CallEvent.cpp source code [clang_source_code/lib/StaticAnalyzer/Core/CallEvent.cpp]

1	//===- CallEvent.cpp - Wrapper for all function and method calls ----------===//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	/// \file This file defines CallEvent and its subclasses, which represent path-
10	/// sensitive instances of different kinds of function and method calls
11	/// (C, C++, and Objective-C).
12	//
13	//===----------------------------------------------------------------------===//
14
15	#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
16	#include "clang/AST/ASTContext.h"
17	#include "clang/AST/Decl.h"
18	#include "clang/AST/DeclBase.h"
19	#include "clang/AST/DeclCXX.h"
20	#include "clang/AST/DeclObjC.h"
21	#include "clang/AST/Expr.h"
22	#include "clang/AST/ExprCXX.h"
23	#include "clang/AST/ExprObjC.h"
24	#include "clang/AST/ParentMap.h"
25	#include "clang/AST/Stmt.h"
26	#include "clang/AST/Type.h"
27	#include "clang/Analysis/AnalysisDeclContext.h"
28	#include "clang/Analysis/CFG.h"
29	#include "clang/Analysis/CFGStmtMap.h"
30	#include "clang/Analysis/ProgramPoint.h"
31	#include "clang/CrossTU/CrossTranslationUnit.h"
32	#include "clang/Basic/IdentifierTable.h"
33	#include "clang/Basic/LLVM.h"
34	#include "clang/Basic/SourceLocation.h"
35	#include "clang/Basic/SourceManager.h"
36	#include "clang/Basic/Specifiers.h"
37	#include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
38	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
39	#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h"
40	#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h"
41	#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
42	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
43	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
44	#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
45	#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
46	#include "clang/StaticAnalyzer/Core/PathSensitive/Store.h"
47	#include "llvm/ADT/ArrayRef.h"
48	#include "llvm/ADT/DenseMap.h"
49	#include "llvm/ADT/None.h"
50	#include "llvm/ADT/Optional.h"
51	#include "llvm/ADT/PointerIntPair.h"
52	#include "llvm/ADT/SmallSet.h"
53	#include "llvm/ADT/SmallVector.h"
54	#include "llvm/ADT/StringExtras.h"
55	#include "llvm/ADT/StringRef.h"
56	#include "llvm/Support/Casting.h"
57	#include "llvm/Support/Compiler.h"
58	#include "llvm/Support/Debug.h"
59	#include "llvm/Support/ErrorHandling.h"
60	#include "llvm/Support/raw_ostream.h"
61	#include <cassert>
62	#include <utility>
63
64	#define DEBUG_TYPE "static-analyzer-call-event"
65
66	using namespace clang;
67	using namespace ento;
68
69	QualType CallEvent::getResultType() const {
70	ASTContext &Ctx = getState()->getStateManager().getContext();
71	const Expr *E = getOriginExpr();
72	if (!E)
73	return Ctx.VoidTy;
74	assert(E);
75
76	QualType ResultTy = E->getType();
77
78	// A function that returns a reference to 'int' will have a result type
79	// of simply 'int'. Check the origin expr's value kind to recover the
80	// proper type.
81	switch (E->getValueKind()) {
82	case VK_LValue:
83	ResultTy = Ctx.getLValueReferenceType(ResultTy);
84	break;
85	case VK_XValue:
86	ResultTy = Ctx.getRValueReferenceType(ResultTy);
87	break;
88	case VK_RValue:
89	// No adjustment is necessary.
90	break;
91	}
92
93	return ResultTy;
94	}
95
96	static bool isCallback(QualType T) {
97	// If a parameter is a block or a callback, assume it can modify pointer.
98	if (T->isBlockPointerType() \|\|
99	T->isFunctionPointerType() \|\|
100	T->isObjCSelType())
101	return true;
102
103	// Check if a callback is passed inside a struct (for both, struct passed by
104	// reference and by value). Dig just one level into the struct for now.
105
106	if (T->isAnyPointerType() \|\| T->isReferenceType())
107	T = T->getPointeeType();
108
109	if (const RecordType *RT = T->getAsStructureType()) {
110	const RecordDecl *RD = RT->getDecl();
111	for (const auto *I : RD->fields()) {
112	QualType FieldT = I->getType();
113	if (FieldT->isBlockPointerType() \|\| FieldT->isFunctionPointerType())
114	return true;
115	}
116	}
117	return false;
118	}
119
120	static bool isVoidPointerToNonConst(QualType T) {
121	if (const auto *PT = T->getAs<PointerType>()) {
122	QualType PointeeTy = PT->getPointeeType();
123	if (PointeeTy.isConstQualified())
124	return false;
125	return PointeeTy->isVoidType();
126	} else
127	return false;
128	}
129
130	bool CallEvent::hasNonNullArgumentsWithType(bool (*Condition)(QualType)) const {
131	unsigned NumOfArgs = getNumArgs();
132
133	// If calling using a function pointer, assume the function does not
134	// satisfy the callback.
135	// TODO: We could check the types of the arguments here.
136	if (!getDecl())
137	return false;
138
139	unsigned Idx = 0;
140	for (CallEvent::param_type_iterator I = param_type_begin(),
141	E = param_type_end();
142	I != E && Idx < NumOfArgs; ++I, ++Idx) {
143	// If the parameter is 0, it's harmless.
144	if (getArgSVal(Idx).isZeroConstant())
145	continue;
146
147	if (Condition(*I))
148	return true;
149	}
150	return false;
151	}
152
153	bool CallEvent::hasNonZeroCallbackArg() const {
154	return hasNonNullArgumentsWithType(isCallback);
155	}
156
157	bool CallEvent::hasVoidPointerToNonConstArg() const {
158	return hasNonNullArgumentsWithType(isVoidPointerToNonConst);
159	}
160
161	bool CallEvent::isGlobalCFunction(StringRef FunctionName) const {
162	const auto *FD = dyn_cast_or_null<FunctionDecl>(getDecl());
163	if (!FD)
164	return false;
165
166	return CheckerContext::isCLibraryFunction(FD, FunctionName);
167	}
168
169	AnalysisDeclContext *CallEvent::getCalleeAnalysisDeclContext() const {
170	const Decl *D = getDecl();
171	if (!D)
172	return nullptr;
173
174	// TODO: For now we skip functions without definitions, even if we have
175	// our own getDecl(), because it's hard to find out which re-declaration
176	// is going to be used, and usually clients don't really care about this
177	// situation because there's a loss of precision anyway because we cannot
178	// inline the call.
179	RuntimeDefinition RD = getRuntimeDefinition();
180	if (!RD.getDecl())
181	return nullptr;
182
183	AnalysisDeclContext *ADC =
184	LCtx->getAnalysisDeclContext()->getManager()->getContext(D);
185
186	// TODO: For now we skip virtual functions, because this also rises
187	// the problem of which decl to use, but now it's across different classes.
188	if (RD.mayHaveOtherDefinitions() \|\| RD.getDecl() != ADC->getDecl())
189	return nullptr;
190
191	return ADC;
192	}
193
194	const StackFrameContext *CallEvent::getCalleeStackFrame() const {
195	AnalysisDeclContext *ADC = getCalleeAnalysisDeclContext();
196	if (!ADC)
197	return nullptr;
198
199	const Expr *E = getOriginExpr();
200	if (!E)
201	return nullptr;
202
203	// Recover CFG block via reverse lookup.
204	// TODO: If we were to keep CFG element information as part of the CallEvent
205	// instead of doing this reverse lookup, we would be able to build the stack
206	// frame for non-expression-based calls, and also we wouldn't need the reverse
207	// lookup.
