1 //==- CoreEngine.cpp - Path-Sensitive Dataflow Engine ------------*- C++ -*-//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This file defines a generic engine for intraprocedural, path-sensitive,
11 // dataflow analysis via graph reachability engine.
13 //===----------------------------------------------------------------------===//
15 #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
16 #include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h"
17 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
18 #include "clang/Index/TranslationUnit.h"
19 #include "clang/AST/Expr.h"
20 #include "clang/AST/StmtCXX.h"
21 #include "llvm/Support/Casting.h"
22 #include "llvm/ADT/DenseMap.h"
23 using namespace clang;
26 //===----------------------------------------------------------------------===//
27 // Worklist classes for exploration of reachable states.
28 //===----------------------------------------------------------------------===//
30 WorkList::Visitor::~Visitor() {}
33 class DFS : public WorkList {
34 SmallVector<WorkListUnit,20> Stack;
36 virtual bool hasWork() const {
37 return !Stack.empty();
40 virtual void enqueue(const WorkListUnit& U) {
44 virtual WorkListUnit dequeue() {
45 assert (!Stack.empty());
46 const WorkListUnit& U = Stack.back();
47 Stack.pop_back(); // This technically "invalidates" U, but we are fine.
51 virtual bool visitItemsInWorkList(Visitor &V) {
52 for (SmallVectorImpl<WorkListUnit>::iterator
53 I = Stack.begin(), E = Stack.end(); I != E; ++I) {
61 class BFS : public WorkList {
62 std::deque<WorkListUnit> Queue;
64 virtual bool hasWork() const {
65 return !Queue.empty();
68 virtual void enqueue(const WorkListUnit& U) {
72 virtual WorkListUnit dequeue() {
73 WorkListUnit U = Queue.front();
78 virtual bool visitItemsInWorkList(Visitor &V) {
79 for (std::deque<WorkListUnit>::iterator
80 I = Queue.begin(), E = Queue.end(); I != E; ++I) {
88 } // end anonymous namespace
90 // Place the dstor for WorkList here because it contains virtual member
91 // functions, and we the code for the dstor generated in one compilation unit.
92 WorkList::~WorkList() {}
94 WorkList *WorkList::makeDFS() { return new DFS(); }
95 WorkList *WorkList::makeBFS() { return new BFS(); }
98 class BFSBlockDFSContents : public WorkList {
99 std::deque<WorkListUnit> Queue;
100 SmallVector<WorkListUnit,20> Stack;
102 virtual bool hasWork() const {
103 return !Queue.empty() || !Stack.empty();
106 virtual void enqueue(const WorkListUnit& U) {
107 if (isa<BlockEntrance>(U.getNode()->getLocation()))
113 virtual WorkListUnit dequeue() {
114 // Process all basic blocks to completion.
115 if (!Stack.empty()) {
116 const WorkListUnit& U = Stack.back();
117 Stack.pop_back(); // This technically "invalidates" U, but we are fine.
121 assert(!Queue.empty());
122 // Don't use const reference. The subsequent pop_back() might make it
124 WorkListUnit U = Queue.front();
128 virtual bool visitItemsInWorkList(Visitor &V) {
129 for (SmallVectorImpl<WorkListUnit>::iterator
130 I = Stack.begin(), E = Stack.end(); I != E; ++I) {
134 for (std::deque<WorkListUnit>::iterator
135 I = Queue.begin(), E = Queue.end(); I != E; ++I) {
143 } // end anonymous namespace
145 WorkList* WorkList::makeBFSBlockDFSContents() {
146 return new BFSBlockDFSContents();
149 //===----------------------------------------------------------------------===//
150 // Core analysis engine.
151 //===----------------------------------------------------------------------===//
153 /// ExecuteWorkList - Run the worklist algorithm for a maximum number of steps.
154 bool CoreEngine::ExecuteWorkList(const LocationContext *L, unsigned Steps,
155 const ProgramState *InitState) {
157 if (G->num_roots() == 0) { // Initialize the analysis by constructing
158 // the root if none exists.
