Replace current_expr_value with expression temporaries.

include/clang/AST/CanonBounds.h

@@ -10,6 +10,13 @@
 //  This file defines the interface for comparing and canonicalizing
 //  bounds expressions.
 //
+//  Bounds expressions must be non-modifying expressions, so these
+//  comparison methods should only be called on non-modifying expressions.
+//  In addition, sets of equivalent expressions should also only involve
+//  non-modifying expressions.
+//
+//  TODO: check the invariant about expressions being non-modifying.
+//
 //===----------------------------------------------------------------------===//
 
 #ifndef LLVM_CLANG_CANON_BOUNDS_H
@@ -99,6 +106,8 @@ namespace clang {
     Result CompareImpl(const PositionalParameterExpr *E1,
                    const PositionalParameterExpr *E2);
     Result CompareImpl(const BoundsCastExpr *E1, const BoundsCastExpr *E2);
+    Result CompareImpl(const CHKCBindTemporaryExpr *E1,
+                       const CHKCBindTemporaryExpr *E2);
     Result CompareImpl(const BoundsValueExpr *E1, const BoundsValueExpr *E2);
     Result CompareImpl(const AtomicExpr *E1, const AtomicExpr *E2);
     Result CompareImpl(const BlockExpr *E1, const BlockExpr *E2);

include/clang/AST/Expr.h

@@ -788,6 +788,14 @@ class Expr : public Stmt {
     return const_cast<Expr*>(this)->ignoreParenBaseCasts();
   }
 
+  /// Ignore Checked C expression temporaries (CHCKBindTemporaryExpr).
+  Expr *IgnoreExprTmp() LLVM_READONLY;
+
+  const Expr *IgnoreExprTmp() const LLVM_READONLY {
+    return const_cast<Expr*>(this)->IgnoreExprTmp();
+  }
+
+
   /// \brief Determine whether this expression is a default function argument.
   ///
   /// Default arguments are implicitly generated in the abstract syntax tree
@@ -5441,29 +5449,85 @@ class PositionalParameterExpr : public Expr {
     }
 };
 
-// \brief Represents the \c _Currrent_expr_value and _Return_value expressions
-// in Checked C.  These expressions can be used within bounds expressions.
+/// \brief Represents binding the result of evaluating an expression
+/// to an anonymous temporary.  We use the binding node itself to
+/// represent the temporary.
+///
+/// When a bounds expression is computed for an expression E, this
+/// lets the bounds expression reference the value of a subexpression
+/// of E.
+class CHKCBindTemporaryExpr : public Expr {
+  Stmt *SubExpr;
+
+public:
+  CHKCBindTemporaryExpr(Expr* SubExpr)
+   : Expr(CHKCBindTemporaryExprClass, SubExpr->getType(),
+          SubExpr->getValueKind(), SubExpr->getObjectKind(), SubExpr->isTypeDependent(),
+          SubExpr->isValueDependent(),
+          SubExpr->isInstantiationDependent(),
+          SubExpr->containsUnexpandedParameterPack()), SubExpr(SubExpr) { }
+
+  CHKCBindTemporaryExpr(EmptyShell Empty)
+    : Expr(CHKCBindTemporaryExprClass, Empty), SubExpr(nullptr) {}
+
+  const Expr *getSubExpr() const { return cast<Expr>(SubExpr); }
+  Expr *getSubExpr() { return cast<Expr>(SubExpr); }
+  void setSubExpr(Expr *E) { SubExpr = E; }
+
+  SourceLocation getLocStart() const LLVM_READONLY {
+    return SubExpr->getLocStart();
+  }
+
+  SourceLocation getLocEnd() const LLVM_READONLY { return SubExpr->getLocEnd();}
+
+  // Implement isa/cast/dyncast/etc.
+  static bool classof(const Stmt *T) {
+    return T->getStmtClass() == CHKCBindTemporaryExprClass;
+  }
+
+  // Iterators
+  child_range children() { return child_range(&SubExpr, &SubExpr + 1); }
+};
+
+
+/// \brief Represent uses of expression temporaries and _Return_value
+/// expressions. These expressions can be used within bounds expressions.
+///
+/// Uses of expression temporaries cannot be written at the source level.
+/// These are constructed by the compiler during bounds inference.
 class BoundsValueExpr : public Expr {
 public:
   enum Kind {
-    Current,
+    Temporary,
     Return
   };
 
