[clang] [Clang][analyzer] replace Stmt* with ConstCFGElementRef in SymbolConjured (PR #128251)
Fangyi Zhou via cfe-commits
cfe-commits at lists.llvm.org
Fri Feb 28 18:45:00 PST 2025
https://github.com/fangyi-zhou updated https://github.com/llvm/llvm-project/pull/128251
>From 2716967e80342c9bd1d918b72b568f27d56db3eb Mon Sep 17 00:00:00 2001
From: Fangyi Zhou <me at fangyi.io>
Date: Fri, 21 Feb 2025 20:54:08 +0000
Subject: [PATCH] [Clang][analyzer] replace Stmt* with ConstCFGElementRef in
SymbolConjured
Closes #57270.
This PR changes the `Stmt *` field in `SymbolConjured` with
`CFGBlock::ConstCFGElementRef`. The motivation is that, when conjuring a
symbol, there might not always be a statement available, causing
information to be lost for conjured symbols, whereas the CFGElementRef
can always be provided at the callsite.
Following the idea, this PR changes callsites of functions to create
conjured symbols, and replaces them with appropriate `CFGElementRef`s.
---
clang/include/clang/Analysis/CFG.h | 15 +++
.../StaticAnalyzer/Checkers/SValExplainer.h | 16 ++-
.../Core/PathSensitive/CheckerContext.h | 4 +
.../Core/PathSensitive/LoopWidening.h | 3 +-
.../Core/PathSensitive/ProgramState.h | 14 +-
.../Core/PathSensitive/SValBuilder.h | 59 ++++-----
.../StaticAnalyzer/Core/PathSensitive/Store.h | 11 +-
.../Core/PathSensitive/SymbolManager.h | 46 +++----
.../Checkers/CStringChecker.cpp | 123 ++++++++++--------
.../Checkers/ContainerModeling.cpp | 70 +++++-----
.../StaticAnalyzer/Checkers/ErrnoModeling.cpp | 11 +-
.../StaticAnalyzer/Checkers/ErrnoModeling.h | 7 +-
.../Checkers/ErrnoTesterChecker.cpp | 2 +-
.../lib/StaticAnalyzer/Checkers/Iterator.cpp | 11 +-
clang/lib/StaticAnalyzer/Checkers/Iterator.h | 9 +-
.../Checkers/IteratorModeling.cpp | 111 +++++++++-------
.../StaticAnalyzer/Checkers/MallocChecker.cpp | 8 +-
.../RetainCountChecker/RetainCountChecker.cpp | 4 +-
.../Checkers/STLAlgorithmModeling.cpp | 32 +++--
.../Checkers/SmartPtrModeling.cpp | 30 +++--
.../Checkers/StdLibraryFunctionsChecker.cpp | 7 +-
.../StaticAnalyzer/Checkers/StreamChecker.cpp | 46 ++++---
.../Checkers/cert/InvalidPtrChecker.cpp | 2 +-
clang/lib/StaticAnalyzer/Core/CallEvent.cpp | 2 +-
clang/lib/StaticAnalyzer/Core/ExprEngine.cpp | 39 +++---
clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp | 53 ++++----
.../lib/StaticAnalyzer/Core/ExprEngineCXX.cpp | 11 +-
.../Core/ExprEngineCallAndReturn.cpp | 9 +-
.../StaticAnalyzer/Core/ExprEngineObjC.cpp | 16 ++-
.../lib/StaticAnalyzer/Core/LoopWidening.cpp | 34 ++---
.../lib/StaticAnalyzer/Core/ProgramState.cpp | 14 +-
clang/lib/StaticAnalyzer/Core/RegionStore.cpp | 61 +++++----
clang/lib/StaticAnalyzer/Core/SValBuilder.cpp | 51 ++++----
.../lib/StaticAnalyzer/Core/SymbolManager.cpp | 8 +-
clang/test/Analysis/class-object-state-dump.m | 4 +-
clang/test/Analysis/container-modeling.cpp | 8 +-
clang/test/Analysis/ctor-trivial-copy.cpp | 4 +-
clang/test/Analysis/dump_egraph.cpp | 5 +-
clang/test/Analysis/explain-svals.cpp | 6 +-
.../exploded-graph-rewriter/dynamic_types.cpp | 2 +-
clang/test/Analysis/iterator-modeling.cpp | 8 +-
clang/test/Analysis/malloc.c | 4 +-
clang/test/Analysis/trivial-copy-struct.cpp | 2 +-
43 files changed, 523 insertions(+), 459 deletions(-)
diff --git a/clang/include/clang/Analysis/CFG.h b/clang/include/clang/Analysis/CFG.h
index a7ff38c786a8f..38c46e1285459 100644
--- a/clang/include/clang/Analysis/CFG.h
+++ b/clang/include/clang/Analysis/CFG.h
@@ -695,6 +695,21 @@ class CFGBlock {
void dump() const {
dumpToStream(llvm::errs());
}
+
+ void Profile(llvm::FoldingSetNodeID &ID) const {
+ ID.AddPointer(Parent);
+ ID.AddInteger(Index);
+ }
+
+ int64_t getID() const {
+ if (Parent == nullptr || Parent->getParent() == nullptr) {
+ return 0;
+ }
+ return Parent->getParent()
+ ->getAllocator()
+ .template identifyKnownAlignedObject<CFGElement>(
+ &*(Parent->begin() + Index));
+ }
};
template <bool IsReverse, bool IsConst> class ElementRefIterator {
diff --git a/clang/include/clang/StaticAnalyzer/Checkers/SValExplainer.h b/clang/include/clang/StaticAnalyzer/Checkers/SValExplainer.h
index 519d2d5b3676b..7cf0c76a6e96e 100644
--- a/clang/include/clang/StaticAnalyzer/Checkers/SValExplainer.h
+++ b/clang/include/clang/StaticAnalyzer/Checkers/SValExplainer.h
@@ -19,6 +19,9 @@
#include "clang/AST/DeclCXX.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValVisitor.h"
#include "llvm/ADT/StringExtras.h"
+#include "llvm/ADT/StringRef.h"
+#include "llvm/Support/raw_ostream.h"
+#include <cctype>
namespace clang {
@@ -29,6 +32,16 @@ class SValExplainer : public FullSValVisitor<SValExplainer, std::string> {
ASTContext &ACtx;
ProgramStateRef State;
+ std::string printCFGElementRef(const CFGBlock::ConstCFGElementRef ElemRef) {
+ std::string Str;
+ llvm::raw_string_ostream OS(Str);
+ ElemRef->dumpToStream(OS);
+ // HACK: `CFGBlock::ConstCFGElementRef::dumpToStream` contains a new line
+ // character in the end of the string, we don't want it so we remove it here.
+ llvm::StringRef StrRef(Str);
+ return StrRef.rtrim().str();
+ }
+
std::string printStmt(const Stmt *S) {
std::string Str;
llvm::raw_string_ostream OS(Str);
@@ -114,7 +127,8 @@ class SValExplainer : public FullSValVisitor<SValExplainer, std::string> {
std::string VisitSymbolConjured(const SymbolConjured *S) {
return "symbol of type '" + S->getType().getAsString() +
- "' conjured at statement '" + printStmt(S->getStmt()) + "'";
+ "' conjured at statement '" +
+ printCFGElementRef(S->getCFGElementRef()) + "'";
}
std::string VisitSymbolDerived(const SymbolDerived *S) {
diff --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
index 168983fd5cb68..c9b3096b28672 100644
--- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
+++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
@@ -151,6 +151,10 @@ class CheckerContext {
return Pred->getSVal(S);
}
+ CFGBlock::ConstCFGElementRef getCFGElementRef() const {
+ return Eng.getCFGElementRef();
+ }
+
/// Returns true if the value of \p E is greater than or equal to \p
/// Val under unsigned comparison
bool isGreaterOrEqual(const Expr *E, unsigned long long Val);
diff --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/LoopWidening.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/LoopWidening.h
index e75228f92a8e5..e82bbcb2b73f2 100644
--- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/LoopWidening.h
+++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/LoopWidening.h
@@ -27,7 +27,8 @@ namespace ento {
/// by the loop body in any iteration.
ProgramStateRef getWidenedLoopState(ProgramStateRef PrevState,
const LocationContext *LCtx,
- unsigned BlockCount, const Stmt *LoopStmt);
+ unsigned BlockCount,
+ const CFGBlock::ConstCFGElementRef ElemRef);
} // end namespace ento
} // end namespace clang
diff --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
index 208b32e376883..e273c75ac0296 100644
--- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
+++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
@@ -13,6 +13,7 @@
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_PROGRAMSTATE_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_PROGRAMSTATE_H
+#include "clang/Analysis/CFG.h"
#include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h"
@@ -314,7 +315,8 @@ class ProgramState : public llvm::FoldingSetNode {
/// be triggered by this event.
///
/// \param Regions the set of regions to be invalidated.
- /// \param E the expression that caused the invalidation.
+ /// \param ElemRef \p CFGBlock::ConstCFGElementRef that caused the
+ /// invalidation.
/// \param BlockCount The number of times the current basic block has been
/// visited.
/// \param CausesPointerEscape the flag is set to true when the invalidation
@@ -326,16 +328,18 @@ class ProgramState : public llvm::FoldingSetNode {
/// \param ITraits information about special handling for particular regions
/// or symbols.
[[nodiscard]] ProgramStateRef
- invalidateRegions(ArrayRef<const MemRegion *> Regions, const Stmt *S,
+ invalidateRegions(ArrayRef<const MemRegion *> Regions,
+ const CFGBlock::ConstCFGElementRef ElemRef,
unsigned BlockCount, const LocationContext *LCtx,
bool CausesPointerEscape, InvalidatedSymbols *IS = nullptr,
const CallEvent *Call = nullptr,
RegionAndSymbolInvalidationTraits *ITraits = nullptr) const;
[[nodiscard]] ProgramStateRef
- invalidateRegions(ArrayRef<SVal> Values, const Stmt *S, unsigned BlockCount,
- const LocationContext *LCtx, bool CausesPointerEscape,
- InvalidatedSymbols *IS = nullptr,
+ invalidateRegions(ArrayRef<SVal> Values,
+ const CFGBlock::ConstCFGElementRef ElemRef,
+ unsigned BlockCount, const LocationContext *LCtx,
+ bool CausesPointerEscape, InvalidatedSymbols *IS = nullptr,
const CallEvent *Call = nullptr,
RegionAndSymbolInvalidationTraits *ITraits = nullptr) const;
diff --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h
index 54430d426a82a..dd10c2bbaa605 100644
--- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h
+++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h
@@ -19,6 +19,7 @@
#include "clang/AST/Expr.h"
#include "clang/AST/ExprObjC.h"
#include "clang/AST/Type.h"
+#include "clang/Analysis/CFG.h"
#include "clang/Basic/LLVM.h"
#include "clang/Basic/LangOptions.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/BasicValueFactory.h"
@@ -171,19 +172,11 @@ class SValBuilder {
// Forwarding methods to SymbolManager.
- const SymbolConjured* conjureSymbol(const Stmt *stmt,
- const LocationContext *LCtx,
- QualType type,
- unsigned visitCount,
- const void *symbolTag = nullptr) {
- return SymMgr.conjureSymbol(stmt, LCtx, type, visitCount, symbolTag);
- }
-
- const SymbolConjured* conjureSymbol(const Expr *expr,
- const LocationContext *LCtx,
- unsigned visitCount,
- const void *symbolTag = nullptr) {
- return SymMgr.conjureSymbol(expr, LCtx, visitCount, symbolTag);
+ const SymbolConjured *
+ conjureSymbol(const CFGBlock::ConstCFGElementRef ElemRef,
+ const LocationContext *LCtx, QualType type, unsigned visitCount,
+ const void *symbolTag = nullptr) {
+ return SymMgr.conjureSymbol(ElemRef, LCtx, type, visitCount, symbolTag);
}
/// Construct an SVal representing '0' for the specified type.
@@ -198,32 +191,24 @@ class SValBuilder {
/// The advantage of symbols derived/built from other symbols is that we
/// preserve the relation between related(or even equivalent) expressions, so
/// conjured symbols should be used sparingly.
- DefinedOrUnknownSVal conjureSymbolVal(const void *symbolTag,
- const Expr *expr,
- const LocationContext *LCtx,
- unsigned count);
- DefinedOrUnknownSVal conjureSymbolVal(const void *symbolTag, const Stmt *S,
- const LocationContext *LCtx,
- QualType type, unsigned count);
- DefinedOrUnknownSVal conjureSymbolVal(const Stmt *stmt,
- const LocationContext *LCtx,
- QualType type,
- unsigned visitCount);
+ DefinedOrUnknownSVal
+ conjureSymbolVal(const void *symbolTag,
+ const CFGBlock::ConstCFGElementRef elemRef,
+ const LocationContext *LCtx, unsigned count);
+ DefinedOrUnknownSVal
+ conjureSymbolVal(const void *symbolTag,
+ const CFGBlock::ConstCFGElementRef elemRef,
+ const LocationContext *LCtx, QualType type, unsigned count);
+ DefinedOrUnknownSVal
+ conjureSymbolVal(const CFGBlock::ConstCFGElementRef elemRef,
+ const LocationContext *LCtx, QualType type,
+ unsigned visitCount);
/// Conjure a symbol representing heap allocated memory region.
- ///
- /// Note, the expression should represent a location.
- DefinedSVal getConjuredHeapSymbolVal(const Expr *E,
- const LocationContext *LCtx,
- unsigned Count);
-
- /// Conjure a symbol representing heap allocated memory region.
- ///
- /// Note, now, the expression *doesn't* need to represent a location.
- /// But the type need to!
- DefinedSVal getConjuredHeapSymbolVal(const Expr *E,
- const LocationContext *LCtx,
- QualType type, unsigned Count);
+ DefinedSVal
+ getConjuredHeapSymbolVal(const CFGBlock::ConstCFGElementRef elemRef,
+ const LocationContext *LCtx, QualType type,
+ unsigned Count);
/// Create an SVal representing the result of an alloca()-like call, that is,
/// an AllocaRegion on the stack.
diff --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h
index cf7623c7be409..ede866b487196 100644
--- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h
+++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h
@@ -14,13 +14,14 @@
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_STORE_H
#include "clang/AST/Type.h"
+#include "clang/Analysis/CFG.h"
+#include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/StoreRef.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
-#include "clang/Basic/LLVM.h"
#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/DenseSet.h"
#include "llvm/ADT/SmallVector.h"
@@ -223,8 +224,9 @@ class StoreManager {
///
/// \param[in] store The initial store.
/// \param[in] Values The values to invalidate.
- /// \param[in] S The current statement being evaluated. Used to conjure
- /// symbols to mark the values of invalidated regions.
+ /// \param[in] ElemRef The current \p CFGBlock::ConstCFGElementRef being
+ /// evaluated. Used to conjure symbols to mark the values of invalidated
+ /// regions.
/// \param[in] Count The current block count. Used to conjure
/// symbols to mark the values of invalidated regions.
/// \param[in] Call The call expression which will be used to determine which
@@ -241,7 +243,8 @@ class StoreManager {
/// even if they do not currently have bindings. Pass \c NULL if this
/// information will not be used.
virtual StoreRef invalidateRegions(
- Store store, ArrayRef<SVal> Values, const Stmt *S, unsigned Count,
+ Store store, ArrayRef<SVal> Values,
+ const CFGBlock::ConstCFGElementRef ElemRef, unsigned Count,
const LocationContext *LCtx, const CallEvent *Call,
InvalidatedSymbols &IS, RegionAndSymbolInvalidationTraits &ITraits,
InvalidatedRegions *TopLevelRegions, InvalidatedRegions *Invalidated) = 0;
diff --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
index cbbea1b56bb40..6184187ccc4d8 100644
--- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
+++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
@@ -17,6 +17,7 @@
#include "clang/AST/Expr.h"
#include "clang/AST/Type.h"
#include "clang/Analysis/AnalysisDeclContext.h"
+#include "clang/Analysis/CFG.h"
#include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/APSIntPtr.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
@@ -80,29 +81,27 @@ class SymbolRegionValue : public SymbolData {
/// A symbol representing the result of an expression in the case when we do
/// not know anything about what the expression is.
class SymbolConjured : public SymbolData {
- const Stmt *S;
+ const CFGBlock::ConstCFGElementRef ElemRef;
QualType T;
unsigned Count;
const LocationContext *LCtx;
const void *SymbolTag;
friend class SymExprAllocator;
- SymbolConjured(SymbolID sym, const Stmt *s, const LocationContext *lctx,
- QualType t, unsigned count, const void *symbolTag)
- : SymbolData(SymbolConjuredKind, sym), S(s), T(t), Count(count),
- LCtx(lctx), SymbolTag(symbolTag) {
- // FIXME: 's' might be a nullptr if we're conducting invalidation
- // that was caused by a destructor call on a temporary object,
- // which has no statement associated with it.
- // Due to this, we might be creating the same invalidation symbol for
- // two different invalidation passes (for two different temporaries).
+ SymbolConjured(SymbolID sym, CFGBlock::ConstCFGElementRef elemRef,
+ const LocationContext *lctx, QualType t, unsigned count,
+ const void *symbolTag)
+ : SymbolData(SymbolConjuredKind, sym), ElemRef(elemRef), T(t),
+ Count(count), LCtx(lctx), SymbolTag(symbolTag) {
assert(lctx);
assert(isValidTypeForSymbol(t));
}
public:
- /// It might return null.
- const Stmt *getStmt() const { return S; }
+ const CFGBlock::ConstCFGElementRef getCFGElementRef() const {
+ return ElemRef;
+ }
+
unsigned getCount() const { return Count; }
/// It might return null.
const void *getTag() const { return SymbolTag; }
@@ -113,11 +112,12 @@ class SymbolConjured : public SymbolData {
void dumpToStream(raw_ostream &os) const override;
- static void Profile(llvm::FoldingSetNodeID &profile, const Stmt *S,
+ static void Profile(llvm::FoldingSetNodeID &profile,
+ const CFGBlock::ConstCFGElementRef ElemRef,
const LocationContext *LCtx, QualType T, unsigned Count,
const void *SymbolTag) {
profile.AddInteger((unsigned)SymbolConjuredKind);
- profile.AddPointer(S);
+ profile.Add(ElemRef);
profile.AddPointer(LCtx);
profile.Add(T);
profile.AddInteger(Count);
@@ -125,7 +125,7 @@ class SymbolConjured : public SymbolData {
}
void Profile(llvm::FoldingSetNodeID& profile) override {
- Profile(profile, S, LCtx, T, Count, SymbolTag);
+ Profile(profile, ElemRef, LCtx, T, Count, SymbolTag);
}
// Implement isa<T> support.
