CallEvent.cpp source code [clang/lib/StaticAnalyzer/Core/CallEvent.cpp]

1	//===- CallEvent.cpp - Wrapper for all function and method calls ----------===//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	/// \file This file defines CallEvent and its subclasses, which represent path-
10	/// sensitive instances of different kinds of function and method calls
11	/// (C, C++, and Objective-C).
12	//
13	//===----------------------------------------------------------------------===//
14
15	#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
16	#include "clang/AST/ASTContext.h"
17	#include "clang/AST/Attr.h"
18	#include "clang/AST/Decl.h"
19	#include "clang/AST/DeclBase.h"
20	#include "clang/AST/DeclCXX.h"
21	#include "clang/AST/DeclObjC.h"
22	#include "clang/AST/Expr.h"
23	#include "clang/AST/ExprCXX.h"
24	#include "clang/AST/ExprObjC.h"
25	#include "clang/AST/ParentMap.h"
26	#include "clang/AST/Stmt.h"
27	#include "clang/AST/Type.h"
28	#include "clang/Analysis/AnalysisDeclContext.h"
29	#include "clang/Analysis/CFG.h"
30	#include "clang/Analysis/CFGStmtMap.h"
31	#include "clang/Analysis/PathDiagnostic.h"
32	#include "clang/Analysis/ProgramPoint.h"
33	#include "clang/Basic/IdentifierTable.h"
34	#include "clang/Basic/LLVM.h"
35	#include "clang/Basic/SourceLocation.h"
36	#include "clang/Basic/SourceManager.h"
37	#include "clang/Basic/Specifiers.h"
38	#include "clang/CrossTU/CrossTranslationUnit.h"
39	#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
40	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
41	#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
42	#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h"
43	#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
44	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
45	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
46	#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
47	#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
48	#include "clang/StaticAnalyzer/Core/PathSensitive/Store.h"
49	#include "llvm/ADT/ArrayRef.h"
50	#include "llvm/ADT/DenseMap.h"
51	#include "llvm/ADT/ImmutableList.h"
52	#include "llvm/ADT/PointerIntPair.h"
53	#include "llvm/ADT/SmallSet.h"
54	#include "llvm/ADT/SmallVector.h"
55	#include "llvm/ADT/StringExtras.h"
56	#include "llvm/ADT/StringRef.h"
57	#include "llvm/Support/Casting.h"
58	#include "llvm/Support/Compiler.h"
59	#include "llvm/Support/Debug.h"
60	#include "llvm/Support/ErrorHandling.h"
61	#include "llvm/Support/raw_ostream.h"
62	#include <cassert>
63	#include <optional>
64	#include <utility>
65
66	#define DEBUG_TYPE "static-analyzer-call-event"
67
68	using namespace clang;
69	using namespace ento;
70
71	QualType CallEvent::getResultType() const {
72	ASTContext &Ctx = getState()->getStateManager().getContext();
73	const Expr *E = getOriginExpr();
74	if (!E)
75	return Ctx.VoidTy;
76	return Ctx.getReferenceQualifiedType(e: E);
77	}
78
79	static bool isCallback(QualType T) {
80	// If a parameter is a block or a callback, assume it can modify pointer.
81	if (T ->isBlockPointerType() \|\|
82	T ->isFunctionPointerType() \|\|
83	T ->isObjCSelType())
84	return true;
85
86	// Check if a callback is passed inside a struct (for both, struct passed by
87	// reference and by value). Dig just one level into the struct for now.
88
89	if (T ->isAnyPointerType() \|\| T ->isReferenceType())
90	T = T ->getPointeeType();
91
92	if (const RecordType *RT = T->getAsStructureType()) {
93	const RecordDecl *RD = RT->getDecl();
94	for (const auto *I : RD->fields()) {
95	QualType FieldT = I->getType();
96	if (FieldT->isBlockPointerType() \|\| FieldT->isFunctionPointerType())
97	return true;
98	}
99	}
100	return false;
101	}
102
103	static bool isVoidPointerToNonConst(QualType T) {
104	if (const auto *PT = T ->getAs<PointerType>()) {
105	QualType PointeeTy = PT->getPointeeType();
106	if (PointeeTy.isConstQualified())
107	return false;
108	return PointeeTy ->isVoidType();
109	} else
110	return false;
111	}
112
113	bool CallEvent::hasNonNullArgumentsWithType(bool (Condition)(QualType)) const* {
114	unsigned NumOfArgs = getNumArgs();
115
116	// If calling using a function pointer, assume the function does not
117	// satisfy the callback.
118	// TODO: We could check the types of the arguments here.
119	if (!getDecl())
120	return false;
121
122	unsigned Idx = `0`;
123	for (CallEvent::param_type_iterator I = param_type_begin(),
124	E = param_type_end();
125	I != E && Idx < NumOfArgs; ++I, ++Idx) {
126	// If the parameter is 0, it's harmless.
127	if (getArgSVal(Index: Idx).isZeroConstant())
128	continue;
129
130	if (Condition(*I))
131	return true;
132	}
133	return false;
134	}
135
136	bool CallEvent::hasNonZeroCallbackArg() const {
137	return hasNonNullArgumentsWithType(Condition: isCallback);
138	}
139
140	bool CallEvent::hasVoidPointerToNonConstArg() const {
141	return hasNonNullArgumentsWithType(Condition: isVoidPointerToNonConst);
142	}
143
144	bool CallEvent::isGlobalCFunction(StringRef FunctionName) const {
145	const auto *FD = dyn_cast_or_null<FunctionDecl>(Val: getDecl());
146	if (!FD)
147	return false;
148
149	return CheckerContext::isCLibraryFunction(FD, Name: FunctionName);
150	}
151
152	AnalysisDeclContext CallEvent::getCalleeAnalysisDeclContext() const* {
153	const Decl *D = getDecl();
154	if (!D)
155	return nullptr;
156
157	AnalysisDeclContext *ADC =
158	LCtx->getAnalysisDeclContext()->getManager()->getContext(D);
159
160	return ADC;
161	}
162
163	const StackFrameContext *
164	CallEvent::getCalleeStackFrame(unsigned BlockCount) const {
165	AnalysisDeclContext *ADC = getCalleeAnalysisDeclContext();
166	if (!ADC)
167	return nullptr;
168
169	const Expr *E = getOriginExpr();
170	if (!E)
171	return nullptr;
172
173	// Recover CFG block via reverse lookup.
174	// TODO: If we were to keep CFG element information as part of the CallEvent
175	// instead of doing this reverse lookup, we would be able to build the stack
176	// frame for non-expression-based calls, and also we wouldn't need the reverse
177	// lookup.
178	CFGStmtMap *Map = LCtx->getAnalysisDeclContext()->getCFGStmtMap();
179	const CFGBlock *B = Map->getBlock(E);
180	assert(B);
181
182	// Also recover CFG index by scanning the CFG block.
183	unsigned Idx = `0`, Sz = B->size();
184	for (; Idx < Sz; ++Idx)
185	if (auto StmtElem = (*B)[Idx].getAs<CFGStmt>())
186	if (StmtElem->getStmt() == E)
187	break;
188	assert(Idx < Sz);
189
190	return ADC->getManager()->getStackFrame(ADC, LCtx, E, B, BlockCount, Idx);
191	}
192
193	const ParamVarRegion
194	CallEvent::getParameterLocation(unsigned* Index, unsigned BlockCount) const {
195	const StackFrameContext *SFC = getCalleeStackFrame(BlockCount);
196	// We cannot construct a VarRegion without a stack frame.
197	if (!SFC)
198	return nullptr;
199
200	const ParamVarRegion *PVR =
201	State ->getStateManager().getRegionManager().getParamVarRegion(
202	OriginExpr: getOriginExpr(), Index, LC: SFC);
203	return PVR;
204	}
205
206	/// Returns true if a type is a pointer-to-const or reference-to-const
207	/// with no further indirection.
208	static bool isPointerToConst(QualType Ty) {
209	QualType PointeeTy = Ty ->getPointeeType();
210	if (PointeeTy == QualType ())
211	return false;
212	if (!PointeeTy.isConstQualified())
213	return false;
214	if (PointeeTy ->isAnyPointerType())
215	return false;
216	return true;
217	}
218
219	// Try to retrieve the function declaration and find the function parameter
220	// types which are pointers/references to a non-pointer const.
