1 //===- ExplodedGraph.h - Local, Path-Sens. "Exploded Graph" -----*- C++ -*-===//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This file defines the template classes ExplodedNode and ExplodedGraph,
11 // which represent a path-sensitive, intra-procedural "exploded graph."
12 // See "Precise interprocedural dataflow analysis via graph reachability"
13 // by Reps, Horwitz, and Sagiv
14 // (http://portal.acm.org/citation.cfm?id=199462) for the definition of an
17 //===----------------------------------------------------------------------===//
19 #ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_EXPLODEDGRAPH_H
20 #define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_EXPLODEDGRAPH_H
22 #include "clang/Analysis/AnalysisDeclContext.h"
23 #include "clang/Analysis/ProgramPoint.h"
24 #include "clang/Analysis/Support/BumpVector.h"
25 #include "clang/Basic/LLVM.h"
26 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
27 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
28 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
29 #include "llvm/ADT/ArrayRef.h"
30 #include "llvm/ADT/DenseMap.h"
31 #include "llvm/ADT/DepthFirstIterator.h"
32 #include "llvm/ADT/FoldingSet.h"
33 #include "llvm/ADT/GraphTraits.h"
34 #include "llvm/ADT/Optional.h"
35 #include "llvm/ADT/STLExtras.h"
36 #include "llvm/ADT/SetVector.h"
37 #include "llvm/Support/Allocator.h"
38 #include "llvm/Support/Compiler.h"
57 //===----------------------------------------------------------------------===//
58 // ExplodedGraph "implementation" classes. These classes are not typed to
59 // contain a specific kind of state. Typed-specialized versions are defined
60 // on top of these classes.
61 //===----------------------------------------------------------------------===//
63 // ExplodedNode is not constified all over the engine because we need to add
64 // successors to it at any time after creating it.
66 class ExplodedNode : public llvm::FoldingSetNode {
67 friend class BranchNodeBuilder;
68 friend class CoreEngine;
69 friend class EndOfFunctionNodeBuilder;
70 friend class ExplodedGraph;
71 friend class IndirectGotoNodeBuilder;
72 friend class NodeBuilder;
73 friend class SwitchNodeBuilder;
75 /// Efficiently stores a list of ExplodedNodes, or an optional flag.
77 /// NodeGroup provides opaque storage for a list of ExplodedNodes, optimizing
78 /// for the case when there is only one node in the group. This is a fairly
79 /// common case in an ExplodedGraph, where most nodes have only one
80 /// predecessor and many have only one successor. It can also be used to
81 /// store a flag rather than a node list, which ExplodedNode uses to mark
82 /// whether a node is a sink. If the flag is set, the group is implicitly
83 /// empty and no nodes may be added.
85 // Conceptually a discriminated union. If the low bit is set, the node is
86 // a sink. If the low bit is not set, the pointer refers to the storage
87 // for the nodes in the group.
88 // This is not a PointerIntPair in order to keep the storage type opaque.
92 NodeGroup(bool Flag = false) : P(Flag) {
93 assert(getFlag() == Flag);
96 ExplodedNode * const *begin() const;
98 ExplodedNode * const *end() const;
100 unsigned size() const;
102 bool empty() const { return P == 0 || getFlag() != 0; }
104 /// Adds a node to the list.
106 /// The group must not have been created with its flag set.
107 void addNode(ExplodedNode *N, ExplodedGraph &G);
109 /// Replaces the single node in this group with a new node.
111 /// Note that this should only be used when you know the group was not
112 /// created with its flag set, and that the group is empty or contains
113 /// only a single node.
114 void replaceNode(ExplodedNode *node);
116 /// Returns whether this group was created with its flag set.
117 bool getFlag() const {
122 /// Location - The program location (within a function body) associated
124 const ProgramPoint Location;
126 /// State - The state associated with this node.
127 ProgramStateRef State;
129 /// Preds - The predecessors of this node.
132 /// Succs - The successors of this node.
