search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[clang][modules] Don't prevent translation of FW_Private includes when explicitly...
[llvm-project.git] / clang / lib / StaticAnalyzer / Core / ExprEngineC.cpp
blob7e431f7e598c4cb8193cd39851cd2f38206841a5
1 //=-- ExprEngineC.cpp - ExprEngine support for C expressions ----*- C++ -*-===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines ExprEngine's support for C expressions.
10 //
11 //===----------------------------------------------------------------------===//
12
13 #include "clang/AST/DeclCXX.h"
14 #include "clang/AST/ExprCXX.h"
15 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
16 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
17 #include <optional>
18
19 using namespace clang;
20 using namespace ento;
21 using llvm::APSInt;
22
23 /// Optionally conjure and return a symbol for offset when processing
24 /// an expression \p Expression.
25 /// If \p Other is a location, conjure a symbol for \p Symbol
26 /// (offset) if it is unknown so that memory arithmetic always
27 /// results in an ElementRegion.
28 /// \p Count The number of times the current basic block was visited.
29 static SVal conjureOffsetSymbolOnLocation(
30 SVal Symbol, SVal Other, Expr* Expression, SValBuilder &svalBuilder,
31 unsigned Count, const LocationContext *LCtx) {
32 QualType Ty = Expression->getType();
33 if (isa<Loc>(Other) && Ty->isIntegralOrEnumerationType() &&
34 Symbol.isUnknown()) {
35 return svalBuilder.conjureSymbolVal(Expression, LCtx, Ty, Count);
36 }
37 return Symbol;
38 }
39
40 void ExprEngine::VisitBinaryOperator(const BinaryOperator* B,
41 ExplodedNode *Pred,
42 ExplodedNodeSet &Dst) {
43
44 Expr *LHS = B->getLHS()->IgnoreParens();
45 Expr *RHS = B->getRHS()->IgnoreParens();
46
47 // FIXME: Prechecks eventually go in ::Visit().
48 ExplodedNodeSet CheckedSet;
49 ExplodedNodeSet Tmp2;
50 getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, B, *this);
51
52 // With both the LHS and RHS evaluated, process the operation itself.
53 for (ExplodedNodeSet::iterator it=CheckedSet.begin(), ei=CheckedSet.end();
54 it != ei; ++it) {
55
56 ProgramStateRef state = (*it)->getState();
57 const LocationContext *LCtx = (*it)->getLocationContext();
58 SVal LeftV = state->getSVal(LHS, LCtx);
59 SVal RightV = state->getSVal(RHS, LCtx);
60
61 BinaryOperator::Opcode Op = B->getOpcode();
62
63 if (Op == BO_Assign) {
64 // EXPERIMENTAL: "Conjured" symbols.
65 // FIXME: Handle structs.
66 if (RightV.isUnknown()) {
67 unsigned Count = currBldrCtx->blockCount();
68 RightV = svalBuilder.conjureSymbolVal(nullptr, B->getRHS(), LCtx,
69 Count);
70 }
71 // Simulate the effects of a "store": bind the value of the RHS
72 // to the L-Value represented by the LHS.
73 SVal ExprVal = B->isGLValue() ? LeftV : RightV;
74 evalStore(Tmp2, B, LHS, *it, state->BindExpr(B, LCtx, ExprVal),
75 LeftV, RightV);
76 continue;
77 }
78
79 if (!B->isAssignmentOp()) {
80 StmtNodeBuilder Bldr(*it, Tmp2, *currBldrCtx);
81
82 if (B->isAdditiveOp()) {
83 // TODO: This can be removed after we enable history tracking with
84 // SymSymExpr.
85 unsigned Count = currBldrCtx->blockCount();
86 RightV = conjureOffsetSymbolOnLocation(
87 RightV, LeftV, RHS, svalBuilder, Count, LCtx);
88 LeftV = conjureOffsetSymbolOnLocation(
89 LeftV, RightV, LHS, svalBuilder, Count, LCtx);
90 }
91
92 // Although we don't yet model pointers-to-members, we do need to make
93 // sure that the members of temporaries have a valid 'this' pointer for
94 // other checks.
95 if (B->getOpcode() == BO_PtrMemD)
96 state = createTemporaryRegionIfNeeded(state, LCtx, LHS);
97
98 // Process non-assignments except commas or short-circuited
99 // logical expressions (LAnd and LOr).
100 SVal Result = evalBinOp(state, Op, LeftV, RightV, B->getType());
101 if (!Result.isUnknown()) {
102 state = state->BindExpr(B, LCtx, Result);
103 } else {
104 // If we cannot evaluate the operation escape the operands.
105 state = escapeValues(state, LeftV, PSK_EscapeOther);
106 state = escapeValues(state, RightV, PSK_EscapeOther);
107 }
108
109 Bldr.generateNode(B, *it, state);
110 continue;
111 }
112
113 assert (B->isCompoundAssignmentOp());
114
115 switch (Op) {
116 default:
117 llvm_unreachable("Invalid opcode for compound assignment.");
118 case BO_MulAssign: Op = BO_Mul; break;
119 case BO_DivAssign: Op = BO_Div; break;
120 case BO_RemAssign: Op = BO_Rem; break;
121 case BO_AddAssign: Op = BO_Add; break;
122 case BO_SubAssign: Op = BO_Sub; break;
123 case BO_ShlAssign: Op = BO_Shl; break;
124 case BO_ShrAssign: Op = BO_Shr; break;
125 case BO_AndAssign: Op = BO_And; break;
126 case BO_XorAssign: Op = BO_Xor; break;
127 case BO_OrAssign: Op = BO_Or; break;
128 }
129
130 // Perform a load (the LHS). This performs the checks for
131 // null dereferences, and so on.
132 ExplodedNodeSet Tmp;
133 SVal location = LeftV;
134 evalLoad(Tmp, B, LHS, *it, state, location);
135
136 for (ExplodedNode *N : Tmp) {
137 state = N->getState();
138 const LocationContext *LCtx = N->getLocationContext();
139 SVal V = state->getSVal(LHS, LCtx);
140
141 // Get the computation type.