208	CFGStmtMap *Map = LCtx->getAnalysisDeclContext()->getCFGStmtMap();
209	const CFGBlock *B = Map->getBlock(E);
210	assert(B);
211
212	// Also recover CFG index by scanning the CFG block.
213	unsigned Idx = 0, Sz = B->size();
214	for (; Idx < Sz; ++Idx)
215	if (auto StmtElem = (*B)[Idx].getAs<CFGStmt>())
216	if (StmtElem->getStmt() == E)
217	break;
218	assert(Idx < Sz);
219
220	return ADC->getManager()->getStackFrame(ADC, LCtx, E, B, Idx);
221	}
222
223	const VarRegion *CallEvent::getParameterLocation(unsigned Index) const {
224	const StackFrameContext *SFC = getCalleeStackFrame();
225	// We cannot construct a VarRegion without a stack frame.
226	if (!SFC)
227	return nullptr;
228
229	// Retrieve parameters of the definition, which are different from
230	// CallEvent's parameters() because getDecl() isn't necessarily
231	// the definition. SFC contains the definition that would be used
232	// during analysis.
233	const Decl *D = SFC->getDecl();
234
235	// TODO: Refactor into a virtual method of CallEvent, like parameters().
236	const ParmVarDecl *PVD = nullptr;
237	if (const auto *FD = dyn_cast<FunctionDecl>(D))
238	PVD = FD->parameters()[Index];
239	else if (const auto *BD = dyn_cast<BlockDecl>(D))
240	PVD = BD->parameters()[Index];
241	else if (const auto *MD = dyn_cast<ObjCMethodDecl>(D))
242	PVD = MD->parameters()[Index];
243	else if (const auto *CD = dyn_cast<CXXConstructorDecl>(D))
244	PVD = CD->parameters()[Index];
245	(0) . __assert_fail ("PVD && \"Unexpected Decl kind!\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 245, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(PVD && "Unexpected Decl kind!");
246
247	const VarRegion *VR =
248	State->getStateManager().getRegionManager().getVarRegion(PVD, SFC);
249
250	// This sanity check would fail if our parameter declaration doesn't
251	// correspond to the stack frame's function declaration.
252	getStackFrame() == SFC", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 252, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(VR->getStackFrame() == SFC);
253
254	return VR;
255	}
256
257	/// Returns true if a type is a pointer-to-const or reference-to-const
258	/// with no further indirection.
259	static bool isPointerToConst(QualType Ty) {
260	QualType PointeeTy = Ty->getPointeeType();
261	if (PointeeTy == QualType())
262	return false;
263	if (!PointeeTy.isConstQualified())
264	return false;
265	if (PointeeTy->isAnyPointerType())
266	return false;
267	return true;
268	}
269
270	// Try to retrieve the function declaration and find the function parameter
271	// types which are pointers/references to a non-pointer const.
272	// We will not invalidate the corresponding argument regions.
273	static void findPtrToConstParams(llvm::SmallSet<unsigned, 4> &PreserveArgs,
274	const CallEvent &Call) {
275	unsigned Idx = 0;
276	for (CallEvent::param_type_iterator I = Call.param_type_begin(),
277	E = Call.param_type_end();
278	I != E; ++I, ++Idx) {
279	if (isPointerToConst(*I))
280	PreserveArgs.insert(Idx);
281	}
282	}
283
284	ProgramStateRef CallEvent::invalidateRegions(unsigned BlockCount,
285	ProgramStateRef Orig) const {
286	ProgramStateRef Result = (Orig ? Orig : getState());
287
288	// Don't invalidate anything if the callee is marked pure/const.
289	if (const Decl *callee = getDecl())
290	if (callee->hasAttr<PureAttr>() \|\| callee->hasAttr<ConstAttr>())
291	return Result;
292
293	SmallVector<SVal, 8> ValuesToInvalidate;
294	RegionAndSymbolInvalidationTraits ETraits;
295
296	getExtraInvalidatedValues(ValuesToInvalidate, &ETraits);
297
298	// Indexes of arguments whose values will be preserved by the call.
299	llvm::SmallSet<unsigned, 4> PreserveArgs;
300	if (!argumentsMayEscape())
301	findPtrToConstParams(PreserveArgs, *this);
302
303	for (unsigned Idx = 0, Count = getNumArgs(); Idx != Count; ++Idx) {
304	// Mark this region for invalidation. We batch invalidate regions
305	// below for efficiency.
306	if (const MemRegion *MR = getArgSVal(Idx).getAsRegion()) {
307	bool UseBaseRegion = true;
308	if (const auto *FR = MR->getAs<FieldRegion>()) {
309	if (const auto *TVR = FR->getSuperRegion()->getAs<TypedValueRegion>()) {
310	if (!TVR->getValueType()->isUnionType()) {
311	ETraits.setTrait(MR, RegionAndSymbolInvalidationTraits::
312	TK_DoNotInvalidateSuperRegion);
313	UseBaseRegion = false;
314	}
315	}
316	}
317	// todo: factor this out + handle the lower level const pointers.
318	if (PreserveArgs.count(Idx))
319	ETraits.setTrait(
320	UseBaseRegion ? MR->getBaseRegion() : MR,
321	RegionAndSymbolInvalidationTraits::TK_PreserveContents);
322	}
323
324	ValuesToInvalidate.push_back(getArgSVal(Idx));
325
326	// If a function accepts an object by argument (which would of course be a
327	// temporary that isn't lifetime-extended), invalidate the object itself,
328	// not only other objects reachable from it. This is necessary because the
329	// destructor has access to the temporary object after the call.
330	// TODO: Support placement arguments once we start
331	// constructing them directly.
332	// TODO: This is unnecessary when there's no destructor, but that's
333	// currently hard to figure out.
334	if (getKind() != CE_CXXAllocator)
335	if (isArgumentConstructedDirectly(Idx))
336	if (auto AdjIdx = getAdjustedParameterIndex(Idx))
337	if (const VarRegion VR = getParameterLocation(AdjIdx))
338	ValuesToInvalidate.push_back(loc::MemRegionVal(VR));
339	}
340
341	// Invalidate designated regions using the batch invalidation API.
342	// NOTE: Even if RegionsToInvalidate is empty, we may still invalidate
343	// global variables.
344	return Result->invalidateRegions(ValuesToInvalidate, getOriginExpr(),
345	BlockCount, getLocationContext(),
346	/CausedByPointerEscape/ true,
347	/Symbols=/nullptr, this, &ETraits);
348	}
349
350	ProgramPoint CallEvent::getProgramPoint(bool IsPreVisit,
351	const ProgramPointTag *Tag) const {
352	if (const Expr *E = getOriginExpr()) {
353	if (IsPreVisit)
354	return PreStmt(E, getLocationContext(), Tag);
355	return PostStmt(E, getLocationContext(), Tag);
356	}
357
358	const Decl *D = getDecl();
359	(0) . __assert_fail ("D && \"Cannot get a program point without a statement or decl\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 359, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(D && "Cannot get a program point without a statement or decl");
360
361	SourceLocation Loc = getSourceRange().getBegin();
362	if (IsPreVisit)
363	return PreImplicitCall(D, Loc, getLocationContext(), Tag);
364	return PostImplicitCall(D, Loc, getLocationContext(), Tag);
365	}
366
367	bool CallEvent::isCalled(const CallDescription &CD) const {
368	// FIXME: Add ObjC Message support.
369	if (getKind() == CE_ObjCMessage)
370	return false;
371	if (!CD.IsLookupDone) {
372	CD.IsLookupDone = true;
373	CD.II = &getState()->getStateManager().getContext().Idents.get(
374	CD.getFunctionName());
375	}
376	const IdentifierInfo *II = getCalleeIdentifier();
377	if (!II \|\| II != CD.II)
378	return false;
379
380	const Decl *D = getDecl();