221	// We will not invalidate the corresponding argument regions.
222	static void findPtrToConstParams(llvm::SmallSet<unsigned, `4`> &PreserveArgs,
223	const CallEvent &Call) {
224	unsigned Idx = `0`;
225	for (CallEvent::param_type_iterator I = Call.param_type_begin(),
226	E = Call.param_type_end();
227	I != E; ++I, ++Idx) {
228	if (isPointerToConst(Ty: *I))
229	PreserveArgs.insert(V: Idx);
230	}
231	}
232
233	ProgramStateRef CallEvent::invalidateRegions(unsigned BlockCount,
234	ProgramStateRef Orig) const {
235	ProgramStateRef Result = (Orig ? Orig : getState());
236
237	// Don't invalidate anything if the callee is marked pure/const.
238	if (const Decl *callee = getDecl())
239	if (callee->hasAttr<PureAttr>() \|\| callee->hasAttr<ConstAttr>())
240	return Result;
241
242	SmallVector<SVal, `8`> ValuesToInvalidate;
243	RegionAndSymbolInvalidationTraits ETraits;
244
245	getExtraInvalidatedValues(Values&: ValuesToInvalidate, ETraits: &ETraits);
246
247	// Indexes of arguments whose values will be preserved by the call.
248	llvm::SmallSet<unsigned, `4`> PreserveArgs;
249	if (!argumentsMayEscape())
250	findPtrToConstParams(PreserveArgs, Call: *this);
251
252	for (unsigned Idx = `0`, Count = getNumArgs(); Idx != Count; ++Idx) {
253	// Mark this region for invalidation. We batch invalidate regions
254	// below for efficiency.
255	if (PreserveArgs.count(V: Idx))
256	if (const MemRegion *MR = getArgSVal(Index: Idx).getAsRegion())
257	ETraits.setTrait(MR: MR->getBaseRegion(),
258	IK: RegionAndSymbolInvalidationTraits::TK_PreserveContents);
259	// TODO: Factor this out + handle the lower level const pointers.
260
261	ValuesToInvalidate.push_back(Elt: getArgSVal(Index: Idx));
262
263	// If a function accepts an object by argument (which would of course be a
264	// temporary that isn't lifetime-extended), invalidate the object itself,
265	// not only other objects reachable from it. This is necessary because the
266	// destructor has access to the temporary object after the call.
267	// TODO: Support placement arguments once we start
268	// constructing them directly.
269	// TODO: This is unnecessary when there's no destructor, but that's
270	// currently hard to figure out.
271	if (getKind() != CE_CXXAllocator)
272	if (isArgumentConstructedDirectly(Index: Idx))
273	if (auto AdjIdx = getAdjustedParameterIndex(ASTArgumentIndex: Idx))
274	if (const TypedValueRegion *TVR =
275	getParameterLocation(Index: *AdjIdx, BlockCount))
276	ValuesToInvalidate.push_back(Elt: loc::MemRegionVal (TVR));
277	}
278
279	// Invalidate designated regions using the batch invalidation API.
280	// NOTE: Even if RegionsToInvalidate is empty, we may still invalidate
281	// global variables.
282	return Result ->invalidateRegions(Regions: ValuesToInvalidate, E: getOriginExpr(),
283	BlockCount, LCtx: getLocationContext(),
284	/CausedByPointerEscape/ CausesPointerEscape: true,
285	/Symbols=/IS: nullptr, Call: this, ITraits: &ETraits);
286	}
287
288	ProgramPoint CallEvent::getProgramPoint(bool IsPreVisit,
289	const ProgramPointTag Tag) const* {
290
291	if (const Expr *E = getOriginExpr()) {
292	if (IsPreVisit)
293	return PreStmt(E, getLocationContext(), Tag);
294	return PostStmt(E, getLocationContext(), Tag);
295	}
296
297	const Decl *D = getDecl();
298	assert(D && "Cannot get a program point without a statement or decl");
299	assert(ElemRef.getParent() &&
300	"Cannot get a program point without a CFGElementRef");
301
302	SourceLocation Loc = getSourceRange().getBegin();
303	if (IsPreVisit)
304	return PreImplicitCall (D, Loc, getLocationContext(), ElemRef, Tag);
305	return PostImplicitCall (D, Loc, getLocationContext(), ElemRef, Tag);
306	}
307
308	SVal CallEvent::getArgSVal(unsigned Index) const {
309	const Expr *ArgE = getArgExpr(Index);
310	if (!ArgE)
311	return UnknownVal ();
312	return getSVal(ArgE);
313	}
314
315	SourceRange CallEvent::getArgSourceRange(unsigned Index) const {
316	const Expr *ArgE = getArgExpr(Index);
317	if (!ArgE)
318	return {};
319	return ArgE->getSourceRange();
320	}
321
322	SVal CallEvent::getReturnValue() const {
323	const Expr *E = getOriginExpr();
324	if (!E)
325	return UndefinedVal ();
326	return getSVal(E);
327	}
328
329	LLVM_DUMP_METHOD void CallEvent::dump() const { dump(Out&: llvm::errs()); }
330
331	void CallEvent::dump(raw_ostream &Out) const {
332	ASTContext &Ctx = getState()->getStateManager().getContext();
333	if (const Expr *E = getOriginExpr()) {
334	E->printPretty(Out, nullptr, Ctx.getPrintingPolicy());
335	return;
336	}
337
338	if (const Decl *D = getDecl()) {
339	Out << "Call to ";
340	D->print(Out, Policy: Ctx.getPrintingPolicy());
341	return;
342	}
343
344	Out << "Unknown call (type " << getKindAsString() << ")";
345	}
346
347	bool CallEvent::isCallStmt(const Stmt *S) {
348	return isa<CallExpr, ObjCMessageExpr, CXXConstructExpr, CXXNewExpr>(Val: S);
349	}
350
351	QualType CallEvent::getDeclaredResultType(const Decl *D) {
352	assert(D);
353	if (const auto *FD = dyn_cast<FunctionDecl>(Val: D))
354	return FD->getReturnType();
355	if (const auto *MD = dyn_cast<ObjCMethodDecl>(Val: D))
356	return MD->getReturnType();
357	if (const auto *BD = dyn_cast<BlockDecl>(Val: D)) {
358	// Blocks are difficult because the return type may not be stored in the
359	// BlockDecl itself. The AST should probably be enhanced, but for now we
360	// just do what we can.
361	// If the block is declared without an explicit argument list, the
362	// signature-as-written just includes the return type, not the entire
363	// function type.
364	// FIXME: All blocks should have signatures-as-written, even if the return
365	// type is inferred. (That's signified with a dependent result type.)
366	if (const TypeSourceInfo *TSI = BD->getSignatureAsWritten()) {
367	QualType Ty = TSI->getType();
368	if (const FunctionType *FT = Ty ->getAs<FunctionType>())
369	Ty = FT->getReturnType();
370	if (!Ty ->isDependentType())
371	return Ty;
372	}
373
374	return {};
375	}
376
377	llvm_unreachable("unknown callable kind");
378	}
379
380	bool CallEvent::isVariadic(const Decl *D) {
381	assert(D);
382
383	if (const auto *FD = dyn_cast<FunctionDecl>(Val: D))
384	return FD->isVariadic();
385	if (const auto *MD = dyn_cast<ObjCMethodDecl>(Val: D))
386	return MD->isVariadic();
387	if (const auto *BD = dyn_cast<BlockDecl>(Val: D))
388	return BD->isVariadic();
389
390	llvm_unreachable("unknown callable kind");
391	}
392
393	static bool isTransparentUnion(QualType T) {
394	const RecordType *UT = T->getAsUnionType();
395	return UT && UT->getDecl()->hasAttr<TransparentUnionAttr>();
396	}
397
398	// In some cases, symbolic cases should be transformed before we associate
399	// them with parameters. This function incapsulates such cases.
400	static SVal processArgument(SVal Value, const Expr *ArgumentExpr,
401	const ParmVarDecl *Parameter, SValBuilder &SVB) {
402	QualType ParamType = Parameter->getType();
403	QualType ArgumentType = ArgumentExpr->getType();
404
405	// Transparent unions allow users to easily convert values of union field
406	// types into union-typed objects.
