xref: /llvm-project/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp (revision ed8c05cc99c3b21ca0667908881df6b10eebc5b5) 
1 //===- CheckerManager.cpp - Static Analyzer Checker Manager ---------------===//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // Defines the Static Analyzer Checker Manager.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
15 #include "clang/AST/DeclBase.h"
16 #include "clang/AST/Stmt.h"
17 #include "clang/Analysis/ProgramPoint.h"
18 #include "clang/Basic/LLVM.h"
19 #include "clang/StaticAnalyzer/Core/Checker.h"
20 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
21 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
22 #include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h"
23 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
24 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
25 #include "llvm/ADT/SmallVector.h"
26 #include "llvm/Support/Casting.h"
27 #include "llvm/Support/ErrorHandling.h"
28 #include <cassert>
29 #include <vector>
30 
31 using namespace clang;
32 using namespace ento;
33 
34 bool CheckerManager::hasPathSensitiveCheckers() const {
35   return !StmtCheckers.empty()              ||
36          !PreObjCMessageCheckers.empty()    ||
37          !PostObjCMessageCheckers.empty()   ||
38          !PreCallCheckers.empty()    ||
39          !PostCallCheckers.empty()   ||
40          !LocationCheckers.empty()          ||
41          !BindCheckers.empty()              ||
42          !EndAnalysisCheckers.empty()       ||
43          !EndFunctionCheckers.empty()           ||
44          !BranchConditionCheckers.empty()   ||
45          !LiveSymbolsCheckers.empty()       ||
46          !DeadSymbolsCheckers.empty()       ||
47          !RegionChangesCheckers.empty()     ||
48          !EvalAssumeCheckers.empty()        ||
49          !EvalCallCheckers.empty();
50 }
51 
52 void CheckerManager::finishedCheckerRegistration() {
53 #ifndef NDEBUG
54   // Make sure that for every event that has listeners, there is at least
55   // one dispatcher registered for it.
56   for (const auto &Event : Events)
57     assert(Event.second.HasDispatcher &&
58            "No dispatcher registered for an event");
59 #endif
60 }
61 
62 //===----------------------------------------------------------------------===//
63 // Functions for running checkers for AST traversing..
64 //===----------------------------------------------------------------------===//
65 
66 void CheckerManager::runCheckersOnASTDecl(const Decl *D, AnalysisManager& mgr,
67                                           BugReporter &BR) {
68   assert(D);
69 
70   unsigned DeclKind = D->getKind();
71   CachedDeclCheckers *checkers = nullptr;
72   CachedDeclCheckersMapTy::iterator CCI = CachedDeclCheckersMap.find(DeclKind);
73   if (CCI != CachedDeclCheckersMap.end()) {
74     checkers = &(CCI->second);
75   } else {
76     // Find the checkers that should run for this Decl and cache them.
77     checkers = &CachedDeclCheckersMap[DeclKind];
78     for (const auto &info : DeclCheckers)
79       if (info.IsForDeclFn(D))
80         checkers->push_back(info.CheckFn);
81   }
82 
83   assert(checkers);
84   for (const auto checker : *checkers)
85     checker(D, mgr, BR);
86 }
87 
88 void CheckerManager::runCheckersOnASTBody(const Decl *D, AnalysisManager& mgr,
89                                           BugReporter &BR) {
90   assert(D && D->hasBody());
91 
92   for (const auto BodyChecker : BodyCheckers)
93     BodyChecker(D, mgr, BR);
94 }
95 
96 //===----------------------------------------------------------------------===//
97 // Functions for running checkers for path-sensitive checking.
98 //===----------------------------------------------------------------------===//
99 
100 template <typename CHECK_CTX>
101 static void expandGraphWithCheckers(CHECK_CTX checkCtx,
102                                     ExplodedNodeSet &Dst,
103                                     const ExplodedNodeSet &Src) {
104   const NodeBuilderContext &BldrCtx = checkCtx.Eng.getBuilderContext();
105   if (Src.empty())
106     return;
107 
108   typename CHECK_CTX::CheckersTy::const_iterator
109       I = checkCtx.checkers_begin(), E = checkCtx.checkers_end();
110   if (I == E) {
111     Dst.insert(Src);
112     return;
113   }
114 
115   ExplodedNodeSet Tmp1, Tmp2;
116   const ExplodedNodeSet *PrevSet = &Src;
117 
118   for (; I != E; ++I) {
119     ExplodedNodeSet *CurrSet = nullptr;
120     if (I+1 == E)
121       CurrSet = &Dst;
122     else {
123       CurrSet = (PrevSet == &Tmp1) ? &Tmp2 : &Tmp1;
124       CurrSet->clear();
125     }
126 
127     NodeBuilder B(*PrevSet, *CurrSet, BldrCtx);
128     for (const auto &NI : *PrevSet)
129       checkCtx.runChecker(*I, B, NI);
130 
131     // If all the produced transitions are sinks, stop.