@@ -533,18 +533,12 @@ class SymbolManager {
template <typename SymExprT, typename... Args>
const SymExprT *acquire(Args &&...args);
- const SymbolConjured *conjureSymbol(const Stmt *E,
- const LocationContext *LCtx, QualType T,
- unsigned VisitCount,
- const void *SymbolTag = nullptr) {
- return acquire<SymbolConjured>(E, LCtx, T, VisitCount, SymbolTag);
- }
+ const SymbolConjured *
+ conjureSymbol(const CFGBlock::ConstCFGElementRef ElemRef,
+ const LocationContext *LCtx, QualType T, unsigned VisitCount,
+ const void *SymbolTag = nullptr) {
- const SymbolConjured* conjureSymbol(const Expr *E,
- const LocationContext *LCtx,
- unsigned VisitCount,
- const void *SymbolTag = nullptr) {
- return conjureSymbol(E, LCtx, E->getType(), VisitCount, SymbolTag);
+ return acquire<SymbolConjured>(ElemRef, LCtx, T, VisitCount, SymbolTag);
}
QualType getType(const SymExpr *SE) const {
diff --git a/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
index 39dcaf02dbe25..a0c7008bdb689 100644
--- a/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
@@ -13,6 +13,7 @@
#include "InterCheckerAPI.h"
#include "clang/AST/OperationKinds.h"
+#include "clang/Analysis/CFG.h"
#include "clang/Basic/Builtins.h"
#include "clang/Basic/CharInfo.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
@@ -273,28 +274,32 @@ class CStringChecker : public Checker< eval::Call,
/// Invalidate the destination buffer determined by characters copied.
static ProgramStateRef
invalidateDestinationBufferBySize(CheckerContext &C, ProgramStateRef S,
- const Expr *BufE, SVal BufV, SVal SizeV,
- QualType SizeTy);
+ const Expr *BufE,
+ const CFGBlock::ConstCFGElementRef ElemRef,
+ SVal BufV, SVal SizeV, QualType SizeTy);
/// Operation never overflows, do not invalidate the super region.
static ProgramStateRef invalidateDestinationBufferNeverOverflows(
- CheckerContext &C, ProgramStateRef S, const Expr *BufE, SVal BufV);
+ CheckerContext &C, ProgramStateRef S,
+ const CFGBlock::ConstCFGElementRef ElemRef, SVal BufV);
/// We do not know whether the operation can overflow (e.g. size is unknown),
/// invalidate the super region and escape related pointers.
static ProgramStateRef invalidateDestinationBufferAlwaysEscapeSuperRegion(
- CheckerContext &C, ProgramStateRef S, const Expr *BufE, SVal BufV);
+ CheckerContext &C, ProgramStateRef S,
+ const CFGBlock::ConstCFGElementRef ElemRef, SVal BufV);
/// Invalidate the source buffer for escaping pointers.
- static ProgramStateRef invalidateSourceBuffer(CheckerContext &C,
- ProgramStateRef S,
- const Expr *BufE, SVal BufV);
+ static ProgramStateRef
+ invalidateSourceBuffer(CheckerContext &C, ProgramStateRef S,
+ const CFGBlock::ConstCFGElementRef ElemRef, SVal BufV);
/// @param InvalidationTraitOperations Determine how to invlidate the
/// MemRegion by setting the invalidation traits. Return true to cause pointer
/// escape, or false otherwise.
static ProgramStateRef invalidateBufferAux(
- CheckerContext &C, ProgramStateRef State, const Expr *Ex, SVal V,
+ CheckerContext &C, ProgramStateRef State,
+ const CFGBlock::ConstCFGElementRef ElemRef, SVal V,
llvm::function_ref<bool(RegionAndSymbolInvalidationTraits &,
const MemRegion *)>
InvalidationTraitOperations);
@@ -302,7 +307,8 @@ class CStringChecker : public Checker< eval::Call,
static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
const MemRegion *MR);
- static bool memsetAux(const Expr *DstBuffer, SVal CharE,
+ static bool memsetAux(const Expr *DstBuffer,
+ const CFGBlock::ConstCFGElementRef ElemRef, SVal CharE,
const Expr *Size, CheckerContext &C,
ProgramStateRef &State);
@@ -1211,8 +1217,9 @@ bool CStringChecker::isFirstBufInBound(CheckerContext &C, ProgramStateRef State,
}
ProgramStateRef CStringChecker::invalidateDestinationBufferBySize(
- CheckerContext &C, ProgramStateRef S, const Expr *BufE, SVal BufV,
- SVal SizeV, QualType SizeTy) {
+ CheckerContext &C, ProgramStateRef S, const Expr *BufE,
+ const CFGBlock::ConstCFGElementRef ElemRef, SVal BufV, SVal SizeV,
+ QualType SizeTy) {
auto InvalidationTraitOperations =
[&C, S, BufTy = BufE->getType(), BufV, SizeV,
SizeTy](RegionAndSymbolInvalidationTraits &ITraits, const MemRegion *R) {
@@ -1227,22 +1234,24 @@ ProgramStateRef CStringChecker::invalidateDestinationBufferBySize(
return false;
};
- return invalidateBufferAux(C, S, BufE, BufV, InvalidationTraitOperations);
+ return invalidateBufferAux(C, S, ElemRef, BufV, InvalidationTraitOperations);
}
ProgramStateRef
CStringChecker::invalidateDestinationBufferAlwaysEscapeSuperRegion(
- CheckerContext &C, ProgramStateRef S, const Expr *BufE, SVal BufV) {
+ CheckerContext &C, ProgramStateRef S,
+ const CFGBlock::ConstCFGElementRef ElemRef, SVal BufV) {
auto InvalidationTraitOperations = [](RegionAndSymbolInvalidationTraits &,
const MemRegion *R) {
return isa<FieldRegion>(R);
};
- return invalidateBufferAux(C, S, BufE, BufV, InvalidationTraitOperations);
+ return invalidateBufferAux(C, S, ElemRef, BufV, InvalidationTraitOperations);
}
ProgramStateRef CStringChecker::invalidateDestinationBufferNeverOverflows(
- CheckerContext &C, ProgramStateRef S, const Expr *BufE, SVal BufV) {
+ CheckerContext &C, ProgramStateRef S,
+ const CFGBlock::ConstCFGElementRef ElemRef, SVal BufV) {
auto InvalidationTraitOperations =
[](RegionAndSymbolInvalidationTraits &ITraits, const MemRegion *R) {
if (MemRegion::FieldRegionKind == R->getKind())
@@ -1252,13 +1261,12 @@ ProgramStateRef CStringChecker::invalidateDestinationBufferNeverOverflows(
return false;
};
- return invalidateBufferAux(C, S, BufE, BufV, InvalidationTraitOperations);
+ return invalidateBufferAux(C, S, ElemRef, BufV, InvalidationTraitOperations);
}
-ProgramStateRef CStringChecker::invalidateSourceBuffer(CheckerContext &C,
- ProgramStateRef S,
- const Expr *BufE,
- SVal BufV) {
+ProgramStateRef CStringChecker::invalidateSourceBuffer(
+ CheckerContext &C, ProgramStateRef S,
+ const CFGBlock::ConstCFGElementRef ElemRef, SVal BufV) {
auto InvalidationTraitOperations =
[](RegionAndSymbolInvalidationTraits &ITraits, const MemRegion *R) {
ITraits.setTrait(
@@ -1269,11 +1277,12 @@ ProgramStateRef CStringChecker::invalidateSourceBuffer(CheckerContext &C,
return true;
};
- return invalidateBufferAux(C, S, BufE, BufV, InvalidationTraitOperations);
+ return invalidateBufferAux(C, S, ElemRef, BufV, InvalidationTraitOperations);
}
ProgramStateRef CStringChecker::invalidateBufferAux(
- CheckerContext &C, ProgramStateRef State, const Expr *E, SVal V,
+ CheckerContext &C, ProgramStateRef State,
+ const CFGBlock::ConstCFGElementRef ElemRef, SVal V,
llvm::function_ref<bool(RegionAndSymbolInvalidationTraits &,
const MemRegion *)>
InvalidationTraitOperations) {
@@ -1299,7 +1308,7 @@ ProgramStateRef CStringChecker::invalidateBufferAux(
RegionAndSymbolInvalidationTraits ITraits;
bool CausesPointerEscape = InvalidationTraitOperations(ITraits, R);
- return State->invalidateRegions(R, E, C.blockCount(), LCtx,
+ return State->invalidateRegions(R, ElemRef, C.blockCount(), LCtx,
CausesPointerEscape, nullptr, nullptr,
&ITraits);
}
@@ -1349,9 +1358,10 @@ bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
}
}
-bool CStringChecker::memsetAux(const Expr *DstBuffer, SVal CharVal,
- const Expr *Size, CheckerContext &C,
- ProgramStateRef &State) {
+bool CStringChecker::memsetAux(const Expr *DstBuffer,
+ const CFGBlock::ConstCFGElementRef ElemRef,
+ SVal CharVal, const Expr *Size,
+ CheckerContext &C, ProgramStateRef &State) {
SVal MemVal = C.getSVal(DstBuffer);
SVal SizeVal = C.getSVal(Size);
const MemRegion *MR = MemVal.getAsRegion();
@@ -1404,8 +1414,8 @@ bool CStringChecker::memsetAux(const Expr *DstBuffer, SVal CharVal,
} else {
// If the destination buffer's extent is not equal to the value of
// third argument, just invalidate buffer.
- State = invalidateDestinationBufferBySize(C, State, DstBuffer, MemVal,
- SizeVal, Size->getType());
+ State = invalidateDestinationBufferBySize(
+ C, State, DstBuffer, ElemRef, MemVal, SizeVal, Size->getType());
}
if (StateNullChar && !StateNonNullChar) {
@@ -1430,8 +1440,8 @@ bool CStringChecker::memsetAux(const Expr *DstBuffer, SVal CharVal,
} else {
// If the offset is not zero and char value is not concrete, we can do
// nothing but invalidate the buffer.
- State = invalidateDestinationBufferBySize(C, State, DstBuffer, MemVal,
- SizeVal, Size->getType());
+ State = invalidateDestinationBufferBySize(C, State, DstBuffer, ElemRef,
+ MemVal, SizeVal, Size->getType());
}
return true;
}
@@ -1515,7 +1525,7 @@ void CStringChecker::evalCopyCommon(CheckerContext &C, const CallEvent &Call,
// conjure a return value for later.
if (lastElement.isUnknown())
lastElement = C.getSValBuilder().conjureSymbolVal(
- nullptr, Call.getOriginExpr(), LCtx, C.blockCount());
+ nullptr, Call.getCFGElementRef(), LCtx, C.blockCount());
// The byte after the last byte copied is the return value.
state = state->BindExpr(Call.getOriginExpr(), LCtx, lastElement);
@@ -1532,12 +1542,12 @@ void CStringChecker::evalCopyCommon(CheckerContext &C, const CallEvent &Call,
// This would probably remove any existing bindings past the end of the
// copied region, but that's still an improvement over blank invalidation.
state = invalidateDestinationBufferBySize(
- C, state, Dest.Expression, C.getSVal(Dest.Expression), sizeVal,
- Size.Expression->getType());
+ C, state, Dest.Expression, Call.getCFGElementRef(),
+ C.getSVal(Dest.Expression), sizeVal, Size.Expression->getType());
// Invalidate the source (const-invalidation without const-pointer-escaping
// the address of the top-level region).
- state = invalidateSourceBuffer(C, state, Source.Expression,
+ state = invalidateSourceBuffer(C, state, Call.getCFGElementRef(),
C.getSVal(Source.Expression));
C.addTransition(state);
@@ -1665,8 +1675,8 @@ void CStringChecker::evalMemcmp(CheckerContext &C, const CallEvent &Call,
State = CheckBufferAccess(C, State, Left, Size, AccessKind::read, CK);
if (State) {
// The return value is the comparison result, which we don't know.
- SVal CmpV = Builder.conjureSymbolVal(nullptr, Call.getOriginExpr(), LCtx,
- C.blockCount());
+ SVal CmpV = Builder.conjureSymbolVal(nullptr, Call.getCFGElementRef(),
+ LCtx, C.blockCount());
State = State->BindExpr(Call.getOriginExpr(), LCtx, CmpV);
C.addTransition(State);
}
@@ -1770,7 +1780,7 @@ void CStringChecker::evalstrLengthCommon(CheckerContext &C,
// All we know is the return value is the min of the string length
// and the limit. This is better than nothing.
result = C.getSValBuilder().conjureSymbolVal(
- nullptr, Call.getOriginExpr(), LCtx, C.blockCount());
+ nullptr, Call.getCFGElementRef(), LCtx, C.blockCount());
NonLoc resultNL = result.castAs<NonLoc>();
if (strLengthNL) {
@@ -1794,7 +1804,7 @@ void CStringChecker::evalstrLengthCommon(CheckerContext &C,
// value, so it can be used in constraints, at least.
if (result.isUnknown()) {
result = C.getSValBuilder().conjureSymbolVal(
- nullptr, Call.getOriginExpr(), LCtx, C.blockCount());
+ nullptr, Call.getCFGElementRef(), LCtx, C.blockCount());
}
}
@@ -2235,13 +2245,13 @@ void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallEvent &Call,
// can use LazyCompoundVals to copy the source values into the destination.
// This would probably remove any existing bindings past the end of the
// string, but that's still an improvement over blank invalidation.
- state = invalidateDestinationBufferBySize(C, state, Dst.Expression,
- *dstRegVal, amountCopied,
- C.getASTContext().getSizeType());
+ state = invalidateDestinationBufferBySize(
+ C, state, Dst.Expression, Call.getCFGElementRef(), *dstRegVal,
+ amountCopied, C.getASTContext().getSizeType());
// Invalidate the source (const-invalidation without const-pointer-escaping
// the address of the top-level region).
- state = invalidateSourceBuffer(C, state, srcExpr.Expression, srcVal);
+ state = invalidateSourceBuffer(C, state, Call.getCFGElementRef(), srcVal);
// Set the C string length of the destination, if we know it.
if (IsBounded && (appendK == ConcatFnKind::none)) {
@@ -2261,8 +2271,8 @@ void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallEvent &Call,
// If this is a stpcpy-style copy, but we were unable to check for a buffer
// overflow, we still need a result. Conjure a return value.
if (ReturnEnd && Result.isUnknown()) {
- Result = svalBuilder.conjureSymbolVal(nullptr, Call.getOriginExpr(), LCtx,
- C.blockCount());
+ Result = svalBuilder.conjureSymbolVal(nullptr, Call.getCFGElementRef(),
+ LCtx, C.blockCount());
}
}
// Set the return value.
@@ -2361,8 +2371,8 @@ void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallEvent &Call,
const StringLiteral *RightStrLiteral =
getCStringLiteral(C, state, Right.Expression, RightVal);
bool canComputeResult = false;
- SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, Call.getOriginExpr(),
- LCtx, C.blockCount());
+ SVal resultVal = svalBuilder.conjureSymbolVal(
+ nullptr, Call.getCFGElementRef(), LCtx, C.blockCount());
if (LeftStrLiteral && RightStrLiteral) {
StringRef LeftStrRef = LeftStrLiteral->getString();
@@ -2463,19 +2473,19 @@ void CStringChecker::evalStrsep(CheckerContext &C,
// character to NUL.
// As the replacement never overflows, do not invalidate its super region.
State = invalidateDestinationBufferNeverOverflows(
- C, State, SearchStrPtr.Expression, Result);
+ C, State, Call.getCFGElementRef(), Result);
// Overwrite the search string pointer. The new value is either an address
// further along in the same string, or NULL if there are no more tokens.
State =
State->bindLoc(*SearchStrLoc,
- SVB.conjureSymbolVal(getTag(), Call.getOriginExpr(),
+ SVB.conjureSymbolVal(getTag(), Call.getCFGElementRef(),
LCtx, CharPtrTy, C.blockCount()),
LCtx);
} else {
assert(SearchStrVal.isUnknown());
// Conjure a symbolic value. It's the best we can do.
- Result = SVB.conjureSymbolVal(nullptr, Call.getOriginExpr(), LCtx,
+ Result = SVB.conjureSymbolVal(nullptr, Call.getCFGElementRef(), LCtx,
C.blockCount());
}
@@ -2514,13 +2524,13 @@ void CStringChecker::evalStdCopyCommon(CheckerContext &C,
SVal DstVal = State->getSVal(Dst, LCtx);
// FIXME: As we do not know how many items are copied, we also invalidate the
// super region containing the target location.
- State =
- invalidateDestinationBufferAlwaysEscapeSuperRegion(C, State, Dst, DstVal);
+ State = invalidateDestinationBufferAlwaysEscapeSuperRegion(
+ C, State, Call.getCFGElementRef(), DstVal);
SValBuilder &SVB = C.getSValBuilder();
- SVal ResultVal =
- SVB.conjureSymbolVal(nullptr, Call.getOriginExpr(), LCtx, C.blockCount());
+ SVal ResultVal = SVB.conjureSymbolVal(nullptr, Call.getCFGElementRef(), LCtx,
+ C.blockCount());
State = State->BindExpr(Call.getOriginExpr(), LCtx, ResultVal);
C.addTransition(State);
@@ -2569,8 +2579,8 @@ void CStringChecker::evalMemset(CheckerContext &C,
// According to the values of the arguments, bind the value of the second
// argument to the destination buffer and set string length, or just
// invalidate the destination buffer.
