// FunctionDecl. 380 class AnyFunctionCall : public CallEvent { 381 protected: 382 AnyFunctionCall(const Expr *E, ProgramStateRef St, 383 const LocationContext *LCtx) 384 : CallEvent(E, St, LCtx) {} 385 AnyFunctionCall(const Decl *D, ProgramStateRef St, 386 const LocationContext *LCtx) 387 : CallEvent(D, St, LCtx) {} 388 AnyFunctionCall(const AnyFunctionCall &Other) : CallEvent(Other) {} 389 390 public: 391 // This function is overridden by subclasses, but they must return 392 // a FunctionDecl. 393 const FunctionDecl *getDecl() const override { 394 return cast<FunctionDecl>(CallEvent::getDecl()); 395 } 396 397 RuntimeDefinition getRuntimeDefinition() const override { 398 const FunctionDecl *FD = getDecl(); 399 // Note that the AnalysisDeclContext will have the FunctionDecl with 400 // the definition (if one exists). 401 if (FD) { 402 AnalysisDeclContext *AD = 403 getLocationContext()->getAnalysisDeclContext()-> 404 getManager()->getContext(FD); 405 if (AD->getBody()) 406 return RuntimeDefinition(AD->getDecl()); 407 } 408 409 return RuntimeDefinition(); 410 } 411 412 bool argumentsMayEscape() const override; 413 414 void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 415 BindingsTy &Bindings) const override; 416 417 ArrayRef<ParmVarDecl *> parameters() const override; 418 419 static bool classof(const CallEvent *CA) { 420 return CA->getKind() >= CE_BEG_FUNCTION_CALLS && 421 CA->getKind() <= CE_END_FUNCTION_CALLS; 422 } 423 }; 424 425 /// \brief Represents a C function or static C++ member function call. 426 /// 427 /// Example: \c fun() 428 class SimpleFunctionCall : public AnyFunctionCall { 429 friend class CallEventManager; 430 431 protected: 432 SimpleFunctionCall(const CallExpr *CE, ProgramStateRef St, 433 const LocationContext *LCtx) 434 : AnyFunctionCall(CE, St, LCtx) {} 435 SimpleFunctionCall(const SimpleFunctionCall &Other) 436 : AnyFunctionCall(Other) {} 437 void cloneTo(void *Dest) const override { 438 new (Dest) SimpleFunctionCall(*this); 439 } 440 441 public: 442 virtual const CallExpr *getOriginExpr() const { 443 return cast<CallExpr>(AnyFunctionCall::getOriginExpr()); 444 } 445 446 const FunctionDecl *getDecl() const override; 447 448 unsigned getNumArgs() const override { return getOriginExpr()->getNumArgs(); } 449 450 const Expr *getArgExpr(unsigned Index) const override { 451 return getOriginExpr()->getArg(Index); 452 } 453 454 Kind getKind() const override { return CE_Function; } 455 456 static bool classof(const CallEvent *CA) { 457 return CA->getKind() == CE_Function; 458 } 459 }; 460 461 /// \brief Represents a call to a block. 462 /// 463 /// Example: <tt>^{ /* ... */ }()</tt> 464 class BlockCall : public CallEvent { 465 friend class CallEventManager; 466 467 protected: 468 BlockCall(const CallExpr *CE, ProgramStateRef St, 469 const LocationContext *LCtx) 470 : CallEvent(CE, St, LCtx) {} 471 472 BlockCall(const BlockCall &Other) : CallEvent(Other) {} 473 void cloneTo(void *Dest) const override { new (Dest) BlockCall(*this); } 474 475 void getExtraInvalidatedValues(ValueList &Values) const override; 476 477 public: 478 virtual const CallExpr *getOriginExpr() const { 479 return cast<CallExpr>(CallEvent::getOriginExpr()); 480 } 481 482 unsigned getNumArgs() const override { return getOriginExpr()->getNumArgs(); } 483 484 const Expr *getArgExpr(unsigned Index) const override { 485 return getOriginExpr()->getArg(Index); 486 } 487 488 /// \brief Returns the region associated with this instance of the block. 489 /// 490 /// This may be NULL if the block's origin is unknown. 