132     if (CurrSet->empty())
133       return;
134 
135     // Update which NodeSet is the current one.
136     PrevSet = CurrSet;
137   }
138 }
139 
140 namespace {
141 
142   struct CheckStmtContext {
143     using CheckersTy = SmallVectorImpl<CheckerManager::CheckStmtFunc>;
144 
145     bool IsPreVisit;
146     const CheckersTy &Checkers;
147     const Stmt *S;
148     ExprEngine &Eng;
149     bool WasInlined;
150 
151     CheckStmtContext(bool isPreVisit, const CheckersTy &checkers,
152                      const Stmt *s, ExprEngine &eng, bool wasInlined = false)
153         : IsPreVisit(isPreVisit), Checkers(checkers), S(s), Eng(eng),
154           WasInlined(wasInlined) {}
155 
156     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
157     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
158 
159     void runChecker(CheckerManager::CheckStmtFunc checkFn,
160                     NodeBuilder &Bldr, ExplodedNode *Pred) {
161       // FIXME: Remove respondsToCallback from CheckerContext;
162       ProgramPoint::Kind K =  IsPreVisit ? ProgramPoint::PreStmtKind :
163                                            ProgramPoint::PostStmtKind;
164       const ProgramPoint &L = ProgramPoint::getProgramPoint(S, K,
165                                 Pred->getLocationContext(), checkFn.Checker);
166       CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
167       checkFn(S, C);
168     }
169   };
170 
171 } // namespace
172 
173 /// Run checkers for visiting Stmts.
174 void CheckerManager::runCheckersForStmt(bool isPreVisit,
175                                         ExplodedNodeSet &Dst,
176                                         const ExplodedNodeSet &Src,
177                                         const Stmt *S,
178                                         ExprEngine &Eng,
179                                         bool WasInlined) {
180   CheckStmtContext C(isPreVisit, getCachedStmtCheckersFor(S, isPreVisit),
181                      S, Eng, WasInlined);
182   expandGraphWithCheckers(C, Dst, Src);
183 }
184 
185 namespace {
186 
187   struct CheckObjCMessageContext {
188     using CheckersTy = std::vector<CheckerManager::CheckObjCMessageFunc>;
189 
190     ObjCMessageVisitKind Kind;
191     bool WasInlined;
192     const CheckersTy &Checkers;
193     const ObjCMethodCall &Msg;
194     ExprEngine &Eng;
195 
196     CheckObjCMessageContext(ObjCMessageVisitKind visitKind,
197                             const CheckersTy &checkers,
198                             const ObjCMethodCall &msg, ExprEngine &eng,
199                             bool wasInlined)
200         : Kind(visitKind), WasInlined(wasInlined), Checkers(checkers), Msg(msg),
201           Eng(eng) {}
202 
203     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
204     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
205 
206     void runChecker(CheckerManager::CheckObjCMessageFunc checkFn,
207                     NodeBuilder &Bldr, ExplodedNode *Pred) {
208       bool IsPreVisit;
209 
210       switch (Kind) {
211         case ObjCMessageVisitKind::Pre:
212           IsPreVisit = true;
213           break;
214         case ObjCMessageVisitKind::MessageNil:
215         case ObjCMessageVisitKind::Post:
216           IsPreVisit = false;
217           break;
218       }
219 
220       const ProgramPoint &L = Msg.getProgramPoint(IsPreVisit,checkFn.Checker);
221       CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
222 
223       checkFn(*Msg.cloneWithState<ObjCMethodCall>(Pred->getState()), C);
224     }
225   };
226 
227 } // namespace
228 
229 /// Run checkers for visiting obj-c messages.