- if (!memsetAux(Buffer.Expression, C.getSVal(CharE.Expression),
- Size.Expression, C, State))
+ if (!memsetAux(Buffer.Expression, Call.getCFGElementRef(),
+ C.getSVal(CharE.Expression), Size.Expression, C, State))
return;
State = State->BindExpr(Call.getOriginExpr(), LCtx, BufferPtrVal);
@@ -2614,7 +2624,8 @@ void CStringChecker::evalBzero(CheckerContext &C, const CallEvent &Call) const {
if (!State)
return;
- if (!memsetAux(Buffer.Expression, Zero, Size.Expression, C, State))
+ if (!memsetAux(Buffer.Expression, Call.getCFGElementRef(), Zero,
+ Size.Expression, C, State))
return;
C.addTransition(State);
diff --git a/clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp b/clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp
index 55ed809bfed6c..03cffc1c02803 100644
--- a/clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp
@@ -11,6 +11,7 @@
//===----------------------------------------------------------------------===//
#include "clang/AST/DeclTemplate.h"
+#include "clang/Analysis/CFG.h"
#include "clang/Driver/DriverDiagnostic.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
@@ -33,11 +34,13 @@ namespace {
class ContainerModeling
: public Checker<check::PostCall, check::LiveSymbols, check::DeadSymbols> {
- void handleBegin(CheckerContext &C, const Expr *CE, SVal RetVal,
+ void handleBegin(CheckerContext &C,
+ const CFGBlock::ConstCFGElementRef ElemRef, SVal RetVal,
SVal Cont) const;
- void handleEnd(CheckerContext &C, const Expr *CE, SVal RetVal,
- SVal Cont) const;
- void handleAssignment(CheckerContext &C, SVal Cont, const Expr *CE = nullptr,
+ void handleEnd(CheckerContext &C, const CFGBlock::ConstCFGElementRef ElemRef,
+ SVal RetVal, SVal Cont) const;
+ void handleAssignment(CheckerContext &C, SVal Cont,
+ const CFGBlock::ConstCFGElementRef ElemRef,
SVal OldCont = UndefinedVal()) const;
void handleAssign(CheckerContext &C, SVal Cont, const Expr *ContE) const;
void handleClear(CheckerContext &C, SVal Cont, const Expr *ContE) const;
@@ -108,12 +111,13 @@ bool backModifiable(ProgramStateRef State, const MemRegion *Reg);
SymbolRef getContainerBegin(ProgramStateRef State, const MemRegion *Cont);
SymbolRef getContainerEnd(ProgramStateRef State, const MemRegion *Cont);
ProgramStateRef createContainerBegin(ProgramStateRef State,
- const MemRegion *Cont, const Expr *E,
+ const MemRegion *Cont,
+ const CFGBlock::ConstCFGElementRef ElemRef,
QualType T, const LocationContext *LCtx,
unsigned BlockCount);
ProgramStateRef createContainerEnd(ProgramStateRef State, const MemRegion *Cont,
- const Expr *E, QualType T,
- const LocationContext *LCtx,
+ const CFGBlock::ConstCFGElementRef ElemRef,
+ QualType T, const LocationContext *LCtx,
unsigned BlockCount);
ProgramStateRef setContainerData(ProgramStateRef State, const MemRegion *Cont,
const ContainerData &CData);
@@ -160,12 +164,12 @@ void ContainerModeling::checkPostCall(const CallEvent &Call,
// Overloaded 'operator=' must be a non-static member function.
const auto *InstCall = cast<CXXInstanceCall>(&Call);
if (cast<CXXMethodDecl>(Func)->isMoveAssignmentOperator()) {
- handleAssignment(C, InstCall->getCXXThisVal(), Call.getOriginExpr(),
- Call.getArgSVal(0));
+ handleAssignment(C, InstCall->getCXXThisVal(), Call.getCFGElementRef(),
+ Call.getArgSVal(0));
return;
}
- handleAssignment(C, InstCall->getCXXThisVal());
+ handleAssignment(C, InstCall->getCXXThisVal(), C.getCFGElementRef());
return;
}
} else {
@@ -195,13 +199,13 @@ void ContainerModeling::checkPostCall(const CallEvent &Call,
return;
if (isBeginCall(Func)) {
- handleBegin(C, OrigExpr, Call.getReturnValue(),
+ handleBegin(C, Call.getCFGElementRef(), Call.getReturnValue(),
InstCall->getCXXThisVal());
return;
}
if (isEndCall(Func)) {
- handleEnd(C, OrigExpr, Call.getReturnValue(),
+ handleEnd(C, Call.getCFGElementRef(), Call.getReturnValue(),
InstCall->getCXXThisVal());
return;
}
@@ -247,8 +251,9 @@ void ContainerModeling::checkDeadSymbols(SymbolReaper &SR,
C.addTransition(State);
}
-void ContainerModeling::handleBegin(CheckerContext &C, const Expr *CE,
- SVal RetVal, SVal Cont) const {
+void ContainerModeling::handleBegin(CheckerContext &C,
+ const CFGBlock::ConstCFGElementRef ElemRef,
+ SVal RetVal, SVal Cont) const {
const auto *ContReg = Cont.getAsRegion();
if (!ContReg)
return;
@@ -260,8 +265,9 @@ void ContainerModeling::handleBegin(CheckerContext &C, const Expr *CE,
auto State = C.getState();
auto BeginSym = getContainerBegin(State, ContReg);
if (!BeginSym) {
- State = createContainerBegin(State, ContReg, CE, C.getASTContext().LongTy,
- C.getLocationContext(), C.blockCount());
+ State =
+ createContainerBegin(State, ContReg, ElemRef, C.getASTContext().LongTy,
+ C.getLocationContext(), C.blockCount());
BeginSym = getContainerBegin(State, ContReg);
}
State = setIteratorPosition(State, RetVal,
@@ -269,8 +275,9 @@ void ContainerModeling::handleBegin(CheckerContext &C, const Expr *CE,
C.addTransition(State);
}
-void ContainerModeling::handleEnd(CheckerContext &C, const Expr *CE,
- SVal RetVal, SVal Cont) const {
+void ContainerModeling::handleEnd(CheckerContext &C,
+ const CFGBlock::ConstCFGElementRef ElemRef,
+ SVal RetVal, SVal Cont) const {
const auto *ContReg = Cont.getAsRegion();
if (!ContReg)
return;
@@ -282,8 +289,9 @@ void ContainerModeling::handleEnd(CheckerContext &C, const Expr *CE,
auto State = C.getState();
auto EndSym = getContainerEnd(State, ContReg);
if (!EndSym) {
- State = createContainerEnd(State, ContReg, CE, C.getASTContext().LongTy,
- C.getLocationContext(), C.blockCount());
+ State =
+ createContainerEnd(State, ContReg, ElemRef, C.getASTContext().LongTy,
+ C.getLocationContext(), C.blockCount());
EndSym = getContainerEnd(State, ContReg);
}
State = setIteratorPosition(State, RetVal,
@@ -291,8 +299,9 @@ void ContainerModeling::handleEnd(CheckerContext &C, const Expr *CE,
C.addTransition(State);
}
-void ContainerModeling::handleAssignment(CheckerContext &C, SVal Cont,
- const Expr *CE, SVal OldCont) const {
+void ContainerModeling::handleAssignment(
+ CheckerContext &C, SVal Cont, const CFGBlock::ConstCFGElementRef ElemRef,
+ SVal OldCont) const {
const auto *ContReg = Cont.getAsRegion();
if (!ContReg)
return;
@@ -326,7 +335,7 @@ void ContainerModeling::handleAssignment(CheckerContext &C, SVal Cont,
auto &SVB = C.getSValBuilder();
// Then generate and assign a new "end" symbol for the new container.
auto NewEndSym =
- SymMgr.conjureSymbol(CE, C.getLocationContext(),
+ SymMgr.conjureSymbol(ElemRef, C.getLocationContext(),
C.getASTContext().LongTy, C.blockCount());
State = assumeNoOverflow(State, NewEndSym, 4);
if (CData) {
@@ -845,7 +854,8 @@ SymbolRef getContainerEnd(ProgramStateRef State, const MemRegion *Cont) {
}
ProgramStateRef createContainerBegin(ProgramStateRef State,
- const MemRegion *Cont, const Expr *E,
+ const MemRegion *Cont,
+ const CFGBlock::ConstCFGElementRef ElemRef,
QualType T, const LocationContext *LCtx,
unsigned BlockCount) {
// Only create if it does not exist
@@ -854,8 +864,8 @@ ProgramStateRef createContainerBegin(ProgramStateRef State,
return State;
auto &SymMgr = State->getSymbolManager();
- const SymbolConjured *Sym = SymMgr.conjureSymbol(E, LCtx, T, BlockCount,
- "begin");
+ const SymbolConjured *Sym =
+ SymMgr.conjureSymbol(ElemRef, LCtx, T, BlockCount, "begin");
State = assumeNoOverflow(State, Sym, 4);
if (CDataPtr) {
@@ -868,8 +878,8 @@ ProgramStateRef createContainerBegin(ProgramStateRef State,
}
ProgramStateRef createContainerEnd(ProgramStateRef State, const MemRegion *Cont,
- const Expr *E, QualType T,
- const LocationContext *LCtx,
+ const CFGBlock::ConstCFGElementRef ElemRef,
+ QualType T, const LocationContext *LCtx,
unsigned BlockCount) {
// Only create if it does not exist
const auto *CDataPtr = getContainerData(State, Cont);
@@ -877,8 +887,8 @@ ProgramStateRef createContainerEnd(ProgramStateRef State, const MemRegion *Cont,
return State;
auto &SymMgr = State->getSymbolManager();
- const SymbolConjured *Sym = SymMgr.conjureSymbol(E, LCtx, T, BlockCount,
- "end");
+ const SymbolConjured *Sym =
+ SymMgr.conjureSymbol(ElemRef, LCtx, T, BlockCount, "end");
State = assumeNoOverflow(State, Sym, 4);
if (CDataPtr) {
diff --git a/clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp b/clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp
index 6ffc05f06742b..ec535f52497a9 100644
--- a/clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp
@@ -20,6 +20,7 @@
#include "ErrnoModeling.h"
#include "clang/AST/ParentMapContext.h"
+#include "clang/Analysis/CFG.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
@@ -124,7 +125,7 @@ void ErrnoModeling::checkBeginFunction(CheckerContext &C) const {
// of the data member `ErrnoDecl` of the singleton `ErrnoModeling` checker
// object.
const SymbolConjured *Sym = SVB.conjureSymbol(
- nullptr, C.getLocationContext(),
+ C.getCFGElementRef(), C.getLocationContext(),
ACtx.getLValueReferenceType(ACtx.IntTy), C.blockCount(), &ErrnoDecl);
// The symbolic region is untyped, create a typed sub-region in it.
@@ -254,13 +255,13 @@ ProgramStateRef setErrnoForStdFailure(ProgramStateRef State, CheckerContext &C,
return setErrnoValue(State, C.getLocationContext(), ErrnoSym, Irrelevant);
}
-ProgramStateRef setErrnoStdMustBeChecked(ProgramStateRef State,
- CheckerContext &C,
- const Expr *InvalE) {
+ProgramStateRef
+setErrnoStdMustBeChecked(ProgramStateRef State, CheckerContext &C,
+ const CFGBlock::ConstCFGElementRef ElemRef) {
const MemRegion *ErrnoR = State->get<ErrnoRegion>();
if (!ErrnoR)
return State;
- State = State->invalidateRegions(ErrnoR, InvalE, C.blockCount(),
+ State = State->invalidateRegions(ErrnoR, ElemRef, C.blockCount(),
C.getLocationContext(), false);
if (!State)
return nullptr;
diff --git a/clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.h b/clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.h
index 95da8a28d3253..7559dbdb6a205 100644
--- a/clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.h
+++ b/clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.h
@@ -13,6 +13,7 @@
#ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_ERRNOMODELING_H
#define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_ERRNOMODELING_H
+#include "clang/Analysis/CFG.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
@@ -96,9 +97,9 @@ ProgramStateRef setErrnoForStdFailure(ProgramStateRef State, CheckerContext &C,
/// Set errno state for the common case when a standard function indicates
/// failure only by \c errno. Sets \c ErrnoCheckState to \c MustBeChecked, and
/// invalidates the errno region (clear of previous value).
-/// \arg \c InvalE Expression that causes invalidation of \c errno.
-ProgramStateRef setErrnoStdMustBeChecked(ProgramStateRef State,
- CheckerContext &C, const Expr *InvalE);
+ProgramStateRef
+setErrnoStdMustBeChecked(ProgramStateRef State, CheckerContext &C,
+ const CFGBlock::ConstCFGElementRef ElemRef);
} // namespace errno_modeling
} // namespace ento
diff --git a/clang/lib/StaticAnalyzer/Checkers/ErrnoTesterChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/ErrnoTesterChecker.cpp
index 6076a6bc78973..6f00bafd519b3 100644
--- a/clang/lib/StaticAnalyzer/Checkers/ErrnoTesterChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/ErrnoTesterChecker.cpp
@@ -131,7 +131,7 @@ void ErrnoTesterChecker::evalSetErrnoIfErrorRange(CheckerContext &C,
ProgramStateRef StateFailure = State->BindExpr(
Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(1, true));
DefinedOrUnknownSVal ErrnoVal = SVB.conjureSymbolVal(
- nullptr, Call.getOriginExpr(), C.getLocationContext(), C.blockCount());
+ nullptr, Call.getCFGElementRef(), C.getLocationContext(), C.blockCount());
StateFailure = StateFailure->assume(ErrnoVal, true);
assert(StateFailure && "Failed to assume on an initial value.");
StateFailure =
diff --git a/clang/lib/StaticAnalyzer/Checkers/Iterator.cpp b/clang/lib/StaticAnalyzer/Checkers/Iterator.cpp
index ba561ddebdb69..31fdf58f6ba1e 100644
--- a/clang/lib/StaticAnalyzer/Checkers/Iterator.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/Iterator.cpp
@@ -11,6 +11,7 @@
//===----------------------------------------------------------------------===//
#include "Iterator.h"
+#include "clang/Analysis/CFG.h"
namespace clang {
namespace ento {
@@ -206,15 +207,15 @@ ProgramStateRef setIteratorPosition(ProgramStateRef State, SVal Val,
return nullptr;
}
-ProgramStateRef createIteratorPosition(ProgramStateRef State, SVal Val,
- const MemRegion *Cont, const Stmt *S,
- const LocationContext *LCtx,
- unsigned blockCount) {
+ProgramStateRef
+createIteratorPosition(ProgramStateRef State, SVal Val, const MemRegion *Cont,
+ const CFGBlock::ConstCFGElementRef ElemRef,
+ const LocationContext *LCtx, unsigned blockCount) {
auto &StateMgr = State->getStateManager();
auto &SymMgr = StateMgr.getSymbolManager();
auto &ACtx = StateMgr.getContext();
- auto Sym = SymMgr.conjureSymbol(S, LCtx, ACtx.LongTy, blockCount);
+ auto Sym = SymMgr.conjureSymbol(ElemRef, LCtx, ACtx.LongTy, blockCount);
State = assumeNoOverflow(State, Sym, 4);
return setIteratorPosition(State, Val,
IteratorPosition::getPosition(Cont, Sym));
diff --git a/clang/lib/StaticAnalyzer/Checkers/Iterator.h b/clang/lib/StaticAnalyzer/Checkers/Iterator.h
index 46de8ea01d77b..dbae7da9cac22 100644
--- a/clang/lib/StaticAnalyzer/Checkers/Iterator.h
+++ b/clang/lib/StaticAnalyzer/Checkers/Iterator.h
@@ -13,6 +13,7 @@
#ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_ITERATOR_H
#define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_ITERATOR_H
+#include "clang/Analysis/CFG.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
@@ -164,10 +165,10 @@ const ContainerData *getContainerData(ProgramStateRef State,
const IteratorPosition *getIteratorPosition(ProgramStateRef State, SVal Val);
ProgramStateRef setIteratorPosition(ProgramStateRef State, SVal Val,
const IteratorPosition &Pos);
-ProgramStateRef createIteratorPosition(ProgramStateRef State, SVal Val,
- const MemRegion *Cont, const Stmt *S,
- const LocationContext *LCtx,
- unsigned blockCount);
+ProgramStateRef
+createIteratorPosition(ProgramStateRef State, SVal Val, const MemRegion *Cont,
+ const CFGBlock::ConstCFGElementRef ElemRef,
+ const LocationContext *LCtx, unsigned blockCount);
ProgramStateRef advancePosition(ProgramStateRef State, SVal Iter,
OverloadedOperatorKind Op, SVal Distance);
ProgramStateRef assumeNoOverflow(ProgramStateRef State, SymbolRef Sym,
diff --git a/clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp b/clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp
index d4ce73b03acb8..af7d723f836a2 100644
--- a/clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp
@@ -65,6 +65,7 @@
// a constraint which we later retrieve when doing an actual comparison.