160 const CFGBlock *Entry = &(L->getCFG()->getEntry());
162 assert (Entry->empty() &&
163 "Entry block must be empty.");
165 assert (Entry->succ_size() == 1 &&
166 "Entry block must have 1 successor.");
168 // Get the solitary successor.
169 const CFGBlock *Succ = *(Entry->succ_begin());
171 // Construct an edge representing the
172 // starting location in the function.
173 BlockEdge StartLoc(Entry, Succ, L);
175 // Set the current block counter to being empty.
176 WList->setBlockCounter(BCounterFactory.GetEmptyCounter());
179 // Generate the root.
180 generateNode(StartLoc, SubEng.getInitialState(L), 0);
182 generateNode(StartLoc, InitState, 0);
185 // Check if we have a steps limit
186 bool UnlimitedSteps = Steps == 0;
188 while (WList->hasWork()) {
189 if (!UnlimitedSteps) {
195 const WorkListUnit& WU = WList->dequeue();
197 // Set the current block counter.
198 WList->setBlockCounter(WU.getBlockCounter());
200 // Retrieve the node.
201 ExplodedNode *Node = WU.getNode();
203 // Dispatch on the location type.
204 switch (Node->getLocation().getKind()) {
205 case ProgramPoint::BlockEdgeKind:
206 HandleBlockEdge(cast<BlockEdge>(Node->getLocation()), Node);
209 case ProgramPoint::BlockEntranceKind:
210 HandleBlockEntrance(cast<BlockEntrance>(Node->getLocation()), Node);
213 case ProgramPoint::BlockExitKind:
214 assert (false && "BlockExit location never occur in forward analysis.");
217 case ProgramPoint::CallEnterKind:
218 HandleCallEnter(cast<CallEnter>(Node->getLocation()), WU.getBlock(),
219 WU.getIndex(), Node);
222 case ProgramPoint::CallExitKind:
223 HandleCallExit(cast<CallExit>(Node->getLocation()), Node);
227 assert(isa<PostStmt>(Node->getLocation()) ||
228 isa<PostInitializer>(Node->getLocation()));
229 HandlePostStmt(WU.getBlock(), WU.getIndex(), Node);
234 SubEng.processEndWorklist(hasWorkRemaining());
235 return WList->hasWork();
238 void CoreEngine::ExecuteWorkListWithInitialState(const LocationContext *L,
240 const ProgramState *InitState,
241 ExplodedNodeSet &Dst) {
242 ExecuteWorkList(L, Steps, InitState);
243 for (SmallVectorImpl<ExplodedNode*>::iterator I = G->EndNodes.begin(),
244 E = G->EndNodes.end(); I != E; ++I) {
249 void CoreEngine::HandleCallEnter(const CallEnter &L, const CFGBlock *Block,
250 unsigned Index, ExplodedNode *Pred) {
251 CallEnterNodeBuilder Builder(*this, Pred, L.getCallExpr(),
252 L.getCalleeContext(), Block, Index);
253 SubEng.processCallEnter(Builder);
256 void CoreEngine::HandleCallExit(const CallExit &L, ExplodedNode *Pred) {
257 CallExitNodeBuilder Builder(*this, Pred);
258 SubEng.processCallExit(Builder);
261 void CoreEngine::HandleBlockEdge(const BlockEdge &L, ExplodedNode *Pred) {
263 const CFGBlock *Blk = L.getDst();
265 // Check if we are entering the EXIT block.
266 if (Blk == &(L.getLocationContext()->getCFG()->getExit())) {
268 assert (L.getLocationContext()->getCFG()->getExit().size() == 0
269 && "EXIT block cannot contain Stmts.");
271 // Process the final state transition.
272 EndOfFunctionNodeBuilder Builder(Blk, Pred, this);
273 SubEng.processEndOfFunction(Builder);
275 // This path is done. Don't enqueue any more nodes.
279 // Call into the subengine to process entering the CFGBlock.