230 void CheckerManager::runCheckersForObjCMessage(ObjCMessageVisitKind visitKind,
231                                                ExplodedNodeSet &Dst,
232                                                const ExplodedNodeSet &Src,
233                                                const ObjCMethodCall &msg,
234                                                ExprEngine &Eng,
235                                                bool WasInlined) {
236   auto &checkers = getObjCMessageCheckers(visitKind);
237   CheckObjCMessageContext C(visitKind, checkers, msg, Eng, WasInlined);
238   expandGraphWithCheckers(C, Dst, Src);
239 }
240 
241 const std::vector<CheckerManager::CheckObjCMessageFunc> &
242 CheckerManager::getObjCMessageCheckers(ObjCMessageVisitKind Kind) {
243   switch (Kind) {
244   case ObjCMessageVisitKind::Pre:
245     return PreObjCMessageCheckers;
246     break;
247   case ObjCMessageVisitKind::Post:
248     return PostObjCMessageCheckers;
249   case ObjCMessageVisitKind::MessageNil:
250     return ObjCMessageNilCheckers;
251   }
252   llvm_unreachable("Unknown Kind");
253 }
254 
255 namespace {
256 
257   // FIXME: This has all the same signatures as CheckObjCMessageContext.
258   // Is there a way we can merge the two?
259   struct CheckCallContext {
260     using CheckersTy = std::vector<CheckerManager::CheckCallFunc>;
261 
262     bool IsPreVisit, WasInlined;
263     const CheckersTy &Checkers;
264     const CallEvent &Call;
265     ExprEngine &Eng;
266 
267     CheckCallContext(bool isPreVisit, const CheckersTy &checkers,
268                      const CallEvent &call, ExprEngine &eng,
269                      bool wasInlined)
270         : IsPreVisit(isPreVisit), WasInlined(wasInlined), Checkers(checkers),
271           Call(call), Eng(eng) {}
272 
273     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
274     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
275 
276     void runChecker(CheckerManager::CheckCallFunc checkFn,
277                     NodeBuilder &Bldr, ExplodedNode *Pred) {
278       const ProgramPoint &L = Call.getProgramPoint(IsPreVisit,checkFn.Checker);
279       CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
280 
281       checkFn(*Call.cloneWithState(Pred->getState()), C);
282     }
283   };
284 
285 } // namespace
286 
287 /// Run checkers for visiting an abstract call event.
288 void CheckerManager::runCheckersForCallEvent(bool isPreVisit,
289                                              ExplodedNodeSet &Dst,
290                                              const ExplodedNodeSet &Src,
291                                              const CallEvent &Call,
292                                              ExprEngine &Eng,
293                                              bool WasInlined) {
294   CheckCallContext C(isPreVisit,
295                      isPreVisit ? PreCallCheckers
296                                 : PostCallCheckers,
297                      Call, Eng, WasInlined);
298   expandGraphWithCheckers(C, Dst, Src);
299 }
300 
301 namespace {
302 
303   struct CheckLocationContext {
304     using CheckersTy = std::vector<CheckerManager::CheckLocationFunc>;
305 
306     const CheckersTy &Checkers;
307     SVal Loc;
308     bool IsLoad;
309     const Stmt *NodeEx; /* Will become a CFGStmt */
310     const Stmt *BoundEx;
311     ExprEngine &Eng;
312 
313     CheckLocationContext(const CheckersTy &checkers,
314                          SVal loc, bool isLoad, const Stmt *NodeEx,
315                          const Stmt *BoundEx,
316                          ExprEngine &eng)
317         : Checkers(checkers), Loc(loc), IsLoad(isLoad), NodeEx(NodeEx),
318           BoundEx(BoundEx), Eng(eng) {}
319 
320     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
321     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
322 
323     void runChecker(CheckerManager::CheckLocationFunc checkFn,
324                     NodeBuilder &Bldr, ExplodedNode *Pred) {
325       ProgramPoint::Kind K =  IsLoad ? ProgramPoint::PreLoadKind :
326                                        ProgramPoint::PreStoreKind;
327       const ProgramPoint &L =
328         ProgramPoint::getProgramPoint(NodeEx, K,
329                                       Pred->getLocationContext(),
330                                       checkFn.Checker);
331       CheckerContext C(Bldr, Eng, Pred, L);
332       checkFn(Loc, IsLoad, BoundEx, C);
333     }
334   };
335 
336 } // namespace
337 
338 /// Run checkers for load/store of a location.