407	//
408	// Also, more importantly, they allow users to define functions with different
409	// different parameter types, substituting types matching transparent union
410	// field types with the union type itself.
411	//
412	// Here, we check specifically for latter cases and prevent binding
413	// field-typed values to union-typed regions.
414	if (isTransparentUnion(T: ParamType) &&
415	// Let's check that we indeed trying to bind different types.
416	!isTransparentUnion(T: ArgumentType)) {
417	BasicValueFactory &BVF = SVB.getBasicValueFactory();
418
419	llvm::ImmutableList<SVal> CompoundSVals = BVF.getEmptySValList();
420	CompoundSVals = BVF.prependSVal(X: Value, L: CompoundSVals);
421
422	// Wrap it with compound value.
423	return SVB.makeCompoundVal(type: ParamType, vals: CompoundSVals);
424	}
425
426	return Value;
427	}
428
429	/// Cast the argument value to the type of the parameter at the function
430	/// declaration.
431	/// Returns the argument value if it didn't need a cast.
432	/// Or returns the cast argument if it needed a cast.
433	/// Or returns 'Unknown' if it would need a cast but the callsite and the
434	/// runtime definition don't match in terms of argument and parameter count.
435	static SVal castArgToParamTypeIfNeeded(const CallEvent &Call, unsigned ArgIdx,
436	SVal ArgVal, SValBuilder &SVB) {
437	const FunctionDecl *RTDecl =
438	Call.getRuntimeDefinition().getDecl()->getAsFunction();
439	const auto *CallExprDecl = dyn_cast_or_null<FunctionDecl>(Val: Call.getDecl());
440
441	if (!RTDecl \|\| !CallExprDecl)
442	return ArgVal;
443
444	// The function decl of the Call (in the AST) will not have any parameter
445	// declarations, if it was 'only' declared without a prototype. However, the
446	// engine will find the appropriate runtime definition - basically a
447	// redeclaration, which has a function body (and a function prototype).
448	if (CallExprDecl->hasPrototype() \|\| !RTDecl->hasPrototype())
449	return ArgVal;
450
451	// Only do this cast if the number arguments at the callsite matches with
452	// the parameters at the runtime definition.
453	if (Call.getNumArgs() != RTDecl->getNumParams())
454	return UnknownVal ();
455
456	const Expr *ArgExpr = Call.getArgExpr(Index: ArgIdx);
457	const ParmVarDecl *Param = RTDecl->getParamDecl(i: ArgIdx);
458	return SVB.evalCast(V: ArgVal, CastTy: Param->getType(), OriginalTy: ArgExpr->getType());
459	}
460
461	static void addParameterValuesToBindings(const StackFrameContext *CalleeCtx,
462	CallEvent::BindingsTy &Bindings,
463	SValBuilder &SVB,
464	const CallEvent &Call,
465	ArrayRef<ParmVarDecl*> parameters) {
466	MemRegionManager &MRMgr = SVB.getRegionManager();
467
468	// If the function has fewer parameters than the call has arguments, we simply
469	// do not bind any values to them.
470	unsigned NumArgs = Call.getNumArgs();
471	unsigned Idx = `0`;
472	ArrayRef<ParmVarDecl*>::iterator I = parameters.begin(), E = parameters.end();
473	for (; I != E && Idx < NumArgs; ++I, ++Idx) {
474	assert(*I && "Formal parameter has no decl?");
475
476	// TODO: Support allocator calls.
477	if (Call.getKind() != CE_CXXAllocator)
478	if (Call.isArgumentConstructedDirectly(Index: Call.getASTArgumentIndex(CallArgumentIndex: Idx)))
479	continue;
480
481	// TODO: Allocators should receive the correct size and possibly alignment,
482	// determined in compile-time but not represented as arg-expressions,
483	// which makes getArgSVal() fail and return UnknownVal.
484	SVal ArgVal = Call.getArgSVal(Index: Idx);
485	const Expr *ArgExpr = Call.getArgExpr(Index: Idx);
486
487	if (ArgVal.isUnknown())
488	continue;
489
490	// Cast the argument value to match the type of the parameter in some
491	// edge-cases.
492	ArgVal = castArgToParamTypeIfNeeded(Call, ArgIdx: Idx, ArgVal, SVB);
493
494	Loc ParamLoc = SVB.makeLoc(
495	region: MRMgr.getParamVarRegion(OriginExpr: Call.getOriginExpr(), Index: Idx, LC: CalleeCtx));
496	Bindings.push_back(
497	Elt: std::make_pair(x&: ParamLoc, y: processArgument(Value: ArgVal, ArgumentExpr: ArgExpr, Parameter: *I, SVB)));
498	}
499
500	// FIXME: Variadic arguments are not handled at all right now.
501	}
502
503	const ConstructionContext CallEvent::getConstructionContext() const* {
504	const StackFrameContext *StackFrame = getCalleeStackFrame(BlockCount: `0`);
505	if (!StackFrame)
506	return nullptr;
507
508	const CFGElement Element = StackFrame->getCallSiteCFGElement();
509	if (const auto Ctor = Element.getAs<CFGConstructor>()) {
510	return Ctor ->getConstructionContext();
511	}
512
513	if (const auto RecCall = Element.getAs<CFGCXXRecordTypedCall>()) {
514	return RecCall ->getConstructionContext();
515	}
516
517	return nullptr;
518	}
519
520	const CallEventRef<> CallEvent::getCaller() const {
521	const auto CallLocationContext = this*->getLocationContext();
522	if (!CallLocationContext \|\| CallLocationContext->inTopFrame())
523	return nullptr;
524
525	const auto *CallStackFrameContext = CallLocationContext->getStackFrame();
526	if (!CallStackFrameContext)
527	return nullptr;
528
529	CallEventManager &CEMgr = State ->getStateManager().getCallEventManager();
530	return CEMgr.getCaller(CalleeCtx: CallStackFrameContext, State);
531	}
532
533	bool CallEvent::isCalledFromSystemHeader() const {
534	if (const CallEventRef<> Caller = getCaller())
535	return Caller ->isInSystemHeader();
536
537	return false;
538	}
539
540	std::optional<SVal> CallEvent::getReturnValueUnderConstruction() const {
541	const auto *CC = getConstructionContext();
542	if (!CC)
543	return std::nullopt;
544
545	EvalCallOptions CallOpts;
546	ExprEngine &Engine = getState()->getStateManager().getOwningEngine();
547	SVal RetVal = Engine.computeObjectUnderConstruction(
548	E: getOriginExpr(), State: getState(), BldrCtx: &Engine.getBuilderContext(),
549	LCtx: getLocationContext(), CC, CallOpts);
550	return RetVal;
551	}
552
553	ArrayRef<ParmVarDecl> AnyFunctionCall::parameters() const* {
554	const FunctionDecl *D = getDecl();
555	if (!D)
556	return std::nullopt;
557	return D->parameters();
558	}
559
560	RuntimeDefinition AnyFunctionCall::getRuntimeDefinition() const {
561	const FunctionDecl *FD = getDecl();
562	if (!FD)
563	return {};
564
565	// Note that the AnalysisDeclContext will have the FunctionDecl with
566	// the definition (if one exists).
567	AnalysisDeclContext *AD =
568	getLocationContext()->getAnalysisDeclContext()->
569	getManager()->getContext(FD);
570	bool IsAutosynthesized;
571	Stmt* Body = AD->getBody(IsAutosynthesized);
572	LLVM_DEBUG({
573	if (IsAutosynthesized)
574	llvm::dbgs() << "Using autosynthesized body for " << FD->getName()
575	<< "\n";
576	});
577
578	ExprEngine &Engine = getState()->getStateManager().getOwningEngine();
579	cross_tu::CrossTranslationUnitContext &CTUCtx =
580	*Engine.getCrossTranslationUnitContext();
581
582	AnalyzerOptions &Opts = Engine.getAnalysisManager().options;
583
584	if (Body) {
585	const Decl* Decl = AD->getDecl();
586	if (Opts.IsNaiveCTUEnabled && CTUCtx.isImportedAsNew(ToDecl: Decl)) {
587	// A newly created definition, but we had error(s) during the import.