136 explicit ExplodedNode(const ProgramPoint &loc, ProgramStateRef state,
138 : Location(loc), State(std::move(state)), Succs(IsSink) {
139 assert(isSink() == IsSink);
142 /// getLocation - Returns the edge associated with the given node.
143 ProgramPoint getLocation() const { return Location; }
145 const LocationContext *getLocationContext() const {
146 return getLocation().getLocationContext();
149 const StackFrameContext *getStackFrame() const {
150 return getLocation().getStackFrame();
153 const Decl &getCodeDecl() const { return *getLocationContext()->getDecl(); }
155 CFG &getCFG() const { return *getLocationContext()->getCFG(); }
157 ParentMap &getParentMap() const {return getLocationContext()->getParentMap();}
159 template <typename T>
160 T &getAnalysis() const {
161 return *getLocationContext()->getAnalysis<T>();
164 const ProgramStateRef &getState() const { return State; }
166 template <typename T>
167 Optional<T> getLocationAs() const LLVM_LVALUE_FUNCTION {
168 return Location.getAs<T>();
171 /// Get the value of an arbitrary expression at this node.
172 SVal getSVal(const Stmt *S) const {
173 return getState()->getSVal(S, getLocationContext());
176 static void Profile(llvm::FoldingSetNodeID &ID,
177 const ProgramPoint &Loc,
178 const ProgramStateRef &state,
181 ID.AddPointer(state.get());
182 ID.AddBoolean(IsSink);
185 void Profile(llvm::FoldingSetNodeID& ID) const {
186 // We avoid copy constructors by not using accessors.
187 Profile(ID, Location, State, isSink());
190 /// addPredeccessor - Adds a predecessor to the current node, and
191 /// in tandem add this node as a successor of the other node.
192 void addPredecessor(ExplodedNode *V, ExplodedGraph &G);
194 unsigned succ_size() const { return Succs.size(); }
195 unsigned pred_size() const { return Preds.size(); }
196 bool succ_empty() const { return Succs.empty(); }
197 bool pred_empty() const { return Preds.empty(); }
199 bool isSink() const { return Succs.getFlag(); }
201 bool hasSinglePred() const {
202 return (pred_size() == 1);
205 ExplodedNode *getFirstPred() {
206 return pred_empty() ? nullptr : *(pred_begin());
209 const ExplodedNode *getFirstPred() const {
210 return const_cast<ExplodedNode*>(this)->getFirstPred();
213 const ExplodedNode *getFirstSucc() const {
214 return succ_empty() ? nullptr : *(succ_begin());
217 // Iterators over successor and predecessor vertices.
218 using succ_iterator = ExplodedNode * const *;
219 using const_succ_iterator = const ExplodedNode * const *;
220 using pred_iterator = ExplodedNode * const *;
221 using const_pred_iterator = const ExplodedNode * const *;
223 pred_iterator pred_begin() { return Preds.begin(); }
224 pred_iterator pred_end() { return Preds.end(); }
226 const_pred_iterator pred_begin() const {
227 return const_cast<ExplodedNode*>(this)->pred_begin();
229 const_pred_iterator pred_end() const {
230 return const_cast<ExplodedNode*>(this)->pred_end();
233 succ_iterator succ_begin() { return Succs.begin(); }
234 succ_iterator succ_end() { return Succs.end(); }
236 const_succ_iterator succ_begin() const {
237 return const_cast<ExplodedNode*>(this)->succ_begin();
239 const_succ_iterator succ_end() const {
240 return const_cast<ExplodedNode*>(this)->succ_end();
250 virtual void AddEdge(ExplodedNode *Src, ExplodedNode *Dst) = 0;
253 static void SetAuditor(Auditor* A);
256 void replaceSuccessor(ExplodedNode *node) { Succs.replaceNode(node); }
257 void replacePredecessor(ExplodedNode *node) { Preds.replaceNode(node); }
260 using InterExplodedGraphMap =
261 llvm::DenseMap<const ExplodedNode *, const ExplodedNode *>;
263 class ExplodedGraph {
265 friend class CoreEngine;
268 using NodeVector = std::vector<ExplodedNode *>;
270 /// The roots of the simulation graph. Usually there will be only
271 /// one, but clients are free to establish multiple subgraphs within a single
272 /// SimulGraph. Moreover, these subgraphs can often merge when paths from
273 /// different roots reach the same state at the same program location.