381	// If CallDescription provides prefix names, use them to improve matching
382	// accuracy.
383	if (CD.QualifiedName.size() > 1 && D) {
384	const DeclContext *Ctx = D->getDeclContext();
385	// See if we'll be able to match them all.
386	size_t NumUnmatched = CD.QualifiedName.size() - 1;
387	for (; Ctx && isa<NamedDecl>(Ctx); Ctx = Ctx->getParent()) {
388	if (NumUnmatched == 0)
389	break;
390
391	if (const auto *ND = dyn_cast<NamespaceDecl>(Ctx)) {
392	if (ND->getName() == CD.QualifiedName[NumUnmatched - 1])
393	--NumUnmatched;
394	continue;
395	}
396
397	if (const auto *RD = dyn_cast<RecordDecl>(Ctx)) {
398	if (RD->getName() == CD.QualifiedName[NumUnmatched - 1])
399	--NumUnmatched;
400	continue;
401	}
402	}
403
404	if (NumUnmatched > 0)
405	return false;
406	}
407
408	return (CD.RequiredArgs == CallDescription::NoArgRequirement \|\|
409	CD.RequiredArgs == getNumArgs());
410	}
411
412	SVal CallEvent::getArgSVal(unsigned Index) const {
413	const Expr *ArgE = getArgExpr(Index);
414	if (!ArgE)
415	return UnknownVal();
416	return getSVal(ArgE);
417	}
418
419	SourceRange CallEvent::getArgSourceRange(unsigned Index) const {
420	const Expr *ArgE = getArgExpr(Index);
421	if (!ArgE)
422	return {};
423	return ArgE->getSourceRange();
424	}
425
426	SVal CallEvent::getReturnValue() const {
427	const Expr *E = getOriginExpr();
428	if (!E)
429	return UndefinedVal();
430	return getSVal(E);
431	}
432
433	LLVM_DUMP_METHOD void CallEvent::dump() const { dump(llvm::errs()); }
434
435	void CallEvent::dump(raw_ostream &Out) const {
436	ASTContext &Ctx = getState()->getStateManager().getContext();
437	if (const Expr *E = getOriginExpr()) {
438	E->printPretty(Out, nullptr, Ctx.getPrintingPolicy());
439	Out << "\n";
440	return;
441	}
442
443	if (const Decl *D = getDecl()) {
444	Out << "Call to ";
445	D->print(Out, Ctx.getPrintingPolicy());
446	return;
447	}
448
449	// FIXME: a string representation of the kind would be nice.
450	Out << "Unknown call (type " << getKind() << ")";
451	}
452
453	bool CallEvent::isCallStmt(const Stmt *S) {
454	return isa<CallExpr>(S) \|\| isa<ObjCMessageExpr>(S)
455	\|\| isa<CXXConstructExpr>(S)
456	\|\| isa<CXXNewExpr>(S);
457	}
458
459	QualType CallEvent::getDeclaredResultType(const Decl *D) {
460	assert(D);
461	if (const auto *FD = dyn_cast<FunctionDecl>(D))
462	return FD->getReturnType();
463	if (const auto *MD = dyn_cast<ObjCMethodDecl>(D))
464	return MD->getReturnType();
465	if (const auto *BD = dyn_cast<BlockDecl>(D)) {
466	// Blocks are difficult because the return type may not be stored in the
467	// BlockDecl itself. The AST should probably be enhanced, but for now we
468	// just do what we can.
469	// If the block is declared without an explicit argument list, the
470	// signature-as-written just includes the return type, not the entire
471	// function type.
472	// FIXME: All blocks should have signatures-as-written, even if the return
473	// type is inferred. (That's signified with a dependent result type.)
474	if (const TypeSourceInfo *TSI = BD->getSignatureAsWritten()) {
475	QualType Ty = TSI->getType();
476	if (const FunctionType *FT = Ty->getAs<FunctionType>())
477	Ty = FT->getReturnType();
478	if (!Ty->isDependentType())
479	return Ty;
480	}
481
482	return {};
483	}
484
485	llvm_unreachable("unknown callable kind");
486	}
487
488	bool CallEvent::isVariadic(const Decl *D) {
489	assert(D);
490
491	if (const auto *FD = dyn_cast<FunctionDecl>(D))
492	return FD->isVariadic();
493	if (const auto *MD = dyn_cast<ObjCMethodDecl>(D))
494	return MD->isVariadic();
495	if (const auto *BD = dyn_cast<BlockDecl>(D))
496	return BD->isVariadic();
497
498	llvm_unreachable("unknown callable kind");
499	}
500
501	static void addParameterValuesToBindings(const StackFrameContext *CalleeCtx,
502	CallEvent::BindingsTy &Bindings,
503	SValBuilder &SVB,
504	const CallEvent &Call,
505	ArrayRef<ParmVarDecl*> parameters) {
506	MemRegionManager &MRMgr = SVB.getRegionManager();
507
508	// If the function has fewer parameters than the call has arguments, we simply
509	// do not bind any values to them.
510	unsigned NumArgs = Call.getNumArgs();
511	unsigned Idx = 0;
512	ArrayRef<ParmVarDecl*>::iterator I = parameters.begin(), E = parameters.end();
513	for (; I != E && Idx < NumArgs; ++I, ++Idx) {
514	const ParmVarDecl ParamDecl = I;
515	(0) . __assert_fail ("ParamDecl && \"Formal parameter has no decl?\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 515, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(ParamDecl && "Formal parameter has no decl?");
516
517	// TODO: Support allocator calls.
518	if (Call.getKind() != CE_CXXAllocator)
519	if (Call.isArgumentConstructedDirectly(Idx))
520	continue;
521
522	// TODO: Allocators should receive the correct size and possibly alignment,
523	// determined in compile-time but not represented as arg-expressions,
524	// which makes getArgSVal() fail and return UnknownVal.
525	SVal ArgVal = Call.getArgSVal(Idx);
526	if (!ArgVal.isUnknown()) {
527	Loc ParamLoc = SVB.makeLoc(MRMgr.getVarRegion(ParamDecl, CalleeCtx));
528	Bindings.push_back(std::make_pair(ParamLoc, ArgVal));
529	}
530	}
531
532	// FIXME: Variadic arguments are not handled at all right now.
533	}
534
535	ArrayRef<ParmVarDecl*> AnyFunctionCall::parameters() const {
536	const FunctionDecl *D = getDecl();
537	if (!D)
538	return None;
539	return D->parameters();
540	}
541
542	RuntimeDefinition AnyFunctionCall::getRuntimeDefinition() const {
543	const FunctionDecl *FD = getDecl();
544	if (!FD)
545	return {};
546
547	// Note that the AnalysisDeclContext will have the FunctionDecl with
548	// the definition (if one exists).
549	AnalysisDeclContext *AD =
550	getLocationContext()->getAnalysisDeclContext()->
551	getManager()->getContext(FD);
552	bool IsAutosynthesized;
553	Stmt* Body = AD->getBody(IsAutosynthesized);
554	LLVM_DEBUG({
555	if (IsAutosynthesized)
556	llvm::dbgs() << "Using autosynthesized body for " << FD->getName()
557	<< "\n";
558	});
559	if (Body) {
560	const Decl* Decl = AD->getDecl();
561	return RuntimeDefinition(Decl);
562	}
563
564	SubEngine &Engine = getState()->getStateManager().getOwningEngine();
565	AnalyzerOptions &Opts = Engine.getAnalysisManager().options;
566
567	// Try to get CTU definition only if CTUDir is provided.
568	if (!Opts.IsNaiveCTUEnabled)
569	return {};
570
571	cross_tu::CrossTranslationUnitContext &CTUCtx =
572	*Engine.getCrossTranslationUnitContext();
573	llvm::Expected<const FunctionDecl *> CTUDeclOrError =
574	CTUCtx.getCrossTUDefinition(FD, Opts.CTUDir, Opts.CTUIndexName,
575	Opts.DisplayCTUProgress);
576
577	if (!CTUDeclOrError) {
578	handleAllErrors(CTUDeclOrError.takeError(),
579	[&](const cross_tu::IndexError &IE) {
580	CTUCtx.emitCrossTUDiagnostics(IE);
581	});
582	return {};
583	}
584
585	return RuntimeDefinition(*CTUDeclOrError);
586	}
587
588	void AnyFunctionCall::getInitialStackFrameContents(
589	const StackFrameContext *CalleeCtx,
590	BindingsTy &Bindings) const {
591	const auto *D = cast<FunctionDecl>(CalleeCtx->getDecl());
592	SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