280 ExplodedNodeSet dstNodes;
281 BlockEntrance BE(Blk, Pred->getLocationContext());
282 GenericNodeBuilder<BlockEntrance> nodeBuilder(*this, Pred, BE);
283 SubEng.processCFGBlockEntrance(dstNodes, nodeBuilder);
285 if (dstNodes.empty()) {
286 if (!nodeBuilder.hasGeneratedNode) {
287 // Auto-generate a node and enqueue it to the worklist.
288 generateNode(BE, Pred->State, Pred);
292 for (ExplodedNodeSet::iterator I = dstNodes.begin(), E = dstNodes.end();
298 for (SmallVectorImpl<ExplodedNode*>::const_iterator
299 I = nodeBuilder.sinks().begin(), E = nodeBuilder.sinks().end();
301 blocksExhausted.push_back(std::make_pair(L, *I));
305 void CoreEngine::HandleBlockEntrance(const BlockEntrance &L,
306 ExplodedNode *Pred) {
308 // Increment the block counter.
309 BlockCounter Counter = WList->getBlockCounter();
310 Counter = BCounterFactory.IncrementCount(Counter,
311 Pred->getLocationContext()->getCurrentStackFrame(),
312 L.getBlock()->getBlockID());
313 WList->setBlockCounter(Counter);
315 // Process the entrance of the block.
316 if (CFGElement E = L.getFirstElement()) {
317 StmtNodeBuilder Builder(L.getBlock(), 0, Pred, this);
318 SubEng.processCFGElement(E, Builder);
321 HandleBlockExit(L.getBlock(), Pred);
324 void CoreEngine::HandleBlockExit(const CFGBlock * B, ExplodedNode *Pred) {
326 if (const Stmt *Term = B->getTerminator()) {
327 switch (Term->getStmtClass()) {
329 llvm_unreachable("Analysis for this terminator not implemented.");
331 case Stmt::BinaryOperatorClass: // '&&' and '||'
332 HandleBranch(cast<BinaryOperator>(Term)->getLHS(), Term, B, Pred);
335 case Stmt::BinaryConditionalOperatorClass:
336 case Stmt::ConditionalOperatorClass:
337 HandleBranch(cast<AbstractConditionalOperator>(Term)->getCond(),
341 // FIXME: Use constant-folding in CFG construction to simplify this
344 case Stmt::ChooseExprClass:
345 HandleBranch(cast<ChooseExpr>(Term)->getCond(), Term, B, Pred);
348 case Stmt::DoStmtClass:
349 HandleBranch(cast<DoStmt>(Term)->getCond(), Term, B, Pred);
352 case Stmt::CXXForRangeStmtClass:
353 HandleBranch(cast<CXXForRangeStmt>(Term)->getCond(), Term, B, Pred);
356 case Stmt::ForStmtClass:
357 HandleBranch(cast<ForStmt>(Term)->getCond(), Term, B, Pred);
360 case Stmt::ContinueStmtClass:
361 case Stmt::BreakStmtClass:
362 case Stmt::GotoStmtClass:
365 case Stmt::IfStmtClass:
366 HandleBranch(cast<IfStmt>(Term)->getCond(), Term, B, Pred);
369 case Stmt::IndirectGotoStmtClass: {
370 // Only 1 successor: the indirect goto dispatch block.
371 assert (B->succ_size() == 1);
373 IndirectGotoNodeBuilder
374 builder(Pred, B, cast<IndirectGotoStmt>(Term)->getTarget(),
375 *(B->succ_begin()), this);
377 SubEng.processIndirectGoto(builder);
381 case Stmt::ObjCForCollectionStmtClass: {
382 // In the case of ObjCForCollectionStmt, it appears twice in a CFG:
384 // (1) inside a basic block, which represents the binding of the
385 // 'element' variable to a value.
386 // (2) in a terminator, which represents the branch.
388 // For (1), subengines will bind a value (i.e., 0 or 1) indicating
389 // whether or not collection contains any more elements. We cannot
390 // just test to see if the element is nil because a container can
391 // contain nil elements.