339 
340 void CheckerManager::runCheckersForLocation(ExplodedNodeSet &Dst,
341                                             const ExplodedNodeSet &Src,
342                                             SVal location, bool isLoad,
343                                             const Stmt *NodeEx,
344                                             const Stmt *BoundEx,
345                                             ExprEngine &Eng) {
346   CheckLocationContext C(LocationCheckers, location, isLoad, NodeEx,
347                          BoundEx, Eng);
348   expandGraphWithCheckers(C, Dst, Src);
349 }
350 
351 namespace {
352 
353   struct CheckBindContext {
354     using CheckersTy = std::vector<CheckerManager::CheckBindFunc>;
355 
356     const CheckersTy &Checkers;
357     SVal Loc;
358     SVal Val;
359     const Stmt *S;
360     ExprEngine &Eng;
361     const ProgramPoint &PP;
362 
363     CheckBindContext(const CheckersTy &checkers,
364                      SVal loc, SVal val, const Stmt *s, ExprEngine &eng,
365                      const ProgramPoint &pp)
366         : Checkers(checkers), Loc(loc), Val(val), S(s), Eng(eng), PP(pp) {}
367 
368     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
369     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
370 
371     void runChecker(CheckerManager::CheckBindFunc checkFn,
372                     NodeBuilder &Bldr, ExplodedNode *Pred) {
373       const ProgramPoint &L = PP.withTag(checkFn.Checker);
374       CheckerContext C(Bldr, Eng, Pred, L);
375 
376       checkFn(Loc, Val, S, C);
377     }
378   };
379 
380 } // namespace
381 
382 /// Run checkers for binding of a value to a location.
383 void CheckerManager::runCheckersForBind(ExplodedNodeSet &Dst,
384                                         const ExplodedNodeSet &Src,
385                                         SVal location, SVal val,
386                                         const Stmt *S, ExprEngine &Eng,
387                                         const ProgramPoint &PP) {
388   CheckBindContext C(BindCheckers, location, val, S, Eng, PP);
389   expandGraphWithCheckers(C, Dst, Src);
390 }
391 
392 void CheckerManager::runCheckersForEndAnalysis(ExplodedGraph &G,
393                                                BugReporter &BR,
394                                                ExprEngine &Eng) {
395   for (const auto EndAnalysisChecker : EndAnalysisCheckers)
396     EndAnalysisChecker(G, BR, Eng);
397 }
398 
399 namespace {
400 
401 struct CheckBeginFunctionContext {
402   using CheckersTy = std::vector<CheckerManager::CheckBeginFunctionFunc>;
403 
404   const CheckersTy &Checkers;
405   ExprEngine &Eng;
406   const ProgramPoint &PP;
407 
408   CheckBeginFunctionContext(const CheckersTy &Checkers, ExprEngine &Eng,
409                             const ProgramPoint &PP)
410       : Checkers(Checkers), Eng(Eng), PP(PP) {}
411 
412   CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
413   CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
414 
415   void runChecker(CheckerManager::CheckBeginFunctionFunc checkFn,
416                   NodeBuilder &Bldr, ExplodedNode *Pred) {
417     const ProgramPoint &L = PP.withTag(checkFn.Checker);
418     CheckerContext C(Bldr, Eng, Pred, L);
419 
420     checkFn(C);
421   }
422 };
423 
424 } // namespace
425 
426 void CheckerManager::runCheckersForBeginFunction(ExplodedNodeSet &Dst,
427                                                  const BlockEdge &L,
428                                                  ExplodedNode *Pred,
429                                                  ExprEngine &Eng) {
430   ExplodedNodeSet Src;
431   Src.insert(Pred);
432   CheckBeginFunctionContext C(BeginFunctionCheckers, Eng, L);
433   expandGraphWithCheckers(C, Dst, Src);
434 }
435 
436 /// Run checkers for end of path.
437 // Note, We do not chain the checker output (like in expandGraphWithCheckers)
438 // for this callback since end of path nodes are expected to be final.
