/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Bug Summary

File:	clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
Warning:	line 1453, column 17 Called C++ object pointer is null

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name CStringChecker.cpp -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=cplusplus -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -analyzer-config-compatibility-mode=true -mrelocation-model pic -pic-level 2 -mframe-pointer=none -relaxed-aliasing -fmath-errno -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -ffunction-sections -fdata-sections -fcoverage-compilation-dir=/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/build-llvm/tools/clang/lib/StaticAnalyzer/Checkers -resource-dir /usr/lib/llvm-14/lib/clang/14.0.0 -D CLANG_ROUND_TRIP_CC1_ARGS=ON -D _DEBUG -D _GNU_SOURCE -D __STDC_CONSTANT_MACROS -D __STDC_FORMAT_MACROS -D __STDC_LIMIT_MACROS -I /build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/build-llvm/tools/clang/lib/StaticAnalyzer/Checkers -I /build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers -I /build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/include -I /build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/build-llvm/tools/clang/include -I /build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/build-llvm/include -I /build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include -D NDEBUG -U NDEBUG -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/x86_64-linux-gnu/c++/10 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/backward -internal-isystem /usr/lib/llvm-14/lib/clang/14.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O2 -Wno-unused-parameter -Wwrite-strings -Wno-missing-field-initializers -Wno-long-long -Wno-maybe-uninitialized -Wno-class-memaccess -Wno-redundant-move -Wno-pessimizing-move -Wno-noexcept-type -Wno-comment -std=c++14 -fdeprecated-macro -fdebug-compilation-dir=/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/build-llvm/tools/clang/lib/StaticAnalyzer/Checkers -fdebug-prefix-map=/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0=. -ferror-limit 19 -fvisibility-inlines-hidden -stack-protector 2 -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -analyzer-output=html -analyzer-config stable-report-filename=true -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2021-08-28-193554-24367-1 -x c++ /build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

→

1//= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This defines CStringChecker, which is an assortment of checks on calls
10// to functions in <string.h>.
11//
12//===----------------------------------------------------------------------===//

14#include "InterCheckerAPI.h"
15#include "clang/Basic/CharInfo.h"
16#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
17#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
18#include "clang/StaticAnalyzer/Core/Checker.h"
19#include "clang/StaticAnalyzer/Core/CheckerManager.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
21#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
22#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
23#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
24#include "llvm/ADT/STLExtras.h"
25#include "llvm/ADT/SmallString.h"
26#include "llvm/ADT/StringExtras.h"
27#include "llvm/Support/raw_ostream.h"

29using namespace clang;
30using namespace ento;

32namespace {
33struct AnyArgExpr {
// FIXME: Remove constructor in C++17 to turn it into an aggregate.
AnyArgExpr(const Expr *Expression, unsigned ArgumentIndex)
    : Expression{Expression}, ArgumentIndex{ArgumentIndex} {}
const Expr *Expression;
unsigned ArgumentIndex;
39};

41struct SourceArgExpr : AnyArgExpr {
using AnyArgExpr::AnyArgExpr; // FIXME: Remove using in C++17.
43};

45struct DestinationArgExpr : AnyArgExpr {
using AnyArgExpr::AnyArgExpr; // FIXME: Same.
47};

49struct SizeArgExpr : AnyArgExpr {
using AnyArgExpr::AnyArgExpr; // FIXME: Same.
51};

53using ErrorMessage = SmallString<128>;
54enum class AccessKind { write, read };

56static ErrorMessage createOutOfBoundErrorMsg(StringRef FunctionDescription,
                                           AccessKind Access) {
ErrorMessage Message;
llvm::raw_svector_ostream Os(Message);

// Function classification like: Memory copy function
Os << toUppercase(FunctionDescription.front())
   << &FunctionDescription.data()[1];

if (Access == AccessKind::write) {
  Os << " overflows the destination buffer";
} else { // read access
  Os << " accesses out-of-bound array element";
}

return Message;
72}

74enum class ConcatFnKind { none = 0, strcat = 1, strlcat = 2 };
75class CStringChecker : public Checker< eval::Call,
                                       check::PreStmt<DeclStmt>,
                                       check::LiveSymbols,
                                       check::DeadSymbols,
                                       check::RegionChanges
                                       > {
mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
    BT_NotCString, BT_AdditionOverflow;

mutable const char *CurrentFunctionDescription;

86public:
/// The filter is used to filter out the diagnostics which are not enabled by
/// the user.
struct CStringChecksFilter {
  DefaultBool CheckCStringNullArg;
  DefaultBool CheckCStringOutOfBounds;
  DefaultBool CheckCStringBufferOverlap;
  DefaultBool CheckCStringNotNullTerm;

  CheckerNameRef CheckNameCStringNullArg;
  CheckerNameRef CheckNameCStringOutOfBounds;
  CheckerNameRef CheckNameCStringBufferOverlap;
  CheckerNameRef CheckNameCStringNotNullTerm;
};

CStringChecksFilter Filter;

static void *getTag() { static int tag; return &tag; }

bool evalCall(const CallEvent &Call, CheckerContext &C) const;
void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;

ProgramStateRef
  checkRegionChanges(ProgramStateRef state,
                     const InvalidatedSymbols *,
                     ArrayRef<const MemRegion *> ExplicitRegions,
                     ArrayRef<const MemRegion *> Regions,
                     const LocationContext *LCtx,
                     const CallEvent *Call) const;

typedef void (CStringChecker::*FnCheck)(CheckerContext &,
                                        const CallExpr *) const;
CallDescriptionMap<FnCheck> Callbacks = {
    {{CDF_MaybeBuiltin, "memcpy", 3}, &CStringChecker::evalMemcpy},
    {{CDF_MaybeBuiltin, "mempcpy", 3}, &CStringChecker::evalMempcpy},
    {{CDF_MaybeBuiltin, "memcmp", 3}, &CStringChecker::evalMemcmp},
    {{CDF_MaybeBuiltin, "memmove", 3}, &CStringChecker::evalMemmove},
    {{CDF_MaybeBuiltin, "memset", 3}, &CStringChecker::evalMemset},
    {{CDF_MaybeBuiltin, "explicit_memset", 3}, &CStringChecker::evalMemset},
    {{CDF_MaybeBuiltin, "strcpy", 2}, &CStringChecker::evalStrcpy},
    {{CDF_MaybeBuiltin, "strncpy", 3}, &CStringChecker::evalStrncpy},
    {{CDF_MaybeBuiltin, "stpcpy", 2}, &CStringChecker::evalStpcpy},
    {{CDF_MaybeBuiltin, "strlcpy", 3}, &CStringChecker::evalStrlcpy},
    {{CDF_MaybeBuiltin, "strcat", 2}, &CStringChecker::evalStrcat},
    {{CDF_MaybeBuiltin, "strncat", 3}, &CStringChecker::evalStrncat},
    {{CDF_MaybeBuiltin, "strlcat", 3}, &CStringChecker::evalStrlcat},
    {{CDF_MaybeBuiltin, "strlen", 1}, &CStringChecker::evalstrLength},
    {{CDF_MaybeBuiltin, "strnlen", 2}, &CStringChecker::evalstrnLength},
    {{CDF_MaybeBuiltin, "strcmp", 2}, &CStringChecker::evalStrcmp},
    {{CDF_MaybeBuiltin, "strncmp", 3}, &CStringChecker::evalStrncmp},
    {{CDF_MaybeBuiltin, "strcasecmp", 2}, &CStringChecker::evalStrcasecmp},
    {{CDF_MaybeBuiltin, "strncasecmp", 3}, &CStringChecker::evalStrncasecmp},
    {{CDF_MaybeBuiltin, "strsep", 2}, &CStringChecker::evalStrsep},
    {{CDF_MaybeBuiltin, "bcopy", 3}, &CStringChecker::evalBcopy},
    {{CDF_MaybeBuiltin, "bcmp", 3}, &CStringChecker::evalMemcmp},
    {{CDF_MaybeBuiltin, "bzero", 2}, &CStringChecker::evalBzero},
    {{CDF_MaybeBuiltin, "explicit_bzero", 2}, &CStringChecker::evalBzero},
};

// These require a bit of special handling.
CallDescription StdCopy{{"std", "copy"}, 3},
    StdCopyBackward{{"std", "copy_backward"}, 3};

FnCheck identifyCall(const CallEvent &Call, CheckerContext &C) const;
void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
                    ProgramStateRef state, SizeArgExpr Size,
                    DestinationArgExpr Dest, SourceArgExpr Source,
                    bool Restricted, bool IsMempcpy) const;

void evalMemcmp(CheckerContext &C, const CallExpr *CE) const;

void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
void evalstrLengthCommon(CheckerContext &C,
                         const CallExpr *CE,
                         bool IsStrnlen = false) const;

void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
void evalStrlcpy(CheckerContext &C, const CallExpr *CE) const;
void evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, bool ReturnEnd,
                      bool IsBounded, ConcatFnKind appendK,
                      bool returnPtr = true) const;

void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
void evalStrlcat(CheckerContext &C, const CallExpr *CE) const;

void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
void evalStrcmpCommon(CheckerContext &C,
                      const CallExpr *CE,
                      bool IsBounded = false,
                      bool IgnoreCase = false) const;

void evalStrsep(CheckerContext &C, const CallExpr *CE) const;

void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
void evalMemset(CheckerContext &C, const CallExpr *CE) const;
void evalBzero(CheckerContext &C, const CallExpr *CE) const;

// Utility methods
std::pair<ProgramStateRef , ProgramStateRef >
static assumeZero(CheckerContext &C,
                  ProgramStateRef state, SVal V, QualType Ty);

static ProgramStateRef setCStringLength(ProgramStateRef state,
                                            const MemRegion *MR,
                                            SVal strLength);
static SVal getCStringLengthForRegion(CheckerContext &C,
                                      ProgramStateRef &state,
                                      const Expr *Ex,
                                      const MemRegion *MR,
                                      bool hypothetical);
SVal getCStringLength(CheckerContext &C,
                      ProgramStateRef &state,
                      const Expr *Ex,
                      SVal Buf,
                      bool hypothetical = false) const;

const StringLiteral *getCStringLiteral(CheckerContext &C,
                                       ProgramStateRef &state,
                                       const Expr *expr,
                                       SVal val) const;

static ProgramStateRef InvalidateBuffer(CheckerContext &C,
                                        ProgramStateRef state,
                                        const Expr *Ex, SVal V,
                                        bool IsSourceBuffer,
                                        const Expr *Size);

static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
                            const MemRegion *MR);

static bool memsetAux(const Expr *DstBuffer, SVal CharE,
                      const Expr *Size, CheckerContext &C,
                      ProgramStateRef &State);

// Re-usable checks
ProgramStateRef checkNonNull(CheckerContext &C, ProgramStateRef State,
                             AnyArgExpr Arg, SVal l) const;
ProgramStateRef CheckLocation(CheckerContext &C, ProgramStateRef state,
                              AnyArgExpr Buffer, SVal Element,
                              AccessKind Access) const;
ProgramStateRef CheckBufferAccess(CheckerContext &C, ProgramStateRef State,
                                  AnyArgExpr Buffer, SizeArgExpr Size,
                                  AccessKind Access) const;
ProgramStateRef CheckOverlap(CheckerContext &C, ProgramStateRef state,
                             SizeArgExpr Size, AnyArgExpr First,
                             AnyArgExpr Second) const;
void emitOverlapBug(CheckerContext &C,
                    ProgramStateRef state,
                    const Stmt *First,
                    const Stmt *Second) const;

void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S,
                    StringRef WarningMsg) const;
void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State,
                        const Stmt *S, StringRef WarningMsg) const;
void emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
                       const Stmt *S, StringRef WarningMsg) const;
void emitAdditionOverflowBug(CheckerContext &C, ProgramStateRef State) const;

ProgramStateRef checkAdditionOverflow(CheckerContext &C,
                                          ProgramStateRef state,
                                          NonLoc left,
                                          NonLoc right) const;

// Return true if the destination buffer of the copy function may be in bound.
// Expects SVal of Size to be positive and unsigned.
// Expects SVal of FirstBuf to be a FieldRegion.
static bool IsFirstBufInBound(CheckerContext &C,
                              ProgramStateRef state,
                              const Expr *FirstBuf,
                              const Expr *Size);
272};

274} //end anonymous namespace

276REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)namespace { class CStringLength {}; using CStringLengthTy = llvm
::ImmutableMap<const MemRegion *, SVal>; } namespace clang
 { namespace ento { template <> struct ProgramStateTrait
<CStringLength> : public ProgramStatePartialTrait<CStringLengthTy
> { static void *GDMIndex() { static int Index; return &
Index; } }; } }

278//===----------------------------------------------------------------------===//
279// Individual checks and utility methods.
280//===----------------------------------------------------------------------===//

282std::pair<ProgramStateRef , ProgramStateRef >
283CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V,
                         QualType Ty) {
Optional<DefinedSVal> val = V.getAs<DefinedSVal>();
if (!val)
  return std::pair<ProgramStateRef , ProgramStateRef >(state, state);

SValBuilder &svalBuilder = C.getSValBuilder();
DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
return state->assume(svalBuilder.evalEQ(state, *val, zero));
292}

294ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
                                           ProgramStateRef State,
                                           AnyArgExpr Arg, SVal l) const {
// If a previous check has failed, propagate the failure.
if (!State)
  return nullptr;

ProgramStateRef stateNull, stateNonNull;
std::tie(stateNull, stateNonNull) =
    assumeZero(C, State, l, Arg.Expression->getType());

if (stateNull && !stateNonNull) {
  if (Filter.CheckCStringNullArg) {
    SmallString<80> buf;
    llvm::raw_svector_ostream OS(buf);
    assert(CurrentFunctionDescription)(static_cast <bool> (CurrentFunctionDescription) ? void
 (0) : __assert_fail ("CurrentFunctionDescription", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 309, __extension__ __PRETTY_FUNCTION__));
    OS << "Null pointer passed as " << (Arg.ArgumentIndex + 1)
       << llvm::getOrdinalSuffix(Arg.ArgumentIndex + 1) << " argument to "
       << CurrentFunctionDescription;

    emitNullArgBug(C, stateNull, Arg.Expression, OS.str());
  }
  return nullptr;
}

// From here on, assume that the value is non-null.
assert(stateNonNull)(static_cast <bool> (stateNonNull) ? void (0) : __assert_fail
 ("stateNonNull", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 320, __extension__ __PRETTY_FUNCTION__));
return stateNonNull;
322}

324// FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
325ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
                                            ProgramStateRef state,
                                            AnyArgExpr Buffer, SVal Element,
                                            AccessKind Access) const {

// If a previous check has failed, propagate the failure.
if (!state)
  return nullptr;

// Check for out of bound array element access.
const MemRegion *R = Element.getAsRegion();
if (!R)
  return state;

const auto *ER = dyn_cast<ElementRegion>(R);
if (!ER)
  return state;

if (ER->getValueType() != C.getASTContext().CharTy)
  return state;

// Get the size of the array.
const auto *superReg = cast<SubRegion>(ER->getSuperRegion());
DefinedOrUnknownSVal Size =
    getDynamicExtent(state, superReg, C.getSValBuilder());

// Get the index of the accessed element.
DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();

ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
if (StOutBound && !StInBound) {
  // These checks are either enabled by the CString out-of-bounds checker
  // explicitly or implicitly by the Malloc checker.
  // In the latter case we only do modeling but do not emit warning.
  if (!Filter.CheckCStringOutOfBounds)
    return nullptr;

  // Emit a bug report.
  ErrorMessage Message =
      createOutOfBoundErrorMsg(CurrentFunctionDescription, Access);
  emitOutOfBoundsBug(C, StOutBound, Buffer.Expression, Message);
  return nullptr;
}

// Array bound check succeeded.  From this point forward the array bound
// should always succeed.
return StInBound;
373}

375ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
                                                ProgramStateRef State,
                                                AnyArgExpr Buffer,
                                                SizeArgExpr Size,
                                                AccessKind Access) const {
// If a previous check has failed, propagate the failure.
if (!State)
  return nullptr;

SValBuilder &svalBuilder = C.getSValBuilder();
ASTContext &Ctx = svalBuilder.getContext();

QualType SizeTy = Size.Expression->getType();
QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);

// Check that the first buffer is non-null.
SVal BufVal = C.getSVal(Buffer.Expression);
State = checkNonNull(C, State, Buffer, BufVal);
if (!State)
  return nullptr;

// If out-of-bounds checking is turned off, skip the rest.
if (!Filter.CheckCStringOutOfBounds)
  return State;

// Get the access length and make sure it is known.
// FIXME: This assumes the caller has already checked that the access length
// is positive. And that it's unsigned.
SVal LengthVal = C.getSVal(Size.Expression);
Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
if (!Length)
  return State;

// Compute the offset of the last element to be accessed: size-1.
NonLoc One = svalBuilder.makeIntVal(1, SizeTy).castAs<NonLoc>();
SVal Offset = svalBuilder.evalBinOpNN(State, BO_Sub, *Length, One, SizeTy);
if (Offset.isUnknown())
  return nullptr;
NonLoc LastOffset = Offset.castAs<NonLoc>();

// Check that the first buffer is sufficiently long.
SVal BufStart =
    svalBuilder.evalCast(BufVal, PtrTy, Buffer.Expression->getType());
if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {

  SVal BufEnd =
      svalBuilder.evalBinOpLN(State, BO_Add, *BufLoc, LastOffset, PtrTy);

  State = CheckLocation(C, State, Buffer, BufEnd, Access);

  // If the buffer isn't large enough, abort.
  if (!State)
    return nullptr;
}

// Large enough or not, return this state!
return State;
432}

434ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
                                           ProgramStateRef state,
                                           SizeArgExpr Size, AnyArgExpr First,
                                           AnyArgExpr Second) const {
if (!Filter.CheckCStringBufferOverlap)
  return state;

// Do a simple check for overlap: if the two arguments are from the same
// buffer, see if the end of the first is greater than the start of the second
// or vice versa.

// If a previous check has failed, propagate the failure.
if (!state)
  return nullptr;

ProgramStateRef stateTrue, stateFalse;

// Get the buffer values and make sure they're known locations.
const LocationContext *LCtx = C.getLocationContext();
SVal firstVal = state->getSVal(First.Expression, LCtx);
SVal secondVal = state->getSVal(Second.Expression, LCtx);

Optional<Loc> firstLoc = firstVal.getAs<Loc>();
if (!firstLoc)
  return state;

Optional<Loc> secondLoc = secondVal.getAs<Loc>();
if (!secondLoc)
  return state;

// Are the two values the same?
SValBuilder &svalBuilder = C.getSValBuilder();
std::tie(stateTrue, stateFalse) =
    state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));

if (stateTrue && !stateFalse) {
  // If the values are known to be equal, that's automatically an overlap.
  emitOverlapBug(C, stateTrue, First.Expression, Second.Expression);
  return nullptr;
}

// assume the two expressions are not equal.
assert(stateFalse)(static_cast <bool> (stateFalse) ? void (0) : __assert_fail
 ("stateFalse", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 476, __extension__ __PRETTY_FUNCTION__));
state = stateFalse;

// Which value comes first?
QualType cmpTy = svalBuilder.getConditionType();
SVal reverse =
    svalBuilder.evalBinOpLL(state, BO_GT, *firstLoc, *secondLoc, cmpTy);
Optional<DefinedOrUnknownSVal> reverseTest =
    reverse.getAs<DefinedOrUnknownSVal>();
if (!reverseTest)
  return state;

std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
if (stateTrue) {
  if (stateFalse) {
    // If we don't know which one comes first, we can't perform this test.
    return state;
  } else {
    // Switch the values so that firstVal is before secondVal.
    std::swap(firstLoc, secondLoc);

    // Switch the Exprs as well, so that they still correspond.
    std::swap(First, Second);
  }
}

// Get the length, and make sure it too is known.
SVal LengthVal = state->getSVal(Size.Expression, LCtx);
Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
if (!Length)
  return state;

// Convert the first buffer's start address to char*.
// Bail out if the cast fails.
ASTContext &Ctx = svalBuilder.getContext();
QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
SVal FirstStart =
    svalBuilder.evalCast(*firstLoc, CharPtrTy, First.Expression->getType());
Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>();
if (!FirstStartLoc)
  return state;

// Compute the end of the first buffer. Bail out if THAT fails.
SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add, *FirstStartLoc,
                                        *Length, CharPtrTy);
Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>();
if (!FirstEndLoc)
  return state;

// Is the end of the first buffer past the start of the second buffer?
SVal Overlap =
    svalBuilder.evalBinOpLL(state, BO_GT, *FirstEndLoc, *secondLoc, cmpTy);
Optional<DefinedOrUnknownSVal> OverlapTest =
    Overlap.getAs<DefinedOrUnknownSVal>();
if (!OverlapTest)
  return state;

std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);

if (stateTrue && !stateFalse) {
  // Overlap!
  emitOverlapBug(C, stateTrue, First.Expression, Second.Expression);
  return nullptr;
}

// assume the two expressions don't overlap.
assert(stateFalse)(static_cast <bool> (stateFalse) ? void (0) : __assert_fail
 ("stateFalse", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 542, __extension__ __PRETTY_FUNCTION__));
return stateFalse;
544}

546void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
                                const Stmt *First, const Stmt *Second) const {
ExplodedNode *N = C.generateErrorNode(state);
if (!N)
  return;

if (!BT_Overlap)
  BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
                               categories::UnixAPI, "Improper arguments"));

// Generate a report for this bug.
auto report = std::make_unique<PathSensitiveBugReport>(
    *BT_Overlap, "Arguments must not be overlapping buffers", N);
report->addRange(First->getSourceRange());
report->addRange(Second->getSourceRange());

C.emitReport(std::move(report));
563}

565void CStringChecker::emitNullArgBug(CheckerContext &C, ProgramStateRef State,
                                  const Stmt *S, StringRef WarningMsg) const {
if (ExplodedNode *N = C.generateErrorNode(State)) {
  if (!BT_Null)
    BT_Null.reset(new BuiltinBug(
        Filter.CheckNameCStringNullArg, categories::UnixAPI,
        "Null pointer argument in call to byte string function"));

  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Null.get());
  auto Report = std::make_unique<PathSensitiveBugReport>(*BT, WarningMsg, N);
  Report->addRange(S->getSourceRange());
  if (const auto *Ex = dyn_cast<Expr>(S))
    bugreporter::trackExpressionValue(N, Ex, *Report);
  C.emitReport(std::move(Report));
}
580}

582void CStringChecker::emitOutOfBoundsBug(CheckerContext &C,
                                      ProgramStateRef State, const Stmt *S,
                                      StringRef WarningMsg) const {
if (ExplodedNode *N = C.generateErrorNode(State)) {
  if (!BT_Bounds)
    BT_Bounds.reset(new BuiltinBug(
        Filter.CheckCStringOutOfBounds ? Filter.CheckNameCStringOutOfBounds
                                       : Filter.CheckNameCStringNullArg,
        "Out-of-bound array access",
        "Byte string function accesses out-of-bound array element"));

  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Bounds.get());

  // FIXME: It would be nice to eventually make this diagnostic more clear,
  // e.g., by referencing the original declaration or by saying *why* this
  // reference is outside the range.
  auto Report = std::make_unique<PathSensitiveBugReport>(*BT, WarningMsg, N);
  Report->addRange(S->getSourceRange());
  C.emitReport(std::move(Report));
}
602}

604void CStringChecker::emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
                                     const Stmt *S,
                                     StringRef WarningMsg) const {
if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
  if (!BT_NotCString)
    BT_NotCString.reset(new BuiltinBug(
        Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
        "Argument is not a null-terminated string."));

  auto Report =
      std::make_unique<PathSensitiveBugReport>(*BT_NotCString, WarningMsg, N);

  Report->addRange(S->getSourceRange());
  C.emitReport(std::move(Report));
}
619}

621void CStringChecker::emitAdditionOverflowBug(CheckerContext &C,
                                           ProgramStateRef State) const {
if (ExplodedNode *N = C.generateErrorNode(State)) {
  if (!BT_NotCString)
    BT_NotCString.reset(
        new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
                       "Sum of expressions causes overflow."));

  // This isn't a great error message, but this should never occur in real
  // code anyway -- you'd have to create a buffer longer than a size_t can
  // represent, which is sort of a contradiction.
  const char *WarningMsg =
      "This expression will create a string whose length is too big to "
      "be represented as a size_t";

  auto Report =
      std::make_unique<PathSensitiveBugReport>(*BT_NotCString, WarningMsg, N);
  C.emitReport(std::move(Report));
}
640}

642ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
                                                   ProgramStateRef state,
                                                   NonLoc left,
                                                   NonLoc right) const {
// If out-of-bounds checking is turned off, skip the rest.
if (!Filter.CheckCStringOutOfBounds)
  return state;

// If a previous check has failed, propagate the failure.
if (!state)
  return nullptr;

SValBuilder &svalBuilder = C.getSValBuilder();
BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();

QualType sizeTy = svalBuilder.getContext().getSizeType();
const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);

SVal maxMinusRight;
if (right.getAs<nonloc::ConcreteInt>()) {
  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
                                               sizeTy);
} else {
  // Try switching the operands. (The order of these two assignments is
  // important!)
  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
                                          sizeTy);
  left = right;
}

if (Optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) {
  QualType cmpTy = svalBuilder.getConditionType();
  // If left > max - right, we have an overflow.
  SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
                                              *maxMinusRightNL, cmpTy);

  ProgramStateRef stateOverflow, stateOkay;
  std::tie(stateOverflow, stateOkay) =
    state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());

  if (stateOverflow && !stateOkay) {
    // We have an overflow. Emit a bug report.
    emitAdditionOverflowBug(C, stateOverflow);
    return nullptr;
  }

  // From now on, assume an overflow didn't occur.
  assert(stateOkay)(static_cast <bool> (stateOkay) ? void (0) : __assert_fail
 ("stateOkay", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 690, __extension__ __PRETTY_FUNCTION__));
  state = stateOkay;
}

return state;
695}

697ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state,
                                              const MemRegion *MR,
                                              SVal strLength) {
assert(!strLength.isUndef() && "Attempt to set an undefined string length")(static_cast <bool> (!strLength.isUndef() && "Attempt to set an undefined string length"
) ? void (0) : __assert_fail ("!strLength.isUndef() && \"Attempt to set an undefined string length\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 700, __extension__ __PRETTY_FUNCTION__));

MR = MR->StripCasts();

switch (MR->getKind()) {
case MemRegion::StringRegionKind:
  // FIXME: This can happen if we strcpy() into a string region. This is
  // undefined [C99 6.4.5p6], but we should still warn about it.
  return state;

case MemRegion::SymbolicRegionKind:
case MemRegion::AllocaRegionKind:
case MemRegion::NonParamVarRegionKind:
case MemRegion::ParamVarRegionKind:
case MemRegion::FieldRegionKind:
case MemRegion::ObjCIvarRegionKind:
  // These are the types we can currently track string lengths for.
  break;

case MemRegion::ElementRegionKind:
  // FIXME: Handle element regions by upper-bounding the parent region's
  // string length.
  return state;

default:
  // Other regions (mostly non-data) can't have a reliable C string length.
  // For now, just ignore the change.
  // FIXME: These are rare but not impossible. We should output some kind of
  // warning for things like strcpy((char[]){'a', 0}, "b");
  return state;
}

if (strLength.isUnknown())
  return state->remove<CStringLength>(MR);

return state->set<CStringLength>(MR, strLength);
736}

738SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C,
                                             ProgramStateRef &state,
                                             const Expr *Ex,
                                             const MemRegion *MR,
                                             bool hypothetical) {
if (!hypothetical) {
  // If there's a recorded length, go ahead and return it.
  const SVal *Recorded = state->get<CStringLength>(MR);
  if (Recorded)
    return *Recorded;
}

// Otherwise, get a new symbol and update the state.
SValBuilder &svalBuilder = C.getSValBuilder();
QualType sizeTy = svalBuilder.getContext().getSizeType();
SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(),
                                                  MR, Ex, sizeTy,
                                                  C.getLocationContext(),
                                                  C.blockCount());

if (!hypothetical) {
  if (Optional<NonLoc> strLn = strLength.getAs<NonLoc>()) {
    // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4
    BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
    const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
    llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4);
    const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt,
                                                      fourInt);
    NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt);
    SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn,
                                              maxLength, sizeTy);
    state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true);
  }
  state = state->set<CStringLength>(MR, strLength);
}

return strLength;
775}

777SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
                                    const Expr *Ex, SVal Buf,
                                    bool hypothetical) const {
const MemRegion *MR = Buf.getAsRegion();
if (!MR) {
  // If we can't get a region, see if it's something we /know/ isn't a
  // C string. In the context of locations, the only time we can issue such
  // a warning is for labels.
  if (Optional<loc::GotoLabel> Label = Buf.getAs<loc::GotoLabel>()) {
    if (Filter.CheckCStringNotNullTerm) {
      SmallString<120> buf;
      llvm::raw_svector_ostream os(buf);
      assert(CurrentFunctionDescription)(static_cast <bool> (CurrentFunctionDescription) ? void
 (0) : __assert_fail ("CurrentFunctionDescription", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 789, __extension__ __PRETTY_FUNCTION__));
      os << "Argument to " << CurrentFunctionDescription
         << " is the address of the label '" << Label->getLabel()->getName()
         << "', which is not a null-terminated string";

      emitNotCStringBug(C, state, Ex, os.str());
    }
    return UndefinedVal();
  }

  // If it's not a region and not a label, give up.
  return UnknownVal();
}

// If we have a region, strip casts from it and see if we can figure out
// its length. For anything we can't figure out, just return UnknownVal.
MR = MR->StripCasts();

switch (MR->getKind()) {
case MemRegion::StringRegionKind: {
  // Modifying the contents of string regions is undefined [C99 6.4.5p6],
  // so we can assume that the byte length is the correct C string length.
  SValBuilder &svalBuilder = C.getSValBuilder();
  QualType sizeTy = svalBuilder.getContext().getSizeType();
  const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral();
  return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy);
}
case MemRegion::SymbolicRegionKind:
case MemRegion::AllocaRegionKind:
case MemRegion::NonParamVarRegionKind:
case MemRegion::ParamVarRegionKind:
case MemRegion::FieldRegionKind:
case MemRegion::ObjCIvarRegionKind:
  return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
case MemRegion::CompoundLiteralRegionKind:
  // FIXME: Can we track this? Is it necessary?
  return UnknownVal();
case MemRegion::ElementRegionKind:
  // FIXME: How can we handle this? It's not good enough to subtract the
  // offset from the base string length; consider "123\x00567" and &a[5].
  return UnknownVal();
default:
  // Other regions (mostly non-data) can't have a reliable C string length.
  // In this case, an error is emitted and UndefinedVal is returned.
  // The caller should always be prepared to handle this case.
  if (Filter.CheckCStringNotNullTerm) {
    SmallString<120> buf;
    llvm::raw_svector_ostream os(buf);

    assert(CurrentFunctionDescription)(static_cast <bool> (CurrentFunctionDescription) ? void
 (0) : __assert_fail ("CurrentFunctionDescription", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 838, __extension__ __PRETTY_FUNCTION__));
    os << "Argument to " << CurrentFunctionDescription << " is ";

    if (SummarizeRegion(os, C.getASTContext(), MR))
      os << ", which is not a null-terminated string";
    else
      os << "not a null-terminated string";

    emitNotCStringBug(C, state, Ex, os.str());
  }
  return UndefinedVal();
}
850}

852const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
ProgramStateRef &state, const Expr *expr, SVal val) const {

// Get the memory region pointed to by the val.
const MemRegion *bufRegion = val.getAsRegion();
if (!bufRegion)
  return nullptr;

// Strip casts off the memory region.
bufRegion = bufRegion->StripCasts();

// Cast the memory region to a string region.
const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
if (!strRegion)
  return nullptr;

// Return the actual string in the string region.
return strRegion->getStringLiteral();
870}

872bool CStringChecker::IsFirstBufInBound(CheckerContext &C,
                                     ProgramStateRef state,
                                     const Expr *FirstBuf,
                                     const Expr *Size) {
// If we do not know that the buffer is long enough we return 'true'.
// Otherwise the parent region of this field region would also get
// invalidated, which would lead to warnings based on an unknown state.