588	if (CTUCtx.hasError(ToDecl: Decl))
589	return {};
590	return RuntimeDefinition (Decl, /Foreign=/true);
591	}
592	return RuntimeDefinition (Decl, /Foreign=/false);
593	}
594
595	// Try to get CTU definition only if CTUDir is provided.
596	if (!Opts.IsNaiveCTUEnabled)
597	return {};
598
599	llvm::Expected<const FunctionDecl *> CTUDeclOrError =
600	CTUCtx.getCrossTUDefinition(FD, CrossTUDir: Opts.CTUDir, IndexName: Opts.CTUIndexName,
601	DisplayCTUProgress: Opts.DisplayCTUProgress);
602
603	if (!CTUDeclOrError) {
604	handleAllErrors(E: CTUDeclOrError.takeError(),
605	Handlers: [&](const cross_tu::IndexError &IE) {
606	CTUCtx.emitCrossTUDiagnostics(IE);
607	});
608	return {};
609	}
610
611	return RuntimeDefinition(CTUDeclOrError, /Foreign=/*true);
612	}
613
614	void AnyFunctionCall::getInitialStackFrameContents(
615	const StackFrameContext *CalleeCtx,
616	BindingsTy &Bindings) const {
617	const auto *D = cast<FunctionDecl>(Val: CalleeCtx->getDecl());
618	SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
619	addParameterValuesToBindings(CalleeCtx, Bindings, SVB, Call: *this,
620	parameters: D->parameters());
621	}
622
623	bool AnyFunctionCall::argumentsMayEscape() const {
624	if (CallEvent::argumentsMayEscape() \|\| hasVoidPointerToNonConstArg())
625	return true;
626
627	const FunctionDecl *D = getDecl();
628	if (!D)
629	return true;
630
631	const IdentifierInfo *II = D->getIdentifier();
632	if (!II)
633	return false;
634
635	// This set of "escaping" APIs is
636
637	// - 'int pthread_setspecific(ptheread_key k, const void )' stores a*
638	// value into thread local storage. The value can later be retrieved with
639	// 'void ptheread_getspecific(pthread_key)'. So even thought the*
640	// parameter is 'const void ', the region escapes through the call.*
641	if (II->isStr(Str: "pthread_setspecific"))
642	return true;
643
644	// - xpc_connection_set_context stores a value which can be retrieved later
645	// with xpc_connection_get_context.
646	if (II->isStr(Str: "xpc_connection_set_context"))
647	return true;
648
649	// - funopen - sets a buffer for future IO calls.
650	if (II->isStr(Str: "funopen"))
651	return true;
652
653	// - __cxa_demangle - can reallocate memory and can return the pointer to
654	// the input buffer.
655	if (II->isStr(Str: "__cxa_demangle"))
656	return true;
657
658	StringRef FName = II->getName();
659
660	// - CoreFoundation functions that end with "NoCopy" can free a passed-in
661	// buffer even if it is const.
662	if (FName.ends_with(Suffix: "NoCopy"))
663	return true;
664
665	// - NSXXInsertXX, for example NSMapInsertIfAbsent, since they can
666	// be deallocated by NSMapRemove.
667	if (FName.starts_with(Prefix: "NS") && FName.contains(Other: "Insert"))
668	return true;
669
670	// - Many CF containers allow objects to escape through custom
671	// allocators/deallocators upon container construction. (PR12101)
672	if (FName.starts_with(Prefix: "CF") \|\| FName.starts_with(Prefix: "CG")) {
673	return StrInStrNoCase(s1: FName, s2: "InsertValue") != StringRef::npos \|\|
674	StrInStrNoCase(s1: FName, s2: "AddValue") != StringRef::npos \|\|
675	StrInStrNoCase(s1: FName, s2: "SetValue") != StringRef::npos \|\|
676	StrInStrNoCase(s1: FName, s2: "WithData") != StringRef::npos \|\|
677	StrInStrNoCase(s1: FName, s2: "AppendValue") != StringRef::npos \|\|
678	StrInStrNoCase(s1: FName, s2: "SetAttribute") != StringRef::npos;
679	}
680
681	return false;
682	}
683
684	const FunctionDecl SimpleFunctionCall::getDecl() const* {
685	const FunctionDecl *D = getOriginExpr()->getDirectCallee();
686	if (D)
687	return D;
688
689	return getSVal(getOriginExpr()->getCallee()).getAsFunctionDecl();
690	}
691
692	const FunctionDecl CXXInstanceCall::getDecl() const* {
693	const auto *CE = cast_or_null<CallExpr>(Val: getOriginExpr());
694	if (!CE)
695	return AnyFunctionCall::getDecl();
696
697	const FunctionDecl *D = CE->getDirectCallee();
698	if (D)
699	return D;
700
701	return getSVal(CE->getCallee()).getAsFunctionDecl();
702	}
703
704	void CXXInstanceCall::getExtraInvalidatedValues(
705	ValueList &Values, RegionAndSymbolInvalidationTraits ETraits) const* {
706	SVal ThisVal = getCXXThisVal();
707	Values.push_back(Elt: ThisVal);
708
709	// Don't invalidate if the method is const and there are no mutable fields.
710	if (const auto *D = cast_or_null<CXXMethodDecl>(Val: getDecl())) {
711	if (!D->isConst())
712	return;
713	// Get the record decl for the class of 'This'. D->getParent() may return a
714	// base class decl, rather than the class of the instance which needs to be
715	// checked for mutable fields.
716	// TODO: We might as well look at the dynamic type of the object.
717	const Expr *Ex = getCXXThisExpr()->IgnoreParenBaseCasts();
718	QualType T = Ex->getType();
719	if (T ->isPointerType()) // Arrow or implicit-this syntax?
720	T = T ->getPointeeType();
721	const CXXRecordDecl *ParentRecord = T ->getAsCXXRecordDecl();
722	assert(ParentRecord);
723	if (ParentRecord->hasMutableFields())
724	return;
725	// Preserve CXXThis.
726	const MemRegion *ThisRegion = ThisVal.getAsRegion();
727	if (!ThisRegion)
728	return;
729
730	ETraits->setTrait(MR: ThisRegion->getBaseRegion(),
731	IK: RegionAndSymbolInvalidationTraits::TK_PreserveContents);
732	}
733	}
734
735	SVal CXXInstanceCall::getCXXThisVal() const {
736	const Expr *Base = getCXXThisExpr();
737	// FIXME: This doesn't handle an overloaded -> operator.*
738	SVal ThisVal = Base ? getSVal(Base) : UnknownVal ();
739
740	if (isa<NonLoc>(Val: ThisVal)) {
741	SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
742	QualType OriginalTy = ThisVal.getType(SVB.getContext());
743	return SVB.evalCast(V: ThisVal, CastTy: Base->getType(), OriginalTy);
744	}
745
746	assert(ThisVal.isUnknownOrUndef() \|\| isa<Loc>(ThisVal));
747	return ThisVal;
748	}
749
750	RuntimeDefinition CXXInstanceCall::getRuntimeDefinition() const {
751	// Do we have a decl at all?
752	const Decl *D = getDecl();
753	if (!D)
754	return {};
755
756	// If the method is non-virtual, we know we can inline it.
757	const auto *MD = cast<CXXMethodDecl>(Val: D);
758	if (!MD->isVirtual())
759	return AnyFunctionCall::getRuntimeDefinition();
760
761	// Do we know the implicit 'this' object being called?
762	const MemRegion *R = getCXXThisVal().getAsRegion();
763	if (!R)
764	return {};
765
766	// Do we know anything about the type of 'this'?
767	DynamicTypeInfo DynType = getDynamicTypeInfo(State: getState(), MR: R);
768	if (!DynType.isValid())
769	return {};
770
771	// Is the type a C++ class? (This is mostly a defensive check.)
772	QualType RegionType = DynType.getType()->getPointeeType();
773	assert(!RegionType.isNull() && "DynamicTypeInfo should always be a pointer.");
774
775	const CXXRecordDecl *RD = RegionType ->getAsCXXRecordDecl();
776	if (!RD \|\| !RD->hasDefinition())
777	return {};
778
779	// Find the decl for this method in that class.
780	const CXXMethodDecl Result = MD->getCorrespondingMethodInClass(RD, true*);
781	if (!Result) {
782	// We might not even get the original statically-resolved method due to
783	// some particularly nasty casting (e.g. casts to sister classes).