593	addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this,
594	D->parameters());
595	}
596
597	bool AnyFunctionCall::argumentsMayEscape() const {
598	if (CallEvent::argumentsMayEscape() \|\| hasVoidPointerToNonConstArg())
599	return true;
600
601	const FunctionDecl *D = getDecl();
602	if (!D)
603	return true;
604
605	const IdentifierInfo *II = D->getIdentifier();
606	if (!II)
607	return false;
608
609	// This set of "escaping" APIs is
610
611	// - 'int pthread_setspecific(ptheread_key k, const void *)' stores a
612	// value into thread local storage. The value can later be retrieved with
613	// 'void *ptheread_getspecific(pthread_key)'. So even thought the
614	// parameter is 'const void *', the region escapes through the call.
615	if (II->isStr("pthread_setspecific"))
616	return true;
617
618	// - xpc_connection_set_context stores a value which can be retrieved later
619	// with xpc_connection_get_context.
620	if (II->isStr("xpc_connection_set_context"))
621	return true;
622
623	// - funopen - sets a buffer for future IO calls.
624	if (II->isStr("funopen"))
625	return true;
626
627	// - __cxa_demangle - can reallocate memory and can return the pointer to
628	// the input buffer.
629	if (II->isStr("__cxa_demangle"))
630	return true;
631
632	StringRef FName = II->getName();
633
634	// - CoreFoundation functions that end with "NoCopy" can free a passed-in
635	// buffer even if it is const.
636	if (FName.endswith("NoCopy"))
637	return true;
638
639	// - NSXXInsertXX, for example NSMapInsertIfAbsent, since they can
640	// be deallocated by NSMapRemove.
641	if (FName.startswith("NS") && (FName.find("Insert") != StringRef::npos))
642	return true;
643
644	// - Many CF containers allow objects to escape through custom
645	// allocators/deallocators upon container construction. (PR12101)
646	if (FName.startswith("CF") \|\| FName.startswith("CG")) {
647	return StrInStrNoCase(FName, "InsertValue") != StringRef::npos \|\|
648	StrInStrNoCase(FName, "AddValue") != StringRef::npos \|\|
649	StrInStrNoCase(FName, "SetValue") != StringRef::npos \|\|
650	StrInStrNoCase(FName, "WithData") != StringRef::npos \|\|
651	StrInStrNoCase(FName, "AppendValue") != StringRef::npos \|\|
652	StrInStrNoCase(FName, "SetAttribute") != StringRef::npos;
653	}
654
655	return false;
656	}
657
658	const FunctionDecl *SimpleFunctionCall::getDecl() const {
659	const FunctionDecl *D = getOriginExpr()->getDirectCallee();
660	if (D)
661	return D;
662
663	return getSVal(getOriginExpr()->getCallee()).getAsFunctionDecl();
664	}
665
666	const FunctionDecl *CXXInstanceCall::getDecl() const {
667	const auto *CE = cast_or_null<CallExpr>(getOriginExpr());
668	if (!CE)
669	return AnyFunctionCall::getDecl();
670
671	const FunctionDecl *D = CE->getDirectCallee();
672	if (D)
673	return D;
674
675	return getSVal(CE->getCallee()).getAsFunctionDecl();
676	}
677
678	void CXXInstanceCall::getExtraInvalidatedValues(
679	ValueList &Values, RegionAndSymbolInvalidationTraits *ETraits) const {
680	SVal ThisVal = getCXXThisVal();
681	Values.push_back(ThisVal);
682
683	// Don't invalidate if the method is const and there are no mutable fields.
684	if (const auto *D = cast_or_null<CXXMethodDecl>(getDecl())) {
685	if (!D->isConst())
686	return;
687	// Get the record decl for the class of 'This'. D->getParent() may return a
688	// base class decl, rather than the class of the instance which needs to be
689	// checked for mutable fields.
690	// TODO: We might as well look at the dynamic type of the object.
691	const Expr *Ex = getCXXThisExpr()->ignoreParenBaseCasts();
692	QualType T = Ex->getType();
693	if (T->isPointerType()) // Arrow or implicit-this syntax?
694	T = T->getPointeeType();
695	const CXXRecordDecl *ParentRecord = T->getAsCXXRecordDecl();
696	assert(ParentRecord);
697	if (ParentRecord->hasMutableFields())
698	return;
699	// Preserve CXXThis.
700	const MemRegion *ThisRegion = ThisVal.getAsRegion();
701	if (!ThisRegion)
702	return;
703
704	ETraits->setTrait(ThisRegion->getBaseRegion(),
705	RegionAndSymbolInvalidationTraits::TK_PreserveContents);
706	}
707	}
708
709	SVal CXXInstanceCall::getCXXThisVal() const {
710	const Expr *Base = getCXXThisExpr();
711	// FIXME: This doesn't handle an overloaded ->* operator.
712	if (!Base)
713	return UnknownVal();
714
715	SVal ThisVal = getSVal(Base);
716	()", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 716, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(ThisVal.isUnknownOrUndef() \|\| ThisVal.getAs<Loc>());
717	return ThisVal;
718	}
719
720	RuntimeDefinition CXXInstanceCall::getRuntimeDefinition() const {
721	// Do we have a decl at all?
722	const Decl *D = getDecl();
723	if (!D)
724	return {};
725
726	// If the method is non-virtual, we know we can inline it.
727	const auto *MD = cast<CXXMethodDecl>(D);
728	if (!MD->isVirtual())
729	return AnyFunctionCall::getRuntimeDefinition();
730
731	// Do we know the implicit 'this' object being called?
732	const MemRegion *R = getCXXThisVal().getAsRegion();
733	if (!R)
734	return {};
735
736	// Do we know anything about the type of 'this'?
737	DynamicTypeInfo DynType = getDynamicTypeInfo(getState(), R);
738	if (!DynType.isValid())
739	return {};
740
741	// Is the type a C++ class? (This is mostly a defensive check.)
742	QualType RegionType = DynType.getType()->getPointeeType();
743	(0) . __assert_fail ("!RegionType.isNull() && \"DynamicTypeInfo should always be a pointer.\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 743, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(!RegionType.isNull() && "DynamicTypeInfo should always be a pointer.");
744
745	const CXXRecordDecl *RD = RegionType->getAsCXXRecordDecl();
746	if (!RD \|\| !RD->hasDefinition())
747	return {};
748
749	// Find the decl for this method in that class.
750	const CXXMethodDecl *Result = MD->getCorrespondingMethodInClass(RD, true);
751	if (!Result) {
752	// We might not even get the original statically-resolved method due to
753	// some particularly nasty casting (e.g. casts to sister classes).
754	// However, we should at least be able to search up and down our own class
755	// hierarchy, and some real bugs have been caught by checking this.
756	(0) . __assert_fail ("!RD->isDerivedFrom(MD->getParent()) && \"Couldn't find known method\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 756, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(!RD->isDerivedFrom(MD->getParent()) && "Couldn't find known method");
757
758	// FIXME: This is checking that our DynamicTypeInfo is at least as good as
759	// the static type. However, because we currently don't update
760	// DynamicTypeInfo when an object is cast, we can't actually be sure the
761	// DynamicTypeInfo is up to date. This assert should be re-enabled once
762	// this is fixed. <rdar://problem/12287087>
763	//assert(!MD->getParent()->isDerivedFrom(RD) && "Bad DynamicTypeInfo");
764
765	return {};
766	}
767
768	// Does the decl that we found have an implementation?
769	const FunctionDecl *Definition;
770	if (!Result->hasBody(Definition))
771	return {};
772
