ExprEngineC.cpp source code [clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp]

1	//=-- ExprEngineC.cpp - ExprEngine support for C expressions ----- C++ --===//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	// This file defines ExprEngine's support for C expressions.
10	//
11	//===----------------------------------------------------------------------===//
12
13	#include "clang/AST/DeclCXX.h"
14	#include "clang/AST/ExprCXX.h"
15	#include "clang/StaticAnalyzer/Core/CheckerManager.h"
16	#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
17	#include <optional>
18
19	using namespace clang;
20	using namespace ento;
21	using llvm::APSInt;
22
23	/// Optionally conjure and return a symbol for offset when processing
24	/// \p Elem.
25	/// If \p Other is a location, conjure a symbol for \p Symbol
26	/// (offset) if it is unknown so that memory arithmetic always
27	/// results in an ElementRegion.
28	/// \p Count The number of times the current basic block was visited.
29	static SVal conjureOffsetSymbolOnLocation(SVal Symbol, SVal Other,
30	ConstCFGElementRef Elem, QualType Ty,
31	SValBuilder &svalBuilder,
32	unsigned Count,
33	const LocationContext *LCtx) {
34	if (isa<Loc>(Val: Other) && Ty ->isIntegralOrEnumerationType() &&
35	Symbol.isUnknown()) {
36	return svalBuilder.conjureSymbolVal(elem: Elem, LCtx, type: Ty, visitCount: Count);
37	}
38	return Symbol;
39	}
40
41	void ExprEngine::VisitBinaryOperator(const BinaryOperator* B,
42	ExplodedNode *Pred,
43	ExplodedNodeSet &Dst) {
44
45	Expr *LHS = B->getLHS()->IgnoreParens();
46	Expr *RHS = B->getRHS()->IgnoreParens();
47
48	// FIXME: Prechecks eventually go in ::Visit().
49	ExplodedNodeSet CheckedSet;
50	ExplodedNodeSet Tmp2;
51	getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, B, *this);
52
53	// With both the LHS and RHS evaluated, process the operation itself.
54	for (ExplodedNodeSet::iterator it=CheckedSet.begin(), ei=CheckedSet.end();
55	it != ei; ++it) {
56
57	ProgramStateRef state = (*it)->getState();
58	const LocationContext LCtx = (it)->getLocationContext();
59	SVal LeftV = state ->getSVal(LHS, LCtx);
60	SVal RightV = state ->getSVal(RHS, LCtx);
61
62	BinaryOperator::Opcode Op = B->getOpcode();
63
64	if (Op == BO_Assign) {
65	// EXPERIMENTAL: "Conjured" symbols.
66	// FIXME: Handle structs.
67	if (RightV.isUnknown()) {
68	unsigned Count = currBldrCtx->blockCount();
69	RightV = svalBuilder.conjureSymbolVal(symbolTag: nullptr, elem: getCFGElementRef(), LCtx,
70	count: Count);
71	}
72	// Simulate the effects of a "store": bind the value of the RHS
73	// to the L-Value represented by the LHS.
74	SVal ExprVal = B->isGLValue() ? LeftV : RightV;
75	evalStore(Tmp2, B, LHS, *it, state ->BindExpr(B, LCtx, ExprVal),
76	LeftV, RightV);
77	continue;
78	}
79
80	if (!B->isAssignmentOp()) {
81	StmtNodeBuilder Bldr(it, Tmp2, currBldrCtx);
82
83	if (B->isAdditiveOp()) {
84	// TODO: This can be removed after we enable history tracking with
85	// SymSymExpr.
86	unsigned Count = currBldrCtx->blockCount();
87	RightV = conjureOffsetSymbolOnLocation(
88	Symbol: RightV, Other: LeftV, Elem: getCFGElementRef(), Ty: RHS->getType(), svalBuilder,
89	Count, LCtx);
90	LeftV = conjureOffsetSymbolOnLocation(Symbol: LeftV, Other: RightV, Elem: getCFGElementRef(),
91	Ty: LHS->getType(), svalBuilder,
92	Count, LCtx);
93	}
94
95	// Although we don't yet model pointers-to-members, we do need to make
96	// sure that the members of temporaries have a valid 'this' pointer for
97	// other checks.
98	if (B->getOpcode() == BO_PtrMemD)
99	state = createTemporaryRegionIfNeeded(State: state, LC: LCtx, InitWithAdjustments: LHS);
100
101	// Process non-assignments except commas or short-circuited
102	// logical expressions (LAnd and LOr).
103	SVal Result = evalBinOp(ST: state, Op, LHS: LeftV, RHS: RightV, T: B->getType());
104	if (!Result.isUnknown()) {
105	state = state ->BindExpr(B, LCtx, Result);
106	} else {
107	// If we cannot evaluate the operation escape the operands.
108	state = escapeValues(State: state, Vs: LeftV, K: PSK_EscapeOther);
109	state = escapeValues(State: state, Vs: RightV, K: PSK_EscapeOther);
110	}
111
112	Bldr.generateNode(B, *it, state);
113	continue;
114	}
115
116	assert (B->isCompoundAssignmentOp());
117
118	switch (Op) {
119	default:
120	llvm_unreachable("Invalid opcode for compound assignment.");
121	case BO_MulAssign: Op = BO_Mul; break;
122	case BO_DivAssign: Op = BO_Div; break;
123	case BO_RemAssign: Op = BO_Rem; break;
124	case BO_AddAssign: Op = BO_Add; break;
125	case BO_SubAssign: Op = BO_Sub; break;
126	case BO_ShlAssign: Op = BO_Shl; break;
127	case BO_ShrAssign: Op = BO_Shr; break;
128	case BO_AndAssign: Op = BO_And; break;
129	case BO_XorAssign: Op = BO_Xor; break;
130	case BO_OrAssign: Op = BO_Or; break;
131	}
132
133	// Perform a load (the LHS). This performs the checks for
134	// null dereferences, and so on.
135	ExplodedNodeSet Tmp;
136	SVal location = LeftV;
137	evalLoad(Tmp, B, LHS, *it, state, location);
138
139	for (ExplodedNode *N : Tmp) {
140	state = N->getState();
141	const LocationContext *LCtx = N->getLocationContext();
142	SVal V = state ->getSVal(LHS, LCtx);
143
144	// Get the computation type.
145	QualType CTy =
146	cast<CompoundAssignOperator>(Val: B)->getComputationResultType();
147	CTy = getContext().getCanonicalType(T: CTy);
148
149	QualType CLHSTy =
150	cast<CompoundAssignOperator>(Val: B)->getComputationLHSType();
151	CLHSTy = getContext().getCanonicalType(T: CLHSTy);
152
153	QualType LTy = getContext().getCanonicalType(T: LHS->getType());
154
155	// Promote LHS.