491 const BlockDataRegion *getBlockRegion() const; 492 493 const BlockDecl *getDecl() const override { 494 const BlockDataRegion *BR = getBlockRegion(); 495 if (!BR) 496 return nullptr; 497 return BR->getDecl(); 498 } 499 500 RuntimeDefinition getRuntimeDefinition() const override { 501 return RuntimeDefinition(getDecl()); 502 } 503 504 bool argumentsMayEscape() const override { 505 return true; 506 } 507 508 void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 509 BindingsTy &Bindings) const override; 510 511 ArrayRef<ParmVarDecl*> parameters() const override; 512 513 Kind getKind() const override { return CE_Block; } 514 515 static bool classof(const CallEvent *CA) { 516 return CA->getKind() == CE_Block; 517 } 518 }; 519 520 /// \brief Represents a non-static C++ member function call, no matter how 521 /// it is written. 522 class CXXInstanceCall : public AnyFunctionCall { 523 protected: 524 void getExtraInvalidatedValues(ValueList &Values) const override; 525 526 CXXInstanceCall(const CallExpr *CE, ProgramStateRef St, 527 const LocationContext *LCtx) 528 : AnyFunctionCall(CE, St, LCtx) {} 529 CXXInstanceCall(const FunctionDecl *D, ProgramStateRef St, 530 const LocationContext *LCtx) 531 : AnyFunctionCall(D, St, LCtx) {} 532 533 534 CXXInstanceCall(const CXXInstanceCall &Other) : AnyFunctionCall(Other) {} 535 536 public: 537 /// \brief Returns the expression representing the implicit 'this' object. 538 virtual const Expr *getCXXThisExpr() const { return nullptr; } 539 540 /// \brief Returns the value of the implicit 'this' object. 541 virtual SVal getCXXThisVal() const; 542 543 const FunctionDecl *getDecl() const override; 544 545 RuntimeDefinition getRuntimeDefinition() const override; 546 547 void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 548 BindingsTy &Bindings) const override; 549 550 static bool classof(const CallEvent *CA) { 551 return CA->getKind() >= CE_BEG_CXX_INSTANCE_CALLS && 552 CA->getKind() <= CE_END_CXX_INSTANCE_CALLS; 553 } 554 }; 555 556 /// \brief Represents a non-static C++ member function call. 557 /// 558 /// Example: \c obj.fun() 559 class CXXMemberCall : public CXXInstanceCall { 560 friend class CallEventManager; 561 562 protected: 563 CXXMemberCall(const CXXMemberCallExpr *CE, ProgramStateRef St, 564 const LocationContext *LCtx) 565 : CXXInstanceCall(CE, St, LCtx) {} 566 567 CXXMemberCall(const CXXMemberCall &Other) : CXXInstanceCall(Other) {} 568 void cloneTo(void *Dest) const override { new (Dest) CXXMemberCall(*this); } 569 570 public: 571 virtual const CXXMemberCallExpr *getOriginExpr() const { 572 return cast<CXXMemberCallExpr>(CXXInstanceCall::getOriginExpr()); 573 } 574 575 unsigned getNumArgs() const override { 576 if (const CallExpr *CE = getOriginExpr()) 577 return CE->getNumArgs(); 578 return 0; 579 } 580 581 const Expr *getArgExpr(unsigned Index) const override { 582 return getOriginExpr()->getArg(Index); 583 } 584 585 const Expr *getCXXThisExpr() const override; 586 587 RuntimeDefinition getRuntimeDefinition() const override; 588 589 Kind getKind() const override { return CE_CXXMember; } 590 591 static bool classof(const CallEvent *CA) { 592 return CA->getKind() == CE_CXXMember; 593 } 594 }; 595 596 /// \brief Represents a C++ overloaded operator call where the operator is 597 /// implemented as a non-static member function. 