void UndefBranchChecker::checkBranchCondition(const Stmt *Condition,
BranchNodeBuilder &Builder,
ExprEngine &Eng) const {
const GRState *state = Builder.getState();
SVal X = state->getSVal(Condition);
if (X.isUndef()) {
ExplodedNode *N = Builder.generateNode(state, true);
if (N) {
N->markAsSink();
if (!BT)
BT.reset(
new BuiltinBug("Branch condition evaluates to a garbage value"));
// What's going on here: we want to highlight the subexpression of the
// condition that is the most likely source of the "uninitialized
// branch condition." We do a recursive walk of the condition's
// subexpressions and roughly look for the most nested subexpression
// that binds to Undefined. We then highlight that expression's range.
BlockEdge B = cast<BlockEdge>(N->getLocation());
const Expr* Ex = cast<Expr>(B.getSrc()->getTerminatorCondition());
assert (Ex && "Block must have a terminator.");
// Get the predecessor node and check if is a PostStmt with the Stmt
// being the terminator condition. We want to inspect the state
// of that node instead because it will contain main information about
// the subexpressions.
assert (!N->pred_empty());
// Note: any predecessor will do. They should have identical state,
// since all the BlockEdge did was act as an error sink since the value
// had to already be undefined.
ExplodedNode *PrevN = *N->pred_begin();
ProgramPoint P = PrevN->getLocation();
const GRState* St = N->getState();
if (PostStmt* PS = dyn_cast<PostStmt>(&P))
if (PS->getStmt() == Ex)
St = PrevN->getState();
FindUndefExpr FindIt(Eng.getStateManager(), St);
Ex = FindIt.FindExpr(Ex);
// Emit the bug report.
EnhancedBugReport *R = new EnhancedBugReport(*BT, BT->getDescription(),N);
R->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, Ex);
R->addRange(Ex->getSourceRange());
Eng.getBugReporter().EmitReport(R);
}
Builder.markInfeasible(true);
Builder.markInfeasible(false);
}
}
ExplodedNode *StmtNodeBuilder::MakeNode(ExplodedNodeSet &Dst,
const Stmt *S,
ExplodedNode *Pred,
const ProgramState *St,
ProgramPoint::Kind K) {
ExplodedNode *N = generateNode(S, St, Pred, K);
if (N) {
if (BuildSinks)
N->markAsSink();
else
Dst.Add(N);
}
return N;
}
ExplodedNode *
GenericNodeBuilderImpl::generateNodeImpl(const ProgramState *state,
ExplodedNode *pred,
ProgramPoint programPoint,
bool asSink) {
hasGeneratedNode = true;
bool isNew;
ExplodedNode *node = engine.getGraph().getNode(programPoint, state, &isNew);
if (pred)
node->addPredecessor(pred, engine.getGraph());
if (isNew) {
if (asSink) {
node->markAsSink();
sinksGenerated.push_back(node);
}
return node;
}
return 0;
}
ExplodedNode*
GRIndirectGotoNodeBuilder::generateNode(const iterator& I, const GRState* St,
bool isSink) {
bool IsNew;
ExplodedNode* Succ = Eng.G->getNode(BlockEdge(Src, I.getBlock(),
Pred->getLocationContext()), St, &IsNew);
Succ->addPredecessor(Pred, *Eng.G);
if (IsNew) {
if (isSink)
Succ->markAsSink();
else
Eng.WList->Enqueue(Succ);
return Succ;
}
return NULL;
}
ExplodedNode*
GRSwitchNodeBuilder::generateDefaultCaseNode(const GRState* St, bool isSink) {
// Get the block for the default case.
assert (Src->succ_rbegin() != Src->succ_rend());
CFGBlock* DefaultBlock = *Src->succ_rbegin();
bool IsNew;
ExplodedNode* Succ = Eng.G->getNode(BlockEdge(Src, DefaultBlock,
Pred->getLocationContext()), St, &IsNew);
Succ->addPredecessor(Pred, *Eng.G);
if (IsNew) {
if (isSink)
Succ->markAsSink();
else
Eng.WList->Enqueue(Succ);
return Succ;
}
return NULL;
}
ExplodedGraph*
ExplodedGraph::TrimInternal(const ExplodedNode* const* BeginSources,
const ExplodedNode* const* EndSources,
InterExplodedGraphMap* M,
llvm::DenseMap<const void*, const void*> *InverseMap) const {
typedef llvm::DenseSet<const ExplodedNode*> Pass1Ty;
Pass1Ty Pass1;
typedef llvm::DenseMap<const ExplodedNode*, ExplodedNode*> Pass2Ty;
Pass2Ty& Pass2 = M->M;
SmallVector<const ExplodedNode*, 10> WL1, WL2;
// ===- Pass 1 (reverse DFS) -===
for (const ExplodedNode* const* I = BeginSources; I != EndSources; ++I) {
assert(*I);
WL1.push_back(*I);
}
// Process the first worklist until it is empty. Because it is a std::list
// it acts like a FIFO queue.
while (!WL1.empty()) {
const ExplodedNode *N = WL1.back();
WL1.pop_back();
// Have we already visited this node? If so, continue to the next one.
if (Pass1.count(N))
continue;
// Otherwise, mark this node as visited.
Pass1.insert(N);
// If this is a root enqueue it to the second worklist.
if (N->Preds.empty()) {
WL2.push_back(N);
continue;
}
// Visit our predecessors and enqueue them.
for (ExplodedNode** I=N->Preds.begin(), **E=N->Preds.end(); I!=E; ++I)
WL1.push_back(*I);
}
// We didn't hit a root? Return with a null pointer for the new graph.
if (WL2.empty())
return 0;
// Create an empty graph.
ExplodedGraph* G = MakeEmptyGraph();
// ===- Pass 2 (forward DFS to construct the new graph) -===
while (!WL2.empty()) {
const ExplodedNode *N = WL2.back();
WL2.pop_back();
// Skip this node if we have already processed it.
if (Pass2.find(N) != Pass2.end())
continue;
// Create the corresponding node in the new graph and record the mapping
// from the old node to the new node.
ExplodedNode *NewN = G->getNode(N->getLocation(), N->State, NULL);
Pass2[N] = NewN;
// Also record the reverse mapping from the new node to the old node.
if (InverseMap) (*InverseMap)[NewN] = N;
// If this node is a root, designate it as such in the graph.
if (N->Preds.empty())
G->addRoot(NewN);
// In the case that some of the intended predecessors of NewN have already
// been created, we should hook them up as predecessors.
// Walk through the predecessors of 'N' and hook up their corresponding
// nodes in the new graph (if any) to the freshly created node.
for (ExplodedNode **I=N->Preds.begin(), **E=N->Preds.end(); I!=E; ++I) {
Pass2Ty::iterator PI = Pass2.find(*I);
if (PI == Pass2.end())
continue;
NewN->addPredecessor(PI->second, *G);
}
// In the case that some of the intended successors of NewN have already
// been created, we should hook them up as successors. Otherwise, enqueue
// the new nodes from the original graph that should have nodes created
// in the new graph.
for (ExplodedNode **I=N->Succs.begin(), **E=N->Succs.end(); I!=E; ++I) {
Pass2Ty::iterator PI = Pass2.find(*I);
if (PI != Pass2.end()) {
PI->second->addPredecessor(NewN, *G);
continue;
}
// Enqueue nodes to the worklist that were marked during pass 1.
if (Pass1.count(*I))
WL2.push_back(*I);
}
// Finally, explicitly mark all nodes without any successors as sinks.
if (N->isSink())
NewN->markAsSink();
}
return G;
}