[cfe-commits] r148036 - in /cfe/trunk: include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h include/clang/StaticAnalyzer/Core/PathSensitive/Store.h lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp lib/StaticAnalyzer/Core/ProgramState.cpp lib/StaticAnalyzer/Core/RegionStore.cpp lib/StaticAnalyzer/Core/Store.cpp test/Analysis/inline.c
Ted Kremenek
kremenek at apple.com
Thu Jan 12 11:25:47 PST 2012
Author: kremenek
Date: Thu Jan 12 13:25:46 2012
New Revision: 148036
URL: http://llvm.org/viewvc/llvm-project?rev=148036&view=rev
Log:
[analyzer] fix inlining's handling of mapping actual to formal arguments and limit the call stack depth. The analyzer can now accurately simulate factorial for limited depths.
Modified:
cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h
cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp
cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp
cfe/trunk/lib/StaticAnalyzer/Core/Store.cpp
cfe/trunk/test/Analysis/inline.c
Modified: cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h?rev=148036&r1=148035&r2=148036&view=diff
==============================================================================
--- cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h (original)
+++ cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h Thu Jan 12 13:25:46 2012
@@ -227,7 +227,8 @@
/// enterStackFrame - Returns the state for entry to the given stack frame,
/// preserving the current state.
- const ProgramState *enterStackFrame(const StackFrameContext *frame) const;
+ const ProgramState *enterStackFrame(const LocationContext *callerCtx,
+ const StackFrameContext *calleeCtx) const;
/// Get the lvalue for a variable reference.
Loc getLValue(const VarDecl *D, const LocationContext *LC) const;
Modified: cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h?rev=148036&r1=148035&r2=148036&view=diff
==============================================================================
--- cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h (original)
+++ cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h Thu Jan 12 13:25:46 2012
@@ -197,7 +197,8 @@
/// enterStackFrame - Let the StoreManager to do something when execution
/// engine is about to execute into a callee.
virtual StoreRef enterStackFrame(const ProgramState *state,
- const StackFrameContext *frame);
+ const LocationContext *callerCtx,
+ const StackFrameContext *calleeCtx);
virtual void print(Store store, raw_ostream &Out,
const char* nl, const char *sep) = 0;
Modified: cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp?rev=148036&r1=148035&r2=148036&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp Thu Jan 12 13:25:46 2012
@@ -22,8 +22,8 @@
void ExprEngine::processCallEnter(CallEnter CE, ExplodedNode *Pred) {
// Get the entry block in the CFG of the callee.
- const StackFrameContext *SFC = CE.getCalleeContext();
- const CFG *CalleeCFG = SFC->getCFG();
+ const StackFrameContext *calleeCtx = CE.getCalleeContext();
+ const CFG *CalleeCFG = calleeCtx->getCFG();
const CFGBlock *Entry = &(CalleeCFG->getEntry());
// Validate the CFG.
@@ -34,11 +34,13 @@
const CFGBlock *Succ = *(Entry->succ_begin());
// Construct an edge representing the starting location in the callee.
- BlockEdge Loc(Entry, Succ, SFC);
+ BlockEdge Loc(Entry, Succ, calleeCtx);
// Construct a new state which contains the mapping from actual to
// formal arguments.
- const ProgramState *state = Pred->getState()->enterStackFrame(SFC);
+ const LocationContext *callerCtx = Pred->getLocationContext();
+ const ProgramState *state = Pred->getState()->enterStackFrame(callerCtx,
+ calleeCtx);
// Construct a new node and add it to the worklist.
bool isNew;
@@ -115,6 +117,16 @@
}
}
+static unsigned getNumberStackFrames(const LocationContext *LCtx) {
+ unsigned count = 0;
+ while (LCtx) {
+ if (isa<StackFrameContext>(LCtx))
+ ++count;
+ LCtx = LCtx->getParent();
+ }
+ return count;
+}
+
bool ExprEngine::InlineCall(ExplodedNodeSet &Dst,
const CallExpr *CE,
ExplodedNode *Pred) {
@@ -130,6 +142,11 @@
// FIXME: Handle C++.
break;
case Stmt::CallExprClass: {
+ // Cap the stack depth at 4 calls (5 stack frames, base + 4 calls).
+ // These heuristics are a WIP.
+ if (getNumberStackFrames(Pred->getLocationContext()) == 5)
+ return false;
+
// Construct a new stack frame for the callee.