784	// However, we should at least be able to search up and down our own class
785	// hierarchy, and some real bugs have been caught by checking this.
786	assert(!RD->isDerivedFrom(MD->getParent()) && "Couldn't find known method");
787
788	// FIXME: This is checking that our DynamicTypeInfo is at least as good as
789	// the static type. However, because we currently don't update
790	// DynamicTypeInfo when an object is cast, we can't actually be sure the
791	// DynamicTypeInfo is up to date. This assert should be re-enabled once
792	// this is fixed.
793	//
794	// assert(!MD->getParent()->isDerivedFrom(RD) && "Bad DynamicTypeInfo");
795
796	return {};
797	}
798
799	// Does the decl that we found have an implementation?
800	const FunctionDecl *Definition;
801	if (!Result->hasBody(Definition)) {
802	if (!DynType.canBeASubClass())
803	return AnyFunctionCall::getRuntimeDefinition();
804	return {};
805	}
806
807	// We found a definition. If we're not sure that this devirtualization is
808	// actually what will happen at runtime, make sure to provide the region so
809	// that ExprEngine can decide what to do with it.
810	if (DynType.canBeASubClass())
811	return RuntimeDefinition(Definition, R->StripCasts());
812	return RuntimeDefinition(Definition, /DispatchRegion=/nullptr);
813	}
814
815	void CXXInstanceCall::getInitialStackFrameContents(
816	const StackFrameContext *CalleeCtx,
817	BindingsTy &Bindings) const {
818	AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings);
819
820	// Handle the binding of 'this' in the new stack frame.
821	SVal ThisVal = getCXXThisVal();
822	if (!ThisVal.isUnknown()) {
823	ProgramStateManager &StateMgr = getState()->getStateManager();
824	SValBuilder &SVB = StateMgr.getSValBuilder();
825
826	const auto *MD = cast<CXXMethodDecl>(Val: CalleeCtx->getDecl());
827	Loc ThisLoc = SVB.getCXXThis(D: MD, SFC: CalleeCtx);
828
829	// If we devirtualized to a different member function, we need to make sure
830	// we have the proper layering of CXXBaseObjectRegions.
831	if (MD->getCanonicalDecl() != getDecl()->getCanonicalDecl()) {
832	ASTContext &Ctx = SVB.getContext();
833	const CXXRecordDecl *Class = MD->getParent();
834	QualType Ty = Ctx.getPointerType(T: Ctx.getRecordType(Class));
835
836	// FIXME: CallEvent maybe shouldn't be directly accessing StoreManager.
837	std::optional<SVal> V =
838	StateMgr.getStoreManager().evalBaseToDerived(Base: ThisVal, DerivedPtrType: Ty);
839	if (!V) {
840	// We might have suffered some sort of placement new earlier, so
841	// we're constructing in a completely unexpected storage.
842	// Fall back to a generic pointer cast for this-value.
843	const CXXMethodDecl *StaticMD = cast<CXXMethodDecl>(Val: getDecl());
844	const CXXRecordDecl *StaticClass = StaticMD->getParent();
845	QualType StaticTy = Ctx.getPointerType(T: Ctx.getRecordType(StaticClass));
846	ThisVal = SVB.evalCast(V: ThisVal, CastTy: Ty, OriginalTy: StaticTy);
847	} else
848	ThisVal = *V;
849	}
850
851	if (!ThisVal.isUnknown())
852	Bindings.push_back(Elt: std::make_pair(x&: ThisLoc, y&: ThisVal));
853	}
854	}
855
856	const Expr CXXMemberCall::getCXXThisExpr() const* {
857	return getOriginExpr()->getImplicitObjectArgument();
858	}
859
860	RuntimeDefinition CXXMemberCall::getRuntimeDefinition() const {
861	// C++11 [expr.call]p1: ...If the selected function is non-virtual, or if the
862	// id-expression in the class member access expression is a qualified-id,
863	// that function is called. Otherwise, its final overrider in the dynamic type
864	// of the object expression is called.
865	if (const auto *ME = dyn_cast<MemberExpr>(getOriginExpr()->getCallee()))
866	if (ME->hasQualifier())
867	return AnyFunctionCall::getRuntimeDefinition();
868
869	return CXXInstanceCall::getRuntimeDefinition();
870	}
871
872	const Expr CXXMemberOperatorCall::getCXXThisExpr() const* {
873	return getOriginExpr()->getArg(`0`);
874	}
875
876	const BlockDataRegion BlockCall::getBlockRegion() const* {
877	const Expr *Callee = getOriginExpr()->getCallee();
878	const MemRegion *DataReg = getSVal(Callee).getAsRegion();
879
880	return dyn_cast_or_null<BlockDataRegion>(Val: DataReg);
881	}
882
883	ArrayRef<ParmVarDecl> BlockCall::parameters() const* {
884	const BlockDecl *D = getDecl();
885	if (!D)
886	return std::nullopt;
887	return D->parameters();
888	}
889
890	void BlockCall::getExtraInvalidatedValues(ValueList &Values,
891	RegionAndSymbolInvalidationTraits ETraits) const* {
892	// FIXME: This also needs to invalidate captured globals.
893	if (const MemRegion *R = getBlockRegion())
894	Values.push_back(Elt: loc::MemRegionVal (R));
895	}
896
897	void BlockCall::getInitialStackFrameContents(const StackFrameContext *CalleeCtx,
898	BindingsTy &Bindings) const {
899	SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
900	ArrayRef<ParmVarDecl*> Params;
901	if (isConversionFromLambda()) {
902	auto *LambdaOperatorDecl = cast<CXXMethodDecl>(Val: CalleeCtx->getDecl());
903	Params = LambdaOperatorDecl->parameters();
904
905	// For blocks converted from a C++ lambda, the callee declaration is the
906	// operator() method on the lambda so we bind "this" to
907	// the lambda captured by the block.
908	const VarRegion *CapturedLambdaRegion = getRegionStoringCapturedLambda();
909	SVal ThisVal = loc::MemRegionVal (CapturedLambdaRegion);
910	Loc ThisLoc = SVB.getCXXThis(D: LambdaOperatorDecl, SFC: CalleeCtx);
911	Bindings.push_back(Elt: std::make_pair(x&: ThisLoc, y&: ThisVal));
912	} else {
913	Params = cast<BlockDecl>(Val: CalleeCtx->getDecl())->parameters();
914	}
915
916	addParameterValuesToBindings(CalleeCtx, Bindings, SVB, Call: *this,
917	parameters: Params);
918	}
919
920	SVal AnyCXXConstructorCall::getCXXThisVal() const {
921	if (Data)
922	return loc::MemRegionVal (static_cast<const MemRegion *>(Data));
923	return UnknownVal ();
924	}
925
926	void AnyCXXConstructorCall::getExtraInvalidatedValues(ValueList &Values,
927	RegionAndSymbolInvalidationTraits ETraits) const* {
928	SVal V = getCXXThisVal();
929	if (SymbolRef Sym = V.getAsSymbol(IncludeBaseRegions: true))
930	ETraits->setTrait(Sym,
931	IK: RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
932	Values.push_back(Elt: V);
933	}
934
935	void AnyCXXConstructorCall::getInitialStackFrameContents(
936	const StackFrameContext *CalleeCtx,
937	BindingsTy &Bindings) const {
938	AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings);
939
940	SVal ThisVal = getCXXThisVal();
941	if (!ThisVal.isUnknown()) {
942	SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
943	const auto *MD = cast<CXXMethodDecl>(Val: CalleeCtx->getDecl());
944	Loc ThisLoc = SVB.getCXXThis(D: MD, SFC: CalleeCtx);
945	Bindings.push_back(Elt: std::make_pair(x&: ThisLoc, y&: ThisVal));
946	}
947	}
948
949	const StackFrameContext *
950	CXXInheritedConstructorCall::getInheritingStackFrame() const {
951	const StackFrameContext *SFC = getLocationContext()->getStackFrame();
952	while (isa<CXXInheritedCtorInitExpr>(Val: SFC->getCallSite()))
953	SFC = SFC->getParent()->getStackFrame();
954	return SFC;
955	}
956
957	SVal CXXDestructorCall::getCXXThisVal() const {
958	if (Data)
959	return loc::MemRegionVal (DtorDataTy::getFromOpaqueValue(V: Data).getPointer());
960	return UnknownVal ();
961	}
962
963	RuntimeDefinition CXXDestructorCall::getRuntimeDefinition() const {
964	// Base destructors are always called non-virtually.
