StaticAnalyzer/Core/Environment.cpp

218887Sdim//== Environment.cpp - Map from Stmt* to Locations/Values -------*- C++ -*--==//
218887Sdim//
218887Sdim//                     The LLVM Compiler Infrastructure
218887Sdim//
218887Sdim// This file is distributed under the University of Illinois Open Source
218887Sdim// License. See LICENSE.TXT for details.
218887Sdim//
218887Sdim//===----------------------------------------------------------------------===//
218887Sdim//
218887Sdim//  This file defined the Environment and EnvironmentManager classes.
218887Sdim//
218887Sdim//===----------------------------------------------------------------------===//
218887Sdim
234353Sdim#include "clang/AST/ExprCXX.h"
226633Sdim#include "clang/AST/ExprObjC.h"
218887Sdim#include "clang/Analysis/AnalysisContext.h"
218887Sdim#include "clang/Analysis/CFG.h"
226633Sdim#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
218887Sdim
218887Sdimusing namespace clang;
218887Sdimusing namespace ento;
218887Sdim
234353SdimSVal Environment::lookupExpr(const EnvironmentEntry &E) const {
218887Sdim  const SVal* X = ExprBindings.lookup(E);
218887Sdim  if (X) {
218887Sdim    SVal V = *X;
218887Sdim    return V;
218887Sdim  }
218887Sdim  return UnknownVal();
218887Sdim}
218887Sdim
234353SdimSVal Environment::getSVal(const EnvironmentEntry &Entry,
234353Sdim                          SValBuilder& svalBuilder,
234353Sdim                          bool useOnlyDirectBindings) const {
221345Sdim
221345Sdim  if (useOnlyDirectBindings) {
221345Sdim    // This branch is rarely taken, but can be exercised by
221345Sdim    // checkers that explicitly bind values to arbitrary
221345Sdim    // expressions.  It is crucial that we do not ignore any
221345Sdim    // expression here, and do a direct lookup.
234353Sdim    return lookupExpr(Entry);
221345Sdim  }
221345Sdim
234353Sdim  const Stmt *E = Entry.getStmt();
234353Sdim  const LocationContext *LCtx = Entry.getLocationContext();
234353Sdim
218887Sdim  for (;;) {
223017Sdim    if (const Expr *Ex = dyn_cast<Expr>(E))
223017Sdim      E = Ex->IgnoreParens();
223017Sdim
218887Sdim    switch (E->getStmtClass()) {
218887Sdim      case Stmt::AddrLabelExprClass:
218887Sdim        return svalBuilder.makeLoc(cast<AddrLabelExpr>(E));
219077Sdim      case Stmt::OpaqueValueExprClass: {
219077Sdim        const OpaqueValueExpr *ope = cast<OpaqueValueExpr>(E);
219077Sdim        E = ope->getSourceExpr();
219077Sdim        continue;
219077Sdim      }
218887Sdim      case Stmt::ParenExprClass:
221345Sdim      case Stmt::GenericSelectionExprClass:
223017Sdim        llvm_unreachable("ParenExprs and GenericSelectionExprs should "
223017Sdim                         "have been handled by IgnoreParens()");
218887Sdim      case Stmt::CharacterLiteralClass: {
218887Sdim        const CharacterLiteral* C = cast<CharacterLiteral>(E);
218887Sdim        return svalBuilder.makeIntVal(C->getValue(), C->getType());
218887Sdim      }
218887Sdim      case Stmt::CXXBoolLiteralExprClass: {
234353Sdim        const SVal *X = ExprBindings.lookup(EnvironmentEntry(E, LCtx));
218887Sdim        if (X)
218887Sdim          return *X;
218887Sdim        else
218887Sdim          return svalBuilder.makeBoolVal(cast<CXXBoolLiteralExpr>(E));
218887Sdim      }
218887Sdim      case Stmt::IntegerLiteralClass: {
218887Sdim        // In C++, this expression may have been bound to a temporary object.