156	V = svalBuilder.evalCast(V, CastTy: CLHSTy, OriginalTy: LTy);
157
158	// Compute the result of the operation.
159	SVal Result = svalBuilder.evalCast(V: evalBinOp(ST: state, Op, LHS: V, RHS: RightV, T: CTy),
160	CastTy: B->getType(), OriginalTy: CTy);
161
162	// EXPERIMENTAL: "Conjured" symbols.
163	// FIXME: Handle structs.
164
165	SVal LHSVal;
166
167	if (Result.isUnknown()) {
168	// The symbolic value is actually for the type of the left-hand side
169	// expression, not the computation type, as this is the value the
170	// LValue on the LHS will bind to.
171	LHSVal = svalBuilder.conjureSymbolVal(/symbolTag=/nullptr,
172	elem: getCFGElementRef(), LCtx, type: LTy,
173	count: currBldrCtx->blockCount());
174	// However, we need to convert the symbol to the computation type.
175	Result = svalBuilder.evalCast(V: LHSVal, CastTy: CTy, OriginalTy: LTy);
176	} else {
177	// The left-hand side may bind to a different value then the
178	// computation type.
179	LHSVal = svalBuilder.evalCast(V: Result, CastTy: LTy, OriginalTy: CTy);
180	}
181
182	// In C++, assignment and compound assignment operators return an
183	// lvalue.
184	if (B->isGLValue())
185	state = state ->BindExpr(B, LCtx, location);
186	else
187	state = state ->BindExpr(B, LCtx, Result);
188
189	evalStore(Tmp2, B, LHS, N, state, location, LHSVal);
190	}
191	}
192
193	// FIXME: postvisits eventually go in ::Visit()
194	getCheckerManager().runCheckersForPostStmt(Dst, Tmp2, B, *this);
195	}
196
197	void ExprEngine::VisitBlockExpr(const BlockExpr BE, ExplodedNode Pred,
198	ExplodedNodeSet &Dst) {
199
200	CanQualType T = getContext().getCanonicalType(BE->getType());
201
202	const BlockDecl *BD = BE->getBlockDecl();
203	// Get the value of the block itself.
204	SVal V = svalBuilder.getBlockPointer(block: BD, locTy: T,
205	locContext: Pred->getLocationContext(),
206	blockCount: currBldrCtx->blockCount());
207
208	ProgramStateRef State = Pred->getState();
209
210	// If we created a new MemRegion for the block, we should explicitly bind
211	// the captured variables.
212	if (const BlockDataRegion *BDR =
213	dyn_cast_or_null<BlockDataRegion>(Val: V.getAsRegion())) {
214
215	auto ReferencedVars = BDR->referenced_vars();
216	auto CI = BD->capture_begin();
217	auto CE = BD->capture_end();
218	for (auto Var : ReferencedVars) {
219	const VarRegion *capturedR = Var.getCapturedRegion();
220	const TypedValueRegion *originalR = Var.getOriginalRegion();
221
222	// If the capture had a copy expression, use the result of evaluating
223	// that expression, otherwise use the original value.
224	// We rely on the invariant that the block declaration's capture variables
225	// are a prefix of the BlockDataRegion's referenced vars (which may include
226	// referenced globals, etc.) to enable fast lookup of the capture for a
227	// given referenced var.
228	const Expr copyExpr = nullptr*;
229	if (CI != CE) {
230	assert(CI->getVariable() == capturedR->getDecl());
231	copyExpr = CI->getCopyExpr();
232	CI++;
233	}
234
235	if (capturedR != originalR) {
236	SVal originalV;
237	const LocationContext *LCtx = Pred->getLocationContext();
238	if (copyExpr) {
239	originalV = State->getSVal(copyExpr, LCtx);
240	} else {
241	originalV = State->getSVal(loc::MemRegionVal(originalR));
242	}
243	State = State->bindLoc(loc::MemRegionVal(capturedR), originalV, LCtx);
244	}
245	}
246	}
247
248	ExplodedNodeSet Tmp;
249	StmtNodeBuilder Bldr(Pred, Tmp, *currBldrCtx);
250	Bldr.generateNode(BE, Pred,
251	State ->BindExpr(BE, Pred->getLocationContext(), V),
252	nullptr, ProgramPoint::PostLValueKind);
253
254	// FIXME: Move all post/pre visits to ::Visit().
255	getCheckerManager().runCheckersForPostStmt(Dst, Tmp, BE, *this);
256	}
257
258	ProgramStateRef ExprEngine::handleLValueBitCast(
259	ProgramStateRef state, const Expr* Ex, const LocationContext* LCtx,
260	QualType T, QualType ExTy, const CastExpr* CastE, StmtNodeBuilder& Bldr,
261	ExplodedNode* Pred) {
262	if (T ->isLValueReferenceType()) {
263	assert(!CastE->getType()->isLValueReferenceType());
264	ExTy = getContext().getLValueReferenceType(T: ExTy);
265	} else if (T ->isRValueReferenceType()) {
266	assert(!CastE->getType()->isRValueReferenceType());
267	ExTy = getContext().getRValueReferenceType(T: ExTy);
268	}
269	// Delegate to SValBuilder to process.
270	SVal OrigV = state ->getSVal(Ex, LCtx);
271	SVal SimplifiedOrigV = svalBuilder.simplifySVal(State: state, Val: OrigV);
272	SVal V = svalBuilder.evalCast(V: SimplifiedOrigV, CastTy: T, OriginalTy: ExTy);
273	// Negate the result if we're treating the boolean as a signed i1
274	if (CastE->getCastKind() == CK_BooleanToSignedIntegral && V.isValid())
275	V = svalBuilder.evalMinus(val: V.castAs<NonLoc>());
276
277	state = state ->BindExpr(CastE, LCtx, V);
278	if (V.isUnknown() && !OrigV.isUnknown()) {
279	state = escapeValues(State: state, Vs: OrigV, K: PSK_EscapeOther);
280	}
281	Bldr.generateNode(CastE, Pred, state);
282
283	return state;
284	}
285
286	void ExprEngine::VisitCast(const CastExpr CastE, const* Expr *Ex,
287	ExplodedNode *Pred, ExplodedNodeSet &Dst) {
288
289	ExplodedNodeSet DstPreStmt;
290	getCheckerManager().runCheckersForPreStmt(DstPreStmt, Pred, CastE, *this);
291
292	if (CastE->getCastKind() == CK_LValueToRValue) {
293	for (ExplodedNode *Node : DstPreStmt) {
294	ProgramStateRef State = Node->getState();
295	const LocationContext *LCtx = Node->getLocationContext();
296	evalLoad(Dst, CastE, CastE, Node, State, State ->getSVal(Ex, LCtx));
297	}
298	return;
299	}
300	if (CastE->getCastKind() == CK_LValueToRValueBitCast) {
301	// Handle `__builtin_bit_cast`:
302	ExplodedNodeSet DstEvalLoc;
303
304	// Simulate the lvalue-to-rvalue conversion on `Ex`:
305	for (ExplodedNode *Node : DstPreStmt) {
306	ProgramStateRef State = Node->getState();
307	const LocationContext *LCtx = Node->getLocationContext();
308	evalLocation(DstEvalLoc, CastE, Ex, Node, State, State ->getSVal(Ex, LCtx),
309	true);
310	}
311	// Simulate the operation that actually casts the original value to a new
312	// value of the destination type :
313	StmtNodeBuilder Bldr(DstEvalLoc, Dst, *currBldrCtx);
314
315	for (ExplodedNode *Node : DstEvalLoc) {
316	ProgramStateRef State = Node->getState();
317	const LocationContext *LCtx = Node->getLocationContext();
318	// Although `Ex` is an lvalue, it could have `Loc::ConcreteInt` kind
319	// (e.g., `(int )123456`). In such cases, there is no MemRegion*
320	// available and we can't get the value to be casted.