 private:
+  CHKCBindTemporaryExpr *Temp;  // Binding which represents a temporary.
   SourceLocation Loc;
   Kind ValueExprKind;
 
 public:
   BoundsValueExpr(SourceLocation L, QualType Type, Kind K)
     : Expr(BoundsValueExprClass, Type, VK_RValue, OK_Ordinary,
-           false, false, false, false), Loc(L), ValueExprKind(K) { }
+           false, false, false, false), Temp(nullptr), Loc(L),
+      ValueExprKind(K) { }
+
+  // Create a use of an expression temporary.
+  BoundsValueExpr(SourceLocation L, CHKCBindTemporaryExpr *Temp)
+    : Expr(BoundsValueExprClass, Temp->getType(), Temp->getValueKind(), OK_Ordinary,
+           false, false, false, false), Temp(Temp), Loc(L),
+      ValueExprKind(Kind::Temporary) { }
 
   BoundsValueExpr(EmptyShell Empty) : Expr(BoundsValueExprClass, Empty) {}
 
   SourceLocation getLocation() const { return Loc; }
   void setLocation(SourceLocation L) { Loc = L; }
 
+  CHKCBindTemporaryExpr *getTemporaryBinding() { return Temp; }
+  const CHKCBindTemporaryExpr *getTemporaryBinding() const { return Temp; }
+  void setTemporaryBinding(CHKCBindTemporaryExpr *T) { Temp = T; }
+
   SourceLocation getLocStart() const LLVM_READONLY { return Loc; }
   SourceLocation getLocEnd() const LLVM_READONLY { return Loc; }
 

include/clang/AST/RecursiveASTVisitor.h

@@ -2556,6 +2556,7 @@ DEF_TRAVERSE_STMT(RangeBoundsExpr, {})
 DEF_TRAVERSE_STMT(InteropTypeExpr, {})
 DEF_TRAVERSE_STMT(PositionalParameterExpr, {})
 DEF_TRAVERSE_STMT(BoundsValueExpr, {})
+DEF_TRAVERSE_STMT(CHKCBindTemporaryExpr, {})
 
 // For coroutines expressions, traverse either the operand
 // as written or the implied calls, depending on what the

include/clang/Basic/StmtNodes.td

@@ -183,6 +183,7 @@ def RangeBoundsExpr : DStmt<BoundsExpr>;
 def InteropTypeExpr : DStmt<Expr>;
 def PositionalParameterExpr : DStmt<Expr>;
 def BoundsCastExpr : DStmt<ExplicitCastExpr>;
+def CHKCBindTemporaryExpr : DStmt<Expr>;
 def BoundsValueExpr : DStmt<Expr>;
 
 // CUDA Expressions.

include/clang/Sema/Sema.h

@@ -4730,6 +4730,9 @@ class Sema {
     NMM_Note
   };
 
+  /// \brief Checks whether an expression is non-modifying
+  /// (see Checked C Spec, 3.6.1).  Returns true if the expression is non-modifying,
+  /// false otherwise.
   bool CheckIsNonModifying(Expr *E, NonModifyingContext Req =
                                NonModifyingContext::NMC_Unknown,
                             NonModifyingMessage = NMM_Error);

include/clang/Serialization/ASTBitCodes.h

@@ -1495,7 +1495,9 @@ namespace clang {
       EXPR_INTEROPTYPE_BOUNDS_ANNOTATION,// InteropTypeBoundsAnnotation
       EXPR_POSITIONAL_PARAMETER_EXPR, // PositionalParameterExpr
       EXPR_BOUNDS_CAST,
-      EXPR_BOUNDS_VALUE_EXPR,      // BoundsValueExpr
+      EXPR_BOUNDS_VALUE_EXPR,        // BoundsValueExpr
+      EXPR_CHKC_BIND_TEMPORARY_EXPR, // CHKCBindTemporaryExpr
+
       // OpenCL
       EXPR_ASTYPE,                 // AsTypeExpr
 

include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

@@ -460,6 +460,12 @@ class ExprEngine : public SubEngine {
   void VisitCXXDeleteExpr(const CXXDeleteExpr *CDE, ExplodedNode *Pred,
                           ExplodedNodeSet &Dst);
 