439 void CheckerManager::runCheckersForEndFunction(NodeBuilderContext &BC,
440                                                ExplodedNodeSet &Dst,
441                                                ExplodedNode *Pred,
442                                                ExprEngine &Eng,
443                                                const ReturnStmt *RS) {
444   // We define the builder outside of the loop bacause if at least one checkers
445   // creates a sucsessor for Pred, we do not need to generate an
446   // autotransition for it.
447   NodeBuilder Bldr(Pred, Dst, BC);
448   for (const auto checkFn : EndFunctionCheckers) {
449     const ProgramPoint &L = BlockEntrance(BC.Block,
450                                           Pred->getLocationContext(),
451                                           checkFn.Checker);
452     CheckerContext C(Bldr, Eng, Pred, L);
453     checkFn(RS, C);
454   }
455 }
456 
457 namespace {
458 
459   struct CheckBranchConditionContext {
460     using CheckersTy = std::vector<CheckerManager::CheckBranchConditionFunc>;
461 
462     const CheckersTy &Checkers;
463     const Stmt *Condition;
464     ExprEngine &Eng;
465 
466     CheckBranchConditionContext(const CheckersTy &checkers,
467                                 const Stmt *Cond, ExprEngine &eng)
468         : Checkers(checkers), Condition(Cond), Eng(eng) {}
469 
470     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
471     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
472 
473     void runChecker(CheckerManager::CheckBranchConditionFunc checkFn,
474                     NodeBuilder &Bldr, ExplodedNode *Pred) {
475       ProgramPoint L = PostCondition(Condition, Pred->getLocationContext(),
476                                      checkFn.Checker);
477       CheckerContext C(Bldr, Eng, Pred, L);
478       checkFn(Condition, C);
479     }
480   };
481 
482 } // namespace
483 
484 /// Run checkers for branch condition.
485 void CheckerManager::runCheckersForBranchCondition(const Stmt *Condition,
486                                                    ExplodedNodeSet &Dst,
487                                                    ExplodedNode *Pred,
488                                                    ExprEngine &Eng) {
489   ExplodedNodeSet Src;
490   Src.insert(Pred);
491   CheckBranchConditionContext C(BranchConditionCheckers, Condition, Eng);
492   expandGraphWithCheckers(C, Dst, Src);
493 }
494 
495 namespace {
496 
497   struct CheckNewAllocatorContext {
498     using CheckersTy = std::vector<CheckerManager::CheckNewAllocatorFunc>;
499 
500     const CheckersTy &Checkers;
501     const CXXNewExpr *NE;
502     SVal Target;
503     bool WasInlined;
504     ExprEngine &Eng;
505 
506     CheckNewAllocatorContext(const CheckersTy &Checkers, const CXXNewExpr *NE,
507                              SVal Target, bool WasInlined, ExprEngine &Eng)
508         : Checkers(Checkers), NE(NE), Target(Target), WasInlined(WasInlined),
509           Eng(Eng) {}
510 
511     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
512     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
513 
514     void runChecker(CheckerManager::CheckNewAllocatorFunc checkFn,
515                     NodeBuilder &Bldr, ExplodedNode *Pred) {
516       ProgramPoint L = PostAllocatorCall(NE, Pred->getLocationContext());
517       CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
518       checkFn(NE, Target, C);
519     }
520   };
521 
522 } // namespace
523 
524 void CheckerManager::runCheckersForNewAllocator(
525     const CXXNewExpr *NE, SVal Target, ExplodedNodeSet &Dst, ExplodedNode *Pred,
526     ExprEngine &Eng, bool WasInlined) {
527   ExplodedNodeSet Src;
528   Src.insert(Pred);
529   CheckNewAllocatorContext C(NewAllocatorCheckers, NE, Target, WasInlined, Eng);
530   expandGraphWithCheckers(C, Dst, Src);
531 }
532 
533 /// Run checkers for live symbols.