// Originally copied from CheckBufferAccess and CheckLocation.
SValBuilder &svalBuilder = C.getSValBuilder();
ASTContext &Ctx = svalBuilder.getContext();
const LocationContext *LCtx = C.getLocationContext();

QualType sizeTy = Size->getType();
QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
SVal BufVal = state->getSVal(FirstBuf, LCtx);

SVal LengthVal = state->getSVal(Size, LCtx);
Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
if (!Length)
  return true; // cf top comment.

// Compute the offset of the last element to be accessed: size-1.
NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
if (Offset.isUnknown())
  return true; // cf top comment
NonLoc LastOffset = Offset.castAs<NonLoc>();

// Check that the first buffer is sufficiently long.
SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
Optional<Loc> BufLoc = BufStart.getAs<Loc>();
if (!BufLoc)
  return true; // cf top comment.

SVal BufEnd =
    svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy);

// Check for out of bound array element access.
const MemRegion *R = BufEnd.getAsRegion();
if (!R)
  return true; // cf top comment.

const ElementRegion *ER = dyn_cast<ElementRegion>(R);
if (!ER)
  return true; // cf top comment.

// FIXME: Does this crash when a non-standard definition
// of a library function is encountered?
assert(ER->getValueType() == C.getASTContext().CharTy &&(static_cast <bool> (ER->getValueType() == C.getASTContext
().CharTy && "IsFirstBufInBound should only be called with char* ElementRegions"
) ? void (0) : __assert_fail ("ER->getValueType() == C.getASTContext().CharTy && \"IsFirstBufInBound should only be called with char* ElementRegions\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 922, __extension__ __PRETTY_FUNCTION__))
       "IsFirstBufInBound should only be called with char* ElementRegions")(static_cast <bool> (ER->getValueType() == C.getASTContext
().CharTy && "IsFirstBufInBound should only be called with char* ElementRegions"
) ? void (0) : __assert_fail ("ER->getValueType() == C.getASTContext().CharTy && \"IsFirstBufInBound should only be called with char* ElementRegions\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 922, __extension__ __PRETTY_FUNCTION__));

// Get the size of the array.
const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
DefinedOrUnknownSVal SizeDV = getDynamicExtent(state, superReg, svalBuilder);

// Get the index of the accessed element.
DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();

ProgramStateRef StInBound = state->assumeInBound(Idx, SizeDV, true);

return static_cast<bool>(StInBound);
934}

936ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
                                               ProgramStateRef state,
                                               const Expr *E, SVal V,
                                               bool IsSourceBuffer,
                                               const Expr *Size) {
Optional<Loc> L = V.getAs<Loc>();
if (!L)
  return state;

// FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
// some assumptions about the value that CFRefCount can't. Even so, it should
// probably be refactored.
if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
  const MemRegion *R = MR->getRegion()->StripCasts();

  // Are we dealing with an ElementRegion?  If so, we should be invalidating
  // the super-region.
  if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
    R = ER->getSuperRegion();
    // FIXME: What about layers of ElementRegions?
  }

  // Invalidate this region.
  const LocationContext *LCtx = C.getPredecessor()->getLocationContext();

  bool CausesPointerEscape = false;
  RegionAndSymbolInvalidationTraits ITraits;
  // Invalidate and escape only indirect regions accessible through the source
  // buffer.
  if (IsSourceBuffer) {
    ITraits.setTrait(R->getBaseRegion(),
                     RegionAndSymbolInvalidationTraits::TK_PreserveContents);
    ITraits.setTrait(R, RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
    CausesPointerEscape = true;
  } else {
    const MemRegion::Kind& K = R->getKind();
    if (K == MemRegion::FieldRegionKind)
      if (Size && IsFirstBufInBound(C, state, E, Size)) {
        // If destination buffer is a field region and access is in bound,
        // do not invalidate its super region.
        ITraits.setTrait(
            R,
            RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
      }
  }

  return state->invalidateRegions(R, E, C.blockCount(), LCtx,
                                  CausesPointerEscape, nullptr, nullptr,
                                  &ITraits);
}

// If we have a non-region value by chance, just remove the binding.
// FIXME: is this necessary or correct? This handles the non-Region
//  cases.  Is it ever valid to store to these?
return state->killBinding(*L);
991}

993bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
                                   const MemRegion *MR) {
switch (MR->getKind()) {
case MemRegion::FunctionCodeRegionKind: {
  if (const auto *FD = cast<FunctionCodeRegion>(MR)->getDecl())
    os << "the address of the function '" << *FD << '\'';
  else
    os << "the address of a function";
  return true;
}
case MemRegion::BlockCodeRegionKind:
  os << "block text";
  return true;
case MemRegion::BlockDataRegionKind:
  os << "a block";
  return true;
case MemRegion::CXXThisRegionKind:
case MemRegion::CXXTempObjectRegionKind:
  os << "a C++ temp object of type "
     << cast<TypedValueRegion>(MR)->getValueType().getAsString();
  return true;
case MemRegion::NonParamVarRegionKind:
  os << "a variable of type"
     << cast<TypedValueRegion>(MR)->getValueType().getAsString();
  return true;
case MemRegion::ParamVarRegionKind:
  os << "a parameter of type"
     << cast<TypedValueRegion>(MR)->getValueType().getAsString();
  return true;
case MemRegion::FieldRegionKind:
  os << "a field of type "
     << cast<TypedValueRegion>(MR)->getValueType().getAsString();
  return true;
case MemRegion::ObjCIvarRegionKind:
  os << "an instance variable of type "
     << cast<TypedValueRegion>(MR)->getValueType().getAsString();
  return true;
default:
  return false;
}
1033}

1035bool CStringChecker::memsetAux(const Expr *DstBuffer, SVal CharVal,
                             const Expr *Size, CheckerContext &C,
                             ProgramStateRef &State) {
SVal MemVal = C.getSVal(DstBuffer);
SVal SizeVal = C.getSVal(Size);
const MemRegion *MR = MemVal.getAsRegion();
if (!MR)
  return false;

// We're about to model memset by producing a "default binding" in the Store.
// Our current implementation - RegionStore - doesn't support default bindings
// that don't cover the whole base region. So we should first get the offset
// and the base region to figure out whether the offset of buffer is 0.
RegionOffset Offset = MR->getAsOffset();
const MemRegion *BR = Offset.getRegion();

Optional<NonLoc> SizeNL = SizeVal.getAs<NonLoc>();
if (!SizeNL)
  return false;

SValBuilder &svalBuilder = C.getSValBuilder();
ASTContext &Ctx = C.getASTContext();

// void *memset(void *dest, int ch, size_t count);
// For now we can only handle the case of offset is 0 and concrete char value.
if (Offset.isValid() && !Offset.hasSymbolicOffset() &&
    Offset.getOffset() == 0) {
  // Get the base region's size.
  DefinedOrUnknownSVal SizeDV = getDynamicExtent(State, BR, svalBuilder);

  ProgramStateRef StateWholeReg, StateNotWholeReg;
  std::tie(StateWholeReg, StateNotWholeReg) =
      State->assume(svalBuilder.evalEQ(State, SizeDV, *SizeNL));

  // With the semantic of 'memset()', we should convert the CharVal to
  // unsigned char.
  CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy);

  ProgramStateRef StateNullChar, StateNonNullChar;
  std::tie(StateNullChar, StateNonNullChar) =
      assumeZero(C, State, CharVal, Ctx.UnsignedCharTy);

  if (StateWholeReg && !StateNotWholeReg && StateNullChar &&
      !StateNonNullChar) {
    // If the 'memset()' acts on the whole region of destination buffer and
    // the value of the second argument of 'memset()' is zero, bind the second
    // argument's value to the destination buffer with 'default binding'.
    // FIXME: Since there is no perfect way to bind the non-zero character, we
    // can only deal with zero value here. In the future, we need to deal with
    // the binding of non-zero value in the case of whole region.
    State = State->bindDefaultZero(svalBuilder.makeLoc(BR),
                                   C.getLocationContext());
  } else {
    // If the destination buffer's extent is not equal to the value of
    // third argument, just invalidate buffer.
    State = InvalidateBuffer(C, State, DstBuffer, MemVal,
                             /*IsSourceBuffer*/ false, Size);
  }

  if (StateNullChar && !StateNonNullChar) {
    // If the value of the second argument of 'memset()' is zero, set the
    // string length of destination buffer to 0 directly.
    State = setCStringLength(State, MR,
                             svalBuilder.makeZeroVal(Ctx.getSizeType()));
  } else if (!StateNullChar && StateNonNullChar) {
    SVal NewStrLen = svalBuilder.getMetadataSymbolVal(
        CStringChecker::getTag(), MR, DstBuffer, Ctx.getSizeType(),
        C.getLocationContext(), C.blockCount());

    // If the value of second argument is not zero, then the string length
    // is at least the size argument.
    SVal NewStrLenGESize = svalBuilder.evalBinOp(
        State, BO_GE, NewStrLen, SizeVal, svalBuilder.getConditionType());

    State = setCStringLength(
        State->assume(NewStrLenGESize.castAs<DefinedOrUnknownSVal>(), true),
        MR, NewStrLen);
  }
} else {
  // If the offset is not zero and char value is not concrete, we can do
  // nothing but invalidate the buffer.
  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
                           /*IsSourceBuffer*/ false, Size);
}
return true;
1120}

1122//===----------------------------------------------------------------------===//
1123// evaluation of individual function calls.
1124//===----------------------------------------------------------------------===//

1126void CStringChecker::evalCopyCommon(CheckerContext &C, const CallExpr *CE,
                                  ProgramStateRef state, SizeArgExpr Size,
                                  DestinationArgExpr Dest,
                                  SourceArgExpr Source, bool Restricted,
                                  bool IsMempcpy) const {
CurrentFunctionDescription = "memory copy function";

// See if the size argument is zero.
const LocationContext *LCtx = C.getLocationContext();
SVal sizeVal = state->getSVal(Size.Expression, LCtx);
QualType sizeTy = Size.Expression->getType();

ProgramStateRef stateZeroSize, stateNonZeroSize;
std::tie(stateZeroSize, stateNonZeroSize) =
    assumeZero(C, state, sizeVal, sizeTy);

// Get the value of the Dest.
SVal destVal = state->getSVal(Dest.Expression, LCtx);

// If the size is zero, there won't be any actual memory access, so
// just bind the return value to the destination buffer and return.
if (stateZeroSize && !stateNonZeroSize) {
  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal);
  C.addTransition(stateZeroSize);
  return;
}

// If the size can be nonzero, we have to check the other arguments.
if (stateNonZeroSize) {
  state = stateNonZeroSize;

  // Ensure the destination is not null. If it is NULL there will be a
  // NULL pointer dereference.
  state = checkNonNull(C, state, Dest, destVal);
  if (!state)
    return;

  // Get the value of the Src.
  SVal srcVal = state->getSVal(Source.Expression, LCtx);

  // Ensure the source is not null. If it is NULL there will be a
  // NULL pointer dereference.
  state = checkNonNull(C, state, Source, srcVal);
  if (!state)
    return;

  // Ensure the accesses are valid and that the buffers do not overlap.
  state = CheckBufferAccess(C, state, Dest, Size, AccessKind::write);
  state = CheckBufferAccess(C, state, Source, Size, AccessKind::read);

  if (Restricted)
    state = CheckOverlap(C, state, Size, Dest, Source);

  if (!state)
    return;

  // If this is mempcpy, get the byte after the last byte copied and
  // bind the expr.
  if (IsMempcpy) {
    // Get the byte after the last byte copied.
    SValBuilder &SvalBuilder = C.getSValBuilder();
    ASTContext &Ctx = SvalBuilder.getContext();
    QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
    SVal DestRegCharVal =
        SvalBuilder.evalCast(destVal, CharPtrTy, Dest.Expression->getType());
    SVal lastElement = C.getSValBuilder().evalBinOp(
        state, BO_Add, DestRegCharVal, sizeVal, Dest.Expression->getType());
    // If we don't know how much we copied, we can at least
    // conjure a return value for later.
    if (lastElement.isUnknown())
      lastElement = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
                                                        C.blockCount());

    // The byte after the last byte copied is the return value.
    state = state->BindExpr(CE, LCtx, lastElement);
  } else {
    // All other copies return the destination buffer.
    // (Well, bcopy() has a void return type, but this won't hurt.)
    state = state->BindExpr(CE, LCtx, destVal);
  }

  // Invalidate the destination (regular invalidation without pointer-escaping
  // the address of the top-level region).
  // FIXME: Even if we can't perfectly model the copy, we should see if we
  // can use LazyCompoundVals to copy the source values into the destination.
  // This would probably remove any existing bindings past the end of the
  // copied region, but that's still an improvement over blank invalidation.
  state =
      InvalidateBuffer(C, state, Dest.Expression, C.getSVal(Dest.Expression),
                       /*IsSourceBuffer*/ false, Size.Expression);

  // Invalidate the source (const-invalidation without const-pointer-escaping
  // the address of the top-level region).
  state = InvalidateBuffer(C, state, Source.Expression,
                           C.getSVal(Source.Expression),
                           /*IsSourceBuffer*/ true, nullptr);

  C.addTransition(state);
}
1225}

1227void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
// void *memcpy(void *restrict dst, const void *restrict src, size_t n);
// The return value is the address of the destination buffer.
DestinationArgExpr Dest = {CE->getArg(0), 0};
SourceArgExpr Src = {CE->getArg(1), 1};
SizeArgExpr Size = {CE->getArg(2), 2};

ProgramStateRef State = C.getState();

constexpr bool IsRestricted = true;
constexpr bool IsMempcpy = false;
evalCopyCommon(C, CE, State, Size, Dest, Src, IsRestricted, IsMempcpy);
1239}

1241void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const {
// void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
// The return value is a pointer to the byte following the last written byte.
DestinationArgExpr Dest = {CE->getArg(0), 0};
SourceArgExpr Src = {CE->getArg(1), 1};
SizeArgExpr Size = {CE->getArg(2), 2};

constexpr bool IsRestricted = true;
constexpr bool IsMempcpy = true;
evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy);
1251}

1253void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const {
// void *memmove(void *dst, const void *src, size_t n);
// The return value is the address of the destination buffer.
DestinationArgExpr Dest = {CE->getArg(0), 0};
SourceArgExpr Src = {CE->getArg(1), 1};
SizeArgExpr Size = {CE->getArg(2), 2};

constexpr bool IsRestricted = false;
constexpr bool IsMempcpy = false;
evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy);
1263}

1265void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
// void bcopy(const void *src, void *dst, size_t n);
SourceArgExpr Src(CE->getArg(0), 0);
DestinationArgExpr Dest = {CE->getArg(1), 1};
SizeArgExpr Size = {CE->getArg(2), 2};

constexpr bool IsRestricted = false;
constexpr bool IsMempcpy = false;
evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy);
1274}

1276void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
// int memcmp(const void *s1, const void *s2, size_t n);
CurrentFunctionDescription = "memory comparison function";

AnyArgExpr Left = {CE->getArg(0), 0};
AnyArgExpr Right = {CE->getArg(1), 1};
SizeArgExpr Size = {CE->getArg(2), 2};

ProgramStateRef State = C.getState();
SValBuilder &Builder = C.getSValBuilder();
const LocationContext *LCtx = C.getLocationContext();

// See if the size argument is zero.
SVal sizeVal = State->getSVal(Size.Expression, LCtx);
QualType sizeTy = Size.Expression->getType();

ProgramStateRef stateZeroSize, stateNonZeroSize;
std::tie(stateZeroSize, stateNonZeroSize) =
    assumeZero(C, State, sizeVal, sizeTy);

// If the size can be zero, the result will be 0 in that case, and we don't
// have to check either of the buffers.
if (stateZeroSize) {
  State = stateZeroSize;
  State = State->BindExpr(CE, LCtx, Builder.makeZeroVal(CE->getType()));
  C.addTransition(State);
}

// If the size can be nonzero, we have to check the other arguments.
if (stateNonZeroSize) {
  State = stateNonZeroSize;
  // If we know the two buffers are the same, we know the result is 0.
  // First, get the two buffers' addresses. Another checker will have already
  // made sure they're not undefined.
  DefinedOrUnknownSVal LV =
      State->getSVal(Left.Expression, LCtx).castAs<DefinedOrUnknownSVal>();
  DefinedOrUnknownSVal RV =
      State->getSVal(Right.Expression, LCtx).castAs<DefinedOrUnknownSVal>();

  // See if they are the same.
  ProgramStateRef SameBuffer, NotSameBuffer;
  std::tie(SameBuffer, NotSameBuffer) =
      State->assume(Builder.evalEQ(State, LV, RV));

  // If the two arguments are the same buffer, we know the result is 0,
  // and we only need to check one size.
  if (SameBuffer && !NotSameBuffer) {
    State = SameBuffer;
    State = CheckBufferAccess(C, State, Left, Size, AccessKind::read);
    if (State) {
      State =
          SameBuffer->BindExpr(CE, LCtx, Builder.makeZeroVal(CE->getType()));
      C.addTransition(State);
    }
    return;
  }

  // If the two arguments might be different buffers, we have to check
  // the size of both of them.
  assert(NotSameBuffer)(static_cast <bool> (NotSameBuffer) ? void (0) : __assert_fail
 ("NotSameBuffer", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 1335, __extension__ __PRETTY_FUNCTION__));
  State = CheckBufferAccess(C, State, Right, Size, AccessKind::read);
  State = CheckBufferAccess(C, State, Left, Size, AccessKind::read);
  if (State) {
    // The return value is the comparison result, which we don't know.
    SVal CmpV = Builder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
    State = State->BindExpr(CE, LCtx, CmpV);
    C.addTransition(State);
  }
}
1345}

1347void CStringChecker::evalstrLength(CheckerContext &C,
                                 const CallExpr *CE) const {
// size_t strlen(const char *s);
evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
1351}

1353void CStringChecker::evalstrnLength(CheckerContext &C,
                                  const CallExpr *CE) const {
// size_t strnlen(const char *s, size_t maxlen);
evalstrLengthCommon(C, CE, /* IsStrnlen = */ true);
1
Calling 'CStringChecker::evalstrLengthCommon'→
1357}

1359void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
                                       bool IsStrnlen) const {
CurrentFunctionDescription = "string length function";
ProgramStateRef state = C.getState();
2
←
Calling copy constructor for 'IntrusiveRefCntPtr<const clang::ento::ProgramState>'→
7
←
Returning from copy constructor for 'IntrusiveRefCntPtr<const clang::ento::ProgramState>'→
const LocationContext *LCtx = C.getLocationContext();

if (IsStrnlen7.1
'IsStrnlen' is true
1
'IsStrnlen' is true
1
'IsStrnlen' is true
1
'IsStrnlen' is true
1
'IsStrnlen' is true
1
'IsStrnlen' is true
) {
8
←
Taking true branch→
  const Expr *maxlenExpr = CE->getArg(1);
  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);

  ProgramStateRef stateZeroSize, stateNonZeroSize;
  std::tie(stateZeroSize, stateNonZeroSize) =
9
←
Calling 'tie<llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState>, llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState>>'→
18
←
Returning from 'tie<llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState>, llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState>>'→
    assumeZero(C, state, maxlenVal, maxlenExpr->getType());

  // If the size can be zero, the result will be 0 in that case, and we don't
  // have to check the string itself.
  if (stateZeroSize) {
19
←
Taking true branch→
    SVal zero = C.getSValBuilder().makeZeroVal(CE->getType());
    stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero);
    C.addTransition(stateZeroSize);
  }

  // If the size is GUARANTEED to be zero, we're done!
  if (!stateNonZeroSize)
20
←
Taking false branch→
    return;

  // Otherwise, record the assumption that the size is nonzero.
  state = stateNonZeroSize;
}

// Check that the string argument is non-null.
AnyArgExpr Arg = {CE->getArg(0), 0};
SVal ArgVal = state->getSVal(Arg.Expression, LCtx);
state = checkNonNull(C, state, Arg, ArgVal);

if (!state)
21
←
Assuming the condition is false→
22
←
Taking false branch→
  return;

SVal strLength = getCStringLength(C, state, Arg.Expression, ArgVal);

// If the argument isn't a valid C string, there's no valid state to
// transition to.
if (strLength.isUndef())
23
←
Calling 'SVal::isUndef'→
26
←
Returning from 'SVal::isUndef'→
27
←
Taking false branch→
  return;

DefinedOrUnknownSVal result = UnknownVal();

// If the check is for strnlen() then bind the return value to no more than
// the maxlen value.
if (IsStrnlen27.1
'IsStrnlen' is true
1
'IsStrnlen' is true
1
'IsStrnlen' is true
1
'IsStrnlen' is true
1
'IsStrnlen' is true
1
'IsStrnlen' is true
) {
28
←
Taking true branch→
  QualType cmpTy = C.getSValBuilder().getConditionType();

  // It's a little unfortunate to be getting this again,
  // but it's not that expensive...
  const Expr *maxlenExpr = CE->getArg(1);
  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);

  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
  Optional<NonLoc> maxlenValNL = maxlenVal.getAs<NonLoc>();

  if (strLengthNL && maxlenValNL) {
29
←
Assuming the condition is true→
30
←
Assuming the condition is true→
31
←
Taking true branch→
    ProgramStateRef stateStringTooLong, stateStringNotTooLong;

    // Check if the strLength is greater than the maxlen.
    std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume(
        C.getSValBuilder()
            .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy)
            .castAs<DefinedOrUnknownSVal>());

    if (stateStringTooLong && !stateStringNotTooLong) {
      // If the string is longer than maxlen, return maxlen.
      result = *maxlenValNL;
    } else if (stateStringNotTooLong && !stateStringTooLong) {
32
←
Taking false branch→
      // If the string is shorter than maxlen, return its length.
      result = *strLengthNL;
    }
  }

  if (result.isUnknown()) {
33
←
Calling 'SVal::isUnknown'→
35
←
Returning from 'SVal::isUnknown'→
36
←
Taking true branch→
    // If we don't have enough information for a comparison, there's
    // no guarantee the full string length will actually be returned.
    // All we know is the return value is the min of the string length
    // and the limit. This is better than nothing.
    result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
                                                 C.blockCount());
    NonLoc resultNL = result.castAs<NonLoc>();

    if (strLengthNL) {
37
←
Taking true branch→
      state = state->assume(C.getSValBuilder().evalBinOpNN(
38
←
Calling 'ProgramState::assume'→
41
←
Returning from 'ProgramState::assume'→
42
←
Calling copy assignment operator for 'IntrusiveRefCntPtr<const clang::ento::ProgramState>'→
47
←
Returning from copy assignment operator for 'IntrusiveRefCntPtr<const clang::ento::ProgramState>'→
                                state, BO_LE, resultNL, *strLengthNL, cmpTy)
                                .castAs<DefinedOrUnknownSVal>(), true);
    }

    if (maxlenValNL) {
48
←
Calling 'Optional::operator bool'→
56
←
Returning from 'Optional::operator bool'→
57
←
Taking true branch→
      state = state->assume(C.getSValBuilder().evalBinOpNN(
58
←
Called C++ object pointer is null
                                state, BO_LE, resultNL, *maxlenValNL, cmpTy)
                                .castAs<DefinedOrUnknownSVal>(), true);
    }
  }

} else {
  // This is a plain strlen(), not strnlen().
  result = strLength.castAs<DefinedOrUnknownSVal>();

  // If we don't know the length of the string, conjure a return
  // value, so it can be used in constraints, at least.
  if (result.isUnknown()) {
    result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
                                                 C.blockCount());
  }
}

// Bind the return value.
assert(!result.isUnknown() && "Should have conjured a value by now")(static_cast <bool> (!result.isUnknown() && "Should have conjured a value by now"
) ? void (0) : __assert_fail ("!result.isUnknown() && \"Should have conjured a value by now\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 1472, __extension__ __PRETTY_FUNCTION__));
state = state->BindExpr(CE, LCtx, result);
C.addTransition(state);
1475}

1477void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
// char *strcpy(char *restrict dst, const char *restrict src);
evalStrcpyCommon(C, CE,
                 /* ReturnEnd = */ false,
                 /* IsBounded = */ false,
                 /* appendK = */ ConcatFnKind::none);
1483}

1485void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
// char *strncpy(char *restrict dst, const char *restrict src, size_t n);
evalStrcpyCommon(C, CE,
                 /* ReturnEnd = */ false,
                 /* IsBounded = */ true,
                 /* appendK = */ ConcatFnKind::none);
1491}

1493void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
// char *stpcpy(char *restrict dst, const char *restrict src);
evalStrcpyCommon(C, CE,
                 /* ReturnEnd = */ true,
                 /* IsBounded = */ false,
                 /* appendK = */ ConcatFnKind::none);
1499}

1501void CStringChecker::evalStrlcpy(CheckerContext &C, const CallExpr *CE) const {
// size_t strlcpy(char *dest, const char *src, size_t size);
evalStrcpyCommon(C, CE,
                 /* ReturnEnd = */ true,
                 /* IsBounded = */ true,
                 /* appendK = */ ConcatFnKind::none,
                 /* returnPtr = */ false);
1508}

1510void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
// char *strcat(char *restrict s1, const char *restrict s2);
evalStrcpyCommon(C, CE,
                 /* ReturnEnd = */ false,
                 /* IsBounded = */ false,
                 /* appendK = */ ConcatFnKind::strcat);
1516}

1518void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
//char *strncat(char *restrict s1, const char *restrict s2, size_t n);
evalStrcpyCommon(C, CE,
                 /* ReturnEnd = */ false,
                 /* IsBounded = */ true,
                 /* appendK = */ ConcatFnKind::strcat);
1524}

1526void CStringChecker::evalStrlcat(CheckerContext &C, const CallExpr *CE) const {
// size_t strlcat(char *dst, const char *src, size_t size);
// It will append at most size - strlen(dst) - 1 bytes,
// NULL-terminating the result.
evalStrcpyCommon(C, CE,
                 /* ReturnEnd = */ false,
                 /* IsBounded = */ true,
                 /* appendK = */ ConcatFnKind::strlcat,
                 /* returnPtr = */ false);
1535}

1537void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
                                    bool ReturnEnd, bool IsBounded,
                                    ConcatFnKind appendK,
                                    bool returnPtr) const {
if (appendK == ConcatFnKind::none)
  CurrentFunctionDescription = "string copy function";
else
  CurrentFunctionDescription = "string concatenation function";

ProgramStateRef state = C.getState();
const LocationContext *LCtx = C.getLocationContext();

// Check that the destination is non-null.
DestinationArgExpr Dst = {CE->getArg(0), 0};
SVal DstVal = state->getSVal(Dst.Expression, LCtx);
state = checkNonNull(C, state, Dst, DstVal);
if (!state)
  return;

// Check that the source is non-null.
SourceArgExpr srcExpr = {CE->getArg(1), 1};
SVal srcVal = state->getSVal(srcExpr.Expression, LCtx);
state = checkNonNull(C, state, srcExpr, srcVal);
if (!state)
  return;

// Get the string length of the source.
SVal strLength = getCStringLength(C, state, srcExpr.Expression, srcVal);
Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();

// Get the string length of the destination buffer.
SVal dstStrLength = getCStringLength(C, state, Dst.Expression, DstVal);
Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();

// If the source isn't a valid C string, give up.
if (strLength.isUndef())
  return;

SValBuilder &svalBuilder = C.getSValBuilder();
QualType cmpTy = svalBuilder.getConditionType();
QualType sizeTy = svalBuilder.getContext().getSizeType();

// These two values allow checking two kinds of errors:
// - actual overflows caused by a source that doesn't fit in the destination
// - potential overflows caused by a bound that could exceed the destination
SVal amountCopied = UnknownVal();
SVal maxLastElementIndex = UnknownVal();
const char *boundWarning = nullptr;

// FIXME: Why do we choose the srcExpr if the access has no size?
//  Note that the 3rd argument of the call would be the size parameter.
SizeArgExpr SrcExprAsSizeDummy = {srcExpr.Expression, srcExpr.ArgumentIndex};
state = CheckOverlap(
    C, state,
    (IsBounded ? SizeArgExpr{CE->getArg(2), 2} : SrcExprAsSizeDummy), Dst,
    srcExpr);

if (!state)
  return;

// If the function is strncpy, strncat, etc... it is bounded.
if (IsBounded) {
  // Get the max number of characters to copy.
  SizeArgExpr lenExpr = {CE->getArg(2), 2};
  SVal lenVal = state->getSVal(lenExpr.Expression, LCtx);

  // Protect against misdeclared strncpy().
  lenVal =
      svalBuilder.evalCast(lenVal, sizeTy, lenExpr.Expression->getType());

  Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();

  // If we know both values, we might be able to figure out how much
  // we're copying.
  if (strLengthNL && lenValNL) {
    switch (appendK) {
    case ConcatFnKind::none:
    case ConcatFnKind::strcat: {
      ProgramStateRef stateSourceTooLong, stateSourceNotTooLong;
      // Check if the max number to copy is less than the length of the src.
      // If the bound is equal to the source length, strncpy won't null-
      // terminate the result!
      std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
          svalBuilder
              .evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
              .castAs<DefinedOrUnknownSVal>());

      if (stateSourceTooLong && !stateSourceNotTooLong) {
        // Max number to copy is less than the length of the src, so the
        // actual strLength copied is the max number arg.
        state = stateSourceTooLong;
        amountCopied = lenVal;

      } else if (!stateSourceTooLong && stateSourceNotTooLong) {
        // The source buffer entirely fits in the bound.
        state = stateSourceNotTooLong;
        amountCopied = strLength;
      }
      break;
    }
    case ConcatFnKind::strlcat:
      if (!dstStrLengthNL)
        return;

      // amountCopied = min (size - dstLen - 1 , srcLen)
      SVal freeSpace = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
                                               *dstStrLengthNL, sizeTy);
      if (!freeSpace.getAs<NonLoc>())
        return;
      freeSpace =
          svalBuilder.evalBinOp(state, BO_Sub, freeSpace,
                                svalBuilder.makeIntVal(1, sizeTy), sizeTy);
      Optional<NonLoc> freeSpaceNL = freeSpace.getAs<NonLoc>();

      // While unlikely, it is possible that the subtraction is
      // too complex to compute, let's check whether it succeeded.
      if (!freeSpaceNL)
        return;
      SVal hasEnoughSpace = svalBuilder.evalBinOpNN(
          state, BO_LE, *strLengthNL, *freeSpaceNL, cmpTy);

      ProgramStateRef TrueState, FalseState;
      std::tie(TrueState, FalseState) =
          state->assume(hasEnoughSpace.castAs<DefinedOrUnknownSVal>());

      // srcStrLength <= size - dstStrLength -1
      if (TrueState && !FalseState) {
        amountCopied = strLength;
      }

      // srcStrLength > size - dstStrLength -1
      if (!TrueState && FalseState) {
        amountCopied = freeSpace;
      }

      if (TrueState && FalseState)
        amountCopied = UnknownVal();
      break;
    }
  }
  // We still want to know if the bound is known to be too large.
  if (lenValNL) {
    switch (appendK) {
    case ConcatFnKind::strcat:
      // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)

      // Get the string length of the destination. If the destination is
      // memory that can't have a string length, we shouldn't be copying
      // into it anyway.
      if (dstStrLength.isUndef())
        return;

      if (dstStrLengthNL) {
        maxLastElementIndex = svalBuilder.evalBinOpNN(
            state, BO_Add, *lenValNL, *dstStrLengthNL, sizeTy);

        boundWarning = "Size argument is greater than the free space in the "
                       "destination buffer";
      }
      break;
    case ConcatFnKind::none:
    case ConcatFnKind::strlcat:
      // For strncpy and strlcat, this is just checking
      //  that lenVal <= sizeof(dst).
      // (Yes, strncpy and strncat differ in how they treat termination.
      // strncat ALWAYS terminates, but strncpy doesn't.)