142 QualType CTy =
143 cast<CompoundAssignOperator>(B)->getComputationResultType();
144 CTy = getContext().getCanonicalType(CTy);
145
146 QualType CLHSTy =
147 cast<CompoundAssignOperator>(B)->getComputationLHSType();
148 CLHSTy = getContext().getCanonicalType(CLHSTy);
149
150 QualType LTy = getContext().getCanonicalType(LHS->getType());
151
152 // Promote LHS.
153 V = svalBuilder.evalCast(V, CLHSTy, LTy);
154
155 // Compute the result of the operation.
156 SVal Result = svalBuilder.evalCast(evalBinOp(state, Op, V, RightV, CTy),
157 B->getType(), CTy);
158
159 // EXPERIMENTAL: "Conjured" symbols.
160 // FIXME: Handle structs.
161
162 SVal LHSVal;
163
164 if (Result.isUnknown()) {
165 // The symbolic value is actually for the type of the left-hand side
166 // expression, not the computation type, as this is the value the
167 // LValue on the LHS will bind to.
168 LHSVal = svalBuilder.conjureSymbolVal(nullptr, B->getRHS(), LCtx, LTy,
169 currBldrCtx->blockCount());
170 // However, we need to convert the symbol to the computation type.
171 Result = svalBuilder.evalCast(LHSVal, CTy, LTy);
172 } else {
173 // The left-hand side may bind to a different value then the
174 // computation type.
175 LHSVal = svalBuilder.evalCast(Result, LTy, CTy);
176 }
177
178 // In C++, assignment and compound assignment operators return an
179 // lvalue.
180 if (B->isGLValue())
181 state = state->BindExpr(B, LCtx, location);
182 else
183 state = state->BindExpr(B, LCtx, Result);
184
185 evalStore(Tmp2, B, LHS, N, state, location, LHSVal);
186 }
187 }
188
189 // FIXME: postvisits eventually go in ::Visit()
190 getCheckerManager().runCheckersForPostStmt(Dst, Tmp2, B, *this);
191 }
192
193 void ExprEngine::VisitBlockExpr(const BlockExpr *BE, ExplodedNode *Pred,
194 ExplodedNodeSet &Dst) {
195
196 CanQualType T = getContext().getCanonicalType(BE->getType());
197
198 const BlockDecl *BD = BE->getBlockDecl();
199 // Get the value of the block itself.
200 SVal V = svalBuilder.getBlockPointer(BD, T,
201 Pred->getLocationContext(),
202 currBldrCtx->blockCount());
203
204 ProgramStateRef State = Pred->getState();
205
206 // If we created a new MemRegion for the block, we should explicitly bind
207 // the captured variables.
208 if (const BlockDataRegion *BDR =
209 dyn_cast_or_null<BlockDataRegion>(V.getAsRegion())) {
210
211 auto ReferencedVars = BDR->referenced_vars();
212 auto CI = BD->capture_begin();
213 auto CE = BD->capture_end();
214 for (auto Var : ReferencedVars) {
215 const VarRegion *capturedR = Var.getCapturedRegion();
216 const TypedValueRegion *originalR = Var.getOriginalRegion();
217
218 // If the capture had a copy expression, use the result of evaluating
219 // that expression, otherwise use the original value.
220 // We rely on the invariant that the block declaration's capture variables
221 // are a prefix of the BlockDataRegion's referenced vars (which may include
222 // referenced globals, etc.) to enable fast lookup of the capture for a
223 // given referenced var.
224 const Expr *copyExpr = nullptr;
225 if (CI != CE) {
226 assert(CI->getVariable() == capturedR->getDecl());
227 copyExpr = CI->getCopyExpr();
228 CI++;
229 }
230
231 if (capturedR != originalR) {
232 SVal originalV;
233 const LocationContext *LCtx = Pred->getLocationContext();
234 if (copyExpr) {
235 originalV = State->getSVal(copyExpr, LCtx);
236 } else {
237 originalV = State->getSVal(loc::MemRegionVal(originalR));
238 }
239 State = State->bindLoc(loc::MemRegionVal(capturedR), originalV, LCtx);
240 }
241 }
242 }
243
244 ExplodedNodeSet Tmp;
245 StmtNodeBuilder Bldr(Pred, Tmp, *currBldrCtx);
246 Bldr.generateNode(BE, Pred,
247 State->BindExpr(BE, Pred->getLocationContext(), V),
248 nullptr, ProgramPoint::PostLValueKind);
249
250 // FIXME: Move all post/pre visits to ::Visit().
251 getCheckerManager().runCheckersForPostStmt(Dst, Tmp, BE, *this);
252 }
253
254 ProgramStateRef ExprEngine::handleLValueBitCast(
255 ProgramStateRef state, const Expr* Ex, const LocationContext* LCtx,
256 QualType T, QualType ExTy, const CastExpr* CastE, StmtNodeBuilder& Bldr,
257 ExplodedNode* Pred) {
258 if (T->isLValueReferenceType()) {
259 assert(!CastE->getType()->isLValueReferenceType());
260 ExTy = getContext().getLValueReferenceType(ExTy);
261 } else if (T->isRValueReferenceType()) {
262 assert(!CastE->getType()->isRValueReferenceType());
263 ExTy = getContext().getRValueReferenceType(ExTy);
264 }
265 // Delegate to SValBuilder to process.
266 SVal OrigV = state->getSVal(Ex, LCtx);
267 SVal SimplifiedOrigV = svalBuilder.simplifySVal(state, OrigV);
268 SVal V = svalBuilder.evalCast(SimplifiedOrigV, T, ExTy);
269 // Negate the result if we're treating the boolean as a signed i1
270 if (CastE->getCastKind() == CK_BooleanToSignedIntegral && V.isValid())
271 V = svalBuilder.evalMinus(V.castAs<NonLoc>());
272
273 state = state->BindExpr(CastE, LCtx, V);
274 if (V.isUnknown() && !OrigV.isUnknown()) {
275 state = escapeValues(state, OrigV, PSK_EscapeOther);
276 }
277 Bldr.generateNode(CastE, Pred, state);
278
279 return state;
280 }
281
282 void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
283 ExplodedNode *Pred, ExplodedNodeSet &Dst) {
284
285 ExplodedNodeSet dstPreStmt;
286 getCheckerManager().runCheckersForPreStmt(dstPreStmt, Pred, CastE, *this);
287
288 if (CastE->getCastKind() == CK_LValueToRValue ||
289 CastE->getCastKind() == CK_LValueToRValueBitCast) {
290 for (ExplodedNode *subExprNode : dstPreStmt) {
291 ProgramStateRef state = subExprNode->getState();
292 const LocationContext *LCtx = subExprNode->getLocationContext();
293 evalLoad(Dst, CastE, CastE, subExprNode, state, state->getSVal(Ex, LCtx));
294 }
295 return;
296 }
297
298 // All other casts.