773	// We found a definition. If we're not sure that this devirtualization is
774	// actually what will happen at runtime, make sure to provide the region so
775	// that ExprEngine can decide what to do with it.
776	if (DynType.canBeASubClass())
777	return RuntimeDefinition(Definition, R->StripCasts());
778	return RuntimeDefinition(Definition, /DispatchRegion=/nullptr);
779	}
780
781	void CXXInstanceCall::getInitialStackFrameContents(
782	const StackFrameContext *CalleeCtx,
783	BindingsTy &Bindings) const {
784	AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings);
785
786	// Handle the binding of 'this' in the new stack frame.
787	SVal ThisVal = getCXXThisVal();
788	if (!ThisVal.isUnknown()) {
789	ProgramStateManager &StateMgr = getState()->getStateManager();
790	SValBuilder &SVB = StateMgr.getSValBuilder();
791
792	const auto *MD = cast<CXXMethodDecl>(CalleeCtx->getDecl());
793	Loc ThisLoc = SVB.getCXXThis(MD, CalleeCtx);
794
795	// If we devirtualized to a different member function, we need to make sure
796	// we have the proper layering of CXXBaseObjectRegions.
797	if (MD->getCanonicalDecl() != getDecl()->getCanonicalDecl()) {
798	ASTContext &Ctx = SVB.getContext();
799	const CXXRecordDecl *Class = MD->getParent();
800	QualType Ty = Ctx.getPointerType(Ctx.getRecordType(Class));
801
802	// FIXME: CallEvent maybe shouldn't be directly accessing StoreManager.
803	bool Failed;
804	ThisVal = StateMgr.getStoreManager().attemptDownCast(ThisVal, Ty, Failed);
805	if (Failed) {
806	// We might have suffered some sort of placement new earlier, so
807	// we're constructing in a completely unexpected storage.
808	// Fall back to a generic pointer cast for this-value.
809	const CXXMethodDecl *StaticMD = cast<CXXMethodDecl>(getDecl());
810	const CXXRecordDecl *StaticClass = StaticMD->getParent();
811	QualType StaticTy = Ctx.getPointerType(Ctx.getRecordType(StaticClass));
812	ThisVal = SVB.evalCast(ThisVal, Ty, StaticTy);
813	}
814	}
815
816	if (!ThisVal.isUnknown())
817	Bindings.push_back(std::make_pair(ThisLoc, ThisVal));
818	}
819	}
820
821	const Expr *CXXMemberCall::getCXXThisExpr() const {
822	return getOriginExpr()->getImplicitObjectArgument();
823	}
824
825	RuntimeDefinition CXXMemberCall::getRuntimeDefinition() const {
826	// C++11 [expr.call]p1: ...If the selected function is non-virtual, or if the
827	// id-expression in the class member access expression is a qualified-id,
828	// that function is called. Otherwise, its final overrider in the dynamic type
829	// of the object expression is called.
830	if (const auto *ME = dyn_cast<MemberExpr>(getOriginExpr()->getCallee()))
831	if (ME->hasQualifier())
832	return AnyFunctionCall::getRuntimeDefinition();
833
834	return CXXInstanceCall::getRuntimeDefinition();
835	}
836
837	const Expr *CXXMemberOperatorCall::getCXXThisExpr() const {
838	return getOriginExpr()->getArg(0);
839	}
840
841	const BlockDataRegion *BlockCall::getBlockRegion() const {
842	const Expr *Callee = getOriginExpr()->getCallee();
843	const MemRegion *DataReg = getSVal(Callee).getAsRegion();
844
845	return dyn_cast_or_null<BlockDataRegion>(DataReg);
846	}
847
848	ArrayRef<ParmVarDecl*> BlockCall::parameters() const {
849	const BlockDecl *D = getDecl();
850	if (!D)
851	return None;
852	return D->parameters();
853	}
854
855	void BlockCall::getExtraInvalidatedValues(ValueList &Values,
856	RegionAndSymbolInvalidationTraits *ETraits) const {
857	// FIXME: This also needs to invalidate captured globals.
858	if (const MemRegion *R = getBlockRegion())
859	Values.push_back(loc::MemRegionVal(R));
860	}
861
862	void BlockCall::getInitialStackFrameContents(const StackFrameContext *CalleeCtx,
863	BindingsTy &Bindings) const {
864	SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
865	ArrayRef<ParmVarDecl*> Params;
866	if (isConversionFromLambda()) {
867	auto *LambdaOperatorDecl = cast<CXXMethodDecl>(CalleeCtx->getDecl());
868	Params = LambdaOperatorDecl->parameters();
869
870	// For blocks converted from a C++ lambda, the callee declaration is the
871	// operator() method on the lambda so we bind "this" to
872	// the lambda captured by the block.
873	const VarRegion *CapturedLambdaRegion = getRegionStoringCapturedLambda();
874	SVal ThisVal = loc::MemRegionVal(CapturedLambdaRegion);
875	Loc ThisLoc = SVB.getCXXThis(LambdaOperatorDecl, CalleeCtx);
876	Bindings.push_back(std::make_pair(ThisLoc, ThisVal));
877	} else {
878	Params = cast<BlockDecl>(CalleeCtx->getDecl())->parameters();
879	}
880
881	addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this,
882	Params);
883	}
884
885	SVal CXXConstructorCall::getCXXThisVal() const {
886	if (Data)
887	return loc::MemRegionVal(static_cast<const MemRegion *>(Data));
888	return UnknownVal();
889	}
890
891	void CXXConstructorCall::getExtraInvalidatedValues(ValueList &Values,
892	RegionAndSymbolInvalidationTraits *ETraits) const {
893	if (Data) {
894	loc::MemRegionVal MV(static_cast<const MemRegion *>(Data));
895	if (SymbolRef Sym = MV.getAsSymbol(true))
896	ETraits->setTrait(Sym,
897	RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
898	Values.push_back(MV);
899	}
900	}
901
902	void CXXConstructorCall::getInitialStackFrameContents(
903	const StackFrameContext *CalleeCtx,
904	BindingsTy &Bindings) const {
905	AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings);
906
907	SVal ThisVal = getCXXThisVal();
908	if (!ThisVal.isUnknown()) {
909	SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
910	const auto *MD = cast<CXXMethodDecl>(CalleeCtx->getDecl());
911	Loc ThisLoc = SVB.getCXXThis(MD, CalleeCtx);
912	Bindings.push_back(std::make_pair(ThisLoc, ThisVal));
913	}
914	}
915
916	SVal CXXDestructorCall::getCXXThisVal() const {
917	if (Data)
918	return loc::MemRegionVal(DtorDataTy::getFromOpaqueValue(Data).getPointer());
919	return UnknownVal();
920	}
921
922	RuntimeDefinition CXXDestructorCall::getRuntimeDefinition() const {
923	// Base destructors are always called non-virtually.
924	// Skip CXXInstanceCall's devirtualization logic in this case.
925	if (isBaseDestructor())
926	return AnyFunctionCall::getRuntimeDefinition();
927
928	return CXXInstanceCall::getRuntimeDefinition();
929	}
930
931	ArrayRef<ParmVarDecl*> ObjCMethodCall::parameters() const {
932	const ObjCMethodDecl *D = getDecl();
933	if (!D)
934	return None;
935	return D->parameters();
936	}
937
938	void ObjCMethodCall::getExtraInvalidatedValues(
939	ValueList &Values, RegionAndSymbolInvalidationTraits *ETraits) const {
940
941	// If the method call is a setter for property known to be backed by
942	// an instance variable, don't invalidate the entire receiver, just
943	// the storage for that instance variable.
944	if (const ObjCPropertyDecl *PropDecl = getAccessedProperty()) {
945	if (const ObjCIvarDecl *PropIvar = PropDecl->getPropertyIvarDecl()) {
946	SVal IvarLVal = getState()->getLValue(PropIvar, getReceiverSVal());
947	if (const MemRegion *IvarRegion = IvarLVal.getAsRegion()) {
948	ETraits->setTrait(
949	IvarRegion,
950	RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
951	ETraits->setTrait(