      // We need a special case for when the copy size is zero, in which
      // case strncpy will do no work at all. Our bounds check uses n-1
      // as the last element accessed, so n == 0 is problematic.
      ProgramStateRef StateZeroSize, StateNonZeroSize;
      std::tie(StateZeroSize, StateNonZeroSize) =
          assumeZero(C, state, *lenValNL, sizeTy);

      // If the size is known to be zero, we're done.
      if (StateZeroSize && !StateNonZeroSize) {
        if (returnPtr) {
          StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
        } else {
          if (appendK == ConcatFnKind::none) {
            // strlcpy returns strlen(src)
            StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, strLength);
          } else {
            // strlcat returns strlen(src) + strlen(dst)
            SVal retSize = svalBuilder.evalBinOp(
                state, BO_Add, strLength, dstStrLength, sizeTy);
            StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, retSize);
          }
        }
        C.addTransition(StateZeroSize);
        return;
      }

      // Otherwise, go ahead and figure out the last element we'll touch.
      // We don't record the non-zero assumption here because we can't
      // be sure. We won't warn on a possible zero.
      NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
      maxLastElementIndex =
          svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL, one, sizeTy);
      boundWarning = "Size argument is greater than the length of the "
                     "destination buffer";
      break;
    }
  }
} else {
  // The function isn't bounded. The amount copied should match the length
  // of the source buffer.
  amountCopied = strLength;
}

assert(state)(static_cast <bool> (state) ? void (0) : __assert_fail (
"state", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 1747, __extension__ __PRETTY_FUNCTION__));

// This represents the number of characters copied into the destination
// buffer. (It may not actually be the strlen if the destination buffer
// is not terminated.)
SVal finalStrLength = UnknownVal();
SVal strlRetVal = UnknownVal();

if (appendK == ConcatFnKind::none && !returnPtr) {
  // strlcpy returns the sizeof(src)
  strlRetVal = strLength;
}

// If this is an appending function (strcat, strncat...) then set the
// string length to strlen(src) + strlen(dst) since the buffer will
// ultimately contain both.
if (appendK != ConcatFnKind::none) {
  // Get the string length of the destination. If the destination is memory
  // that can't have a string length, we shouldn't be copying into it anyway.
  if (dstStrLength.isUndef())
    return;

  if (appendK == ConcatFnKind::strlcat && dstStrLengthNL && strLengthNL) {
    strlRetVal = svalBuilder.evalBinOpNN(state, BO_Add, *strLengthNL,
                                         *dstStrLengthNL, sizeTy);
  }

  Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>();

  // If we know both string lengths, we might know the final string length.
  if (amountCopiedNL && dstStrLengthNL) {
    // Make sure the two lengths together don't overflow a size_t.
    state = checkAdditionOverflow(C, state, *amountCopiedNL, *dstStrLengthNL);
    if (!state)
      return;

    finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *amountCopiedNL,
                                             *dstStrLengthNL, sizeTy);
  }

  // If we couldn't get a single value for the final string length,
  // we can at least bound it by the individual lengths.
  if (finalStrLength.isUnknown()) {
    // Try to get a "hypothetical" string length symbol, which we can later
    // set as a real value if that turns out to be the case.
    finalStrLength = getCStringLength(C, state, CE, DstVal, true);
    assert(!finalStrLength.isUndef())(static_cast <bool> (!finalStrLength.isUndef()) ? void (
0) : __assert_fail ("!finalStrLength.isUndef()", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 1793, __extension__ __PRETTY_FUNCTION__));

    if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) {
      if (amountCopiedNL && appendK == ConcatFnKind::none) {
        // we overwrite dst string with the src
        // finalStrLength >= srcStrLength
        SVal sourceInResult = svalBuilder.evalBinOpNN(
            state, BO_GE, *finalStrLengthNL, *amountCopiedNL, cmpTy);
        state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
                              true);
        if (!state)
          return;
      }

      if (dstStrLengthNL && appendK != ConcatFnKind::none) {
        // we extend the dst string with the src
        // finalStrLength >= dstStrLength
        SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
                                                    *finalStrLengthNL,
                                                    *dstStrLengthNL,
                                                    cmpTy);
        state =
            state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
        if (!state)
          return;
      }
    }
  }

} else {
  // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
  // the final string length will match the input string length.
  finalStrLength = amountCopied;
}

SVal Result;

if (returnPtr) {
  // The final result of the function will either be a pointer past the last
  // copied element, or a pointer to the start of the destination buffer.
  Result = (ReturnEnd ? UnknownVal() : DstVal);
} else {
  if (appendK == ConcatFnKind::strlcat || appendK == ConcatFnKind::none)
    //strlcpy, strlcat
    Result = strlRetVal;
  else
    Result = finalStrLength;
}

assert(state)(static_cast <bool> (state) ? void (0) : __assert_fail (
"state", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 1842, __extension__ __PRETTY_FUNCTION__));

// If the destination is a MemRegion, try to check for a buffer overflow and
// record the new string length.
if (Optional<loc::MemRegionVal> dstRegVal =
    DstVal.getAs<loc::MemRegionVal>()) {
  QualType ptrTy = Dst.Expression->getType();

  // If we have an exact value on a bounded copy, use that to check for
  // overflows, rather than our estimate about how much is actually copied.
  if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
    SVal maxLastElement =
        svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, *maxLastNL, ptrTy);

    state = CheckLocation(C, state, Dst, maxLastElement, AccessKind::write);
    if (!state)
      return;
  }

  // Then, if the final length is known...
  if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
    SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
        *knownStrLength, ptrTy);

    // ...and we haven't checked the bound, we'll check the actual copy.
    if (!boundWarning) {
      state = CheckLocation(C, state, Dst, lastElement, AccessKind::write);
      if (!state)
        return;
    }

    // If this is a stpcpy-style copy, the last element is the return value.
    if (returnPtr && ReturnEnd)
      Result = lastElement;
  }

  // Invalidate the destination (regular invalidation without pointer-escaping
  // the address of the top-level region). This must happen before we set the
  // C string length because invalidation will clear the length.
  // FIXME: Even if we can't perfectly model the copy, we should see if we
  // can use LazyCompoundVals to copy the source values into the destination.
  // This would probably remove any existing bindings past the end of the
  // string, but that's still an improvement over blank invalidation.
  state = InvalidateBuffer(C, state, Dst.Expression, *dstRegVal,
                           /*IsSourceBuffer*/ false, nullptr);

  // Invalidate the source (const-invalidation without const-pointer-escaping
  // the address of the top-level region).
  state = InvalidateBuffer(C, state, srcExpr.Expression, srcVal,
                           /*IsSourceBuffer*/ true, nullptr);

  // Set the C string length of the destination, if we know it.
  if (IsBounded && (appendK == ConcatFnKind::none)) {
    // strncpy is annoying in that it doesn't guarantee to null-terminate
    // the result string. If the original string didn't fit entirely inside
    // the bound (including the null-terminator), we don't know how long the
    // result is.
    if (amountCopied != strLength)
      finalStrLength = UnknownVal();
  }
  state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
}

assert(state)(static_cast <bool> (state) ? void (0) : __assert_fail (
"state", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 1905, __extension__ __PRETTY_FUNCTION__));

if (returnPtr) {
  // If this is a stpcpy-style copy, but we were unable to check for a buffer
  // overflow, we still need a result. Conjure a return value.
  if (ReturnEnd && Result.isUnknown()) {
    Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
  }
}
// Set the return value.
state = state->BindExpr(CE, LCtx, Result);
C.addTransition(state);
1917}

1919void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
//int strcmp(const char *s1, const char *s2);
evalStrcmpCommon(C, CE, /* IsBounded = */ false, /* IgnoreCase = */ false);
1922}

1924void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
//int strncmp(const char *s1, const char *s2, size_t n);
evalStrcmpCommon(C, CE, /* IsBounded = */ true, /* IgnoreCase = */ false);
1927}

1929void CStringChecker::evalStrcasecmp(CheckerContext &C,
  const CallExpr *CE) const {
//int strcasecmp(const char *s1, const char *s2);
evalStrcmpCommon(C, CE, /* IsBounded = */ false, /* IgnoreCase = */ true);
1933}

1935void CStringChecker::evalStrncasecmp(CheckerContext &C,
  const CallExpr *CE) const {
//int strncasecmp(const char *s1, const char *s2, size_t n);
evalStrcmpCommon(C, CE, /* IsBounded = */ true, /* IgnoreCase = */ true);
1939}

1941void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
  bool IsBounded, bool IgnoreCase) const {
CurrentFunctionDescription = "string comparison function";
ProgramStateRef state = C.getState();
const LocationContext *LCtx = C.getLocationContext();

// Check that the first string is non-null
AnyArgExpr Left = {CE->getArg(0), 0};
SVal LeftVal = state->getSVal(Left.Expression, LCtx);
state = checkNonNull(C, state, Left, LeftVal);
if (!state)
  return;

// Check that the second string is non-null.
AnyArgExpr Right = {CE->getArg(1), 1};
SVal RightVal = state->getSVal(Right.Expression, LCtx);
state = checkNonNull(C, state, Right, RightVal);
if (!state)
  return;

// Get the string length of the first string or give up.
SVal LeftLength = getCStringLength(C, state, Left.Expression, LeftVal);
if (LeftLength.isUndef())
  return;

// Get the string length of the second string or give up.
SVal RightLength = getCStringLength(C, state, Right.Expression, RightVal);
if (RightLength.isUndef())
  return;

// If we know the two buffers are the same, we know the result is 0.
// First, get the two buffers' addresses. Another checker will have already
// made sure they're not undefined.
DefinedOrUnknownSVal LV = LeftVal.castAs<DefinedOrUnknownSVal>();
DefinedOrUnknownSVal RV = RightVal.castAs<DefinedOrUnknownSVal>();

// See if they are the same.
SValBuilder &svalBuilder = C.getSValBuilder();
DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
ProgramStateRef StSameBuf, StNotSameBuf;
std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);

// If the two arguments might be the same buffer, we know the result is 0,
// and we only need to check one size.
if (StSameBuf) {
  StSameBuf = StSameBuf->BindExpr(CE, LCtx,
      svalBuilder.makeZeroVal(CE->getType()));
  C.addTransition(StSameBuf);

  // If the two arguments are GUARANTEED to be the same, we're done!
  if (!StNotSameBuf)
    return;
}

assert(StNotSameBuf)(static_cast <bool> (StNotSameBuf) ? void (0) : __assert_fail
 ("StNotSameBuf", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 1995, __extension__ __PRETTY_FUNCTION__));
state = StNotSameBuf;

// At this point we can go about comparing the two buffers.
// For now, we only do this if they're both known string literals.

// Attempt to extract string literals from both expressions.
const StringLiteral *LeftStrLiteral =
    getCStringLiteral(C, state, Left.Expression, LeftVal);
const StringLiteral *RightStrLiteral =
    getCStringLiteral(C, state, Right.Expression, RightVal);
bool canComputeResult = false;
SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
    C.blockCount());

if (LeftStrLiteral && RightStrLiteral) {
  StringRef LeftStrRef = LeftStrLiteral->getString();
  StringRef RightStrRef = RightStrLiteral->getString();

  if (IsBounded) {
    // Get the max number of characters to compare.
    const Expr *lenExpr = CE->getArg(2);
    SVal lenVal = state->getSVal(lenExpr, LCtx);

    // If the length is known, we can get the right substrings.
    if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
      // Create substrings of each to compare the prefix.
      LeftStrRef = LeftStrRef.substr(0, (size_t)len->getZExtValue());
      RightStrRef = RightStrRef.substr(0, (size_t)len->getZExtValue());
      canComputeResult = true;
    }
  } else {
    // This is a normal, unbounded strcmp.
    canComputeResult = true;
  }

  if (canComputeResult) {
    // Real strcmp stops at null characters.
    size_t s1Term = LeftStrRef.find('\0');
    if (s1Term != StringRef::npos)
      LeftStrRef = LeftStrRef.substr(0, s1Term);

    size_t s2Term = RightStrRef.find('\0');
    if (s2Term != StringRef::npos)
      RightStrRef = RightStrRef.substr(0, s2Term);

    // Use StringRef's comparison methods to compute the actual result.
    int compareRes = IgnoreCase ? LeftStrRef.compare_insensitive(RightStrRef)
                                : LeftStrRef.compare(RightStrRef);

    // The strcmp function returns an integer greater than, equal to, or less
    // than zero, [c11, p7.24.4.2].
    if (compareRes == 0) {
      resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
    }
    else {
      DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType());
      // Constrain strcmp's result range based on the result of StringRef's
      // comparison methods.
      BinaryOperatorKind op = (compareRes == 1) ? BO_GT : BO_LT;
      SVal compareWithZero =
        svalBuilder.evalBinOp(state, op, resultVal, zeroVal,
            svalBuilder.getConditionType());
      DefinedSVal compareWithZeroVal = compareWithZero.castAs<DefinedSVal>();
      state = state->assume(compareWithZeroVal, true);
    }
  }
}

state = state->BindExpr(CE, LCtx, resultVal);

// Record this as a possible path.
C.addTransition(state);
2068}

2070void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
//char *strsep(char **stringp, const char *delim);
// Sanity: does the search string parameter match the return type?
SourceArgExpr SearchStrPtr = {CE->getArg(0), 0};

QualType CharPtrTy = SearchStrPtr.Expression->getType()->getPointeeType();
if (CharPtrTy.isNull() ||
    CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType())
  return;

CurrentFunctionDescription = "strsep()";
ProgramStateRef State = C.getState();
const LocationContext *LCtx = C.getLocationContext();

// Check that the search string pointer is non-null (though it may point to
// a null string).
SVal SearchStrVal = State->getSVal(SearchStrPtr.Expression, LCtx);
State = checkNonNull(C, State, SearchStrPtr, SearchStrVal);
if (!State)
  return;

// Check that the delimiter string is non-null.
AnyArgExpr DelimStr = {CE->getArg(1), 1};
SVal DelimStrVal = State->getSVal(DelimStr.Expression, LCtx);
State = checkNonNull(C, State, DelimStr, DelimStrVal);
if (!State)
  return;

SValBuilder &SVB = C.getSValBuilder();
SVal Result;
if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
  // Get the current value of the search string pointer, as a char*.
  Result = State->getSVal(*SearchStrLoc, CharPtrTy);

  // Invalidate the search string, representing the change of one delimiter
  // character to NUL.
  State = InvalidateBuffer(C, State, SearchStrPtr.Expression, Result,
                           /*IsSourceBuffer*/ false, nullptr);

  // Overwrite the search string pointer. The new value is either an address
  // further along in the same string, or NULL if there are no more tokens.
  State = State->bindLoc(*SearchStrLoc,
      SVB.conjureSymbolVal(getTag(),
        CE,
        LCtx,
        CharPtrTy,
        C.blockCount()),
      LCtx);
} else {
  assert(SearchStrVal.isUnknown())(static_cast <bool> (SearchStrVal.isUnknown()) ? void (
0) : __assert_fail ("SearchStrVal.isUnknown()", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 2119, __extension__ __PRETTY_FUNCTION__));
  // Conjure a symbolic value. It's the best we can do.
  Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
}

// Set the return value, and finish.
State = State->BindExpr(CE, LCtx, Result);
C.addTransition(State);
2127}

2129// These should probably be moved into a C++ standard library checker.
2130void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const {
evalStdCopyCommon(C, CE);
2132}

2134void CStringChecker::evalStdCopyBackward(CheckerContext &C,
  const CallExpr *CE) const {
evalStdCopyCommon(C, CE);
2137}

2139void CStringChecker::evalStdCopyCommon(CheckerContext &C,
  const CallExpr *CE) const {
if (!CE->getArg(2)->getType()->isPointerType())
  return;

ProgramStateRef State = C.getState();

const LocationContext *LCtx = C.getLocationContext();

// template <class _InputIterator, class _OutputIterator>
// _OutputIterator
// copy(_InputIterator __first, _InputIterator __last,
//        _OutputIterator __result)

// Invalidate the destination buffer
const Expr *Dst = CE->getArg(2);
SVal DstVal = State->getSVal(Dst, LCtx);
State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false,
    /*Size=*/nullptr);

SValBuilder &SVB = C.getSValBuilder();

SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
State = State->BindExpr(CE, LCtx, ResultVal);

C.addTransition(State);
2165}

2167void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const {
// void *memset(void *s, int c, size_t n);
CurrentFunctionDescription = "memory set function";

DestinationArgExpr Buffer = {CE->getArg(0), 0};
AnyArgExpr CharE = {CE->getArg(1), 1};
SizeArgExpr Size = {CE->getArg(2), 2};

ProgramStateRef State = C.getState();

// See if the size argument is zero.
const LocationContext *LCtx = C.getLocationContext();
SVal SizeVal = C.getSVal(Size.Expression);
QualType SizeTy = Size.Expression->getType();

ProgramStateRef ZeroSize, NonZeroSize;
std::tie(ZeroSize, NonZeroSize) = assumeZero(C, State, SizeVal, SizeTy);

// Get the value of the memory area.
SVal BufferPtrVal = C.getSVal(Buffer.Expression);

// If the size is zero, there won't be any actual memory access, so
// just bind the return value to the buffer and return.
if (ZeroSize && !NonZeroSize) {
  ZeroSize = ZeroSize->BindExpr(CE, LCtx, BufferPtrVal);
  C.addTransition(ZeroSize);
  return;
}

// Ensure the memory area is not null.
// If it is NULL there will be a NULL pointer dereference.
State = checkNonNull(C, NonZeroSize, Buffer, BufferPtrVal);
if (!State)
  return;

State = CheckBufferAccess(C, State, Buffer, Size, AccessKind::write);
if (!State)
  return;

// According to the values of the arguments, bind the value of the second
// argument to the destination buffer and set string length, or just
// invalidate the destination buffer.
if (!memsetAux(Buffer.Expression, C.getSVal(CharE.Expression),
               Size.Expression, C, State))
  return;

State = State->BindExpr(CE, LCtx, BufferPtrVal);
C.addTransition(State);
2215}

2217void CStringChecker::evalBzero(CheckerContext &C, const CallExpr *CE) const {
CurrentFunctionDescription = "memory clearance function";

DestinationArgExpr Buffer = {CE->getArg(0), 0};
SizeArgExpr Size = {CE->getArg(1), 1};
SVal Zero = C.getSValBuilder().makeZeroVal(C.getASTContext().IntTy);

ProgramStateRef State = C.getState();

// See if the size argument is zero.
SVal SizeVal = C.getSVal(Size.Expression);
QualType SizeTy = Size.Expression->getType();

ProgramStateRef StateZeroSize, StateNonZeroSize;
std::tie(StateZeroSize, StateNonZeroSize) =
  assumeZero(C, State, SizeVal, SizeTy);

// If the size is zero, there won't be any actual memory access,
// In this case we just return.
if (StateZeroSize && !StateNonZeroSize) {
  C.addTransition(StateZeroSize);
  return;
}

// Get the value of the memory area.
SVal MemVal = C.getSVal(Buffer.Expression);

// Ensure the memory area is not null.
// If it is NULL there will be a NULL pointer dereference.
State = checkNonNull(C, StateNonZeroSize, Buffer, MemVal);
if (!State)
  return;

State = CheckBufferAccess(C, State, Buffer, Size, AccessKind::write);
if (!State)
  return;

if (!memsetAux(Buffer.Expression, Zero, Size.Expression, C, State))
  return;

C.addTransition(State);
2258}

2260//===----------------------------------------------------------------------===//
2261// The driver method, and other Checker callbacks.
2262//===----------------------------------------------------------------------===//

2264CStringChecker::FnCheck CStringChecker::identifyCall(const CallEvent &Call,
                                                   CheckerContext &C) const {
const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE)
  return nullptr;

const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
if (!FD)
  return nullptr;

if (Call.isCalled(StdCopy)) {
  return &CStringChecker::evalStdCopy;
} else if (Call.isCalled(StdCopyBackward)) {
  return &CStringChecker::evalStdCopyBackward;
}

// Pro-actively check that argument types are safe to do arithmetic upon.
// We do not want to crash if someone accidentally passes a structure
// into, say, a C++ overload of any of these functions. We could not check
// that for std::copy because they may have arguments of other types.
for (auto I : CE->arguments()) {
  QualType T = I->getType();
  if (!T->isIntegralOrEnumerationType() && !T->isPointerType())
    return nullptr;
}

const FnCheck *Callback = Callbacks.lookup(Call);
if (Callback)
  return *Callback;

return nullptr;
2295}

2297bool CStringChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
FnCheck Callback = identifyCall(Call, C);

// If the callee isn't a string function, let another checker handle it.
if (!Callback)
  return false;

// Check and evaluate the call.
const auto *CE = cast<CallExpr>(Call.getOriginExpr());
(this->*Callback)(C, CE);

// If the evaluate call resulted in no change, chain to the next eval call
// handler.
// Note, the custom CString evaluation calls assume that basic safety
// properties are held. However, if the user chooses to turn off some of these
// checks, we ignore the issues and leave the call evaluation to a generic
// handler.
return C.isDifferent();
2315}

2317void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
// Record string length for char a[] = "abc";
ProgramStateRef state = C.getState();

for (const auto *I : DS->decls()) {
  const VarDecl *D = dyn_cast<VarDecl>(I);
  if (!D)
    continue;

  // FIXME: Handle array fields of structs.
  if (!D->getType()->isArrayType())
    continue;

  const Expr *Init = D->getInit();
  if (!Init)
    continue;
  if (!isa<StringLiteral>(Init))
    continue;

  Loc VarLoc = state->getLValue(D, C.getLocationContext());
  const MemRegion *MR = VarLoc.getAsRegion();
  if (!MR)
    continue;

  SVal StrVal = C.getSVal(Init);
  assert(StrVal.isValid() && "Initializer string is unknown or undefined")(static_cast <bool> (StrVal.isValid() && "Initializer string is unknown or undefined"
) ? void (0) : __assert_fail ("StrVal.isValid() && \"Initializer string is unknown or undefined\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 2342, __extension__ __PRETTY_FUNCTION__));
  DefinedOrUnknownSVal strLength =
    getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();

  state = state->set<CStringLength>(MR, strLength);
}

C.addTransition(state);
2350}

2352ProgramStateRef
2353CStringChecker::checkRegionChanges(ProgramStateRef state,
  const InvalidatedSymbols *,
  ArrayRef<const MemRegion *> ExplicitRegions,
  ArrayRef<const MemRegion *> Regions,
  const LocationContext *LCtx,
  const CallEvent *Call) const {
CStringLengthTy Entries = state->get<CStringLength>();
if (Entries.isEmpty())
  return state;

llvm::SmallPtrSet<const MemRegion *, 8> Invalidated;
llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions;

// First build sets for the changed regions and their super-regions.
for (ArrayRef<const MemRegion *>::iterator
    I = Regions.begin(), E = Regions.end(); I != E; ++I) {
  const MemRegion *MR = *I;
  Invalidated.insert(MR);

  SuperRegions.insert(MR);
  while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) {
    MR = SR->getSuperRegion();
    SuperRegions.insert(MR);
  }
}

CStringLengthTy::Factory &F = state->get_context<CStringLength>();

// Then loop over the entries in the current state.
for (CStringLengthTy::iterator I = Entries.begin(),
    E = Entries.end(); I != E; ++I) {
  const MemRegion *MR = I.getKey();

  // Is this entry for a super-region of a changed region?
  if (SuperRegions.count(MR)) {
    Entries = F.remove(Entries, MR);
    continue;
  }

  // Is this entry for a sub-region of a changed region?
  const MemRegion *Super = MR;
  while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) {
    Super = SR->getSuperRegion();
    if (Invalidated.count(Super)) {
      Entries = F.remove(Entries, MR);
      break;
    }
  }
}

return state->set<CStringLength>(Entries);
2404}

2406void CStringChecker::checkLiveSymbols(ProgramStateRef state,
  SymbolReaper &SR) const {
// Mark all symbols in our string length map as valid.
CStringLengthTy Entries = state->get<CStringLength>();

for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
    I != E; ++I) {
  SVal Len = I.getData();

  for (SymExpr::symbol_iterator si = Len.symbol_begin(),
      se = Len.symbol_end(); si != se; ++si)
    SR.markInUse(*si);
}
2419}

2421void CStringChecker::checkDeadSymbols(SymbolReaper &SR,
  CheckerContext &C) const {
ProgramStateRef state = C.getState();
CStringLengthTy Entries = state->get<CStringLength>();
if (Entries.isEmpty())
  return;

CStringLengthTy::Factory &F = state->get_context<CStringLength>();
for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
    I != E; ++I) {
  SVal Len = I.getData();
  if (SymbolRef Sym = Len.getAsSymbol()) {
    if (SR.isDead(Sym))
      Entries = F.remove(Entries, I.getKey());
  }
}

state = state->set<CStringLength>(Entries);
C.addTransition(state);
2440}

2442void ento::registerCStringModeling(CheckerManager &Mgr) {
Mgr.registerChecker<CStringChecker>();
2444}

2446bool ento::shouldRegisterCStringModeling(const CheckerManager &mgr) {
return true;
2448}

2450#define REGISTER_CHECKER(name)void ento::registername(CheckerManager &mgr) { CStringChecker
 *checker = mgr.getChecker<CStringChecker>(); checker->
Filter.Checkname = true; checker->Filter.CheckNamename = mgr
.getCurrentCheckerName(); } bool ento::shouldRegistername(const
 CheckerManager &mgr) { return true; }                                                 \
void ento::register##name(CheckerManager &mgr) {                             \
  CStringChecker *checker = mgr.getChecker<CStringChecker>();                \
  checker->Filter.Check##name = true;                                        \
  checker->Filter.CheckName##name = mgr.getCurrentCheckerName();             \
}                                                                            \
                                                                             \
bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }

2459REGISTER_CHECKER(CStringNullArg)void ento::registerCStringNullArg(CheckerManager &mgr) { CStringChecker
 *checker = mgr.getChecker<CStringChecker>(); checker->
Filter.CheckCStringNullArg = true; checker->Filter.CheckNameCStringNullArg
 = mgr.getCurrentCheckerName(); } bool ento::shouldRegisterCStringNullArg
(const CheckerManager &mgr) { return true; }
2460REGISTER_CHECKER(CStringOutOfBounds)void ento::registerCStringOutOfBounds(CheckerManager &mgr
) { CStringChecker *checker = mgr.getChecker<CStringChecker
>(); checker->Filter.CheckCStringOutOfBounds = true; checker
->Filter.CheckNameCStringOutOfBounds = mgr.getCurrentCheckerName
(); } bool ento::shouldRegisterCStringOutOfBounds(const CheckerManager
 &mgr) { return true; }
2461REGISTER_CHECKER(CStringBufferOverlap)void ento::registerCStringBufferOverlap(CheckerManager &mgr
) { CStringChecker *checker = mgr.getChecker<CStringChecker
>(); checker->Filter.CheckCStringBufferOverlap = true; checker
->Filter.CheckNameCStringBufferOverlap = mgr.getCurrentCheckerName
(); } bool ento::shouldRegisterCStringBufferOverlap(const CheckerManager
 &mgr) { return true; }
2462REGISTER_CHECKER(CStringNotNullTerm)void ento::registerCStringNotNullTerm(CheckerManager &mgr
) { CStringChecker *checker = mgr.getChecker<CStringChecker
>(); checker->Filter.CheckCStringNotNullTerm = true; checker
->Filter.CheckNameCStringNotNullTerm = mgr.getCurrentCheckerName
(); } bool ento::shouldRegisterCStringNotNullTerm(const CheckerManager
 &mgr) { return true; }