534 void CheckerManager::runCheckersForLiveSymbols(ProgramStateRef state,
535                                                SymbolReaper &SymReaper) {
536   for (const auto LiveSymbolsChecker : LiveSymbolsCheckers)
537     LiveSymbolsChecker(state, SymReaper);
538 }
539 
540 namespace {
541 
542   struct CheckDeadSymbolsContext {
543     using CheckersTy = std::vector<CheckerManager::CheckDeadSymbolsFunc>;
544 
545     const CheckersTy &Checkers;
546     SymbolReaper &SR;
547     const Stmt *S;
548     ExprEngine &Eng;
549     ProgramPoint::Kind ProgarmPointKind;
550 
551     CheckDeadSymbolsContext(const CheckersTy &checkers, SymbolReaper &sr,
552                             const Stmt *s, ExprEngine &eng,
553                             ProgramPoint::Kind K)
554         : Checkers(checkers), SR(sr), S(s), Eng(eng), ProgarmPointKind(K) {}
555 
556     CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
557     CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
558 
559     void runChecker(CheckerManager::CheckDeadSymbolsFunc checkFn,
560                     NodeBuilder &Bldr, ExplodedNode *Pred) {
561       const ProgramPoint &L = ProgramPoint::getProgramPoint(S, ProgarmPointKind,
562                                 Pred->getLocationContext(), checkFn.Checker);
563       CheckerContext C(Bldr, Eng, Pred, L);
564 
565       // Note, do not pass the statement to the checkers without letting them
566       // differentiate if we ran remove dead bindings before or after the
567       // statement.
568       checkFn(SR, C);
569     }
570   };
571 
572 } // namespace
573 
574 /// Run checkers for dead symbols.
575 void CheckerManager::runCheckersForDeadSymbols(ExplodedNodeSet &Dst,
576                                                const ExplodedNodeSet &Src,
577                                                SymbolReaper &SymReaper,
578                                                const Stmt *S,
579                                                ExprEngine &Eng,
580                                                ProgramPoint::Kind K) {
581   CheckDeadSymbolsContext C(DeadSymbolsCheckers, SymReaper, S, Eng, K);
582   expandGraphWithCheckers(C, Dst, Src);
583 }
584 
585 /// Run checkers for region changes.
586 ProgramStateRef
587 CheckerManager::runCheckersForRegionChanges(ProgramStateRef state,
588                                             const InvalidatedSymbols *invalidated,
589                                             ArrayRef<const MemRegion *> ExplicitRegions,
590                                             ArrayRef<const MemRegion *> Regions,
591                                             const LocationContext *LCtx,
592                                             const CallEvent *Call) {
593   for (const auto RegionChangesChecker : RegionChangesCheckers) {
594     // If any checker declares the state infeasible (or if it starts that way),
595     // bail out.
596     if (!state)
597       return nullptr;
598     state = RegionChangesChecker(state, invalidated, ExplicitRegions, Regions,
599                                  LCtx, Call);
600   }
601   return state;
602 }
603 
604 /// Run checkers to process symbol escape event.
605 ProgramStateRef
606 CheckerManager::runCheckersForPointerEscape(ProgramStateRef State,
607                                    const InvalidatedSymbols &Escaped,
608                                    const CallEvent *Call,
609                                    PointerEscapeKind Kind,
610                                    RegionAndSymbolInvalidationTraits *ETraits) {
611   assert((Call != nullptr ||
612           (Kind != PSK_DirectEscapeOnCall &&
613            Kind != PSK_IndirectEscapeOnCall)) &&
614          "Call must not be NULL when escaping on call");
615   for (const auto PointerEscapeChecker : PointerEscapeCheckers) {
616     // If any checker declares the state infeasible (or if it starts that
617     //  way), bail out.
618     if (!State)
619       return nullptr;
620     State = PointerEscapeChecker(State, Escaped, Call, Kind, ETraits);
621   }
622   return State;
623 }
624 
625 /// Run checkers for handling assumptions on symbolic values.
626 ProgramStateRef
627 CheckerManager::runCheckersForEvalAssume(ProgramStateRef state,
628                                          SVal Cond, bool Assumption) {
629   for (const auto EvalAssumeChecker : EvalAssumeCheckers) {
630     // If any checker declares the state infeasible (or if it starts that way),
631     // bail out.
632     if (!state)
633       return nullptr;
634     state = EvalAssumeChecker(state, Cond, Assumption);
635   }
636   return state;
637 }
638 
639 /// Run checkers for evaluating a call.
640 /// Only one checker will evaluate the call.