952	IvarRegion,
953	RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
954	Values.push_back(IvarLVal);
955	}
956	return;
957	}
958	}
959
960	Values.push_back(getReceiverSVal());
961	}
962
963	SVal ObjCMethodCall::getSelfSVal() const {
964	const LocationContext *LCtx = getLocationContext();
965	const ImplicitParamDecl *SelfDecl = LCtx->getSelfDecl();
966	if (!SelfDecl)
967	return SVal();
968	return getState()->getSVal(getState()->getRegion(SelfDecl, LCtx));
969	}
970
971	SVal ObjCMethodCall::getReceiverSVal() const {
972	// FIXME: Is this the best way to handle class receivers?
973	if (!isInstanceMessage())
974	return UnknownVal();
975
976	if (const Expr *RecE = getOriginExpr()->getInstanceReceiver())
977	return getSVal(RecE);
978
979	// An instance message with no expression means we are sending to super.
980	// In this case the object reference is the same as 'self'.
981	getReceiverKind() == ObjCMessageExpr..SuperInstance", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 981, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance);
982	SVal SelfVal = getSelfSVal();
983	(0) . __assert_fail ("SelfVal.isValid() && \"Calling super but not in ObjC method\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 983, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(SelfVal.isValid() && "Calling super but not in ObjC method");
984	return SelfVal;
985	}
986
987	bool ObjCMethodCall::isReceiverSelfOrSuper() const {
988	if (getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance \|\|
989	getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperClass)
990	return true;
991
992	if (!isInstanceMessage())
993	return false;
994
995	SVal RecVal = getSVal(getOriginExpr()->getInstanceReceiver());
996
997	return (RecVal == getSelfSVal());
998	}
999
1000	SourceRange ObjCMethodCall::getSourceRange() const {
1001	switch (getMessageKind()) {
1002	case OCM_Message:
1003	return getOriginExpr()->getSourceRange();
1004	case OCM_PropertyAccess:
1005	case OCM_Subscript:
1006	return getContainingPseudoObjectExpr()->getSourceRange();
1007	}
1008	llvm_unreachable("unknown message kind");
1009	}
1010
1011	using ObjCMessageDataTy = llvm::PointerIntPair<const PseudoObjectExpr *, 2>;
1012
1013	const PseudoObjectExpr *ObjCMethodCall::getContainingPseudoObjectExpr() const {
1014	(0) . __assert_fail ("Data && \"Lazy lookup not yet performed.\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 1014, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(Data && "Lazy lookup not yet performed.");
1015	(0) . __assert_fail ("getMessageKind() != OCM_Message && \"Explicit message send.\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 1015, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(getMessageKind() != OCM_Message && "Explicit message send.");
1016	return ObjCMessageDataTy::getFromOpaqueValue(Data).getPointer();
1017	}
1018
1019	static const Expr *
1020	getSyntacticFromForPseudoObjectExpr(const PseudoObjectExpr *POE) {
1021	const Expr *Syntactic = POE->getSyntacticForm();
1022
1023	// This handles the funny case of assigning to the result of a getter.
1024	// This can happen if the getter returns a non-const reference.
1025	if (const auto *BO = dyn_cast<BinaryOperator>(Syntactic))
1026	Syntactic = BO->getLHS();
1027
1028	return Syntactic;
1029	}
1030
1031	ObjCMessageKind ObjCMethodCall::getMessageKind() const {
1032	if (!Data) {
1033	// Find the parent, ignoring implicit casts.
1034	ParentMap &PM = getLocationContext()->getParentMap();
1035	const Stmt *S = PM.getParentIgnoreParenCasts(getOriginExpr());
1036
1037	// Check if parent is a PseudoObjectExpr.
1038	if (const auto *POE = dyn_cast_or_null<PseudoObjectExpr>(S)) {
1039	const Expr *Syntactic = getSyntacticFromForPseudoObjectExpr(POE);
1040
1041	ObjCMessageKind K;
1042	switch (Syntactic->getStmtClass()) {
1043	case Stmt::ObjCPropertyRefExprClass:
1044	K = OCM_PropertyAccess;
1045	break;
1046	case Stmt::ObjCSubscriptRefExprClass:
1047	K = OCM_Subscript;
1048	break;
1049	default:
1050	// FIXME: Can this ever happen?
1051	K = OCM_Message;
1052	break;
1053	}
1054
1055	if (K != OCM_Message) {
1056	const_cast<ObjCMethodCall *>(this)->Data
1057	= ObjCMessageDataTy(POE, K).getOpaqueValue();
1058	assert(getMessageKind() == K);
1059	return K;
1060	}
1061	}
1062
1063	const_cast<ObjCMethodCall *>(this)->Data
1064	= ObjCMessageDataTy(nullptr, 1).getOpaqueValue();
1065	assert(getMessageKind() == OCM_Message);
1066	return OCM_Message;
1067	}
1068
1069	ObjCMessageDataTy Info = ObjCMessageDataTy::getFromOpaqueValue(Data);
1070	if (!Info.getPointer())
1071	return OCM_Message;
1072	return static_cast<ObjCMessageKind>(Info.getInt());
1073	}
1074
1075	const ObjCPropertyDecl *ObjCMethodCall::getAccessedProperty() const {
1076	// Look for properties accessed with property syntax (foo.bar = ...)
1077	if ( getMessageKind() == OCM_PropertyAccess) {
1078	const PseudoObjectExpr *POE = getContainingPseudoObjectExpr();
1079	(0) . __assert_fail ("POE && \"Property access without PseudoObjectExpr?\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 1079, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(POE && "Property access without PseudoObjectExpr?");
1080
1081	const Expr *Syntactic = getSyntacticFromForPseudoObjectExpr(POE);
1082	auto *RefExpr = cast<ObjCPropertyRefExpr>(Syntactic);
1083
1084	if (RefExpr->isExplicitProperty())
1085	return RefExpr->getExplicitProperty();
1086	}
1087
1088	// Look for properties accessed with method syntax ([foo setBar:...]).
1089	const ObjCMethodDecl *MD = getDecl();
1090	if (!MD \|\| !MD->isPropertyAccessor())
1091	return nullptr;
1092
1093	// Note: This is potentially quite slow.
1094	return MD->findPropertyDecl();
1095	}
1096
1097	bool ObjCMethodCall::canBeOverridenInSubclass(ObjCInterfaceDecl *IDecl,
1098	Selector Sel) const {
1099	assert(IDecl);
1100	AnalysisManager &AMgr =
1101	getState()->getStateManager().getOwningEngine().getAnalysisManager();
1102	// If the class interface is declared inside the main file, assume it is not
1103	// subcassed.
1104	// TODO: It could actually be subclassed if the subclass is private as well.
1105	// This is probably very rare.
1106	SourceLocation InterfLoc = IDecl->getEndOfDefinitionLoc();
1107	if (InterfLoc.isValid() && AMgr.isInCodeFile(InterfLoc))
1108	return false;
1109
1110	// Assume that property accessors are not overridden.
1111	if (getMessageKind() == OCM_PropertyAccess)
1112	return false;
1113
1114	// We assume that if the method is public (declared outside of main file) or
1115	// has a parent which publicly declares the method, the method could be
1116	// overridden in a subclass.
1117
1118	// Find the first declaration in the class hierarchy that declares
1119	// the selector.
1120	ObjCMethodDecl *D = nullptr;
1121	while (true) {
1122	D = IDecl->lookupMethod(Sel, true);
1123
1124	// Cannot find a public definition.
1125	if (!D)
1126	return false;
1127
1128	// If outside the main file,
1129	if (D->getLocation().isValid() && !AMgr.isInCodeFile(D->getLocation()))
1130	return true;
1131
1132	if (D->isOverriding()) {
