CallEvent.cpp source code [clang/lib/StaticAnalyzer/Core/CallEvent.cpp]

1	//===- CallEvent.cpp - Wrapper for all function and method calls ----------===//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	/// \file This file defines CallEvent and its subclasses, which represent path-
10	/// sensitive instances of different kinds of function and method calls
11	/// (C, C++, and Objective-C).
12	//
13	//===----------------------------------------------------------------------===//
14
15	#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
16	#include "clang/AST/ASTContext.h"
17	#include "clang/AST/Attr.h"
18	#include "clang/AST/Decl.h"
19	#include "clang/AST/DeclBase.h"
20	#include "clang/AST/DeclCXX.h"
21	#include "clang/AST/DeclObjC.h"
22	#include "clang/AST/Expr.h"
23	#include "clang/AST/ExprCXX.h"
24	#include "clang/AST/ExprObjC.h"
25	#include "clang/AST/ParentMap.h"
26	#include "clang/AST/Stmt.h"
27	#include "clang/AST/Type.h"
28	#include "clang/Analysis/AnalysisDeclContext.h"
29	#include "clang/Analysis/CFG.h"
30	#include "clang/Analysis/CFGStmtMap.h"
31	#include "clang/Analysis/PathDiagnostic.h"
32	#include "clang/Analysis/ProgramPoint.h"
33	#include "clang/Basic/IdentifierTable.h"
34	#include "clang/Basic/LLVM.h"
35	#include "clang/Basic/SourceLocation.h"
36	#include "clang/Basic/SourceManager.h"
37	#include "clang/Basic/Specifiers.h"
38	#include "clang/CrossTU/CrossTranslationUnit.h"
39	#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
40	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
41	#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
42	#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h"
43	#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
44	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
45	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
46	#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
47	#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
48	#include "clang/StaticAnalyzer/Core/PathSensitive/Store.h"
49	#include "llvm/ADT/ArrayRef.h"
50	#include "llvm/ADT/DenseMap.h"
51	#include "llvm/ADT/ImmutableList.h"
52	#include "llvm/ADT/None.h"
53	#include "llvm/ADT/Optional.h"
54	#include "llvm/ADT/PointerIntPair.h"
55	#include "llvm/ADT/SmallSet.h"
56	#include "llvm/ADT/SmallVector.h"
57	#include "llvm/ADT/StringExtras.h"
58	#include "llvm/ADT/StringRef.h"
59	#include "llvm/Support/Casting.h"
60	#include "llvm/Support/Compiler.h"
61	#include "llvm/Support/Debug.h"
62	#include "llvm/Support/ErrorHandling.h"
63	#include "llvm/Support/raw_ostream.h"
64	#include <cassert>
65	#include <utility>
66
67	#define DEBUG_TYPE "static-analyzer-call-event"
68
69	using namespace clang;
70	using namespace ento;
71
72	QualType CallEvent::getResultType() const {
73	ASTContext &Ctx = getState()->getStateManager().getContext();
74	const Expr *E = getOriginExpr();
75	if (!E)
76	return Ctx.VoidTy;
77	return Ctx.getReferenceQualifiedType(E);
78	}
79
80	static bool isCallback(QualType T) {
81	// If a parameter is a block or a callback, assume it can modify pointer.
82	if (T->isBlockPointerType() \|\|
83	T->isFunctionPointerType() \|\|
84	T->isObjCSelType())
85	return true;
86
87	// Check if a callback is passed inside a struct (for both, struct passed by
88	// reference and by value). Dig just one level into the struct for now.
89
90	if (T->isAnyPointerType() \|\| T->isReferenceType())
91	T = T->getPointeeType();
92
93	if (const RecordType *RT = T->getAsStructureType()) {
94	const RecordDecl *RD = RT->getDecl();
95	for (const auto *I : RD->fields()) {
96	QualType FieldT = I->getType();
97	if (FieldT->isBlockPointerType() \|\| FieldT->isFunctionPointerType())
98	return true;
99	}
100	}
101	return false;
102	}
103
104	static bool isVoidPointerToNonConst(QualType T) {
105	if (const auto *PT = T->getAs<PointerType>()) {
106	QualType PointeeTy = PT->getPointeeType();
107	if (PointeeTy.isConstQualified())
108	return false;
109	return PointeeTy->isVoidType();
110	} else
111	return false;
112	}
113
114	bool CallEvent::hasNonNullArgumentsWithType(bool (Condition)(QualType)) const* {
115	unsigned NumOfArgs = getNumArgs();
116
117	// If calling using a function pointer, assume the function does not
118	// satisfy the callback.
119	// TODO: We could check the types of the arguments here.
120	if (!getDecl())
121	return false;
122
123	unsigned Idx = `0`;
124	for (CallEvent::param_type_iterator I = param_type_begin(),
125	E = param_type_end();
126	I != E && Idx < NumOfArgs; ++I, ++Idx) {
127	// If the parameter is 0, it's harmless.
128	if (getArgSVal(Idx).isZeroConstant())
129	continue;
130
131	if (Condition(*I))
132	return true;
133	}
134	return false;
135	}
136
137	bool CallEvent::hasNonZeroCallbackArg() const {
138	return hasNonNullArgumentsWithType(isCallback);
139	}
140
141	bool CallEvent::hasVoidPointerToNonConstArg() const {
142	return hasNonNullArgumentsWithType(isVoidPointerToNonConst);
143	}
144
145	bool CallEvent::isGlobalCFunction(StringRef FunctionName) const {
146	const auto *FD = dyn_cast_or_null<FunctionDecl>(getDecl());
147	if (!FD)
148	return false;
149
150	return CheckerContext::isCLibraryFunction(FD, FunctionName);
151	}
152
153	AnalysisDeclContext CallEvent::getCalleeAnalysisDeclContext() const* {
154	const Decl *D = getDecl();
155	if (!D)
156	return nullptr;
157
158	AnalysisDeclContext *ADC =
159	LCtx->getAnalysisDeclContext()->getManager()->getContext(D);
160
161	return ADC;
162	}
163
164	const StackFrameContext *
165	CallEvent::getCalleeStackFrame(unsigned BlockCount) const {
166	AnalysisDeclContext *ADC = getCalleeAnalysisDeclContext();
167	if (!ADC)
168	return nullptr;
169
170	const Expr *E = getOriginExpr();
171	if (!E)
172	return nullptr;
173
174	// Recover CFG block via reverse lookup.
175	// TODO: If we were to keep CFG element information as part of the CallEvent
176	// instead of doing this reverse lookup, we would be able to build the stack
177	// frame for non-expression-based calls, and also we wouldn't need the reverse
178	// lookup.
179	CFGStmtMap *Map = LCtx->getAnalysisDeclContext()->getCFGStmtMap();
180	const CFGBlock *B = Map->getBlock(E);
181	assert(B);
182
183	// Also recover CFG index by scanning the CFG block.
184	unsigned Idx = `0`, Sz = B->size();
185	for (; Idx < Sz; ++Idx)
186	if (auto StmtElem = (*B)[Idx].getAs<CFGStmt>())
187	if (StmtElem->getStmt() == E)
188	break;
189	assert(Idx < Sz);
190
191	return ADC->getManager()->getStackFrame(ADC, LCtx, E, B, BlockCount, Idx);
192	}
193
194	const ParamVarRegion
195	CallEvent::getParameterLocation(unsigned* Index, unsigned BlockCount) const {
196	const StackFrameContext *SFC = getCalleeStackFrame(BlockCount);
197	// We cannot construct a VarRegion without a stack frame.