←

/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h

→

1//==- llvm/ADT/IntrusiveRefCntPtr.h - Smart Refcounting Pointer --*- C++ -*-==//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines the RefCountedBase, ThreadSafeRefCountedBase, and
10// IntrusiveRefCntPtr classes.
11//
12// IntrusiveRefCntPtr is a smart pointer to an object which maintains a
13// reference count.  (ThreadSafe)RefCountedBase is a mixin class that adds a
14// refcount member variable and methods for updating the refcount.  An object
15// that inherits from (ThreadSafe)RefCountedBase deletes itself when its
16// refcount hits zero.
17//
18// For example:
19//
20//   class MyClass : public RefCountedBase<MyClass> {};
21//
22//   void foo() {
23//     // Constructing an IntrusiveRefCntPtr increases the pointee's refcount by
24//     // 1 (from 0 in this case).
25//     IntrusiveRefCntPtr<MyClass> Ptr1(new MyClass());
26//
27//     // Copying an IntrusiveRefCntPtr increases the pointee's refcount by 1.
28//     IntrusiveRefCntPtr<MyClass> Ptr2(Ptr1);
29//
30//     // Constructing an IntrusiveRefCntPtr has no effect on the object's
31//     // refcount.  After a move, the moved-from pointer is null.
32//     IntrusiveRefCntPtr<MyClass> Ptr3(std::move(Ptr1));
33//     assert(Ptr1 == nullptr);
34//
35//     // Clearing an IntrusiveRefCntPtr decreases the pointee's refcount by 1.
36//     Ptr2.reset();
37//
38//     // The object deletes itself when we return from the function, because
39//     // Ptr3's destructor decrements its refcount to 0.
40//   }
41//
42// You can use IntrusiveRefCntPtr with isa<T>(), dyn_cast<T>(), etc.:
43//
44//   IntrusiveRefCntPtr<MyClass> Ptr(new MyClass());
45//   OtherClass *Other = dyn_cast<OtherClass>(Ptr);  // Ptr.get() not required
46//
47// IntrusiveRefCntPtr works with any class that
48//
49//  - inherits from (ThreadSafe)RefCountedBase,
50//  - has Retain() and Release() methods, or
51//  - specializes IntrusiveRefCntPtrInfo.
52//
53//===----------------------------------------------------------------------===//
54 
55#ifndef LLVM_ADT_INTRUSIVEREFCNTPTR_H
56#define LLVM_ADT_INTRUSIVEREFCNTPTR_H
57 
58#include <atomic>
59#include <cassert>
60#include <cstddef>
61#include <memory>
62 
63namespace llvm {
64 
65/// A CRTP mixin class that adds reference counting to a type.
66///
67/// The lifetime of an object which inherits from RefCountedBase is managed by
68/// calls to Release() and Retain(), which increment and decrement the object's
69/// refcount, respectively.  When a Release() call decrements the refcount to 0,
70/// the object deletes itself.
71template <class Derived> class RefCountedBase {
72  mutable unsigned RefCount = 0;
73 
74protected:
75  RefCountedBase() = default;
76  RefCountedBase(const RefCountedBase &) {}
77  RefCountedBase &operator=(const RefCountedBase &) = delete;
78 
79#ifndef NDEBUG
80  ~RefCountedBase() {
81    assert(RefCount == 0 &&(static_cast <bool> (RefCount == 0 && "Destruction occured when there are still references to this."
) ? void (0) : __assert_fail ("RefCount == 0 && \"Destruction occured when there are still references to this.\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h"
, 82, __extension__ __PRETTY_FUNCTION__))
82           "Destruction occured when there are still references to this.")(static_cast <bool> (RefCount == 0 && "Destruction occured when there are still references to this."
) ? void (0) : __assert_fail ("RefCount == 0 && \"Destruction occured when there are still references to this.\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h"
, 82, __extension__ __PRETTY_FUNCTION__));
83  }
84#else
85  // Default the destructor in release builds, A trivial destructor may enable
86  // better codegen.
87  ~RefCountedBase() = default;
88#endif
89 
90public:
91  void Retain() const { ++RefCount; }
92 
93  void Release() const {
94    assert(RefCount > 0 && "Reference count is already zero.")(static_cast <bool> (RefCount > 0 && "Reference count is already zero."
) ? void (0) : __assert_fail ("RefCount > 0 && \"Reference count is already zero.\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h"
, 94, __extension__ __PRETTY_FUNCTION__));
95    if (--RefCount == 0)
96      delete static_cast<const Derived *>(this);
97  }
98};
99 
100/// A thread-safe version of \c RefCountedBase.
101template <class Derived> class ThreadSafeRefCountedBase {
102  mutable std::atomic<int> RefCount{0};
103 
104protected:
105  ThreadSafeRefCountedBase() = default;
106  ThreadSafeRefCountedBase(const ThreadSafeRefCountedBase &) {}
107  ThreadSafeRefCountedBase &
108  operator=(const ThreadSafeRefCountedBase &) = delete;
109 
110#ifndef NDEBUG
111  ~ThreadSafeRefCountedBase() {
112    assert(RefCount == 0 &&(static_cast <bool> (RefCount == 0 && "Destruction occured when there are still references to this."
) ? void (0) : __assert_fail ("RefCount == 0 && \"Destruction occured when there are still references to this.\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h"
, 113, __extension__ __PRETTY_FUNCTION__))
113           "Destruction occured when there are still references to this.")(static_cast <bool> (RefCount == 0 && "Destruction occured when there are still references to this."
) ? void (0) : __assert_fail ("RefCount == 0 && \"Destruction occured when there are still references to this.\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h"
, 113, __extension__ __PRETTY_FUNCTION__));
114  }
115#else
116  // Default the destructor in release builds, A trivial destructor may enable
117  // better codegen.
118  ~ThreadSafeRefCountedBase() = default;
119#endif
120 
121public:
122  void Retain() const { RefCount.fetch_add(1, std::memory_order_relaxed); }
123 
124  void Release() const {
125    int NewRefCount = RefCount.fetch_sub(1, std::memory_order_acq_rel) - 1;
126    assert(NewRefCount >= 0 && "Reference count was already zero.")(static_cast <bool> (NewRefCount >= 0 && "Reference count was already zero."
) ? void (0) : __assert_fail ("NewRefCount >= 0 && \"Reference count was already zero.\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h"
, 126, __extension__ __PRETTY_FUNCTION__));
127    if (NewRefCount == 0)
128      delete static_cast<const Derived *>(this);
129  }
130};
131 
132/// Class you can specialize to provide custom retain/release functionality for
133/// a type.
134///
135/// Usually specializing this class is not necessary, as IntrusiveRefCntPtr
136/// works with any type which defines Retain() and Release() functions -- you
137/// can define those functions yourself if RefCountedBase doesn't work for you.
138///
139/// One case when you might want to specialize this type is if you have
140///  - Foo.h defines type Foo and includes Bar.h, and
141///  - Bar.h uses IntrusiveRefCntPtr<Foo> in inline functions.
142///
143/// Because Foo.h includes Bar.h, Bar.h can't include Foo.h in order to pull in
144/// the declaration of Foo.  Without the declaration of Foo, normally Bar.h
145/// wouldn't be able to use IntrusiveRefCntPtr<Foo>, which wants to call
146/// T::Retain and T::Release.
147///
148/// To resolve this, Bar.h could include a third header, FooFwd.h, which
149/// forward-declares Foo and specializes IntrusiveRefCntPtrInfo<Foo>.  Then
150/// Bar.h could use IntrusiveRefCntPtr<Foo>, although it still couldn't call any
151/// functions on Foo itself, because Foo would be an incomplete type.
152template <typename T> struct IntrusiveRefCntPtrInfo {
153  static void retain(T *obj) { obj->Retain(); }
154  static void release(T *obj) { obj->Release(); }
155};
156 
157/// A smart pointer to a reference-counted object that inherits from
158/// RefCountedBase or ThreadSafeRefCountedBase.
159///
160/// This class increments its pointee's reference count when it is created, and
161/// decrements its refcount when it's destroyed (or is changed to point to a
162/// different object).
163template <typename T> class IntrusiveRefCntPtr {
164  T *Obj = nullptr;
165 
166public:
167  using element_type = T;
168 
169  explicit IntrusiveRefCntPtr() = default;
170  IntrusiveRefCntPtr(T *obj) : Obj(obj) { retain(); }
171  IntrusiveRefCntPtr(const IntrusiveRefCntPtr &S) : Obj(S.Obj) { retain(); }
3
←
Calling 'IntrusiveRefCntPtr::retain'→
6
←
Returning from 'IntrusiveRefCntPtr::retain'→
172  IntrusiveRefCntPtr(IntrusiveRefCntPtr &&S) : Obj(S.Obj) { S.Obj = nullptr; }
173 
174  template <class X,
175            std::enable_if_t<std::is_convertible<X *, T *>::value, bool> = true>
176  IntrusiveRefCntPtr(IntrusiveRefCntPtr<X> S) : Obj(S.get()) {
177    S.Obj = nullptr;
178  }
179 
180  template <class X,
181            std::enable_if_t<std::is_convertible<X *, T *>::value, bool> = true>
182  IntrusiveRefCntPtr(std::unique_ptr<X> S) : Obj(S.release()) {
183    retain();
184  }
185 
186  ~IntrusiveRefCntPtr() { release(); }
187 
188  IntrusiveRefCntPtr &operator=(IntrusiveRefCntPtr S) {
189    swap(S);
43
←
Calling 'IntrusiveRefCntPtr::swap'→
46
←
Returning from 'IntrusiveRefCntPtr::swap'→
190    return *this;
191  }
192 
193  T &operator*() const { return *Obj; }
194  T *operator->() const { return Obj; }
195  T *get() const { return Obj; }
196  explicit operator bool() const { return Obj; }
197 
198  void swap(IntrusiveRefCntPtr &other) {
199    T *tmp = other.Obj;
44
←
'tmp' initialized here→
200    other.Obj = Obj;
201    Obj = tmp;
45
←
The value of 'tmp' is assigned to 'state.Obj'→
202  }
203 
204  void reset() {
205    release();
206    Obj = nullptr;
207  }
208 
209  void resetWithoutRelease() { Obj = nullptr; }
210 
211private:
212  void retain() {
213    if (Obj)
4
←
Assuming field 'Obj' is non-null, which participates in a condition later→
5
←
Taking true branch→
214      IntrusiveRefCntPtrInfo<T>::retain(Obj);
215  }
216 
217  void release() {
218    if (Obj)
219      IntrusiveRefCntPtrInfo<T>::release(Obj);
220  }
221 
222  template <typename X> friend class IntrusiveRefCntPtr;
223};
224 
225template <class T, class U>
226inline bool operator==(const IntrusiveRefCntPtr<T> &A,
227                       const IntrusiveRefCntPtr<U> &B) {
228  return A.get() == B.get();
229}
230 
231template <class T, class U>
232inline bool operator!=(const IntrusiveRefCntPtr<T> &A,
233                       const IntrusiveRefCntPtr<U> &B) {
234  return A.get() != B.get();
235}
236 
237template <class T, class U>
238inline bool operator==(const IntrusiveRefCntPtr<T> &A, U *B) {
239  return A.get() == B;
240}
241 
242template <class T, class U>
243inline bool operator!=(const IntrusiveRefCntPtr<T> &A, U *B) {
244  return A.get() != B;
245}
246 
247template <class T, class U>
248inline bool operator==(T *A, const IntrusiveRefCntPtr<U> &B) {
249  return A == B.get();
250}
251 
252template <class T, class U>
253inline bool operator!=(T *A, const IntrusiveRefCntPtr<U> &B) {
254  return A != B.get();
255}
256 
257template <class T>
258bool operator==(std::nullptr_t, const IntrusiveRefCntPtr<T> &B) {
259  return !B;
260}
261 
262template <class T>
263bool operator==(const IntrusiveRefCntPtr<T> &A, std::nullptr_t B) {
264  return B == A;
265}
266 
267template <class T>
268bool operator!=(std::nullptr_t A, const IntrusiveRefCntPtr<T> &B) {
269  return !(A == B);
270}
271 
272template <class T>
273bool operator!=(const IntrusiveRefCntPtr<T> &A, std::nullptr_t B) {
274  return !(A == B);
275}
276 
277// Make IntrusiveRefCntPtr work with dyn_cast, isa, and the other idioms from
278// Casting.h.
279template <typename From> struct simplify_type;
280 
281template <class T> struct simplify_type<IntrusiveRefCntPtr<T>> {
282  using SimpleType = T *;
283 
284  static SimpleType getSimplifiedValue(IntrusiveRefCntPtr<T> &Val) {
285    return Val.get();
286  }
287};
288 
289template <class T> struct simplify_type<const IntrusiveRefCntPtr<T>> {
290  using SimpleType = /*const*/ T *;
291 
292  static SimpleType getSimplifiedValue(const IntrusiveRefCntPtr<T> &Val) {
293    return Val.get();
294  }
295};
296 
297/// Factory function for creating intrusive ref counted pointers.
298template <typename T, typename... Args>
299IntrusiveRefCntPtr<T> makeIntrusiveRefCnt(Args &&...A) {
300  return IntrusiveRefCntPtr<T>(new T(std::forward<Args>(A)...));
301}
302 
303} // end namespace llvm
304 
305#endif // LLVM_ADT_INTRUSIVEREFCNTPTR_H

←

/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/tuple

→

1// <tuple> -*- C++ -*-

3// Copyright (C) 2007-2020 Free Software Foundation, Inc.
4//
5// This file is part of the GNU ISO C++ Library.  This library is free
6// software; you can redistribute it and/or modify it under the
7// terms of the GNU General Public License as published by the
8// Free Software Foundation; either version 3, or (at your option)
9// any later version.

11// This library is distributed in the hope that it will be useful,
12// but WITHOUT ANY WARRANTY; without even the implied warranty of
13// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14// GNU General Public License for more details.

16// Under Section 7 of GPL version 3, you are granted additional
17// permissions described in the GCC Runtime Library Exception, version
18// 3.1, as published by the Free Software Foundation.

20// You should have received a copy of the GNU General Public License and
21// a copy of the GCC Runtime Library Exception along with this program;
22// see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see
23// <http://www.gnu.org/licenses/>.

25/** @file include/tuple
*  This is a Standard C++ Library header.
*/

29#ifndef _GLIBCXX_TUPLE1
30#define _GLIBCXX_TUPLE1 1

32#pragma GCC system_header

34#if __cplusplus201402L < 201103L
35# include <bits/c++0x_warning.h>
36#else

38#include <utility>
39#include <array>
40#include <bits/uses_allocator.h>
41#include <bits/invoke.h>
42#if __cplusplus201402L > 201703L
43# include <compare>
44# define __cpp_lib_constexpr_tuple 201811L
45#endif

47namespace std _GLIBCXX_VISIBILITY(default)__attribute__ ((__visibility__ ("default")))
48{
49_GLIBCXX_BEGIN_NAMESPACE_VERSION

/**
 *  @addtogroup utilities
 *  @{
 */

template<typename... _Elements>
  class tuple;

template<typename _Tp>
  struct __is_empty_non_tuple : is_empty<_Tp> { };

// Using EBO for elements that are tuples causes ambiguous base errors.
template<typename _El0, typename... _El>
  struct __is_empty_non_tuple<tuple<_El0, _El...>> : false_type { };

// Use the Empty Base-class Optimization for empty, non-final types.
template<typename _Tp>
  using __empty_not_final
  = typename conditional<__is_final(_Tp), false_type,
	   __is_empty_non_tuple<_Tp>>::type;

template<std::size_t _Idx, typename _Head,
  bool = __empty_not_final<_Head>::value>
  struct _Head_base;

template<std::size_t _Idx, typename _Head>
  struct _Head_base<_Idx, _Head, true>
  : public _Head
  {
    constexpr _Head_base()
    : _Head() { }

    constexpr _Head_base(const _Head& __h)
    : _Head(__h) { }

    constexpr _Head_base(const _Head_base&) = default;
    constexpr _Head_base(_Head_base&&) = default;

    template<typename _UHead>
      constexpr _Head_base(_UHead&& __h)
: _Head(std::forward<_UHead>(__h)) { }

    _Head_base(allocator_arg_t, __uses_alloc0)
    : _Head() { }

    template<typename _Alloc>
_Head_base(allocator_arg_t, __uses_alloc1<_Alloc> __a)
: _Head(allocator_arg, *__a._M_a) { }

    template<typename _Alloc>
_Head_base(allocator_arg_t, __uses_alloc2<_Alloc> __a)
: _Head(*__a._M_a) { }

    template<typename _UHead>
_Head_base(__uses_alloc0, _UHead&& __uhead)
: _Head(std::forward<_UHead>(__uhead)) { }

    template<typename _Alloc, typename _UHead>
_Head_base(__uses_alloc1<_Alloc> __a, _UHead&& __uhead)
: _Head(allocator_arg, *__a._M_a, std::forward<_UHead>(__uhead)) { }

    template<typename _Alloc, typename _UHead>
_Head_base(__uses_alloc2<_Alloc> __a, _UHead&& __uhead)
: _Head(std::forward<_UHead>(__uhead), *__a._M_a) { }

    static constexpr _Head&
    _M_head(_Head_base& __b) noexcept { return __b; }

    static constexpr const _Head&
    _M_head(const _Head_base& __b) noexcept { return __b; }
  };

template<std::size_t _Idx, typename _Head>
  struct _Head_base<_Idx, _Head, false>
  {
    constexpr _Head_base()
    : _M_head_impl() { }

    constexpr _Head_base(const _Head& __h)
    : _M_head_impl(__h) { }

    constexpr _Head_base(const _Head_base&) = default;
    constexpr _Head_base(_Head_base&&) = default;

    template<typename _UHead>
      constexpr _Head_base(_UHead&& __h)
: _M_head_impl(std::forward<_UHead>(__h)) { }

    _GLIBCXX20_CONSTEXPR
    _Head_base(allocator_arg_t, __uses_alloc0)
    : _M_head_impl() { }

    template<typename _Alloc>
_Head_base(allocator_arg_t, __uses_alloc1<_Alloc> __a)
: _M_head_impl(allocator_arg, *__a._M_a) { }

    template<typename _Alloc>
_Head_base(allocator_arg_t, __uses_alloc2<_Alloc> __a)
: _M_head_impl(*__a._M_a) { }

    template<typename _UHead>
_GLIBCXX20_CONSTEXPR
_Head_base(__uses_alloc0, _UHead&& __uhead)
: _M_head_impl(std::forward<_UHead>(__uhead)) { }

    template<typename _Alloc, typename _UHead>
_Head_base(__uses_alloc1<_Alloc> __a, _UHead&& __uhead)
: _M_head_impl(allocator_arg, *__a._M_a, std::forward<_UHead>(__uhead))
{ }

    template<typename _Alloc, typename _UHead>
_Head_base(__uses_alloc2<_Alloc> __a, _UHead&& __uhead)
: _M_head_impl(std::forward<_UHead>(__uhead), *__a._M_a) { }

    static constexpr _Head&
    _M_head(_Head_base& __b) noexcept { return __b._M_head_impl; }

    static constexpr const _Head&
    _M_head(const _Head_base& __b) noexcept { return __b._M_head_impl; }

    _Head _M_head_impl;
  };

/**
 * Contains the actual implementation of the @c tuple template, stored
 * as a recursive inheritance hierarchy from the first element (most
 * derived class) to the last (least derived class). The @c Idx
 * parameter gives the 0-based index of the element stored at this
 * point in the hierarchy; we use it to implement a constant-time
 * get() operation.
 */
template<std::size_t _Idx, typename... _Elements>
  struct _Tuple_impl;

/**
 * Recursive tuple implementation. Here we store the @c Head element
 * and derive from a @c Tuple_impl containing the remaining elements
 * (which contains the @c Tail).
 */
template<std::size_t _Idx, typename _Head, typename... _Tail>
  struct _Tuple_impl<_Idx, _Head, _Tail...>
  : public _Tuple_impl<_Idx + 1, _Tail...>,
    private _Head_base<_Idx, _Head>
  {
    template<std::size_t, typename...> friend class _Tuple_impl;

    typedef _Tuple_impl<_Idx + 1, _Tail...> _Inherited;
    typedef _Head_base<_Idx, _Head> _Base;

    static constexpr _Head&
    _M_head(_Tuple_impl& __t) noexcept { return _Base::_M_head(__t); }

    static constexpr const _Head&
    _M_head(const _Tuple_impl& __t) noexcept { return _Base::_M_head(__t); }

    static constexpr _Inherited&
    _M_tail(_Tuple_impl& __t) noexcept { return __t; }

    static constexpr const _Inherited&
    _M_tail(const _Tuple_impl& __t) noexcept { return __t; }

    constexpr _Tuple_impl()
    : _Inherited(), _Base() { }

    explicit
    constexpr _Tuple_impl(const _Head& __head, const _Tail&... __tail)
    : _Inherited(__tail...), _Base(__head) { }
12
←
Calling constructor for '_Tuple_impl<1UL, llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState> &>'→
15
←
Returning from constructor for '_Tuple_impl<1UL, llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState> &>'→

    template<typename _UHead, typename... _UTail, typename = typename
             enable_if<sizeof...(_Tail) == sizeof...(_UTail)>::type>
      explicit
      constexpr _Tuple_impl(_UHead&& __head, _UTail&&... __tail)
: _Inherited(std::forward<_UTail>(__tail)...),
 _Base(std::forward<_UHead>(__head)) { }

    constexpr _Tuple_impl(const _Tuple_impl&) = default;

    // _GLIBCXX_RESOLVE_LIB_DEFECTS
    // 2729. Missing SFINAE on std::pair::operator=
    _Tuple_impl& operator=(const _Tuple_impl&) = delete;

    constexpr
    _Tuple_impl(_Tuple_impl&& __in)
    noexcept(__and_<is_nothrow_move_constructible<_Head>,
             is_nothrow_move_constructible<_Inherited>>::value)
    : _Inherited(std::move(_M_tail(__in))),
_Base(std::forward<_Head>(_M_head(__in))) { }

    template<typename... _UElements>
      constexpr _Tuple_impl(const _Tuple_impl<_Idx, _UElements...>& __in)
: _Inherited(_Tuple_impl<_Idx, _UElements...>::_M_tail(__in)),
 _Base(_Tuple_impl<_Idx, _UElements...>::_M_head(__in)) { }

    template<typename _UHead, typename... _UTails>
      constexpr _Tuple_impl(_Tuple_impl<_Idx, _UHead, _UTails...>&& __in)
: _Inherited(std::move
     (_Tuple_impl<_Idx, _UHead, _UTails...>::_M_tail(__in))),
 _Base(std::forward<_UHead>
(_Tuple_impl<_Idx, _UHead, _UTails...>::_M_head(__in))) { }

    template<typename _Alloc>
_GLIBCXX20_CONSTEXPR
_Tuple_impl(allocator_arg_t __tag, const _Alloc& __a)
: _Inherited(__tag, __a),
        _Base(__tag, __use_alloc<_Head>(__a)) { }

    template<typename _Alloc>
_Tuple_impl(allocator_arg_t __tag, const _Alloc& __a,
    const _Head& __head, const _Tail&... __tail)
: _Inherited(__tag, __a, __tail...),
        _Base(__use_alloc<_Head, _Alloc, _Head>(__a), __head) { }

    template<typename _Alloc, typename _UHead, typename... _UTail,
             typename = typename enable_if<sizeof...(_Tail)
			     == sizeof...(_UTail)>::type>
_GLIBCXX20_CONSTEXPR
_Tuple_impl(allocator_arg_t __tag, const _Alloc& __a,
           _UHead&& __head, _UTail&&... __tail)
: _Inherited(__tag, __a, std::forward<_UTail>(__tail)...),
        _Base(__use_alloc<_Head, _Alloc, _UHead>(__a),
       std::forward<_UHead>(__head)) { }

    template<typename _Alloc>
_GLIBCXX20_CONSTEXPR
      _Tuple_impl(allocator_arg_t __tag, const _Alloc& __a,
           const _Tuple_impl& __in)
: _Inherited(__tag, __a, _M_tail(__in)),
        _Base(__use_alloc<_Head, _Alloc, _Head>(__a), _M_head(__in)) { }

    template<typename _Alloc>
_GLIBCXX20_CONSTEXPR
_Tuple_impl(allocator_arg_t __tag, const _Alloc& __a,
           _Tuple_impl&& __in)
: _Inherited(__tag, __a, std::move(_M_tail(__in))),
 _Base(__use_alloc<_Head, _Alloc, _Head>(__a),
       std::forward<_Head>(_M_head(__in))) { }

    template<typename _Alloc, typename _UHead, typename... _UTails>
_GLIBCXX20_CONSTEXPR
_Tuple_impl(allocator_arg_t __tag, const _Alloc& __a,
    const _Tuple_impl<_Idx, _UHead, _UTails...>& __in)
: _Inherited(__tag, __a,
     _Tuple_impl<_Idx, _UHead, _UTails...>::_M_tail(__in)),
 _Base(__use_alloc<_Head, _Alloc, const _UHead&>(__a),
_Tuple_impl<_Idx, _UHead, _UTails...>::_M_head(__in)) { }

    template<typename _Alloc, typename _UHead, typename... _UTails>
_GLIBCXX20_CONSTEXPR
_Tuple_impl(allocator_arg_t __tag, const _Alloc& __a,
           _Tuple_impl<_Idx, _UHead, _UTails...>&& __in)
: _Inherited(__tag, __a, std::move
     (_Tuple_impl<_Idx, _UHead, _UTails...>::_M_tail(__in))),
 _Base(__use_alloc<_Head, _Alloc, _UHead>(__a),
              std::forward<_UHead>
(_Tuple_impl<_Idx, _UHead, _UTails...>::_M_head(__in))) { }

    template<typename... _UElements>
_GLIBCXX20_CONSTEXPR
      void
      _M_assign(const _Tuple_impl<_Idx, _UElements...>& __in)
      {
 _M_head(*this) = _Tuple_impl<_Idx, _UElements...>::_M_head(__in);
 _M_tail(*this)._M_assign(
     _Tuple_impl<_Idx, _UElements...>::_M_tail(__in));
}

    template<typename _UHead, typename... _UTails>
_GLIBCXX20_CONSTEXPR
      void
      _M_assign(_Tuple_impl<_Idx, _UHead, _UTails...>&& __in)
      {
 _M_head(*this) = std::forward<_UHead>
   (_Tuple_impl<_Idx, _UHead, _UTails...>::_M_head(__in));
 _M_tail(*this)._M_assign(
     std::move(_Tuple_impl<_Idx, _UHead, _UTails...>::_M_tail(__in)));
}

  protected:
    _GLIBCXX20_CONSTEXPR
    void
    _M_swap(_Tuple_impl& __in)
    {
using std::swap;
swap(_M_head(*this), _M_head(__in));
_Inherited::_M_swap(_M_tail(__in));
    }
  };

// Basis case of inheritance recursion.
template<std::size_t _Idx, typename _Head>
  struct _Tuple_impl<_Idx, _Head>
  : private _Head_base<_Idx, _Head>
  {
    template<std::size_t, typename...> friend class _Tuple_impl;

    typedef _Head_base<_Idx, _Head> _Base;

    static constexpr _Head&
    _M_head(_Tuple_impl& __t) noexcept { return _Base::_M_head(__t); }

    static constexpr const _Head&
    _M_head(const _Tuple_impl& __t) noexcept { return _Base::_M_head(__t); }

    constexpr _Tuple_impl()
    : _Base() { }

    explicit
    constexpr _Tuple_impl(const _Head& __head)
    : _Base(__head) { }
13
←
Calling constructor for '_Head_base<1UL, llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState> &, false>'→
14
←
Returning from constructor for '_Head_base<1UL, llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState> &, false>'→

    template<typename _UHead>
      explicit
      constexpr _Tuple_impl(_UHead&& __head)
: _Base(std::forward<_UHead>(__head)) { }

    constexpr _Tuple_impl(const _Tuple_impl&) = default;