598 /// 599 /// Example: <tt>iter + 1</tt> 600 class CXXMemberOperatorCall : public CXXInstanceCall { 601 friend class CallEventManager; 602 603 protected: 604 CXXMemberOperatorCall(const CXXOperatorCallExpr *CE, ProgramStateRef St, 605 const LocationContext *LCtx) 606 : CXXInstanceCall(CE, St, LCtx) {} 607 608 CXXMemberOperatorCall(const CXXMemberOperatorCall &Other) 609 : CXXInstanceCall(Other) {} 610 void cloneTo(void *Dest) const override { 611 new (Dest) CXXMemberOperatorCall(*this); 612 } 613 614 public: 615 virtual const CXXOperatorCallExpr *getOriginExpr() const { 616 return cast<CXXOperatorCallExpr>(CXXInstanceCall::getOriginExpr()); 617 } 618 619 unsigned getNumArgs() const override { 620 return getOriginExpr()->getNumArgs() - 1; 621 } 622 const Expr *getArgExpr(unsigned Index) const override { 623 return getOriginExpr()->getArg(Index + 1); 624 } 625 626 const Expr *getCXXThisExpr() const override; 627 628 Kind getKind() const override { return CE_CXXMemberOperator; } 629 630 static bool classof(const CallEvent *CA) { 631 return CA->getKind() == CE_CXXMemberOperator; 632 } 633 }; 634 635 /// \brief Represents an implicit call to a C++ destructor. 636 /// 637 /// This can occur at the end of a scope (for automatic objects), at the end 638 /// of a full-expression (for temporaries), or as part of a delete. 639 class CXXDestructorCall : public CXXInstanceCall { 640 friend class CallEventManager; 641 642 protected: 643 typedef llvm::PointerIntPair<const MemRegion *, 1, bool> DtorDataTy; 644 645 /// Creates an implicit destructor. 646 /// 647 /// \param DD The destructor that will be called. 648 /// \param Trigger The statement whose completion causes this destructor call. 649 /// \param Target The object region to be destructed. 650 /// \param St The path-sensitive state at this point in the program. 651 /// \param LCtx The location context at this point in the program. 652 CXXDestructorCall(const CXXDestructorDecl *DD, const Stmt *Trigger, 653 const MemRegion *Target, bool IsBaseDestructor, 654 ProgramStateRef St, const LocationContext *LCtx) 655 : CXXInstanceCall(DD, St, LCtx) { 656 Data = DtorDataTy(Target, IsBaseDestructor).getOpaqueValue(); 657 Location = Trigger->getLocEnd(); 658 } 659 660 CXXDestructorCall(const CXXDestructorCall &Other) : CXXInstanceCall(Other) {} 661 void cloneTo(void *Dest) const override {new (Dest) CXXDestructorCall(*this);} 662 663 public: 664 SourceRange getSourceRange() const override { return Location; } 665 unsigned getNumArgs() const override { return 0; } 666 667 RuntimeDefinition getRuntimeDefinition() const override; 668 669 /// \brief Returns the value of the implicit 'this' object. 670 SVal getCXXThisVal() const override; 671 672 /// Returns true if this is a call to a base class destructor. 673 bool isBaseDestructor() const { 674 return DtorDataTy::getFromOpaqueValue(Data).getInt(); 675 } 676 677 Kind getKind() const override { return CE_CXXDestructor; } 678 679 static bool classof(const CallEvent *CA) { 680 return CA->getKind() == CE_CXXDestructor; 681 } 682 }; 683 684 /// \brief Represents a call to a C++ constructor. 685 /// 686 /// Example: \c T(1) 687 class CXXConstructorCall : public AnyFunctionCall { 688 friend class CallEventManager; 689 690 protected: 691 /// Creates a constructor call. 692 /// 693 /// \param CE The constructor expression as written in the source. 694 /// \param Target The region where the object should be constructed. If NULL, 695 /// a new symbolic region will be used. 696 /// \param St The path-sensitive state at this point in the program. 697 /// \param LCtx The location context at this point in the program. 