198	if (!SFC)
199	return nullptr;
200
201	const ParamVarRegion *PVR =
202	State->getStateManager().getRegionManager().getParamVarRegion(
203	getOriginExpr(), Index, SFC);
204	return PVR;
205	}
206
207	/// Returns true if a type is a pointer-to-const or reference-to-const
208	/// with no further indirection.
209	static bool isPointerToConst(QualType Ty) {
210	QualType PointeeTy = Ty->getPointeeType();
211	if (PointeeTy == QualType())
212	return false;
213	if (!PointeeTy.isConstQualified())
214	return false;
215	if (PointeeTy->isAnyPointerType())
216	return false;
217	return true;
218	}
219
220	// Try to retrieve the function declaration and find the function parameter
221	// types which are pointers/references to a non-pointer const.
222	// We will not invalidate the corresponding argument regions.
223	static void findPtrToConstParams(llvm::SmallSet<unsigned, `4`> &PreserveArgs,
224	const CallEvent &Call) {
225	unsigned Idx = `0`;
226	for (CallEvent::param_type_iterator I = Call.param_type_begin(),
227	E = Call.param_type_end();
228	I != E; ++I, ++Idx) {
229	if (isPointerToConst(*I))
230	PreserveArgs.insert(Idx);
231	}
232	}
233
234	ProgramStateRef CallEvent::invalidateRegions(unsigned BlockCount,
235	ProgramStateRef Orig) const {
236	ProgramStateRef Result = (Orig ? Orig : getState());
237
238	// Don't invalidate anything if the callee is marked pure/const.
239	if (const Decl *callee = getDecl())
240	if (callee->hasAttr<PureAttr>() \|\| callee->hasAttr<ConstAttr>())
241	return Result;
242
243	SmallVector<SVal, `8`> ValuesToInvalidate;
244	RegionAndSymbolInvalidationTraits ETraits;
245
246	getExtraInvalidatedValues(ValuesToInvalidate, &ETraits);
247
248	// Indexes of arguments whose values will be preserved by the call.
249	llvm::SmallSet<unsigned, `4`> PreserveArgs;
250	if (!argumentsMayEscape())
251	findPtrToConstParams(PreserveArgs, *this);
252
253	for (unsigned Idx = `0`, Count = getNumArgs(); Idx != Count; ++Idx) {
254	// Mark this region for invalidation. We batch invalidate regions
255	// below for efficiency.
256	if (PreserveArgs.count(Idx))
257	if (const MemRegion *MR = getArgSVal(Idx).getAsRegion())
258	ETraits.setTrait(MR->getBaseRegion(),
259	RegionAndSymbolInvalidationTraits::TK_PreserveContents);
260	// TODO: Factor this out + handle the lower level const pointers.
261
262	ValuesToInvalidate.push_back(getArgSVal(Idx));
263
264	// If a function accepts an object by argument (which would of course be a
265	// temporary that isn't lifetime-extended), invalidate the object itself,
266	// not only other objects reachable from it. This is necessary because the
267	// destructor has access to the temporary object after the call.
268	// TODO: Support placement arguments once we start
269	// constructing them directly.
270	// TODO: This is unnecessary when there's no destructor, but that's
271	// currently hard to figure out.
272	if (getKind() != CE_CXXAllocator)
273	if (isArgumentConstructedDirectly(Idx))
274	if (auto AdjIdx = getAdjustedParameterIndex(Idx))
275	if (const TypedValueRegion *TVR =
276	getParameterLocation(*AdjIdx, BlockCount))
277	ValuesToInvalidate.push_back(loc::MemRegionVal(TVR));
278	}
279
280	// Invalidate designated regions using the batch invalidation API.
281	// NOTE: Even if RegionsToInvalidate is empty, we may still invalidate
282	// global variables.
283	return Result->invalidateRegions(ValuesToInvalidate, getOriginExpr(),
284	BlockCount, getLocationContext(),
285	/CausedByPointerEscape/ true,
286	/Symbols=/nullptr, this, &ETraits);
287	}
288
289	ProgramPoint CallEvent::getProgramPoint(bool IsPreVisit,
290	const ProgramPointTag Tag) const* {
291	if (const Expr *E = getOriginExpr()) {
292	if (IsPreVisit)
293	return PreStmt(E, getLocationContext(), Tag);
294	return PostStmt(E, getLocationContext(), Tag);
295	}
296
297	const Decl *D = getDecl();
298	assert(D && "Cannot get a program point without a statement or decl");
299
300	SourceLocation Loc = getSourceRange().getBegin();
301	if (IsPreVisit)
302	return PreImplicitCall(D, Loc, getLocationContext(), Tag);
303	return PostImplicitCall(D, Loc, getLocationContext(), Tag);
304	}
305
306	SVal CallEvent::getArgSVal(unsigned Index) const {
307	const Expr *ArgE = getArgExpr(Index);
308	if (!ArgE)
309	return UnknownVal();
310	return getSVal(ArgE);
311	}
312
313	SourceRange CallEvent::getArgSourceRange(unsigned Index) const {
314	const Expr *ArgE = getArgExpr(Index);
315	if (!ArgE)
316	return {};
317	return ArgE->getSourceRange();
318	}
319
320	SVal CallEvent::getReturnValue() const {
321	const Expr *E = getOriginExpr();
322	if (!E)
323	return UndefinedVal();
324	return getSVal(E);
325	}
326
327	LLVM_DUMP_METHOD void CallEvent::dump() const { dump(llvm::errs()); }
328
329	void CallEvent::dump(raw_ostream &Out) const {
330	ASTContext &Ctx = getState()->getStateManager().getContext();
331	if (const Expr *E = getOriginExpr()) {
332	E->printPretty(Out, nullptr, Ctx.getPrintingPolicy());
333	return;
334	}
335
336	if (const Decl *D = getDecl()) {
337	Out << "Call to ";
338	D->print(Out, Ctx.getPrintingPolicy());
339	return;
340	}
341
342	Out << "Unknown call (type " << getKindAsString() << ")";
343	}
344
345	bool CallEvent::isCallStmt(const Stmt *S) {
346	return isa<CallExpr, ObjCMessageExpr, CXXConstructExpr, CXXNewExpr>(S);
347	}
348
349	QualType CallEvent::getDeclaredResultType(const Decl *D) {
350	assert(D);
351	if (const auto *FD = dyn_cast<FunctionDecl>(D))
352	return FD->getReturnType();
353	if (const auto *MD = dyn_cast<ObjCMethodDecl>(D))
354	return MD->getReturnType();
355	if (const auto *BD = dyn_cast<BlockDecl>(D)) {
356	// Blocks are difficult because the return type may not be stored in the
357	// BlockDecl itself. The AST should probably be enhanced, but for now we
358	// just do what we can.
359	// If the block is declared without an explicit argument list, the
360	// signature-as-written just includes the return type, not the entire
361	// function type.
362	// FIXME: All blocks should have signatures-as-written, even if the return
363	// type is inferred. (That's signified with a dependent result type.)