AnalysisDeclContext *CalleeADC = AMgr.getAnalysisDeclContext(FD);
const StackFrameContext *CallerSFC =
Modified: cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp?rev=148036&r1=148035&r2=148036&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp Thu Jan 12 13:25:46 2012
@@ -180,9 +180,11 @@
return makeWithStore(newStore);
}
-const ProgramState *ProgramState::enterStackFrame(const StackFrameContext *frame) const {
+const ProgramState *
+ProgramState::enterStackFrame(const LocationContext *callerCtx,
+ const StackFrameContext *calleeCtx) const {
const StoreRef &new_store =
- getStateManager().StoreMgr->enterStackFrame(this, frame);
+ getStateManager().StoreMgr->enterStackFrame(this, callerCtx, calleeCtx);
return makeWithStore(new_store);
}
Modified: cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp?rev=148036&r1=148035&r2=148036&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp Thu Jan 12 13:25:46 2012
@@ -380,7 +380,8 @@
SymbolReaper& SymReaper);
StoreRef enterStackFrame(const ProgramState *state,
- const StackFrameContext *frame);
+ const LocationContext *callerCtx,
+ const StackFrameContext *calleeCtx);
//===------------------------------------------------------------------===//
// Region "extents".
@@ -1855,36 +1856,40 @@
StoreRef RegionStoreManager::enterStackFrame(const ProgramState *state,
- const StackFrameContext *frame) {
- FunctionDecl const *FD = cast<FunctionDecl>(frame->getDecl());
+ const LocationContext *callerCtx,
+ const StackFrameContext *calleeCtx)
+{
+ FunctionDecl const *FD = cast<FunctionDecl>(calleeCtx->getDecl());
FunctionDecl::param_const_iterator PI = FD->param_begin(),
PE = FD->param_end();
StoreRef store = StoreRef(state->getStore(), *this);
- if (CallExpr const *CE = dyn_cast<CallExpr>(frame->getCallSite())) {
+ if (CallExpr const *CE = dyn_cast<CallExpr>(calleeCtx->getCallSite())) {
CallExpr::const_arg_iterator AI = CE->arg_begin(), AE = CE->arg_end();
// Copy the arg expression value to the arg variables. We check that
// PI != PE because the actual number of arguments may be different than
// the function declaration.
for (; AI != AE && PI != PE; ++AI, ++PI) {
- SVal ArgVal = state->getSVal(*AI, frame);
+ SVal ArgVal = state->getSVal(*AI, callerCtx);
store = Bind(store.getStore(),
- svalBuilder.makeLoc(MRMgr.getVarRegion(*PI, frame)), ArgVal);
+ svalBuilder.makeLoc(MRMgr.getVarRegion(*PI, calleeCtx)),
+ ArgVal);
}
} else if (const CXXConstructExpr *CE =
- dyn_cast<CXXConstructExpr>(frame->getCallSite())) {
+ dyn_cast<CXXConstructExpr>(calleeCtx->getCallSite())) {
CXXConstructExpr::const_arg_iterator AI = CE->arg_begin(),
AE = CE->arg_end();
// Copy the arg expression value to the arg variables.
for (; AI != AE; ++AI, ++PI) {
- SVal ArgVal = state->getSVal(*AI, frame);
+ SVal ArgVal = state->getSVal(*AI, callerCtx);
store = Bind(store.getStore(),
- svalBuilder.makeLoc(MRMgr.getVarRegion(*PI,frame)), ArgVal);
+ svalBuilder.makeLoc(MRMgr.getVarRegion(*PI, calleeCtx)),
+ ArgVal);
}
} else
- assert(isa<CXXDestructorDecl>(frame->getDecl()));
+ assert(isa<CXXDestructorDecl>(calleeCtx->getDecl()));
return store;
}
Modified: cfe/trunk/lib/StaticAnalyzer/Core/Store.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/Store.cpp?rev=148036&r1=148035&r2=148036&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/Store.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/Store.cpp Thu Jan 12 13:25:46 2012
@@ -23,7 +23,8 @@
MRMgr(svalBuilder.getRegionManager()), Ctx(stateMgr.getContext()) {}
StoreRef StoreManager::enterStackFrame(const ProgramState *state,
- const StackFrameContext *frame) {
+ const LocationContext *callerCtx,
+ const StackFrameContext *calleeCtx) {
return StoreRef(state->getStore(), *this);
}
Modified: cfe/trunk/test/Analysis/inline.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/inline.c?rev=148036&r1=148035&r2=148036&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/inline.c (original)
+++ cfe/trunk/test/Analysis/inline.c Thu Jan 12 13:25:46 2012
@@ -28,3 +28,33 @@
test2_f1(test2_f2()); // expected-warning{{too many arguments in call to 'test2_f1'}}
}
+// Test that inlining works with recursive functions.
+
+unsigned factorial(unsigned x) {
+ if (x <= 1)
+ return 1;
+ return x * factorial(x - 1);
+}
+
+void test_factorial() {
+ if (factorial(3) == 6) {
+ int *p = 0;
+ *p = 0xDEADBEEF; // expected-warning {{null}}
+ }
+ else {
+ int *p = 0;
+ *p = 0xDEADBEEF; // no-warning
+ }
+}
+
+void test_factorial_2() {
+ unsigned x = factorial(3);
+ if (x == factorial(3)) {
+ int *p = 0;
+ *p = 0xDEADBEEF; // expected-warning {{null}}
+ }
+ else {
+ int *p = 0;
+ *p = 0xDEADBEEF; // no-warning
+ }
+}
More information about the cfe-commits
mailing list