#include "clang/AST/DeclTemplate.h"
+#include "clang/Analysis/CFG.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
@@ -90,8 +91,9 @@ class IteratorModeling
check::PostStmt<MaterializeTemporaryExpr>,
check::Bind, check::LiveSymbols, check::DeadSymbols> {
- using AdvanceFn = void (IteratorModeling::*)(CheckerContext &, const Expr *,
- SVal, SVal, SVal) const;
+ using AdvanceFn = void (IteratorModeling::*)(
+ CheckerContext &, const CFGBlock::ConstCFGElementRef, SVal, SVal,
+ SVal) const;
void handleOverloadedOperator(CheckerContext &C, const CallEvent &Call,
OverloadedOperatorKind Op) const;
@@ -99,7 +101,8 @@ class IteratorModeling
const Expr *OrigExpr,
const AdvanceFn *Handler) const;
- void handleComparison(CheckerContext &C, const Expr *CE, SVal RetVal,
+ void handleComparison(CheckerContext &C, const Expr *CE,
+ const CFGBlock::ConstCFGElementRef ElemRef, SVal RetVal,
SVal LVal, SVal RVal, OverloadedOperatorKind Op) const;
void processComparison(CheckerContext &C, ProgramStateRef State,
SymbolRef Sym1, SymbolRef Sym2, SVal RetVal,
@@ -108,19 +111,23 @@ class IteratorModeling
bool Postfix) const;
void handleDecrement(CheckerContext &C, SVal RetVal, SVal Iter,
bool Postfix) const;
- void handleRandomIncrOrDecr(CheckerContext &C, const Expr *CE,
+ void handleRandomIncrOrDecr(CheckerContext &C,
+ const CFGBlock::ConstCFGElementRef ElemRef,
OverloadedOperatorKind Op, SVal RetVal,
SVal Iterator, SVal Amount) const;
void handlePtrIncrOrDecr(CheckerContext &C, const Expr *Iterator,
+ const CFGBlock::ConstCFGElementRef ElemRef,
OverloadedOperatorKind OK, SVal Offset) const;
- void handleAdvance(CheckerContext &C, const Expr *CE, SVal RetVal, SVal Iter,
- SVal Amount) const;
- void handlePrev(CheckerContext &C, const Expr *CE, SVal RetVal, SVal Iter,
- SVal Amount) const;
- void handleNext(CheckerContext &C, const Expr *CE, SVal RetVal, SVal Iter,
- SVal Amount) const;
- void assignToContainer(CheckerContext &C, const Expr *CE, SVal RetVal,
- const MemRegion *Cont) const;
+ void handleAdvance(CheckerContext &C,
+ const CFGBlock::ConstCFGElementRef ElemRef, SVal RetVal,
+ SVal Iter, SVal Amount) const;
+ void handlePrev(CheckerContext &C, const CFGBlock::ConstCFGElementRef ElemRef,
+ SVal RetVal, SVal Iter, SVal Amount) const;
+ void handleNext(CheckerContext &C, const CFGBlock::ConstCFGElementRef ElemRef,
+ SVal RetVal, SVal Iter, SVal Amount) const;
+ void assignToContainer(CheckerContext &C,
+ const CFGBlock::ConstCFGElementRef ElemRef,
+ SVal RetVal, const MemRegion *Cont) const;
bool noChangeInAdvance(CheckerContext &C, SVal Iter, const Expr *CE) const;
void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
const char *Sep) const override;
@@ -224,7 +231,7 @@ void IteratorModeling::checkPostCall(const CallEvent &Call,
C.getASTContext()).getTypePtr() ==
Call.getResultType().getDesugaredType(C.getASTContext()).getTypePtr()) {
if (const auto *Pos = getIteratorPosition(State, Call.getArgSVal(i))) {
- assignToContainer(C, OrigExpr, Call.getReturnValue(),
+ assignToContainer(C, Call.getCFGElementRef(), Call.getReturnValue(),
Pos->getContainer());
return;
}
@@ -255,7 +262,7 @@ void IteratorModeling::checkPostStmt(const UnaryOperator *UO,
return;
auto &SVB = C.getSValBuilder();
- handlePtrIncrOrDecr(C, UO->getSubExpr(),
+ handlePtrIncrOrDecr(C, UO->getSubExpr(), C.getCFGElementRef(),
isIncrementOperator(OK) ? OO_Plus : OO_Minus,
SVB.makeArrayIndex(1));
}
@@ -271,7 +278,7 @@ void IteratorModeling::checkPostStmt(const BinaryOperator *BO,
if (isSimpleComparisonOperator(BO->getOpcode())) {
SVal Result = State->getSVal(BO, C.getLocationContext());
- handleComparison(C, BO, Result, LVal, RVal,
+ handleComparison(C, BO, C.getCFGElementRef(), Result, LVal, RVal,
BinaryOperator::getOverloadedOperator(OK));
} else if (isRandomIncrOrDecrOperator(OK)) {
// In case of operator+ the iterator can be either on the LHS (eg.: it + 1),
@@ -284,8 +291,8 @@ void IteratorModeling::checkPostStmt(const BinaryOperator *BO,
if (!AmountExpr->getType()->isIntegralOrEnumerationType())
return;
SVal AmountVal = IsIterOnLHS ? RVal : LVal;
- handlePtrIncrOrDecr(C, IterExpr, BinaryOperator::getOverloadedOperator(OK),
- AmountVal);
+ handlePtrIncrOrDecr(C, IterExpr, C.getCFGElementRef(),
+ BinaryOperator::getOverloadedOperator(OK), AmountVal);
}
}
@@ -351,27 +358,29 @@ IteratorModeling::handleOverloadedOperator(CheckerContext &C,
OverloadedOperatorKind Op) const {
if (isSimpleComparisonOperator(Op)) {
const auto *OrigExpr = Call.getOriginExpr();
+ const auto ElemRef = Call.getCFGElementRef();
if (!OrigExpr)
return;
if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
- handleComparison(C, OrigExpr, Call.getReturnValue(),
+ handleComparison(C, OrigExpr, ElemRef, Call.getReturnValue(),
InstCall->getCXXThisVal(), Call.getArgSVal(0), Op);
return;
}
- handleComparison(C, OrigExpr, Call.getReturnValue(), Call.getArgSVal(0),
- Call.getArgSVal(1), Op);
+ handleComparison(C, OrigExpr, ElemRef, Call.getReturnValue(),
+ Call.getArgSVal(0), Call.getArgSVal(1), Op);
return;
} else if (isRandomIncrOrDecrOperator(Op)) {
const auto *OrigExpr = Call.getOriginExpr();
+ const auto ElemRef = Call.getCFGElementRef();
if (!OrigExpr)
return;
if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
if (Call.getNumArgs() >= 1 &&
Call.getArgExpr(0)->getType()->isIntegralOrEnumerationType()) {
- handleRandomIncrOrDecr(C, OrigExpr, Op, Call.getReturnValue(),
+ handleRandomIncrOrDecr(C, ElemRef, Op, Call.getReturnValue(),
InstCall->getCXXThisVal(), Call.getArgSVal(0));
return;
}
@@ -391,7 +400,7 @@ IteratorModeling::handleOverloadedOperator(CheckerContext &C,
SVal Iterator = IsIterFirst ? FirstArg : SecondArg;
SVal Amount = IsIterFirst ? SecondArg : FirstArg;
- handleRandomIncrOrDecr(C, OrigExpr, Op, Call.getReturnValue(),
+ handleRandomIncrOrDecr(C, ElemRef, Op, Call.getReturnValue(),
Iterator, Amount);
return;
}
@@ -425,7 +434,7 @@ IteratorModeling::handleAdvanceLikeFunction(CheckerContext &C,
const Expr *OrigExpr,
const AdvanceFn *Handler) const {
if (!C.wasInlined) {
- (this->**Handler)(C, OrigExpr, Call.getReturnValue(),
+ (this->**Handler)(C, Call.getCFGElementRef(), Call.getReturnValue(),
Call.getArgSVal(0), Call.getArgSVal(1));
return;
}
@@ -436,16 +445,17 @@ IteratorModeling::handleAdvanceLikeFunction(CheckerContext &C,
if (IdInfo) {
if (IdInfo->getName() == "advance") {
if (noChangeInAdvance(C, Call.getArgSVal(0), OrigExpr)) {
- (this->**Handler)(C, OrigExpr, Call.getReturnValue(),
+ (this->**Handler)(C, Call.getCFGElementRef(), Call.getReturnValue(),
Call.getArgSVal(0), Call.getArgSVal(1));
}
}
}
}
-void IteratorModeling::handleComparison(CheckerContext &C, const Expr *CE,
- SVal RetVal, SVal LVal, SVal RVal,
- OverloadedOperatorKind Op) const {
+void IteratorModeling::handleComparison(
+ CheckerContext &C, const Expr *CE,
+ const CFGBlock::ConstCFGElementRef ElemRef, SVal RetVal, SVal LVal,
+ SVal RVal, OverloadedOperatorKind Op) const {
// Record the operands and the operator of the comparison for the next
// evalAssume, if the result is a symbolic expression. If it is a concrete
// value (only one branch is possible), then transfer the state between
@@ -467,7 +477,7 @@ void IteratorModeling::handleComparison(CheckerContext &C, const Expr *CE,
SymbolRef Sym;
if (!LPos || !RPos) {
auto &SymMgr = C.getSymbolManager();
- Sym = SymMgr.conjureSymbol(CE, C.getLocationContext(),
+ Sym = SymMgr.conjureSymbol(ElemRef, C.getLocationContext(),
C.getASTContext().LongTy, C.blockCount());
State = assumeNoOverflow(State, Sym, 4);
}
@@ -494,7 +504,7 @@ void IteratorModeling::handleComparison(CheckerContext &C, const Expr *CE,
auto &SymMgr = C.getSymbolManager();
auto *LCtx = C.getLocationContext();
RetVal = nonloc::SymbolVal(SymMgr.conjureSymbol(
- CE, LCtx, C.getASTContext().BoolTy, C.blockCount()));
+ ElemRef, LCtx, C.getASTContext().BoolTy, C.blockCount()));
State = State->BindExpr(CE, LCtx, RetVal);
}
@@ -583,10 +593,9 @@ void IteratorModeling::handleDecrement(CheckerContext &C, SVal RetVal,
C.addTransition(State);
}
-void IteratorModeling::handleRandomIncrOrDecr(CheckerContext &C, const Expr *CE,
- OverloadedOperatorKind Op,
- SVal RetVal, SVal Iterator,
- SVal Amount) const {
+void IteratorModeling::handleRandomIncrOrDecr(
+ CheckerContext &C, const CFGBlock::ConstCFGElementRef ElemRef,
+ OverloadedOperatorKind Op, SVal RetVal, SVal Iterator, SVal Amount) const {
// Increment or decrement the symbolic expressions which represents the
// position of the iterator
auto State = C.getState();
@@ -617,14 +626,14 @@ void IteratorModeling::handleRandomIncrOrDecr(CheckerContext &C, const Expr *CE,
State = setIteratorPosition(State, TgtVal, *NewPos);
C.addTransition(State);
} else {
- assignToContainer(C, CE, TgtVal, Pos->getContainer());
+ assignToContainer(C, ElemRef, TgtVal, Pos->getContainer());
}
}
-void IteratorModeling::handlePtrIncrOrDecr(CheckerContext &C,
- const Expr *Iterator,
- OverloadedOperatorKind OK,
- SVal Offset) const {
+void IteratorModeling::handlePtrIncrOrDecr(
+ CheckerContext &C, const Expr *Iterator,
+ const CFGBlock::ConstCFGElementRef ElemRef, OverloadedOperatorKind OK,
+ SVal Offset) const {
if (!isa<DefinedSVal>(Offset))
return;
@@ -661,34 +670,38 @@ void IteratorModeling::handlePtrIncrOrDecr(CheckerContext &C,
ProgramStateRef NewState = setIteratorPosition(State, NewVal, *NewPos);
C.addTransition(NewState);
} else {
- assignToContainer(C, Iterator, NewVal, OldPos->getContainer());
+ assignToContainer(C, ElemRef, NewVal, OldPos->getContainer());
}
}
-void IteratorModeling::handleAdvance(CheckerContext &C, const Expr *CE,
+void IteratorModeling::handleAdvance(CheckerContext &C,
+ const CFGBlock::ConstCFGElementRef ElemRef,
SVal RetVal, SVal Iter,
SVal Amount) const {
- handleRandomIncrOrDecr(C, CE, OO_PlusEqual, RetVal, Iter, Amount);
+ handleRandomIncrOrDecr(C, ElemRef, OO_PlusEqual, RetVal, Iter, Amount);
}
-void IteratorModeling::handlePrev(CheckerContext &C, const Expr *CE,
+void IteratorModeling::handlePrev(CheckerContext &C,
+ const CFGBlock::ConstCFGElementRef ElemRef,
SVal RetVal, SVal Iter, SVal Amount) const {
- handleRandomIncrOrDecr(C, CE, OO_Minus, RetVal, Iter, Amount);
+ handleRandomIncrOrDecr(C, ElemRef, OO_Minus, RetVal, Iter, Amount);
}
-void IteratorModeling::handleNext(CheckerContext &C, const Expr *CE,
+void IteratorModeling::handleNext(CheckerContext &C,
+ const CFGBlock::ConstCFGElementRef ElemRef,
SVal RetVal, SVal Iter, SVal Amount) const {
- handleRandomIncrOrDecr(C, CE, OO_Plus, RetVal, Iter, Amount);
+ handleRandomIncrOrDecr(C, ElemRef, OO_Plus, RetVal, Iter, Amount);
}
-void IteratorModeling::assignToContainer(CheckerContext &C, const Expr *CE,
- SVal RetVal,
- const MemRegion *Cont) const {
+void IteratorModeling::assignToContainer(
+ CheckerContext &C, const CFGBlock::ConstCFGElementRef ElemRef, SVal RetVal,
+ const MemRegion *Cont) const {
Cont = Cont->getMostDerivedObjectRegion();
auto State = C.getState();
const auto *LCtx = C.getLocationContext();
- State = createIteratorPosition(State, RetVal, Cont, CE, LCtx, C.blockCount());
+ State = createIteratorPosition(State, RetVal, Cont, ElemRef, LCtx,
+ C.blockCount());
C.addTransition(State);
}
diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index 0d1213ddf8b01..4b8da0562b4d3 100644
--- a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -1833,8 +1833,10 @@ ProgramStateRef MallocChecker::MallocBindRetVal(CheckerContext &C,
unsigned Count = C.blockCount();
SValBuilder &SVB = C.getSValBuilder();
const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
- DefinedSVal RetVal = isAlloca ? SVB.getAllocaRegionVal(CE, LCtx, Count)
- : SVB.getConjuredHeapSymbolVal(CE, LCtx, Count);
+ DefinedSVal RetVal =
+ isAlloca ? SVB.getAllocaRegionVal(CE, LCtx, Count)
+ : SVB.getConjuredHeapSymbolVal(Call.getCFGElementRef(), LCtx,
+ CE->getType(), Count);
return State->BindExpr(CE, C.getLocationContext(), RetVal);
}
@@ -2304,7 +2306,7 @@ MallocChecker::FreeMemAux(CheckerContext &C, const Expr *ArgExpr,
// Assume that after memory is freed, it contains unknown values. This
// conforts languages standards, since reading from freed memory is considered
// UB and may result in arbitrary value.
- State = State->invalidateRegions({location}, Call.getOriginExpr(),
+ State = State->invalidateRegions({location}, Call.getCFGElementRef(),
C.blockCount(), C.getLocationContext(),
/*CausesPointerEscape=*/false,
/*InvalidatedSymbols=*/nullptr);
diff --git a/clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp
index cc1ced7358710..939a8544e28b7 100644
--- a/clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp
@@ -931,8 +931,8 @@ bool RetainCountChecker::evalCall(const CallEvent &Call,
if (RetVal.isUnknown() ||
(hasTrustedImplementationAnnotation && !ResultTy.isNull())) {
SValBuilder &SVB = C.getSValBuilder();
- RetVal =
- SVB.conjureSymbolVal(nullptr, CE, LCtx, ResultTy, C.blockCount());
+ RetVal = SVB.conjureSymbolVal(nullptr, Call.getCFGElementRef(), LCtx,
+ ResultTy, C.blockCount());
}
// Bind the value.
diff --git a/clang/lib/StaticAnalyzer/Checkers/STLAlgorithmModeling.cpp b/clang/lib/StaticAnalyzer/Checkers/STLAlgorithmModeling.cpp
index e037719b90298..5cd8bf411b767 100644
--- a/clang/lib/StaticAnalyzer/Checkers/STLAlgorithmModeling.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/STLAlgorithmModeling.cpp
@@ -10,6 +10,7 @@
//
//===----------------------------------------------------------------------===//
+#include "clang/Analysis/CFG.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
@@ -25,12 +26,16 @@ using namespace iterator;
namespace {
class STLAlgorithmModeling : public Checker<eval::Call> {
- bool evalFind(CheckerContext &C, const CallExpr *CE) const;
+ bool evalFind(CheckerContext &C, const CallExpr *CE,
+ const CFGBlock::ConstCFGElementRef ElemRef) const;
- void Find(CheckerContext &C, const CallExpr *CE, unsigned paramNum) const;
+ void Find(CheckerContext &C, const CallExpr *CE,
+ const CFGBlock::ConstCFGElementRef ElemRef,
+ unsigned paramNum) const;
- using FnCheck = bool (STLAlgorithmModeling::*)(CheckerContext &,
- const CallExpr *) const;
+ using FnCheck =
+ bool (STLAlgorithmModeling::*)(CheckerContext &, const CallExpr *,
+ const CFGBlock::ConstCFGElementRef) const;
const CallDescriptionMap<FnCheck> Callbacks = {
{{CDM::SimpleFunc, {"std", "find"}, 3}, &STLAlgorithmModeling::evalFind},
@@ -97,11 +102,12 @@ bool STLAlgorithmModeling::evalCall(const CallEvent &Call,
if (!Handler)
return false;
- return (this->**Handler)(C, CE);
+ return (this->**Handler)(C, CE, Call.getCFGElementRef());
}
-bool STLAlgorithmModeling::evalFind(CheckerContext &C,
- const CallExpr *CE) const {
+bool STLAlgorithmModeling::evalFind(
+ CheckerContext &C, const CallExpr *CE,
+ const CFGBlock::ConstCFGElementRef ElemRef) const {
// std::find()-like functions either take their primary range in the first
// two parameters, or if the first parameter is "execution policy" then in
// the second and third. This means that the second parameter must always be
@@ -112,14 +118,14 @@ bool STLAlgorithmModeling::evalFind(CheckerContext &C,
// If no "execution policy" parameter is used then the first argument is the
// beginning of the range.
if (isIteratorType(CE->getArg(0)->getType())) {
- Find(C, CE, 0);
+ Find(C, CE, ElemRef, 0);
return true;
}
// If "execution policy" parameter is used then the second argument is the
// beginning of the range.