364	if (const TypeSourceInfo *TSI = BD->getSignatureAsWritten()) {
365	QualType Ty = TSI->getType();
366	if (const FunctionType *FT = Ty->getAs<FunctionType>())
367	Ty = FT->getReturnType();
368	if (!Ty->isDependentType())
369	return Ty;
370	}
371
372	return {};
373	}
374
375	llvm_unreachable("unknown callable kind");
376	}
377
378	bool CallEvent::isVariadic(const Decl *D) {
379	assert(D);
380
381	if (const auto *FD = dyn_cast<FunctionDecl>(D))
382	return FD->isVariadic();
383	if (const auto *MD = dyn_cast<ObjCMethodDecl>(D))
384	return MD->isVariadic();
385	if (const auto *BD = dyn_cast<BlockDecl>(D))
386	return BD->isVariadic();
387
388	llvm_unreachable("unknown callable kind");
389	}
390
391	static bool isTransparentUnion(QualType T) {
392	const RecordType *UT = T->getAsUnionType();
393	return UT && UT->getDecl()->hasAttr<TransparentUnionAttr>();
394	}
395
396	// In some cases, symbolic cases should be transformed before we associate
397	// them with parameters. This function incapsulates such cases.
398	static SVal processArgument(SVal Value, const Expr *ArgumentExpr,
399	const ParmVarDecl *Parameter, SValBuilder &SVB) {
400	QualType ParamType = Parameter->getType();
401	QualType ArgumentType = ArgumentExpr->getType();
402
403	// Transparent unions allow users to easily convert values of union field
404	// types into union-typed objects.
405	//
406	// Also, more importantly, they allow users to define functions with different
407	// different parameter types, substituting types matching transparent union
408	// field types with the union type itself.
409	//
410	// Here, we check specifically for latter cases and prevent binding
411	// field-typed values to union-typed regions.
412	if (isTransparentUnion(ParamType) &&
413	// Let's check that we indeed trying to bind different types.
414	!isTransparentUnion(ArgumentType)) {
415	BasicValueFactory &BVF = SVB.getBasicValueFactory();
416
417	llvm::ImmutableList<SVal> CompoundSVals = BVF.getEmptySValList();
418	CompoundSVals = BVF.prependSVal(Value, CompoundSVals);
419
420	// Wrap it with compound value.
421	return SVB.makeCompoundVal(ParamType, CompoundSVals);
422	}
423
424	return Value;
425	}
426
427	static void addParameterValuesToBindings(const StackFrameContext *CalleeCtx,
428	CallEvent::BindingsTy &Bindings,
429	SValBuilder &SVB,
430	const CallEvent &Call,
431	ArrayRef<ParmVarDecl*> parameters) {
432	MemRegionManager &MRMgr = SVB.getRegionManager();
433
434	// If the function has fewer parameters than the call has arguments, we simply
435	// do not bind any values to them.
436	unsigned NumArgs = Call.getNumArgs();
437	unsigned Idx = `0`;
438	ArrayRef<ParmVarDecl*>::iterator I = parameters.begin(), E = parameters.end();
439	for (; I != E && Idx < NumArgs; ++I, ++Idx) {
440	assert(*I && "Formal parameter has no decl?");
441
442	// TODO: Support allocator calls.
443	if (Call.getKind() != CE_CXXAllocator)
444	if (Call.isArgumentConstructedDirectly(Call.getASTArgumentIndex(Idx)))
445	continue;
446
447	// TODO: Allocators should receive the correct size and possibly alignment,
448	// determined in compile-time but not represented as arg-expressions,
449	// which makes getArgSVal() fail and return UnknownVal.
450	SVal ArgVal = Call.getArgSVal(Idx);
451	const Expr *ArgExpr = Call.getArgExpr(Idx);
452	if (!ArgVal.isUnknown()) {
453	Loc ParamLoc = SVB.makeLoc(
454	MRMgr.getParamVarRegion(Call.getOriginExpr(), Idx, CalleeCtx));
455	Bindings.push_back(
456	std::make_pair(ParamLoc, processArgument(ArgVal, ArgExpr, *I, SVB)));
457	}
458	}
459
460	// FIXME: Variadic arguments are not handled at all right now.
461	}
462
463	const ConstructionContext CallEvent::getConstructionContext() const* {
464	const StackFrameContext *StackFrame = getCalleeStackFrame(`0`);
465	if (!StackFrame)
466	return nullptr;
467
468	const CFGElement Element = StackFrame->getCallSiteCFGElement();
469	if (const auto Ctor = Element.getAs<CFGConstructor>()) {
470	return Ctor->getConstructionContext();
471	}
472
473	if (const auto RecCall = Element.getAs<CFGCXXRecordTypedCall>()) {
474	return RecCall->getConstructionContext();
475	}
476
477	return nullptr;
478	}
479
480	Optional<SVal>
481	CallEvent::getReturnValueUnderConstruction() const {
482	const auto *CC = getConstructionContext();
483	if (!CC)
484	return None;
485
486	EvalCallOptions CallOpts;
487	ExprEngine &Engine = getState()->getStateManager().getOwningEngine();
488	SVal RetVal =
489	Engine.computeObjectUnderConstruction(getOriginExpr(), getState(),
490	getLocationContext(), CC, CallOpts);
491	return RetVal;
492	}
493
494	ArrayRef<ParmVarDecl> AnyFunctionCall::parameters() const* {
495	const FunctionDecl *D = getDecl();
496	if (!D)
497	return None;
498	return D->parameters();
499	}
500
501	RuntimeDefinition AnyFunctionCall::getRuntimeDefinition() const {
502	const FunctionDecl *FD = getDecl();
503	if (!FD)
504	return {};
505
506	// Note that the AnalysisDeclContext will have the FunctionDecl with
507	// the definition (if one exists).
508	AnalysisDeclContext *AD =
509	getLocationContext()->getAnalysisDeclContext()->
510	getManager()->getContext(FD);
511	bool IsAutosynthesized;
512	Stmt* Body = AD->getBody(IsAutosynthesized);
513	LLVM_DEBUG({
514	if (IsAutosynthesized)
515	llvm::dbgs() << "Using autosynthesized body for " << FD->getName()
516	<< "\n";
517	});
518
519	ExprEngine &Engine = getState()->getStateManager().getOwningEngine();
520	cross_tu::CrossTranslationUnitContext &CTUCtx =
521	*Engine.getCrossTranslationUnitContext();
522
523	AnalyzerOptions &Opts = Engine.getAnalysisManager().options;
524
525	if (Body) {
526	const Decl* Decl = AD->getDecl();
527	if (Opts.IsNaiveCTUEnabled && CTUCtx.isImportedAsNew(Decl)) {
528	// A newly created definition, but we had error(s) during the import.
529	if (CTUCtx.hasError(Decl))
530	return {};
531	return RuntimeDefinition(Decl, /Foreign=/true);
532	}
533	return RuntimeDefinition(Decl, /Foreign=/false);
534	}
535
536	// Try to get CTU definition only if CTUDir is provided.
537	if (!Opts.IsNaiveCTUEnabled)
538	return {};
539
540	llvm::Expected<const FunctionDecl *> CTUDeclOrError =
541	CTUCtx.getCrossTUDefinition(FD, Opts.CTUDir, Opts.CTUIndexName,
542	Opts.DisplayCTUProgress);
543
544	if (!CTUDeclOrError) {
545	handleAllErrors(CTUDeclOrError.takeError(),
546	[&](const cross_tu::IndexError &IE) {
547	CTUCtx.emitCrossTUDiagnostics(IE);
548	});
549	return {};
550	}
551
552	return RuntimeDefinition(CTUDeclOrError, /Foreign=/*true);
553	}
554
555	void AnyFunctionCall::getInitialStackFrameContents(
556	const StackFrameContext *CalleeCtx,
557	BindingsTy &Bindings) const {
558	const auto *D = cast<FunctionDecl>(CalleeCtx->getDecl());
559	SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
560	addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this,
561	D->parameters());
562	}
563
564	bool AnyFunctionCall::argumentsMayEscape() const {
565	if (CallEvent::argumentsMayEscape() \|\| hasVoidPointerToNonConstArg())
566	return true;
567
568	const FunctionDecl *D = getDecl();
569	if (!D)
570	return true;
571
572	const IdentifierInfo *II = D->getIdentifier();
573	if (!II)
574	return false;
575
576	// This set of "escaping" APIs is
577
578	// - 'int pthread_setspecific(ptheread_key k, const void )' stores a*
579	// value into thread local storage. The value can later be retrieved with
580	// 'void ptheread_getspecific(pthread_key)'. So even thought the*
581	// parameter is 'const void ', the region escapes through the call.*
582	if (II->isStr("pthread_setspecific"))
583	return true;
584
585	// - xpc_connection_set_context stores a value which can be retrieved later
586	// with xpc_connection_get_context.