641 void CheckerManager::runCheckersForEvalCall(ExplodedNodeSet &Dst,
642                                             const ExplodedNodeSet &Src,
643                                             const CallEvent &Call,
644                                             ExprEngine &Eng) {
645   const CallExpr *CE = cast<CallExpr>(Call.getOriginExpr());
646   for (const auto Pred : Src) {
647     bool anyEvaluated = false;
648 
649     ExplodedNodeSet checkDst;
650     NodeBuilder B(Pred, checkDst, Eng.getBuilderContext());
651 
652     // Check if any of the EvalCall callbacks can evaluate the call.
653     for (const auto EvalCallChecker : EvalCallCheckers) {
654       ProgramPoint::Kind K = ProgramPoint::PostStmtKind;
655       const ProgramPoint &L =
656           ProgramPoint::getProgramPoint(CE, K, Pred->getLocationContext(),
657                                         EvalCallChecker.Checker);
658       bool evaluated = false;
659       { // CheckerContext generates transitions(populates checkDest) on
660         // destruction, so introduce the scope to make sure it gets properly
661         // populated.
662         CheckerContext C(B, Eng, Pred, L);
663         evaluated = EvalCallChecker(CE, C);
664       }
665       assert(!(evaluated && anyEvaluated)
666              && "There are more than one checkers evaluating the call");
667       if (evaluated) {
668         anyEvaluated = true;
669         Dst.insert(checkDst);
670 #ifdef NDEBUG
671         break; // on release don't check that no other checker also evals.
672 #endif
673       }
674     }
675 
676     // If none of the checkers evaluated the call, ask ExprEngine to handle it.
677     if (!anyEvaluated) {
678       NodeBuilder B(Pred, Dst, Eng.getBuilderContext());
679       Eng.defaultEvalCall(B, Pred, Call);
680     }
681   }
682 }
683 
684 /// Run checkers for the entire Translation Unit.
685 void CheckerManager::runCheckersOnEndOfTranslationUnit(
686                                                   const TranslationUnitDecl *TU,
687                                                   AnalysisManager &mgr,
688                                                   BugReporter &BR) {
689   for (const auto EndOfTranslationUnitChecker : EndOfTranslationUnitCheckers)
690     EndOfTranslationUnitChecker(TU, mgr, BR);
691 }
692 
693 void CheckerManager::runCheckersForPrintState(raw_ostream &Out,
694                                               ProgramStateRef State,
695                                               const char *NL, const char *Sep) {
696   for (const auto &CheckerTag : CheckerTags)
697     CheckerTag.second->printState(Out, State, NL, Sep);
698 }
699 
700 //===----------------------------------------------------------------------===//
701 // Internal registration functions for AST traversing.
702 //===----------------------------------------------------------------------===//
703 
704 void CheckerManager::_registerForDecl(CheckDeclFunc checkfn,
705                                       HandlesDeclFunc isForDeclFn) {
706   DeclCheckerInfo info = { checkfn, isForDeclFn };
707   DeclCheckers.push_back(info);
708 }
709 
710 void CheckerManager::_registerForBody(CheckDeclFunc checkfn) {
711   BodyCheckers.push_back(checkfn);
712 }
713 
714 //===----------------------------------------------------------------------===//
715 // Internal registration functions for path-sensitive checking.
