Rework ExprEngine::processCFGBlockEntrance()

author Ted Kremenek <kremenek@apple.com>

Tue, 11 Jan 2011 06:37:47 +0000 (06:37 +0000)

committer Ted Kremenek <kremenek@apple.com>

Tue, 11 Jan 2011 06:37:47 +0000 (06:37 +0000)
author Ted Kremenek <kremenek@apple.com>
Tue, 11 Jan 2011 06:37:47 +0000 (06:37 +0000)
committer Ted Kremenek <kremenek@apple.com>
Tue, 11 Jan 2011 06:37:47 +0000 (06:37 +0000)
diff --git a/include/clang/StaticAnalyzer/PathSensitive/CoreEngine.h b/include/clang/StaticAnalyzer/PathSensitive/CoreEngine.h

index 08a3660cd62ff086693a5eb12947317d70787f92..44a321c2f73ed2779ba90ae0a41672cf7918ade8 100644 (file)
--- a/include/clang/StaticAnalyzer/PathSensitive/CoreEngine.h
+++ b/include/clang/StaticAnalyzer/PathSensitive/CoreEngine.h
@@ -37,6 +37,7 @@ namespace ento {
  ///   any transfer function logic and the sub-expression level (if any).
  class CoreEngine {
    friend class StmtNodeBuilder;
+  friend class GenericNodeBuilderImpl;
    friend class BranchNodeBuilder;
    friend class IndirectGotoNodeBuilder;
    friend class SwitchNodeBuilder;
@@ -397,6 +398,50 @@ public:
    const GRState* getState() const { return Pred->State; }
  };
  
+class GenericNodeBuilderImpl {
+protected:
+  CoreEngine &engine;
+  ExplodedNode *pred;
+  bool HasGeneratedNode;
+  ProgramPoint pp;
+  llvm::SmallVector<ExplodedNode*, 2> sinksGenerated;  
+
+  ExplodedNode *generateNodeImpl(const GRState *state, ExplodedNode *pred,
+                                 ProgramPoint programPoint, bool asSink);
+
+  GenericNodeBuilderImpl(CoreEngine &eng, ExplodedNode *pr, ProgramPoint p)
+    : engine(eng), pred(pr), HasGeneratedNode(false), pp(p) {}
+
+public:
+  bool hasGeneratedNode() const { return HasGeneratedNode; }
+  
+  WorkList &getWorkList() { return *engine.WList; }
+  
+  ExplodedNode* getPredecessor() const { return pred; }
+  
+  BlockCounter getBlockCounter() const {
+    return engine.WList->getBlockCounter();
+  }
+  
+  const llvm::SmallVectorImpl<ExplodedNode*> &sinks() const {
+    return sinksGenerated;
+  }
+};
+
+template <typename PP>
+class GenericNodeBuilder : public GenericNodeBuilderImpl {
+public:
+  GenericNodeBuilder(CoreEngine &eng, ExplodedNode *pr, const PP &p)
+    : GenericNodeBuilderImpl(eng, pr, p) {}
+
+  ExplodedNode *generateNode(const GRState *state, ExplodedNode *pred,
+                             PP programPoint, bool asSink) {
+    return generateNodeImpl(state, pred, programPoint, asSink);
+  }
+  
+  const PP &getProgramPoint() const { return cast<PP>(pp); }
+};
+
  class EndOfFunctionNodeBuilder {
    CoreEngine &Eng;
    const CFGBlock& B;
diff --git a/include/clang/StaticAnalyzer/PathSensitive/ExprEngine.h b/include/clang/StaticAnalyzer/PathSensitive/ExprEngine.h

index 2991cc7864de6fcdb0d89db19ba9233524feebda..747c8ebb2a3b9e3ea10086dd9bbbc3e68b3616ba 100644 (file)
--- a/include/clang/StaticAnalyzer/PathSensitive/ExprEngine.h
+++ b/include/clang/StaticAnalyzer/PathSensitive/ExprEngine.h
@@ -193,12 +193,10 @@ public:
    void ProcessTemporaryDtor(const CFGTemporaryDtor D, 
                              StmtNodeBuilder &builder);
  