321	SVal CastedV = UnknownVal ();
322
323	if (const MemRegion *MR = State ->getSVal(Ex, LCtx).getAsRegion()) {
324	SVal OrigV = State ->getSVal(R: MR);
325	CastedV = svalBuilder.evalCast(V: svalBuilder.simplifySVal(State, Val: OrigV),
326	CastTy: CastE->getType(), OriginalTy: Ex->getType());
327	}
328	State = State ->BindExpr(CastE, LCtx, CastedV);
329	Bldr.generateNode(CastE, Node, State);
330	}
331	return;
332	}
333
334	// All other casts.
335	QualType T = CastE->getType();
336	QualType ExTy = Ex->getType();
337
338	if (const ExplicitCastExpr *ExCast=dyn_cast_or_null<ExplicitCastExpr>(Val: CastE))
339	T = ExCast->getTypeAsWritten();
340
341	StmtNodeBuilder Bldr(DstPreStmt, Dst, *currBldrCtx);
342	for (ExplodedNode *Pred : DstPreStmt) {
343	ProgramStateRef state = Pred->getState();
344	const LocationContext *LCtx = Pred->getLocationContext();
345
346	switch (CastE->getCastKind()) {
347	case CK_LValueToRValue:
348	case CK_LValueToRValueBitCast:
349	llvm_unreachable("LValueToRValue casts handled earlier.");
350	case CK_ToVoid:
351	continue;
352	// The analyzer doesn't do anything special with these casts,
353	// since it understands retain/release semantics already.
354	case CK_ARCProduceObject:
355	case CK_ARCConsumeObject:
356	case CK_ARCReclaimReturnedObject:
357	case CK_ARCExtendBlockObject: // Fall-through.
358	case CK_CopyAndAutoreleaseBlockObject:
359	// The analyser can ignore atomic casts for now, although some future
360	// checkers may want to make certain that you're not modifying the same
361	// value through atomic and nonatomic pointers.
362	case CK_AtomicToNonAtomic:
363	case CK_NonAtomicToAtomic:
364	// True no-ops.
365	case CK_NoOp:
366	case CK_ConstructorConversion:
367	case CK_UserDefinedConversion:
368	case CK_FunctionToPointerDecay:
369	case CK_BuiltinFnToFnPtr:
370	case CK_HLSLArrayRValue: {
371	// Copy the SVal of Ex to CastE.
372	ProgramStateRef state = Pred->getState();
373	const LocationContext *LCtx = Pred->getLocationContext();
374	SVal V = state ->getSVal(Ex, LCtx);
375	state = state ->BindExpr(CastE, LCtx, V);
376	Bldr.generateNode(CastE, Pred, state);
377	continue;
378	}
379	case CK_MemberPointerToBoolean:
380	case CK_PointerToBoolean: {
381	SVal V = state ->getSVal(Ex, LCtx);
382	auto PTMSV = V.getAs<nonloc::PointerToMember>();
383	if (PTMSV)
384	V = svalBuilder.makeTruthVal(!PTMSV->isNullMemberPointer(), ExTy);
385	if (V.isUndef() \|\| PTMSV) {
386	state = state ->BindExpr(CastE, LCtx, V);
387	Bldr.generateNode(CastE, Pred, state);
388	continue;
389	}
390	// Explicitly proceed with default handler for this case cascade.
391	state =
392	handleLValueBitCast(state, Ex, LCtx, T, ExTy, CastE, Bldr, Pred);
393	continue;
394	}
395	case CK_Dependent:
396	case CK_ArrayToPointerDecay:
397	case CK_BitCast:
398	case CK_AddressSpaceConversion:
399	case CK_BooleanToSignedIntegral:
400	case CK_IntegralToPointer:
401	case CK_PointerToIntegral: {
402	SVal V = state ->getSVal(Ex, LCtx);
403	if (isa<nonloc::PointerToMember>(Val: V)) {
404	state = state ->BindExpr(CastE, LCtx, UnknownVal ());
405	Bldr.generateNode(CastE, Pred, state);
406	continue;
407	}
408	// Explicitly proceed with default handler for this case cascade.
409	state =
410	handleLValueBitCast(state, Ex, LCtx, T, ExTy, CastE, Bldr, Pred);
411	continue;
412	}
413	case CK_IntegralToBoolean:
414	case CK_IntegralToFloating:
415	case CK_FloatingToIntegral:
416	case CK_FloatingToBoolean:
417	case CK_FloatingCast:
418	case CK_FloatingRealToComplex:
419	case CK_FloatingComplexToReal:
420	case CK_FloatingComplexToBoolean:
421	case CK_FloatingComplexCast:
422	case CK_FloatingComplexToIntegralComplex:
423	case CK_IntegralRealToComplex:
424	case CK_IntegralComplexToReal:
425	case CK_IntegralComplexToBoolean:
426	case CK_IntegralComplexCast:
427	case CK_IntegralComplexToFloatingComplex:
428	case CK_CPointerToObjCPointerCast:
429	case CK_BlockPointerToObjCPointerCast:
430	case CK_AnyPointerToBlockPointerCast:
431	case CK_ObjCObjectLValueCast:
432	case CK_ZeroToOCLOpaqueType:
433	case CK_IntToOCLSampler:
434	case CK_LValueBitCast:
435	case CK_FloatingToFixedPoint:
436	case CK_FixedPointToFloating:
437	case CK_FixedPointCast:
438	case CK_FixedPointToBoolean:
439	case CK_FixedPointToIntegral:
440	case CK_IntegralToFixedPoint: {
441	state =
442	handleLValueBitCast(state, Ex, LCtx, T, ExTy, CastE, Bldr, Pred);
443	continue;
444	}
445	case CK_IntegralCast: {
446	// Delegate to SValBuilder to process.