698 CXXConstructorCall(const CXXConstructExpr *CE, const MemRegion *Target, 699 ProgramStateRef St, const LocationContext *LCtx) 700 : AnyFunctionCall(CE, St, LCtx) { 701 Data = Target; 702 } 703 704 CXXConstructorCall(const CXXConstructorCall &Other) : AnyFunctionCall(Other){} 705 void cloneTo(void *Dest) const override { new (Dest) CXXConstructorCall(*this); } 706 707 void getExtraInvalidatedValues(ValueList &Values) const override; 708 709 public: 710 virtual const CXXConstructExpr *getOriginExpr() const { 711 return cast<CXXConstructExpr>(AnyFunctionCall::getOriginExpr()); 712 } 713 714 const CXXConstructorDecl *getDecl() const override { 715 return getOriginExpr()->getConstructor(); 716 } 717 718 unsigned getNumArgs() const override { return getOriginExpr()->getNumArgs(); } 719 720 const Expr *getArgExpr(unsigned Index) const override { 721 return getOriginExpr()->getArg(Index); 722 } 723 724 /// \brief Returns the value of the implicit 'this' object. 725 SVal getCXXThisVal() const; 726 727 void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 728 BindingsTy &Bindings) const override; 729 730 Kind getKind() const override { return CE_CXXConstructor; } 731 732 static bool classof(const CallEvent *CA) { 733 return CA->getKind() == CE_CXXConstructor; 734 } 735 }; 736 737 /// \brief Represents the memory allocation call in a C++ new-expression. 738 /// 739 /// This is a call to "operator new". 740 class CXXAllocatorCall : public AnyFunctionCall { 741 friend class CallEventManager; 742 743 protected: 744 CXXAllocatorCall(const CXXNewExpr *E, ProgramStateRef St, 745 const LocationContext *LCtx) 746 : AnyFunctionCall(E, St, LCtx) {} 747 748 CXXAllocatorCall(const CXXAllocatorCall &Other) : AnyFunctionCall(Other) {} 749 void cloneTo(void *Dest) const override { new (Dest) CXXAllocatorCall(*this); } 750 751 public: 752 virtual const CXXNewExpr *getOriginExpr() const { 753 return cast<CXXNewExpr>(AnyFunctionCall::getOriginExpr()); 754 } 755 756 const FunctionDecl *getDecl() const override { 757 return getOriginExpr()->getOperatorNew(); 758 } 759 760 unsigned getNumArgs() const override { 761 return getOriginExpr()->getNumPlacementArgs() + 1; 762 } 763 764 const Expr *getArgExpr(unsigned Index) const override { 765 // The first argument of an allocator call is the size of the allocation. 766 if (Index == 0) 767 return nullptr; 768 return getOriginExpr()->getPlacementArg(Index - 1); 769 } 770 771 Kind getKind() const override { return CE_CXXAllocator; } 772 773 static bool classof(const CallEvent *CE) { 774 return CE->getKind() == CE_CXXAllocator; 775 } 776 }; 777 778 /// \brief Represents the ways an Objective-C message send can occur. 779 // 780 // Note to maintainers: OCM_Message should always be last, since it does not 781 // need to fit in the Data field's low bits. 782 enum ObjCMessageKind { 783 OCM_PropertyAccess, 784 OCM_Subscript, 785 OCM_Message 786 }; 787 788 /// \brief Represents any expression that calls an Objective-C method. 789 /// 790 /// This includes all of the kinds listed in ObjCMessageKind. 791 class ObjCMethodCall : public CallEvent { 792 friend class CallEventManager; 793 794 const PseudoObjectExpr *getContainingPseudoObjectExpr() const; 795 796 protected: 797 ObjCMethodCall(const ObjCMessageExpr *Msg, ProgramStateRef St, 798 const LocationContext *LCtx) 799 : CallEvent(Msg, St, LCtx) { 800 Data = nullptr; 801 } 802 803 ObjCMethodCall(const ObjCMethodCall &Other) : CallEvent(Other) {} 804 void cloneTo(void *Dest) const override { new (Dest) ObjCMethodCall(*this); } 805 806 void getExtraInvalidatedValues(ValueList &Values) const override; 807 808 /// Check if the selector may have multiple definitions (may have overrides). 