716 //===----------------------------------------------------------------------===//
717 
718 void CheckerManager::_registerForPreStmt(CheckStmtFunc checkfn,
719                                          HandlesStmtFunc isForStmtFn) {
720   StmtCheckerInfo info = { checkfn, isForStmtFn, /*IsPreVisit*/true };
721   StmtCheckers.push_back(info);
722 }
723 
724 void CheckerManager::_registerForPostStmt(CheckStmtFunc checkfn,
725                                           HandlesStmtFunc isForStmtFn) {
726   StmtCheckerInfo info = { checkfn, isForStmtFn, /*IsPreVisit*/false };
727   StmtCheckers.push_back(info);
728 }
729 
730 void CheckerManager::_registerForPreObjCMessage(CheckObjCMessageFunc checkfn) {
731   PreObjCMessageCheckers.push_back(checkfn);
732 }
733 
734 void CheckerManager::_registerForObjCMessageNil(CheckObjCMessageFunc checkfn) {
735   ObjCMessageNilCheckers.push_back(checkfn);
736 }
737 
738 void CheckerManager::_registerForPostObjCMessage(CheckObjCMessageFunc checkfn) {
739   PostObjCMessageCheckers.push_back(checkfn);
740 }
741 
742 void CheckerManager::_registerForPreCall(CheckCallFunc checkfn) {
743   PreCallCheckers.push_back(checkfn);
744 }
745 void CheckerManager::_registerForPostCall(CheckCallFunc checkfn) {
746   PostCallCheckers.push_back(checkfn);
747 }
748 
749 void CheckerManager::_registerForLocation(CheckLocationFunc checkfn) {
750   LocationCheckers.push_back(checkfn);
751 }
752 
753 void CheckerManager::_registerForBind(CheckBindFunc checkfn) {
754   BindCheckers.push_back(checkfn);
755 }
756 
757 void CheckerManager::_registerForEndAnalysis(CheckEndAnalysisFunc checkfn) {
758   EndAnalysisCheckers.push_back(checkfn);
759 }
760 
761 void CheckerManager::_registerForBeginFunction(CheckBeginFunctionFunc checkfn) {
762   BeginFunctionCheckers.push_back(checkfn);
763 }
764 
765 void CheckerManager::_registerForEndFunction(CheckEndFunctionFunc checkfn) {
766   EndFunctionCheckers.push_back(checkfn);
767 }
768 
769 void CheckerManager::_registerForBranchCondition(
770                                              CheckBranchConditionFunc checkfn) {
771   BranchConditionCheckers.push_back(checkfn);
772 }
773 
774 void CheckerManager::_registerForNewAllocator(CheckNewAllocatorFunc checkfn) {
775   NewAllocatorCheckers.push_back(checkfn);
776 }
777 
778 void CheckerManager::_registerForLiveSymbols(CheckLiveSymbolsFunc checkfn) {
779   LiveSymbolsCheckers.push_back(checkfn);
780 }
781 
782 void CheckerManager::_registerForDeadSymbols(CheckDeadSymbolsFunc checkfn) {
783   DeadSymbolsCheckers.push_back(checkfn);
784 }
785 
786 void CheckerManager::_registerForRegionChanges(CheckRegionChangesFunc checkfn) {
787   RegionChangesCheckers.push_back(checkfn);
788 }
789 
790 void CheckerManager::_registerForPointerEscape(CheckPointerEscapeFunc checkfn){
791   PointerEscapeCheckers.push_back(checkfn);
792 }
793 
794 void CheckerManager::_registerForConstPointerEscape(
795                                           CheckPointerEscapeFunc checkfn) {
796   PointerEscapeCheckers.push_back(checkfn);
797 }
798 
799 void CheckerManager::_registerForEvalAssume(EvalAssumeFunc checkfn) {
800   EvalAssumeCheckers.push_back(checkfn);
801 }
802 
803 void CheckerManager::_registerForEvalCall(EvalCallFunc checkfn) {
804   EvalCallCheckers.push_back(checkfn);
805 }
806 
807 void CheckerManager::_registerForEndOfTranslationUnit(
808                                             CheckEndOfTranslationUnit checkfn) {
809   EndOfTranslationUnitCheckers.push_back(checkfn);
810 }
811 
812 //===----------------------------------------------------------------------===//
813 // Implementation details.
814 //===----------------------------------------------------------------------===//
815 
816 const CheckerManager::CachedStmtCheckers &
817 CheckerManager::getCachedStmtCheckersFor(const Stmt *S, bool isPreVisit) {
818   assert(S);
819 
820   unsigned Key = (S->getStmtClass() << 1) | unsigned(isPreVisit);
821   CachedStmtCheckersMapTy::iterator CCI = CachedStmtCheckersMap.find(Key);
822   if (CCI != CachedStmtCheckersMap.end())
823     return CCI->second;
824 
825   // Find the checkers that should run for this Stmt and cache them.
826   CachedStmtCheckers &Checkers = CachedStmtCheckersMap[Key];
827   for (const auto &Info : StmtCheckers)
828     if (Info.IsPreVisit == isPreVisit && Info.IsForStmtFn(S))
829       Checkers.push_back(Info.CheckFn);
830   return Checkers;
831 }
832 
833 CheckerManager::~CheckerManager() {
834   for (const auto CheckerDtor : CheckerDtors)
835     CheckerDtor();
836 }
837