587	if (II->isStr("xpc_connection_set_context"))
588	return true;
589
590	// - funopen - sets a buffer for future IO calls.
591	if (II->isStr("funopen"))
592	return true;
593
594	// - __cxa_demangle - can reallocate memory and can return the pointer to
595	// the input buffer.
596	if (II->isStr("__cxa_demangle"))
597	return true;
598
599	StringRef FName = II->getName();
600
601	// - CoreFoundation functions that end with "NoCopy" can free a passed-in
602	// buffer even if it is const.
603	if (FName.endswith("NoCopy"))
604	return true;
605
606	// - NSXXInsertXX, for example NSMapInsertIfAbsent, since they can
607	// be deallocated by NSMapRemove.
608	if (FName.startswith("NS") && FName.contains("Insert"))
609	return true;
610
611	// - Many CF containers allow objects to escape through custom
612	// allocators/deallocators upon container construction. (PR12101)
613	if (FName.startswith("CF") \|\| FName.startswith("CG")) {
614	return StrInStrNoCase(FName, "InsertValue") != StringRef::npos \|\|
615	StrInStrNoCase(FName, "AddValue") != StringRef::npos \|\|
616	StrInStrNoCase(FName, "SetValue") != StringRef::npos \|\|
617	StrInStrNoCase(FName, "WithData") != StringRef::npos \|\|
618	StrInStrNoCase(FName, "AppendValue") != StringRef::npos \|\|
619	StrInStrNoCase(FName, "SetAttribute") != StringRef::npos;
620	}
621
622	return false;
623	}
624
625	const FunctionDecl SimpleFunctionCall::getDecl() const* {
626	const FunctionDecl *D = getOriginExpr()->getDirectCallee();
627	if (D)
628	return D;
629
630	return getSVal(getOriginExpr()->getCallee()).getAsFunctionDecl();
631	}
632
633	const FunctionDecl CXXInstanceCall::getDecl() const* {
634	const auto *CE = cast_or_null<CallExpr>(getOriginExpr());
635	if (!CE)
636	return AnyFunctionCall::getDecl();
637
638	const FunctionDecl *D = CE->getDirectCallee();
639	if (D)
640	return D;
641
642	return getSVal(CE->getCallee()).getAsFunctionDecl();
643	}
644
645	void CXXInstanceCall::getExtraInvalidatedValues(
646	ValueList &Values, RegionAndSymbolInvalidationTraits ETraits) const* {
647	SVal ThisVal = getCXXThisVal();
648	Values.push_back(ThisVal);
649
650	// Don't invalidate if the method is const and there are no mutable fields.
651	if (const auto *D = cast_or_null<CXXMethodDecl>(getDecl())) {
652	if (!D->isConst())
653	return;
654	// Get the record decl for the class of 'This'. D->getParent() may return a
655	// base class decl, rather than the class of the instance which needs to be
656	// checked for mutable fields.
657	// TODO: We might as well look at the dynamic type of the object.
658	const Expr *Ex = getCXXThisExpr()->IgnoreParenBaseCasts();
659	QualType T = Ex->getType();
660	if (T->isPointerType()) // Arrow or implicit-this syntax?
661	T = T->getPointeeType();
662	const CXXRecordDecl *ParentRecord = T->getAsCXXRecordDecl();
663	assert(ParentRecord);
664	if (ParentRecord->hasMutableFields())
665	return;
666	// Preserve CXXThis.
667	const MemRegion *ThisRegion = ThisVal.getAsRegion();
668	if (!ThisRegion)
669	return;
670
671	ETraits->setTrait(ThisRegion->getBaseRegion(),
672	RegionAndSymbolInvalidationTraits::TK_PreserveContents);
673	}
674	}
675
676	SVal CXXInstanceCall::getCXXThisVal() const {
677	const Expr *Base = getCXXThisExpr();
678	// FIXME: This doesn't handle an overloaded -> operator.*
679	if (!Base)
680	return UnknownVal();
681
682	SVal ThisVal = getSVal(Base);
683	assert(ThisVal.isUnknownOrUndef() \|\| isa<Loc>(ThisVal));
684	return ThisVal;
685	}
686
687	RuntimeDefinition CXXInstanceCall::getRuntimeDefinition() const {
688	// Do we have a decl at all?
689	const Decl *D = getDecl();
690	if (!D)
691	return {};
692
693	// If the method is non-virtual, we know we can inline it.
694	const auto *MD = cast<CXXMethodDecl>(D);
695	if (!MD->isVirtual())
696	return AnyFunctionCall::getRuntimeDefinition();
697
698	// Do we know the implicit 'this' object being called?
699	const MemRegion *R = getCXXThisVal().getAsRegion();
700	if (!R)
701	return {};
702
703	// Do we know anything about the type of 'this'?
704	DynamicTypeInfo DynType = getDynamicTypeInfo(getState(), R);
705	if (!DynType.isValid())
706	return {};
707
708	// Is the type a C++ class? (This is mostly a defensive check.)
709	QualType RegionType = DynType.getType()->getPointeeType();
710	assert(!RegionType.isNull() && "DynamicTypeInfo should always be a pointer.");
711
712	const CXXRecordDecl *RD = RegionType->getAsCXXRecordDecl();
713	if (!RD \|\| !RD->hasDefinition())
714	return {};
715
716	// Find the decl for this method in that class.
717	const CXXMethodDecl Result = MD->getCorrespondingMethodInClass(RD, true*);
718	if (!Result) {
719	// We might not even get the original statically-resolved method due to
720	// some particularly nasty casting (e.g. casts to sister classes).
721	// However, we should at least be able to search up and down our own class
722	// hierarchy, and some real bugs have been caught by checking this.
723	assert(!RD->isDerivedFrom(MD->getParent()) && "Couldn't find known method");
724
725	// FIXME: This is checking that our DynamicTypeInfo is at least as good as
726	// the static type. However, because we currently don't update
727	// DynamicTypeInfo when an object is cast, we can't actually be sure the
728	// DynamicTypeInfo is up to date. This assert should be re-enabled once
729	// this is fixed. <rdar://problem/12287087>
730	//assert(!MD->getParent()->isDerivedFrom(RD) && "Bad DynamicTypeInfo");
731
732	return {};
733	}
734
735	// Does the decl that we found have an implementation?
736	const FunctionDecl *Definition;
737	if (!Result->hasBody(Definition)) {
738	if (!DynType.canBeASubClass())
739	return AnyFunctionCall::getRuntimeDefinition();
740	return {};
741	}
742
743	// We found a definition. If we're not sure that this devirtualization is
744	// actually what will happen at runtime, make sure to provide the region so
745	// that ExprEngine can decide what to do with it.