299 QualType T = CastE->getType();
300 QualType ExTy = Ex->getType();
301
302 if (const ExplicitCastExpr *ExCast=dyn_cast_or_null<ExplicitCastExpr>(CastE))
303 T = ExCast->getTypeAsWritten();
304
305 StmtNodeBuilder Bldr(dstPreStmt, Dst, *currBldrCtx);
306 for (ExplodedNode *Pred : dstPreStmt) {
307 ProgramStateRef state = Pred->getState();
308 const LocationContext *LCtx = Pred->getLocationContext();
309
310 switch (CastE->getCastKind()) {
311 case CK_LValueToRValue:
312 case CK_LValueToRValueBitCast:
313 llvm_unreachable("LValueToRValue casts handled earlier.");
314 case CK_ToVoid:
315 continue;
316 // The analyzer doesn't do anything special with these casts,
317 // since it understands retain/release semantics already.
318 case CK_ARCProduceObject:
319 case CK_ARCConsumeObject:
320 case CK_ARCReclaimReturnedObject:
321 case CK_ARCExtendBlockObject: // Fall-through.
322 case CK_CopyAndAutoreleaseBlockObject:
323 // The analyser can ignore atomic casts for now, although some future
324 // checkers may want to make certain that you're not modifying the same
325 // value through atomic and nonatomic pointers.
326 case CK_AtomicToNonAtomic:
327 case CK_NonAtomicToAtomic:
328 // True no-ops.
329 case CK_NoOp:
330 case CK_ConstructorConversion:
331 case CK_UserDefinedConversion:
332 case CK_FunctionToPointerDecay:
333 case CK_BuiltinFnToFnPtr: {
334 // Copy the SVal of Ex to CastE.
335 ProgramStateRef state = Pred->getState();
336 const LocationContext *LCtx = Pred->getLocationContext();
337 SVal V = state->getSVal(Ex, LCtx);
338 state = state->BindExpr(CastE, LCtx, V);
339 Bldr.generateNode(CastE, Pred, state);
340 continue;
341 }
342 case CK_MemberPointerToBoolean:
343 case CK_PointerToBoolean: {
344 SVal V = state->getSVal(Ex, LCtx);
345 auto PTMSV = V.getAs<nonloc::PointerToMember>();
346 if (PTMSV)
347 V = svalBuilder.makeTruthVal(!PTMSV->isNullMemberPointer(), ExTy);
348 if (V.isUndef() || PTMSV) {
349 state = state->BindExpr(CastE, LCtx, V);
350 Bldr.generateNode(CastE, Pred, state);
351 continue;
352 }
353 // Explicitly proceed with default handler for this case cascade.
354 state =
355 handleLValueBitCast(state, Ex, LCtx, T, ExTy, CastE, Bldr, Pred);
356 continue;
357 }
358 case CK_Dependent:
359 case CK_ArrayToPointerDecay:
360 case CK_BitCast:
361 case CK_AddressSpaceConversion:
362 case CK_BooleanToSignedIntegral:
363 case CK_IntegralToPointer:
364 case CK_PointerToIntegral: {
365 SVal V = state->getSVal(Ex, LCtx);
366 if (isa<nonloc::PointerToMember>(V)) {
367 state = state->BindExpr(CastE, LCtx, UnknownVal());
368 Bldr.generateNode(CastE, Pred, state);
369 continue;
370 }
371 // Explicitly proceed with default handler for this case cascade.
372 state =
373 handleLValueBitCast(state, Ex, LCtx, T, ExTy, CastE, Bldr, Pred);
374 continue;
375 }
376 case CK_IntegralToBoolean:
377 case CK_IntegralToFloating:
378 case CK_FloatingToIntegral:
379 case CK_FloatingToBoolean:
380 case CK_FloatingCast:
381 case CK_FloatingRealToComplex:
382 case CK_FloatingComplexToReal:
383 case CK_FloatingComplexToBoolean:
384 case CK_FloatingComplexCast:
385 case CK_FloatingComplexToIntegralComplex:
386 case CK_IntegralRealToComplex:
387 case CK_IntegralComplexToReal:
388 case CK_IntegralComplexToBoolean:
389 case CK_IntegralComplexCast:
390 case CK_IntegralComplexToFloatingComplex:
391 case CK_CPointerToObjCPointerCast:
392 case CK_BlockPointerToObjCPointerCast:
393 case CK_AnyPointerToBlockPointerCast:
394 case CK_ObjCObjectLValueCast:
395 case CK_ZeroToOCLOpaqueType:
396 case CK_IntToOCLSampler:
397 case CK_LValueBitCast:
398 case CK_FloatingToFixedPoint:
399 case CK_FixedPointToFloating:
400 case CK_FixedPointCast:
401 case CK_FixedPointToBoolean:
402 case CK_FixedPointToIntegral:
403 case CK_IntegralToFixedPoint: {
404 state =
405 handleLValueBitCast(state, Ex, LCtx, T, ExTy, CastE, Bldr, Pred);
406 continue;
407 }
408 case CK_IntegralCast: {
409 // Delegate to SValBuilder to process.
410 SVal V = state->getSVal(Ex, LCtx);
411 if (AMgr.options.ShouldSupportSymbolicIntegerCasts)
412 V = svalBuilder.evalCast(V, T, ExTy);
413 else
414 V = svalBuilder.evalIntegralCast(state, V, T, ExTy);
415 state = state->BindExpr(CastE, LCtx, V);
416 Bldr.generateNode(CastE, Pred, state);
417 continue;
418 }
419 case CK_DerivedToBase:
420 case CK_UncheckedDerivedToBase: {
421 // For DerivedToBase cast, delegate to the store manager.
422 SVal val = state->getSVal(Ex, LCtx);
423 val = getStoreManager().evalDerivedToBase(val, CastE);
424 state = state->BindExpr(CastE, LCtx, val);
425 Bldr.generateNode(CastE, Pred, state);
426 continue;
427 }
428 // Handle C++ dyn_cast.