234353Sdim        SVal const *X = ExprBindings.lookup(EnvironmentEntry(E, LCtx));
218887Sdim        if (X)
218887Sdim          return *X;
218887Sdim        else
218887Sdim          return svalBuilder.makeIntVal(cast<IntegerLiteral>(E));
218887Sdim      }
234353Sdim      case Stmt::ObjCBoolLiteralExprClass:
234353Sdim        return svalBuilder.makeBoolVal(cast<ObjCBoolLiteralExpr>(E));
234353Sdim
221345Sdim      // For special C0xx nullptr case, make a null pointer SVal.
221345Sdim      case Stmt::CXXNullPtrLiteralExprClass:
221345Sdim        return svalBuilder.makeNull();
218887Sdim      case Stmt::ExprWithCleanupsClass:
218887Sdim        E = cast<ExprWithCleanups>(E)->getSubExpr();
218887Sdim        continue;
218887Sdim      case Stmt::CXXBindTemporaryExprClass:
218887Sdim        E = cast<CXXBindTemporaryExpr>(E)->getSubExpr();
218887Sdim        continue;
226633Sdim      case Stmt::ObjCPropertyRefExprClass:
226633Sdim        return loc::ObjCPropRef(cast<ObjCPropertyRefExpr>(E));
234353Sdim      case Stmt::ObjCStringLiteralClass: {
234353Sdim        MemRegionManager &MRMgr = svalBuilder.getRegionManager();
234353Sdim        const ObjCStringLiteral *SL = cast<ObjCStringLiteral>(E);
234353Sdim        return svalBuilder.makeLoc(MRMgr.getObjCStringRegion(SL));
234353Sdim      }
234353Sdim      case Stmt::StringLiteralClass: {
234353Sdim        MemRegionManager &MRMgr = svalBuilder.getRegionManager();
234353Sdim        const StringLiteral *SL = cast<StringLiteral>(E);
234353Sdim        return svalBuilder.makeLoc(MRMgr.getStringRegion(SL));
234353Sdim      }
234353Sdim      case Stmt::ReturnStmtClass: {
234353Sdim        const ReturnStmt *RS = cast<ReturnStmt>(E);
234353Sdim        if (const Expr *RE = RS->getRetValue()) {
234353Sdim          E = RE;
234353Sdim          continue;
234353Sdim        }
234353Sdim        return UndefinedVal();
234353Sdim      }
226633Sdim
218887Sdim      // Handle all other Stmt* using a lookup.
218887Sdim      default:
218887Sdim        break;
218887Sdim    };
218887Sdim    break;
218887Sdim  }
234353Sdim  return lookupExpr(EnvironmentEntry(E, LCtx));
218887Sdim}
218887Sdim
234353SdimEnvironment EnvironmentManager::bindExpr(Environment Env,
234353Sdim                                         const EnvironmentEntry &E,
234353Sdim                                         SVal V,
234353Sdim                                         bool Invalidate) {
218887Sdim  if (V.isUnknown()) {
218887Sdim    if (Invalidate)
234353Sdim      return Environment(F.remove(Env.ExprBindings, E));
218887Sdim    else
218887Sdim      return Env;
218887Sdim  }
234353Sdim  return Environment(F.add(Env.ExprBindings, E, V));
218887Sdim}
218887Sdim
234353Sdimstatic inline EnvironmentEntry MakeLocation(const EnvironmentEntry &E) {
234353Sdim  const Stmt *S = E.getStmt();
234353Sdim  S = (const Stmt*) (((uintptr_t) S) | 0x1);
234353Sdim  return EnvironmentEntry(S, E.getLocationContext());
218887Sdim}
218887Sdim
218887SdimEnvironment EnvironmentManager::bindExprAndLocation(Environment Env,
234353Sdim                                                    const EnvironmentEntry &E,
218887Sdim                                                    SVal location, SVal V) {
234353Sdim  return Environment(F.add(F.add(Env.ExprBindings, MakeLocation(E), location),
234353Sdim                           E, V));
218887Sdim}
218887Sdim
218887Sdimnamespace {
218887Sdimclass MarkLiveCallback : public SymbolVisitor {
218887Sdim  SymbolReaper &SymReaper;
218887Sdimpublic:
218887Sdim  MarkLiveCallback(SymbolReaper &symreaper) : SymReaper(symreaper) {}
234353Sdim  bool VisitSymbol(SymbolRef sym) {
234353Sdim    SymReaper.markLive(sym);
234353Sdim    return true;
234353Sdim  }
234353Sdim  bool VisitMemRegion(const MemRegion *R) {
234353Sdim    SymReaper.markLive(R);
234353Sdim    return true;
234353Sdim  }
218887Sdim};
218887Sdim} // end anonymous namespace
218887Sdim
234353Sdim// In addition to mapping from EnvironmentEntry - > SVals in the Environment,
234353Sdim// we also maintain a mapping from EnvironmentEntry -> SVals (locations)
234353Sdim// that were used during a load and store.