447	SVal V = state ->getSVal(Ex, LCtx);
448	if (AMgr.options.ShouldSupportSymbolicIntegerCasts)
449	V = svalBuilder.evalCast(V, CastTy: T, OriginalTy: ExTy);
450	else
451	V = svalBuilder.evalIntegralCast(state, val: V, castTy: T, originalType: ExTy);
452	state = state ->BindExpr(CastE, LCtx, V);
453	Bldr.generateNode(CastE, Pred, state);
454	continue;
455	}
456	case CK_DerivedToBase:
457	case CK_UncheckedDerivedToBase: {
458	// For DerivedToBase cast, delegate to the store manager.
459	SVal val = state ->getSVal(Ex, LCtx);
460	val = getStoreManager().evalDerivedToBase(Derived: val, Cast: CastE);
461	state = state ->BindExpr(CastE, LCtx, val);
462	Bldr.generateNode(CastE, Pred, state);
463	continue;
464	}
465	// Handle C++ dyn_cast.
466	case CK_Dynamic: {
467	SVal val = state ->getSVal(Ex, LCtx);
468
469	// Compute the type of the result.
470	QualType resultType = CastE->getType();
471	if (CastE->isGLValue())
472	resultType = getContext().getPointerType(T: resultType);
473
474	bool Failed = true;
475
476	// Check if the value being cast does not evaluates to 0.
477	if (!val.isZeroConstant())
478	if (std::optional<SVal> V =
479	StateMgr.getStoreManager().evalBaseToDerived(Base: val, DerivedPtrType: T)) {
480	val = *V;
481	Failed = false;
482	}
483
484	if (Failed) {
485	if (T ->isReferenceType()) {
486	// A bad_cast exception is thrown if input value is a reference.
487	// Currently, we model this, by generating a sink.
488	Bldr.generateSink(CastE, Pred, state);
489	continue;
490	} else {
491	// If the cast fails on a pointer, bind to 0.
492	state = state ->BindExpr(CastE, LCtx,
493	svalBuilder.makeNullWithType(type: resultType));
494	}
495	} else {
496	// If we don't know if the cast succeeded, conjure a new symbol.
497	if (val.isUnknown()) {
498	DefinedOrUnknownSVal NewSym = svalBuilder.conjureSymbolVal(
499	/symbolTag=/nullptr, elem: getCFGElementRef(), LCtx, type: resultType,
500	count: currBldrCtx->blockCount());
501	state = state ->BindExpr(CastE, LCtx, NewSym);
502	} else
503	// Else, bind to the derived region value.
504	state = state ->BindExpr(CastE, LCtx, val);
505	}
506	Bldr.generateNode(CastE, Pred, state);
507	continue;
508	}
509	case CK_BaseToDerived: {
510	SVal val = state ->getSVal(Ex, LCtx);
511	QualType resultType = CastE->getType();
512	if (CastE->isGLValue())
513	resultType = getContext().getPointerType(T: resultType);
514
515	if (!val.isConstant()) {
516	std::optional<SVal> V = getStoreManager().evalBaseToDerived(Base: val, DerivedPtrType: T);
517	val = V ? *V : UnknownVal ();
518	}
519
520	// Failed to cast or the result is unknown, fall back to conservative.
521	if (val.isUnknown()) {
522	val = svalBuilder.conjureSymbolVal(
523	/symbolTag=/nullptr, elem: getCFGElementRef(), LCtx, type: resultType,
524	count: currBldrCtx->blockCount());
525	}
526	state = state ->BindExpr(CastE, LCtx, val);
527	Bldr.generateNode(CastE, Pred, state);
528	continue;
529	}
530	case CK_NullToPointer: {
531	SVal V = svalBuilder.makeNullWithType(type: CastE->getType());
532	state = state ->BindExpr(CastE, LCtx, V);
533	Bldr.generateNode(CastE, Pred, state);
534	continue;
535	}
536	case CK_NullToMemberPointer: {
537	SVal V = svalBuilder.getMemberPointer(ND: nullptr);
538	state = state ->BindExpr(CastE, LCtx, V);
539	Bldr.generateNode(CastE, Pred, state);
540	continue;
541	}
542	case CK_DerivedToBaseMemberPointer:
543	case CK_BaseToDerivedMemberPointer:
544	case CK_ReinterpretMemberPointer: {
545	SVal V = state ->getSVal(Ex, LCtx);
546	if (auto PTMSV = V.getAs<nonloc::PointerToMember>()) {
547	SVal CastedPTMSV =
548	svalBuilder.makePointerToMember(getBasicVals().accumCXXBase(
549	PathRange: CastE->path(), PTM: *PTMSV, kind: CastE->getCastKind()));
550	state = state ->BindExpr(CastE, LCtx, CastedPTMSV);
551	Bldr.generateNode(CastE, Pred, state);
552	continue;
553	}
554	// Explicitly proceed with default handler for this case cascade.
555	}
556	[[fallthrough]];
557	// Various C++ casts that are not handled yet.
558	case CK_ToUnion:
559	case CK_MatrixCast:
560	case CK_VectorSplat:
561	case CK_HLSLElementwiseCast:
562	case CK_HLSLAggregateSplatCast:
563	case CK_HLSLVectorTruncation: {
564	QualType resultType = CastE->getType();
565	if (CastE->isGLValue())
566	resultType = getContext().getPointerType(T: resultType);
567	SVal result = svalBuilder.conjureSymbolVal(
568	/symbolTag=/nullptr, elem: getCFGElementRef(), LCtx, type: resultType,
569	count: currBldrCtx->blockCount());
570	state = state ->BindExpr(CastE, LCtx, result);
571	Bldr.generateNode(CastE, Pred, state);
572	continue;
573	}
574	}
575	}
576	}
577
578	void ExprEngine::VisitCompoundLiteralExpr(const CompoundLiteralExpr *CL,
579	ExplodedNode *Pred,
580	ExplodedNodeSet &Dst) {
581	StmtNodeBuilder B(Pred, Dst, *currBldrCtx);
582
583	ProgramStateRef State = Pred->getState();
584	const LocationContext *LCtx = Pred->getLocationContext();
585
586	const Expr *Init = CL->getInitializer();
587	SVal V = State ->getSVal(CL->getInitializer(), LCtx);
588
589	if (isa<CXXConstructExpr, CXXStdInitializerListExpr>(Val: Init)) {
590	// No work needed. Just pass the value up to this expression.