392 HandleBranch(Term, Term, B, Pred);
396 case Stmt::SwitchStmtClass: {
397 SwitchNodeBuilder builder(Pred, B, cast<SwitchStmt>(Term)->getCond(),
400 SubEng.processSwitch(builder);
404 case Stmt::WhileStmtClass:
405 HandleBranch(cast<WhileStmt>(Term)->getCond(), Term, B, Pred);
410 assert (B->succ_size() == 1 &&
411 "Blocks with no terminator should have at most 1 successor.");
413 generateNode(BlockEdge(B, *(B->succ_begin()), Pred->getLocationContext()),
417 void CoreEngine::HandleBranch(const Stmt *Cond, const Stmt *Term,
418 const CFGBlock * B, ExplodedNode *Pred) {
419 assert(B->succ_size() == 2);
420 BranchNodeBuilder Builder(B, *(B->succ_begin()), *(B->succ_begin()+1),
422 SubEng.processBranch(Cond, Term, Builder);
425 void CoreEngine::HandlePostStmt(const CFGBlock *B, unsigned StmtIdx,
426 ExplodedNode *Pred) {
427 assert (!B->empty());
429 if (StmtIdx == B->size())
430 HandleBlockExit(B, Pred);
432 StmtNodeBuilder Builder(B, StmtIdx, Pred, this);
433 SubEng.processCFGElement((*B)[StmtIdx], Builder);
437 /// generateNode - Utility method to generate nodes, hook up successors,
438 /// and add nodes to the worklist.
439 void CoreEngine::generateNode(const ProgramPoint &Loc,
440 const ProgramState *State,
441 ExplodedNode *Pred) {
444 ExplodedNode *Node = G->getNode(Loc, State, &IsNew);
447 Node->addPredecessor(Pred, *G); // Link 'Node' with its predecessor.
450 G->addRoot(Node); // 'Node' has no predecessor. Make it a root.
453 // Only add 'Node' to the worklist if it was freshly generated.
454 if (IsNew) WList->enqueue(Node);
458 GenericNodeBuilderImpl::generateNodeImpl(const ProgramState *state,
460 ProgramPoint programPoint,
463 hasGeneratedNode = true;
465 ExplodedNode *node = engine.getGraph().getNode(programPoint, state, &isNew);
467 node->addPredecessor(pred, engine.getGraph());
471 sinksGenerated.push_back(node);
478 StmtNodeBuilder::StmtNodeBuilder(const CFGBlock *b,
482 : Eng(*e), B(*b), Idx(idx), Pred(N),
483 PurgingDeadSymbols(false), BuildSinks(false), hasGeneratedNode(false),
484 PointKind(ProgramPoint::PostStmtKind), Tag(0) {
488 StmtNodeBuilder::~StmtNodeBuilder() {
489 for (DeferredTy::iterator I=Deferred.begin(), E=Deferred.end(); I!=E; ++I)
491 GenerateAutoTransition(*I);
494 void StmtNodeBuilder::GenerateAutoTransition(ExplodedNode *N) {
495 assert (!N->isSink());
497 // Check if this node entered a callee.
498 if (isa<CallEnter>(N->getLocation())) {
499 // Still use the index of the CallExpr. It's needed to create the callee
500 // StackFrameContext.
501 Eng.WList->enqueue(N, &B, Idx);
505 // Do not create extra nodes. Move to the next CFG element.
506 if (isa<PostInitializer>(N->getLocation())) {
507 Eng.WList->enqueue(N, &B, Idx+1);
511 PostStmt Loc(getStmt(), N->getLocationContext());
513 if (Loc == N->getLocation()) {
514 // Note: 'N' should be a fresh node because otherwise it shouldn't be
515 // a member of Deferred.