429 case CK_Dynamic: {
430 SVal val = state->getSVal(Ex, LCtx);
431
432 // Compute the type of the result.
433 QualType resultType = CastE->getType();
434 if (CastE->isGLValue())
435 resultType = getContext().getPointerType(resultType);
436
437 bool Failed = true;
438
439 // Check if the value being cast does not evaluates to 0.
440 if (!val.isZeroConstant())
441 if (std::optional<SVal> V =
442 StateMgr.getStoreManager().evalBaseToDerived(val, T)) {
443 val = *V;
444 Failed = false;
445 }
446
447 if (Failed) {
448 if (T->isReferenceType()) {
449 // A bad_cast exception is thrown if input value is a reference.
450 // Currently, we model this, by generating a sink.
451 Bldr.generateSink(CastE, Pred, state);
452 continue;
453 } else {
454 // If the cast fails on a pointer, bind to 0.
455 state = state->BindExpr(CastE, LCtx,
456 svalBuilder.makeNullWithType(resultType));
457 }
458 } else {
459 // If we don't know if the cast succeeded, conjure a new symbol.
460 if (val.isUnknown()) {
461 DefinedOrUnknownSVal NewSym =
462 svalBuilder.conjureSymbolVal(nullptr, CastE, LCtx, resultType,
463 currBldrCtx->blockCount());
464 state = state->BindExpr(CastE, LCtx, NewSym);
465 } else
466 // Else, bind to the derived region value.
467 state = state->BindExpr(CastE, LCtx, val);
468 }
469 Bldr.generateNode(CastE, Pred, state);
470 continue;
471 }
472 case CK_BaseToDerived: {
473 SVal val = state->getSVal(Ex, LCtx);
474 QualType resultType = CastE->getType();
475 if (CastE->isGLValue())
476 resultType = getContext().getPointerType(resultType);
477
478 if (!val.isConstant()) {
479 std::optional<SVal> V = getStoreManager().evalBaseToDerived(val, T);
480 val = V ? *V : UnknownVal();
481 }
482
483 // Failed to cast or the result is unknown, fall back to conservative.
484 if (val.isUnknown()) {
485 val =
486 svalBuilder.conjureSymbolVal(nullptr, CastE, LCtx, resultType,
487 currBldrCtx->blockCount());
488 }
489 state = state->BindExpr(CastE, LCtx, val);
490 Bldr.generateNode(CastE, Pred, state);
491 continue;
492 }
493 case CK_NullToPointer: {
494 SVal V = svalBuilder.makeNullWithType(CastE->getType());
495 state = state->BindExpr(CastE, LCtx, V);
496 Bldr.generateNode(CastE, Pred, state);
497 continue;
498 }
499 case CK_NullToMemberPointer: {
500 SVal V = svalBuilder.getMemberPointer(nullptr);
501 state = state->BindExpr(CastE, LCtx, V);
502 Bldr.generateNode(CastE, Pred, state);
503 continue;
504 }
505 case CK_DerivedToBaseMemberPointer:
506 case CK_BaseToDerivedMemberPointer:
507 case CK_ReinterpretMemberPointer: {
508 SVal V = state->getSVal(Ex, LCtx);
509 if (auto PTMSV = V.getAs<nonloc::PointerToMember>()) {
510 SVal CastedPTMSV =
511 svalBuilder.makePointerToMember(getBasicVals().accumCXXBase(
512 CastE->path(), *PTMSV, CastE->getCastKind()));
513 state = state->BindExpr(CastE, LCtx, CastedPTMSV);
514 Bldr.generateNode(CastE, Pred, state);
515 continue;
516 }
517 // Explicitly proceed with default handler for this case cascade.
518 }
519 [[fallthrough]];
520 // Various C++ casts that are not handled yet.
521 case CK_ToUnion:
522 case CK_MatrixCast:
523 case CK_VectorSplat: {
524 QualType resultType = CastE->getType();
525 if (CastE->isGLValue())
526 resultType = getContext().getPointerType(resultType);
527 SVal result = svalBuilder.conjureSymbolVal(
528 /*symbolTag=*/nullptr, CastE, LCtx, resultType,
529 currBldrCtx->blockCount());
530 state = state->BindExpr(CastE, LCtx, result);
531 Bldr.generateNode(CastE, Pred, state);
532 continue;
533 }
534 }
535 }
536 }
537
538 void ExprEngine::VisitCompoundLiteralExpr(const CompoundLiteralExpr *CL,
539 ExplodedNode *Pred,
540 ExplodedNodeSet &Dst) {
541 StmtNodeBuilder B(Pred, Dst, *currBldrCtx);
542
543 ProgramStateRef State = Pred->getState();
544 const LocationContext *LCtx = Pred->getLocationContext();
545
546 const Expr *Init = CL->getInitializer();
547 SVal V = State->getSVal(CL->getInitializer(), LCtx);
548
549 if (isa<CXXConstructExpr, CXXStdInitializerListExpr>(Init)) {
550 // No work needed. Just pass the value up to this expression.
551 } else {
552 assert(isa<InitListExpr>(Init));
553 Loc CLLoc = State->getLValue(CL, LCtx);
554 State = State->bindLoc(CLLoc, V, LCtx);
555
556 if (CL->isGLValue())
557 V = CLLoc;
558 }
559
560 B.generateNode(CL, Pred, State->BindExpr(CL, LCtx, V));
561 }
562
563 void ExprEngine::VisitDeclStmt(const DeclStmt *DS, ExplodedNode *Pred,
564 ExplodedNodeSet &Dst) {
565 if (isa<TypedefNameDecl>(*DS->decl_begin())) {
566 // C99 6.7.7 "Any array size expressions associated with variable length
567 // array declarators are evaluated each time the declaration of the typedef
568 // name is reached in the order of execution."
569 // The checkers should know about typedef to be able to handle VLA size
570 // expressions.
571 ExplodedNodeSet DstPre;
572 getCheckerManager().runCheckersForPreStmt(DstPre, Pred, DS, *this);
573 getCheckerManager().runCheckersForPostStmt(Dst, DstPre, DS, *this);
574 return;
575 }
576
577 // Assumption: The CFG has one DeclStmt per Decl.