965	// Skip CXXInstanceCall's devirtualization logic in this case.
966	if (isBaseDestructor())
967	return AnyFunctionCall::getRuntimeDefinition();
968
969	return CXXInstanceCall::getRuntimeDefinition();
970	}
971
972	ArrayRef<ParmVarDecl> ObjCMethodCall::parameters() const* {
973	const ObjCMethodDecl *D = getDecl();
974	if (!D)
975	return std::nullopt;
976	return D->parameters();
977	}
978
979	void ObjCMethodCall::getExtraInvalidatedValues(
980	ValueList &Values, RegionAndSymbolInvalidationTraits ETraits) const* {
981
982	// If the method call is a setter for property known to be backed by
983	// an instance variable, don't invalidate the entire receiver, just
984	// the storage for that instance variable.
985	if (const ObjCPropertyDecl *PropDecl = getAccessedProperty()) {
986	if (const ObjCIvarDecl *PropIvar = PropDecl->getPropertyIvarDecl()) {
987	SVal IvarLVal = getState()->getLValue(D: PropIvar, Base: getReceiverSVal());
988	if (const MemRegion *IvarRegion = IvarLVal.getAsRegion()) {
989	ETraits->setTrait(
990	MR: IvarRegion,
991	IK: RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
992	ETraits->setTrait(
993	MR: IvarRegion,
994	IK: RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
995	Values.push_back(Elt: IvarLVal);
996	}
997	return;
998	}
999	}
1000
1001	Values.push_back(Elt: getReceiverSVal());
1002	}
1003
1004	SVal ObjCMethodCall::getReceiverSVal() const {
1005	// FIXME: Is this the best way to handle class receivers?
1006	if (!isInstanceMessage())
1007	return UnknownVal ();
1008
1009	if (const Expr *RecE = getOriginExpr()->getInstanceReceiver())
1010	return getSVal(RecE);
1011
1012	// An instance message with no expression means we are sending to super.
1013	// In this case the object reference is the same as 'self'.
1014	assert(getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance);
1015	SVal SelfVal = getState()->getSelfSVal(LC: getLocationContext());
1016	assert(SelfVal.isValid() && "Calling super but not in ObjC method");
1017	return SelfVal;
1018	}
1019
1020	bool ObjCMethodCall::isReceiverSelfOrSuper() const {
1021	if (getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance \|\|
1022	getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperClass)
1023	return true;
1024
1025	if (!isInstanceMessage())
1026	return false;
1027
1028	SVal RecVal = getSVal(getOriginExpr()->getInstanceReceiver());
1029	SVal SelfVal = getState()->getSelfSVal(LC: getLocationContext());
1030
1031	return (RecVal == SelfVal);
1032	}
1033
1034	SourceRange ObjCMethodCall::getSourceRange() const {
1035	switch (getMessageKind()) {
1036	case OCM_Message:
1037	return getOriginExpr()->getSourceRange();
1038	case OCM_PropertyAccess:
1039	case OCM_Subscript:
1040	return getContainingPseudoObjectExpr()->getSourceRange();
1041	}
1042	llvm_unreachable("unknown message kind");
1043	}
1044
1045	using ObjCMessageDataTy = llvm::PointerIntPair<const PseudoObjectExpr *, `2`>;
1046
1047	const PseudoObjectExpr ObjCMethodCall::getContainingPseudoObjectExpr() const* {
1048	assert(Data && "Lazy lookup not yet performed.");
1049	assert(getMessageKind() != OCM_Message && "Explicit message send.");
1050	return ObjCMessageDataTy::getFromOpaqueValue(V: Data).getPointer();
1051	}
1052
1053	static const Expr *
1054	getSyntacticFromForPseudoObjectExpr(const PseudoObjectExpr *POE) {
1055	const Expr *Syntactic = POE->getSyntacticForm()->IgnoreParens();
1056
1057	// This handles the funny case of assigning to the result of a getter.
1058	// This can happen if the getter returns a non-const reference.
1059	if (const auto *BO = dyn_cast<BinaryOperator>(Val: Syntactic))
1060	Syntactic = BO->getLHS()->IgnoreParens();
1061
1062	return Syntactic;
1063	}
1064
1065	ObjCMessageKind ObjCMethodCall::getMessageKind() const {
1066	if (!Data) {
1067	// Find the parent, ignoring implicit casts.
1068	const ParentMap &PM = getLocationContext()->getParentMap();
1069	const Stmt *S = PM.getParentIgnoreParenCasts(getOriginExpr());
1070
1071	// Check if parent is a PseudoObjectExpr.
1072	if (const auto *POE = dyn_cast_or_null<PseudoObjectExpr>(S)) {
1073	const Expr *Syntactic = getSyntacticFromForPseudoObjectExpr(POE);
1074
1075	ObjCMessageKind K;
1076	switch (Syntactic->getStmtClass()) {
1077	case Stmt::ObjCPropertyRefExprClass:
1078	K = OCM_PropertyAccess;
1079	break;
1080	case Stmt::ObjCSubscriptRefExprClass:
1081	K = OCM_Subscript;
1082	break;
1083	default:
1084	// FIXME: Can this ever happen?
1085	K = OCM_Message;
1086	break;
1087	}
1088
1089	if (K != OCM_Message) {
1090	const_cast<ObjCMethodCall >(this*)->Data
1091	= ObjCMessageDataTy(POE, K).getOpaqueValue();
1092	assert(getMessageKind() == K);
1093	return K;
1094	}
1095	}
1096
1097	const_cast<ObjCMethodCall >(this*)->Data
1098	= ObjCMessageDataTy (nullptr, `1`).getOpaqueValue();
1099	assert(getMessageKind() == OCM_Message);
1100	return OCM_Message;
1101	}
1102
1103	ObjCMessageDataTy Info = ObjCMessageDataTy::getFromOpaqueValue(V: Data);
1104	if (!Info.getPointer())
1105	return OCM_Message;
1106	return static_cast<ObjCMessageKind>(Info.getInt());
1107	}
1108
1109	const ObjCPropertyDecl ObjCMethodCall::getAccessedProperty() const* {
1110	// Look for properties accessed with property syntax (foo.bar = ...)
1111	if (getMessageKind() == OCM_PropertyAccess) {
1112	const PseudoObjectExpr *POE = getContainingPseudoObjectExpr();
1113	assert(POE && "Property access without PseudoObjectExpr?");
1114
1115	const Expr *Syntactic = getSyntacticFromForPseudoObjectExpr(POE);
1116	auto *RefExpr = cast<ObjCPropertyRefExpr>(Val: Syntactic);
1117
1118	if (RefExpr->isExplicitProperty())
1119	return RefExpr->getExplicitProperty();
1120	}
1121
1122	// Look for properties accessed with method syntax ([foo setBar:...]).
1123	const ObjCMethodDecl *MD = getDecl();
1124	if (!MD \|\| !MD->isPropertyAccessor())
1125	return nullptr;
1126
1127	// Note: This is potentially quite slow.
1128	return MD->findPropertyDecl();
1129	}
1130
1131	bool ObjCMethodCall::canBeOverridenInSubclass(ObjCInterfaceDecl *IDecl,
1132	Selector Sel) const {
1133	assert(IDecl);
1134	AnalysisManager &AMgr =
1135	getState()->getStateManager().getOwningEngine().getAnalysisManager();
1136	// If the class interface is declared inside the main file, assume it is not
1137	// subcassed.
1138	// TODO: It could actually be subclassed if the subclass is private as well.
1139	// This is probably very rare.
1140	SourceLocation InterfLoc = IDecl->getEndOfDefinitionLoc();
1141	if (InterfLoc.isValid() && AMgr.isInCodeFile(SL: InterfLoc))
1142	return false;
1143
1144	// Assume that property accessors are not overridden.