746	if (DynType.canBeASubClass())
747	return RuntimeDefinition(Definition, R->StripCasts());
748	return RuntimeDefinition(Definition, /DispatchRegion=/nullptr);
749	}
750
751	void CXXInstanceCall::getInitialStackFrameContents(
752	const StackFrameContext *CalleeCtx,
753	BindingsTy &Bindings) const {
754	AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings);
755
756	// Handle the binding of 'this' in the new stack frame.
757	SVal ThisVal = getCXXThisVal();
758	if (!ThisVal.isUnknown()) {
759	ProgramStateManager &StateMgr = getState()->getStateManager();
760	SValBuilder &SVB = StateMgr.getSValBuilder();
761
762	const auto *MD = cast<CXXMethodDecl>(CalleeCtx->getDecl());
763	Loc ThisLoc = SVB.getCXXThis(MD, CalleeCtx);
764
765	// If we devirtualized to a different member function, we need to make sure
766	// we have the proper layering of CXXBaseObjectRegions.
767	if (MD->getCanonicalDecl() != getDecl()->getCanonicalDecl()) {
768	ASTContext &Ctx = SVB.getContext();
769	const CXXRecordDecl *Class = MD->getParent();
770	QualType Ty = Ctx.getPointerType(Ctx.getRecordType(Class));
771
772	// FIXME: CallEvent maybe shouldn't be directly accessing StoreManager.
773	Optional<SVal> V =
774	StateMgr.getStoreManager().evalBaseToDerived(ThisVal, Ty);
775	if (!V) {
776	// We might have suffered some sort of placement new earlier, so
777	// we're constructing in a completely unexpected storage.
778	// Fall back to a generic pointer cast for this-value.
779	const CXXMethodDecl *StaticMD = cast<CXXMethodDecl>(getDecl());
780	const CXXRecordDecl *StaticClass = StaticMD->getParent();
781	QualType StaticTy = Ctx.getPointerType(Ctx.getRecordType(StaticClass));
782	ThisVal = SVB.evalCast(ThisVal, Ty, StaticTy);
783	} else
784	ThisVal = *V;
785	}
786
787	if (!ThisVal.isUnknown())
788	Bindings.push_back(std::make_pair(ThisLoc, ThisVal));
789	}
790	}
791
792	const Expr CXXMemberCall::getCXXThisExpr() const* {
793	return getOriginExpr()->getImplicitObjectArgument();
794	}
795
796	RuntimeDefinition CXXMemberCall::getRuntimeDefinition() const {
797	// C++11 [expr.call]p1: ...If the selected function is non-virtual, or if the
798	// id-expression in the class member access expression is a qualified-id,
799	// that function is called. Otherwise, its final overrider in the dynamic type
800	// of the object expression is called.
801	if (const auto *ME = dyn_cast<MemberExpr>(getOriginExpr()->getCallee()))
802	if (ME->hasQualifier())
803	return AnyFunctionCall::getRuntimeDefinition();
804
805	return CXXInstanceCall::getRuntimeDefinition();
806	}
807
808	const Expr CXXMemberOperatorCall::getCXXThisExpr() const* {
809	return getOriginExpr()->getArg(`0`);
810	}
811
812	const BlockDataRegion BlockCall::getBlockRegion() const* {
813	const Expr *Callee = getOriginExpr()->getCallee();
814	const MemRegion *DataReg = getSVal(Callee).getAsRegion();
815
816	return dyn_cast_or_null<BlockDataRegion>(DataReg);
817	}
818
819	ArrayRef<ParmVarDecl> BlockCall::parameters() const* {
820	const BlockDecl *D = getDecl();
821	if (!D)
822	return None;
823	return D->parameters();
824	}
825
826	void BlockCall::getExtraInvalidatedValues(ValueList &Values,
827	RegionAndSymbolInvalidationTraits ETraits) const* {
828	// FIXME: This also needs to invalidate captured globals.
829	if (const MemRegion *R = getBlockRegion())
830	Values.push_back(loc::MemRegionVal(R));
831	}
832
833	void BlockCall::getInitialStackFrameContents(const StackFrameContext *CalleeCtx,
834	BindingsTy &Bindings) const {
835	SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
836	ArrayRef<ParmVarDecl*> Params;
837	if (isConversionFromLambda()) {
838	auto *LambdaOperatorDecl = cast<CXXMethodDecl>(CalleeCtx->getDecl());
839	Params = LambdaOperatorDecl->parameters();
840
841	// For blocks converted from a C++ lambda, the callee declaration is the
842	// operator() method on the lambda so we bind "this" to
843	// the lambda captured by the block.
844	const VarRegion *CapturedLambdaRegion = getRegionStoringCapturedLambda();
845	SVal ThisVal = loc::MemRegionVal(CapturedLambdaRegion);
846	Loc ThisLoc = SVB.getCXXThis(LambdaOperatorDecl, CalleeCtx);
847	Bindings.push_back(std::make_pair(ThisLoc, ThisVal));
848	} else {
849	Params = cast<BlockDecl>(CalleeCtx->getDecl())->parameters();
850	}
851
852	addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this,
853	Params);
854	}
855
856	SVal AnyCXXConstructorCall::getCXXThisVal() const {
857	if (Data)
858	return loc::MemRegionVal(static_cast<const MemRegion *>(Data));
859	return UnknownVal();
860	}
861
862	void AnyCXXConstructorCall::getExtraInvalidatedValues(ValueList &Values,
863	RegionAndSymbolInvalidationTraits ETraits) const* {
864	SVal V = getCXXThisVal();
865	if (SymbolRef Sym = V.getAsSymbol(true))
866	ETraits->setTrait(Sym,
867	RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
868	Values.push_back(V);
869	}
870
871	void AnyCXXConstructorCall::getInitialStackFrameContents(
872	const StackFrameContext *CalleeCtx,
873	BindingsTy &Bindings) const {
874	AnyFunctionCall::getInitialStackFrameContents(CalleeCtx, Bindings);
875
876	SVal ThisVal = getCXXThisVal();
877	if (!ThisVal.isUnknown()) {
878	SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
879	const auto *MD = cast<CXXMethodDecl>(CalleeCtx->getDecl());
880	Loc ThisLoc = SVB.getCXXThis(MD, CalleeCtx);
881	Bindings.push_back(std::make_pair(ThisLoc, ThisVal));
882	}
883	}
884
885	const StackFrameContext *
886	CXXInheritedConstructorCall::getInheritingStackFrame() const {
887	const StackFrameContext *SFC = getLocationContext()->getStackFrame();
888	while (isa<CXXInheritedCtorInitExpr>(SFC->getCallSite()))
889	SFC = SFC->getParent()->getStackFrame();
890	return SFC;
891	}
892
893	SVal CXXDestructorCall::getCXXThisVal() const {
894	if (Data)
895	return loc::MemRegionVal(DtorDataTy::getFromOpaqueValue(Data).getPointer());
896	return UnknownVal();
897	}
898
899	RuntimeDefinition CXXDestructorCall::getRuntimeDefinition() const {
900	// Base destructors are always called non-virtually.
901	// Skip CXXInstanceCall's devirtualization logic in this case.
902	if (isBaseDestructor())
903	return AnyFunctionCall::getRuntimeDefinition();
904
905	return CXXInstanceCall::getRuntimeDefinition();
906	}
907
908	ArrayRef<ParmVarDecl> ObjCMethodCall::parameters() const* {
909	const ObjCMethodDecl *D = getDecl();
910	if (!D)
911	return None;
912	return D->parameters();
913	}
914
915	void ObjCMethodCall::getExtraInvalidatedValues(
916	ValueList &Values, RegionAndSymbolInvalidationTraits ETraits) const* {
917
918	// If the method call is a setter for property known to be backed by
919	// an instance variable, don't invalidate the entire receiver, just
920	// the storage for that instance variable.