    // _GLIBCXX_RESOLVE_LIB_DEFECTS
    // 2729. Missing SFINAE on std::pair::operator=
    _Tuple_impl& operator=(const _Tuple_impl&) = delete;

    constexpr
    _Tuple_impl(_Tuple_impl&& __in)
    noexcept(is_nothrow_move_constructible<_Head>::value)
    : _Base(std::forward<_Head>(_M_head(__in))) { }

    template<typename _UHead>
      constexpr _Tuple_impl(const _Tuple_impl<_Idx, _UHead>& __in)
: _Base(_Tuple_impl<_Idx, _UHead>::_M_head(__in)) { }

    template<typename _UHead>
      constexpr _Tuple_impl(_Tuple_impl<_Idx, _UHead>&& __in)
: _Base(std::forward<_UHead>(_Tuple_impl<_Idx, _UHead>::_M_head(__in)))
{ }

    template<typename _Alloc>
_GLIBCXX20_CONSTEXPR
_Tuple_impl(allocator_arg_t __tag, const _Alloc& __a)
: _Base(__tag, __use_alloc<_Head>(__a)) { }

    template<typename _Alloc>
_Tuple_impl(allocator_arg_t __tag, const _Alloc& __a,
    const _Head& __head)
: _Base(__use_alloc<_Head, _Alloc, _Head>(__a), __head) { }

    template<typename _Alloc, typename _UHead>
_GLIBCXX20_CONSTEXPR
_Tuple_impl(allocator_arg_t __tag, const _Alloc& __a,
           _UHead&& __head)
: _Base(__use_alloc<_Head, _Alloc, _UHead>(__a),
       std::forward<_UHead>(__head)) { }

    template<typename _Alloc>
_GLIBCXX20_CONSTEXPR
      _Tuple_impl(allocator_arg_t __tag, const _Alloc& __a,
           const _Tuple_impl& __in)
: _Base(__use_alloc<_Head, _Alloc, _Head>(__a), _M_head(__in)) { }

    template<typename _Alloc>
_GLIBCXX20_CONSTEXPR
_Tuple_impl(allocator_arg_t __tag, const _Alloc& __a,
           _Tuple_impl&& __in)
: _Base(__use_alloc<_Head, _Alloc, _Head>(__a),
       std::forward<_Head>(_M_head(__in))) { }

    template<typename _Alloc, typename _UHead>
_GLIBCXX20_CONSTEXPR
_Tuple_impl(allocator_arg_t __tag, const _Alloc& __a,
           const _Tuple_impl<_Idx, _UHead>& __in)
: _Base(__use_alloc<_Head, _Alloc, const _UHead&>(__a),
_Tuple_impl<_Idx, _UHead>::_M_head(__in)) { }

    template<typename _Alloc, typename _UHead>
_GLIBCXX20_CONSTEXPR
_Tuple_impl(allocator_arg_t __tag, const _Alloc& __a,
           _Tuple_impl<_Idx, _UHead>&& __in)
: _Base(__use_alloc<_Head, _Alloc, _UHead>(__a),
              std::forward<_UHead>(_Tuple_impl<_Idx, _UHead>::_M_head(__in)))
{ }

    template<typename _UHead>
_GLIBCXX20_CONSTEXPR
      void
      _M_assign(const _Tuple_impl<_Idx, _UHead>& __in)
      {
 _M_head(*this) = _Tuple_impl<_Idx, _UHead>::_M_head(__in);
}

    template<typename _UHead>
_GLIBCXX20_CONSTEXPR
      void
      _M_assign(_Tuple_impl<_Idx, _UHead>&& __in)
      {
 _M_head(*this)
   = std::forward<_UHead>(_Tuple_impl<_Idx, _UHead>::_M_head(__in));
}

  protected:
    _GLIBCXX20_CONSTEXPR
    void
    _M_swap(_Tuple_impl& __in)
    {
using std::swap;
swap(_M_head(*this), _M_head(__in));
    }
  };

// Concept utility functions, reused in conditionally-explicit
// constructors.
template<bool, typename... _Types>
  struct _TupleConstraints
  {
    // Constraint for a non-explicit constructor.
    // True iff each Ti in _Types... can be constructed from Ui in _UTypes...
    // and every Ui is implicitly convertible to Ti.
    template<typename... _UTypes>
static constexpr bool __is_implicitly_constructible()
{
 return __and_<is_constructible<_Types, _UTypes>...,
	is_convertible<_UTypes, _Types>...
	>::value;
}

    // Constraint for a non-explicit constructor.
    // True iff each Ti in _Types... can be constructed from Ui in _UTypes...
    // but not every Ui is implicitly convertible to Ti.
    template<typename... _UTypes>
static constexpr bool __is_explicitly_constructible()
{
 return __and_<is_constructible<_Types, _UTypes>...,
	__not_<__and_<is_convertible<_UTypes, _Types>...>>
	>::value;
}

    static constexpr bool __is_implicitly_default_constructible()
    {
return __and_<std::__is_implicitly_default_constructible<_Types>...
      >::value;
    }

    static constexpr bool __is_explicitly_default_constructible()
    {
return __and_<is_default_constructible<_Types>...,
      __not_<__and_<
	std::__is_implicitly_default_constructible<_Types>...>
      >>::value;
    }
  };

// Partial specialization used when a required precondition isn't met,
// e.g. when sizeof...(_Types) != sizeof...(_UTypes).
template<typename... _Types>
  struct _TupleConstraints<false, _Types...>
  {
    template<typename... _UTypes>
static constexpr bool __is_implicitly_constructible()
{ return false; }

    template<typename... _UTypes>
static constexpr bool __is_explicitly_constructible()
{ return false; }
  };

/// Primary class template, tuple
template<typename... _Elements>
  class tuple : public _Tuple_impl<0, _Elements...>
  {
    typedef _Tuple_impl<0, _Elements...> _Inherited;

    template<bool _Cond>
using _TCC = _TupleConstraints<_Cond, _Elements...>;

    // Constraint for non-explicit default constructor
    template<bool _Dummy>
using _ImplicitDefaultCtor = __enable_if_t<
 _TCC<_Dummy>::__is_implicitly_default_constructible(),
 bool>;

    // Constraint for explicit default constructor
    template<bool _Dummy>
using _ExplicitDefaultCtor = __enable_if_t<
 _TCC<_Dummy>::__is_explicitly_default_constructible(),
 bool>;

    // Constraint for non-explicit constructors
    template<bool _Cond, typename... _Args>
using _ImplicitCtor = __enable_if_t<
 _TCC<_Cond>::template __is_implicitly_constructible<_Args...>(),
 bool>;

    // Constraint for non-explicit constructors
    template<bool _Cond, typename... _Args>
using _ExplicitCtor = __enable_if_t<
 _TCC<_Cond>::template __is_explicitly_constructible<_Args...>(),
 bool>;

    template<typename... _UElements>
static constexpr
__enable_if_t<sizeof...(_UElements) == sizeof...(_Elements), bool>
__assignable()
{ return __and_<is_assignable<_Elements&, _UElements>...>::value; }

    // Condition for noexcept-specifier of an assignment operator.
    template<typename... _UElements>
static constexpr bool __nothrow_assignable()
{
 return
   __and_<is_nothrow_assignable<_Elements&, _UElements>...>::value;
}

    // Condition for noexcept-specifier of a constructor.
    template<typename... _UElements>
static constexpr bool __nothrow_constructible()
{
 return
   __and_<is_nothrow_constructible<_Elements, _UElements>...>::value;
}

    // Constraint for tuple(_UTypes&&...) where sizeof...(_UTypes) == 1.
    template<typename _Up>
static constexpr bool __valid_args()
{
 return sizeof...(_Elements) == 1
   && !is_same<tuple, __remove_cvref_t<_Up>>::value;
}

    // Constraint for tuple(_UTypes&&...) where sizeof...(_UTypes) > 1.
    template<typename, typename, typename... _Tail>
static constexpr bool __valid_args()
{ return (sizeof...(_Tail) + 2) == sizeof...(_Elements); }

    /* Constraint for constructors with a tuple<UTypes...> parameter ensures
     * that the constructor is only viable when it would not interfere with
     * tuple(UTypes&&...) or tuple(const tuple&) or tuple(tuple&&).
     * Such constructors are only viable if:
     * either sizeof...(Types) != 1,
     * or (when Types... expands to T and UTypes... expands to U)
     * is_convertible_v<TUPLE, T>, is_constructible_v<T, TUPLE>,
     * and is_same_v<T, U> are all false.
     */
    template<typename _Tuple, typename = tuple,
      typename = __remove_cvref_t<_Tuple>>
struct _UseOtherCtor
: false_type
{ };
    // If TUPLE is convertible to the single element in *this,
    // then TUPLE should match tuple(UTypes&&...) instead.
    template<typename _Tuple, typename _Tp, typename _Up>
struct _UseOtherCtor<_Tuple, tuple<_Tp>, tuple<_Up>>
: __or_<is_convertible<_Tuple, _Tp>, is_constructible<_Tp, _Tuple>>
{ };
    // If TUPLE and *this each have a single element of the same type,
    // then TUPLE should match a copy/move constructor instead.
    template<typename _Tuple, typename _Tp>
struct _UseOtherCtor<_Tuple, tuple<_Tp>, tuple<_Tp>>
: true_type
{ };

    // Return true iff sizeof...(Types) == 1 && tuple_size_v<TUPLE> == 1
    // and the single element in Types can be initialized from TUPLE,
    // or is the same type as tuple_element_t<0, TUPLE>.
    template<typename _Tuple>
static constexpr bool __use_other_ctor()
{ return _UseOtherCtor<_Tuple>::value; }

  public:
    template<typename _Dummy = void,
      _ImplicitDefaultCtor<is_void<_Dummy>::value> = true>
constexpr
tuple()
noexcept(__and_<is_nothrow_default_constructible<_Elements>...>::value)
: _Inherited() { }

    template<typename _Dummy = void,
      _ExplicitDefaultCtor<is_void<_Dummy>::value> = false>
explicit constexpr
tuple()
noexcept(__and_<is_nothrow_default_constructible<_Elements>...>::value)
: _Inherited() { }

    template<bool _NotEmpty = (sizeof...(_Elements) >= 1),
      _ImplicitCtor<_NotEmpty, const _Elements&...> = true>
constexpr
tuple(const _Elements&... __elements)
noexcept(__nothrow_constructible<const _Elements&...>())
: _Inherited(__elements...) { }

    template<bool _NotEmpty = (sizeof...(_Elements) >= 1),
      _ExplicitCtor<_NotEmpty, const _Elements&...> = false>
explicit constexpr
tuple(const _Elements&... __elements)
noexcept(__nothrow_constructible<const _Elements&...>())
: _Inherited(__elements...) { }

    template<typename... _UElements,
      bool _Valid = __valid_args<_UElements...>(),
      _ImplicitCtor<_Valid, _UElements...> = true>
constexpr
tuple(_UElements&&... __elements)
noexcept(__nothrow_constructible<_UElements...>())
: _Inherited(std::forward<_UElements>(__elements)...) { }

    template<typename... _UElements,
      bool _Valid = __valid_args<_UElements...>(),
      _ExplicitCtor<_Valid, _UElements...> = false>
explicit constexpr
tuple(_UElements&&... __elements)
noexcept(__nothrow_constructible<_UElements...>())
: _Inherited(std::forward<_UElements>(__elements)...) {	}

    constexpr tuple(const tuple&) = default;

    constexpr tuple(tuple&&) = default;

    template<typename... _UElements,
      bool _Valid = (sizeof...(_Elements) == sizeof...(_UElements))
	   && !__use_other_ctor<const tuple<_UElements...>&>(),
      _ImplicitCtor<_Valid, const _UElements&...> = true>
constexpr
tuple(const tuple<_UElements...>& __in)
noexcept(__nothrow_constructible<const _UElements&...>())
: _Inherited(static_cast<const _Tuple_impl<0, _UElements...>&>(__in))
{ }

    template<typename... _UElements,
      bool _Valid = (sizeof...(_Elements) == sizeof...(_UElements))
	   && !__use_other_ctor<const tuple<_UElements...>&>(),
      _ExplicitCtor<_Valid, const _UElements&...> = false>
explicit constexpr
tuple(const tuple<_UElements...>& __in)
noexcept(__nothrow_constructible<const _UElements&...>())
: _Inherited(static_cast<const _Tuple_impl<0, _UElements...>&>(__in))
{ }

    template<typename... _UElements,
      bool _Valid = (sizeof...(_Elements) == sizeof...(_UElements))
	     && !__use_other_ctor<tuple<_UElements...>&&>(),
      _ImplicitCtor<_Valid, _UElements...> = true>
constexpr
tuple(tuple<_UElements...>&& __in)
noexcept(__nothrow_constructible<_UElements...>())
: _Inherited(static_cast<_Tuple_impl<0, _UElements...>&&>(__in)) { }

    template<typename... _UElements,
      bool _Valid = (sizeof...(_Elements) == sizeof...(_UElements))
	     && !__use_other_ctor<tuple<_UElements...>&&>(),
      _ExplicitCtor<_Valid, _UElements...> = false>
explicit constexpr
tuple(tuple<_UElements...>&& __in)
noexcept(__nothrow_constructible<_UElements...>())
: _Inherited(static_cast<_Tuple_impl<0, _UElements...>&&>(__in)) { }

    // Allocator-extended constructors.

    template<typename _Alloc,
      _ImplicitDefaultCtor<is_object<_Alloc>::value> = true>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a)
: _Inherited(__tag, __a) { }

    template<typename _Alloc, bool _NotEmpty = (sizeof...(_Elements) >= 1),
      _ImplicitCtor<_NotEmpty, const _Elements&...> = true>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a,
     const _Elements&... __elements)
: _Inherited(__tag, __a, __elements...) { }

    template<typename _Alloc, bool _NotEmpty = (sizeof...(_Elements) >= 1),
      _ExplicitCtor<_NotEmpty, const _Elements&...> = false>
_GLIBCXX20_CONSTEXPR
explicit
tuple(allocator_arg_t __tag, const _Alloc& __a,
     const _Elements&... __elements)
: _Inherited(__tag, __a, __elements...) { }

    template<typename _Alloc, typename... _UElements,
      bool _Valid = __valid_args<_UElements...>(),
      _ImplicitCtor<_Valid, _UElements...> = true>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a,
     _UElements&&... __elements)
: _Inherited(__tag, __a, std::forward<_UElements>(__elements)...)
{ }

    template<typename _Alloc, typename... _UElements,
 bool _Valid = __valid_args<_UElements...>(),
      _ExplicitCtor<_Valid, _UElements...> = false>
_GLIBCXX20_CONSTEXPR
explicit
tuple(allocator_arg_t __tag, const _Alloc& __a,
     _UElements&&... __elements)
: _Inherited(__tag, __a, std::forward<_UElements>(__elements)...)
{ }

    template<typename _Alloc>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a, const tuple& __in)
: _Inherited(__tag, __a, static_cast<const _Inherited&>(__in)) { }

    template<typename _Alloc>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a, tuple&& __in)
: _Inherited(__tag, __a, static_cast<_Inherited&&>(__in)) { }

    template<typename _Alloc, typename... _UElements,
      bool _Valid = (sizeof...(_Elements) == sizeof...(_UElements))
	     && !__use_other_ctor<const tuple<_UElements...>&>(),
      _ImplicitCtor<_Valid, const _UElements&...> = true>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a,
     const tuple<_UElements...>& __in)
: _Inherited(__tag, __a,
            static_cast<const _Tuple_impl<0, _UElements...>&>(__in))
{ }

    template<typename _Alloc, typename... _UElements,
      bool _Valid = (sizeof...(_Elements) == sizeof...(_UElements))
	     && !__use_other_ctor<const tuple<_UElements...>&>(),
      _ExplicitCtor<_Valid, const _UElements&...> = false>
_GLIBCXX20_CONSTEXPR
explicit
tuple(allocator_arg_t __tag, const _Alloc& __a,
     const tuple<_UElements...>& __in)
: _Inherited(__tag, __a,
            static_cast<const _Tuple_impl<0, _UElements...>&>(__in))
{ }

    template<typename _Alloc, typename... _UElements,
      bool _Valid = (sizeof...(_Elements) == sizeof...(_UElements))
	     && !__use_other_ctor<tuple<_UElements...>&&>(),
      _ImplicitCtor<_Valid, _UElements...> = true>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a,
     tuple<_UElements...>&& __in)
: _Inherited(__tag, __a,
            static_cast<_Tuple_impl<0, _UElements...>&&>(__in))
{ }

    template<typename _Alloc, typename... _UElements,
      bool _Valid = (sizeof...(_Elements) == sizeof...(_UElements))
	     && !__use_other_ctor<tuple<_UElements...>&&>(),
      _ExplicitCtor<_Valid, _UElements...> = false>
_GLIBCXX20_CONSTEXPR
explicit
tuple(allocator_arg_t __tag, const _Alloc& __a,
     tuple<_UElements...>&& __in)
: _Inherited(__tag, __a,
            static_cast<_Tuple_impl<0, _UElements...>&&>(__in))
{ }

    // tuple assignment

    _GLIBCXX20_CONSTEXPR
    tuple&
    operator=(typename conditional<__assignable<const _Elements&...>(),
		     const tuple&,
		     const __nonesuch&>::type __in)
    noexcept(__nothrow_assignable<const _Elements&...>())
    {
this->_M_assign(__in);
return *this;
    }

    _GLIBCXX20_CONSTEXPR
    tuple&
    operator=(typename conditional<__assignable<_Elements...>(),
		     tuple&&,
		     __nonesuch&&>::type __in)
    noexcept(__nothrow_assignable<_Elements...>())
    {
this->_M_assign(std::move(__in));
return *this;
    }

    template<typename... _UElements>
_GLIBCXX20_CONSTEXPR
__enable_if_t<__assignable<const _UElements&...>(), tuple&>
operator=(const tuple<_UElements...>& __in)
noexcept(__nothrow_assignable<const _UElements&...>())
{
 this->_M_assign(__in);
 return *this;
}

    template<typename... _UElements>
_GLIBCXX20_CONSTEXPR
__enable_if_t<__assignable<_UElements...>(), tuple&>
operator=(tuple<_UElements...>&& __in)
noexcept(__nothrow_assignable<_UElements...>())
{
 this->_M_assign(std::move(__in));
 return *this;
}

    // tuple swap
    _GLIBCXX20_CONSTEXPR
    void
    swap(tuple& __in)
    noexcept(__and_<__is_nothrow_swappable<_Elements>...>::value)
    { _Inherited::_M_swap(__in); }
  };

853#if __cpp_deduction_guides >= 201606
template<typename... _UTypes>
  tuple(_UTypes...) -> tuple<_UTypes...>;
template<typename _T1, typename _T2>
  tuple(pair<_T1, _T2>) -> tuple<_T1, _T2>;
template<typename _Alloc, typename... _UTypes>
  tuple(allocator_arg_t, _Alloc, _UTypes...) -> tuple<_UTypes...>;
template<typename _Alloc, typename _T1, typename _T2>
  tuple(allocator_arg_t, _Alloc, pair<_T1, _T2>) -> tuple<_T1, _T2>;
template<typename _Alloc, typename... _UTypes>
  tuple(allocator_arg_t, _Alloc, tuple<_UTypes...>) -> tuple<_UTypes...>;
864#endif

// Explicit specialization, zero-element tuple.
template<>
  class tuple<>
  {
  public:
    void swap(tuple&) noexcept { /* no-op */ }
    // We need the default since we're going to define no-op
    // allocator constructors.
    tuple() = default;
    // No-op allocator constructors.
    template<typename _Alloc>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t, const _Alloc&) noexcept { }
    template<typename _Alloc>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t, const _Alloc&, const tuple&) noexcept { }
  };

/// Partial specialization, 2-element tuple.
/// Includes construction and assignment from a pair.
template<typename _T1, typename _T2>
  class tuple<_T1, _T2> : public _Tuple_impl<0, _T1, _T2>
  {
    typedef _Tuple_impl<0, _T1, _T2> _Inherited;

    // Constraint for non-explicit default constructor
    template<bool _Dummy, typename _U1, typename _U2>
using _ImplicitDefaultCtor = __enable_if_t<
 _TupleConstraints<_Dummy, _U1, _U2>::
   __is_implicitly_default_constructible(),
 bool>;

    // Constraint for explicit default constructor
    template<bool _Dummy, typename _U1, typename _U2>
using _ExplicitDefaultCtor = __enable_if_t<
 _TupleConstraints<_Dummy, _U1, _U2>::
   __is_explicitly_default_constructible(),
 bool>;

    template<bool _Dummy>
using _TCC = _TupleConstraints<_Dummy, _T1, _T2>;

    // Constraint for non-explicit constructors
    template<bool _Cond, typename _U1, typename _U2>
using _ImplicitCtor = __enable_if_t<
 _TCC<_Cond>::template __is_implicitly_constructible<_U1, _U2>(),
 bool>;

    // Constraint for non-explicit constructors
    template<bool _Cond, typename _U1, typename _U2>
using _ExplicitCtor = __enable_if_t<
 _TCC<_Cond>::template __is_explicitly_constructible<_U1, _U2>(),
 bool>;

    template<typename _U1, typename _U2>
static constexpr bool __assignable()
{
 return __and_<is_assignable<_T1&, _U1>,
	is_assignable<_T2&, _U2>>::value;
}

    template<typename _U1, typename _U2>
static constexpr bool __nothrow_assignable()
{
 return __and_<is_nothrow_assignable<_T1&, _U1>,
	is_nothrow_assignable<_T2&, _U2>>::value;
}

    template<typename _U1, typename _U2>
static constexpr bool __nothrow_constructible()
{
 return __and_<is_nothrow_constructible<_T1, _U1>,
	    is_nothrow_constructible<_T2, _U2>>::value;
}

    static constexpr bool __nothrow_default_constructible()
    {
return __and_<is_nothrow_default_constructible<_T1>,
      is_nothrow_default_constructible<_T2>>::value;
    }

    template<typename _U1>
static constexpr bool __is_alloc_arg()
{ return is_same<__remove_cvref_t<_U1>, allocator_arg_t>::value; }

  public:
    template<bool _Dummy = true,
      _ImplicitDefaultCtor<_Dummy, _T1, _T2> = true>
constexpr
tuple()
noexcept(__nothrow_default_constructible())
: _Inherited() { }

    template<bool _Dummy = true,
      _ExplicitDefaultCtor<_Dummy, _T1, _T2> = false>
explicit constexpr
tuple()
noexcept(__nothrow_default_constructible())
: _Inherited() { }

    template<bool _Dummy = true,
      _ImplicitCtor<_Dummy, const _T1&, const _T2&> = true>
constexpr
tuple(const _T1& __a1, const _T2& __a2)
noexcept(__nothrow_constructible<const _T1&, const _T2&>())
: _Inherited(__a1, __a2) { }
11
←
Calling constructor for '_Tuple_impl<0UL, llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState> &, llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState> &>'→
16
←
Returning from constructor for '_Tuple_impl<0UL, llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState> &, llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState> &>'→

    template<bool _Dummy = true,
      _ExplicitCtor<_Dummy, const _T1&, const _T2&> = false>
explicit constexpr
tuple(const _T1& __a1, const _T2& __a2)
noexcept(__nothrow_constructible<const _T1&, const _T2&>())
: _Inherited(__a1, __a2) { }

    template<typename _U1, typename _U2,
      _ImplicitCtor<!__is_alloc_arg<_U1>(), _U1, _U2> = true>
constexpr
tuple(_U1&& __a1, _U2&& __a2)
noexcept(__nothrow_constructible<_U1, _U2>())
: _Inherited(std::forward<_U1>(__a1), std::forward<_U2>(__a2)) { }

    template<typename _U1, typename _U2,
      _ExplicitCtor<!__is_alloc_arg<_U1>(), _U1, _U2> = false>
explicit constexpr
tuple(_U1&& __a1, _U2&& __a2)
noexcept(__nothrow_constructible<_U1, _U2>())
: _Inherited(std::forward<_U1>(__a1), std::forward<_U2>(__a2)) { }

    constexpr tuple(const tuple&) = default;

    constexpr tuple(tuple&&) = default;

    template<typename _U1, typename _U2,
      _ImplicitCtor<true, const _U1&, const _U2&> = true>
constexpr
tuple(const tuple<_U1, _U2>& __in)
noexcept(__nothrow_constructible<const _U1&, const _U2&>())
: _Inherited(static_cast<const _Tuple_impl<0, _U1, _U2>&>(__in)) { }

    template<typename _U1, typename _U2,
      _ExplicitCtor<true, const _U1&, const _U2&> = false>
explicit constexpr
tuple(const tuple<_U1, _U2>& __in)
noexcept(__nothrow_constructible<const _U1&, const _U2&>())
: _Inherited(static_cast<const _Tuple_impl<0, _U1, _U2>&>(__in)) { }

    template<typename _U1, typename _U2,
      _ImplicitCtor<true, _U1, _U2> = true>
constexpr
tuple(tuple<_U1, _U2>&& __in)
noexcept(__nothrow_constructible<_U1, _U2>())
: _Inherited(static_cast<_Tuple_impl<0, _U1, _U2>&&>(__in)) { }

    template<typename _U1, typename _U2,
      _ExplicitCtor<true, _U1, _U2> = false>
explicit constexpr
tuple(tuple<_U1, _U2>&& __in)
noexcept(__nothrow_constructible<_U1, _U2>())
: _Inherited(static_cast<_Tuple_impl<0, _U1, _U2>&&>(__in)) { }

    template<typename _U1, typename _U2,
      _ImplicitCtor<true, const _U1&, const _U2&> = true>
constexpr
tuple(const pair<_U1, _U2>& __in)
noexcept(__nothrow_constructible<const _U1&, const _U2&>())
: _Inherited(__in.first, __in.second) { }

    template<typename _U1, typename _U2,
      _ExplicitCtor<true, const _U1&, const _U2&> = false>
explicit constexpr
tuple(const pair<_U1, _U2>& __in)
noexcept(__nothrow_constructible<const _U1&, const _U2&>())
: _Inherited(__in.first, __in.second) { }

    template<typename _U1, typename _U2,
      _ImplicitCtor<true, _U1, _U2> = true>
constexpr
tuple(pair<_U1, _U2>&& __in)
noexcept(__nothrow_constructible<_U1, _U2>())
: _Inherited(std::forward<_U1>(__in.first),
     std::forward<_U2>(__in.second)) { }

    template<typename _U1, typename _U2,
      _ExplicitCtor<true, _U1, _U2> = false>
explicit constexpr
tuple(pair<_U1, _U2>&& __in)
noexcept(__nothrow_constructible<_U1, _U2>())
: _Inherited(std::forward<_U1>(__in.first),
     std::forward<_U2>(__in.second)) { }

    // Allocator-extended constructors.

    template<typename _Alloc,
      _ImplicitDefaultCtor<is_object<_Alloc>::value, _T1, _T2> = true>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a)
: _Inherited(__tag, __a) { }

    template<typename _Alloc, bool _Dummy = true,
      _ImplicitCtor<_Dummy, const _T1&, const _T2&> = true>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a,
     const _T1& __a1, const _T2& __a2)
: _Inherited(__tag, __a, __a1, __a2) { }

    template<typename _Alloc, bool _Dummy = true,
      _ExplicitCtor<_Dummy, const _T1&, const _T2&> = false>
explicit
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a,
     const _T1& __a1, const _T2& __a2)
: _Inherited(__tag, __a, __a1, __a2) { }

    template<typename _Alloc, typename _U1, typename _U2,
      _ImplicitCtor<true, _U1, _U2> = true>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a, _U1&& __a1, _U2&& __a2)
: _Inherited(__tag, __a, std::forward<_U1>(__a1),
            std::forward<_U2>(__a2)) { }

    template<typename _Alloc, typename _U1, typename _U2,
      _ExplicitCtor<true, _U1, _U2> = false>
explicit
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a,
     _U1&& __a1, _U2&& __a2)
: _Inherited(__tag, __a, std::forward<_U1>(__a1),
            std::forward<_U2>(__a2)) { }

    template<typename _Alloc>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a, const tuple& __in)
: _Inherited(__tag, __a, static_cast<const _Inherited&>(__in)) { }

    template<typename _Alloc>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a, tuple&& __in)
: _Inherited(__tag, __a, static_cast<_Inherited&&>(__in)) { }

    template<typename _Alloc, typename _U1, typename _U2,
      _ImplicitCtor<true, const _U1&, const _U2&> = true>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a,
     const tuple<_U1, _U2>& __in)
: _Inherited(__tag, __a,
            static_cast<const _Tuple_impl<0, _U1, _U2>&>(__in))
{ }

    template<typename _Alloc, typename _U1, typename _U2,
      _ExplicitCtor<true, const _U1&, const _U2&> = false>
explicit
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a,
     const tuple<_U1, _U2>& __in)
: _Inherited(__tag, __a,
            static_cast<const _Tuple_impl<0, _U1, _U2>&>(__in))
{ }

    template<typename _Alloc, typename _U1, typename _U2,
      _ImplicitCtor<true, _U1, _U2> = true>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a, tuple<_U1, _U2>&& __in)
: _Inherited(__tag, __a, static_cast<_Tuple_impl<0, _U1, _U2>&&>(__in))
{ }

    template<typename _Alloc, typename _U1, typename _U2,
      _ExplicitCtor<true, _U1, _U2> = false>
explicit
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a, tuple<_U1, _U2>&& __in)
: _Inherited(__tag, __a, static_cast<_Tuple_impl<0, _U1, _U2>&&>(__in))
{ }

    template<typename _Alloc, typename _U1, typename _U2,
      _ImplicitCtor<true, const _U1&, const _U2&> = true>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a,
     const pair<_U1, _U2>& __in)
: _Inherited(__tag, __a, __in.first, __in.second) { }

    template<typename _Alloc, typename _U1, typename _U2,
      _ExplicitCtor<true, const _U1&, const _U2&> = false>
explicit
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a,
     const pair<_U1, _U2>& __in)
: _Inherited(__tag, __a, __in.first, __in.second) { }

    template<typename _Alloc, typename _U1, typename _U2,
      _ImplicitCtor<true, _U1, _U2> = true>
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a, pair<_U1, _U2>&& __in)
: _Inherited(__tag, __a, std::forward<_U1>(__in.first),
     std::forward<_U2>(__in.second)) { }

    template<typename _Alloc, typename _U1, typename _U2,
      _ExplicitCtor<true, _U1, _U2> = false>
explicit
_GLIBCXX20_CONSTEXPR
tuple(allocator_arg_t __tag, const _Alloc& __a, pair<_U1, _U2>&& __in)
: _Inherited(__tag, __a, std::forward<_U1>(__in.first),
     std::forward<_U2>(__in.second)) { }

    // Tuple assignment.

    _GLIBCXX20_CONSTEXPR
    tuple&
    operator=(typename conditional<__assignable<const _T1&, const _T2&>(),
		     const tuple&,
		     const __nonesuch&>::type __in)
    noexcept(__nothrow_assignable<const _T1&, const _T2&>())
    {
this->_M_assign(__in);
return *this;
    }

    _GLIBCXX20_CONSTEXPR
    tuple&
    operator=(typename conditional<__assignable<_T1, _T2>(),
		     tuple&&,
		     __nonesuch&&>::type __in)
    noexcept(__nothrow_assignable<_T1, _T2>())
    {
this->_M_assign(std::move(__in));
return *this;
    }

    template<typename _U1, typename _U2>
_GLIBCXX20_CONSTEXPR
__enable_if_t<__assignable<const _U1&, const _U2&>(), tuple&>
operator=(const tuple<_U1, _U2>& __in)
noexcept(__nothrow_assignable<const _U1&, const _U2&>())
{
 this->_M_assign(__in);
 return *this;
}

    template<typename _U1, typename _U2>
_GLIBCXX20_CONSTEXPR
__enable_if_t<__assignable<_U1, _U2>(), tuple&>
operator=(tuple<_U1, _U2>&& __in)
noexcept(__nothrow_assignable<_U1, _U2>())
{
 this->_M_assign(std::move(__in));
 return *this;
}

    template<typename _U1, typename _U2>
_GLIBCXX20_CONSTEXPR
__enable_if_t<__assignable<const _U1&, const _U2&>(), tuple&>
operator=(const pair<_U1, _U2>& __in)
noexcept(__nothrow_assignable<const _U1&, const _U2&>())
{
 this->_M_head(*this) = __in.first;
 this->_M_tail(*this)._M_head(*this) = __in.second;
 return *this;
}

    template<typename _U1, typename _U2>
_GLIBCXX20_CONSTEXPR
__enable_if_t<__assignable<_U1, _U2>(), tuple&>
operator=(pair<_U1, _U2>&& __in)
noexcept(__nothrow_assignable<_U1, _U2>())
{
 this->_M_head(*this) = std::forward<_U1>(__in.first);
 this->_M_tail(*this)._M_head(*this) = std::forward<_U2>(__in.second);
 return *this;
}

    _GLIBCXX20_CONSTEXPR
    void
    swap(tuple& __in)
    noexcept(__and_<__is_nothrow_swappable<_T1>,
      __is_nothrow_swappable<_T2>>::value)
    { _Inherited::_M_swap(__in); }
  };


/// class tuple_size
template<typename... _Elements>
  struct tuple_size<tuple<_Elements...>>
  : public integral_constant<std::size_t, sizeof...(_Elements)> { };

1249#if __cplusplus201402L > 201402L
template <typename _Tp>
  inline constexpr size_t tuple_size_v = tuple_size<_Tp>::value;
1252#endif

/**
 * Recursive case for tuple_element: strip off the first element in
 * the tuple and retrieve the (i-1)th element of the remaining tuple.
 */
template<std::size_t __i, typename _Head, typename... _Tail>
  struct tuple_element<__i, tuple<_Head, _Tail...> >
  : tuple_element<__i - 1, tuple<_Tail...> > { };

/**
 * Basis case for tuple_element: The first element is the one we're seeking.
 */
template<typename _Head, typename... _Tail>
  struct tuple_element<0, tuple<_Head, _Tail...> >
  {
    typedef _Head type;
  };

/**
 * Error case for tuple_element: invalid index.
 */
template<size_t __i>
  struct tuple_element<__i, tuple<>>
  {
    static_assert(__i < tuple_size<tuple<>>::value,
 "tuple index is in range");
  };

template<std::size_t __i, typename _Head, typename... _Tail>
  constexpr _Head&
  __get_helper(_Tuple_impl<__i, _Head, _Tail...>& __t) noexcept
  { return _Tuple_impl<__i, _Head, _Tail...>::_M_head(__t); }

template<std::size_t __i, typename _Head, typename... _Tail>
  constexpr const _Head&
  __get_helper(const _Tuple_impl<__i, _Head, _Tail...>& __t) noexcept
  { return _Tuple_impl<__i, _Head, _Tail...>::_M_head(__t); }

/// Return a reference to the ith element of a tuple.
template<std::size_t __i, typename... _Elements>
  constexpr __tuple_element_t<__i, tuple<_Elements...>>&
  get(tuple<_Elements...>& __t) noexcept
  { return std::__get_helper<__i>(__t); }

/// Return a const reference to the ith element of a const tuple.
template<std::size_t __i, typename... _Elements>
  constexpr const __tuple_element_t<__i, tuple<_Elements...>>&
  get(const tuple<_Elements...>& __t) noexcept
  { return std::__get_helper<__i>(__t); }

/// Return an rvalue reference to the ith element of a tuple rvalue.
template<std::size_t __i, typename... _Elements>
  constexpr __tuple_element_t<__i, tuple<_Elements...>>&&
  get(tuple<_Elements...>&& __t) noexcept
  {
    typedef __tuple_element_t<__i, tuple<_Elements...>> __element_type;
    return std::forward<__element_type&&>(std::get<__i>(__t));
  }

/// Return a const rvalue reference to the ith element of a const tuple rvalue.
template<std::size_t __i, typename... _Elements>
  constexpr const __tuple_element_t<__i, tuple<_Elements...>>&&
  get(const tuple<_Elements...>&& __t) noexcept
  {
    typedef __tuple_element_t<__i, tuple<_Elements...>> __element_type;
    return std::forward<const __element_type&&>(std::get<__i>(__t));
  }

1321#if __cplusplus201402L >= 201402L

1323#define __cpp_lib_tuples_by_type201304 201304

template<typename _Head, size_t __i, typename... _Tail>
  constexpr _Head&
  __get_helper2(_Tuple_impl<__i, _Head, _Tail...>& __t) noexcept
  { return _Tuple_impl<__i, _Head, _Tail...>::_M_head(__t); }

template<typename _Head, size_t __i, typename... _Tail>
  constexpr const _Head&
  __get_helper2(const _Tuple_impl<__i, _Head, _Tail...>& __t) noexcept
  { return _Tuple_impl<__i, _Head, _Tail...>::_M_head(__t); }

/// Return a reference to the unique element of type _Tp of a tuple.
template <typename _Tp, typename... _Types>
  constexpr _Tp&
  get(tuple<_Types...>& __t) noexcept
  { return std::__get_helper2<_Tp>(__t); }

/// Return a reference to the unique element of type _Tp of a tuple rvalue.
template <typename _Tp, typename... _Types>
  constexpr _Tp&&
  get(tuple<_Types...>&& __t) noexcept
  { return std::forward<_Tp&&>(std::__get_helper2<_Tp>(__t)); }

/// Return a const reference to the unique element of type _Tp of a tuple.
template <typename _Tp, typename... _Types>
  constexpr const _Tp&
  get(const tuple<_Types...>& __t) noexcept
  { return std::__get_helper2<_Tp>(__t); }

/// Return a const reference to the unique element of type _Tp of
/// a const tuple rvalue.
template <typename _Tp, typename... _Types>
  constexpr const _Tp&&
  get(const tuple<_Types...>&& __t) noexcept
  { return std::forward<const _Tp&&>(std::__get_helper2<_Tp>(__t)); }
1359#endif

// This class performs the comparison operations on tuples
template<typename _Tp, typename _Up, size_t __i, size_t __size>
  struct __tuple_compare
  {
    static constexpr bool
    __eq(const _Tp& __t, const _Up& __u)
    {
return bool(std::get<__i>(__t) == std::get<__i>(__u))
 && __tuple_compare<_Tp, _Up, __i + 1, __size>::__eq(__t, __u);
    }

    static constexpr bool
    __less(const _Tp& __t, const _Up& __u)
    {
return bool(std::get<__i>(__t) < std::get<__i>(__u))
 || (!bool(std::get<__i>(__u) < std::get<__i>(__t))
     && __tuple_compare<_Tp, _Up, __i + 1, __size>::__less(__t, __u));
    }
  };

template<typename _Tp, typename _Up, size_t __size>
  struct __tuple_compare<_Tp, _Up, __size, __size>
  {
    static constexpr bool
    __eq(const _Tp&, const _Up&) { return true; }

    static constexpr bool
    __less(const _Tp&, const _Up&) { return false; }
  };

template<typename... _TElements, typename... _UElements>
  constexpr bool
  operator==(const tuple<_TElements...>& __t,
      const tuple<_UElements...>& __u)
  {
    static_assert(sizeof...(_TElements) == sizeof...(_UElements),
 "tuple objects can only be compared if they have equal sizes.");
    using __compare = __tuple_compare<tuple<_TElements...>,
			tuple<_UElements...>,
			0, sizeof...(_TElements)>;
    return __compare::__eq(__t, __u);
  }

1404#if __cpp_lib_three_way_comparison
template<typename _Cat, typename _Tp, typename _Up>
  constexpr _Cat
  __tuple_cmp(const _Tp&, const _Up&, index_sequence<>)
  { return _Cat::equivalent; }

template<typename _Cat, typename _Tp, typename _Up,
  size_t _Idx0, size_t... _Idxs>
  constexpr _Cat
  __tuple_cmp(const _Tp& __t, const _Up& __u,
index_sequence<_Idx0, _Idxs...>)
  {
    auto __c
= __detail::__synth3way(std::get<_Idx0>(__t), std::get<_Idx0>(__u));
    if (__c != 0)
return __c;
    return std::__tuple_cmp<_Cat>(__t, __u, index_sequence<_Idxs...>());
  }

template<typename... _Tps, typename... _Ups>
  constexpr
  common_comparison_category_t<__detail::__synth3way_t<_Tps, _Ups>...>
  operator<=>(const tuple<_Tps...>& __t, const tuple<_Ups...>& __u)
  {
    using _Cat
= common_comparison_category_t<__detail::__synth3way_t<_Tps, _Ups>...>;
    return std::__tuple_cmp<_Cat>(__t, __u, index_sequence_for<_Tps...>());
  }
1432#else
template<typename... _TElements, typename... _UElements>
  constexpr bool
  operator<(const tuple<_TElements...>& __t,
     const tuple<_UElements...>& __u)
  {
    static_assert(sizeof...(_TElements) == sizeof...(_UElements),
 "tuple objects can only be compared if they have equal sizes.");
    using __compare = __tuple_compare<tuple<_TElements...>,
			tuple<_UElements...>,
			0, sizeof...(_TElements)>;
    return __compare::__less(__t, __u);
  }

template<typename... _TElements, typename... _UElements>
  constexpr bool
  operator!=(const tuple<_TElements...>& __t,
      const tuple<_UElements...>& __u)
  { return !(__t == __u); }

template<typename... _TElements, typename... _UElements>
  constexpr bool
  operator>(const tuple<_TElements...>& __t,
     const tuple<_UElements...>& __u)
  { return __u < __t; }

template<typename... _TElements, typename... _UElements>
  constexpr bool
  operator<=(const tuple<_TElements...>& __t,
      const tuple<_UElements...>& __u)
  { return !(__u < __t); }

template<typename... _TElements, typename... _UElements>
  constexpr bool
  operator>=(const tuple<_TElements...>& __t,
      const tuple<_UElements...>& __u)
  { return !(__t < __u); }
1469#endif // three_way_comparison

// NB: DR 705.
template<typename... _Elements>
  constexpr tuple<typename __decay_and_strip<_Elements>::__type...>
  make_tuple(_Elements&&... __args)
  {
    typedef tuple<typename __decay_and_strip<_Elements>::__type...>
__result_type;
    return __result_type(std::forward<_Elements>(__args)...);
  }

// _GLIBCXX_RESOLVE_LIB_DEFECTS
// 2275. Why is forward_as_tuple not constexpr?
/// std::forward_as_tuple
template<typename... _Elements>
  constexpr tuple<_Elements&&...>
  forward_as_tuple(_Elements&&... __args) noexcept
  { return tuple<_Elements&&...>(std::forward<_Elements>(__args)...); }

template<size_t, typename, typename, size_t>
  struct __make_tuple_impl;

template<size_t _Idx, typename _Tuple, typename... _Tp, size_t _Nm>
  struct __make_tuple_impl<_Idx, tuple<_Tp...>, _Tuple, _Nm>
  : __make_tuple_impl<_Idx + 1,
	tuple<_Tp..., __tuple_element_t<_Idx, _Tuple>>,
	_Tuple, _Nm>
  { };

template<std::size_t _Nm, typename _Tuple, typename... _Tp>
  struct __make_tuple_impl<_Nm, tuple<_Tp...>, _Tuple, _Nm>
  {
    typedef tuple<_Tp...> __type;
  };

template<typename _Tuple>
  struct __do_make_tuple
  : __make_tuple_impl<0, tuple<>, _Tuple, std::tuple_size<_Tuple>::value>
  { };

// Returns the std::tuple equivalent of a tuple-like type.
template<typename _Tuple>
  struct __make_tuple
  : public __do_make_tuple<__remove_cvref_t<_Tuple>>
  { };

// Combines several std::tuple's into a single one.
template<typename...>
  struct __combine_tuples;

template<>
  struct __combine_tuples<>
  {
    typedef tuple<> __type;
  };

template<typename... _Ts>
  struct __combine_tuples<tuple<_Ts...>>
  {
    typedef tuple<_Ts...> __type;
  };

template<typename... _T1s, typename... _T2s, typename... _Rem>
  struct __combine_tuples<tuple<_T1s...>, tuple<_T2s...>, _Rem...>
  {
    typedef typename __combine_tuples<tuple<_T1s..., _T2s...>,
			_Rem...>::__type __type;
  };

// Computes the result type of tuple_cat given a set of tuple-like types.
template<typename... _Tpls>
  struct __tuple_cat_result
  {
    typedef typename __combine_tuples
      <typename __make_tuple<_Tpls>::__type...>::__type __type;
  };

// Helper to determine the index set for the first tuple-like
// type of a given set.
template<typename...>
  struct __make_1st_indices;

template<>
  struct __make_1st_indices<>
  {
    typedef std::_Index_tuple<> __type;
  };

template<typename _Tp, typename... _Tpls>
  struct __make_1st_indices<_Tp, _Tpls...>
  {
    typedef typename std::_Build_index_tuple<std::tuple_size<
typename std::remove_reference<_Tp>::type>::value>::__type __type;
  };

// Performs the actual concatenation by step-wise expanding tuple-like
// objects into the elements,  which are finally forwarded into the
// result tuple.
template<typename _Ret, typename _Indices, typename... _Tpls>
  struct __tuple_concater;

template<typename _Ret, std::size_t... _Is, typename _Tp, typename... _Tpls>
  struct __tuple_concater<_Ret, std::_Index_tuple<_Is...>, _Tp, _Tpls...>
  {
    template<typename... _Us>
      static constexpr _Ret
      _S_do(_Tp&& __tp, _Tpls&&... __tps, _Us&&... __us)
      {
 typedef typename __make_1st_indices<_Tpls...>::__type __idx;
 typedef __tuple_concater<_Ret, __idx, _Tpls...>      __next;
 return __next::_S_do(std::forward<_Tpls>(__tps)...,
	       std::forward<_Us>(__us)...,
	       std::get<_Is>(std::forward<_Tp>(__tp))...);
}
  };

template<typename _Ret>
  struct __tuple_concater<_Ret, std::_Index_tuple<>>
  {
    template<typename... _Us>
static constexpr _Ret
_S_do(_Us&&... __us)
      {
 return _Ret(std::forward<_Us>(__us)...);
}
  };

/// tuple_cat
template<typename... _Tpls, typename = typename
         enable_if<__and_<__is_tuple_like<_Tpls>...>::value>::type>
  constexpr auto
  tuple_cat(_Tpls&&... __tpls)
  -> typename __tuple_cat_result<_Tpls...>::__type
  {
    typedef typename __tuple_cat_result<_Tpls...>::__type __ret;
    typedef typename __make_1st_indices<_Tpls...>::__type __idx;
    typedef __tuple_concater<__ret, __idx, _Tpls...> __concater;
    return __concater::_S_do(std::forward<_Tpls>(__tpls)...);
  }

// _GLIBCXX_RESOLVE_LIB_DEFECTS
// 2301. Why is tie not constexpr?
/// tie
template<typename... _Elements>
  constexpr tuple<_Elements&...>
  tie(_Elements&... __args) noexcept
  { return tuple<_Elements&...>(__args...); }
10
←
Calling constructor for 'tuple<llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState> &, llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState> &>'→
17
←
Returning from constructor for 'tuple<llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState> &, llvm::IntrusiveRefCntPtr<const clang::ento::ProgramState> &>'→

/// swap
template<typename... _Elements>
  _GLIBCXX20_CONSTEXPR
  inline
1622#if __cplusplus201402L > 201402L || !defined(__STRICT_ANSI__1) // c++1z or gnu++11
  // Constrained free swap overload, see p0185r1
  typename enable_if<__and_<__is_swappable<_Elements>...>::value
    >::type
1626#else
  void
1628#endif
  swap(tuple<_Elements...>& __x, tuple<_Elements...>& __y)
  noexcept(noexcept(__x.swap(__y)))
  { __x.swap(__y); }

1633#if __cplusplus201402L > 201402L || !defined(__STRICT_ANSI__1) // c++1z or gnu++11
template<typename... _Elements>
  _GLIBCXX20_CONSTEXPR
  typename enable_if<!__and_<__is_swappable<_Elements>...>::value>::type
  swap(tuple<_Elements...>&, tuple<_Elements...>&) = delete;
1638#endif

// A class (and instance) which can be used in 'tie' when an element
// of a tuple is not required.
// _GLIBCXX14_CONSTEXPR
// 2933. PR for LWG 2773 could be clearer
struct _Swallow_assign
{
  template<class _Tp>
    _GLIBCXX14_CONSTEXPRconstexpr const _Swallow_assign&
    operator=(const _Tp&) const
    { return *this; }
};

// _GLIBCXX_RESOLVE_LIB_DEFECTS
// 2773. Making std::ignore constexpr
_GLIBCXX17_INLINE constexpr _Swallow_assign ignore{};

/// Partial specialization for tuples
template<typename... _Types, typename _Alloc>
  struct uses_allocator<tuple<_Types...>, _Alloc> : true_type { };

// See stl_pair.h...
/** "piecewise construction" using a tuple of arguments for each member.
 *
 * @param __first Arguments for the first member of the pair.
 * @param __second Arguments for the second member of the pair.
 *
 * The elements of each tuple will be used as the constructor arguments
 * for the data members of the pair.
*/
template<class _T1, class _T2>
  template<typename... _Args1, typename... _Args2>
    _GLIBCXX20_CONSTEXPR
    inline
    pair<_T1, _T2>::
    pair(piecewise_construct_t,
  tuple<_Args1...> __first, tuple<_Args2...> __second)
    : pair(__first, __second,
    typename _Build_index_tuple<sizeof...(_Args1)>::__type(),
    typename _Build_index_tuple<sizeof...(_Args2)>::__type())
    { }

template<class _T1, class _T2>
  template<typename... _Args1, std::size_t... _Indexes1,
           typename... _Args2, std::size_t... _Indexes2>
    _GLIBCXX20_CONSTEXPR inline
    pair<_T1, _T2>::
    pair(tuple<_Args1...>& __tuple1, tuple<_Args2...>& __tuple2,
  _Index_tuple<_Indexes1...>, _Index_tuple<_Indexes2...>)
    : first(std::forward<_Args1>(std::get<_Indexes1>(__tuple1))...),
      second(std::forward<_Args2>(std::get<_Indexes2>(__tuple2))...)
    { }

1692#if __cplusplus201402L >= 201703L

// Unpack a std::tuple into a type trait and use its value.
// For cv std::tuple<_Up> the result is _Trait<_Tp, cv _Up...>::value.
// For cv std::tuple<_Up>& the result is _Trait<_Tp, cv _Up&...>::value.
// Otherwise the result is false (because we don't know if std::get throws).
template<template<typename...> class _Trait, typename _Tp, typename _Tuple>
  inline constexpr bool __unpack_std_tuple = false;

template<template<typename...> class _Trait, typename _Tp, typename... _Up>
  inline constexpr bool __unpack_std_tuple<_Trait, _Tp, tuple<_Up...>>
    = _Trait<_Tp, _Up...>::value;

template<template<typename...> class _Trait, typename _Tp, typename... _Up>
  inline constexpr bool __unpack_std_tuple<_Trait, _Tp, tuple<_Up...>&>
    = _Trait<_Tp, _Up&...>::value;

template<template<typename...> class _Trait, typename _Tp, typename... _Up>
  inline constexpr bool __unpack_std_tuple<_Trait, _Tp, const tuple<_Up...>>
    = _Trait<_Tp, const _Up...>::value;

template<template<typename...> class _Trait, typename _Tp, typename... _Up>
  inline constexpr bool __unpack_std_tuple<_Trait, _Tp, const tuple<_Up...>&>
    = _Trait<_Tp, const _Up&...>::value;

1717# define __cpp_lib_apply 201603

template <typename _Fn, typename _Tuple, size_t... _Idx>
  constexpr decltype(auto)
  __apply_impl(_Fn&& __f, _Tuple&& __t, index_sequence<_Idx...>)
  {
    return std::__invoke(std::forward<_Fn>(__f),
	   std::get<_Idx>(std::forward<_Tuple>(__t))...);
  }

template <typename _Fn, typename _Tuple>
  constexpr decltype(auto)
  apply(_Fn&& __f, _Tuple&& __t)
  noexcept(__unpack_std_tuple<is_nothrow_invocable, _Fn, _Tuple>)
  {
    using _Indices
= make_index_sequence<tuple_size_v<remove_reference_t<_Tuple>>>;
    return std::__apply_impl(std::forward<_Fn>(__f),
	       std::forward<_Tuple>(__t),
	       _Indices{});
  }

1739#define __cpp_lib_make_from_tuple  201606

template <typename _Tp, typename _Tuple, size_t... _Idx>
  constexpr _Tp
  __make_from_tuple_impl(_Tuple&& __t, index_sequence<_Idx...>)
  { return _Tp(std::get<_Idx>(std::forward<_Tuple>(__t))...); }

template <typename _Tp, typename _Tuple>
  constexpr _Tp
  make_from_tuple(_Tuple&& __t)
  noexcept(__unpack_std_tuple<is_nothrow_constructible, _Tp, _Tuple>)
  {
    return __make_from_tuple_impl<_Tp>(
      std::forward<_Tuple>(__t),
make_index_sequence<tuple_size_v<remove_reference_t<_Tuple>>>{});
  }
1755#endif // C++17

/// @}

1759_GLIBCXX_END_NAMESPACE_VERSION
1760} // namespace std

1762#endif // C++11

1764#endif // _GLIBCXX_TUPLE

←

/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h

→

1//===- SVals.h - Abstract Values for Static Analysis ------------*- C++ -*-===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9//  This file defines SVal, Loc, and NonLoc, classes that represent
10//  abstract r-values for use with path-sensitive value tracking.
11//
12//===----------------------------------------------------------------------===//

14#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_SVALS_H
15#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_SVALS_H

17#include "clang/AST/Expr.h"
18#include "clang/AST/Type.h"
19#include "clang/Basic/LLVM.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
21#include "llvm/ADT/FoldingSet.h"
22#include "llvm/ADT/ImmutableList.h"
23#include "llvm/ADT/None.h"
24#include "llvm/ADT/Optional.h"
25#include "llvm/ADT/PointerUnion.h"
26#include "llvm/Support/Casting.h"
27#include <cassert>
28#include <cstdint>
29#include <utility>

31//==------------------------------------------------------------------------==//
32//  Base SVal types.
33//==------------------------------------------------------------------------==//

35namespace clang {

37class CXXBaseSpecifier;
38class DeclaratorDecl;
39class FunctionDecl;
40class LabelDecl;

42namespace ento {

44class BasicValueFactory;
45class CompoundValData;
46class LazyCompoundValData;
47class MemRegion;
48class PointerToMemberData;
49class SValBuilder;
50class TypedValueRegion;

52namespace nonloc {

54/// Sub-kinds for NonLoc values.
55enum Kind {
56#define NONLOC_SVAL(Id, Parent) Id ## Kind,
57#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.def"
58};

60} // namespace nonloc

62namespace loc {

64/// Sub-kinds for Loc values.
65enum Kind {
66#define LOC_SVAL(Id, Parent) Id ## Kind,
67#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.def"
68};

70} // namespace loc

72/// SVal - This represents a symbolic expression, which can be either
73///  an L-value or an R-value.
74///
75class SVal {
76public:
enum BaseKind {
  // The enumerators must be representable using 2 bits.
79#define BASIC_SVAL(Id, Parent) Id ## Kind,
80#define ABSTRACT_SVAL_WITH_KIND(Id, Parent) Id ## Kind,
81#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.def"
};
enum { BaseBits = 2, BaseMask = 0b11 };

85protected:
const void *Data = nullptr;

/// The lowest 2 bits are a BaseKind (0 -- 3).
///  The higher bits are an unsigned "kind" value.
unsigned Kind = 0;

explicit SVal(const void *d, bool isLoc, unsigned ValKind)
    : Data(d), Kind((isLoc ? LocKind : NonLocKind) | (ValKind << BaseBits)) {}

explicit SVal(BaseKind k, const void *D = nullptr) : Data(D), Kind(k) {}

97public:
explicit SVal() = default;

/// Convert to the specified SVal type, asserting that this SVal is of
/// the desired type.
template<typename T>
T castAs() const {
  assert(T::isKind(*this))(static_cast <bool> (T::isKind(*this)) ? void (0) : __assert_fail
 ("T::isKind(*this)", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
, 104, __extension__ __PRETTY_FUNCTION__));
  return *static_cast<const T *>(this);
}

/// Convert to the specified SVal type, returning None if this SVal is
/// not of the desired type.
template<typename T>
Optional<T> getAs() const {
  if (!T::isKind(*this))
    return None;
  return *static_cast<const T *>(this);
}

unsigned getRawKind() const { return Kind; }
BaseKind getBaseKind() const { return (BaseKind) (Kind & BaseMask); }
unsigned getSubKind() const { return Kind >> BaseBits; }

// This method is required for using SVal in a FoldingSetNode.  It
// extracts a unique signature for this SVal object.
void Profile(llvm::FoldingSetNodeID &ID) const {
  ID.AddInteger((unsigned) getRawKind());
  ID.AddPointer(Data);
}

bool operator==(const SVal &R) const {
  return getRawKind() == R.getRawKind() && Data == R.Data;
}

bool operator!=(const SVal &R) const {
  return !(*this == R);
}

bool isUnknown() const {
  return getRawKind() == UnknownValKind;
34
←
Returning the value 1, which participates in a condition later→
}

bool isUndef() const {
  return getRawKind() == UndefinedValKind;
24
←
Assuming the condition is false→
25
←
Returning zero, which participates in a condition later→
}

bool isUnknownOrUndef() const {
  return getRawKind() <= UnknownValKind;
}

bool isValid() const {
  return getRawKind() > UnknownValKind;
}

bool isConstant() const;

bool isConstant(int I) const;

bool isZeroConstant() const;

/// hasConjuredSymbol - If this SVal wraps a conjured symbol, return true;
bool hasConjuredSymbol() const;

/// getAsFunctionDecl - If this SVal is a MemRegionVal and wraps a
/// CodeTextRegion wrapping a FunctionDecl, return that FunctionDecl.
/// Otherwise return 0.
const FunctionDecl *getAsFunctionDecl() const;

/// If this SVal is a location and wraps a symbol, return that
///  SymbolRef. Otherwise return 0.
///
/// Casts are ignored during lookup.
/// \param IncludeBaseRegions The boolean that controls whether the search
/// should continue to the base regions if the region is not symbolic.
SymbolRef getAsLocSymbol(bool IncludeBaseRegions = false) const;

/// Get the symbol in the SVal or its base region.
SymbolRef getLocSymbolInBase() const;

/// If this SVal wraps a symbol return that SymbolRef.
/// Otherwise, return 0.
///
/// Casts are ignored during lookup.
/// \param IncludeBaseRegions The boolean that controls whether the search
/// should continue to the base regions if the region is not symbolic.
SymbolRef getAsSymbol(bool IncludeBaseRegions = false) const;

const MemRegion *getAsRegion() const;

/// printJson - Pretty-prints in JSON format.
void printJson(raw_ostream &Out, bool AddQuotes) const;

void dumpToStream(raw_ostream &OS) const;
void dump() const;

SymExpr::symbol_iterator symbol_begin() const {
  const SymExpr *SE = getAsSymbol(/*IncludeBaseRegions=*/true);
  if (SE)
    return SE->symbol_begin();
  else
    return SymExpr::symbol_iterator();
}

SymExpr::symbol_iterator symbol_end() const {
  return SymExpr::symbol_end();
}

/// Try to get a reasonable type for the given value.
///
/// \returns The best approximation of the value type or Null.
/// In theory, all symbolic values should be typed, but this function
/// is still a WIP and might have a few blind spots.
///
/// \note This function should not be used when the user has access to the
/// bound expression AST node as well, since AST always has exact types.
///
/// \note Loc values are interpreted as pointer rvalues for the purposes of
/// this method.
QualType getType(const ASTContext &) const;
217};

219inline raw_ostream &operator<<(raw_ostream &os, clang::ento::SVal V) {
V.dumpToStream(os);
return os;
222}

224class UndefinedVal : public SVal {
225public:
UndefinedVal() : SVal(UndefinedValKind) {}

228private:
friend class SVal;

static bool isKind(const SVal& V) {
  return V.getBaseKind() == UndefinedValKind;
}
234};

236class DefinedOrUnknownSVal : public SVal {
237public:
// We want calling these methods to be a compiler error since they are
// tautologically false.
bool isUndef() const = delete;
bool isValid() const = delete;

243protected:
DefinedOrUnknownSVal() = default;
explicit DefinedOrUnknownSVal(const void *d, bool isLoc, unsigned ValKind)
    : SVal(d, isLoc, ValKind) {}
explicit DefinedOrUnknownSVal(BaseKind k, void *D = nullptr) : SVal(k, D) {}

249private:
friend class SVal;

static bool isKind(const SVal& V) {
  return !V.isUndef();
}
255};

257class UnknownVal : public DefinedOrUnknownSVal {
258public:
explicit UnknownVal() : DefinedOrUnknownSVal(UnknownValKind) {}

261private:
friend class SVal;

static bool isKind(const SVal &V) {
  return V.getBaseKind() == UnknownValKind;
}
267};

269class DefinedSVal : public DefinedOrUnknownSVal {
270public:
// We want calling these methods to be a compiler error since they are
// tautologically true/false.
bool isUnknown() const = delete;
bool isUnknownOrUndef() const = delete;
bool isValid() const = delete;

277protected:
DefinedSVal() = default;
explicit DefinedSVal(const void *d, bool isLoc, unsigned ValKind)
    : DefinedOrUnknownSVal(d, isLoc, ValKind) {}

282private:
friend class SVal;

static bool isKind(const SVal& V) {
  return !V.isUnknownOrUndef();
}
288};

290/// Represents an SVal that is guaranteed to not be UnknownVal.
291class KnownSVal : public SVal {
friend class SVal;

KnownSVal() = default;

static bool isKind(const SVal &V) {
  return !V.isUnknown();
}

300public:
KnownSVal(const DefinedSVal &V) : SVal(V) {}
KnownSVal(const UndefinedVal &V) : SVal(V) {}
303};

305class NonLoc : public DefinedSVal {
306protected:
NonLoc() = default;
explicit NonLoc(unsigned SubKind, const void *d)
    : DefinedSVal(d, false, SubKind) {}

311public:
void dumpToStream(raw_ostream &Out) const;

static bool isCompoundType(QualType T) {
  return T->isArrayType() || T->isRecordType() ||
         T->isAnyComplexType() || T->isVectorType();
}

319private:
friend class SVal;

static bool isKind(const SVal& V) {
  return V.getBaseKind() == NonLocKind;
}
325};

327class Loc : public DefinedSVal {
328protected:
Loc() = default;
explicit Loc(unsigned SubKind, const void *D)
    : DefinedSVal(const_cast<void *>(D), true, SubKind) {}

333public:
void dumpToStream(raw_ostream &Out) const;

static bool isLocType(QualType T) {
  return T->isAnyPointerType() || T->isBlockPointerType() ||
         T->isReferenceType() || T->isNullPtrType();
}

341private:
friend class SVal;

static bool isKind(const SVal& V) {
  return V.getBaseKind() == LocKind;
}
347};

349//==------------------------------------------------------------------------==//
350//  Subclasses of NonLoc.
351//==------------------------------------------------------------------------==//

353namespace nonloc {

355/// Represents symbolic expression that isn't a location.
356class SymbolVal : public NonLoc {
357public:
SymbolVal() = delete;
SymbolVal(SymbolRef sym) : NonLoc(SymbolValKind, sym) {
  assert(sym)(static_cast <bool> (sym) ? void (0) : __assert_fail ("sym"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
, 360, __extension__ __PRETTY_FUNCTION__));
  assert(!Loc::isLocType(sym->getType()))(static_cast <bool> (!Loc::isLocType(sym->getType())
) ? void (0) : __assert_fail ("!Loc::isLocType(sym->getType())"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
, 361, __extension__ __PRETTY_FUNCTION__));
}

SymbolRef getSymbol() const {
  return (const SymExpr *) Data;
}

bool isExpression() const {
  return !isa<SymbolData>(getSymbol());
}

372private:
friend class SVal;

static bool isKind(const SVal& V) {
  return V.getBaseKind() == NonLocKind &&
         V.getSubKind() == SymbolValKind;
}

static bool isKind(const NonLoc& V) {
  return V.getSubKind() == SymbolValKind;
}
383};

385/// Value representing integer constant.
386class ConcreteInt : public NonLoc {
387public:
explicit ConcreteInt(const llvm::APSInt& V) : NonLoc(ConcreteIntKind, &V) {}

const llvm::APSInt& getValue() const {
  return *static_cast<const llvm::APSInt *>(Data);
}

// Transfer functions for binary/unary operations on ConcreteInts.
SVal evalBinOp(SValBuilder &svalBuilder, BinaryOperator::Opcode Op,
               const ConcreteInt& R) const;

ConcreteInt evalComplement(SValBuilder &svalBuilder) const;

ConcreteInt evalMinus(SValBuilder &svalBuilder) const;

402private:
friend class SVal;

ConcreteInt() = default;

static bool isKind(const SVal& V) {
  return V.getBaseKind() == NonLocKind &&
         V.getSubKind() == ConcreteIntKind;
}

static bool isKind(const NonLoc& V) {
  return V.getSubKind() == ConcreteIntKind;
}
415};

417class LocAsInteger : public NonLoc {
friend class ento::SValBuilder;

explicit LocAsInteger(const std::pair<SVal, uintptr_t> &data)
    : NonLoc(LocAsIntegerKind, &data) {
  // We do not need to represent loc::ConcreteInt as LocAsInteger,
  // as it'd collapse into a nonloc::ConcreteInt instead.
  assert(data.first.getBaseKind() == LocKind &&(static_cast <bool> (data.first.getBaseKind() == LocKind
 && (data.first.getSubKind() == loc::MemRegionValKind
 || data.first.getSubKind() == loc::GotoLabelKind)) ? void (0
) : __assert_fail ("data.first.getBaseKind() == LocKind && (data.first.getSubKind() == loc::MemRegionValKind || data.first.getSubKind() == loc::GotoLabelKind)"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
, 426, __extension__ __PRETTY_FUNCTION__))
         (data.first.getSubKind() == loc::MemRegionValKind ||(static_cast <bool> (data.first.getBaseKind() == LocKind
 && (data.first.getSubKind() == loc::MemRegionValKind
 || data.first.getSubKind() == loc::GotoLabelKind)) ? void (0
) : __assert_fail ("data.first.getBaseKind() == LocKind && (data.first.getSubKind() == loc::MemRegionValKind || data.first.getSubKind() == loc::GotoLabelKind)"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
, 426, __extension__ __PRETTY_FUNCTION__))
          data.first.getSubKind() == loc::GotoLabelKind))(static_cast <bool> (data.first.getBaseKind() == LocKind
 && (data.first.getSubKind() == loc::MemRegionValKind
 || data.first.getSubKind() == loc::GotoLabelKind)) ? void (0
) : __assert_fail ("data.first.getBaseKind() == LocKind && (data.first.getSubKind() == loc::MemRegionValKind || data.first.getSubKind() == loc::GotoLabelKind)"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
, 426, __extension__ __PRETTY_FUNCTION__));
}

429public:
Loc getLoc() const {
  const std::pair<SVal, uintptr_t> *D =
    static_cast<const std::pair<SVal, uintptr_t> *>(Data);
  return D->first.castAs<Loc>();
}

Loc getPersistentLoc() const {
  const std::pair<SVal, uintptr_t> *D =
    static_cast<const std::pair<SVal, uintptr_t> *>(Data);
  const SVal& V = D->first;
  return V.castAs<Loc>();
}

unsigned getNumBits() const {
  const std::pair<SVal, uintptr_t> *D =
    static_cast<const std::pair<SVal, uintptr_t> *>(Data);
  return D->second;
}

449private:
friend class SVal;

LocAsInteger() = default;

static bool isKind(const SVal& V) {
  return V.getBaseKind() == NonLocKind &&
         V.getSubKind() == LocAsIntegerKind;
}

static bool isKind(const NonLoc& V) {
  return V.getSubKind() == LocAsIntegerKind;
}
462};

464class CompoundVal : public NonLoc {
friend class ento::SValBuilder;

explicit CompoundVal(const CompoundValData* D) : NonLoc(CompoundValKind, D) {}

469public:
const CompoundValData* getValue() const {
  return static_cast<const CompoundValData *>(Data);
}

using iterator = llvm::ImmutableList<SVal>::iterator;

iterator begin() const;
iterator end() const;

479private:
friend class SVal;

CompoundVal() = default;

static bool isKind(const SVal& V) {
  return V.getBaseKind() == NonLocKind && V.getSubKind() == CompoundValKind;
}

static bool isKind(const NonLoc& V) {
  return V.getSubKind() == CompoundValKind;
}
491};

493class LazyCompoundVal : public NonLoc {
friend class ento::SValBuilder;

explicit LazyCompoundVal(const LazyCompoundValData *D)
    : NonLoc(LazyCompoundValKind, D) {}

499public:
const LazyCompoundValData *getCVData() const {
  return static_cast<const LazyCompoundValData *>(Data);
}

const void *getStore() const;
const TypedValueRegion *getRegion() const;

507private:
friend class SVal;

LazyCompoundVal() = default;

static bool isKind(const SVal& V) {
  return V.getBaseKind() == NonLocKind &&
         V.getSubKind() == LazyCompoundValKind;
}

static bool isKind(const NonLoc& V) {
  return V.getSubKind() == LazyCompoundValKind;
}
520};

522/// Value representing pointer-to-member.
523///
524/// This value is qualified as NonLoc because neither loading nor storing
525/// operations are applied to it. Instead, the analyzer uses the L-value coming
526/// from pointer-to-member applied to an object.
527/// This SVal is represented by a NamedDecl which can be a member function
528/// pointer or a member data pointer and an optional list of CXXBaseSpecifiers.
529/// This list is required to accumulate the pointer-to-member cast history to
530/// figure out the correct subobject field. In particular, implicit casts grow
531/// this list and explicit casts like static_cast shrink this list.
532class PointerToMember : public NonLoc {
friend class ento::SValBuilder;

535public:
using PTMDataType =
    llvm::PointerUnion<const NamedDecl *, const PointerToMemberData *>;

const PTMDataType getPTMData() const {
  return PTMDataType::getFromOpaqueValue(const_cast<void *>(Data));
}

bool isNullMemberPointer() const;

const NamedDecl *getDecl() const;

template<typename AdjustedDecl>
const AdjustedDecl *getDeclAs() const {
  return dyn_cast_or_null<AdjustedDecl>(getDecl());
}

using iterator = llvm::ImmutableList<const CXXBaseSpecifier *>::iterator;

iterator begin() const;
iterator end() const;

557private:
friend class SVal;

PointerToMember() = default;
explicit PointerToMember(const PTMDataType D)
    : NonLoc(PointerToMemberKind, D.getOpaqueValue()) {}

static bool isKind(const SVal& V) {
  return V.getBaseKind() == NonLocKind &&
         V.getSubKind() == PointerToMemberKind;
}

static bool isKind(const NonLoc& V) {
  return V.getSubKind() == PointerToMemberKind;
}
572};

574} // namespace nonloc

576//==------------------------------------------------------------------------==//
577//  Subclasses of Loc.
578//==------------------------------------------------------------------------==//

580namespace loc {

582class GotoLabel : public Loc {
583public:
explicit GotoLabel(const LabelDecl *Label) : Loc(GotoLabelKind, Label) {
  assert(Label)(static_cast <bool> (Label) ? void (0) : __assert_fail (
"Label", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
, 585, __extension__ __PRETTY_FUNCTION__));
}

const LabelDecl *getLabel() const {
  return static_cast<const LabelDecl *>(Data);
}

592private:
friend class SVal;

GotoLabel() = default;

static bool isKind(const SVal& V) {
  return V.getBaseKind() == LocKind && V.getSubKind() == GotoLabelKind;
}

static bool isKind(const Loc& V) {
  return V.getSubKind() == GotoLabelKind;
}
604};

606class MemRegionVal : public Loc {
607public:
explicit MemRegionVal(const MemRegion* r) : Loc(MemRegionValKind, r) {
  assert(r)(static_cast <bool> (r) ? void (0) : __assert_fail ("r"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
, 609, __extension__ __PRETTY_FUNCTION__));
}

/// Get the underlining region.
const MemRegion *getRegion() const {
  return static_cast<const MemRegion *>(Data);
}

/// Get the underlining region and strip casts.
const MemRegion* stripCasts(bool StripBaseCasts = true) const;

template <typename REGION>
const REGION* getRegionAs() const {
  return dyn_cast<REGION>(getRegion());
}

bool operator==(const MemRegionVal &R) const {
  return getRegion() == R.getRegion();
}

bool operator!=(const MemRegionVal &R) const {
  return getRegion() != R.getRegion();
}

633private:
friend class SVal;

MemRegionVal() = default;

static bool isKind(const SVal& V) {
  return V.getBaseKind() == LocKind &&
         V.getSubKind() == MemRegionValKind;
}

static bool isKind(const Loc& V) {
  return V.getSubKind() == MemRegionValKind;
}
646};

648class ConcreteInt : public Loc {
649public:
explicit ConcreteInt(const llvm::APSInt& V) : Loc(ConcreteIntKind, &V) {}

const llvm::APSInt &getValue() const {
  return *static_cast<const llvm::APSInt *>(Data);
}

// Transfer functions for binary/unary operations on ConcreteInts.
SVal evalBinOp(BasicValueFactory& BasicVals, BinaryOperator::Opcode Op,
               const ConcreteInt& R) const;

660private:
friend class SVal;

ConcreteInt() = default;

static bool isKind(const SVal& V) {
  return V.getBaseKind() == LocKind &&
         V.getSubKind() == ConcreteIntKind;
}

static bool isKind(const Loc& V) {
  return V.getSubKind() == ConcreteIntKind;
}
673};

675} // namespace loc

677} // namespace ento

679} // namespace clang

681#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_SVALS_H

←

/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h

→

1//== ProgramState.h - Path-sensitive "State" for tracking values -*- C++ -*--=//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines the state of the program along the analysisa path.
10//
11//===----------------------------------------------------------------------===//

13#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_PROGRAMSTATE_H
14#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_PROGRAMSTATE_H

16#include "clang/Basic/LLVM.h"
17#include "clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h"
18#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/Environment.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
21#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
22#include "clang/StaticAnalyzer/Core/PathSensitive/Store.h"
23#include "llvm/ADT/FoldingSet.h"
24#include "llvm/ADT/ImmutableMap.h"
25#include "llvm/Support/Allocator.h"
26#include <utility>

28namespace llvm {
29class APSInt;
30}

32namespace clang {
33class ASTContext;

35namespace ento {

37class AnalysisManager;
38class CallEvent;
39class CallEventManager;

41typedef std::unique_ptr<ConstraintManager>(*ConstraintManagerCreator)(
  ProgramStateManager &, ExprEngine *);
43typedef std::unique_ptr<StoreManager>(*StoreManagerCreator)(
  ProgramStateManager &);

46//===----------------------------------------------------------------------===//
47// ProgramStateTrait - Traits used by the Generic Data Map of a ProgramState.
48//===----------------------------------------------------------------------===//

50template <typename T> struct ProgramStatePartialTrait;

52template <typename T> struct ProgramStateTrait {
typedef typename T::data_type data_type;
static inline void *MakeVoidPtr(data_type D) { return (void*) D; }
static inline data_type MakeData(void *const* P) {
  return P ? (data_type) *P : (data_type) 0;
}
58};

60/// \class ProgramState
61/// ProgramState - This class encapsulates:
62///
63///    1. A mapping from expressions to values (Environment)
64///    2. A mapping from locations to values (Store)
65///    3. Constraints on symbolic values (GenericDataMap)
66///
67///  Together these represent the "abstract state" of a program.
68///
69///  ProgramState is intended to be used as a functional object; that is,
70///  once it is created and made "persistent" in a FoldingSet, its
71///  values will never change.
72class ProgramState : public llvm::FoldingSetNode {
73public:
typedef llvm::ImmutableSet<llvm::APSInt*>                IntSetTy;
typedef llvm::ImmutableMap<void*, void*>                 GenericDataMap;

77private:
void operator=(const ProgramState& R) = delete;

friend class ProgramStateManager;
friend class ExplodedGraph;
friend class ExplodedNode;

ProgramStateManager *stateMgr;
Environment Env;           // Maps a Stmt to its current SVal.
Store store;               // Maps a location to its current value.
GenericDataMap   GDM;      // Custom data stored by a client of this class.
unsigned refCount;

/// makeWithStore - Return a ProgramState with the same values as the current
///  state with the exception of using the specified Store.
ProgramStateRef makeWithStore(const StoreRef &store) const;

void setStore(const StoreRef &storeRef);

96public:
/// This ctor is used when creating the first ProgramState object.
ProgramState(ProgramStateManager *mgr, const Environment& env,
        StoreRef st, GenericDataMap gdm);

/// Copy ctor - We must explicitly define this or else the "Next" ptr
///  in FoldingSetNode will also get copied.
ProgramState(const ProgramState &RHS);

~ProgramState();

int64_t getID() const;

/// Return the ProgramStateManager associated with this state.
ProgramStateManager &getStateManager() const {
  return *stateMgr;
}

AnalysisManager &getAnalysisManager() const;

/// Return the ConstraintManager.
ConstraintManager &getConstraintManager() const;

/// getEnvironment - Return the environment associated with this state.
///  The environment is the mapping from expressions to values.
const Environment& getEnvironment() const { return Env; }

/// Return the store associated with this state.  The store
///  is a mapping from locations to values.
Store getStore() const { return store; }


/// getGDM - Return the generic data map associated with this state.
GenericDataMap getGDM() const { return GDM; }

void setGDM(GenericDataMap gdm) { GDM = gdm; }

/// Profile - Profile the contents of a ProgramState object for use in a
///  FoldingSet.  Two ProgramState objects are considered equal if they
///  have the same Environment, Store, and GenericDataMap.
static void Profile(llvm::FoldingSetNodeID& ID, const ProgramState *V) {
  V->Env.Profile(ID);
  ID.AddPointer(V->store);
  V->GDM.Profile(ID);
}

/// Profile - Used to profile the contents of this object for inclusion
///  in a FoldingSet.
void Profile(llvm::FoldingSetNodeID& ID) const {
  Profile(ID, this);
}

BasicValueFactory &getBasicVals() const;
SymbolManager &getSymbolManager() const;

//==---------------------------------------------------------------------==//
// Constraints on values.
//==---------------------------------------------------------------------==//
//
// Each ProgramState records constraints on symbolic values.  These constraints
// are managed using the ConstraintManager associated with a ProgramStateManager.
// As constraints gradually accrue on symbolic values, added constraints
// may conflict and indicate that a state is infeasible (as no real values
// could satisfy all the constraints).  This is the principal mechanism
// for modeling path-sensitivity in ExprEngine/ProgramState.
//
// Various "assume" methods form the interface for adding constraints to
// symbolic values.  A call to 'assume' indicates an assumption being placed
// on one or symbolic values.  'assume' methods take the following inputs:
//
//  (1) A ProgramState object representing the current state.
//
//  (2) The assumed constraint (which is specific to a given "assume" method).
//
//  (3) A binary value "Assumption" that indicates whether the constraint is
//      assumed to be true or false.
//
// The output of "assume*" is a new ProgramState object with the added constraints.
// If no new state is feasible, NULL is returned.
//

/// Assumes that the value of \p cond is zero (if \p assumption is "false")
/// or non-zero (if \p assumption is "true").
///
/// This returns a new state with the added constraint on \p cond.
/// If no new state is feasible, NULL is returned.
LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef assume(DefinedOrUnknownSVal cond,
                                      bool assumption) const;

/// Assumes both "true" and "false" for \p cond, and returns both
/// corresponding states (respectively).
///
/// This is more efficient than calling assume() twice. Note that one (but not
/// both) of the returned states may be NULL.
LLVM_NODISCARD[[clang::warn_unused_result]] std::pair<ProgramStateRef, ProgramStateRef>
assume(DefinedOrUnknownSVal cond) const;

LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef
assumeInBound(DefinedOrUnknownSVal idx, DefinedOrUnknownSVal upperBound,
              bool assumption, QualType IndexType = QualType()) const;

/// Assumes that the value of \p Val is bounded with [\p From; \p To]
/// (if \p assumption is "true") or it is fully out of this range
/// (if \p assumption is "false").
///
/// This returns a new state with the added constraint on \p cond.
/// If no new state is feasible, NULL is returned.
LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef assumeInclusiveRange(DefinedOrUnknownSVal Val,
                                                    const llvm::APSInt &From,
                                                    const llvm::APSInt &To,
                                                    bool assumption) const;

/// Assumes given range both "true" and "false" for \p Val, and returns both
/// corresponding states (respectively).
///
/// This is more efficient than calling assume() twice. Note that one (but not
/// both) of the returned states may be NULL.
LLVM_NODISCARD[[clang::warn_unused_result]] std::pair<ProgramStateRef, ProgramStateRef>
assumeInclusiveRange(DefinedOrUnknownSVal Val, const llvm::APSInt &From,
                     const llvm::APSInt &To) const;

/// Check if the given SVal is not constrained to zero and is not
///        a zero constant.
ConditionTruthVal isNonNull(SVal V) const;

/// Check if the given SVal is constrained to zero or is a zero
///        constant.
ConditionTruthVal isNull(SVal V) const;

/// \return Whether values \p Lhs and \p Rhs are equal.
ConditionTruthVal areEqual(SVal Lhs, SVal Rhs) const;

/// Utility method for getting regions.
const VarRegion* getRegion(const VarDecl *D, const LocationContext *LC) const;

//==---------------------------------------------------------------------==//
// Binding and retrieving values to/from the environment and symbolic store.
//==---------------------------------------------------------------------==//

/// Create a new state by binding the value 'V' to the statement 'S' in the
/// state's environment.
LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef BindExpr(const Stmt *S,
                                        const LocationContext *LCtx, SVal V,
                                        bool Invalidate = true) const;

LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef bindLoc(Loc location, SVal V,
                                       const LocationContext *LCtx,
                                       bool notifyChanges = true) const;

LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef bindLoc(SVal location, SVal V,
                                       const LocationContext *LCtx) const;

/// Initializes the region of memory represented by \p loc with an initial
/// value. Once initialized, all values loaded from any sub-regions of that
/// region will be equal to \p V, unless overwritten later by the program.
/// This method should not be used on regions that are already initialized.
/// If you need to indicate that memory contents have suddenly become unknown
/// within a certain region of memory, consider invalidateRegions().
LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef
bindDefaultInitial(SVal loc, SVal V, const LocationContext *LCtx) const;

/// Performs C++ zero-initialization procedure on the region of memory
/// represented by \p loc.
LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef
bindDefaultZero(SVal loc, const LocationContext *LCtx) const;

LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef killBinding(Loc LV) const;

/// Returns the state with bindings for the given regions
///  cleared from the store.
///
/// Optionally invalidates global regions as well.
///
/// \param Regions the set of regions to be invalidated.
/// \param E the expression that caused the invalidation.
/// \param BlockCount The number of times the current basic block has been
//         visited.
/// \param CausesPointerEscape the flag is set to true when
///        the invalidation entails escape of a symbol (representing a
///        pointer). For example, due to it being passed as an argument in a
///        call.
/// \param IS the set of invalidated symbols.
/// \param Call if non-null, the invalidated regions represent parameters to
///        the call and should be considered directly invalidated.
/// \param ITraits information about special handling for a particular
///        region/symbol.
LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef
invalidateRegions(ArrayRef<const MemRegion *> Regions, const Expr *E,
                  unsigned BlockCount, const LocationContext *LCtx,
                  bool CausesPointerEscape, InvalidatedSymbols *IS = nullptr,
                  const CallEvent *Call = nullptr,
                  RegionAndSymbolInvalidationTraits *ITraits = nullptr) const;

LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef
invalidateRegions(ArrayRef<SVal> Regions, const Expr *E,
                  unsigned BlockCount, const LocationContext *LCtx,
                  bool CausesPointerEscape, InvalidatedSymbols *IS = nullptr,
                  const CallEvent *Call = nullptr,
                  RegionAndSymbolInvalidationTraits *ITraits = nullptr) const;

/// enterStackFrame - Returns the state for entry to the given stack frame,
///  preserving the current state.
LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef enterStackFrame(
    const CallEvent &Call, const StackFrameContext *CalleeCtx) const;

/// Return the value of 'self' if available in the given context.
SVal getSelfSVal(const LocationContext *LC) const;

/// Get the lvalue for a base class object reference.
Loc getLValue(const CXXBaseSpecifier &BaseSpec, const SubRegion *Super) const;

/// Get the lvalue for a base class object reference.
Loc getLValue(const CXXRecordDecl *BaseClass, const SubRegion *Super,
              bool IsVirtual) const;

/// Get the lvalue for a parameter.
Loc getLValue(const Expr *Call, unsigned Index,
              const LocationContext *LC) const;

/// Get the lvalue for a variable reference.
Loc getLValue(const VarDecl *D, const LocationContext *LC) const;

Loc getLValue(const CompoundLiteralExpr *literal,
              const LocationContext *LC) const;

/// Get the lvalue for an ivar reference.
SVal getLValue(const ObjCIvarDecl *decl, SVal base) const;

/// Get the lvalue for a field reference.
SVal getLValue(const FieldDecl *decl, SVal Base) const;

/// Get the lvalue for an indirect field reference.
SVal getLValue(const IndirectFieldDecl *decl, SVal Base) const;

/// Get the lvalue for an array index.
SVal getLValue(QualType ElementType, SVal Idx, SVal Base) const;

/// Returns the SVal bound to the statement 'S' in the state's environment.
SVal getSVal(const Stmt *S, const LocationContext *LCtx) const;

SVal getSValAsScalarOrLoc(const Stmt *Ex, const LocationContext *LCtx) const;

/// Return the value bound to the specified location.
/// Returns UnknownVal() if none found.
SVal getSVal(Loc LV, QualType T = QualType()) const;

/// Returns the "raw" SVal bound to LV before any value simplfication.
SVal getRawSVal(Loc LV, QualType T= QualType()) const;

/// Return the value bound to the specified location.
/// Returns UnknownVal() if none found.
SVal getSVal(const MemRegion* R, QualType T = QualType()) const;

/// Return the value bound to the specified location, assuming
/// that the value is a scalar integer or an enumeration or a pointer.
/// Returns UnknownVal() if none found or the region is not known to hold
/// a value of such type.
SVal getSValAsScalarOrLoc(const MemRegion *R) const;

using region_iterator = const MemRegion **;

/// Visits the symbols reachable from the given SVal using the provided
/// SymbolVisitor.
///
/// This is a convenience API. Consider using ScanReachableSymbols class
/// directly when making multiple scans on the same state with the same
/// visitor to avoid repeated initialization cost.
/// \sa ScanReachableSymbols
bool scanReachableSymbols(SVal val, SymbolVisitor& visitor) const;

/// Visits the symbols reachable from the regions in the given
/// MemRegions range using the provided SymbolVisitor.
bool scanReachableSymbols(llvm::iterator_range<region_iterator> Reachable,
                          SymbolVisitor &visitor) const;

template <typename CB> CB scanReachableSymbols(SVal val) const;
template <typename CB> CB
scanReachableSymbols(llvm::iterator_range<region_iterator> Reachable) const;

//==---------------------------------------------------------------------==//
// Accessing the Generic Data Map (GDM).
//==---------------------------------------------------------------------==//

void *const* FindGDM(void *K) const;

template <typename T>
LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef
add(typename ProgramStateTrait<T>::key_type K) const;

template <typename T>
typename ProgramStateTrait<T>::data_type
get() const {
  return ProgramStateTrait<T>::MakeData(FindGDM(ProgramStateTrait<T>::GDMIndex()));
}

template<typename T>
typename ProgramStateTrait<T>::lookup_type
get(typename ProgramStateTrait<T>::key_type key) const {
  void *const* d = FindGDM(ProgramStateTrait<T>::GDMIndex());
  return ProgramStateTrait<T>::Lookup(ProgramStateTrait<T>::MakeData(d), key);
}

template <typename T>
typename ProgramStateTrait<T>::context_type get_context() const;

template <typename T>
LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef
remove(typename ProgramStateTrait<T>::key_type K) const;

template <typename T>
LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef
remove(typename ProgramStateTrait<T>::key_type K,
       typename ProgramStateTrait<T>::context_type C) const;

template <typename T> LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef remove() const;

template <typename T>
LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef
set(typename ProgramStateTrait<T>::data_type D) const;

template <typename T>
LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef
set(typename ProgramStateTrait<T>::key_type K,
    typename ProgramStateTrait<T>::value_type E) const;

template <typename T>
LLVM_NODISCARD[[clang::warn_unused_result]] ProgramStateRef
set(typename ProgramStateTrait<T>::key_type K,
    typename ProgramStateTrait<T>::value_type E,
    typename ProgramStateTrait<T>::context_type C) const;

template<typename T>
bool contains(typename ProgramStateTrait<T>::key_type key) const {
  void *const* d = FindGDM(ProgramStateTrait<T>::GDMIndex());
  return ProgramStateTrait<T>::Contains(ProgramStateTrait<T>::MakeData(d), key);
}

// Pretty-printing.
void printJson(raw_ostream &Out, const LocationContext *LCtx = nullptr,
               const char *NL = "\n", unsigned int Space = 0,
               bool IsDot = false) const;

void printDOT(raw_ostream &Out, const LocationContext *LCtx = nullptr,
              unsigned int Space = 0) const;

void dump() const;

443private:
friend void ProgramStateRetain(const ProgramState *state);
friend void ProgramStateRelease(const ProgramState *state);

/// \sa invalidateValues()
/// \sa invalidateRegions()
ProgramStateRef
invalidateRegionsImpl(ArrayRef<SVal> Values,
                      const Expr *E, unsigned BlockCount,
                      const LocationContext *LCtx,
                      bool ResultsInSymbolEscape,
                      InvalidatedSymbols *IS,
                      RegionAndSymbolInvalidationTraits *HTraits,
                      const CallEvent *Call) const;
457};

459//===----------------------------------------------------------------------===//
460// ProgramStateManager - Factory object for ProgramStates.
461//===----------------------------------------------------------------------===//

463class ProgramStateManager {
friend class ProgramState;
friend void ProgramStateRelease(const ProgramState *state);
466private:
/// Eng - The ExprEngine that owns this state manager.
ExprEngine *Eng; /* Can be null. */

EnvironmentManager                   EnvMgr;
std::unique_ptr<StoreManager>        StoreMgr;
std::unique_ptr<ConstraintManager>   ConstraintMgr;

ProgramState::GenericDataMap::Factory     GDMFactory;

typedef llvm::DenseMap<void*,std::pair<void*,void (*)(void*)> > GDMContextsTy;
GDMContextsTy GDMContexts;

/// StateSet - FoldingSet containing all the states created for analyzing
///  a particular function.  This is used to unique states.
llvm::FoldingSet<ProgramState> StateSet;

/// Object that manages the data for all created SVals.
std::unique_ptr<SValBuilder> svalBuilder;

/// Manages memory for created CallEvents.
std::unique_ptr<CallEventManager> CallEventMgr;

/// A BumpPtrAllocator to allocate states.
llvm::BumpPtrAllocator &Alloc;

/// A vector of ProgramStates that we can reuse.
std::vector<ProgramState *> freeStates;

495public:
ProgramStateManager(ASTContext &Ctx,
               StoreManagerCreator CreateStoreManager,
               ConstraintManagerCreator CreateConstraintManager,
               llvm::BumpPtrAllocator& alloc,
               ExprEngine *expreng);

~ProgramStateManager();

ProgramStateRef getInitialState(const LocationContext *InitLoc);

ASTContext &getContext() { return svalBuilder->getContext(); }
const ASTContext &getContext() const { return svalBuilder->getContext(); }

BasicValueFactory &getBasicVals() {
  return svalBuilder->getBasicValueFactory();
}