578 const VarDecl *VD = dyn_cast_or_null<VarDecl>(*DS->decl_begin());
579
580 if (!VD) {
581 //TODO:AZ: remove explicit insertion after refactoring is done.
582 Dst.insert(Pred);
583 return;
584 }
585
586 // FIXME: all pre/post visits should eventually be handled by ::Visit().
587 ExplodedNodeSet dstPreVisit;
588 getCheckerManager().runCheckersForPreStmt(dstPreVisit, Pred, DS, *this);
589
590 ExplodedNodeSet dstEvaluated;
591 StmtNodeBuilder B(dstPreVisit, dstEvaluated, *currBldrCtx);
592 for (ExplodedNodeSet::iterator I = dstPreVisit.begin(), E = dstPreVisit.end();
593 I!=E; ++I) {
594 ExplodedNode *N = *I;
595 ProgramStateRef state = N->getState();
596 const LocationContext *LC = N->getLocationContext();
597
598 // Decls without InitExpr are not initialized explicitly.
599 if (const Expr *InitEx = VD->getInit()) {
600
601 // Note in the state that the initialization has occurred.
602 ExplodedNode *UpdatedN = N;
603 SVal InitVal = state->getSVal(InitEx, LC);
604
605 assert(DS->isSingleDecl());
606 if (getObjectUnderConstruction(state, DS, LC)) {
607 state = finishObjectConstruction(state, DS, LC);
608 // We constructed the object directly in the variable.
609 // No need to bind anything.
610 B.generateNode(DS, UpdatedN, state);
611 } else {
612 // Recover some path-sensitivity if a scalar value evaluated to
613 // UnknownVal.
614 if (InitVal.isUnknown()) {
615 QualType Ty = InitEx->getType();
616 if (InitEx->isGLValue()) {
617 Ty = getContext().getPointerType(Ty);
618 }
619
620 InitVal = svalBuilder.conjureSymbolVal(nullptr, InitEx, LC, Ty,
621 currBldrCtx->blockCount());
622 }
623
624
625 B.takeNodes(UpdatedN);
626 ExplodedNodeSet Dst2;
627 evalBind(Dst2, DS, UpdatedN, state->getLValue(VD, LC), InitVal, true);
628 B.addNodes(Dst2);
629 }
630 }
631 else {
632 B.generateNode(DS, N, state);
633 }
634 }
635
636 getCheckerManager().runCheckersForPostStmt(Dst, B.getResults(), DS, *this);
637 }
638
639 void ExprEngine::VisitLogicalExpr(const BinaryOperator* B, ExplodedNode *Pred,
640 ExplodedNodeSet &Dst) {
641 // This method acts upon CFG elements for logical operators && and ||
642 // and attaches the value (true or false) to them as expressions.
643 // It doesn't produce any state splits.
644 // If we made it that far, we're past the point when we modeled the short
645 // circuit. It means that we should have precise knowledge about whether
646 // we've short-circuited. If we did, we already know the value we need to
647 // bind. If we didn't, the value of the RHS (casted to the boolean type)
648 // is the answer.
649 // Currently this method tries to figure out whether we've short-circuited
650 // by looking at the ExplodedGraph. This method is imperfect because there
651 // could inevitably have been merges that would have resulted in multiple
652 // potential path traversal histories. We bail out when we fail.
653 // Due to this ambiguity, a more reliable solution would have been to
654 // track the short circuit operation history path-sensitively until
655 // we evaluate the respective logical operator.
656 assert(B->getOpcode() == BO_LAnd ||
657 B->getOpcode() == BO_LOr);
658
659 StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
660 ProgramStateRef state = Pred->getState();
661
662 if (B->getType()->isVectorType()) {
663 // FIXME: We do not model vector arithmetic yet. When adding support for
664 // that, note that the CFG-based reasoning below does not apply, because
665 // logical operators on vectors are not short-circuit. Currently they are
666 // modeled as short-circuit in Clang CFG but this is incorrect.
667 // Do not set the value for the expression. It'd be UnknownVal by default.
668 Bldr.generateNode(B, Pred, state);
669 return;
670 }
671
672 ExplodedNode *N = Pred;
673 while (!N->getLocation().getAs<BlockEntrance>()) {
674 ProgramPoint P = N->getLocation();
675 assert(P.getAs<PreStmt>()|| P.getAs<PreStmtPurgeDeadSymbols>());
676 (void) P;
677 if (N->pred_size() != 1) {
678 // We failed to track back where we came from.
679 Bldr.generateNode(B, Pred, state);
680 return;
681 }
682 N = *N->pred_begin();
683 }
684
685 if (N->pred_size() != 1) {
686 // We failed to track back where we came from.
687 Bldr.generateNode(B, Pred, state);
688 return;
689 }
690
691 N = *N->pred_begin();
692 BlockEdge BE = N->getLocation().castAs<BlockEdge>();
693 SVal X;
694
695 // Determine the value of the expression by introspecting how we
696 // got this location in the CFG. This requires looking at the previous
697 // block we were in and what kind of control-flow transfer was involved.
698 const CFGBlock *SrcBlock = BE.getSrc();
699 // The only terminator (if there is one) that makes sense is a logical op.
700 CFGTerminator T = SrcBlock->getTerminator();
701 if (const BinaryOperator *Term = cast_or_null<BinaryOperator>(T.getStmt())) {
702 (void) Term;
703 assert(Term->isLogicalOp());
704 assert(SrcBlock->succ_size() == 2);
705 // Did we take the true or false branch?
706 unsigned constant = (*SrcBlock->succ_begin() == BE.getDst()) ? 1 : 0;
707 X = svalBuilder.makeIntVal(constant, B->getType());
708 }
709 else {
710 // If there is no terminator, by construction the last statement
711 // in SrcBlock is the value of the enclosing expression.
712 // However, we still need to constrain that value to be 0 or 1.
713 assert(!SrcBlock->empty());
714 CFGStmt Elem = SrcBlock->rbegin()->castAs<CFGStmt>();
715 const Expr *RHS = cast<Expr>(Elem.getStmt());
716 SVal RHSVal = N->getState()->getSVal(RHS, Pred->getLocationContext());
717
718 if (RHSVal.isUndef()) {
719 X = RHSVal;
720 } else {
721 // We evaluate "RHSVal != 0" expression which result in 0 if the value is
722 // known to be false, 1 if the value is known to be true and a new symbol
723 // when the assumption is unknown.