591	} else {
592	assert(isa<InitListExpr>(Init));
593	Loc CLLoc = State ->getLValue(literal: CL, LC: LCtx);
594	State = State ->bindLoc(location: CLLoc, V, LCtx);
595
596	if (CL->isGLValue())
597	V = CLLoc;
598	}
599
600	B.generateNode(CL, Pred, State ->BindExpr(CL, LCtx, V));
601	}
602
603	void ExprEngine::VisitDeclStmt(const DeclStmt DS, ExplodedNode Pred,
604	ExplodedNodeSet &Dst) {
605	if (isa<TypedefNameDecl>(Val: *DS->decl_begin())) {
606	// C99 6.7.7 "Any array size expressions associated with variable length
607	// array declarators are evaluated each time the declaration of the typedef
608	// name is reached in the order of execution."
609	// The checkers should know about typedef to be able to handle VLA size
610	// expressions.
611	ExplodedNodeSet DstPre;
612	getCheckerManager().runCheckersForPreStmt(Dst&: DstPre, Src: Pred, S: DS, Eng&: *this);
613	getCheckerManager().runCheckersForPostStmt(Dst, Src: DstPre, S: DS, Eng&: *this);
614	return;
615	}
616
617	// Assumption: The CFG has one DeclStmt per Decl.
618	const VarDecl VD = dyn_cast_or_null<VarDecl>(Val: DS->decl_begin());
619
620	if (!VD) {
621	//TODO:AZ: remove explicit insertion after refactoring is done.
622	Dst.insert(S: Pred);
623	return;
624	}
625
626	// FIXME: all pre/post visits should eventually be handled by ::Visit().
627	ExplodedNodeSet dstPreVisit;
628	getCheckerManager().runCheckersForPreStmt(Dst&: dstPreVisit, Src: Pred, S: DS, Eng&: *this);
629
630	ExplodedNodeSet dstEvaluated;
631	StmtNodeBuilder B(dstPreVisit, dstEvaluated, *currBldrCtx);
632	for (ExplodedNodeSet::iterator I = dstPreVisit.begin(), E = dstPreVisit.end();
633	I!=E; ++I) {
634	ExplodedNode N = I;
635	ProgramStateRef state = N->getState();
636	const LocationContext *LC = N->getLocationContext();
637
638	// Decls without InitExpr are not initialized explicitly.
639	if (const Expr *InitEx = VD->getInit()) {
640
641	// Note in the state that the initialization has occurred.
642	ExplodedNode *UpdatedN = N;
643	SVal InitVal = state ->getSVal(InitEx, LC);
644
645	assert(DS->isSingleDecl());
646	if (getObjectUnderConstruction(State: state, Item: DS, LC)) {
647	state = finishObjectConstruction(State: state, Item: DS, LC);
648	// We constructed the object directly in the variable.
649	// No need to bind anything.
650	B.generateNode(S: DS, Pred: UpdatedN, St: state);
651	} else {
652	// Recover some path-sensitivity if a scalar value evaluated to
653	// UnknownVal.
654	if (InitVal.isUnknown()) {
655	QualType Ty = InitEx->getType();
656	if (InitEx->isGLValue()) {
657	Ty = getContext().getPointerType(T: Ty);
658	}
659
660	InitVal = svalBuilder.conjureSymbolVal(
661	/symbolTag=/nullptr, elem: getCFGElementRef(), LCtx: LC, type: Ty,
662	count: currBldrCtx->blockCount());
663	}
664
665
666	B.takeNodes(N: UpdatedN);
667	ExplodedNodeSet Dst2;
668	evalBind(Dst&: Dst2, StoreE: DS, Pred: UpdatedN, location: state ->getLValue(VD, LC), Val: InitVal, atDeclInit: true);
669	B.addNodes(S: Dst2);
670	}
671	}
672	else {
673	B.generateNode(S: DS, Pred: N, St: state);
674	}
675	}
676
677	getCheckerManager().runCheckersForPostStmt(Dst, Src: B.getResults(), S: DS, Eng&: *this);
678	}
679
680	void ExprEngine::VisitLogicalExpr(const BinaryOperator* B, ExplodedNode *Pred,
681	ExplodedNodeSet &Dst) {
682	// This method acts upon CFG elements for logical operators && and \|\|
683	// and attaches the value (true or false) to them as expressions.
684	// It doesn't produce any state splits.
685	// If we made it that far, we're past the point when we modeled the short
686	// circuit. It means that we should have precise knowledge about whether
687	// we've short-circuited. If we did, we already know the value we need to
688	// bind. If we didn't, the value of the RHS (casted to the boolean type)
689	// is the answer.
690	// Currently this method tries to figure out whether we've short-circuited
691	// by looking at the ExplodedGraph. This method is imperfect because there
692	// could inevitably have been merges that would have resulted in multiple
693	// potential path traversal histories. We bail out when we fail.
694	// Due to this ambiguity, a more reliable solution would have been to
695	// track the short circuit operation history path-sensitively until
696	// we evaluate the respective logical operator.
697	assert(B->getOpcode() == BO_LAnd \|\|
698	B->getOpcode() == BO_LOr);
699
700	StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
701	ProgramStateRef state = Pred->getState();
702
703	if (B->getType()->isVectorType()) {
704	// FIXME: We do not model vector arithmetic yet. When adding support for
705	// that, note that the CFG-based reasoning below does not apply, because
706	// logical operators on vectors are not short-circuit. Currently they are
707	// modeled as short-circuit in Clang CFG but this is incorrect.
708	// Do not set the value for the expression. It'd be UnknownVal by default.
709	Bldr.generateNode(B, Pred, state);
710	return;
711	}
712
713	ExplodedNode *N = Pred;
714	while (!N->getLocation().getAs<BlockEdge>()) {
715	ProgramPoint P = N->getLocation();
716	assert(P.getAs<PreStmt>() \|\| P.getAs<PreStmtPurgeDeadSymbols>() \|\|
717	P.getAs<BlockEntrance>());
718	(void) P;
719	if (N->pred_size() != `1`) {
720	// We failed to track back where we came from.
721	Bldr.generateNode(B, Pred, state);
722	return;
723	}
724	N = *N->pred_begin();
725	}
726
727	if (N->pred_size() != `1`) {
728	// We failed to track back where we came from.
729	Bldr.generateNode(B, Pred, state);
730	return;
731	}
732
733	BlockEdge BE = N->getLocation().castAs<BlockEdge>();
734	SVal X;
735
736	// Determine the value of the expression by introspecting how we
737	// got this location in the CFG. This requires looking at the previous
738	// block we were in and what kind of control-flow transfer was involved.
739	const CFGBlock *SrcBlock = BE.getSrc();
740	// The only terminator (if there is one) that makes sense is a logical op.
741	CFGTerminator T = SrcBlock->getTerminator();
742	if (const BinaryOperator *Term = cast_or_null<BinaryOperator>(Val: T.getStmt())) {
743	(void) Term;
744	assert(Term->isLogicalOp());
745	assert(SrcBlock->succ_size() == `2`);
746	// Did we take the true or false branch?