1145	if (getMessageKind() == OCM_PropertyAccess)
1146	return false;
1147
1148	// We assume that if the method is public (declared outside of main file) or
1149	// has a parent which publicly declares the method, the method could be
1150	// overridden in a subclass.
1151
1152	// Find the first declaration in the class hierarchy that declares
1153	// the selector.
1154	ObjCMethodDecl D = nullptr*;
1155	while (true) {
1156	D = IDecl->lookupMethod(Sel, isInstance: true);
1157
1158	// Cannot find a public definition.
1159	if (!D)
1160	return false;
1161
1162	// If outside the main file,
1163	if (D->getLocation().isValid() && !AMgr.isInCodeFile(D->getLocation()))
1164	return true;
1165
1166	if (D->isOverriding()) {
1167	// Search in the superclass on the next iteration.
1168	IDecl = D->getClassInterface();
1169	if (!IDecl)
1170	return false;
1171
1172	IDecl = IDecl->getSuperClass();
1173	if (!IDecl)
1174	return false;
1175
1176	continue;
1177	}
1178
1179	return false;
1180	};
1181
1182	llvm_unreachable("The while loop should always terminate.");
1183	}
1184
1185	static const ObjCMethodDecl findDefiningRedecl(const* ObjCMethodDecl *MD) {
1186	if (!MD)
1187	return MD;
1188
1189	// Find the redeclaration that defines the method.
1190	if (!MD->hasBody()) {
1191	for (auto *I : MD->redecls())
1192	if (I->hasBody())
1193	MD = cast<ObjCMethodDecl>(I);
1194	}
1195	return MD;
1196	}
1197
1198	struct PrivateMethodKey {
1199	const ObjCInterfaceDecl *Interface;
1200	Selector LookupSelector;
1201	bool IsClassMethod;
1202	};
1203
1204	namespace llvm {
1205	template <> struct DenseMapInfo<PrivateMethodKey> {
1206	using InterfaceInfo = DenseMapInfo<const ObjCInterfaceDecl *>;
1207	using SelectorInfo = DenseMapInfo<Selector>;
1208
1209	static inline PrivateMethodKey getEmptyKey() {
1210	return {InterfaceInfo::getEmptyKey(), SelectorInfo::getEmptyKey(), false};
1211	}
1212
1213	static inline PrivateMethodKey getTombstoneKey() {
1214	return {InterfaceInfo::getTombstoneKey(), SelectorInfo::getTombstoneKey(),
1215	true};
1216	}
1217
1218	static unsigned getHashValue(const PrivateMethodKey &Key) {
1219	return llvm::hash_combine(
1220	args: llvm::hash_code (InterfaceInfo::getHashValue(PtrVal: Key.Interface)),
1221	args: llvm::hash_code(SelectorInfo::getHashValue(S: Key.LookupSelector)),
1222	args: Key.IsClassMethod);
1223	}
1224
1225	static bool isEqual(const PrivateMethodKey &LHS,
1226	const PrivateMethodKey &RHS) {
1227	return InterfaceInfo::isEqual(LHS: LHS.Interface, RHS: RHS.Interface) &&
1228	SelectorInfo::isEqual(LHS: LHS.LookupSelector, RHS: RHS.LookupSelector) &&
1229	LHS.IsClassMethod == RHS.IsClassMethod;
1230	}
1231	};
1232	} // end namespace llvm
1233
1234	static const ObjCMethodDecl *
1235	lookupRuntimeDefinition(const ObjCInterfaceDecl *Interface,
1236	Selector LookupSelector, bool InstanceMethod) {
1237	// Repeatedly calling lookupPrivateMethod() is expensive, especially
1238	// when in many cases it returns null. We cache the results so
1239	// that repeated queries on the same ObjCIntefaceDecl and Selector
1240	// don't incur the same cost. On some test cases, we can see the
1241	// same query being issued thousands of times.
1242	//
1243	// NOTE: This cache is essentially a "global" variable, but it
1244	// only gets lazily created when we get here. The value of the
1245	// cache probably comes from it being global across ExprEngines,
1246	// where the same queries may get issued. If we are worried about
1247	// concurrency, or possibly loading/unloading ASTs, etc., we may
1248	// need to revisit this someday. In terms of memory, this table
1249	// stays around until clang quits, which also may be bad if we
1250	// need to release memory.
1251	using PrivateMethodCache =
1252	llvm::DenseMap<PrivateMethodKey, std::optional<const ObjCMethodDecl *>>;
1253
1254	static PrivateMethodCache PMC;
1255	std::optional<const ObjCMethodDecl *> &Val =
1256	PMC[{Interface, LookupSelector, InstanceMethod}];
1257
1258	// Query lookupPrivateMethod() if the cache does not hit.
1259	if (!Val) {
1260	Val = Interface->lookupPrivateMethod(Sel: LookupSelector, Instance: InstanceMethod);
1261
1262	if (!*Val) {
1263	// Query 'lookupMethod' as a backup.
1264	Val = Interface->lookupMethod(Sel: LookupSelector, isInstance: InstanceMethod);
1265	}
1266	}
1267
1268	return *Val;
1269	}
1270
1271	RuntimeDefinition ObjCMethodCall::getRuntimeDefinition() const {
1272	const ObjCMessageExpr *E = getOriginExpr();
1273	assert(E);
1274	Selector Sel = E->getSelector();
1275
1276	if (E->isInstanceMessage()) {
1277	// Find the receiver type.
1278	const ObjCObjectType ReceiverT = nullptr*;
1279	bool CanBeSubClassed = false;
1280	bool LookingForInstanceMethod = true;
1281	QualType SupersType = E->getSuperType();
1282	const MemRegion Receiver = nullptr*;
1283
1284	if (!SupersType.isNull()) {
1285	// The receiver is guaranteed to be 'super' in this case.
1286	// Super always means the type of immediate predecessor to the method
1287	// where the call occurs.
1288	ReceiverT = cast<ObjCObjectPointerType>(Val&: SupersType)->getObjectType();
1289	} else {
1290	Receiver = getReceiverSVal().getAsRegion();
1291	if (!Receiver)
1292	return {};
1293
1294	DynamicTypeInfo DTI = getDynamicTypeInfo(State: getState(), MR: Receiver);
1295	if (!DTI.isValid()) {
1296	assert(isa<AllocaRegion>(Receiver) &&
1297	"Unhandled untyped region class!");
1298	return {};
1299	}
1300
1301	QualType DynType = DTI.getType();
1302	CanBeSubClassed = DTI.canBeASubClass();
1303
1304	const auto *ReceiverDynT =
1305	dyn_cast<ObjCObjectPointerType>(Val: DynType.getCanonicalType());
1306
1307	if (ReceiverDynT) {
1308	ReceiverT = ReceiverDynT->getObjectType();
1309
1310	// It can be actually class methods called with Class object as a
1311	// receiver. This type of messages is treated by the compiler as
1312	// instance (not class).
1313	if (ReceiverT->isObjCClass()) {
1314
1315	SVal SelfVal = getState()->getSelfSVal(LC: getLocationContext());
1316	// For [self classMethod], return compiler visible declaration.
1317	if (Receiver == SelfVal.getAsRegion()) {
1318	return RuntimeDefinition(findDefiningRedecl(MD: E->getMethodDecl()));
1319	}
1320
1321	// Otherwise, let's check if we know something about the type
1322	// inside of this class object.
1323	if (SymbolRef ReceiverSym = getReceiverSVal().getAsSymbol()) {
1324	DynamicTypeInfo DTI =
1325	getClassObjectDynamicTypeInfo(State: getState(), Sym: ReceiverSym);
1326	if (DTI.isValid()) {
1327	// Let's use this type for lookup.
1328	ReceiverT =
1329	cast<ObjCObjectType>(Val: DTI.getType().getCanonicalType());
1330
1331	CanBeSubClassed = DTI.canBeASubClass();
1332	// And it should be a class method instead.
1333	LookingForInstanceMethod = false;
1334	}
1335	}
1336	}
1337
1338	if (CanBeSubClassed)
1339	if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterface())
1340	// Even if `DynamicTypeInfo` told us that it can be
1341	// not necessarily this type, but its descendants, we still want
1342	// to check again if this selector can be actually overridden.
1343	CanBeSubClassed = canBeOverridenInSubclass(IDecl, Sel);
1344	}
1345	}
1346
1347	// Lookup the instance method implementation.