if (isIteratorType(CE->getArg(2)->getType())) {
- Find(C, CE, 1);
+ Find(C, CE, ElemRef, 1);
return true;
}
@@ -127,12 +133,13 @@ bool STLAlgorithmModeling::evalFind(CheckerContext &C,
}
void STLAlgorithmModeling::Find(CheckerContext &C, const CallExpr *CE,
+ const CFGBlock::ConstCFGElementRef ElemRef,
unsigned paramNum) const {
auto State = C.getState();
auto &SVB = C.getSValBuilder();
const auto *LCtx = C.getLocationContext();
- SVal RetVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
+ SVal RetVal = SVB.conjureSymbolVal(nullptr, ElemRef, LCtx, C.blockCount());
SVal Param = State->getSVal(CE->getArg(paramNum), LCtx);
auto StateFound = State->BindExpr(CE, LCtx, RetVal);
@@ -144,7 +151,7 @@ void STLAlgorithmModeling::Find(CheckerContext &C, const CallExpr *CE,
const auto *Pos = getIteratorPosition(State, Param);
if (Pos) {
StateFound = createIteratorPosition(StateFound, RetVal, Pos->getContainer(),
- CE, LCtx, C.blockCount());
+ ElemRef, LCtx, C.blockCount());
const auto *NewPos = getIteratorPosition(StateFound, RetVal);
assert(NewPos && "Failed to create new iterator position.");
@@ -166,7 +173,7 @@ void STLAlgorithmModeling::Find(CheckerContext &C, const CallExpr *CE,
Pos = getIteratorPosition(State, Param);
if (Pos) {
StateFound = createIteratorPosition(StateFound, RetVal, Pos->getContainer(),
- CE, LCtx, C.blockCount());
+ ElemRef, LCtx, C.blockCount());
const auto *NewPos = getIteratorPosition(StateFound, RetVal);
assert(NewPos && "Failed to create new iterator position.");
@@ -199,4 +206,3 @@ void ento::registerSTLAlgorithmModeling(CheckerManager &Mgr) {
bool ento::shouldRegisterSTLAlgorithmModeling(const CheckerManager &mgr) {
return true;
}
-
diff --git a/clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp b/clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
index 321388ad857f4..433bcf4f270f7 100644
--- a/clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
@@ -18,6 +18,7 @@
#include "clang/AST/DeclarationName.h"
#include "clang/AST/ExprCXX.h"
#include "clang/AST/Type.h"
+#include "clang/Analysis/CFG.h"
#include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
@@ -80,7 +81,8 @@ class SmartPtrModeling
CheckerContext &C) const;
std::pair<SVal, ProgramStateRef>
retrieveOrConjureInnerPtrVal(ProgramStateRef State,
- const MemRegion *ThisRegion, const Expr *E,
+ const MemRegion *ThisRegion,
+ const CFGBlock::ConstCFGElementRef ElemRef,
QualType Type, CheckerContext &C) const;
using SmartPtrMethodHandlerFn =
@@ -306,7 +308,7 @@ bool SmartPtrModeling::evalCall(const CallEvent &Call,
return false;
const auto PtrVal = C.getSValBuilder().getConjuredHeapSymbolVal(
- Call.getOriginExpr(), C.getLocationContext(),
+ Call.getCFGElementRef(), C.getLocationContext(),
getPointerTypeFromTemplateArg(Call, C), C.blockCount());
const MemRegion *ThisRegion = ThisRegionOpt->getAsRegion();
@@ -437,13 +439,14 @@ bool SmartPtrModeling::evalCall(const CallEvent &Call,
}
std::pair<SVal, ProgramStateRef> SmartPtrModeling::retrieveOrConjureInnerPtrVal(
- ProgramStateRef State, const MemRegion *ThisRegion, const Expr *E,
- QualType Type, CheckerContext &C) const {
+ ProgramStateRef State, const MemRegion *ThisRegion,
+ const CFGBlock::ConstCFGElementRef ElemRef, QualType Type,
+ CheckerContext &C) const {
const auto *Ptr = State->get<TrackedRegionMap>(ThisRegion);
if (Ptr)
return {*Ptr, State};
- auto Val = C.getSValBuilder().conjureSymbolVal(E, C.getLocationContext(),
- Type, C.blockCount());
+ auto Val = C.getSValBuilder().conjureSymbolVal(
+ ElemRef, C.getLocationContext(), Type, C.blockCount());
State = State->set<TrackedRegionMap>(ThisRegion, Val);
return {Val, State};
}
@@ -469,6 +472,7 @@ bool SmartPtrModeling::handleComparisionOp(const CallEvent &Call,
// https://en.cppreference.com/w/cpp/memory/unique_ptr/operator_cmp.
auto makeSValFor = [&C, this](ProgramStateRef State, const Expr *E,
+ const CFGBlock::ConstCFGElementRef ElemRef,
SVal S) -> std::pair<SVal, ProgramStateRef> {
if (S.isZeroConstant()) {
return {S, State};
@@ -477,7 +481,7 @@ bool SmartPtrModeling::handleComparisionOp(const CallEvent &Call,
assert(Reg &&
"this pointer of std::unique_ptr should be obtainable as MemRegion");
QualType Type = getInnerPointerType(C, E->getType()->getAsCXXRecordDecl());
- return retrieveOrConjureInnerPtrVal(State, Reg, E, Type, C);
+ return retrieveOrConjureInnerPtrVal(State, Reg, ElemRef, Type, C);
};
SVal First = Call.getArgSVal(0);
@@ -491,8 +495,10 @@ bool SmartPtrModeling::handleComparisionOp(const CallEvent &Call,
ProgramStateRef State = C.getState();
SVal FirstPtrVal, SecondPtrVal;
- std::tie(FirstPtrVal, State) = makeSValFor(State, FirstExpr, First);
- std::tie(SecondPtrVal, State) = makeSValFor(State, SecondExpr, Second);
+ std::tie(FirstPtrVal, State) =
+ makeSValFor(State, FirstExpr, Call.getCFGElementRef(), First);
+ std::tie(SecondPtrVal, State) =
+ makeSValFor(State, SecondExpr, Call.getCFGElementRef(), Second);
BinaryOperatorKind BOK =
operationKindFromOverloadedOperator(OOK, true).GetBinaryOpUnsafe();
auto RetVal = Bldr.evalBinOp(State, BOK, FirstPtrVal, SecondPtrVal,
@@ -530,7 +536,7 @@ bool SmartPtrModeling::handleOstreamOperator(const CallEvent &Call,
if (!StreamThisRegion)
return false;
State =
- State->invalidateRegions({StreamThisRegion}, Call.getOriginExpr(),
+ State->invalidateRegions({StreamThisRegion}, Call.getCFGElementRef(),
C.blockCount(), C.getLocationContext(), false);
State =
State->BindExpr(Call.getOriginExpr(), C.getLocationContext(), StreamVal);
@@ -722,7 +728,7 @@ void SmartPtrModeling::handleGet(const CallEvent &Call,
SVal InnerPointerVal;
std::tie(InnerPointerVal, State) = retrieveOrConjureInnerPtrVal(
- State, ThisRegion, Call.getOriginExpr(), Call.getResultType(), C);
+ State, ThisRegion, Call.getCFGElementRef(), Call.getResultType(), C);
State = State->BindExpr(Call.getOriginExpr(), C.getLocationContext(),
InnerPointerVal);
// TODO: Add NoteTag, for how the raw pointer got using 'get' method.
@@ -853,7 +859,7 @@ void SmartPtrModeling::handleBoolConversion(const CallEvent &Call,
const LocationContext *LC = C.getLocationContext();
InnerPointerVal = C.getSValBuilder().conjureSymbolVal(
- CallExpr, LC, InnerPointerType, C.blockCount());
+ Call.getCFGElementRef(), LC, InnerPointerType, C.blockCount());
State = State->set<TrackedRegionMap>(ThisRegion, InnerPointerVal);
}
diff --git a/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
index 356d63e3e8b80..7721ecc309256 100644
--- a/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
@@ -585,7 +585,7 @@ class StdLibraryFunctionsChecker
CheckerContext &C) const override {
SValBuilder &SVB = C.getSValBuilder();
NonLoc ErrnoSVal =
- SVB.conjureSymbolVal(&Tag, Call.getOriginExpr(),
+ SVB.conjureSymbolVal(&Tag, Call.getCFGElementRef(),
C.getLocationContext(), C.getASTContext().IntTy,
C.blockCount())
.castAs<NonLoc>();
@@ -621,7 +621,7 @@ class StdLibraryFunctionsChecker
const Summary &Summary,
CheckerContext &C) const override {
return errno_modeling::setErrnoStdMustBeChecked(State, C,
- Call.getOriginExpr());
+ Call.getCFGElementRef());
}
const std::string describe(CheckerContext &C) const override {
@@ -1479,7 +1479,8 @@ bool StdLibraryFunctionsChecker::evalCall(const CallEvent &Call,
const LocationContext *LC = C.getLocationContext();
const auto *CE = cast<CallExpr>(Call.getOriginExpr());
SVal V = C.getSValBuilder().conjureSymbolVal(
- CE, LC, CE->getType().getCanonicalType(), C.blockCount());
+ Call.getCFGElementRef(), LC, CE->getType().getCanonicalType(),
+ C.blockCount());
State = State->BindExpr(CE, LC, V);
C.addTransition(State);
diff --git a/clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
index 80969ce664530..c34ad74012b24 100644
--- a/clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
@@ -13,6 +13,7 @@
#include "NoOwnershipChangeVisitor.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/ASTMatchers/ASTMatchers.h"
+#include "clang/Analysis/CFG.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
@@ -224,18 +225,18 @@ SVal getStreamArg(const FnDescription *Desc, const CallEvent &Call) {
}
/// Create a conjured symbol return value for a call expression.
-DefinedSVal makeRetVal(CheckerContext &C, const CallExpr *CE) {
- assert(CE && "Expecting a call expression.");
-
- const LocationContext *LCtx = C.getLocationContext();
+DefinedSVal makeRetVal(CheckerContext &C,
+ const CFGBlock::ConstCFGElementRef ElemRef) {
return C.getSValBuilder()
- .conjureSymbolVal(nullptr, CE, LCtx, C.blockCount())
+ .conjureSymbolVal(nullptr, ElemRef, C.getLocationContext(),
+ C.blockCount())
.castAs<DefinedSVal>();
}
ProgramStateRef bindAndAssumeTrue(ProgramStateRef State, CheckerContext &C,
- const CallExpr *CE) {
- DefinedSVal RetVal = makeRetVal(C, CE);
+ const CallExpr *CE,
+ const CFGBlock::ConstCFGElementRef ElemRef) {
+ DefinedSVal RetVal = makeRetVal(C, ElemRef);
State = State->BindExpr(CE, C.getLocationContext(), RetVal);
State = State->assume(RetVal, true);
assert(State && "Assumption on new value should not fail.");
@@ -645,6 +646,7 @@ struct StreamOperationEvaluator {
SymbolRef StreamSym = nullptr;
const StreamState *SS = nullptr;
const CallExpr *CE = nullptr;
+ std::optional<CFGBlock::ConstCFGElementRef> ElemRef;
StreamErrorState NewES;
StreamOperationEvaluator(CheckerContext &C)
@@ -664,6 +666,7 @@ struct StreamOperationEvaluator {
CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE)
return false;
+ ElemRef = Call.getCFGElementRef();
assertStreamStateOpened(SS);
@@ -683,7 +686,7 @@ struct StreamOperationEvaluator {
}
ProgramStateRef makeAndBindRetVal(ProgramStateRef State, CheckerContext &C) {
- NonLoc RetVal = makeRetVal(C, CE).castAs<NonLoc>();
+ NonLoc RetVal = makeRetVal(C, ElemRef.value()).castAs<NonLoc>();
return State->BindExpr(CE, C.getLocationContext(), RetVal);
}
@@ -716,7 +719,7 @@ struct StreamOperationEvaluator {
ConstraintManager::ProgramStatePair
makeRetValAndAssumeDual(ProgramStateRef State, CheckerContext &C) {
- DefinedSVal RetVal = makeRetVal(C, CE);
+ DefinedSVal RetVal = makeRetVal(C, ElemRef.value());
State = State->BindExpr(CE, C.getLocationContext(), RetVal);
return C.getConstraintManager().assumeDual(State, RetVal);
}
@@ -858,7 +861,7 @@ escapeByStartIndexAndCount(ProgramStateRef State, const CallEvent &Call,
ITraits.setTrait(Element, DoNotInvalidateSuperRegion);
}
return State->invalidateRegions(
- EscapingVals, Call.getOriginExpr(), BlockCount, LCtx,
+ EscapingVals, Call.getCFGElementRef(), BlockCount, LCtx,
/*CausesPointerEscape=*/false,
/*InvalidatedSymbols=*/nullptr, &Call, &ITraits);
}
@@ -868,7 +871,7 @@ static ProgramStateRef escapeArgs(ProgramStateRef State, CheckerContext &C,
ArrayRef<unsigned int> EscapingArgs) {
auto GetArgSVal = [&Call](int Idx) { return Call.getArgSVal(Idx); };
auto EscapingVals = to_vector(map_range(EscapingArgs, GetArgSVal));
- State = State->invalidateRegions(EscapingVals, Call.getOriginExpr(),
+ State = State->invalidateRegions(EscapingVals, Call.getCFGElementRef(),
C.blockCount(), C.getLocationContext(),
/*CausesPointerEscape=*/false,
/*InvalidatedSymbols=*/nullptr);
@@ -931,7 +934,7 @@ void StreamChecker::evalFopen(const FnDescription *Desc, const CallEvent &Call,
if (!CE)
return;
- DefinedSVal RetVal = makeRetVal(C, CE);
+ DefinedSVal RetVal = makeRetVal(C, Call.getCFGElementRef());
SymbolRef RetSym = RetVal.getAsSymbol();
assert(RetSym && "RetVal must be a symbol here.");
@@ -1200,7 +1203,7 @@ void StreamChecker::evalFreadFwrite(const FnDescription *Desc,
if (!IsFread && !PedanticMode)
return;
- NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
+ NonLoc RetVal = makeRetVal(C, E.ElemRef.value()).castAs<NonLoc>();
ProgramStateRef StateFailed =
State->BindExpr(E.CE, C.getLocationContext(), RetVal);
StateFailed = E.assumeBinOpNN(StateFailed, BO_LT, RetVal, *NMembVal);
@@ -1235,7 +1238,7 @@ void StreamChecker::evalFgetx(const FnDescription *Desc, const CallEvent &Call,
State = escapeArgs(State, C, Call, {0});
if (SingleChar) {
// Generate a transition for the success state of `fgetc`.
- NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
+ NonLoc RetVal = makeRetVal(C, E.ElemRef.value()).castAs<NonLoc>();
ProgramStateRef StateNotFailed =
State->BindExpr(E.CE, C.getLocationContext(), RetVal);
// The returned 'unsigned char' of `fgetc` is converted to 'int',
@@ -1300,7 +1303,7 @@ void StreamChecker::evalFputx(const FnDescription *Desc, const CallEvent &Call,
C.addTransition(StateNotFailed);
} else {
// Generate a transition for the success state of `fputs`.
- NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
+ NonLoc RetVal = makeRetVal(C, E.ElemRef.value()).castAs<NonLoc>();
ProgramStateRef StateNotFailed =
State->BindExpr(E.CE, C.getLocationContext(), RetVal);
StateNotFailed =
@@ -1334,7 +1337,7 @@ void StreamChecker::evalFprintf(const FnDescription *Desc,
if (!E.Init(Desc, Call, C, State))
return;
- NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
+ NonLoc RetVal = makeRetVal(C, E.ElemRef.value()).castAs<NonLoc>();
State = State->BindExpr(E.CE, C.getLocationContext(), RetVal);
auto Cond =
E.SVB
@@ -1379,7 +1382,7 @@ void StreamChecker::evalFscanf(const FnDescription *Desc, const CallEvent &Call,
// case, and no error flags are set on the stream. This is probably not
// accurate, and the POSIX documentation does not tell more.
if (!E.isStreamEof()) {
- NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
+ NonLoc RetVal = makeRetVal(C, E.ElemRef.value()).castAs<NonLoc>();
ProgramStateRef StateNotFailed =
State->BindExpr(E.CE, C.getLocationContext(), RetVal);
StateNotFailed =
@@ -1460,7 +1463,7 @@ void StreamChecker::evalGetdelim(const FnDescription *Desc,
State = escapeArgs(State, C, Call, {0, 1});
// Add transition for the successful state.
- NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
+ NonLoc RetVal = makeRetVal(C, E.ElemRef.value()).castAs<NonLoc>();
ProgramStateRef StateNotFailed = E.bindReturnValue(State, C, RetVal);
StateNotFailed =
E.assumeBinOpNN(StateNotFailed, BO_GE, RetVal, E.getZeroVal(Call));
@@ -1601,7 +1604,7 @@ void StreamChecker::evalFtell(const FnDescription *Desc, const CallEvent &Call,
if (!E.Init(Desc, Call, C, State))
return;
- NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
+ NonLoc RetVal = makeRetVal(C, E.ElemRef.value()).castAs<NonLoc>();
ProgramStateRef StateNotFailed =
State->BindExpr(E.CE, C.getLocationContext(), RetVal);
StateNotFailed =
@@ -1735,7 +1738,8 @@ void StreamChecker::evalFeofFerror(const FnDescription *Desc,
// Execution path with error of ErrorKind.
// Function returns true.
// From now on it is the only one error state.
- ProgramStateRef TrueState = bindAndAssumeTrue(State, C, E.CE);
+ ProgramStateRef TrueState =
+ bindAndAssumeTrue(State, C, E.CE, E.ElemRef.value());
C.addTransition(E.setStreamState(
TrueState, StreamState::getOpened(Desc, ErrorKind,
E.SS->FilePositionIndeterminate &&
@@ -1769,7 +1773,7 @@ void StreamChecker::evalFileno(const FnDescription *Desc, const CallEvent &Call,
if (!E.Init(Desc, Call, C, State))
return;
- NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
+ NonLoc RetVal = makeRetVal(C, E.ElemRef.value()).castAs<NonLoc>();
State = State->BindExpr(E.CE, C.getLocationContext(), RetVal);
State = E.assumeBinOpNN(State, BO_GE, RetVal, E.getZeroVal(Call));
if (!State)
diff --git a/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
index fefe846b6911f..044f9ba61113b 100644
--- a/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
@@ -207,7 +207,7 @@ void InvalidPtrChecker::postPreviousReturnInvalidatingCall(
// Function call will return a pointer to the new symbolic region.
DefinedOrUnknownSVal RetVal = C.getSValBuilder().conjureSymbolVal(
- CE, LCtx, CE->getType(), C.blockCount());
+ Call.getCFGElementRef(), LCtx, CE->getType(), C.blockCount());
State = State->BindExpr(CE, LCtx, RetVal);
const auto *SymRegOfRetVal =
diff --git a/clang/lib/StaticAnalyzer/Core/CallEvent.cpp b/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
index bb4a39f68280c..583315f4f3a90 100644
--- a/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
+++ b/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
@@ -280,7 +280,7 @@ ProgramStateRef CallEvent::invalidateRegions(unsigned BlockCount,
// Invalidate designated regions using the batch invalidation API.
// NOTE: Even if RegionsToInvalidate is empty, we may still invalidate
// global variables.
- return Result->invalidateRegions(ValuesToInvalidate, getOriginExpr(),
+ return Result->invalidateRegions(ValuesToInvalidate, getCFGElementRef(),
BlockCount, getLocationContext(),
/*CausedByPointerEscape*/ true,
/*Symbols=*/nullptr, this, &ETraits);
diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
index 318fa3c1caf06..bec5980a5b3cd 100644
--- a/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
@@ -420,7 +420,7 @@ ProgramStateRef ExprEngine::createTemporaryRegionIfNeeded(
break;
case SubobjectAdjustment::MemberPointerAdjustment:
// FIXME: Unimplemented.