-  /// processCFGBlockEntrance - Called by CoreEngine when start processing
-  ///  a CFGBlock.  This method returns true if the analysis should continue
-  ///  exploring the given path, and false otherwise.
-  bool processCFGBlockEntrance(const CFGBlock* B, const ExplodedNode *Pred,
-                            BlockCounter BC);
-
+  /// Called by CoreEngine when processing the entrance of a CFGBlock.
+  virtual void processCFGBlockEntrance(ExplodedNodeSet &dstNodes,
+                                GenericNodeBuilder<BlockEntrance> &nodeBuilder);
+  
    /// ProcessBranch - Called by CoreEngine.  Used to generate successor
    ///  nodes by processing the 'effects' of a branch condition.
    void processBranch(const Stmt* Condition, const Stmt* Term, 
diff --git a/include/clang/StaticAnalyzer/PathSensitive/SubEngine.h b/include/clang/StaticAnalyzer/PathSensitive/SubEngine.h

index d82e19a707690b63ee25478bbfcbde1e87dc4b8e..caf5b389ac96bb6bc0cc24ebbcbd0588d8241130 100644 (file)
--- a/include/clang/StaticAnalyzer/PathSensitive/SubEngine.h
+++ b/include/clang/StaticAnalyzer/PathSensitive/SubEngine.h
@@ -13,6 +13,7 @@
  #ifndef LLVM_CLANG_GR_SUBENGINE_H
  #define LLVM_CLANG_GR_SUBENGINE_H
  
+#include "clang/Analysis/ProgramPoint.h"
  #include "clang/StaticAnalyzer/PathSensitive/SVals.h"
  
  namespace clang {
@@ -23,8 +24,10 @@ class LocationContext;
  class Stmt;
  
  namespace ento {
-
+  
+template <typename PP> class GenericNodeBuilder;
  class AnalysisManager;
+class ExplodedNodeSet;
  class ExplodedNode;
  class GRState;
  class GRStateManager;
@@ -52,12 +55,11 @@ public:
    /// nodes by processing the 'effects' of a block-level statement.
    virtual void processCFGElement(const CFGElement E, StmtNodeBuilder& builder)=0;
  
-  /// Called by CoreEngine when start processing
-  /// a CFGBlock.  This method returns true if the analysis should continue
-  /// exploring the given path, and false otherwise.
-  virtual bool processCFGBlockEntrance(const CFGBlock* B,
-                                       const ExplodedNode *Pred,
-                                       BlockCounter BC) = 0;
+  /// Called by CoreEngine when it starts processing a CFGBlock.  The
+  /// SubEngine is expected to populate dstNodes with new nodes representing
+  /// updated analysis state, or generate no nodes at all if it doesn't.
+  virtual void processCFGBlockEntrance(ExplodedNodeSet &dstNodes,
+                            GenericNodeBuilder<BlockEntrance> &nodeBuilder) = 0;
  
    /// Called by CoreEngine.  Used to generate successor
    ///  nodes by processing the 'effects' of a branch condition.
diff --git a/lib/StaticAnalyzer/Checkers/ExprEngine.cpp b/lib/StaticAnalyzer/Checkers/ExprEngine.cpp

index 5dd5d72a4c0637765e5f5ed747d15fe4b34301c7..e6d9d715d4384aa484afeca7a73e99a0c00ded6e 100644 (file)
--- a/lib/StaticAnalyzer/Checkers/ExprEngine.cpp
+++ b/lib/StaticAnalyzer/Checkers/ExprEngine.cpp
@@ -1077,11 +1077,22 @@ void ExprEngine::Visit(const Stmt* S, ExplodedNode* Pred,
  // Block entrance.  (Update counters).
  //===----------------------------------------------------------------------===//
  
-bool ExprEngine::processCFGBlockEntrance(const CFGBlock* B, 
-                                        const ExplodedNode *Pred,
-                                        BlockCounter BC) {
-  return BC.getNumVisited(Pred->getLocationContext()->getCurrentStackFrame(), 
-                          B->getBlockID()) < AMgr.getMaxVisit();
+void ExprEngine::processCFGBlockEntrance(ExplodedNodeSet &dstNodes,
+                               GenericNodeBuilder<BlockEntrance> &nodeBuilder){
+  
+  // FIXME: Refactor this into a checker.
+  const CFGBlock *block = nodeBuilder.getProgramPoint().getBlock();
+  ExplodedNode *pred = nodeBuilder.getPredecessor();
+  
+  if (nodeBuilder.getBlockCounter().getNumVisited(
+                       pred->getLocationContext()->getCurrentStackFrame(), 
+                       block->getBlockID()) >= AMgr.getMaxVisit()) {
+
+    static int tag = 0;
+    const BlockEntrance &BE = nodeBuilder.getProgramPoint();
+    BlockEntrance BE_tagged(BE.getBlock(), BE.getLocationContext(), &tag);
+    nodeBuilder.generateNode(pred->getState(), pred, BE_tagged, true);
+  }
  }
  