1133	// Search in the superclass on the next iteration.
1134	IDecl = D->getClassInterface();
1135	if (!IDecl)
1136	return false;
1137
1138	IDecl = IDecl->getSuperClass();
1139	if (!IDecl)
1140	return false;
1141
1142	continue;
1143	}
1144
1145	return false;
1146	};
1147
1148	llvm_unreachable("The while loop should always terminate.");
1149	}
1150
1151	static const ObjCMethodDecl findDefiningRedecl(const ObjCMethodDecl MD) {
1152	if (!MD)
1153	return MD;
1154
1155	// Find the redeclaration that defines the method.
1156	if (!MD->hasBody()) {
1157	for (auto I : MD->redecls())
1158	if (I->hasBody())
1159	MD = cast<ObjCMethodDecl>(I);
1160	}
1161	return MD;
1162	}
1163
1164	static bool isCallToSelfClass(const ObjCMessageExpr *ME) {
1165	const Expr* InstRec = ME->getInstanceReceiver();
1166	if (!InstRec)
1167	return false;
1168	const auto *InstRecIg = dyn_cast<DeclRefExpr>(InstRec->IgnoreParenImpCasts());
1169
1170	// Check that receiver is called 'self'.
1171	if (!InstRecIg \|\| !InstRecIg->getFoundDecl() \|\|
1172	!InstRecIg->getFoundDecl()->getName().equals("self"))
1173	return false;
1174
1175	// Check that the method name is 'class'.
1176	if (ME->getSelector().getNumArgs() != 0 \|\|
1177	!ME->getSelector().getNameForSlot(0).equals("class"))
1178	return false;
1179
1180	return true;
1181	}
1182
1183	RuntimeDefinition ObjCMethodCall::getRuntimeDefinition() const {
1184	const ObjCMessageExpr *E = getOriginExpr();
1185	assert(E);
1186	Selector Sel = E->getSelector();
1187
1188	if (E->isInstanceMessage()) {
1189	// Find the receiver type.
1190	const ObjCObjectPointerType *ReceiverT = nullptr;
1191	bool CanBeSubClassed = false;
1192	QualType SupersType = E->getSuperType();
1193	const MemRegion *Receiver = nullptr;
1194
1195	if (!SupersType.isNull()) {
1196	// The receiver is guaranteed to be 'super' in this case.
1197	// Super always means the type of immediate predecessor to the method
1198	// where the call occurs.
1199	ReceiverT = cast<ObjCObjectPointerType>(SupersType);
1200	} else {
1201	Receiver = getReceiverSVal().getAsRegion();
1202	if (!Receiver)
1203	return {};
1204
1205	DynamicTypeInfo DTI = getDynamicTypeInfo(getState(), Receiver);
1206	if (!DTI.isValid()) {
1207	(0) . __assert_fail ("isa(Receiver) && \"Unhandled untyped region class!\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 1208, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(isa<AllocaRegion>(Receiver) &&
1208	(0) . __assert_fail ("isa(Receiver) && \"Unhandled untyped region class!\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 1208, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true"> "Unhandled untyped region class!");
1209	return {};
1210	}
1211
1212	QualType DynType = DTI.getType();
1213	CanBeSubClassed = DTI.canBeASubClass();
1214	ReceiverT = dyn_cast<ObjCObjectPointerType>(DynType.getCanonicalType());
1215
1216	if (ReceiverT && CanBeSubClassed)
1217	if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterfaceDecl())
1218	if (!canBeOverridenInSubclass(IDecl, Sel))
1219	CanBeSubClassed = false;
1220	}
1221
1222	// Handle special cases of '[self classMethod]' and
1223	// '[[self class] classMethod]', which are treated by the compiler as
1224	// instance (not class) messages. We will statically dispatch to those.
1225	if (auto *PT = dyn_cast_or_null<ObjCObjectPointerType>(ReceiverT)) {
1226	// For [self classMethod], return the compiler visible declaration.
1227	if (PT->getObjectType()->isObjCClass() &&
1228	Receiver == getSelfSVal().getAsRegion())
1229	return RuntimeDefinition(findDefiningRedecl(E->getMethodDecl()));
1230
1231	// Similarly, handle [[self class] classMethod].
1232	// TODO: We are currently doing a syntactic match for this pattern with is
1233	// limiting as the test cases in Analysis/inlining/InlineObjCClassMethod.m
1234	// shows. A better way would be to associate the meta type with the symbol
1235	// using the dynamic type info tracking and use it here. We can add a new
1236	// SVal for ObjC 'Class' values that know what interface declaration they
1237	// come from. Then 'self' in a class method would be filled in with
1238	// something meaningful in ObjCMethodCall::getReceiverSVal() and we could
1239	// do proper dynamic dispatch for class methods just like we do for
1240	// instance methods now.
1241	if (E->getInstanceReceiver())
1242	if (const auto *M = dyn_cast<ObjCMessageExpr>(E->getInstanceReceiver()))
1243	if (isCallToSelfClass(M))
1244	return RuntimeDefinition(findDefiningRedecl(E->getMethodDecl()));
1245	}
1246
1247	// Lookup the instance method implementation.
1248	if (ReceiverT)
1249	if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterfaceDecl()) {
1250	// Repeatedly calling lookupPrivateMethod() is expensive, especially
1251	// when in many cases it returns null. We cache the results so
1252	// that repeated queries on the same ObjCIntefaceDecl and Selector
1253	// don't incur the same cost. On some test cases, we can see the
1254	// same query being issued thousands of times.
1255	//
1256	// NOTE: This cache is essentially a "global" variable, but it
1257	// only gets lazily created when we get here. The value of the
1258	// cache probably comes from it being global across ExprEngines,
1259	// where the same queries may get issued. If we are worried about
1260	// concurrency, or possibly loading/unloading ASTs, etc., we may
1261	// need to revisit this someday. In terms of memory, this table
1262	// stays around until clang quits, which also may be bad if we
1263	// need to release memory.
1264	using PrivateMethodKey = std::pair<const ObjCInterfaceDecl *, Selector>;
1265	using PrivateMethodCache =
1266	llvm::DenseMap<PrivateMethodKey, Optional<const ObjCMethodDecl *>>;
1267
1268	static PrivateMethodCache PMC;
1269	Optional<const ObjCMethodDecl *> &Val = PMC[std::make_pair(IDecl, Sel)];
1270
1271	// Query lookupPrivateMethod() if the cache does not hit.
1272	if (!Val.hasValue()) {
1273	Val = IDecl->lookupPrivateMethod(Sel);
1274
1275	// If the method is a property accessor, we should try to "inline" it
1276	// even if we don't actually have an implementation.
1277	if (!*Val)
1278	if (const ObjCMethodDecl *CompileTimeMD = E->getMethodDecl())
1279	if (CompileTimeMD->isPropertyAccessor()) {
1280	if (!CompileTimeMD->getSelfDecl() &&
1281	isa<ObjCCategoryDecl>(CompileTimeMD->getDeclContext())) {
1282	// If the method is an accessor in a category, and it doesn't
1283	// have a self declaration, first
1284	// try to find the method in a class extension. This
1285	// works around a bug in Sema where multiple accessors
1286	// are synthesized for properties in class
1287	// extensions that are redeclared in a category and the
1288	// the implicit parameters are not filled in for
1289	// the method on the category.
1290	// This ensures we find the accessor in the extension, which
1291	// has the implicit parameters filled in.
1292	auto *ID = CompileTimeMD->getClassInterface();
1293	for (auto *CatDecl : ID->visible_extensions()) {
1294	Val = CatDecl->getMethod(Sel,
1295	CompileTimeMD->isInstanceMethod());