- State = State->invalidateRegions(Reg, InitWithAdjustments,
+ State = State->invalidateRegions(Reg, getCFGElementRef(),
currBldrCtx->blockCount(), LC, true,
nullptr, nullptr, nullptr);
return State;
@@ -437,8 +437,8 @@ ProgramStateRef ExprEngine::createTemporaryRegionIfNeeded(
// values inside Reg would be correct.
SVal InitVal = State->getSVal(Init, LC);
if (InitVal.isUnknown()) {
- InitVal = getSValBuilder().conjureSymbolVal(Result, LC, Init->getType(),
- currBldrCtx->blockCount());
+ InitVal = getSValBuilder().conjureSymbolVal(
+ getCFGElementRef(), LC, Init->getType(), currBldrCtx->blockCount());
State = State->bindLoc(BaseReg.castAs<Loc>(), InitVal, LC, false);
// Then we'd need to take the value that certainly exists and bind it
@@ -447,7 +447,7 @@ ProgramStateRef ExprEngine::createTemporaryRegionIfNeeded(
// Try to recover some path sensitivity in case we couldn't
// compute the value.
InitValWithAdjustments = getSValBuilder().conjureSymbolVal(
- Result, LC, InitWithAdjustments->getType(),
+ getCFGElementRef(), LC, InitWithAdjustments->getType(),
currBldrCtx->blockCount());
}
State =
@@ -1213,9 +1213,9 @@ void ExprEngine::ProcessInitializer(const CFGInitializer CFGInit,
// If we fail to get the value for some reason, use a symbolic value.
if (InitVal.isUnknownOrUndef()) {
SValBuilder &SVB = getSValBuilder();
- InitVal = SVB.conjureSymbolVal(BMI->getInit(), stackFrame,
- Field->getType(),
- currBldrCtx->blockCount());
+ InitVal =
+ SVB.conjureSymbolVal(getCFGElementRef(), stackFrame,
+ Field->getType(), currBldrCtx->blockCount());
}
} else {
InitVal = State->getSVal(BMI->getInit(), stackFrame);
@@ -2042,9 +2042,9 @@ void ExprEngine::Visit(const Stmt *S, ExplodedNode *Pred,
for (const auto N : preVisit) {
const LocationContext *LCtx = N->getLocationContext();
- SVal result = svalBuilder.conjureSymbolVal(nullptr, Ex, LCtx,
- resultType,
- currBldrCtx->blockCount());
+ SVal result =
+ svalBuilder.conjureSymbolVal(nullptr, getCFGElementRef(), LCtx,
+ resultType, currBldrCtx->blockCount());
ProgramStateRef State = N->getState()->BindExpr(Ex, LCtx, result);
// Escape pointers passed into the list, unless it's an ObjC boxed
@@ -2549,8 +2549,8 @@ void ExprEngine::processCFGBlockEntrance(const BlockEdge &L,
return;
// Widen.
const LocationContext *LCtx = Pred->getLocationContext();
- ProgramStateRef WidenedState =
- getWidenedLoopState(Pred->getState(), LCtx, BlockCount, Term);
+ ProgramStateRef WidenedState = getWidenedLoopState(
+ Pred->getState(), LCtx, BlockCount, getCFGElementRef());
nodeBuilder.generateNode(WidenedState, Pred);
return;
}
@@ -3511,11 +3511,10 @@ void ExprEngine::VisitAtomicExpr(const AtomicExpr *AE, ExplodedNode *Pred,
ValuesToInvalidate.push_back(SubExprVal);
}
- State = State->invalidateRegions(ValuesToInvalidate, AE,
- currBldrCtx->blockCount(),
- LCtx,
- /*CausedByPointerEscape*/true,
- /*Symbols=*/nullptr);
+ State = State->invalidateRegions(ValuesToInvalidate, getCFGElementRef(),
+ currBldrCtx->blockCount(), LCtx,
+ /*CausedByPointerEscape*/ true,
+ /*Symbols=*/nullptr);
SVal ResultVal = UnknownVal();
State = State->BindExpr(AE, LCtx, ResultVal);
@@ -3862,7 +3861,8 @@ void ExprEngine::VisitGCCAsmStmt(const GCCAsmStmt *A, ExplodedNode *Pred,
assert(!isa<NonLoc>(X)); // Should be an Lval, or unknown, undef.
if (std::optional<Loc> LV = X.getAs<Loc>())
- state = state->invalidateRegions(*LV, A, currBldrCtx->blockCount(),
+ state = state->invalidateRegions(*LV, getCFGElementRef(),
+ currBldrCtx->blockCount(),
Pred->getLocationContext(),
/*CausedByPointerEscape=*/true);
}
@@ -3872,7 +3872,8 @@ void ExprEngine::VisitGCCAsmStmt(const GCCAsmStmt *A, ExplodedNode *Pred,
SVal X = state->getSVal(I, Pred->getLocationContext());
if (std::optional<Loc> LV = X.getAs<Loc>())
- state = state->invalidateRegions(*LV, A, currBldrCtx->blockCount(),
+ state = state->invalidateRegions(*LV, getCFGElementRef(),
+ currBldrCtx->blockCount(),
Pred->getLocationContext(),
/*CausedByPointerEscape=*/true);
}
diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp
index 1061dafbb2473..8f03f6bbeb4c8 100644
--- a/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp
@@ -12,6 +12,7 @@
#include "clang/AST/DeclCXX.h"
#include "clang/AST/ExprCXX.h"
+#include "clang/Analysis/CFG.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include <optional>
@@ -21,18 +22,19 @@ using namespace ento;
using llvm::APSInt;
/// Optionally conjure and return a symbol for offset when processing
-/// an expression \p Expression.
+/// a \p CFGElementRef.
/// If \p Other is a location, conjure a symbol for \p Symbol
/// (offset) if it is unknown so that memory arithmetic always
/// results in an ElementRegion.
/// \p Count The number of times the current basic block was visited.
-static SVal conjureOffsetSymbolOnLocation(
- SVal Symbol, SVal Other, Expr* Expression, SValBuilder &svalBuilder,
- unsigned Count, const LocationContext *LCtx) {
- QualType Ty = Expression->getType();
+static SVal conjureOffsetSymbolOnLocation(SVal Symbol, SVal Other,
+ CFGBlock::ConstCFGElementRef ElemRef,
+ QualType Ty, SValBuilder &svalBuilder,
+ unsigned Count,
+ const LocationContext *LCtx) {
if (isa<Loc>(Other) && Ty->isIntegralOrEnumerationType() &&
Symbol.isUnknown()) {
- return svalBuilder.conjureSymbolVal(Expression, LCtx, Ty, Count);
+ return svalBuilder.conjureSymbolVal(ElemRef, LCtx, Ty, Count);
}
return Symbol;
}
@@ -65,7 +67,7 @@ void ExprEngine::VisitBinaryOperator(const BinaryOperator* B,
// FIXME: Handle structs.
if (RightV.isUnknown()) {
unsigned Count = currBldrCtx->blockCount();
- RightV = svalBuilder.conjureSymbolVal(nullptr, B->getRHS(), LCtx,
+ RightV = svalBuilder.conjureSymbolVal(nullptr, getCFGElementRef(), LCtx,
Count);
}
// Simulate the effects of a "store": bind the value of the RHS
@@ -84,9 +86,11 @@ void ExprEngine::VisitBinaryOperator(const BinaryOperator* B,
// SymSymExpr.
unsigned Count = currBldrCtx->blockCount();
RightV = conjureOffsetSymbolOnLocation(
- RightV, LeftV, RHS, svalBuilder, Count, LCtx);
- LeftV = conjureOffsetSymbolOnLocation(
- LeftV, RightV, LHS, svalBuilder, Count, LCtx);
+ RightV, LeftV, getCFGElementRef(), RHS->getType(), svalBuilder,
+ Count, LCtx);
+ LeftV = conjureOffsetSymbolOnLocation(LeftV, RightV, getCFGElementRef(),
+ LHS->getType(), svalBuilder,
+ Count, LCtx);
}
// Although we don't yet model pointers-to-members, we do need to make
@@ -165,8 +169,8 @@ void ExprEngine::VisitBinaryOperator(const BinaryOperator* B,
// The symbolic value is actually for the type of the left-hand side
// expression, not the computation type, as this is the value the
// LValue on the LHS will bind to.
- LHSVal = svalBuilder.conjureSymbolVal(nullptr, B->getRHS(), LCtx, LTy,
- currBldrCtx->blockCount());
+ LHSVal = svalBuilder.conjureSymbolVal(nullptr, getCFGElementRef(), LCtx,
+ LTy, currBldrCtx->blockCount());
// However, we need to convert the symbol to the computation type.
Result = svalBuilder.evalCast(LHSVal, CTy, LTy);
} else {
@@ -459,9 +463,9 @@ void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
} else {
// If we don't know if the cast succeeded, conjure a new symbol.
if (val.isUnknown()) {
- DefinedOrUnknownSVal NewSym =
- svalBuilder.conjureSymbolVal(nullptr, CastE, LCtx, resultType,
- currBldrCtx->blockCount());
+ DefinedOrUnknownSVal NewSym = svalBuilder.conjureSymbolVal(
+ nullptr, getCFGElementRef(), LCtx, resultType,
+ currBldrCtx->blockCount());
state = state->BindExpr(CastE, LCtx, NewSym);
} else
// Else, bind to the derived region value.
@@ -483,9 +487,9 @@ void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
// Failed to cast or the result is unknown, fall back to conservative.
if (val.isUnknown()) {
- val =
- svalBuilder.conjureSymbolVal(nullptr, CastE, LCtx, resultType,
- currBldrCtx->blockCount());
+ val = svalBuilder.conjureSymbolVal(nullptr, getCFGElementRef(), LCtx,
+ resultType,
+ currBldrCtx->blockCount());
}
state = state->BindExpr(CastE, LCtx, val);
Bldr.generateNode(CastE, Pred, state);
@@ -529,7 +533,7 @@ void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
if (CastE->isGLValue())
resultType = getContext().getPointerType(resultType);
SVal result = svalBuilder.conjureSymbolVal(
- /*symbolTag=*/nullptr, CastE, LCtx, resultType,
+ /*symbolTag=*/nullptr, getCFGElementRef(), LCtx, resultType,
currBldrCtx->blockCount());
state = state->BindExpr(CastE, LCtx, result);
Bldr.generateNode(CastE, Pred, state);
@@ -621,8 +625,8 @@ void ExprEngine::VisitDeclStmt(const DeclStmt *DS, ExplodedNode *Pred,
Ty = getContext().getPointerType(Ty);
}
- InitVal = svalBuilder.conjureSymbolVal(nullptr, InitEx, LC, Ty,
- currBldrCtx->blockCount());
+ InitVal = svalBuilder.conjureSymbolVal(
+ nullptr, getCFGElementRef(), LC, Ty, currBldrCtx->blockCount());
}
@@ -839,7 +843,7 @@ void ExprEngine::VisitGuardedExpr(const Expr *Ex,
}
if (!hasValue)
- V = svalBuilder.conjureSymbolVal(nullptr, Ex, LCtx,
+ V = svalBuilder.conjureSymbolVal(nullptr, getCFGElementRef(), LCtx,
currBldrCtx->blockCount());
// Generate a new node with the binding from the appropriate path.
@@ -1121,9 +1125,8 @@ void ExprEngine::VisitIncrementDecrementOperator(const UnaryOperator* U,
// Conjure a new symbol if necessary to recover precision.
if (Result.isUnknown()){
- DefinedOrUnknownSVal SymVal =
- svalBuilder.conjureSymbolVal(nullptr, U, LCtx,
- currBldrCtx->blockCount());
+ DefinedOrUnknownSVal SymVal = svalBuilder.conjureSymbolVal(
+ nullptr, getCFGElementRef(), LCtx, currBldrCtx->blockCount());
Result = SymVal;
// If the value is a location, ++/-- should always preserve
diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
index f7020da2e6da2..ada7a2e7f51ad 100644
--- a/clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
@@ -235,8 +235,8 @@ SVal ExprEngine::computeObjectUnderConstruction(
assert(RetE && "Void returns should not have a construction context");
QualType ReturnTy = RetE->getType();
QualType RegionTy = ACtx.getPointerType(ReturnTy);
- return SVB.conjureSymbolVal(&TopLevelSymRegionTag, RetE, SFC, RegionTy,
- currBldrCtx->blockCount());
+ return SVB.conjureSymbolVal(&TopLevelSymRegionTag, getCFGElementRef(),
+ SFC, RegionTy, currBldrCtx->blockCount());
}
llvm_unreachable("Unhandled return value construction context!");
}
@@ -967,9 +967,10 @@ void ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred,
// a custom global allocator.
if (symVal.isUnknown()) {
if (IsStandardGlobalOpNewFunction)
- symVal = svalBuilder.getConjuredHeapSymbolVal(CNE, LCtx, blockCount);
+ symVal = svalBuilder.getConjuredHeapSymbolVal(getCFGElementRef(), LCtx,
+ CNE->getType(), blockCount);
else
- symVal = svalBuilder.conjureSymbolVal(nullptr, CNE, LCtx, CNE->getType(),
+ symVal = svalBuilder.conjureSymbolVal(nullptr, getCFGElementRef(), LCtx,
blockCount);
}
@@ -1102,7 +1103,7 @@ void ExprEngine::VisitCXXCatchStmt(const CXXCatchStmt *CS, ExplodedNode *Pred,
}
const LocationContext *LCtx = Pred->getLocationContext();
- SVal V = svalBuilder.conjureSymbolVal(CS, LCtx, VD->getType(),
+ SVal V = svalBuilder.conjureSymbolVal(getCFGElementRef(), LCtx, VD->getType(),
currBldrCtx->blockCount());
ProgramStateRef state = Pred->getState();
state = state->bindLoc(state->getLValue(VD, LCtx), V, LCtx);
diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
index 02facf786830d..33c84b55ab743 100644
--- a/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
@@ -15,6 +15,7 @@
#include "clang/AST/Decl.h"
#include "clang/AST/DeclCXX.h"
#include "clang/Analysis/Analyses/LiveVariables.h"
+#include "clang/Analysis/CFG.h"
#include "clang/Analysis/ConstructionContext.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
@@ -746,6 +747,7 @@ ProgramStateRef ExprEngine::bindReturnValue(const CallEvent &Call,
const LocationContext *LCtx,
ProgramStateRef State) {
const Expr *E = Call.getOriginExpr();
+ const CFGBlock::ConstCFGElementRef ElemRef = Call.getCFGElementRef();
if (!E)
return State;
@@ -788,7 +790,7 @@ ProgramStateRef ExprEngine::bindReturnValue(const CallEvent &Call,
RegionAndSymbolInvalidationTraits ITraits;
ITraits.setTrait(TargetR,
RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
- State = State->invalidateRegions(TargetR, E, Count, LCtx,
+ State = State->invalidateRegions(TargetR, ElemRef, Count, LCtx,
/* CausesPointerEscape=*/false, nullptr,
&Call, &ITraits);
@@ -800,7 +802,8 @@ ProgramStateRef ExprEngine::bindReturnValue(const CallEvent &Call,
// a regular unknown pointer.
const auto *CNE = dyn_cast<CXXNewExpr>(E);
if (CNE && CNE->getOperatorNew()->isReplaceableGlobalAllocationFunction()) {
- R = svalBuilder.getConjuredHeapSymbolVal(E, LCtx, Count);
+ R = svalBuilder.getConjuredHeapSymbolVal(ElemRef, LCtx, E->getType(),
+ Count);
const MemRegion *MR = R.getAsRegion()->StripCasts();
// Store the extent of the allocated object(s).
@@ -824,7 +827,7 @@ ProgramStateRef ExprEngine::bindReturnValue(const CallEvent &Call,
State = setDynamicExtent(State, MR, Size.castAs<DefinedOrUnknownSVal>());
} else {
- R = svalBuilder.conjureSymbolVal(nullptr, E, LCtx, ResultTy, Count);
+ R = svalBuilder.conjureSymbolVal(ElemRef, LCtx, ResultTy, Count);
}
}
return State->BindExpr(E, LCtx, R);
diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngineObjC.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngineObjC.cpp
index 9426e0afd65a0..ac67b9e1dc301 100644
--- a/clang/lib/StaticAnalyzer/Core/ExprEngineObjC.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngineObjC.cpp
@@ -45,8 +45,8 @@ void ExprEngine::VisitObjCAtSynchronizedStmt(const ObjCAtSynchronizedStmt *S,
/// for-loop iterator.
static void populateObjCForDestinationSet(
ExplodedNodeSet &dstLocation, SValBuilder &svalBuilder,
- const ObjCForCollectionStmt *S, const Stmt *elem, SVal elementV,
- SymbolManager &SymMgr, const NodeBuilderContext *currBldrCtx,
+ const ObjCForCollectionStmt *S, const CFGBlock::ConstCFGElementRef elemRef,
+ SVal elementV, SymbolManager &SymMgr, const NodeBuilderContext *currBldrCtx,
StmtNodeBuilder &Bldr, bool hasElements) {
for (ExplodedNode *Pred : dstLocation) {
@@ -66,8 +66,8 @@ static void populateObjCForDestinationSet(
SVal V;
if (hasElements) {
- SymbolRef Sym = SymMgr.conjureSymbol(elem, LCtx, T,
- currBldrCtx->blockCount());
+ SymbolRef Sym =
+ SymMgr.conjureSymbol(elemRef, LCtx, T, currBldrCtx->blockCount());
V = svalBuilder.makeLoc(Sym);
} else {
V = svalBuilder.makeIntVal(0, T);
@@ -110,6 +110,7 @@ void ExprEngine::VisitObjCForCollectionStmt(const ObjCForCollectionStmt *S,
const Stmt *elem = S->getElement();
const Stmt *collection = S->getCollection();
+ const CFGBlock::ConstCFGElementRef elemRef = getCFGElementRef();
ProgramStateRef state = Pred->getState();
SVal collectionV = state->getSVal(collection, Pred->getLocationContext());
@@ -132,11 +133,12 @@ void ExprEngine::VisitObjCForCollectionStmt(const ObjCForCollectionStmt *S,
StmtNodeBuilder Bldr(dstLocation, Tmp, *currBldrCtx);
if (!isContainerNull)
- populateObjCForDestinationSet(DstLocationSingleton, svalBuilder, S, elem,
- elementV, SymMgr, currBldrCtx, Bldr,
+ populateObjCForDestinationSet(DstLocationSingleton, svalBuilder, S,
+ elemRef, elementV, SymMgr, currBldrCtx,
+ Bldr,
/*hasElements=*/true);
- populateObjCForDestinationSet(DstLocationSingleton, svalBuilder, S, elem,
+ populateObjCForDestinationSet(DstLocationSingleton, svalBuilder, S, elemRef,
elementV, SymMgr, currBldrCtx, Bldr,
/*hasElements=*/false);
diff --git a/clang/lib/StaticAnalyzer/Core/LoopWidening.cpp b/clang/lib/StaticAnalyzer/Core/LoopWidening.cpp
index 9e42801760622..f28b0ae9cec85 100644
--- a/clang/lib/StaticAnalyzer/Core/LoopWidening.cpp
+++ b/clang/lib/StaticAnalyzer/Core/LoopWidening.cpp
@@ -13,10 +13,11 @@
///
//===----------------------------------------------------------------------===//
+#include "clang/StaticAnalyzer/Core/PathSensitive/LoopWidening.h"
#include "clang/AST/AST.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
+#include "clang/Analysis/CFG.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
-#include "clang/StaticAnalyzer/Core/PathSensitive/LoopWidening.h"
using namespace clang;
using namespace ento;
@@ -24,31 +25,13 @@ using namespace clang::ast_matchers;
const auto MatchRef = "matchref";
-/// Return the loops condition Stmt or NULL if LoopStmt is not a loop
-static const Expr *getLoopCondition(const Stmt *LoopStmt) {
- switch (LoopStmt->getStmtClass()) {
- default:
- return nullptr;
- case Stmt::ForStmtClass:
- return cast<ForStmt>(LoopStmt)->getCond();
- case Stmt::WhileStmtClass:
- return cast<WhileStmt>(LoopStmt)->getCond();
- case Stmt::DoStmtClass:
- return cast<DoStmt>(LoopStmt)->getCond();
- case Stmt::CXXForRangeStmtClass:
- return cast<CXXForRangeStmt>(LoopStmt)->getCond();
- }
-}
-
namespace clang {
namespace ento {
-ProgramStateRef getWidenedLoopState(ProgramStateRef PrevState,
- const LocationContext *LCtx,
- unsigned BlockCount, const Stmt *LoopStmt) {
-
- assert((isa<ForStmt, WhileStmt, DoStmt, CXXForRangeStmt>(LoopStmt)));
-
+ProgramStateRef
+getWidenedLoopState(ProgramStateRef PrevState, const LocationContext *LCtx,
+ unsigned BlockCount,
+ const CFGBlock::ConstCFGElementRef ElemRef) {
// Invalidate values in the current state.