276 /// The nodes in the simulation graph which have been
277 /// specially marked as the endpoint of an abstract simulation path.
280 /// Nodes - The nodes in the graph.
281 llvm::FoldingSet<ExplodedNode> Nodes;
283 /// BVC - Allocator and context for allocating nodes and their predecessor
284 /// and successor groups.
285 BumpVectorContext BVC;
287 /// NumNodes - The number of nodes in the graph.
288 unsigned NumNodes = 0;
290 /// A list of recently allocated nodes that can potentially be recycled.
291 NodeVector ChangedNodes;
293 /// A list of nodes that can be reused.
294 NodeVector FreeNodes;
296 /// Determines how often nodes are reclaimed.
298 /// If this is 0, nodes will never be reclaimed.
299 unsigned ReclaimNodeInterval = 0;
301 /// Counter to determine when to reclaim nodes.
302 unsigned ReclaimCounter;
308 /// Retrieve the node associated with a (Location,State) pair,
309 /// where the 'Location' is a ProgramPoint in the CFG. If no node for
310 /// this pair exists, it is created. IsNew is set to true if
311 /// the node was freshly created.
312 ExplodedNode *getNode(const ProgramPoint &L, ProgramStateRef State,
314 bool* IsNew = nullptr);
316 /// Create a node for a (Location, State) pair,
317 /// but don't store it for deduplication later. This
318 /// is useful when copying an already completed
319 /// ExplodedGraph for further processing.
320 ExplodedNode *createUncachedNode(const ProgramPoint &L,
321 ProgramStateRef State,
322 bool IsSink = false);
324 std::unique_ptr<ExplodedGraph> MakeEmptyGraph() const {
325 return llvm::make_unique<ExplodedGraph>();
328 /// addRoot - Add an untyped node to the set of roots.
329 ExplodedNode *addRoot(ExplodedNode *V) {
334 /// addEndOfPath - Add an untyped node to the set of EOP nodes.
335 ExplodedNode *addEndOfPath(ExplodedNode *V) {
336 EndNodes.push_back(V);
340 unsigned num_roots() const { return Roots.size(); }
341 unsigned num_eops() const { return EndNodes.size(); }
343 bool empty() const { return NumNodes == 0; }
344 unsigned size() const { return NumNodes; }
346 void reserve(unsigned NodeCount) { Nodes.reserve(NodeCount); }
349 using NodeTy = ExplodedNode;
350 using AllNodesTy = llvm::FoldingSet<ExplodedNode>;
351 using roots_iterator = NodeVector::iterator;
352 using const_roots_iterator = NodeVector::const_iterator;
353 using eop_iterator = NodeVector::iterator;
354 using const_eop_iterator = NodeVector::const_iterator;
355 using node_iterator = AllNodesTy::iterator;
356 using const_node_iterator = AllNodesTy::const_iterator;
358 node_iterator nodes_begin() { return Nodes.begin(); }
360 node_iterator nodes_end() { return Nodes.end(); }
362 const_node_iterator nodes_begin() const { return Nodes.begin(); }
364 const_node_iterator nodes_end() const { return Nodes.end(); }
366 roots_iterator roots_begin() { return Roots.begin(); }
368 roots_iterator roots_end() { return Roots.end(); }
370 const_roots_iterator roots_begin() const { return Roots.begin(); }
372 const_roots_iterator roots_end() const { return Roots.end(); }
374 eop_iterator eop_begin() { return EndNodes.begin(); }
376 eop_iterator eop_end() { return EndNodes.end(); }
378 const_eop_iterator eop_begin() const { return EndNodes.begin(); }
380 const_eop_iterator eop_end() const { return EndNodes.end(); }
382 llvm::BumpPtrAllocator & getAllocator() { return BVC.getAllocator(); }
383 BumpVectorContext &getNodeAllocator() { return BVC; }
385 using NodeMap = llvm::DenseMap<const ExplodedNode *, ExplodedNode *>;
387 /// Creates a trimmed version of the graph that only contains paths leading
388 /// to the given nodes.