516 Eng.WList->enqueue(N, &B, Idx+1);
521 ExplodedNode *Succ = Eng.G->getNode(Loc, N->State, &IsNew);
522 Succ->addPredecessor(N, *Eng.G);
525 Eng.WList->enqueue(Succ, &B, Idx+1);
528 ExplodedNode *StmtNodeBuilder::MakeNode(ExplodedNodeSet &Dst,
531 const ProgramState *St,
532 ProgramPoint::Kind K) {
534 ExplodedNode *N = generateNode(S, St, Pred, K);
547 StmtNodeBuilder::generateNodeInternal(const Stmt *S,
548 const ProgramState *state,
550 ProgramPoint::Kind K,
551 const ProgramPointTag *tag) {
553 const ProgramPoint &L = ProgramPoint::getProgramPoint(S, K,
554 Pred->getLocationContext(), tag);
555 return generateNodeInternal(L, state, Pred);
559 StmtNodeBuilder::generateNodeInternal(const ProgramPoint &Loc,
560 const ProgramState *State,
561 ExplodedNode *Pred) {
563 ExplodedNode *N = Eng.G->getNode(Loc, State, &IsNew);
564 N->addPredecessor(Pred, *Eng.G);
565 Deferred.erase(Pred);
575 // This function generate a new ExplodedNode but not a new branch(block edge).
576 ExplodedNode *BranchNodeBuilder::generateNode(const Stmt *Condition,
577 const ProgramState *State) {
581 = Eng.G->getNode(PostCondition(Condition, Pred->getLocationContext()), State,
584 Succ->addPredecessor(Pred, *Eng.G);
594 ExplodedNode *BranchNodeBuilder::generateNode(const ProgramState *State,
597 // If the branch has been marked infeasible we should not generate a node.
598 if (!isFeasible(branch))
604 Eng.G->getNode(BlockEdge(Src,branch ? DstT:DstF,Pred->getLocationContext()),
607 Succ->addPredecessor(Pred, *Eng.G);
610 GeneratedTrue = true;
612 GeneratedFalse = true;
615 Deferred.push_back(Succ);
622 BranchNodeBuilder::~BranchNodeBuilder() {
623 if (!GeneratedTrue) generateNode(Pred->State, true);
624 if (!GeneratedFalse) generateNode(Pred->State, false);
626 for (DeferredTy::iterator I=Deferred.begin(), E=Deferred.end(); I!=E; ++I)
627 if (!(*I)->isSink()) Eng.WList->enqueue(*I);
632 IndirectGotoNodeBuilder::generateNode(const iterator &I,
633 const ProgramState *St,
637 ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, I.getBlock(),
638 Pred->getLocationContext()), St, &IsNew);
640 Succ->addPredecessor(Pred, *Eng.G);
647 Eng.WList->enqueue(Succ);
657 SwitchNodeBuilder::generateCaseStmtNode(const iterator &I,
658 const ProgramState *St) {
661 ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, I.getBlock(),
662 Pred->getLocationContext()),
664 Succ->addPredecessor(Pred, *Eng.G);
666 Eng.WList->enqueue(Succ);
674 SwitchNodeBuilder::generateDefaultCaseNode(const ProgramState *St,
676 // Get the block for the default case.
677 assert(Src->succ_rbegin() != Src->succ_rend());
678 CFGBlock *DefaultBlock = *Src->succ_rbegin();
680 // Sanity check for default blocks that are unreachable and not caught
681 // by earlier stages.
687 ExplodedNode *Succ = Eng.G->getNode(BlockEdge(Src, DefaultBlock,
688 Pred->getLocationContext()), St, &IsNew);
689 Succ->addPredecessor(Pred, *Eng.G);
695 Eng.WList->enqueue(Succ);
703 EndOfFunctionNodeBuilder::~EndOfFunctionNodeBuilder() {
704 // Auto-generate an EOP node if one has not been generated.
705 if (!hasGeneratedNode) {
706 // If we are in an inlined call, generate CallExit node.
707 if (Pred->getLocationContext()->getParent())
708 GenerateCallExitNode(Pred->State);
710 generateNode(Pred->State);
715 EndOfFunctionNodeBuilder::generateNode(const ProgramState *State,
717 const ProgramPointTag *tag) {
718 hasGeneratedNode = true;
721 ExplodedNode *Node = Eng.G->getNode(BlockEntrance(&B,
722 Pred->getLocationContext(), tag ? tag : Tag),
725 Node->addPredecessor(P ? P : Pred, *Eng.G);
728 Eng.G->addEndOfPath(Node);
735 void EndOfFunctionNodeBuilder::GenerateCallExitNode(const ProgramState *state) {
736 hasGeneratedNode = true;
737 // Create a CallExit node and enqueue it.