// TODO Make this more conservative by only invalidating values that might
// be modified by the body of the loop.
@@ -93,9 +76,8 @@ ProgramStateRef getWidenedLoopState(ProgramStateRef PrevState,
RegionAndSymbolInvalidationTraits::TK_PreserveContents);
}
- return PrevState->invalidateRegions(Regions, getLoopCondition(LoopStmt),
- BlockCount, LCtx, true, nullptr, nullptr,
- &ITraits);
+ return PrevState->invalidateRegions(Regions, ElemRef, BlockCount, LCtx, true,
+ nullptr, nullptr, &ITraits);
}
} // end namespace ento
diff --git a/clang/lib/StaticAnalyzer/Core/ProgramState.cpp b/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
index 492209d4d2bf0..31a2803bb7729 100644
--- a/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
@@ -149,21 +149,21 @@ typedef ArrayRef<const MemRegion *> RegionList;
typedef ArrayRef<SVal> ValueList;
ProgramStateRef ProgramState::invalidateRegions(
- RegionList Regions, const Stmt *S, unsigned Count,
- const LocationContext *LCtx, bool CausedByPointerEscape,
+ RegionList Regions, const CFGBlock::ConstCFGElementRef ElemRef,
+ unsigned Count, const LocationContext *LCtx, bool CausedByPointerEscape,
InvalidatedSymbols *IS, const CallEvent *Call,
RegionAndSymbolInvalidationTraits *ITraits) const {
SmallVector<SVal, 8> Values;
for (const MemRegion *Reg : Regions)
Values.push_back(loc::MemRegionVal(Reg));
- return invalidateRegions(Values, S, Count, LCtx, CausedByPointerEscape, IS,
- Call, ITraits);
+ return invalidateRegions(Values, ElemRef, Count, LCtx, CausedByPointerEscape,
+ IS, Call, ITraits);
}
ProgramStateRef ProgramState::invalidateRegions(
- ValueList Values, const Stmt *S, unsigned Count,
- const LocationContext *LCtx, bool CausedByPointerEscape,
+ ValueList Values, const CFGBlock::ConstCFGElementRef ElemRef,
+ unsigned Count, const LocationContext *LCtx, bool CausedByPointerEscape,
InvalidatedSymbols *IS, const CallEvent *Call,
RegionAndSymbolInvalidationTraits *ITraits) const {
@@ -181,7 +181,7 @@ ProgramStateRef ProgramState::invalidateRegions(
StoreManager::InvalidatedRegions TopLevelInvalidated;
StoreManager::InvalidatedRegions Invalidated;
const StoreRef &NewStore = Mgr.StoreMgr->invalidateRegions(
- getStore(), Values, S, Count, LCtx, Call, *IS, *ITraits,
+ getStore(), Values, ElemRef, Count, LCtx, Call, *IS, *ITraits,
&TopLevelInvalidated, &Invalidated);
ProgramStateRef NewState = makeWithStore(NewStore);
diff --git a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
index 79cb5a07701fd..9ef24c497bb0a 100644
--- a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
+++ b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -19,6 +19,7 @@
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/Analysis/Analyses/LiveVariables.h"
#include "clang/Analysis/AnalysisDeclContext.h"
+#include "clang/Analysis/CFG.h"
#include "clang/Basic/JsonSupport.h"
#include "clang/Basic/TargetInfo.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
@@ -563,13 +564,14 @@ class RegionStoreManager : public StoreManager {
//===-------------------------------------------------------------------===//
// Binding values to regions.
//===-------------------------------------------------------------------===//
- RegionBindingsRef invalidateGlobalRegion(MemRegion::Kind K, const Stmt *S,
- unsigned Count,
- const LocationContext *LCtx,
- RegionBindingsRef B,
- InvalidatedRegions *Invalidated);
+ RegionBindingsRef
+ invalidateGlobalRegion(MemRegion::Kind K,
+ const CFGBlock::ConstCFGElementRef ElemRef,
+ unsigned Count, const LocationContext *LCtx,
+ RegionBindingsRef B, InvalidatedRegions *Invalidated);
- StoreRef invalidateRegions(Store store, ArrayRef<SVal> Values, const Stmt *S,
+ StoreRef invalidateRegions(Store store, ArrayRef<SVal> Values,
+ const CFGBlock::ConstCFGElementRef ElemRef,
unsigned Count, const LocationContext *LCtx,
const CallEvent *Call, InvalidatedSymbols &IS,
RegionAndSymbolInvalidationTraits &ITraits,
@@ -1147,7 +1149,7 @@ RegionStoreManager::removeSubRegionBindings(LimitedRegionBindingsConstRef B,
namespace {
class InvalidateRegionsWorker : public ClusterAnalysis<InvalidateRegionsWorker>
{
- const Stmt *S;
+ const CFGBlock::ConstCFGElementRef ElemRef;
unsigned Count;
const LocationContext *LCtx;
InvalidatedSymbols &IS;
@@ -1156,14 +1158,16 @@ class InvalidateRegionsWorker : public ClusterAnalysis<InvalidateRegionsWorker>
GlobalsFilterKind GlobalsFilter;
public:
InvalidateRegionsWorker(RegionStoreManager &rm, ProgramStateManager &stateMgr,
- RegionBindingsRef b, const Stmt *S, unsigned count,
- const LocationContext *lctx, InvalidatedSymbols &is,
+ RegionBindingsRef b,
+ const CFGBlock::ConstCFGElementRef elemRef,
+ unsigned count, const LocationContext *lctx,
+ InvalidatedSymbols &is,
RegionAndSymbolInvalidationTraits &ITraitsIn,
StoreManager::InvalidatedRegions *r,
GlobalsFilterKind GFK)
- : ClusterAnalysis<InvalidateRegionsWorker>(rm, stateMgr, b), S(S),
- Count(count), LCtx(lctx), IS(is), ITraits(ITraitsIn), Regions(r),
- GlobalsFilter(GFK) {}
+ : ClusterAnalysis<InvalidateRegionsWorker>(rm, stateMgr, b),
+ ElemRef(elemRef), Count(count), LCtx(lctx), IS(is), ITraits(ITraitsIn),
+ Regions(r), GlobalsFilter(GFK) {}
void VisitCluster(const MemRegion *baseR, const ClusterBindings *C);
void VisitBinding(SVal V);
@@ -1296,7 +1300,7 @@ void InvalidateRegionsWorker::VisitCluster(const MemRegion *baseR,
// Invalidate the region by setting its default value to
// conjured symbol. The type of the symbol is irrelevant.
DefinedOrUnknownSVal V =
- svalBuilder.conjureSymbolVal(baseR, S, LCtx, Ctx.IntTy, Count);
+ svalBuilder.conjureSymbolVal(baseR, ElemRef, LCtx, Ctx.IntTy, Count);
B = B.addBinding(baseR, BindingKey::Default, V);
return;
}
@@ -1318,7 +1322,7 @@ void InvalidateRegionsWorker::VisitCluster(const MemRegion *baseR,
// Invalidate the region by setting its default value to
// conjured symbol. The type of the symbol is irrelevant.
DefinedOrUnknownSVal V =
- svalBuilder.conjureSymbolVal(baseR, S, LCtx, Ctx.IntTy, Count);
+ svalBuilder.conjureSymbolVal(baseR, ElemRef, LCtx, Ctx.IntTy, Count);
B = B.addBinding(baseR, BindingKey::Default, V);
return;
}
@@ -1386,13 +1390,13 @@ void InvalidateRegionsWorker::VisitCluster(const MemRegion *baseR,
conjure_default:
// Set the default value of the array to conjured symbol.
DefinedOrUnknownSVal V = svalBuilder.conjureSymbolVal(
- baseR, S, LCtx, AT->getElementType(), Count);
+ baseR, ElemRef, LCtx, AT->getElementType(), Count);
B = B.addBinding(baseR, BindingKey::Default, V);
return;
}
DefinedOrUnknownSVal V =
- svalBuilder.conjureSymbolVal(baseR, S, LCtx, T, Count);
+ svalBuilder.conjureSymbolVal(baseR, ElemRef, LCtx, T, Count);
assert(SymbolManager::canSymbolicate(T) || V.isUnknown());
B = B.addBinding(baseR, BindingKey::Direct, V);
}
@@ -1421,15 +1425,15 @@ bool InvalidateRegionsWorker::includeEntireMemorySpace(const MemRegion *Base) {
}
RegionBindingsRef RegionStoreManager::invalidateGlobalRegion(
- MemRegion::Kind K, const Stmt *S, unsigned Count,
- const LocationContext *LCtx, RegionBindingsRef B,
+ MemRegion::Kind K, const CFGBlock::ConstCFGElementRef ElemRef,
+ unsigned Count, const LocationContext *LCtx, RegionBindingsRef B,
InvalidatedRegions *Invalidated) {
// Bind the globals memory space to a new symbol that we will use to derive
// the bindings for all globals.
const GlobalsSpaceRegion *GS = MRMgr.getGlobalsRegion(K);
- SVal V =
- svalBuilder.conjureSymbolVal(/* symbolTag = */ (const void *)GS, S, LCtx,
- /* type does not matter */ Ctx.IntTy, Count);
+ SVal V = svalBuilder.conjureSymbolVal(
+ /* symbolTag = */ (const void *)GS, ElemRef, LCtx,
+ /* type does not matter */ Ctx.IntTy, Count);
B = B.removeBinding(GS)
.addBinding(BindingKey::Make(GS, BindingKey::Default), V);
@@ -1464,7 +1468,8 @@ void RegionStoreManager::populateWorkList(InvalidateRegionsWorker &W,
}
StoreRef RegionStoreManager::invalidateRegions(
- Store store, ArrayRef<SVal> Values, const Stmt *S, unsigned Count,
+ Store store, ArrayRef<SVal> Values,
+ const CFGBlock::ConstCFGElementRef ElemRef, unsigned Count,
const LocationContext *LCtx, const CallEvent *Call, InvalidatedSymbols &IS,
RegionAndSymbolInvalidationTraits &ITraits,
InvalidatedRegions *TopLevelRegions, InvalidatedRegions *Invalidated) {
@@ -1479,8 +1484,8 @@ StoreRef RegionStoreManager::invalidateRegions(
}
RegionBindingsRef B = getRegionBindings(store);
- InvalidateRegionsWorker W(*this, StateMgr, B, S, Count, LCtx, IS, ITraits,
- Invalidated, GlobalsFilter);
+ InvalidateRegionsWorker W(*this, StateMgr, B, ElemRef, Count, LCtx, IS,
+ ITraits, Invalidated, GlobalsFilter);
// Scan the bindings and generate the clusters.
W.GenerateClusters();
@@ -1499,12 +1504,12 @@ StoreRef RegionStoreManager::invalidateRegions(
// TODO: This could possibly be more precise with modules.
switch (GlobalsFilter) {
case GFK_All:
- B = invalidateGlobalRegion(MemRegion::GlobalInternalSpaceRegionKind, S,
- Count, LCtx, B, Invalidated);
+ B = invalidateGlobalRegion(MemRegion::GlobalInternalSpaceRegionKind,
+ ElemRef, Count, LCtx, B, Invalidated);
[[fallthrough]];
case GFK_SystemOnly:
- B = invalidateGlobalRegion(MemRegion::GlobalSystemSpaceRegionKind, S, Count,
- LCtx, B, Invalidated);
+ B = invalidateGlobalRegion(MemRegion::GlobalSystemSpaceRegionKind, ElemRef,
+ Count, LCtx, B, Invalidated);
[[fallthrough]];
case GFK_None:
break;
diff --git a/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp b/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp
index 4f45b24be86c1..5b73eb76cae95 100644
--- a/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp
+++ b/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp
@@ -20,6 +20,7 @@
#include "clang/AST/Stmt.h"
#include "clang/AST/Type.h"
#include "clang/Analysis/AnalysisDeclContext.h"
+#include "clang/Analysis/CFG.h"
#include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
@@ -36,6 +37,7 @@
#include "llvm/ADT/APSInt.h"
#include "llvm/Support/Casting.h"
#include "llvm/Support/Compiler.h"
+#include "llvm/Support/raw_ostream.h"
#include <cassert>
#include <optional>
#include <tuple>
@@ -151,10 +153,13 @@ SValBuilder::getRegionValueSymbolVal(const TypedValueRegion *region) {
return nonloc::SymbolVal(sym);
}
-DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const void *SymbolTag,
- const Expr *Ex,
- const LocationContext *LCtx,
- unsigned Count) {
+/// When using this overload, the \p elemRef provided must be a \p CFGStmt.
+DefinedOrUnknownSVal
+SValBuilder::conjureSymbolVal(const void *SymbolTag,
+ const CFGBlock::ConstCFGElementRef elemRef,
+ const LocationContext *LCtx, unsigned Count) {
+ const Expr *Ex = dyn_cast<Expr>(elemRef->getAs<CFGStmt>()->getStmt());
+ assert(Ex && "elemRef must be a CFGStmt containing an Expr");
QualType T = Ex->getType();
if (T->isNullPtrType())
@@ -166,21 +171,19 @@ DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const void *SymbolTag,
if (Ex->isGLValue())
T = LCtx->getAnalysisDeclContext()->getASTContext().getPointerType(ExType);
- return conjureSymbolVal(SymbolTag, Ex, LCtx, T, Count);
+ return conjureSymbolVal(SymbolTag, elemRef, LCtx, T, Count);
}
-DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const void *symbolTag,
- const Stmt *St,
- const LocationContext *LCtx,
- QualType type,
- unsigned count) {
+DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(
+ const void *symbolTag, const CFGBlock::ConstCFGElementRef elemRef,
+ const LocationContext *LCtx, QualType type, unsigned count) {
if (type->isNullPtrType())
return makeZeroVal(type);
if (!SymbolManager::canSymbolicate(type))
return UnknownVal();
- SymbolRef sym = SymMgr.conjureSymbol(St, LCtx, type, count, symbolTag);
+ SymbolRef sym = SymMgr.conjureSymbol(elemRef, LCtx, type, count, symbolTag);
if (Loc::isLocType(type))
return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
@@ -188,17 +191,17 @@ DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const void *symbolTag,
return nonloc::SymbolVal(sym);
}
-DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const Stmt *stmt,
- const LocationContext *LCtx,
- QualType type,
- unsigned visitCount) {
+DefinedOrUnknownSVal
+SValBuilder::conjureSymbolVal(const CFGBlock::ConstCFGElementRef elemRef,
+ const LocationContext *LCtx, QualType type,
+ unsigned visitCount) {
if (type->isNullPtrType())
return makeZeroVal(type);
if (!SymbolManager::canSymbolicate(type))
return UnknownVal();
- SymbolRef sym = SymMgr.conjureSymbol(stmt, LCtx, type, visitCount);
+ SymbolRef sym = SymMgr.conjureSymbol(elemRef, LCtx, type, visitCount);
if (Loc::isLocType(type))
return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
@@ -206,17 +209,9 @@ DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const Stmt *stmt,
return nonloc::SymbolVal(sym);
}
-DefinedSVal SValBuilder::getConjuredHeapSymbolVal(const Expr *E,
- const LocationContext *LCtx,
- unsigned VisitCount) {
- QualType T = E->getType();
- return getConjuredHeapSymbolVal(E, LCtx, T, VisitCount);
-}
-
-DefinedSVal SValBuilder::getConjuredHeapSymbolVal(const Expr *E,
- const LocationContext *LCtx,
- QualType type,
- unsigned VisitCount) {
+DefinedSVal SValBuilder::getConjuredHeapSymbolVal(
+ const CFGBlock::ConstCFGElementRef elemRef, const LocationContext *LCtx,
+ QualType type, unsigned VisitCount) {
assert(Loc::isLocType(type));
assert(SymbolManager::canSymbolicate(type));
if (type->isNullPtrType()) {
@@ -225,7 +220,7 @@ DefinedSVal SValBuilder::getConjuredHeapSymbolVal(const Expr *E,
return makeZeroVal(type).castAs<DefinedSVal>();
}
- SymbolRef sym = SymMgr.conjureSymbol(E, LCtx, type, VisitCount);
+ SymbolRef sym = SymMgr.conjureSymbol(elemRef, LCtx, type, VisitCount);
return loc::MemRegionVal(MemMgr.getSymbolicHeapRegion(sym));
}
diff --git a/clang/lib/StaticAnalyzer/Core/SymbolManager.cpp b/clang/lib/StaticAnalyzer/Core/SymbolManager.cpp
index a4648f5922ef1..41df94271c849 100644
--- a/clang/lib/StaticAnalyzer/Core/SymbolManager.cpp
+++ b/clang/lib/StaticAnalyzer/Core/SymbolManager.cpp
@@ -81,12 +81,8 @@ void UnarySymExpr::dumpToStream(raw_ostream &os) const {
}
void SymbolConjured::dumpToStream(raw_ostream &os) const {
- os << getKindStr() << getSymbolID() << '{' << T << ", LC" << LCtx->getID();
- if (S)
- os << ", S" << S->getID(LCtx->getDecl()->getASTContext());
- else
- os << ", no stmt";
- os << ", #" << Count << '}';
+ os << getKindStr() << getSymbolID() << '{' << T << ", LC" << LCtx->getID()
+ << ", CFGElemRef" << ElemRef.getID() << ", #" << Count << '}';
}
void SymbolDerived::dumpToStream(raw_ostream &os) const {
diff --git a/clang/test/Analysis/class-object-state-dump.m b/clang/test/Analysis/class-object-state-dump.m
index 740e517b83020..f0f39c1c409c7 100644
--- a/clang/test/Analysis/class-object-state-dump.m
+++ b/clang/test/Analysis/class-object-state-dump.m
@@ -28,8 +28,8 @@ + (void)test {
clang_analyzer_printState();
// CHECK: "class_object_types": [
- // CHECK-NEXT: { "symbol": "conj_$[[#]]{Class, LC[[#]], S[[#]], #[[#]]}", "dyn_type": "Child", "sub_classable": true },
- // CHECK-NEXT: { "symbol": "conj_$[[#]]{Class, LC[[#]], S[[#]], #[[#]]}", "dyn_type": "Child", "sub_classable": true }
+ // CHECK-NEXT: { "symbol": "conj_$[[#]]{Class, LC[[#]], CFGElemRef[[#]], #[[#]]}", "dyn_type": "Child", "sub_classable": true },
+ // CHECK-NEXT: { "symbol": "conj_$[[#]]{Class, LC[[#]], CFGElemRef[[#]], #[[#]]}", "dyn_type": "Child", "sub_classable": true }
// CHECK-NEXT: ]
// Let's make sure that the information is not GC'd away.