724 nonloc::ConcreteInt Zero(getBasicVals().getValue(0, B->getType()));
725 X = evalBinOp(N->getState(), BO_NE,
726 svalBuilder.evalCast(RHSVal, B->getType(), RHS->getType()),
727 Zero, B->getType());
728 }
729 }
730 Bldr.generateNode(B, Pred, state->BindExpr(B, Pred->getLocationContext(), X));
731 }
732
733 void ExprEngine::VisitInitListExpr(const InitListExpr *IE,
734 ExplodedNode *Pred,
735 ExplodedNodeSet &Dst) {
736 StmtNodeBuilder B(Pred, Dst, *currBldrCtx);
737
738 ProgramStateRef state = Pred->getState();
739 const LocationContext *LCtx = Pred->getLocationContext();
740 QualType T = getContext().getCanonicalType(IE->getType());
741 unsigned NumInitElements = IE->getNumInits();
742
743 if (!IE->isGLValue() && !IE->isTransparent() &&
744 (T->isArrayType() || T->isRecordType() || T->isVectorType() ||
745 T->isAnyComplexType())) {
746 llvm::ImmutableList<SVal> vals = getBasicVals().getEmptySValList();
747
748 // Handle base case where the initializer has no elements.
749 // e.g: static int* myArray[] = {};
750 if (NumInitElements == 0) {
751 SVal V = svalBuilder.makeCompoundVal(T, vals);
752 B.generateNode(IE, Pred, state->BindExpr(IE, LCtx, V));
753 return;
754 }
755
756 for (const Stmt *S : llvm::reverse(*IE)) {
757 SVal V = state->getSVal(cast<Expr>(S), LCtx);
758 vals = getBasicVals().prependSVal(V, vals);
759 }
760
761 B.generateNode(IE, Pred,
762 state->BindExpr(IE, LCtx,
763 svalBuilder.makeCompoundVal(T, vals)));
764 return;
765 }
766
767 // Handle scalars: int{5} and int{} and GLvalues.
768 // Note, if the InitListExpr is a GLvalue, it means that there is an address
769 // representing it, so it must have a single init element.
770 assert(NumInitElements <= 1);
771
772 SVal V;
773 if (NumInitElements == 0)
774 V = getSValBuilder().makeZeroVal(T);
775 else
776 V = state->getSVal(IE->getInit(0), LCtx);
777
778 B.generateNode(IE, Pred, state->BindExpr(IE, LCtx, V));
779 }
780
781 void ExprEngine::VisitGuardedExpr(const Expr *Ex,
782 const Expr *L,
783 const Expr *R,
784 ExplodedNode *Pred,
785 ExplodedNodeSet &Dst) {
786 assert(L && R);
787
788 StmtNodeBuilder B(Pred, Dst, *currBldrCtx);
789 ProgramStateRef state = Pred->getState();
790 const LocationContext *LCtx = Pred->getLocationContext();
791 const CFGBlock *SrcBlock = nullptr;
792
793 // Find the predecessor block.
794 ProgramStateRef SrcState = state;
795 for (const ExplodedNode *N = Pred ; N ; N = *N->pred_begin()) {
796 ProgramPoint PP = N->getLocation();
797 if (PP.getAs<PreStmtPurgeDeadSymbols>() || PP.getAs<BlockEntrance>()) {
798 // If the state N has multiple predecessors P, it means that successors
799 // of P are all equivalent.
800 // In turn, that means that all nodes at P are equivalent in terms
801 // of observable behavior at N, and we can follow any of them.
802 // FIXME: a more robust solution which does not walk up the tree.
803 continue;
804 }
805 SrcBlock = PP.castAs<BlockEdge>().getSrc();
806 SrcState = N->getState();
807 break;
808 }
809
810 assert(SrcBlock && "missing function entry");
811
812 // Find the last expression in the predecessor block. That is the
813 // expression that is used for the value of the ternary expression.
814 bool hasValue = false;
815 SVal V;
816
817 for (CFGElement CE : llvm::reverse(*SrcBlock)) {
818 if (std::optional<CFGStmt> CS = CE.getAs<CFGStmt>()) {
819 const Expr *ValEx = cast<Expr>(CS->getStmt());
820 ValEx = ValEx->IgnoreParens();
821
822 // For GNU extension '?:' operator, the left hand side will be an
823 // OpaqueValueExpr, so get the underlying expression.
824 if (const OpaqueValueExpr *OpaqueEx = dyn_cast<OpaqueValueExpr>(L))
825 L = OpaqueEx->getSourceExpr();
826
827 // If the last expression in the predecessor block matches true or false
828 // subexpression, get its the value.
829 if (ValEx == L->IgnoreParens() || ValEx == R->IgnoreParens()) {
830 hasValue = true;
831 V = SrcState->getSVal(ValEx, LCtx);
832 }
833 break;
834 }
835 }
836
837 if (!hasValue)
838 V = svalBuilder.conjureSymbolVal(nullptr, Ex, LCtx,
839 currBldrCtx->blockCount());
840
841 // Generate a new node with the binding from the appropriate path.
842 B.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V, true));
843 }
844
845 void ExprEngine::
846 VisitOffsetOfExpr(const OffsetOfExpr *OOE,
847 ExplodedNode *Pred, ExplodedNodeSet &Dst) {
848 StmtNodeBuilder B(Pred, Dst, *currBldrCtx);
849 Expr::EvalResult Result;
850 if (OOE->EvaluateAsInt(Result, getContext())) {
851 APSInt IV = Result.Val.getInt();
852 assert(IV.getBitWidth() == getContext().getTypeSize(OOE->getType()));
853 assert(OOE->getType()->castAs<BuiltinType>()->isInteger());
854 assert(IV.isSigned() == OOE->getType()->isSignedIntegerType());
855 SVal X = svalBuilder.makeIntVal(IV);
856 B.generateNode(OOE, Pred,
857 Pred->getState()->BindExpr(OOE, Pred->getLocationContext(),
858 X));
859 }
860 // FIXME: Handle the case where __builtin_offsetof is not a constant.