+  /// VisitCHKCBindTemporaryExpr - Transfer function logic for binding an
+  /// expression to a temporary
+  void VisitCHKCBindTemporaryExpr(const CHKCBindTemporaryExpr *Binding,
+                                  const Expr *SE, ExplodedNode *Pred,
+                                  ExplodedNodeSet &Dst);
+
   /// Create a C++ temporary object for an rvalue.
   void CreateCXXTemporaryObject(const MaterializeTemporaryExpr *ME,
                                 ExplodedNode *Pred, 

lib/AST/ASTDumper.cpp

@@ -2847,8 +2847,12 @@ void ASTDumper::VisitPositionalParameterExpr(
 
 void ASTDumper::VisitBoundsValueExpr(const BoundsValueExpr *Node) {
   VisitExpr(Node);
-  OS << (Node->getKind() == BoundsValueExpr::Kind::Current ?
-         " _Current_expr_value" : " _Return_value");
+  if (Node->getKind() == BoundsValueExpr::Kind::Temporary) {
+    OS << " _BoundTemporary ";
+    dumpPointer(Node->getTemporaryBinding());
+  }
+  else
+    OS << " _Return_value";
 }
 
 //===----------------------------------------------------------------------===//

lib/AST/CanonBounds.cpp

@@ -321,10 +321,22 @@ Result Lexicographic::CompareExpr(const Expr *Arg1, const Expr *Arg2) {
   if (E1 == E2)
     return Result::Equal;
 
-   // Commpare expressions structurally, recursively invoking
+  // The use of an expression temporary is equal to the
+  // value of the binding expression.
+  if (BoundsValueExpr *BV1 = dyn_cast<BoundsValueExpr>(E1))
+    if (BV1->getTemporaryBinding() == E2)
+      return Result::Equal;
+
+  if (BoundsValueExpr *BV2 = dyn_cast<BoundsValueExpr>(E2))
+    if (BV2->getTemporaryBinding() == E1)
+      return Result::Equal;
+
+   // Compare expressions structurally, recursively invoking
    // comparison for subcomponents.  If that fails, consult
    // EquivExprs to see if the expressions are considered
    // equivalent.
+   // - Treat different kinds of casts (implicit/explicit) as
+   //   equivalent if the operation kinds are the same.
    Stmt::StmtClass E1Kind = E1->getStmtClass();
    Stmt::StmtClass E2Kind = E2->getStmtClass();
    Result Cmp = CompareInteger(E1Kind, E2Kind);
@@ -383,6 +395,9 @@ Result Lexicographic::CompareExpr(const Expr *Arg1, const Expr *Arg2) {
      case Expr::PositionalParameterExprClass: Cmp = Compare<PositionalParameterExpr>(E1, E2); break;
      case Expr::BoundsCastExprClass: Cmp = Compare<BoundsCastExpr>(E1, E2); break;
      case Expr::BoundsValueExprClass: Cmp = Compare<BoundsValueExpr>(E1, E2); break;
+     // Binding of a tempoary to the result of an expression.  These are
+     // equal if their child expressions are equal.
+     case Expr::CHKCBindTemporaryExprClass: break;
 
      // Clang extensions
      case Expr::ShuffleVectorExprClass: break;
@@ -745,15 +760,38 @@ Lexicographic::CompareImpl(const BoundsCastExpr *E1,
   return CompareType(E1->getType(), E2->getType());
 }
 
+Result
+Lexicographic::CompareImpl(const CHKCBindTemporaryExpr *E1,
+                           const CHKCBindTemporaryExpr *E2) {
+  bool ordered;
+  Result Cmp = ComparePointers(E1, E2, ordered);
+  if (!ordered) {
+    // Order binding expressions by the source location of
+    // the source-level expression.
+    if (E1->getSubExpr()->getLocStart() <
+        E2->getSubExpr()->getLocStart())
+      Cmp = Result::LessThan;
+    else
+      Cmp = Result::GreaterThan;
+   }
+   return Cmp;
+}
+
 Result
 Lexicographic::CompareImpl(const BoundsValueExpr *E1,
                            const BoundsValueExpr *E2) {
   Result Cmp = CompareInteger(E1->getKind(), E2->getKind());
   if (Cmp != Result::Equal)
     return Cmp;
-  return CompareType(E1->getType(), E2->getType());
-}
 
+  // The type doesn't matter - the value is the same no matter what the type.
+
+  // If these are uses of an expression temporary, check that the binding
+  // expression is the same.
+  if (E1->getKind() == BoundsValueExpr::Kind::Temporary)
+     Cmp = CompareImpl(E1->getTemporaryBinding(), E2->getTemporaryBinding());
+  return Cmp;
+}
 
 Result
 Lexicographic::CompareImpl(const BlockExpr *E1, const BlockExpr *E2) {