  //===----------------------------------------------------------------------===//
diff --git a/lib/StaticAnalyzer/CoreEngine.cpp b/lib/StaticAnalyzer/CoreEngine.cpp

index d5158ad1689ce634f59bb9c1fc852e687f5ee365..9ccc4472f4feee30274d1e52ee2bd377ac570b54 100644 (file)
--- a/lib/StaticAnalyzer/CoreEngine.cpp
+++ b/lib/StaticAnalyzer/CoreEngine.cpp
@@ -288,13 +288,29 @@ void CoreEngine::HandleBlockEdge(const BlockEdge& L, ExplodedNode* Pred) {
      return;
    }
  
-  // FIXME: Should we allow processCFGBlockEntrance to also manipulate state?
-
-  if (SubEng.processCFGBlockEntrance(Blk, Pred, WList->getBlockCounter()))
-    generateNode(BlockEntrance(Blk, Pred->getLocationContext()),
-                 Pred->State, Pred);
+  // Call into the subengine to process entering the CFGBlock.
+  ExplodedNodeSet dstNodes;
+  BlockEntrance BE(Blk, Pred->getLocationContext());
+  GenericNodeBuilder<BlockEntrance> nodeBuilder(*this, Pred, BE);
+  SubEng.processCFGBlockEntrance(dstNodes, nodeBuilder);
+
+  if (dstNodes.empty()) {
+    if (!nodeBuilder.hasGeneratedNode()) {
+      // Auto-generate a node and enqueue it to the worklist.
+      generateNode(BE, Pred->State, Pred);    
+    }
+  }
    else {
-    blocksAborted.push_back(std::make_pair(L, Pred));
+    for (ExplodedNodeSet::iterator I = dstNodes.begin(), E = dstNodes.end();
+         I != E; ++I) {
+      WList->enqueue(*I);
+    }
+  }
+
+  for (llvm::SmallVectorImpl<ExplodedNode*>::const_iterator
+       I = nodeBuilder.sinks().begin(), E = nodeBuilder.sinks().end();
+       I != E; ++I) {
+    blocksAborted.push_back(std::make_pair(L, *I));
    }
  }
  
@@ -446,6 +462,27 @@ void CoreEngine::generateNode(const ProgramPoint& Loc,
    if (IsNew) WList->enqueue(Node);
  }
  
+ExplodedNode *
+GenericNodeBuilderImpl::generateNodeImpl(const GRState *state,
+                                         ExplodedNode *pred,
+                                         ProgramPoint programPoint,
+                                         bool asSink) {
+  
+  HasGeneratedNode = true;
+  bool isNew;
+  ExplodedNode *node = engine.getGraph().getNode(programPoint, state, &isNew);
+  if (pred)
+    node->addPredecessor(pred, engine.getGraph());
+  if (isNew) {
+    if (asSink) {
+      node->markAsSink();
+      sinksGenerated.push_back(node);
+    }
+    return node;
+  }
+  return 0;
+}
+
  StmtNodeBuilder::StmtNodeBuilder(const CFGBlock* b, unsigned idx,
                                       ExplodedNode* N, CoreEngine* e,
                                       GRStateManager &mgr)
diff --git a/test/Analysis/retain-release-region-store.m b/test/Analysis/retain-release-region-store.m

index 7b9855473dce9aa666eda4d678ebcb8c5e264a6f..05b91fcf5c567e60d373d855a8c85f47c4e00dec 100644 (file)
--- a/test/Analysis/retain-release-region-store.m
+++ b/test/Analysis/retain-release-region-store.m
@@ -1,4 +1,4 @@
-// RUN: %clang_cc1 -analyze -analyzer-check-objc-mem -analyzer-store=region -verify %s
+// RUN: %clang_cc1 -analyze -analyzer-check-objc-mem -analyzer-store=region -analyzer-max-loop 6 -verify %s
  
  //===----------------------------------------------------------------------===//
  // The following code is reduced using delta-debugging from
author	Ted Kremenek <kremenek@apple.com>
	Tue, 11 Jan 2011 06:37:47 +0000 (06:37 +0000)
committer	Ted Kremenek <kremenek@apple.com>
	Tue, 11 Jan 2011 06:37:47 +0000 (06:37 +0000)
include/clang/StaticAnalyzer/PathSensitive/CoreEngine.h		patch \| blob \| history
include/clang/StaticAnalyzer/PathSensitive/ExprEngine.h		patch \| blob \| history
include/clang/StaticAnalyzer/PathSensitive/SubEngine.h		patch \| blob \| history
lib/StaticAnalyzer/Checkers/ExprEngine.cpp		patch \| blob \| history
lib/StaticAnalyzer/CoreEngine.cpp		patch \| blob \| history
test/Analysis/retain-release-region-store.m		patch \| blob \| history