921	if (const ObjCPropertyDecl *PropDecl = getAccessedProperty()) {
922	if (const ObjCIvarDecl *PropIvar = PropDecl->getPropertyIvarDecl()) {
923	SVal IvarLVal = getState()->getLValue(PropIvar, getReceiverSVal());
924	if (const MemRegion *IvarRegion = IvarLVal.getAsRegion()) {
925	ETraits->setTrait(
926	IvarRegion,
927	RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
928	ETraits->setTrait(
929	IvarRegion,
930	RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
931	Values.push_back(IvarLVal);
932	}
933	return;
934	}
935	}
936
937	Values.push_back(getReceiverSVal());
938	}
939
940	SVal ObjCMethodCall::getReceiverSVal() const {
941	// FIXME: Is this the best way to handle class receivers?
942	if (!isInstanceMessage())
943	return UnknownVal();
944
945	if (const Expr *RecE = getOriginExpr()->getInstanceReceiver())
946	return getSVal(RecE);
947
948	// An instance message with no expression means we are sending to super.
949	// In this case the object reference is the same as 'self'.
950	assert(getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance);
951	SVal SelfVal = getState()->getSelfSVal(getLocationContext());
952	assert(SelfVal.isValid() && "Calling super but not in ObjC method");
953	return SelfVal;
954	}
955
956	bool ObjCMethodCall::isReceiverSelfOrSuper() const {
957	if (getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperInstance \|\|
958	getOriginExpr()->getReceiverKind() == ObjCMessageExpr::SuperClass)
959	return true;
960
961	if (!isInstanceMessage())
962	return false;
963
964	SVal RecVal = getSVal(getOriginExpr()->getInstanceReceiver());
965	SVal SelfVal = getState()->getSelfSVal(getLocationContext());
966
967	return (RecVal == SelfVal);
968	}
969
970	SourceRange ObjCMethodCall::getSourceRange() const {
971	switch (getMessageKind()) {
972	case OCM_Message:
973	return getOriginExpr()->getSourceRange();
974	case OCM_PropertyAccess:
975	case OCM_Subscript:
976	return getContainingPseudoObjectExpr()->getSourceRange();
977	}
978	llvm_unreachable("unknown message kind");
979	}
980
981	using ObjCMessageDataTy = llvm::PointerIntPair<const PseudoObjectExpr *, `2`>;
982
983	const PseudoObjectExpr ObjCMethodCall::getContainingPseudoObjectExpr() const* {
984	assert(Data && "Lazy lookup not yet performed.");
985	assert(getMessageKind() != OCM_Message && "Explicit message send.");
986	return ObjCMessageDataTy::getFromOpaqueValue(Data).getPointer();
987	}
988
989	static const Expr *
990	getSyntacticFromForPseudoObjectExpr(const PseudoObjectExpr *POE) {
991	const Expr *Syntactic = POE->getSyntacticForm()->IgnoreParens();
992
993	// This handles the funny case of assigning to the result of a getter.
994	// This can happen if the getter returns a non-const reference.
995	if (const auto *BO = dyn_cast<BinaryOperator>(Syntactic))
996	Syntactic = BO->getLHS()->IgnoreParens();
997
998	return Syntactic;
999	}
1000
1001	ObjCMessageKind ObjCMethodCall::getMessageKind() const {
1002	if (!Data) {
1003	// Find the parent, ignoring implicit casts.
1004	const ParentMap &PM = getLocationContext()->getParentMap();
1005	const Stmt *S = PM.getParentIgnoreParenCasts(getOriginExpr());
1006
1007	// Check if parent is a PseudoObjectExpr.
1008	if (const auto *POE = dyn_cast_or_null<PseudoObjectExpr>(S)) {
1009	const Expr *Syntactic = getSyntacticFromForPseudoObjectExpr(POE);
1010
1011	ObjCMessageKind K;
1012	switch (Syntactic->getStmtClass()) {
1013	case Stmt::ObjCPropertyRefExprClass:
1014	K = OCM_PropertyAccess;
1015	break;
1016	case Stmt::ObjCSubscriptRefExprClass:
1017	K = OCM_Subscript;
1018	break;
1019	default:
1020	// FIXME: Can this ever happen?
1021	K = OCM_Message;
1022	break;
1023	}
1024
1025	if (K != OCM_Message) {
1026	const_cast<ObjCMethodCall >(this*)->Data
1027	= ObjCMessageDataTy(POE, K).getOpaqueValue();
1028	assert(getMessageKind() == K);
1029	return K;
1030	}
1031	}
1032
1033	const_cast<ObjCMethodCall >(this*)->Data
1034	= ObjCMessageDataTy(nullptr, `1`).getOpaqueValue();
1035	assert(getMessageKind() == OCM_Message);
1036	return OCM_Message;
1037	}
1038
1039	ObjCMessageDataTy Info = ObjCMessageDataTy::getFromOpaqueValue(Data);
1040	if (!Info.getPointer())
1041	return OCM_Message;
1042	return static_cast<ObjCMessageKind>(Info.getInt());
1043	}
1044
1045	const ObjCPropertyDecl ObjCMethodCall::getAccessedProperty() const* {
1046	// Look for properties accessed with property syntax (foo.bar = ...)
1047	if (getMessageKind() == OCM_PropertyAccess) {
1048	const PseudoObjectExpr *POE = getContainingPseudoObjectExpr();
1049	assert(POE && "Property access without PseudoObjectExpr?");
1050
1051	const Expr *Syntactic = getSyntacticFromForPseudoObjectExpr(POE);
1052	auto *RefExpr = cast<ObjCPropertyRefExpr>(Syntactic);
1053
1054	if (RefExpr->isExplicitProperty())
1055	return RefExpr->getExplicitProperty();
1056	}
1057
1058	// Look for properties accessed with method syntax ([foo setBar:...]).
1059	const ObjCMethodDecl *MD = getDecl();
1060	if (!MD \|\| !MD->isPropertyAccessor())
1061	return nullptr;
1062
1063	// Note: This is potentially quite slow.
1064	return MD->findPropertyDecl();
1065	}
1066
1067	bool ObjCMethodCall::canBeOverridenInSubclass(ObjCInterfaceDecl *IDecl,
1068	Selector Sel) const {
1069	assert(IDecl);
1070	AnalysisManager &AMgr =
1071	getState()->getStateManager().getOwningEngine().getAnalysisManager();
1072	// If the class interface is declared inside the main file, assume it is not
1073	// subcassed.
1074	// TODO: It could actually be subclassed if the subclass is private as well.
1075	// This is probably very rare.
1076	SourceLocation InterfLoc = IDecl->getEndOfDefinitionLoc();
1077	if (InterfLoc.isValid() && AMgr.isInCodeFile(InterfLoc))
1078	return false;
1079
1080	// Assume that property accessors are not overridden.
1081	if (getMessageKind() == OCM_PropertyAccess)
1082	return false;
1083
1084	// We assume that if the method is public (declared outside of main file) or
1085	// has a parent which publicly declares the method, the method could be
1086	// overridden in a subclass.
1087
1088	// Find the first declaration in the class hierarchy that declares
1089	// the selector.