1296	if (*Val)
1297	break;
1298	}
1299	}
1300	if (!*Val)
1301	Val = IDecl->lookupInstanceMethod(Sel);
1302	}
1303	}
1304
1305	const ObjCMethodDecl *MD = Val.getValue();
1306	if (CanBeSubClassed)
1307	return RuntimeDefinition(MD, Receiver);
1308	else
1309	return RuntimeDefinition(MD, nullptr);
1310	}
1311	} else {
1312	// This is a class method.
1313	// If we have type info for the receiver class, we are calling via
1314	// class name.
1315	if (ObjCInterfaceDecl *IDecl = E->getReceiverInterface()) {
1316	// Find/Return the method implementation.
1317	return RuntimeDefinition(IDecl->lookupPrivateClassMethod(Sel));
1318	}
1319	}
1320
1321	return {};
1322	}
1323
1324	bool ObjCMethodCall::argumentsMayEscape() const {
1325	if (isInSystemHeader() && !isInstanceMessage()) {
1326	Selector Sel = getSelector();
1327	if (Sel.getNumArgs() == 1 &&
1328	Sel.getIdentifierInfoForSlot(0)->isStr("valueWithPointer"))
1329	return true;
1330	}
1331
1332	return CallEvent::argumentsMayEscape();
1333	}
1334
1335	void ObjCMethodCall::getInitialStackFrameContents(
1336	const StackFrameContext *CalleeCtx,
1337	BindingsTy &Bindings) const {
1338	const auto *D = cast<ObjCMethodDecl>(CalleeCtx->getDecl());
1339	SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
1340	addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this,
1341	D->parameters());
1342
1343	SVal SelfVal = getReceiverSVal();
1344	if (!SelfVal.isUnknown()) {
1345	const VarDecl *SelfD = CalleeCtx->getAnalysisDeclContext()->getSelfDecl();
1346	MemRegionManager &MRMgr = SVB.getRegionManager();
1347	Loc SelfLoc = SVB.makeLoc(MRMgr.getVarRegion(SelfD, CalleeCtx));
1348	Bindings.push_back(std::make_pair(SelfLoc, SelfVal));
1349	}
1350	}
1351
1352	CallEventRef<>
1353	CallEventManager::getSimpleCall(const CallExpr *CE, ProgramStateRef State,
1354	const LocationContext *LCtx) {
1355	if (const auto *MCE = dyn_cast<CXXMemberCallExpr>(CE))
1356	return create<CXXMemberCall>(MCE, State, LCtx);
1357
1358	if (const auto *OpCE = dyn_cast<CXXOperatorCallExpr>(CE)) {
1359	const FunctionDecl *DirectCallee = OpCE->getDirectCallee();
1360	if (const auto *MD = dyn_cast<CXXMethodDecl>(DirectCallee))
1361	if (MD->isInstance())
1362	return create<CXXMemberOperatorCall>(OpCE, State, LCtx);
1363
1364	} else if (CE->getCallee()->getType()->isBlockPointerType()) {
1365	return create<BlockCall>(CE, State, LCtx);
1366	}
1367
1368	// Otherwise, it's a normal function call, static member function call, or
1369	// something we can't reason about.
1370	return create<SimpleFunctionCall>(CE, State, LCtx);
1371	}
1372
1373	CallEventRef<>
1374	CallEventManager::getCaller(const StackFrameContext *CalleeCtx,
1375	ProgramStateRef State) {
1376	const LocationContext *ParentCtx = CalleeCtx->getParent();
1377	const LocationContext *CallerCtx = ParentCtx->getStackFrame();
1378	(0) . __assert_fail ("CallerCtx && \"This should not be used for top-level stack frames\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 1378, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(CallerCtx && "This should not be used for top-level stack frames");
1379
1380	const Stmt *CallSite = CalleeCtx->getCallSite();
1381
1382	if (CallSite) {
1383	if (CallEventRef<> Out = getCall(CallSite, State, CallerCtx))
1384	return Out;
1385
1386	// All other cases are handled by getCall.
1387	(0) . __assert_fail ("isa(CallSite) && \"This is not an inlineable statement\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 1388, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(isa<CXXConstructExpr>(CallSite) &&
1388	(0) . __assert_fail ("isa(CallSite) && \"This is not an inlineable statement\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 1388, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true"> "This is not an inlineable statement");
1389
1390	SValBuilder &SVB = State->getStateManager().getSValBuilder();
1391	const auto *Ctor = cast<CXXMethodDecl>(CalleeCtx->getDecl());
1392	Loc ThisPtr = SVB.getCXXThis(Ctor, CalleeCtx);
1393	SVal ThisVal = State->getSVal(ThisPtr);
1394
1395	return getCXXConstructorCall(cast<CXXConstructExpr>(CallSite),
1396	ThisVal.getAsRegion(), State, CallerCtx);
1397	}
1398
1399	// Fall back to the CFG. The only thing we haven't handled yet is
1400	// destructors, though this could change in the future.
1401	const CFGBlock *B = CalleeCtx->getCallSiteBlock();
1402	CFGElement E = (*B)[CalleeCtx->getIndex()];
1403	(0) . __assert_fail ("(E.getAs() \|\| E.getAs()) && \"All other CFG elements should have exprs\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 1404, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert((E.getAs<CFGImplicitDtor>() \|\| E.getAs<CFGTemporaryDtor>()) &&
1404	(0) . __assert_fail ("(E.getAs() \|\| E.getAs()) && \"All other CFG elements should have exprs\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Core/CallEvent.cpp", 1404, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true"> "All other CFG elements should have exprs");
1405
1406	SValBuilder &SVB = State->getStateManager().getSValBuilder();
1407	const auto *Dtor = cast<CXXDestructorDecl>(CalleeCtx->getDecl());
1408	Loc ThisPtr = SVB.getCXXThis(Dtor, CalleeCtx);
1409	SVal ThisVal = State->getSVal(ThisPtr);
1410
1411	const Stmt *Trigger;
1412	if (Optional<CFGAutomaticObjDtor> AutoDtor = E.getAs<CFGAutomaticObjDtor>())
1413	Trigger = AutoDtor->getTriggerStmt();
1414	else if (Optional<CFGDeleteDtor> DeleteDtor = E.getAs<CFGDeleteDtor>())
1415	Trigger = DeleteDtor->getDeleteExpr();
1416	else
1417	Trigger = Dtor->getBody();
1418
1419	return getCXXDestructorCall(Dtor, Trigger, ThisVal.getAsRegion(),
1420	E.getAs<CFGBaseDtor>().hasValue(), State,
1421	CallerCtx);
1422	}
1423
1424	CallEventRef<> CallEventManager::getCall(const Stmt *S, ProgramStateRef State,
1425	const LocationContext *LC) {
1426	if (const auto *CE = dyn_cast<CallExpr>(S)) {
1427	return getSimpleCall(CE, State, LC);
1428	} else if (const auto *NE = dyn_cast<CXXNewExpr>(S)) {
1429	return getCXXAllocatorCall(NE, State, LC);
1430	} else if (const auto *ME = dyn_cast<ObjCMessageExpr>(S)) {
1431	return getObjCMethodCall(ME, State, LC);
1432	} else {
1433	return nullptr;
1434	}
1435	}
1436

clang::ento::CallEvent::getResultType

clang::ento::CallEvent::hasNonNullArgumentsWithType

clang::ento::CallEvent::hasNonZeroCallbackArg

clang::ento::CallEvent::hasVoidPointerToNonConstArg

clang::ento::CallEvent::isGlobalCFunction

clang::ento::CallEvent::getCalleeAnalysisDeclContext

clang::ento::CallEvent::getCalleeStackFrame

clang::ento::CallEvent::getParameterLocation

clang::ento::ObjCMethodCall::getContainingPseudoObjectExpr

clang::ento::ObjCMethodCall::getMessageKind

clang::ento::ObjCMethodCall::getAccessedProperty

clang::ento::ObjCMethodCall::canBeOverridenInSubclass

clang::ento::ObjCMethodCall::getRuntimeDefinition

clang::ento::ObjCMethodCall::argumentsMayEscape

clang::ento::ObjCMethodCall::getInitialStackFrameContents

clang::ento::CallEventManager::getSimpleCall

clang::ento::CallEventManager::getCaller

clang::ento::CallEventManager::getCall

Clang Project