809 virtual bool canBeOverridenInSubclass(ObjCInterfaceDecl *IDecl, 810 Selector Sel) const; 811 812 public: 813 virtual const ObjCMessageExpr *getOriginExpr() const { 814 return cast<ObjCMessageExpr>(CallEvent::getOriginExpr()); 815 } 816 const ObjCMethodDecl *getDecl() const override { 817 return getOriginExpr()->getMethodDecl(); 818 } 819 unsigned getNumArgs() const override { 820 return getOriginExpr()->getNumArgs(); 821 } 822 const Expr *getArgExpr(unsigned Index) const override { 823 return getOriginExpr()->getArg(Index); 824 } 825 826 bool isInstanceMessage() const { 827 return getOriginExpr()->isInstanceMessage(); 828 } 829 ObjCMethodFamily getMethodFamily() const { 830 return getOriginExpr()->getMethodFamily(); 831 } 832 Selector getSelector() const { 833 return getOriginExpr()->getSelector(); 834 } 835 836 SourceRange getSourceRange() const override; 837 838 /// \brief Returns the value of the receiver at the time of this call. 839 SVal getReceiverSVal() const; 840 841 /// \brief Return the value of 'self' if available. 842 SVal getSelfSVal() const; 843 844 /// \brief Get the interface for the receiver. 845 /// 846 /// This works whether this is an instance message or a class message. 847 /// However, it currently just uses the static type of the receiver. 848 const ObjCInterfaceDecl *getReceiverInterface() const { 849 return getOriginExpr()->getReceiverInterface(); 850 } 851 852 /// \brief Checks if the receiver refers to 'self' or 'super'. 853 bool isReceiverSelfOrSuper() const; 854 855 /// Returns how the message was written in the source (property access, 856 /// subscript, or explicit message send). 857 ObjCMessageKind getMessageKind() const; 858 859 /// Returns true if this property access or subscript is a setter (has the 860 /// form of an assignment). 861 bool isSetter() const { 862 switch (getMessageKind()) { 863 case OCM_Message: 864 llvm_unreachable("This is not a pseudo-object access!"); 865 case OCM_PropertyAccess: 866 return getNumArgs() > 0; 867 case OCM_Subscript: 868 return getNumArgs() > 1; 869 } 870 llvm_unreachable("Unknown message kind"); 871 } 872 873 RuntimeDefinition getRuntimeDefinition() const override; 874 875 bool argumentsMayEscape() const override; 876 877 void getInitialStackFrameContents(const StackFrameContext *CalleeCtx, 878 BindingsTy &Bindings) const override; 879 880 ArrayRef<ParmVarDecl*> parameters() const override; 881 882 Kind getKind() const override { return CE_ObjCMessage; } 883 884 static bool classof(const CallEvent *CA) { 885 return CA->getKind() == CE_ObjCMessage; 886 } 887 }; 888 889 890 /// \brief Manages the lifetime of CallEvent objects. 891 /// 892 /// CallEventManager provides a way to create arbitrary CallEvents "on the 893 /// stack" as if they were value objects by keeping a cache of CallEvent-sized 894 /// memory blocks. The CallEvents created by CallEventManager are only valid 895 /// for the lifetime of the OwnedCallEvent that holds them; right now these 896 /// objects cannot be copied and ownership cannot be transferred. 897 class CallEventManager { 898 friend class CallEvent; 899 900 llvm::BumpPtrAllocator &Alloc; 901 SmallVector<void *, 8> Cache; 902 typedef SimpleFunctionCall CallEventTemplateTy; 903 904 void reclaim(const void *Memory) { 905 Cache.push_back(const_cast<void *>(Memory)); 906 } 907 908 /// Returns memory that can be initialized as a CallEvent. 