1090	ObjCMethodDecl D = nullptr*;
1091	while (true) {
1092	D = IDecl->lookupMethod(Sel, true);
1093
1094	// Cannot find a public definition.
1095	if (!D)
1096	return false;
1097
1098	// If outside the main file,
1099	if (D->getLocation().isValid() && !AMgr.isInCodeFile(D->getLocation()))
1100	return true;
1101
1102	if (D->isOverriding()) {
1103	// Search in the superclass on the next iteration.
1104	IDecl = D->getClassInterface();
1105	if (!IDecl)
1106	return false;
1107
1108	IDecl = IDecl->getSuperClass();
1109	if (!IDecl)
1110	return false;
1111
1112	continue;
1113	}
1114
1115	return false;
1116	};
1117
1118	llvm_unreachable("The while loop should always terminate.");
1119	}
1120
1121	static const ObjCMethodDecl findDefiningRedecl(const* ObjCMethodDecl *MD) {
1122	if (!MD)
1123	return MD;
1124
1125	// Find the redeclaration that defines the method.
1126	if (!MD->hasBody()) {
1127	for (auto I : MD->redecls())
1128	if (I->hasBody())
1129	MD = cast<ObjCMethodDecl>(I);
1130	}
1131	return MD;
1132	}
1133
1134	struct PrivateMethodKey {
1135	const ObjCInterfaceDecl *Interface;
1136	Selector LookupSelector;
1137	bool IsClassMethod;
1138	};
1139
1140	namespace llvm {
1141	template <> struct DenseMapInfo<PrivateMethodKey> {
1142	using InterfaceInfo = DenseMapInfo<const ObjCInterfaceDecl *>;
1143	using SelectorInfo = DenseMapInfo<Selector>;
1144
1145	static inline PrivateMethodKey getEmptyKey() {
1146	return {InterfaceInfo::getEmptyKey(), SelectorInfo::getEmptyKey(), false};
1147	}
1148
1149	static inline PrivateMethodKey getTombstoneKey() {
1150	return {InterfaceInfo::getTombstoneKey(), SelectorInfo::getTombstoneKey(),
1151	true};
1152	}
1153
1154	static unsigned getHashValue(const PrivateMethodKey &Key) {
1155	return llvm::hash_combine(
1156	llvm::hash_code(InterfaceInfo::getHashValue(Key.Interface)),
1157	llvm::hash_code(SelectorInfo::getHashValue(Key.LookupSelector)),
1158	Key.IsClassMethod);
1159	}
1160
1161	static bool isEqual(const PrivateMethodKey &LHS,
1162	const PrivateMethodKey &RHS) {
1163	return InterfaceInfo::isEqual(LHS.Interface, RHS.Interface) &&
1164	SelectorInfo::isEqual(LHS.LookupSelector, RHS.LookupSelector) &&
1165	LHS.IsClassMethod == RHS.IsClassMethod;
1166	}
1167	};
1168	} // end namespace llvm
1169
1170	static const ObjCMethodDecl *
1171	lookupRuntimeDefinition(const ObjCInterfaceDecl *Interface,
1172	Selector LookupSelector, bool InstanceMethod) {
1173	// Repeatedly calling lookupPrivateMethod() is expensive, especially
1174	// when in many cases it returns null. We cache the results so
1175	// that repeated queries on the same ObjCIntefaceDecl and Selector
1176	// don't incur the same cost. On some test cases, we can see the
1177	// same query being issued thousands of times.
1178	//
1179	// NOTE: This cache is essentially a "global" variable, but it
1180	// only gets lazily created when we get here. The value of the
1181	// cache probably comes from it being global across ExprEngines,
1182	// where the same queries may get issued. If we are worried about
1183	// concurrency, or possibly loading/unloading ASTs, etc., we may
1184	// need to revisit this someday. In terms of memory, this table
1185	// stays around until clang quits, which also may be bad if we
1186	// need to release memory.
1187	using PrivateMethodCache =
1188	llvm::DenseMap<PrivateMethodKey, Optional<const ObjCMethodDecl *>>;
1189
1190	static PrivateMethodCache PMC;
1191	Optional<const ObjCMethodDecl *> &Val =
1192	PMC[{Interface, LookupSelector, InstanceMethod}];
1193
1194	// Query lookupPrivateMethod() if the cache does not hit.
1195	if (!Val) {
1196	Val = Interface->lookupPrivateMethod(LookupSelector, InstanceMethod);
1197
1198	if (!*Val) {
1199	// Query 'lookupMethod' as a backup.
1200	Val = Interface->lookupMethod(LookupSelector, InstanceMethod);
1201	}
1202	}
1203
1204	return *Val;
1205	}
1206
1207	RuntimeDefinition ObjCMethodCall::getRuntimeDefinition() const {
1208	const ObjCMessageExpr *E = getOriginExpr();
1209	assert(E);
1210	Selector Sel = E->getSelector();
1211
1212	if (E->isInstanceMessage()) {
1213	// Find the receiver type.
1214	const ObjCObjectType ReceiverT = nullptr*;
1215	bool CanBeSubClassed = false;
1216	bool LookingForInstanceMethod = true;
1217	QualType SupersType = E->getSuperType();
1218	const MemRegion Receiver = nullptr*;
1219
1220	if (!SupersType.isNull()) {
1221	// The receiver is guaranteed to be 'super' in this case.
1222	// Super always means the type of immediate predecessor to the method
1223	// where the call occurs.
1224	ReceiverT = cast<ObjCObjectPointerType>(SupersType)->getObjectType();
1225	} else {
1226	Receiver = getReceiverSVal().getAsRegion();
1227	if (!Receiver)
1228	return {};
1229
1230	DynamicTypeInfo DTI = getDynamicTypeInfo(getState(), Receiver);
1231	if (!DTI.isValid()) {
1232	assert(isa<AllocaRegion>(Receiver) &&
1233	"Unhandled untyped region class!");
1234	return {};
1235	}
1236
1237	QualType DynType = DTI.getType();
1238	CanBeSubClassed = DTI.canBeASubClass();
1239
1240	const auto *ReceiverDynT =
1241	dyn_cast<ObjCObjectPointerType>(DynType.getCanonicalType());
1242
1243	if (ReceiverDynT) {
1244	ReceiverT = ReceiverDynT->getObjectType();
1245
1246	// It can be actually class methods called with Class object as a
1247	// receiver. This type of messages is treated by the compiler as
1248	// instance (not class).
1249	if (ReceiverT->isObjCClass()) {
1250
1251	SVal SelfVal = getState()->getSelfSVal(getLocationContext());
1252	// For [self classMethod], return compiler visible declaration.
1253	if (Receiver == SelfVal.getAsRegion()) {
1254	return RuntimeDefinition(findDefiningRedecl(E->getMethodDecl()));
1255	}
1256
1257	// Otherwise, let's check if we know something about the type
1258	// inside of this class object.
1259	if (SymbolRef ReceiverSym = getReceiverSVal().getAsSymbol()) {
1260	DynamicTypeInfo DTI =
1261	getClassObjectDynamicTypeInfo(getState(), ReceiverSym);
1262	if (DTI.isValid()) {
1263	// Let's use this type for lookup.
1264	ReceiverT =
1265	cast<ObjCObjectType>(DTI.getType().getCanonicalType());
1266
1267	CanBeSubClassed = DTI.canBeASubClass();
1268	// And it should be a class method instead.
1269	LookingForInstanceMethod = false;
1270	}
1271	}
1272	}
1273
1274	if (CanBeSubClassed)
1275	if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterface())
1276	// Even if `DynamicTypeInfo` told us that it can be
1277	// not necessarily this type, but its descendants, we still want
1278	// to check again if this selector can be actually overridden.