234353Sdimstatic inline bool IsLocation(const EnvironmentEntry &E) {
234353Sdim  const Stmt *S = E.getStmt();
218887Sdim  return (bool) (((uintptr_t) S) & 0x1);
218887Sdim}
218887Sdim
218887Sdim// removeDeadBindings:
218887Sdim//  - Remove subexpression bindings.
218887Sdim//  - Remove dead block expression bindings.
218887Sdim//  - Keep live block expression bindings:
218887Sdim//   - Mark their reachable symbols live in SymbolReaper,
218887Sdim//     see ScanReachableSymbols.
218887Sdim//   - Mark the region in DRoots if the binding is a loc::MemRegionVal.
218887SdimEnvironment
218887SdimEnvironmentManager::removeDeadBindings(Environment Env,
218887Sdim                                       SymbolReaper &SymReaper,
234353Sdim                                       ProgramStateRef ST) {
218887Sdim
218887Sdim  // We construct a new Environment object entirely, as this is cheaper than
218887Sdim  // individually removing all the subexpression bindings (which will greatly
218887Sdim  // outnumber block-level expression bindings).
218887Sdim  Environment NewEnv = getInitialEnvironment();
218887Sdim
234353Sdim  SmallVector<std::pair<EnvironmentEntry, SVal>, 10> deferredLocations;
218887Sdim
226633Sdim  MarkLiveCallback CB(SymReaper);
226633Sdim  ScanReachableSymbols RSScaner(ST, CB);
226633Sdim
234353Sdim  llvm::ImmutableMapRef<EnvironmentEntry,SVal>
226633Sdim    EBMapRef(NewEnv.ExprBindings.getRootWithoutRetain(),
226633Sdim             F.getTreeFactory());
226633Sdim
218887Sdim  // Iterate over the block-expr bindings.
218887Sdim  for (Environment::iterator I = Env.begin(), E = Env.end();
218887Sdim       I != E; ++I) {
218887Sdim
234353Sdim    const EnvironmentEntry &BlkExpr = I.getKey();
218887Sdim    // For recorded locations (used when evaluating loads and stores), we
218887Sdim    // consider them live only when their associated normal expression is
218887Sdim    // also live.
218887Sdim    // NOTE: This assumes that loads/stores that evaluated to UnknownVal
218887Sdim    // still have an entry in the map.
218887Sdim    if (IsLocation(BlkExpr)) {
218887Sdim      deferredLocations.push_back(std::make_pair(BlkExpr, I.getData()));
218887Sdim      continue;
218887Sdim    }
218887Sdim    const SVal &X = I.getData();
218887Sdim
234353Sdim    if (SymReaper.isLive(BlkExpr.getStmt(), BlkExpr.getLocationContext())) {
218887Sdim      // Copy the binding to the new map.