861 }
862
863
864 void ExprEngine::
865 VisitUnaryExprOrTypeTraitExpr(const UnaryExprOrTypeTraitExpr *Ex,
866 ExplodedNode *Pred,
867 ExplodedNodeSet &Dst) {
868 // FIXME: Prechecks eventually go in ::Visit().
869 ExplodedNodeSet CheckedSet;
870 getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, Ex, *this);
871
872 ExplodedNodeSet EvalSet;
873 StmtNodeBuilder Bldr(CheckedSet, EvalSet, *currBldrCtx);
874
875 QualType T = Ex->getTypeOfArgument();
876
877 for (ExplodedNode *N : CheckedSet) {
878 if (Ex->getKind() == UETT_SizeOf) {
879 if (!T->isIncompleteType() && !T->isConstantSizeType()) {
880 assert(T->isVariableArrayType() && "Unknown non-constant-sized type.");
881
882 // FIXME: Add support for VLA type arguments and VLA expressions.
883 // When that happens, we should probably refactor VLASizeChecker's code.
884 continue;
885 } else if (T->getAs<ObjCObjectType>()) {
886 // Some code tries to take the sizeof an ObjCObjectType, relying that
887 // the compiler has laid out its representation. Just report Unknown
888 // for these.
889 continue;
890 }
891 }
892
893 APSInt Value = Ex->EvaluateKnownConstInt(getContext());
894 CharUnits amt = CharUnits::fromQuantity(Value.getZExtValue());
895
896 ProgramStateRef state = N->getState();
897 state = state->BindExpr(
898 Ex, N->getLocationContext(),
899 svalBuilder.makeIntVal(amt.getQuantity(), Ex->getType()));
900 Bldr.generateNode(Ex, N, state);
901 }
902
903 getCheckerManager().runCheckersForPostStmt(Dst, EvalSet, Ex, *this);
904 }
905
906 void ExprEngine::handleUOExtension(ExplodedNode *N, const UnaryOperator *U,
907 StmtNodeBuilder &Bldr) {
908 // FIXME: We can probably just have some magic in Environment::getSVal()
909 // that propagates values, instead of creating a new node here.
910 //
911 // Unary "+" is a no-op, similar to a parentheses. We still have places
912 // where it may be a block-level expression, so we need to
913 // generate an extra node that just propagates the value of the
914 // subexpression.
915 const Expr *Ex = U->getSubExpr()->IgnoreParens();
916 ProgramStateRef state = N->getState();
917 const LocationContext *LCtx = N->getLocationContext();
918 Bldr.generateNode(U, N, state->BindExpr(U, LCtx, state->getSVal(Ex, LCtx)));
919 }
920
921 void ExprEngine::VisitUnaryOperator(const UnaryOperator* U, ExplodedNode *Pred,
922 ExplodedNodeSet &Dst) {
923 // FIXME: Prechecks eventually go in ::Visit().
924 ExplodedNodeSet CheckedSet;
925 getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, U, *this);
926
927 ExplodedNodeSet EvalSet;
928 StmtNodeBuilder Bldr(CheckedSet, EvalSet, *currBldrCtx);
929
930 for (ExplodedNode *N : CheckedSet) {
931 switch (U->getOpcode()) {
932 default: {
933 Bldr.takeNodes(N);
934 ExplodedNodeSet Tmp;
935 VisitIncrementDecrementOperator(U, N, Tmp);
936 Bldr.addNodes(Tmp);
937 break;
938 }
939 case UO_Real: {
940 const Expr *Ex = U->getSubExpr()->IgnoreParens();
941
942 // FIXME: We don't have complex SValues yet.
943 if (Ex->getType()->isAnyComplexType()) {
944 // Just report "Unknown."
945 break;
946 }
947
948 // For all other types, UO_Real is an identity operation.
949 assert (U->getType() == Ex->getType());
950 ProgramStateRef state = N->getState();
951 const LocationContext *LCtx = N->getLocationContext();
952 Bldr.generateNode(U, N,
953 state->BindExpr(U, LCtx, state->getSVal(Ex, LCtx)));
954 break;
955 }
956
957 case UO_Imag: {
958 const Expr *Ex = U->getSubExpr()->IgnoreParens();
959 // FIXME: We don't have complex SValues yet.
960 if (Ex->getType()->isAnyComplexType()) {
961 // Just report "Unknown."
962 break;
963 }
964 // For all other types, UO_Imag returns 0.
965 ProgramStateRef state = N->getState();
966 const LocationContext *LCtx = N->getLocationContext();
967 SVal X = svalBuilder.makeZeroVal(Ex->getType());
968 Bldr.generateNode(U, N, state->BindExpr(U, LCtx, X));
969 break;
970 }
971
972 case UO_AddrOf: {
973 // Process pointer-to-member address operation.
974 const Expr *Ex = U->getSubExpr()->IgnoreParens();
975 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(Ex)) {
976 const ValueDecl *VD = DRE->getDecl();
977
978 if (isa<CXXMethodDecl, FieldDecl, IndirectFieldDecl>(VD)) {
979 ProgramStateRef State = N->getState();
980 const LocationContext *LCtx = N->getLocationContext();
981 SVal SV = svalBuilder.getMemberPointer(cast<NamedDecl>(VD));
982 Bldr.generateNode(U, N, State->BindExpr(U, LCtx, SV));
983 break;
984 }
985 }
986 // Explicitly proceed with default handler for this case cascade.
987 handleUOExtension(N, U, Bldr);
988 break;
989 }
990 case UO_Plus:
991 assert(!U->isGLValue());
992 [[fallthrough]];
993 case UO_Deref:
994 case UO_Extension: {
995 handleUOExtension(N, U, Bldr);
996 break;
997 }
998
999 case UO_LNot:
1000 case UO_Minus:
1001 case UO_Not: {
1002 assert (!U->isGLValue());
1003 const Expr *Ex = U->getSubExpr()->IgnoreParens();
1004 ProgramStateRef state = N->getState();
1005 const LocationContext *LCtx = N->getLocationContext();
1006
1007 // Get the value of the subexpression.
1008 SVal V = state->getSVal(Ex, LCtx);
1009
1010 if (V.isUnknownOrUndef()) {
1011 Bldr.generateNode(U, N, state->BindExpr(U, LCtx, V));
1012 break;
1013 }
1014
1015 switch (U->getOpcode()) {
1016 default:
1017 llvm_unreachable("Invalid Opcode.");
1018 case UO_Not:
1019 // FIXME: Do we need to handle promotions?