747	unsigned constant = (*SrcBlock->succ_begin() == BE.getDst()) ? `1` : `0`;
748	X = svalBuilder.makeIntVal(constant, B->getType());
749	}
750	else {
751	// If there is no terminator, by construction the last statement
752	// in SrcBlock is the value of the enclosing expression.
753	// However, we still need to constrain that value to be 0 or 1.
754	assert(!SrcBlock->empty());
755	CFGStmt Elem = SrcBlock->rbegin()->castAs<CFGStmt>();
756	const Expr *RHS = cast<Expr>(Val: Elem.getStmt());
757	SVal RHSVal = N->getState()->getSVal(RHS, Pred->getLocationContext());
758
759	if (RHSVal.isUndef()) {
760	X = RHSVal;
761	} else {
762	// We evaluate "RHSVal != 0" expression which result in 0 if the value is
763	// known to be false, 1 if the value is known to be true and a new symbol
764	// when the assumption is unknown.
765	nonloc::ConcreteInt Zero(getBasicVals().getValue(`0`, B->getType()));
766	X = evalBinOp(ST: N->getState(), Op: BO_NE,
767	LHS: svalBuilder.evalCast(V: RHSVal, CastTy: B->getType(), OriginalTy: RHS->getType()),
768	RHS: Zero, T: B->getType());
769	}
770	}
771	Bldr.generateNode(B, Pred, state ->BindExpr(B, Pred->getLocationContext(), X));
772	}
773
774	void ExprEngine::VisitInitListExpr(const InitListExpr *IE,
775	ExplodedNode *Pred,
776	ExplodedNodeSet &Dst) {
777	StmtNodeBuilder B(Pred, Dst, *currBldrCtx);
778
779	ProgramStateRef state = Pred->getState();
780	const LocationContext *LCtx = Pred->getLocationContext();
781	QualType T = getContext().getCanonicalType(IE->getType());
782	unsigned NumInitElements = IE->getNumInits();
783
784	if (!IE->isGLValue() && !IE->isTransparent() &&
785	(T ->isArrayType() \|\| T ->isRecordType() \|\| T ->isVectorType() \|\|
786	T ->isAnyComplexType())) {
787	llvm::ImmutableList<SVal> vals = getBasicVals().getEmptySValList();
788
789	// Handle base case where the initializer has no elements.
790	// e.g: static int myArray[] = {};*
791	if (NumInitElements == `0`) {
792	SVal V = svalBuilder.makeCompoundVal(type: T, vals);
793	B.generateNode(IE, Pred, state ->BindExpr(IE, LCtx, V));
794	return;
795	}
796
797	for (const Stmt S : llvm::reverse(C: IE)) {
798	SVal V = state ->getSVal(cast<Expr>(Val: S), LCtx);
799	vals = getBasicVals().prependSVal(X: V, L: vals);
800	}
801
802	B.generateNode(IE, Pred,
803	state ->BindExpr(IE, LCtx,
804	svalBuilder.makeCompoundVal(type: T, vals)));
805	return;
806	}
807
808	// Handle scalars: int{5} and int{} and GLvalues.
809	// Note, if the InitListExpr is a GLvalue, it means that there is an address
810	// representing it, so it must have a single init element.
811	assert(NumInitElements <= `1`);
812
813	SVal V;
814	if (NumInitElements == `0`)
815	V = getSValBuilder().makeZeroVal(type: T);
816	else
817	V = state ->getSVal(IE->getInit(Init: `0`), LCtx);
818
819	B.generateNode(IE, Pred, state ->BindExpr(IE, LCtx, V));
820	}
821
822	void ExprEngine::VisitGuardedExpr(const Expr *Ex,
823	const Expr *L,
824	const Expr *R,
825	ExplodedNode *Pred,
826	ExplodedNodeSet &Dst) {
827	assert(L && R);
828
829	StmtNodeBuilder B(Pred, Dst, *currBldrCtx);
830	ProgramStateRef state = Pred->getState();
831	const LocationContext *LCtx = Pred->getLocationContext();
832	const CFGBlock SrcBlock = nullptr*;
833
834	// Find the predecessor block.
835	ProgramStateRef SrcState = state;
836	for (const ExplodedNode N = Pred ; N ; N = N->pred_begin()) {
837	auto Edge = N->getLocationAs<BlockEdge>();
838	if (!Edge.has_value()) {
839	// If the state N has multiple predecessors P, it means that successors
840	// of P are all equivalent.
841	// In turn, that means that all nodes at P are equivalent in terms
842	// of observable behavior at N, and we can follow any of them.
843	// FIXME: a more robust solution which does not walk up the tree.
844	continue;
845	}
846	SrcBlock = Edge ->getSrc();
847	SrcState = N->getState();
848	break;
849	}
850
851	assert(SrcBlock && "missing function entry");
852
853	// Find the last expression in the predecessor block. That is the
854	// expression that is used for the value of the ternary expression.
855	bool hasValue = false;
856	SVal V;
857
858	for (CFGElement CE : llvm::reverse(C: *SrcBlock)) {
859	if (std::optional<CFGStmt> CS = CE.getAs<CFGStmt>()) {
860	const Expr *ValEx = cast<Expr>(Val: CS ->getStmt());
861	ValEx = ValEx->IgnoreParens();
862
863	// For GNU extension '?:' operator, the left hand side will be an
864	// OpaqueValueExpr, so get the underlying expression.
865	if (const OpaqueValueExpr *OpaqueEx = dyn_cast<OpaqueValueExpr>(Val: L))
866	L = OpaqueEx->getSourceExpr();
867
868	// If the last expression in the predecessor block matches true or false
869	// subexpression, get its the value.
870	if (ValEx == L->IgnoreParens() \|\| ValEx == R->IgnoreParens()) {
871	hasValue = true;
872	V = SrcState ->getSVal(ValEx, LCtx);
873	}
874	break;
875	}
876	}
877
878	if (!hasValue)
879	V = svalBuilder.conjureSymbolVal(symbolTag: nullptr, elem: getCFGElementRef(), LCtx,
880	count: currBldrCtx->blockCount());
881
882	// Generate a new node with the binding from the appropriate path.
883	B.generateNode(Ex, Pred, state ->BindExpr(Ex, LCtx, V, true));
884	}
885
886	void ExprEngine::
887	VisitOffsetOfExpr(const OffsetOfExpr *OOE,
888	ExplodedNode *Pred, ExplodedNodeSet &Dst) {
889	StmtNodeBuilder B(Pred, Dst, *currBldrCtx);
890	Expr::EvalResult Result;
891	if (OOE->EvaluateAsInt(Result, getContext())) {
892	APSInt IV = Result.Val.getInt();
893	assert(IV.getBitWidth() == getContext().getTypeSize(OOE->getType()));
894	assert(OOE->getType()->castAs<BuiltinType>()->isInteger());
895	assert(IV.isSigned() == OOE->getType()->isSignedIntegerType());
896	SVal X = svalBuilder.makeIntVal(integer: IV);
897	B.generateNode(OOE, Pred,
898	Pred->getState()->BindExpr(OOE, Pred->getLocationContext(),
899	X));
900	}
901	// FIXME: Handle the case where __builtin_offsetof is not a constant.