diff --git a/clang/test/Analysis/container-modeling.cpp b/clang/test/Analysis/container-modeling.cpp
index bf4a12a0e0fe2..46e7d91d46ccf 100644
--- a/clang/test/Analysis/container-modeling.cpp
+++ b/clang/test/Analysis/container-modeling.cpp
@@ -196,7 +196,7 @@ void pop_front(std::list<int> &L, int n) {
void push_back() {
std::vector<int> V;
V.end();
-
+
clang_analyzer_denote(clang_analyzer_container_end(V), "$V.end()");
V.push_back(1); // expected-note{{Container 'V' extended to the back by 1 position}}
@@ -251,15 +251,15 @@ void print_state(std::vector<int> &V) {
// CHECK: "checker_messages": [
// CHECK-NEXT: { "checker": "alpha.cplusplus.ContainerModeling", "messages": [
// CHECK-NEXT: "Container Data :",
-// CHECK-NEXT: "SymRegion{reg_$[[#]]<std::vector<int> & V>} : [ conj_$[[#]]{long, LC[[#]], S[[#]], #[[#]]} .. <Unknown> ]"
+// CHECK-NEXT: "SymRegion{reg_$[[#]]<std::vector<int> & V>} : [ conj_$[[#]]{long, LC[[#]], CFGElemRef[[#]], #[[#]]} .. <Unknown> ]"
// CHECK-NEXT: ]}
V.cend();
clang_analyzer_printState();
-
+
// CHECK: "checker_messages": [
// CHECK-NEXT: { "checker": "alpha.cplusplus.ContainerModeling", "messages": [
// CHECK-NEXT: "Container Data :",
-// CHECK-NEXT: "SymRegion{reg_$[[#]]<std::vector<int> & V>} : [ conj_$[[#]]{long, LC[[#]], S[[#]], #[[#]]} .. conj_$[[#]]{long, LC[[#]], S[[#]], #[[#]]} ]"
+// CHECK-NEXT: "SymRegion{reg_$[[#]]<std::vector<int> & V>} : [ conj_$[[#]]{long, LC[[#]], CFGElemRef[[#]], #[[#]]} .. conj_$[[#]]{long, LC[[#]], CFGElemRef[[#]], #[[#]]} ]"
// CHECK-NEXT: ]}
}
diff --git a/clang/test/Analysis/ctor-trivial-copy.cpp b/clang/test/Analysis/ctor-trivial-copy.cpp
index 45c8ca4c51776..eed5f1a93f81e 100644
--- a/clang/test/Analysis/ctor-trivial-copy.cpp
+++ b/clang/test/Analysis/ctor-trivial-copy.cpp
@@ -64,7 +64,7 @@ void _01_empty_structs() {
// CHECK-NEXT: { "kind": "Default", "offset": 0, "value": "conj_$
// CHECK-NEXT: ]},
// CHECK-NEXT: { "cluster": "Empty", "pointer": "0x{{[0-9a-f]+}}", "items": [
- // CHECK-NEXT: { "kind": "Default", "offset": 0, "value": "[[EMPTY_CONJ:conj_\$[0-9]+{int, LC[0-9]+, S[0-9]+, #[0-9]+}]]" }
+ // CHECK-NEXT: { "kind": "Default", "offset": 0, "value": "[[EMPTY_CONJ:conj_\$[0-9]+{int, LC[0-9]+, CFGElemRef[0-9]+, #[0-9]+}]]" }
// CHECK-NEXT: ]},
// CHECK-NEXT: { "cluster": "Empty2", "pointer": "0x{{[0-9a-f]+}}", "items": [
// CHECK-NEXT: { "kind": "Default", "offset": 0, "value": "[[EMPTY_CONJ]]" }
@@ -101,7 +101,7 @@ void _02_structs_with_members() {
// CHECK-NEXT: { "kind": "Default", "offset": 0, "value": "conj_$
// CHECK-NEXT: ]},
// CHECK-NEXT: { "cluster": "Aggr", "pointer": "0x{{[0-9a-f]+}}", "items": [
- // CHECK-NEXT: { "kind": "Default", "offset": 0, "value": "[[AGGR_CONJ:conj_\$[0-9]+{int, LC[0-9]+, S[0-9]+, #[0-9]+}]]" }
+ // CHECK-NEXT: { "kind": "Default", "offset": 0, "value": "[[AGGR_CONJ:conj_\$[0-9]+{int, LC[0-9]+, CFGElemRef[0-9]+, #[0-9]+}]]" }
// CHECK-NEXT: ]},
// CHECK-NEXT: { "cluster": "Aggr2", "pointer": "0x{{[0-9a-f]+}}", "items": [
// CHECK-NEXT: { "kind": "Default", "offset": 0, "value": "[[AGGR_CONJ]]" }
diff --git a/clang/test/Analysis/dump_egraph.cpp b/clang/test/Analysis/dump_egraph.cpp
index 13459699a06f6..313158fe1b7a5 100644
--- a/clang/test/Analysis/dump_egraph.cpp
+++ b/clang/test/Analysis/dump_egraph.cpp
@@ -21,7 +21,6 @@ void foo() {
// CHECK: \"location_context\": \"#0 Call\", \"calling\": \"T::T\", \"location\": \{ \"line\": 15, \"column\": 5, \"file\": \"{{.*}}dump_egraph.cpp\" \}, \"items\": [\l \{ \"init_id\": {{[0-9]+}}, \"kind\": \"construct into member variable\", \"argument_index\": null, \"pretty\": \"s\", \"value\": \"&t.s\"
-// CHECK: \"cluster\": \"t\", \"pointer\": \"{{0x[0-9a-f]+}}\", \"items\": [\l \{ \"kind\": \"Default\", \"offset\": 0, \"value\": \"conj_$3\{int, LC5, no stmt, #1\}\"
-
-// CHECK: \"dynamic_types\": [\l \{ \"region\": \"HeapSymRegion\{conj_$1\{S *, LC1, S{{[0-9]+}}, #1\}\}\", \"dyn_type\": \"S\", \"sub_classable\": false \}\l
+// CHECK: \"cluster\": \"t\", \"pointer\": \"{{0x[0-9a-f]+}}\", \"items\": [\l \{ \"kind\": \"Default\", \"offset\": 0, \"value\": \"conj_$3\{int, LC5, CFGElemRef{{[0-9]+}}, #1\}\"
+// CHECK: \"dynamic_types\": [\l \{ \"region\": \"HeapSymRegion\{conj_$1\{S *, LC1, CFGElemRef{{[0-9]+}}, #1\}\}\", \"dyn_type\": \"S\", \"sub_classable\": false \}\l
diff --git a/clang/test/Analysis/explain-svals.cpp b/clang/test/Analysis/explain-svals.cpp
index d1615e6cc6c9a..defca68ff1e7c 100644
--- a/clang/test/Analysis/explain-svals.cpp
+++ b/clang/test/Analysis/explain-svals.cpp
@@ -52,7 +52,7 @@ void test_2(char *ptr, int ext) {
clang_analyzer_explain(glob_ptr); // expected-warning-re{{{{^value derived from \(symbol of type 'int' conjured at statement 'conjure\(\)'\) for global variable 'glob_ptr'$}}}}
clang_analyzer_explain(clang_analyzer_getExtent(ptr)); // expected-warning-re{{{{^extent of pointee of argument 'ptr'$}}}}
int *x = new int[ext];
- clang_analyzer_explain(x); // expected-warning-re{{{{^pointer to element of type 'int' with index 0 of heap segment that starts at symbol of type 'int \*' conjured at statement 'new int \[ext\]'$}}}}
+ clang_analyzer_explain(x); // expected-warning-re{{{{^pointer to element of type 'int' with index 0 of heap segment that starts at symbol of type 'int \*' conjured at statement 'CFGNewAllocator\(int \*\)'$}}}}
// Sic! What gets computed is the extent of the element-region.
clang_analyzer_explain(clang_analyzer_getExtent(x)); // expected-warning-re{{{{^\(argument 'ext'\) \* 4$}}}}
delete[] x;
@@ -99,8 +99,8 @@ class C {
} // end of anonymous namespace
void test_6() {
- clang_analyzer_explain(conjure_S()); // expected-warning-re{{{{^symbol of type 'int' conjured at statement 'conjure_S\(\)'$}}}}
- clang_analyzer_explain(conjure_S().z); // expected-warning-re{{{{^value derived from \(symbol of type 'int' conjured at statement 'conjure_S\(\)'\) for field 'z' of temporary object constructed at statement 'conjure_S\(\)'$}}}}
+ clang_analyzer_explain(conjure_S()); // expected-warning-re{{{{^symbol of type 'int' conjured at statement 'conjure_S\(\) \(CXXRecordTypedCall, \+0\)'$}}}}
+ clang_analyzer_explain(conjure_S().z); // expected-warning-re{{{{^value derived from \(symbol of type 'int' conjured at statement 'conjure_S\(\) \(CXXRecordTypedCall, \)'\) for field 'z' of temporary object constructed at statement 'conjure_S\(\)'$}}}}
}
class C_top_level {
diff --git a/clang/test/Analysis/exploded-graph-rewriter/dynamic_types.cpp b/clang/test/Analysis/exploded-graph-rewriter/dynamic_types.cpp
index 01914a86ad4a5..6db74fcfd27ef 100644
--- a/clang/test/Analysis/exploded-graph-rewriter/dynamic_types.cpp
+++ b/clang/test/Analysis/exploded-graph-rewriter/dynamic_types.cpp
@@ -10,7 +10,7 @@ void test() {
// CHECK: Dynamic Types:
// CHECK-SAME: <tr><td align="left"><table border="0"><tr>
// CHECK-SAME: <td align="left">HeapSymRegion\{conj_$1\{S *, LC1,
- // CHECK-SAME: S{{[0-9]*}}, #1\}\}</td>
+ // CHECK-SAME: CFGElemRef{{[0-9]*}}, #1\}\}</td>
// CHECK-SAME: <td align="left">S</td>
// CHECK-SAME: </tr></table></td></tr>
new S;
diff --git a/clang/test/Analysis/iterator-modeling.cpp b/clang/test/Analysis/iterator-modeling.cpp
index 78882da4431fd..453878a8ea093 100644
--- a/clang/test/Analysis/iterator-modeling.cpp
+++ b/clang/test/Analysis/iterator-modeling.cpp
@@ -2035,8 +2035,8 @@ void print_state(std::vector<int> &V) {
// CHECK: "checker_messages": [
// CHECK: { "checker": "alpha.cplusplus.IteratorModeling", "messages": [
// CHECK-NEXT: "Iterator Positions :",
- // CHECK-NEXT: "conj_$[[#]]{int, LC[[#]], S[[#]], #[[#]]} : Valid ; Container == SymRegion{reg_$[[#]]<std::vector<int> & V>} ; Offset == conj_$[[#]]{long, LC[[#]], S[[#]], #[[#]]}",
- // CHECK-NEXT: "i0 : Valid ; Container == SymRegion{reg_$[[#]]<std::vector<int> & V>} ; Offset == conj_$[[#]]{long, LC[[#]], S[[#]], #[[#]]}"
+ // CHECK-NEXT: "conj_$[[#]]{int, LC[[#]], CFGElemRef[[#]], #[[#]]} : Valid ; Container == SymRegion{reg_$[[#]]<std::vector<int> & V>} ; Offset == conj_$[[#]]{long, LC[[#]], CFGElemRef[[#]], #[[#]]}",
+ // CHECK-NEXT: "i0 : Valid ; Container == SymRegion{reg_$[[#]]<std::vector<int> & V>} ; Offset == conj_$[[#]]{long, LC[[#]], CFGElemRef[[#]], #[[#]]}"
// CHECK-NEXT: ]}
*i0;
@@ -2046,8 +2046,8 @@ void print_state(std::vector<int> &V) {
// CHECK: "checker_messages": [
// CHECK: { "checker": "alpha.cplusplus.IteratorModeling", "messages": [
// CHECK-NEXT: "Iterator Positions :",
- // CHECK-NEXT: "conj_$[[#]]{int, LC[[#]], S[[#]], #[[#]]} : Valid ; Container == SymRegion{reg_$[[#]]<std::vector<int> & V>} ; Offset == conj_$[[#]]{long, LC[[#]], S[[#]], #[[#]]}",
- // CHECK-NEXT: "i1 : Valid ; Container == SymRegion{reg_$[[#]]<std::vector<int> & V>} ; Offset == conj_$[[#]]{long, LC[[#]], S[[#]], #[[#]]}"
+ // CHECK-NEXT: "conj_$[[#]]{int, LC[[#]], CFGElemRef[[#]], #[[#]]} : Valid ; Container == SymRegion{reg_$[[#]]<std::vector<int> & V>} ; Offset == conj_$[[#]]{long, LC[[#]], CFGElemRef[[#]], #[[#]]}",
+ // CHECK-NEXT: "i1 : Valid ; Container == SymRegion{reg_$[[#]]<std::vector<int> & V>} ; Offset == conj_$[[#]]{long, LC[[#]], CFGElemRef[[#]], #[[#]]}"
// CHECK-NEXT: ]}
*i1;
diff --git a/clang/test/Analysis/malloc.c b/clang/test/Analysis/malloc.c
index 27a04ff873521..10bd372709aa7 100644
--- a/clang/test/Analysis/malloc.c
+++ b/clang/test/Analysis/malloc.c
@@ -1954,9 +1954,9 @@ int conjure(void);
void testExtent(void) {
int x = conjure();
clang_analyzer_dump(x);
- // expected-warning-re at -1 {{{{^conj_\$[[:digit:]]+{int, LC1, S[[:digit:]]+, #1}}}}}}
+ // expected-warning-re at -1 {{{{^conj_\$[[:digit:]]+{int, LC1, CFGElemRef[[:digit:]]+, #1}}}}}}
int *p = (int *)malloc(x);
clang_analyzer_dumpExtent(p);
- // expected-warning-re at -1 {{{{^conj_\$[[:digit:]]+{int, LC1, S[[:digit:]]+, #1}}}}}}
+ // expected-warning-re at -1 {{{{^conj_\$[[:digit:]]+{int, LC1, CFGElemRef[[:digit:]]+, #1}}}}}}
free(p);
}
diff --git a/clang/test/Analysis/trivial-copy-struct.cpp b/clang/test/Analysis/trivial-copy-struct.cpp
index b2da777541aba..8583f64d73883 100644
--- a/clang/test/Analysis/trivial-copy-struct.cpp
+++ b/clang/test/Analysis/trivial-copy-struct.cpp
@@ -25,7 +25,7 @@ void copy_on_heap(Node* n1) {
Node* n2 = new Node(*n1);
clang_analyzer_dump(n1); // expected-warning-re {{&SymRegion{reg_${{[0-9]+}}<Node * n1>}}}
- clang_analyzer_dump(n2); // expected-warning-re {{&HeapSymRegion{conj_${{[0-9]+}}{Node *, LC{{[0-9]+}}, S{{[0-9]+}}, #{{[0-9]+}}}}}}
+ clang_analyzer_dump(n2); // expected-warning-re {{&HeapSymRegion{conj_${{[0-9]+}}{Node *, LC{{[0-9]+}}, CFGElemRef{{[0-9]+}}, #{{[0-9]+}}}}}}
clang_analyzer_dump(n1->ptr); // expected-warning-re {{&SymRegion{reg_${{[0-9]+}}<int * Element{SymRegion{reg_${{[0-9]+}}<Node * n1>},0 S64b,struct Node}.ptr>}}}
clang_analyzer_dump(n2->ptr); // expected-warning-re {{&SymRegion{reg_${{[0-9]+}}<int * Element{SymRegion{reg_${{[0-9]+}}<Node * n1>},0 S64b,struct Node}.ptr>}}}
More information about the cfe-commits
mailing list