1279	CanBeSubClassed = canBeOverridenInSubclass(IDecl, Sel);
1280	}
1281	}
1282
1283	// Lookup the instance method implementation.
1284	if (ReceiverT)
1285	if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterface()) {
1286	const ObjCMethodDecl *MD =
1287	lookupRuntimeDefinition(IDecl, Sel, LookingForInstanceMethod);
1288
1289	if (MD && !MD->hasBody())
1290	MD = MD->getCanonicalDecl();
1291
1292	if (CanBeSubClassed)
1293	return RuntimeDefinition(MD, Receiver);
1294	else
1295	return RuntimeDefinition(MD, nullptr);
1296	}
1297	} else {
1298	// This is a class method.
1299	// If we have type info for the receiver class, we are calling via
1300	// class name.
1301	if (ObjCInterfaceDecl *IDecl = E->getReceiverInterface()) {
1302	// Find/Return the method implementation.
1303	return RuntimeDefinition(IDecl->lookupPrivateClassMethod(Sel));
1304	}
1305	}
1306
1307	return {};
1308	}
1309
1310	bool ObjCMethodCall::argumentsMayEscape() const {
1311	if (isInSystemHeader() && !isInstanceMessage()) {
1312	Selector Sel = getSelector();
1313	if (Sel.getNumArgs() == `1` &&
1314	Sel.getIdentifierInfoForSlot(`0`)->isStr("valueWithPointer"))
1315	return true;
1316	}
1317
1318	return CallEvent::argumentsMayEscape();
1319	}
1320
1321	void ObjCMethodCall::getInitialStackFrameContents(
1322	const StackFrameContext *CalleeCtx,
1323	BindingsTy &Bindings) const {
1324	const auto *D = cast<ObjCMethodDecl>(CalleeCtx->getDecl());
1325	SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
1326	addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this,
1327	D->parameters());
1328
1329	SVal SelfVal = getReceiverSVal();
1330	if (!SelfVal.isUnknown()) {
1331	const VarDecl *SelfD = CalleeCtx->getAnalysisDeclContext()->getSelfDecl();
1332	MemRegionManager &MRMgr = SVB.getRegionManager();
1333	Loc SelfLoc = SVB.makeLoc(MRMgr.getVarRegion(SelfD, CalleeCtx));
1334	Bindings.push_back(std::make_pair(SelfLoc, SelfVal));
1335	}
1336	}
1337
1338	CallEventRef<>
1339	CallEventManager::getSimpleCall(const CallExpr *CE, ProgramStateRef State,
1340	const LocationContext *LCtx) {
1341	if (const auto *MCE = dyn_cast<CXXMemberCallExpr>(CE))
1342	return create<CXXMemberCall>(MCE, State, LCtx);
1343
1344	if (const auto *OpCE = dyn_cast<CXXOperatorCallExpr>(CE)) {
1345	const FunctionDecl *DirectCallee = OpCE->getDirectCallee();
1346	if (const auto *MD = dyn_cast<CXXMethodDecl>(DirectCallee))
1347	if (MD->isInstance())
1348	return create<CXXMemberOperatorCall>(OpCE, State, LCtx);
1349
1350	} else if (CE->getCallee()->getType()->isBlockPointerType()) {
1351	return create<BlockCall>(CE, State, LCtx);
1352	}
1353
1354	// Otherwise, it's a normal function call, static member function call, or
1355	// something we can't reason about.
1356	return create<SimpleFunctionCall>(CE, State, LCtx);
1357	}
1358
1359	CallEventRef<>
1360	CallEventManager::getCaller(const StackFrameContext *CalleeCtx,
1361	ProgramStateRef State) {
1362	const LocationContext *ParentCtx = CalleeCtx->getParent();
1363	const LocationContext *CallerCtx = ParentCtx->getStackFrame();
1364	assert(CallerCtx && "This should not be used for top-level stack frames");
1365
1366	const Stmt *CallSite = CalleeCtx->getCallSite();
1367
1368	if (CallSite) {
1369	if (CallEventRef<> Out = getCall(CallSite, State, CallerCtx))
1370	return Out;
1371
1372	SValBuilder &SVB = State->getStateManager().getSValBuilder();
1373	const auto *Ctor = cast<CXXMethodDecl>(CalleeCtx->getDecl());
1374	Loc ThisPtr = SVB.getCXXThis(Ctor, CalleeCtx);
1375	SVal ThisVal = State->getSVal(ThisPtr);
1376
1377	if (const auto *CE = dyn_cast<CXXConstructExpr>(CallSite))
1378	return getCXXConstructorCall(CE, ThisVal.getAsRegion(), State, CallerCtx);
1379	else if (const auto *CIE = dyn_cast<CXXInheritedCtorInitExpr>(CallSite))
1380	return getCXXInheritedConstructorCall(CIE, ThisVal.getAsRegion(), State,
1381	CallerCtx);
1382	else {
1383	// All other cases are handled by getCall.
1384	llvm_unreachable("This is not an inlineable statement");
1385	}
1386	}
1387
1388	// Fall back to the CFG. The only thing we haven't handled yet is
1389	// destructors, though this could change in the future.
1390	const CFGBlock *B = CalleeCtx->getCallSiteBlock();
1391	CFGElement E = (*B)[CalleeCtx->getIndex()];
1392	assert((E.getAs<CFGImplicitDtor>() \|\| E.getAs<CFGTemporaryDtor>()) &&
1393	"All other CFG elements should have exprs");
1394
1395	SValBuilder &SVB = State->getStateManager().getSValBuilder();
1396	const auto *Dtor = cast<CXXDestructorDecl>(CalleeCtx->getDecl());
1397	Loc ThisPtr = SVB.getCXXThis(Dtor, CalleeCtx);
1398	SVal ThisVal = State->getSVal(ThisPtr);
1399
1400	const Stmt *Trigger;
1401	if (Optional<CFGAutomaticObjDtor> AutoDtor = E.getAs<CFGAutomaticObjDtor>())
1402	Trigger = AutoDtor->getTriggerStmt();
1403	else if (Optional<CFGDeleteDtor> DeleteDtor = E.getAs<CFGDeleteDtor>())
1404	Trigger = DeleteDtor->getDeleteExpr();
1405	else
1406	Trigger = Dtor->getBody();
1407
1408	return getCXXDestructorCall(Dtor, Trigger, ThisVal.getAsRegion(),
1409	E.getAs<CFGBaseDtor>().has_value(), State,
1410	CallerCtx);
1411	}
1412
1413	CallEventRef<> CallEventManager::getCall(const Stmt *S, ProgramStateRef State,
1414	const LocationContext *LC) {
1415	if (const auto *CE = dyn_cast<CallExpr>(S)) {
1416	return getSimpleCall(CE, State, LC);
1417	} else if (const auto *NE = dyn_cast<CXXNewExpr>(S)) {
1418	return getCXXAllocatorCall(NE, State, LC);
1419	} else if (const auto *DE = dyn_cast<CXXDeleteExpr>(S)) {
1420	return getCXXDeallocatorCall(DE, State, LC);
1421	} else if (const auto *ME = dyn_cast<ObjCMessageExpr>(S)) {
1422	return getObjCMethodCall(ME, State, LC);
1423	} else {
1424	return nullptr;
1425	}
1426	}
1427

source code of clang/lib/StaticAnalyzer/Core/CallEvent.cpp