1020 state = state->BindExpr(
1021 U, LCtx, svalBuilder.evalComplement(V.castAs<NonLoc>()));
1022 break;
1023 case UO_Minus:
1024 // FIXME: Do we need to handle promotions?
1025 state = state->BindExpr(U, LCtx,
1026 svalBuilder.evalMinus(V.castAs<NonLoc>()));
1027 break;
1028 case UO_LNot:
1029 // C99 6.5.3.3: "The expression !E is equivalent to (0==E)."
1030 //
1031 // Note: technically we do "E == 0", but this is the same in the
1032 // transfer functions as "0 == E".
1033 SVal Result;
1034 if (std::optional<Loc> LV = V.getAs<Loc>()) {
1035 Loc X = svalBuilder.makeNullWithType(Ex->getType());
1036 Result = evalBinOp(state, BO_EQ, *LV, X, U->getType());
1037 } else if (Ex->getType()->isFloatingType()) {
1038 // FIXME: handle floating point types.
1039 Result = UnknownVal();
1040 } else {
1041 nonloc::ConcreteInt X(getBasicVals().getValue(0, Ex->getType()));
1042 Result = evalBinOp(state, BO_EQ, V.castAs<NonLoc>(), X, U->getType());
1043 }
1044
1045 state = state->BindExpr(U, LCtx, Result);
1046 break;
1047 }
1048 Bldr.generateNode(U, N, state);
1049 break;
1050 }
1051 }
1052 }
1053
1054 getCheckerManager().runCheckersForPostStmt(Dst, EvalSet, U, *this);
1055 }
1056
1057 void ExprEngine::VisitIncrementDecrementOperator(const UnaryOperator* U,
1058 ExplodedNode *Pred,
1059 ExplodedNodeSet &Dst) {
1060 // Handle ++ and -- (both pre- and post-increment).
1061 assert (U->isIncrementDecrementOp());
1062 const Expr *Ex = U->getSubExpr()->IgnoreParens();
1063
1064 const LocationContext *LCtx = Pred->getLocationContext();
1065 ProgramStateRef state = Pred->getState();
1066 SVal loc = state->getSVal(Ex, LCtx);
1067
1068 // Perform a load.
1069 ExplodedNodeSet Tmp;
1070 evalLoad(Tmp, U, Ex, Pred, state, loc);
1071
1072 ExplodedNodeSet Dst2;
1073 StmtNodeBuilder Bldr(Tmp, Dst2, *currBldrCtx);
1074 for (ExplodedNode *N : Tmp) {
1075 state = N->getState();
1076 assert(LCtx == N->getLocationContext());
1077 SVal V2_untested = state->getSVal(Ex, LCtx);
1078
1079 // Propagate unknown and undefined values.
1080 if (V2_untested.isUnknownOrUndef()) {
1081 state = state->BindExpr(U, LCtx, V2_untested);
1082
1083 // Perform the store, so that the uninitialized value detection happens.
1084 Bldr.takeNodes(N);
1085 ExplodedNodeSet Dst3;
1086 evalStore(Dst3, U, Ex, N, state, loc, V2_untested);
1087 Bldr.addNodes(Dst3);
1088
1089 continue;
1090 }
1091 DefinedSVal V2 = V2_untested.castAs<DefinedSVal>();
1092
1093 // Handle all other values.
1094 BinaryOperator::Opcode Op = U->isIncrementOp() ? BO_Add : BO_Sub;
1095
1096 // If the UnaryOperator has non-location type, use its type to create the
1097 // constant value. If the UnaryOperator has location type, create the
1098 // constant with int type and pointer width.
1099 SVal RHS;
1100 SVal Result;
1101
1102 if (U->getType()->isAnyPointerType())
1103 RHS = svalBuilder.makeArrayIndex(1);
1104 else if (U->getType()->isIntegralOrEnumerationType())
1105 RHS = svalBuilder.makeIntVal(1, U->getType());
1106 else
1107 RHS = UnknownVal();
1108
1109 // The use of an operand of type bool with the ++ operators is deprecated
1110 // but valid until C++17. And if the operand of the ++ operator is of type
1111 // bool, it is set to true until C++17. Note that for '_Bool', it is also
1112 // set to true when it encounters ++ operator.
1113 if (U->getType()->isBooleanType() && U->isIncrementOp())
1114 Result = svalBuilder.makeTruthVal(true, U->getType());
1115 else
1116 Result = evalBinOp(state, Op, V2, RHS, U->getType());
1117
1118 // Conjure a new symbol if necessary to recover precision.
1119 if (Result.isUnknown()){
1120 DefinedOrUnknownSVal SymVal =
1121 svalBuilder.conjureSymbolVal(nullptr, U, LCtx,
1122 currBldrCtx->blockCount());
1123 Result = SymVal;
1124
1125 // If the value is a location, ++/-- should always preserve
1126 // non-nullness. Check if the original value was non-null, and if so
1127 // propagate that constraint.
1128 if (Loc::isLocType(U->getType())) {
1129 DefinedOrUnknownSVal Constraint =
1130 svalBuilder.evalEQ(state, V2,svalBuilder.makeZeroVal(U->getType()));
1131
1132 if (!state->assume(Constraint, true)) {
1133 // It isn't feasible for the original value to be null.
1134 // Propagate this constraint.
1135 Constraint = svalBuilder.evalEQ(state, SymVal,
1136 svalBuilder.makeZeroVal(U->getType()));
1137
1138 state = state->assume(Constraint, false);
1139 assert(state);
1140 }
1141 }
1142 }
1143
1144 // Since the lvalue-to-rvalue conversion is explicit in the AST,
1145 // we bind an l-value if the operator is prefix and an lvalue (in C++).
1146 if (U->isGLValue())
1147 state = state->BindExpr(U, LCtx, loc);
1148 else
1149 state = state->BindExpr(U, LCtx, U->isPostfix() ? V2 : Result);
1150
1151 // Perform the store.
1152 Bldr.takeNodes(N);
1153 ExplodedNodeSet Dst3;
1154 evalStore(Dst3, U, Ex, N, state, loc, Result);
1155 Bldr.addNodes(Dst3);
1156 }
1157 Dst.insert(Dst2);
1158 }
LLVM monorepo