909 void *allocate() { 910 if (Cache.empty()) 911 return Alloc.Allocate<CallEventTemplateTy>(); 912 else 913 return Cache.pop_back_val(); 914 } 915 916 template <typename T, typename Arg> 917 T *create(Arg A, ProgramStateRef St, const LocationContext *LCtx) { 918 static_assert(sizeof(T) == sizeof(CallEventTemplateTy), 919 "CallEvent subclasses are not all the same size"); 920 return new (allocate()) T(A, St, LCtx); 921 } 922 923 template <typename T, typename Arg1, typename Arg2> 924 T *create(Arg1 A1, Arg2 A2, ProgramStateRef St, const LocationContext *LCtx) { 925 static_assert(sizeof(T) == sizeof(CallEventTemplateTy), 926 "CallEvent subclasses are not all the same size"); 927 return new (allocate()) T(A1, A2, St, LCtx); 928 } 929 930 template <typename T, typename Arg1, typename Arg2, typename Arg3> 931 T *create(Arg1 A1, Arg2 A2, Arg3 A3, ProgramStateRef St, 932 const LocationContext *LCtx) { 933 static_assert(sizeof(T) == sizeof(CallEventTemplateTy), 934 "CallEvent subclasses are not all the same size"); 935 return new (allocate()) T(A1, A2, A3, St, LCtx); 936 } 937 938 template <typename T, typename Arg1, typename Arg2, typename Arg3, 939 typename Arg4> 940 T *create(Arg1 A1, Arg2 A2, Arg3 A3, Arg4 A4, ProgramStateRef St, 941 const LocationContext *LCtx) { 942 static_assert(sizeof(T) == sizeof(CallEventTemplateTy), 943 "CallEvent subclasses are not all the same size"); 944 return new (allocate()) T(A1, A2, A3, A4, St, LCtx); 945 } 946 947 public: 948 CallEventManager(llvm::BumpPtrAllocator &alloc) : Alloc(alloc) {} 949 950 951 CallEventRef<> 952 getCaller(const StackFrameContext *CalleeCtx, ProgramStateRef State); 953 954 955 CallEventRef<> 956 getSimpleCall(const CallExpr *E, ProgramStateRef State, 957 const LocationContext *LCtx); 958 959 CallEventRef<ObjCMethodCall> 960 getObjCMethodCall(const ObjCMessageExpr *E, ProgramStateRef State, 961 const LocationContext *LCtx) { 962 return create<ObjCMethodCall>(E, State, LCtx); 963 } 964 965 CallEventRef<CXXConstructorCall> 966 getCXXConstructorCall(const CXXConstructExpr *E, const MemRegion *Target, 967 ProgramStateRef State, const LocationContext *LCtx) { 968 return create<CXXConstructorCall>(E, Target, State, LCtx); 969 } 970 971 CallEventRef<CXXDestructorCall> 972 getCXXDestructorCall(const CXXDestructorDecl *DD, const Stmt *Trigger, 973 const MemRegion *Target, bool IsBase, 974 ProgramStateRef State, const LocationContext *LCtx) { 975 return create<CXXDestructorCall>(DD, Trigger, Target, IsBase, State, LCtx); 976 } 977 978 CallEventRef<CXXAllocatorCall> 979 getCXXAllocatorCall(const CXXNewExpr *E, ProgramStateRef State, 980 const LocationContext *LCtx) { 981 return create<CXXAllocatorCall>(E, State, LCtx); 982 } 983 }; 984 985 986 template <typename T> 987 CallEventRef<T> CallEvent::cloneWithState(ProgramStateRef NewState) const { 988 assert(isa<T>(*this) && "Cloning to unrelated type"); 989 static_assert(sizeof(T) == sizeof(CallEvent), 990 "Subclasses may not add fields"); 991 992 if (NewState == State) 993 return cast<T>(this); 994 995 CallEventManager &Mgr = State->getStateManager().getCallEventManager(); 996 T *Copy = static_cast<T *>(Mgr.allocate()); 997 cloneTo(Copy); 998 assert(Copy->getKind() == this->getKind() && "Bad copy"); 999 1000 Copy->State = NewState; 1001 return Copy; 1002 } 1003 1004 inline void CallEvent::Release() const { 1005 assert(RefCount > 0 && "Reference count is already zero."); 1006 --RefCount; 1007 1008 if (RefCount > 0) 1009 return; 1010 1011 CallEventManager &Mgr = State->getStateManager().getCallEventManager(); 1012 Mgr.reclaim(this); 1013 1014 this->~CallEvent(); 1015 } 1016 1017 } // end namespace ento 1018 } // end namespace clang 1019 1020 namespace llvm { 1021 // Support isa<>, cast<>, and dyn_cast<> for CallEventRef. 1022 template<class T> struct simplify_type< clang::ento::CallEventRef<T> > { 1023 typedef const T *SimpleType; 1024 1025 static SimpleType 1026 getSimplifiedValue(clang::ento::CallEventRef<T> Val) { 1027 return Val.get(); 1028 } 1029 }; 1030 } 1031 1032 #endif 1033