226633Sdim      EBMapRef = EBMapRef.add(BlkExpr, X);
218887Sdim
218887Sdim      // If the block expr's value is a memory region, then mark that region.
218887Sdim      if (isa<loc::MemRegionVal>(X)) {
226633Sdim        const MemRegion *R = cast<loc::MemRegionVal>(X).getRegion();
226633Sdim        SymReaper.markLive(R);
218887Sdim      }
218887Sdim
218887Sdim      // Mark all symbols in the block expr's value live.
226633Sdim      RSScaner.scan(X);
218887Sdim      continue;
218887Sdim    }
218887Sdim
218887Sdim    // Otherwise the expression is dead with a couple exceptions.
218887Sdim    // Do not misclean LogicalExpr or ConditionalOperator.  It is dead at the
218887Sdim    // beginning of itself, but we need its UndefinedVal to determine its
218887Sdim    // SVal.
218887Sdim    if (X.isUndef() && cast<UndefinedVal>(X).getData())
226633Sdim      EBMapRef = EBMapRef.add(BlkExpr, X);
218887Sdim  }
218887Sdim
218887Sdim  // Go through he deferred locations and add them to the new environment if
218887Sdim  // the correspond Stmt* is in the map as well.
234353Sdim  for (SmallVectorImpl<std::pair<EnvironmentEntry, SVal> >::iterator
218887Sdim      I = deferredLocations.begin(), E = deferredLocations.end(); I != E; ++I) {
234353Sdim    const EnvironmentEntry &En = I->first;
234353Sdim    const Stmt *S = (Stmt*) (((uintptr_t) En.getStmt()) & (uintptr_t) ~0x1);
234353Sdim    if (EBMapRef.lookup(EnvironmentEntry(S, En.getLocationContext())))
234353Sdim      EBMapRef = EBMapRef.add(En, I->second);
218887Sdim  }
218887Sdim
226633Sdim  NewEnv.ExprBindings = EBMapRef.asImmutableMap();
218887Sdim  return NewEnv;
218887Sdim}
234353Sdim
234353Sdimvoid Environment::print(raw_ostream &Out, const char *NL,
234353Sdim                        const char *Sep) const {
234353Sdim  printAux(Out, false, NL, Sep);
234353Sdim  printAux(Out, true, NL, Sep);
234353Sdim}
234353Sdim
234353Sdimvoid Environment::printAux(raw_ostream &Out, bool printLocations,
234353Sdim                           const char *NL,
234353Sdim                           const char *Sep) const{
234353Sdim
234353Sdim  bool isFirst = true;
234353Sdim
234353Sdim  for (Environment::iterator I = begin(), E = end(); I != E; ++I) {
234353Sdim    const EnvironmentEntry &En = I.getKey();
234353Sdim    if (IsLocation(En)) {
234353Sdim      if (!printLocations)
234353Sdim        continue;
234353Sdim    }
234353Sdim    else {
234353Sdim      if (printLocations)
234353Sdim        continue;
234353Sdim    }
234353Sdim
234353Sdim    if (isFirst) {
234353Sdim      Out << NL << NL
234353Sdim          << (printLocations ? "Load/Store locations:" : "Expressions:")
234353Sdim          << NL;
234353Sdim      isFirst = false;
234353Sdim    } else {
234353Sdim      Out << NL;
234353Sdim    }
234353Sdim
234353Sdim    const Stmt *S = En.getStmt();
234353Sdim    if (printLocations) {
234353Sdim      S = (Stmt*) (((uintptr_t) S) & ((uintptr_t) ~0x1));
234353Sdim    }
234353Sdim
234353Sdim    Out << " (" << (void*) En.getLocationContext() << ',' << (void*) S << ") ";
234353Sdim    LangOptions LO; // FIXME.
234353Sdim    S->printPretty(Out, 0, PrintingPolicy(LO));
234353Sdim    Out << " : " << I.getData();
234353Sdim  }
234353Sdim}