902	}
903
904
905	void ExprEngine::
906	VisitUnaryExprOrTypeTraitExpr(const UnaryExprOrTypeTraitExpr *Ex,
907	ExplodedNode *Pred,
908	ExplodedNodeSet &Dst) {
909	// FIXME: Prechecks eventually go in ::Visit().
910	ExplodedNodeSet CheckedSet;
911	getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, Ex, *this);
912
913	ExplodedNodeSet EvalSet;
914	StmtNodeBuilder Bldr(CheckedSet, EvalSet, *currBldrCtx);
915
916	QualType T = Ex->getTypeOfArgument();
917
918	for (ExplodedNode *N : CheckedSet) {
919	if (Ex->getKind() == UETT_SizeOf) {
920	if (!T ->isIncompleteType() && !T ->isConstantSizeType()) {
921	assert(T ->isVariableArrayType() && "Unknown non-constant-sized type.");
922
923	// FIXME: Add support for VLA type arguments and VLA expressions.
924	// When that happens, we should probably refactor VLASizeChecker's code.
925	continue;
926	} else if (T ->getAs<ObjCObjectType>()) {
927	// Some code tries to take the sizeof an ObjCObjectType, relying that
928	// the compiler has laid out its representation. Just report Unknown
929	// for these.
930	continue;
931	}
932	}
933
934	APSInt Value = Ex->EvaluateKnownConstInt(getContext());
935	CharUnits amt = CharUnits::fromQuantity(Quantity: Value.getZExtValue());
936
937	ProgramStateRef state = N->getState();
938	state = state ->BindExpr(
939	S: Ex, LCtx: N->getLocationContext(),
940	V: svalBuilder.makeIntVal(amt.getQuantity(), Ex->getType()));
941	Bldr.generateNode(Ex, N, state);
942	}
943
944	getCheckerManager().runCheckersForPostStmt(Dst, EvalSet, Ex, *this);
945	}
946
947	void ExprEngine::handleUOExtension(ExplodedNode N, const* UnaryOperator *U,
948	StmtNodeBuilder &Bldr) {
949	// FIXME: We can probably just have some magic in Environment::getSVal()
950	// that propagates values, instead of creating a new node here.
951	//
952	// Unary "+" is a no-op, similar to a parentheses. We still have places
953	// where it may be a block-level expression, so we need to
954	// generate an extra node that just propagates the value of the
955	// subexpression.
956	const Expr *Ex = U->getSubExpr()->IgnoreParens();
957	ProgramStateRef state = N->getState();
958	const LocationContext *LCtx = N->getLocationContext();
959	Bldr.generateNode(U, N, state ->BindExpr(U, LCtx, state ->getSVal(Ex, LCtx)));
960	}
961
962	void ExprEngine::VisitUnaryOperator(const UnaryOperator* U, ExplodedNode *Pred,
963	ExplodedNodeSet &Dst) {
964	// FIXME: Prechecks eventually go in ::Visit().
965	ExplodedNodeSet CheckedSet;
966	getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, U, *this);
967
968	ExplodedNodeSet EvalSet;
969	StmtNodeBuilder Bldr(CheckedSet, EvalSet, *currBldrCtx);
970
971	for (ExplodedNode *N : CheckedSet) {
972	switch (U->getOpcode()) {
973	default: {
974	Bldr.takeNodes(N);
975	ExplodedNodeSet Tmp;
976	VisitIncrementDecrementOperator(U, Pred: N, Dst&: Tmp);
977	Bldr.addNodes(S: Tmp);
978	break;
979	}
980	case UO_Real: {
981	const Expr *Ex = U->getSubExpr()->IgnoreParens();
982
983	// FIXME: We don't have complex SValues yet.
984	if (Ex->getType()->isAnyComplexType()) {
985	// Just report "Unknown."
986	break;
987	}
988
989	// For all other types, UO_Real is an identity operation.
990	assert (U->getType() == Ex->getType());
991	ProgramStateRef state = N->getState();
992	const LocationContext *LCtx = N->getLocationContext();
993	Bldr.generateNode(U, N,
994	state ->BindExpr(U, LCtx, state ->getSVal(Ex, LCtx)));
995	break;
996	}
997
998	case UO_Imag: {
999	const Expr *Ex = U->getSubExpr()->IgnoreParens();
1000	// FIXME: We don't have complex SValues yet.
1001	if (Ex->getType()->isAnyComplexType()) {
1002	// Just report "Unknown."
1003	break;
1004	}
1005	// For all other types, UO_Imag returns 0.
1006	ProgramStateRef state = N->getState();
1007	const LocationContext *LCtx = N->getLocationContext();
1008	SVal X = svalBuilder.makeZeroVal(type: Ex->getType());
1009	Bldr.generateNode(U, N, state ->BindExpr(U, LCtx, X));
1010	break;
1011	}
1012
1013	case UO_AddrOf: {
1014	// Process pointer-to-member address operation.
1015	const Expr *Ex = U->getSubExpr()->IgnoreParens();
1016	if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(Val: Ex)) {
1017	const ValueDecl *VD = DRE->getDecl();
1018
1019	if (isa<CXXMethodDecl, FieldDecl, IndirectFieldDecl>(Val: VD)) {
1020	ProgramStateRef State = N->getState();
1021	const LocationContext *LCtx = N->getLocationContext();
1022	SVal SV = svalBuilder.getMemberPointer(ND: cast<NamedDecl>(Val: VD));
1023	Bldr.generateNode(U, N, State ->BindExpr(U, LCtx, SV));
1024	break;
1025	}
1026	}
1027	// Explicitly proceed with default handler for this case cascade.
1028	handleUOExtension(N, U, Bldr);
1029	break;
1030	}
1031	case UO_Plus:
1032	assert(!U->isGLValue());
1033	[[fallthrough]];
1034	case UO_Deref:
1035	case UO_Extension: {
1036	handleUOExtension(N, U, Bldr);
1037	break;
1038	}
1039
1040	case UO_LNot:
1041	case UO_Minus:
1042	case UO_Not: {
1043	assert (!U->isGLValue());
1044	const Expr *Ex = U->getSubExpr()->IgnoreParens();
1045	ProgramStateRef state = N->getState();
1046	const LocationContext *LCtx = N->getLocationContext();
1047
1048	// Get the value of the subexpression.