738 const StackFrameContext *LocCtx
739 = cast<StackFrameContext>(Pred->getLocationContext());
740 const Stmt *CE = LocCtx->getCallSite();
742 // Use the the callee location context.
743 CallExit Loc(CE, LocCtx);
746 ExplodedNode *Node = Eng.G->getNode(Loc, state, &isNew);
747 Node->addPredecessor(Pred, *Eng.G);
750 Eng.WList->enqueue(Node);
754 void CallEnterNodeBuilder::generateNode(const ProgramState *state) {
755 // Check if the callee is in the same translation unit.
756 if (CalleeCtx->getTranslationUnit() !=
757 Pred->getLocationContext()->getTranslationUnit()) {
758 // Create a new engine. We must be careful that the new engine should not
759 // reference data structures owned by the old engine.
761 AnalysisManager &OldMgr = Eng.SubEng.getAnalysisManager();
763 // Get the callee's translation unit.
764 idx::TranslationUnit *TU = CalleeCtx->getTranslationUnit();
766 // Create a new AnalysisManager with components of the callee's
768 // The Diagnostic is actually shared when we create ASTUnits from AST files.
769 AnalysisManager AMgr(TU->getASTContext(), TU->getDiagnostic(), OldMgr);
771 // Create the new engine.
772 // FIXME: This cast isn't really safe.
773 bool GCEnabled = static_cast<ExprEngine&>(Eng.SubEng).isObjCGCEnabled();
774 ExprEngine NewEng(AMgr, GCEnabled);
776 // Create the new LocationContext.
777 AnalysisContext *NewAnaCtx = AMgr.getAnalysisContext(CalleeCtx->getDecl(),
778 CalleeCtx->getTranslationUnit());
779 const StackFrameContext *OldLocCtx = CalleeCtx;
780 const StackFrameContext *NewLocCtx = AMgr.getStackFrame(NewAnaCtx,
781 OldLocCtx->getParent(),
782 OldLocCtx->getCallSite(),
783 OldLocCtx->getCallSiteBlock(),
784 OldLocCtx->getIndex());
786 // Now create an initial state for the new engine.
787 const ProgramState *NewState =
788 NewEng.getStateManager().MarshalState(state, NewLocCtx);
789 ExplodedNodeSet ReturnNodes;
790 NewEng.ExecuteWorkListWithInitialState(NewLocCtx, AMgr.getMaxNodes(),
791 NewState, ReturnNodes);
795 // Get the callee entry block.
796 const CFGBlock *Entry = &(CalleeCtx->getCFG()->getEntry());
797 assert(Entry->empty());
798 assert(Entry->succ_size() == 1);
800 // Get the solitary successor.
801 const CFGBlock *SuccB = *(Entry->succ_begin());
803 // Construct an edge representing the starting location in the callee.
804 BlockEdge Loc(Entry, SuccB, CalleeCtx);
807 ExplodedNode *Node = Eng.G->getNode(Loc, state, &isNew);
808 Node->addPredecessor(const_cast<ExplodedNode*>(Pred), *Eng.G);
811 Eng.WList->enqueue(Node);
814 void CallExitNodeBuilder::generateNode(const ProgramState *state) {
815 // Get the callee's location context.
816 const StackFrameContext *LocCtx
817 = cast<StackFrameContext>(Pred->getLocationContext());
818 // When exiting an implicit automatic obj dtor call, the callsite is the Stmt
819 // that triggers the dtor.
820 PostStmt Loc(LocCtx->getCallSite(), LocCtx->getParent());
822 ExplodedNode *Node = Eng.G->getNode(Loc, state, &isNew);
823 Node->addPredecessor(const_cast<ExplodedNode*>(Pred), *Eng.G);
825 Eng.WList->enqueue(Node, LocCtx->getCallSiteBlock(),
826 LocCtx->getIndex() + 1);
projects / FreeBSD / releng / 9.0.git / blob