390 /// \param Nodes The nodes which must appear in the final graph. Presumably
391 /// these are end-of-path nodes (i.e. they have no successors).
392 /// \param[out] ForwardMap A optional map from nodes in this graph to nodes in
393 /// the returned graph.
394 /// \param[out] InverseMap An optional map from nodes in the returned graph to
395 /// nodes in this graph.
396 /// \returns The trimmed graph
397 std::unique_ptr<ExplodedGraph>
398 trim(ArrayRef<const NodeTy *> Nodes,
399 InterExplodedGraphMap *ForwardMap = nullptr,
400 InterExplodedGraphMap *InverseMap = nullptr) const;
402 /// Enable tracking of recently allocated nodes for potential reclamation
403 /// when calling reclaimRecentlyAllocatedNodes().
404 void enableNodeReclamation(unsigned Interval) {
405 ReclaimCounter = ReclaimNodeInterval = Interval;
408 /// Reclaim "uninteresting" nodes created since the last time this method
410 void reclaimRecentlyAllocatedNodes();
412 /// Returns true if nodes for the given expression kind are always
414 static bool isInterestingLValueExpr(const Expr *Ex);
417 bool shouldCollect(const ExplodedNode *node);
418 void collectNode(ExplodedNode *node);
421 class ExplodedNodeSet {
422 using ImplTy = llvm::SmallSetVector<ExplodedNode *, 4>;
426 ExplodedNodeSet(ExplodedNode *N) {
427 assert(N && !static_cast<ExplodedNode*>(N)->isSink());
431 ExplodedNodeSet() = default;
433 void Add(ExplodedNode *N) {
434 if (N && !static_cast<ExplodedNode*>(N)->isSink()) Impl.insert(N);
437 using iterator = ImplTy::iterator;
438 using const_iterator = ImplTy::const_iterator;
440 unsigned size() const { return Impl.size(); }
441 bool empty() const { return Impl.empty(); }
442 bool erase(ExplodedNode *N) { return Impl.remove(N); }
444 void clear() { Impl.clear(); }
446 void insert(const ExplodedNodeSet &S) {
451 Impl.insert(S.begin(), S.end());
454 iterator begin() { return Impl.begin(); }
455 iterator end() { return Impl.end(); }
457 const_iterator begin() const { return Impl.begin(); }
458 const_iterator end() const { return Impl.end(); }
469 template<> struct GraphTraits<clang::ento::ExplodedNode*> {
470 using NodeRef = clang::ento::ExplodedNode *;
471 using ChildIteratorType = clang::ento::ExplodedNode::succ_iterator;
472 using nodes_iterator = llvm::df_iterator<NodeRef>;
474 static NodeRef getEntryNode(NodeRef N) { return N; }
476 static ChildIteratorType child_begin(NodeRef N) { return N->succ_begin(); }
478 static ChildIteratorType child_end(NodeRef N) { return N->succ_end(); }
480 static nodes_iterator nodes_begin(NodeRef N) { return df_begin(N); }
482 static nodes_iterator nodes_end(NodeRef N) { return df_end(N); }
485 template<> struct GraphTraits<const clang::ento::ExplodedNode*> {
486 using NodeRef = const clang::ento::ExplodedNode *;
487 using ChildIteratorType = clang::ento::ExplodedNode::const_succ_iterator;
488 using nodes_iterator = llvm::df_iterator<NodeRef>;
490 static NodeRef getEntryNode(NodeRef N) { return N; }
492 static ChildIteratorType child_begin(NodeRef N) { return N->succ_begin(); }
494 static ChildIteratorType child_end(NodeRef N) { return N->succ_end(); }
496 static nodes_iterator nodes_begin(NodeRef N) { return df_begin(N); }
498 static nodes_iterator nodes_end(NodeRef N) { return df_end(N); }
503 #endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_EXPLODEDGRAPH_H