1049	SVal V = state ->getSVal(Ex, LCtx);
1050
1051	if (V.isUnknownOrUndef()) {
1052	Bldr.generateNode(U, N, state ->BindExpr(U, LCtx, V));
1053	break;
1054	}
1055
1056	switch (U->getOpcode()) {
1057	default:
1058	llvm_unreachable("Invalid Opcode.");
1059	case UO_Not:
1060	// FIXME: Do we need to handle promotions?
1061	state = state ->BindExpr(
1062	U, LCtx, svalBuilder.evalComplement(val: V.castAs<NonLoc>()));
1063	break;
1064	case UO_Minus:
1065	// FIXME: Do we need to handle promotions?
1066	state = state ->BindExpr(U, LCtx,
1067	svalBuilder.evalMinus(val: V.castAs<NonLoc>()));
1068	break;
1069	case UO_LNot:
1070	// C99 6.5.3.3: "The expression !E is equivalent to (0==E)."
1071	//
1072	// Note: technically we do "E == 0", but this is the same in the
1073	// transfer functions as "0 == E".
1074	SVal Result;
1075	if (std::optional<Loc> LV = V.getAs<Loc>()) {
1076	Loc X = svalBuilder.makeNullWithType(type: Ex->getType());
1077	Result = evalBinOp(ST: state, Op: BO_EQ, LHS: *LV, RHS: X, T: U->getType());
1078	} else if (Ex->getType()->isFloatingType()) {
1079	// FIXME: handle floating point types.
1080	Result = UnknownVal ();
1081	} else {
1082	nonloc::ConcreteInt X(getBasicVals().getValue(X: `0`, T: Ex->getType()));
1083	Result = evalBinOp(ST: state, Op: BO_EQ, LHS: V.castAs<NonLoc>(), RHS: X, T: U->getType());
1084	}
1085
1086	state = state ->BindExpr(U, LCtx, Result);
1087	break;
1088	}
1089	Bldr.generateNode(U, N, state);
1090	break;
1091	}
1092	}
1093	}
1094
1095	getCheckerManager().runCheckersForPostStmt(Dst, EvalSet, U, *this);
1096	}
1097
1098	void ExprEngine::VisitIncrementDecrementOperator(const UnaryOperator* U,
1099	ExplodedNode *Pred,
1100	ExplodedNodeSet &Dst) {
1101	// Handle ++ and -- (both pre- and post-increment).
1102	assert (U->isIncrementDecrementOp());
1103	const Expr *Ex = U->getSubExpr()->IgnoreParens();
1104
1105	const LocationContext *LCtx = Pred->getLocationContext();
1106	ProgramStateRef state = Pred->getState();
1107	SVal loc = state ->getSVal(Ex, LCtx);
1108
1109	// Perform a load.
1110	ExplodedNodeSet Tmp;
1111	evalLoad(Tmp, U, Ex, Pred, state, loc);
1112
1113	ExplodedNodeSet Dst2;
1114	StmtNodeBuilder Bldr(Tmp, Dst2, *currBldrCtx);
1115	for (ExplodedNode *N : Tmp) {
1116	state = N->getState();
1117	assert(LCtx == N->getLocationContext());
1118	SVal V2_untested = state ->getSVal(Ex, LCtx);
1119
1120	// Propagate unknown and undefined values.
1121	if (V2_untested.isUnknownOrUndef()) {
1122	state = state ->BindExpr(U, LCtx, V2_untested);
1123
1124	// Perform the store, so that the uninitialized value detection happens.
1125	Bldr.takeNodes(N);
1126	ExplodedNodeSet Dst3;
1127	evalStore(Dst3, U, Ex, N, state, loc, V2_untested);
1128	Bldr.addNodes(S: Dst3);
1129
1130	continue;
1131	}
1132	DefinedSVal V2 = V2_untested.castAs<DefinedSVal>();
1133
1134	// Handle all other values.
1135	BinaryOperator::Opcode Op = U->isIncrementOp() ? BO_Add : BO_Sub;
1136
1137	// If the UnaryOperator has non-location type, use its type to create the
1138	// constant value. If the UnaryOperator has location type, create the
1139	// constant with int type and pointer width.
1140	SVal RHS;
1141	SVal Result;
1142
1143	if (U->getType()->isAnyPointerType())
1144	RHS = svalBuilder.makeArrayIndex(idx: `1`);
1145	else if (U->getType()->isIntegralOrEnumerationType())
1146	RHS = svalBuilder.makeIntVal(`1`, U->getType());
1147	else
1148	RHS = UnknownVal ();
1149
1150	// The use of an operand of type bool with the ++ operators is deprecated
1151	// but valid until C++17. And if the operand of the ++ operator is of type
1152	// bool, it is set to true until C++17. Note that for '_Bool', it is also
1153	// set to true when it encounters ++ operator.
1154	if (U->getType()->isBooleanType() && U->isIncrementOp())
1155	Result = svalBuilder.makeTruthVal(true, U->getType());
1156	else
1157	Result = evalBinOp(ST: state, Op, LHS: V2, RHS, T: U->getType());
1158
1159	// Conjure a new symbol if necessary to recover precision.
1160	if (Result.isUnknown()){
1161	DefinedOrUnknownSVal SymVal = svalBuilder.conjureSymbolVal(
1162	/symbolTag=/nullptr, elem: getCFGElementRef(), LCtx,
1163	count: currBldrCtx->blockCount());
1164	Result = SymVal;
1165
1166	// If the value is a location, ++/-- should always preserve
1167	// non-nullness. Check if the original value was non-null, and if so
1168	// propagate that constraint.
1169	if (Loc::isLocType(T: U->getType())) {
1170	DefinedOrUnknownSVal Constraint =
1171	svalBuilder.evalEQ(state, V2,svalBuilder.makeZeroVal(type: U->getType()));
1172
1173	if (!state ->assume(Cond: Constraint, Assumption: true)) {
1174	// It isn't feasible for the original value to be null.
1175	// Propagate this constraint.
1176	Constraint = svalBuilder.evalEQ(state, SymVal,
1177	svalBuilder.makeZeroVal(type: U->getType()));
1178
1179	state = state ->assume(Cond: Constraint, Assumption: false);
1180	assert(state);
1181	}
1182	}
1183	}
1184
1185	// Since the lvalue-to-rvalue conversion is explicit in the AST,
1186	// we bind an l-value if the operator is prefix and an lvalue (in C++).
1187	if (U->isGLValue())
1188	state = state ->BindExpr(U, LCtx, loc);
1189	else
1190	state = state ->BindExpr(U, LCtx, U->isPostfix() ? V2 : Result);
1191
1192	// Perform the store.
1193	Bldr.takeNodes(N);
1194	ExplodedNodeSet Dst3;
1195	evalStore(Dst3, U, Ex, N, state, loc, Result);
1196	Bldr.addNodes(S: Dst3);
1197	}
1198	Dst.insert(S: Dst2);
1199	}
1200

source code of clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp