Do horrible things to create a call event

Author: nuudlman

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

@@ -533,11 +533,70 @@ void ExprEngine::ctuBifurcate(const CallEvent &Call, const Decl *D,
   inlineCall(Engine.getWorkList(), Call, D, Bldr, Pred, State);
 }
 
+// XXX: We only handle pthreads currently
+#pragma clang optimize off
 void ExprEngine::threadBifurcate(CallEvent const &Call, Decl const *D,
                                  NodeBuilder &Bldr, ExplodedNode *Pred,
                                  ProgramStateRef State) {
-
+  // The declaration for pthread_create(3):
+  /* int pthread_create(pthread_t *thread,
+                          const pthread_attr_t *attr,
+                          void *(*start_routine)(void *),
+                          void *arg);
+   */
+  assert(Call.getNumArgs() == 4 && "pthread_create(3) should have 4 args");
+
+  // 1. Extract the expr for the thread's start routine
+  auto const *SRExpr = Call.getArgExpr(2);
+  assert(SRExpr && "start_routine should exist");
+  auto const *SRInit = Call.getArgExpr(3);
+  assert(SRInit && "start_routine should have an init param");
+
+  // 2. Convert the expr into a function pointer
+  auto const SRV = Pred->getSVal(SRExpr);
+  auto const *SRR = SRV.getAsRegion();
+  assert(SRR && "start_routine should be a pointer");
+
+  FunctionDecl const *StartRoutine = nullptr;
+  if (auto const *FR = dyn_cast<FunctionCodeRegion>(SRR))
+    StartRoutine = dyn_cast<FunctionDecl>(FR->getDecl());
+
+  assert(StartRoutine && "start_routine should be a valid function pointer");
+  assert(StartRoutine->hasBody() && "start_routine must be well defined");
+
+  // 3. Create a CallEvent for calling the function pointer
+
+  auto *SRCtx = AMgr.getAnalysisDeclContext(StartRoutine);
+
+  auto &CEMgr = State->getStateManager().getCallEventManager();
+  auto const *LC = Pred->getLocationContext();
+
+  // We need to construct a fake CallExpr for the worker thread, since it doesn't exist
+
+  auto *srexpr = DeclRefExpr::Create(
+    SRR->getContext(),
+    NestedNameSpecifierLoc(),
+    SourceLocation(),
+    const_cast<FunctionDecl*>(StartRoutine),
+    false,
+    SourceLocation(),
+    StartRoutine->getType(),
+    VK_LValue);
+
+  CallExpr *srcall = CallExpr::Create(
+    SRR->getContext(),
+    srexpr,
+    {const_cast<Expr*>(SRInit)},
+    StartRoutine->getType(),
+    VK_LValue,
+SourceLocation(),
+FPOptionsOverride());
+
+  auto call = CEMgr.getSimpleCall(srcall, State, LC, getCFGElementRef());
+
+  inlineCall(Engine.getWorkList(), *call, StartRoutine, Bldr, Pred, State);
 }
+#pragma clang optimize on
 
 void ExprEngine::inlineCall(WorkList *WList, const CallEvent &Call,
                             const Decl *D, NodeBuilder &Bldr,