SValBuilder &getSValBuilder() {
  return *svalBuilder;
}

const SValBuilder &getSValBuilder() const {
  return *svalBuilder;
}

SymbolManager &getSymbolManager() {
  return svalBuilder->getSymbolManager();
}
const SymbolManager &getSymbolManager() const {
  return svalBuilder->getSymbolManager();
}

llvm::BumpPtrAllocator& getAllocator() { return Alloc; }

MemRegionManager& getRegionManager() {
  return svalBuilder->getRegionManager();
}
const MemRegionManager &getRegionManager() const {
  return svalBuilder->getRegionManager();
}

CallEventManager &getCallEventManager() { return *CallEventMgr; }

StoreManager &getStoreManager() { return *StoreMgr; }
ConstraintManager &getConstraintManager() { return *ConstraintMgr; }
ExprEngine &getOwningEngine() { return *Eng; }

ProgramStateRef
removeDeadBindingsFromEnvironmentAndStore(ProgramStateRef St,
                                          const StackFrameContext *LCtx,
                                          SymbolReaper &SymReaper);

548public:

SVal ArrayToPointer(Loc Array, QualType ElementTy) {
  return StoreMgr->ArrayToPointer(Array, ElementTy);
}

// Methods that manipulate the GDM.
ProgramStateRef addGDM(ProgramStateRef St, void *Key, void *Data);
ProgramStateRef removeGDM(ProgramStateRef state, void *Key);

// Methods that query & manipulate the Store.

void iterBindings(ProgramStateRef state, StoreManager::BindingsHandler& F) {
  StoreMgr->iterBindings(state->getStore(), F);
}

ProgramStateRef getPersistentState(ProgramState &Impl);
ProgramStateRef getPersistentStateWithGDM(ProgramStateRef FromState,
                                         ProgramStateRef GDMState);

bool haveEqualConstraints(ProgramStateRef S1, ProgramStateRef S2) const {
  return ConstraintMgr->haveEqualConstraints(S1, S2);
}

bool haveEqualEnvironments(ProgramStateRef S1, ProgramStateRef S2) const {
  return S1->Env == S2->Env;
}

bool haveEqualStores(ProgramStateRef S1, ProgramStateRef S2) const {
  return S1->store == S2->store;
}

//==---------------------------------------------------------------------==//
// Generic Data Map methods.
//==---------------------------------------------------------------------==//
//
// ProgramStateManager and ProgramState support a "generic data map" that allows
// different clients of ProgramState objects to embed arbitrary data within a
// ProgramState object.  The generic data map is essentially an immutable map
// from a "tag" (that acts as the "key" for a client) and opaque values.
// Tags/keys and values are simply void* values.  The typical way that clients
// generate unique tags are by taking the address of a static variable.
// Clients are responsible for ensuring that data values referred to by a
// the data pointer are immutable (and thus are essentially purely functional
// data).
//
// The templated methods below use the ProgramStateTrait<T> class
// to resolve keys into the GDM and to return data values to clients.
//

// Trait based GDM dispatch.
template <typename T>
ProgramStateRef set(ProgramStateRef st, typename ProgramStateTrait<T>::data_type D) {
  return addGDM(st, ProgramStateTrait<T>::GDMIndex(),
                ProgramStateTrait<T>::MakeVoidPtr(D));
}

template<typename T>
ProgramStateRef set(ProgramStateRef st,
                   typename ProgramStateTrait<T>::key_type K,
                   typename ProgramStateTrait<T>::value_type V,
                   typename ProgramStateTrait<T>::context_type C) {

  return addGDM(st, ProgramStateTrait<T>::GDMIndex(),
   ProgramStateTrait<T>::MakeVoidPtr(ProgramStateTrait<T>::Set(st->get<T>(), K, V, C)));
}

template <typename T>
ProgramStateRef add(ProgramStateRef st,
                   typename ProgramStateTrait<T>::key_type K,
                   typename ProgramStateTrait<T>::context_type C) {
  return addGDM(st, ProgramStateTrait<T>::GDMIndex(),
      ProgramStateTrait<T>::MakeVoidPtr(ProgramStateTrait<T>::Add(st->get<T>(), K, C)));
}

template <typename T>
ProgramStateRef remove(ProgramStateRef st,
                      typename ProgramStateTrait<T>::key_type K,
                      typename ProgramStateTrait<T>::context_type C) {

  return addGDM(st, ProgramStateTrait<T>::GDMIndex(),
   ProgramStateTrait<T>::MakeVoidPtr(ProgramStateTrait<T>::Remove(st->get<T>(), K, C)));
}

template <typename T>
ProgramStateRef remove(ProgramStateRef st) {
  return removeGDM(st, ProgramStateTrait<T>::GDMIndex());
}

void *FindGDMContext(void *index,
                     void *(*CreateContext)(llvm::BumpPtrAllocator&),
                     void  (*DeleteContext)(void*));

template <typename T>
typename ProgramStateTrait<T>::context_type get_context() {
  void *p = FindGDMContext(ProgramStateTrait<T>::GDMIndex(),
                           ProgramStateTrait<T>::CreateContext,
                           ProgramStateTrait<T>::DeleteContext);

  return ProgramStateTrait<T>::MakeContext(p);
}
649};


652//===----------------------------------------------------------------------===//
653// Out-of-line method definitions for ProgramState.
654//===----------------------------------------------------------------------===//

656inline ConstraintManager &ProgramState::getConstraintManager() const {
return stateMgr->getConstraintManager();
658}

660inline const VarRegion* ProgramState::getRegion(const VarDecl *D,
                                              const LocationContext *LC) const
662{
return getStateManager().getRegionManager().getVarRegion(D, LC);
664}

666inline ProgramStateRef ProgramState::assume(DefinedOrUnknownSVal Cond,
                                    bool Assumption) const {
if (Cond.isUnknown())
39
←
Taking false branch→
  return this;

return getStateManager().ConstraintMgr
40
←
Value assigned to 'S.Obj'→
    ->assume(this, Cond.castAs<DefinedSVal>(), Assumption);
673}

675inline std::pair<ProgramStateRef , ProgramStateRef >
676ProgramState::assume(DefinedOrUnknownSVal Cond) const {
if (Cond.isUnknown())
  return std::make_pair(this, this);

return getStateManager().ConstraintMgr
    ->assumeDual(this, Cond.castAs<DefinedSVal>());
682}

684inline ProgramStateRef ProgramState::assumeInclusiveRange(
  DefinedOrUnknownSVal Val, const llvm::APSInt &From, const llvm::APSInt &To,
  bool Assumption) const {
if (Val.isUnknown())
  return this;

assert(Val.getAs<NonLoc>() && "Only NonLocs are supported!")(static_cast <bool> (Val.getAs<NonLoc>() &&
 "Only NonLocs are supported!") ? void (0) : __assert_fail ("Val.getAs<NonLoc>() && \"Only NonLocs are supported!\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
, 690, __extension__ __PRETTY_FUNCTION__));

return getStateManager().ConstraintMgr->assumeInclusiveRange(
    this, Val.castAs<NonLoc>(), From, To, Assumption);
694}

696inline std::pair<ProgramStateRef, ProgramStateRef>
697ProgramState::assumeInclusiveRange(DefinedOrUnknownSVal Val,
                                 const llvm::APSInt &From,
                                 const llvm::APSInt &To) const {
if (Val.isUnknown())
  return std::make_pair(this, this);

assert(Val.getAs<NonLoc>() && "Only NonLocs are supported!")(static_cast <bool> (Val.getAs<NonLoc>() &&
 "Only NonLocs are supported!") ? void (0) : __assert_fail ("Val.getAs<NonLoc>() && \"Only NonLocs are supported!\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
, 703, __extension__ __PRETTY_FUNCTION__));

return getStateManager().ConstraintMgr->assumeInclusiveRangeDual(
    this, Val.castAs<NonLoc>(), From, To);
707}

709inline ProgramStateRef ProgramState::bindLoc(SVal LV, SVal V, const LocationContext *LCtx) const {
if (Optional<Loc> L = LV.getAs<Loc>())
  return bindLoc(*L, V, LCtx);
return this;
713}

715inline Loc ProgramState::getLValue(const CXXBaseSpecifier &BaseSpec,
                                 const SubRegion *Super) const {
const auto *Base = BaseSpec.getType()->getAsCXXRecordDecl();
return loc::MemRegionVal(
         getStateManager().getRegionManager().getCXXBaseObjectRegion(
                                          Base, Super, BaseSpec.isVirtual()));
721}

723inline Loc ProgramState::getLValue(const CXXRecordDecl *BaseClass,
                                 const SubRegion *Super,
                                 bool IsVirtual) const {
return loc::MemRegionVal(
         getStateManager().getRegionManager().getCXXBaseObjectRegion(
                                                BaseClass, Super, IsVirtual));
729}

731inline Loc ProgramState::getLValue(const VarDecl *VD,
                             const LocationContext *LC) const {
return getStateManager().StoreMgr->getLValueVar(VD, LC);
734}

736inline Loc ProgramState::getLValue(const CompoundLiteralExpr *literal,
                             const LocationContext *LC) const {
return getStateManager().StoreMgr->getLValueCompoundLiteral(literal, LC);
739}

741inline SVal ProgramState::getLValue(const ObjCIvarDecl *D, SVal Base) const {
return getStateManager().StoreMgr->getLValueIvar(D, Base);
743}

745inline SVal ProgramState::getLValue(const FieldDecl *D, SVal Base) const {
return getStateManager().StoreMgr->getLValueField(D, Base);
747}

749inline SVal ProgramState::getLValue(const IndirectFieldDecl *D,
                                  SVal Base) const {
StoreManager &SM = *getStateManager().StoreMgr;
for (const auto *I : D->chain()) {
  Base = SM.getLValueField(cast<FieldDecl>(I), Base);
}

return Base;
757}

759inline SVal ProgramState::getLValue(QualType ElementType, SVal Idx, SVal Base) const{
if (Optional<NonLoc> N = Idx.getAs<NonLoc>())
  return getStateManager().StoreMgr->getLValueElement(ElementType, *N, Base);
return UnknownVal();
763}

765inline SVal ProgramState::getSVal(const Stmt *Ex,
                                const LocationContext *LCtx) const{
return Env.getSVal(EnvironmentEntry(Ex, LCtx),
                   *getStateManager().svalBuilder);
769}

771inline SVal
772ProgramState::getSValAsScalarOrLoc(const Stmt *S,
                                 const LocationContext *LCtx) const {
if (const Expr *Ex = dyn_cast<Expr>(S)) {
  QualType T = Ex->getType();
  if (Ex->isGLValue() || Loc::isLocType(T) ||
      T->isIntegralOrEnumerationType())
    return getSVal(S, LCtx);
}

return UnknownVal();
782}

784inline SVal ProgramState::getRawSVal(Loc LV, QualType T) const {
return getStateManager().StoreMgr->getBinding(getStore(), LV, T);
786}

788inline SVal ProgramState::getSVal(const MemRegion* R, QualType T) const {
return getStateManager().StoreMgr->getBinding(getStore(),
                                              loc::MemRegionVal(R),
                                              T);
792}

794inline BasicValueFactory &ProgramState::getBasicVals() const {
return getStateManager().getBasicVals();
796}

798inline SymbolManager &ProgramState::getSymbolManager() const {
return getStateManager().getSymbolManager();
800}

802template<typename T>
803ProgramStateRef ProgramState::add(typename ProgramStateTrait<T>::key_type K) const {
return getStateManager().add<T>(this, K, get_context<T>());
805}

807template <typename T>
808typename ProgramStateTrait<T>::context_type ProgramState::get_context() const {
return getStateManager().get_context<T>();
810}

812template<typename T>
813ProgramStateRef ProgramState::remove(typename ProgramStateTrait<T>::key_type K) const {
return getStateManager().remove<T>(this, K, get_context<T>());
815}

817template<typename T>
818ProgramStateRef ProgramState::remove(typename ProgramStateTrait<T>::key_type K,
                             typename ProgramStateTrait<T>::context_type C) const {
return getStateManager().remove<T>(this, K, C);
821}

823template <typename T>
824ProgramStateRef ProgramState::remove() const {
return getStateManager().remove<T>(this);
826}

828template<typename T>
829ProgramStateRef ProgramState::set(typename ProgramStateTrait<T>::data_type D) const {
return getStateManager().set<T>(this, D);
831}

833template<typename T>
834ProgramStateRef ProgramState::set(typename ProgramStateTrait<T>::key_type K,
                          typename ProgramStateTrait<T>::value_type E) const {
return getStateManager().set<T>(this, K, E, get_context<T>());
837}

839template<typename T>
840ProgramStateRef ProgramState::set(typename ProgramStateTrait<T>::key_type K,
                          typename ProgramStateTrait<T>::value_type E,
                          typename ProgramStateTrait<T>::context_type C) const {
return getStateManager().set<T>(this, K, E, C);
844}

846template <typename CB>
847CB ProgramState::scanReachableSymbols(SVal val) const {
CB cb(this);
scanReachableSymbols(val, cb);
return cb;
851}

853template <typename CB>
854CB ProgramState::scanReachableSymbols(
  llvm::iterator_range<region_iterator> Reachable) const {
CB cb(this);
scanReachableSymbols(Reachable, cb);
return cb;
859}

861/// \class ScanReachableSymbols
862/// A utility class that visits the reachable symbols using a custom
863/// SymbolVisitor. Terminates recursive traversal when the visitor function
864/// returns false.
865class ScanReachableSymbols {
typedef llvm::DenseSet<const void*> VisitedItems;

VisitedItems visited;
ProgramStateRef state;
SymbolVisitor &visitor;
871public:
ScanReachableSymbols(ProgramStateRef st, SymbolVisitor &v)
    : state(std::move(st)), visitor(v) {}

bool scan(nonloc::LazyCompoundVal val);
bool scan(nonloc::CompoundVal val);
bool scan(SVal val);
bool scan(const MemRegion *R);
bool scan(const SymExpr *sym);
880};

882} // end ento namespace

884} // end clang namespace

886#endif

←

/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include/llvm/ADT/Optional.h

1//===- Optional.h - Simple variant for passing optional values --*- C++ -*-===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9//  This file provides Optional, a template class modeled in the spirit of
10//  OCaml's 'opt' variant.  The idea is to strongly type whether or not
11//  a value can be optional.
12//
13//===----------------------------------------------------------------------===//
14 
15#ifndef LLVM_ADT_OPTIONAL_H
16#define LLVM_ADT_OPTIONAL_H
17 
18#include "llvm/ADT/Hashing.h"
19#include "llvm/ADT/None.h"
20#include "llvm/ADT/STLForwardCompat.h"
21#include "llvm/Support/Compiler.h"
22#include "llvm/Support/type_traits.h"
23#include <cassert>
24#include <memory>
25#include <new>
26#include <utility>
27 
28namespace llvm {
29 
30class raw_ostream;
31 
32namespace optional_detail {
33 
34/// Storage for any type.
35//
36// The specialization condition intentionally uses
37// llvm::is_trivially_copy_constructible instead of
38// std::is_trivially_copy_constructible.  GCC versions prior to 7.4 may
39// instantiate the copy constructor of `T` when
40// std::is_trivially_copy_constructible is instantiated.  This causes
41// compilation to fail if we query the trivially copy constructible property of
42// a class which is not copy constructible.
43//
44// The current implementation of OptionalStorage insists that in order to use
45// the trivial specialization, the value_type must be trivially copy
46// constructible and trivially copy assignable due to =default implementations
47// of the copy/move constructor/assignment.  It does not follow that this is
48// necessarily the case std::is_trivially_copyable is true (hence the expanded
49// specialization condition).
50//
51// The move constructible / assignable conditions emulate the remaining behavior
52// of std::is_trivially_copyable.
53template <typename T, bool = (llvm::is_trivially_copy_constructible<T>::value &&
54                              std::is_trivially_copy_assignable<T>::value &&
55                              (std::is_trivially_move_constructible<T>::value ||
56                               !std::is_move_constructible<T>::value) &&
57                              (std::is_trivially_move_assignable<T>::value ||
58                               !std::is_move_assignable<T>::value))>
59class OptionalStorage {
60  union {
61    char empty;
62    T value;
63  };
64  bool hasVal;
65 
66public:
67  ~OptionalStorage() { reset(); }
68 
69  constexpr OptionalStorage() noexcept : empty(), hasVal(false) {}
70 
71  constexpr OptionalStorage(OptionalStorage const &other) : OptionalStorage() {
72    if (other.hasValue()) {
73      emplace(other.value);
74    }
75  }
76  constexpr OptionalStorage(OptionalStorage &&other) : OptionalStorage() {
77    if (other.hasValue()) {
78      emplace(std::move(other.value));
79    }
80  }
81 
82  template <class... Args>
83  constexpr explicit OptionalStorage(in_place_t, Args &&... args)
84      : value(std::forward<Args>(args)...), hasVal(true) {}
85 
86  void reset() noexcept {
87    if (hasVal) {
88      value.~T();
89      hasVal = false;
90    }
91  }
92 
93  constexpr bool hasValue() const noexcept { return hasVal; }
94 
95  T &getValue() LLVM_LVALUE_FUNCTION& noexcept {
96    assert(hasVal)(static_cast <bool> (hasVal) ? void (0) : __assert_fail
 ("hasVal", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include/llvm/ADT/Optional.h"
, 96, __extension__ __PRETTY_FUNCTION__));
97    return value;
98  }
99  constexpr T const &getValue() const LLVM_LVALUE_FUNCTION& noexcept {
100    assert(hasVal)(static_cast <bool> (hasVal) ? void (0) : __assert_fail
 ("hasVal", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include/llvm/ADT/Optional.h"
, 100, __extension__ __PRETTY_FUNCTION__));
101    return value;
102  }
103#if LLVM_HAS_RVALUE_REFERENCE_THIS1
104  T &&getValue() && noexcept {
105    assert(hasVal)(static_cast <bool> (hasVal) ? void (0) : __assert_fail
 ("hasVal", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include/llvm/ADT/Optional.h"
, 105, __extension__ __PRETTY_FUNCTION__));
106    return std::move(value);
107  }
108#endif
109 
110  template <class... Args> void emplace(Args &&... args) {
111    reset();
112    ::new ((void *)std::addressof(value)) T(std::forward<Args>(args)...);
113    hasVal = true;
114  }
115 
116  OptionalStorage &operator=(T const &y) {
117    if (hasValue()) {
118      value = y;
119    } else {
120      ::new ((void *)std::addressof(value)) T(y);
121      hasVal = true;
122    }
123    return *this;
124  }
125  OptionalStorage &operator=(T &&y) {
126    if (hasValue()) {
127      value = std::move(y);
128    } else {
129      ::new ((void *)std::addressof(value)) T(std::move(y));
130      hasVal = true;
131    }
132    return *this;
133  }
134 
135  OptionalStorage &operator=(OptionalStorage const &other) {
136    if (other.hasValue()) {
137      if (hasValue()) {
138        value = other.value;
139      } else {
140        ::new ((void *)std::addressof(value)) T(other.value);
141        hasVal = true;
142      }
143    } else {
144      reset();
145    }
146    return *this;
147  }
148 
149  OptionalStorage &operator=(OptionalStorage &&other) {
150    if (other.hasValue()) {
151      if (hasValue()) {
152        value = std::move(other.value);
153      } else {
154        ::new ((void *)std::addressof(value)) T(std::move(other.value));
155        hasVal = true;
156      }
157    } else {
158      reset();
159    }
160    return *this;
161  }
162};
163 
164template <typename T> class OptionalStorage<T, true> {
165  union {
166    char empty;
167    T value;
168  };
169  bool hasVal = false;
170 
171public:
172  ~OptionalStorage() = default;
173 
174  constexpr OptionalStorage() noexcept : empty{} {}
175 
176  constexpr OptionalStorage(OptionalStorage const &other) = default;
177  constexpr OptionalStorage(OptionalStorage &&other) = default;
178 
179  OptionalStorage &operator=(OptionalStorage const &other) = default;
180  OptionalStorage &operator=(OptionalStorage &&other) = default;
181 
182  template <class... Args>
183  constexpr explicit OptionalStorage(in_place_t, Args &&... args)
184      : value(std::forward<Args>(args)...), hasVal(true) {}
185 
186  void reset() noexcept {
187    if (hasVal) {
188      value.~T();
189      hasVal = false;
190    }
191  }
192 
193  constexpr bool hasValue() const noexcept { return hasVal; }
51
←
Returning the value 1, which participates in a condition later→
194 
195  T &getValue() LLVM_LVALUE_FUNCTION& noexcept {
196    assert(hasVal)(static_cast <bool> (hasVal) ? void (0) : __assert_fail
 ("hasVal", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include/llvm/ADT/Optional.h"
, 196, __extension__ __PRETTY_FUNCTION__));
197    return value;
198  }
199  constexpr T const &getValue() const LLVM_LVALUE_FUNCTION& noexcept {
200    assert(hasVal)(static_cast <bool> (hasVal) ? void (0) : __assert_fail
 ("hasVal", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include/llvm/ADT/Optional.h"
, 200, __extension__ __PRETTY_FUNCTION__));
201    return value;
202  }
203#if LLVM_HAS_RVALUE_REFERENCE_THIS1
204  T &&getValue() && noexcept {
205    assert(hasVal)(static_cast <bool> (hasVal) ? void (0) : __assert_fail
 ("hasVal", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include/llvm/ADT/Optional.h"
, 205, __extension__ __PRETTY_FUNCTION__));
206    return std::move(value);
207  }
208#endif
209 
210  template <class... Args> void emplace(Args &&... args) {
211    reset();
212    ::new ((void *)std::addressof(value)) T(std::forward<Args>(args)...);
213    hasVal = true;
214  }
215 
216  OptionalStorage &operator=(T const &y) {
217    if (hasValue()) {
218      value = y;
219    } else {
220      ::new ((void *)std::addressof(value)) T(y);
221      hasVal = true;
222    }
223    return *this;
224  }
225  OptionalStorage &operator=(T &&y) {
226    if (hasValue()) {
227      value = std::move(y);
228    } else {
229      ::new ((void *)std::addressof(value)) T(std::move(y));
230      hasVal = true;
231    }
232    return *this;
233  }
234};
235 
236} // namespace optional_detail
237 
238template <typename T> class Optional {
239  optional_detail::OptionalStorage<T> Storage;
240 
241public:
242  using value_type = T;
243 
244  constexpr Optional() {}
245  constexpr Optional(NoneType) {}
246 
247  constexpr Optional(const T &y) : Storage(in_place, y) {}
248  constexpr Optional(const Optional &O) = default;
249 
250  constexpr Optional(T &&y) : Storage(in_place, std::move(y)) {}
251  constexpr Optional(Optional &&O) = default;
252 
253  template <typename... ArgTypes>
254  constexpr Optional(in_place_t, ArgTypes &&...Args)
255      : Storage(in_place, std::forward<ArgTypes>(Args)...) {}
256 
257  Optional &operator=(T &&y) {
258    Storage = std::move(y);
259    return *this;
260  }
261  Optional &operator=(Optional &&O) = default;
262 
263  /// Create a new object by constructing it in place with the given arguments.
264  template <typename... ArgTypes> void emplace(ArgTypes &&... Args) {
265    Storage.emplace(std::forward<ArgTypes>(Args)...);
266  }
267 
268  static constexpr Optional create(const T *y) {
269    return y ? Optional(*y) : Optional();
270  }
271 
272  Optional &operator=(const T &y) {
273    Storage = y;
274    return *this;
275  }
276  Optional &operator=(const Optional &O) = default;
277 
278  void reset() { Storage.reset(); }
279 
280  constexpr const T *getPointer() const { return &Storage.getValue(); }
281  T *getPointer() { return &Storage.getValue(); }
282  constexpr const T &getValue() const LLVM_LVALUE_FUNCTION& {
283    return Storage.getValue();
284  }
285  T &getValue() LLVM_LVALUE_FUNCTION& { return Storage.getValue(); }
286 
287  constexpr explicit operator bool() const { return hasValue(); }
49
←
Calling 'Optional::hasValue'→
54
←
Returning from 'Optional::hasValue'→
55
←
Returning the value 1, which participates in a condition later→
288  constexpr bool hasValue() const { return Storage.hasValue(); }
50
←
Calling 'OptionalStorage::hasValue'→
52
←
Returning from 'OptionalStorage::hasValue'→
53
←
Returning the value 1, which participates in a condition later→
289  constexpr const T *operator->() const { return getPointer(); }
290  T *operator->() { return getPointer(); }
291  constexpr const T &operator*() const LLVM_LVALUE_FUNCTION& {
292    return getValue();
293  }
294  T &operator*() LLVM_LVALUE_FUNCTION& { return getValue(); }
295 
296  template <typename U>
297  constexpr T getValueOr(U &&value) const LLVM_LVALUE_FUNCTION& {
298    return hasValue() ? getValue() : std::forward<U>(value);
299  }
300 
301  /// Apply a function to the value if present; otherwise return None.
302  template <class Function>
303  auto map(const Function &F) const LLVM_LVALUE_FUNCTION&
304      -> Optional<decltype(F(getValue()))> {
305    if (*this) return F(getValue());
306    return None;
307  }
308 
309#if LLVM_HAS_RVALUE_REFERENCE_THIS1
310  T &&getValue() && { return std::move(Storage.getValue()); }
311  T &&operator*() && { return std::move(Storage.getValue()); }
312 
313  template <typename U>
314  T getValueOr(U &&value) && {
315    return hasValue() ? std::move(getValue()) : std::forward<U>(value);
316  }
317 
318  /// Apply a function to the value if present; otherwise return None.
319  template <class Function>
320  auto map(const Function &F) &&
321      -> Optional<decltype(F(std::move(*this).getValue()))> {
322    if (*this) return F(std::move(*this).getValue());
323    return None;
324  }
325#endif
326};
327 
328template <class T> llvm::hash_code hash_value(const Optional<T> &O) {
329  return O ? hash_combine(true, *O) : hash_value(false);
330}
331 
332template <typename T, typename U>
333constexpr bool operator==(const Optional<T> &X, const Optional<U> &Y) {
334  if (X && Y)
335    return *X == *Y;
336  return X.hasValue() == Y.hasValue();
337}
338 
339template <typename T, typename U>
340constexpr bool operator!=(const Optional<T> &X, const Optional<U> &Y) {
341  return !(X == Y);
342}
343 
344template <typename T, typename U>
345constexpr bool operator<(const Optional<T> &X, const Optional<U> &Y) {
346  if (X && Y)
347    return *X < *Y;
348  return X.hasValue() < Y.hasValue();
349}
350 
351template <typename T, typename U>
352constexpr bool operator<=(const Optional<T> &X, const Optional<U> &Y) {
353  return !(Y < X);
354}
355 
356template <typename T, typename U>
357constexpr bool operator>(const Optional<T> &X, const Optional<U> &Y) {
358  return Y < X;
359}
360 
361template <typename T, typename U>
362constexpr bool operator>=(const Optional<T> &X, const Optional<U> &Y) {
363  return !(X < Y);
364}
365 
366template <typename T>
367constexpr bool operator==(const Optional<T> &X, NoneType) {
368  return !X;
369}
370 
371template <typename T>
372constexpr bool operator==(NoneType, const Optional<T> &X) {
373  return X == None;
374}
375 
376template <typename T>
377constexpr bool operator!=(const Optional<T> &X, NoneType) {
378  return !(X == None);
379}
380 
381template <typename T>
382constexpr bool operator!=(NoneType, const Optional<T> &X) {
383  return X != None;
384}
385 
386template <typename T> constexpr bool operator<(const Optional<T> &, NoneType) {
387  return false;
388}
389 
390template <typename T> constexpr bool operator<(NoneType, const Optional<T> &X) {
391  return X.hasValue();
392}
393 
394template <typename T>
395constexpr bool operator<=(const Optional<T> &X, NoneType) {
396  return !(None < X);
397}
398 
399template <typename T>
400constexpr bool operator<=(NoneType, const Optional<T> &X) {
401  return !(X < None);
402}
403 
404template <typename T> constexpr bool operator>(const Optional<T> &X, NoneType) {
405  return None < X;
406}
407 
408template <typename T> constexpr bool operator>(NoneType, const Optional<T> &X) {
409  return X < None;
410}
411 
412template <typename T>
413constexpr bool operator>=(const Optional<T> &X, NoneType) {
414  return None <= X;
415}
416 
417template <typename T>
418constexpr bool operator>=(NoneType, const Optional<T> &X) {
419  return X <= None;
420}
421 
422template <typename T>
423constexpr bool operator==(const Optional<T> &X, const T &Y) {
424  return X && *X == Y;
425}
426 
427template <typename T>
428constexpr bool operator==(const T &X, const Optional<T> &Y) {
429  return Y && X == *Y;
430}
431 
432template <typename T>
433constexpr bool operator!=(const Optional<T> &X, const T &Y) {
434  return !(X == Y);
435}
436 
437template <typename T>
438constexpr bool operator!=(const T &X, const Optional<T> &Y) {
439  return !(X == Y);
440}
441 
442template <typename T>
443constexpr bool operator<(const Optional<T> &X, const T &Y) {
444  return !X || *X < Y;
445}
446 
447template <typename T>
448constexpr bool operator<(const T &X, const Optional<T> &Y) {
449  return Y && X < *Y;
450}
451 
452template <typename T>
453constexpr bool operator<=(const Optional<T> &X, const T &Y) {
454  return !(Y < X);
455}
456 
457template <typename T>
458constexpr bool operator<=(const T &X, const Optional<T> &Y) {
459  return !(Y < X);
460}
461 
462template <typename T>
463constexpr bool operator>(const Optional<T> &X, const T &Y) {
464  return Y < X;
465}
466 
467template <typename T>
468constexpr bool operator>(const T &X, const Optional<T> &Y) {
469  return Y < X;
470}
471 
472template <typename T>
473constexpr bool operator>=(const Optional<T> &X, const T &Y) {
474  return !(X < Y);
475}
476 
477template <typename T>
478constexpr bool operator>=(const T &X, const Optional<T> &Y) {
479  return !(X < Y);
480}
481 
482raw_ostream &operator<<(raw_ostream &OS, NoneType);
483 
484template <typename T, typename = decltype(std::declval<raw_ostream &>()
485                                          << std::declval<const T &>())>
486raw_ostream &operator<<(raw_ostream &OS, const Optional<T> &O) {
487  if (O)
488    OS << *O;
489  else
490    OS << None;
491  return OS;
492}
493 
494} // end namespace llvm
495 
496#endif // LLVM_ADT_OPTIONAL_H