1348	if (ReceiverT)
1349	if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterface()) {
1350	const ObjCMethodDecl *MD =
1351	lookupRuntimeDefinition(Interface: IDecl, LookupSelector: Sel, InstanceMethod: LookingForInstanceMethod);
1352
1353	if (MD && !MD->hasBody())
1354	MD = MD->getCanonicalDecl();
1355
1356	if (CanBeSubClassed)
1357	return RuntimeDefinition(MD, Receiver);
1358	else
1359	return RuntimeDefinition(MD, nullptr);
1360	}
1361	} else {
1362	// This is a class method.
1363	// If we have type info for the receiver class, we are calling via
1364	// class name.
1365	if (ObjCInterfaceDecl *IDecl = E->getReceiverInterface()) {
1366	// Find/Return the method implementation.
1367	return RuntimeDefinition(IDecl->lookupPrivateClassMethod(Sel));
1368	}
1369	}
1370
1371	return {};
1372	}
1373
1374	bool ObjCMethodCall::argumentsMayEscape() const {
1375	if (isInSystemHeader() && !isInstanceMessage()) {
1376	Selector Sel = getSelector();
1377	if (Sel.getNumArgs() == `1` &&
1378	Sel.getIdentifierInfoForSlot(argIndex: `0`)->isStr(Str: "valueWithPointer"))
1379	return true;
1380	}
1381
1382	return CallEvent::argumentsMayEscape();
1383	}
1384
1385	void ObjCMethodCall::getInitialStackFrameContents(
1386	const StackFrameContext *CalleeCtx,
1387	BindingsTy &Bindings) const {
1388	const auto *D = cast<ObjCMethodDecl>(Val: CalleeCtx->getDecl());
1389	SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
1390	addParameterValuesToBindings(CalleeCtx, Bindings, SVB, Call: *this,
1391	parameters: D->parameters());
1392
1393	SVal SelfVal = getReceiverSVal();
1394	if (!SelfVal.isUnknown()) {
1395	const VarDecl *SelfD = CalleeCtx->getAnalysisDeclContext()->getSelfDecl();
1396	MemRegionManager &MRMgr = SVB.getRegionManager();
1397	Loc SelfLoc = SVB.makeLoc(region: MRMgr.getVarRegion(VD: SelfD, LC: CalleeCtx));
1398	Bindings.push_back(Elt: std::make_pair(x&: SelfLoc, y&: SelfVal));
1399	}
1400	}
1401
1402	CallEventRef<>
1403	CallEventManager::getSimpleCall(const CallExpr *CE, ProgramStateRef State,
1404	const LocationContext *LCtx,
1405	CFGBlock::ConstCFGElementRef ElemRef) {
1406	if (const auto *MCE = dyn_cast<CXXMemberCallExpr>(Val: CE))
1407	return create<CXXMemberCall>(A: MCE, St: State, LCtx, ElemRef);
1408
1409	if (const auto *OpCE = dyn_cast<CXXOperatorCallExpr>(Val: CE)) {
1410	const FunctionDecl *DirectCallee = OpCE->getDirectCallee();
1411	if (const auto *MD = dyn_cast<CXXMethodDecl>(DirectCallee))
1412	if (MD->isInstance())
1413	return create<CXXMemberOperatorCall>(A: OpCE, St: State, LCtx, ElemRef);
1414
1415	} else if (CE->getCallee()->getType()->isBlockPointerType()) {
1416	return create<BlockCall>(A: CE, St: State, LCtx, ElemRef);
1417	}
1418
1419	// Otherwise, it's a normal function call, static member function call, or
1420	// something we can't reason about.
1421	return create<SimpleFunctionCall>(A: CE, St: State, LCtx, ElemRef);
1422	}
1423
1424	CallEventRef<>
1425	CallEventManager::getCaller(const StackFrameContext *CalleeCtx,
1426	ProgramStateRef State) {
1427	const LocationContext *ParentCtx = CalleeCtx->getParent();
1428	const LocationContext *CallerCtx = ParentCtx->getStackFrame();
1429	CFGBlock::ConstCFGElementRef ElemRef = {CalleeCtx->getCallSiteBlock(),
1430	CalleeCtx->getIndex()};
1431	assert(CallerCtx && "This should not be used for top-level stack frames");
1432
1433	const Stmt *CallSite = CalleeCtx->getCallSite();
1434
1435	if (CallSite) {
1436	if (CallEventRef<> Out = getCall(S: CallSite, State, LC: CallerCtx, ElemRef))
1437	return Out;
1438
1439	SValBuilder &SVB = State ->getStateManager().getSValBuilder();
1440	const auto *Ctor = cast<CXXMethodDecl>(Val: CalleeCtx->getDecl());
1441	Loc ThisPtr = SVB.getCXXThis(D: Ctor, SFC: CalleeCtx);
1442	SVal ThisVal = State ->getSVal(LV: ThisPtr);
1443
1444	if (const auto *CE = dyn_cast<CXXConstructExpr>(Val: CallSite))
1445	return getCXXConstructorCall(E: CE, Target: ThisVal.getAsRegion(), State, LCtx: CallerCtx,
1446	ElemRef);
1447	else if (const auto *CIE = dyn_cast<CXXInheritedCtorInitExpr>(Val: CallSite))
1448	return getCXXInheritedConstructorCall(E: CIE, Target: ThisVal.getAsRegion(), State,
1449	LCtx: CallerCtx, ElemRef);
1450	else {
1451	// All other cases are handled by getCall.
1452	llvm_unreachable("This is not an inlineable statement");
1453	}
1454	}
1455
1456	// Fall back to the CFG. The only thing we haven't handled yet is
1457	// destructors, though this could change in the future.
1458	const CFGBlock *B = CalleeCtx->getCallSiteBlock();
1459	CFGElement E = (*B)[CalleeCtx->getIndex()];
1460	assert((E.getAs<CFGImplicitDtor>() \|\| E.getAs<CFGTemporaryDtor>()) &&
1461	"All other CFG elements should have exprs");
1462
1463	SValBuilder &SVB = State ->getStateManager().getSValBuilder();
1464	const auto *Dtor = cast<CXXDestructorDecl>(Val: CalleeCtx->getDecl());
1465	Loc ThisPtr = SVB.getCXXThis(Dtor, CalleeCtx);
1466	SVal ThisVal = State ->getSVal(LV: ThisPtr);
1467
1468	const Stmt *Trigger;
1469	if (std::optional<CFGAutomaticObjDtor> AutoDtor =
1470	E.getAs<CFGAutomaticObjDtor>())
1471	Trigger = AutoDtor ->getTriggerStmt();
1472	else if (std::optional<CFGDeleteDtor> DeleteDtor = E.getAs<CFGDeleteDtor>())
1473	Trigger = DeleteDtor ->getDeleteExpr();
1474	else
1475	Trigger = Dtor->getBody();
1476
1477	return getCXXDestructorCall(DD: Dtor, Trigger, Target: ThisVal.getAsRegion(),
1478	IsBase: E.getAs<CFGBaseDtor>().has_value(), State,
1479	LCtx: CallerCtx, ElemRef);
1480	}
1481
1482	CallEventRef<> CallEventManager::getCall(const Stmt *S, ProgramStateRef State,
1483	const LocationContext *LC,
1484	CFGBlock::ConstCFGElementRef ElemRef) {
1485	if (const auto *CE = dyn_cast<CallExpr>(Val: S)) {
1486	return getSimpleCall(CE, State, LCtx: LC, ElemRef);
1487	} else if (const auto *NE = dyn_cast<CXXNewExpr>(Val: S)) {
1488	return getCXXAllocatorCall(E: NE, State, LCtx: LC, ElemRef);
1489	} else if (const auto *DE = dyn_cast<CXXDeleteExpr>(Val: S)) {
1490	return getCXXDeallocatorCall(E: DE, State, LCtx: LC, ElemRef);
1491	} else if (const auto *ME = dyn_cast<ObjCMessageExpr>(Val: S)) {
1492	return getObjCMethodCall(E: ME, State, LCtx: LC, ElemRef);
1493	} else {
1494	return nullptr;
1495	}
1496	}
1497

source code of clang/lib/StaticAnalyzer/Core/CallEvent.cpp