ExprEngineC.cpp revision 540dda6f2e4982b3eab0300c804345f5b6104c11
1//=-- ExprEngineC.cpp - ExprEngine support for C expressions ----*- C++ -*-===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file defines ExprEngine's support for C expressions. 11// 12//===----------------------------------------------------------------------===// 13 14#include "clang/StaticAnalyzer/Core/CheckerManager.h" 15#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 16#include "clang/Analysis/Support/SaveAndRestore.h" 17 18using namespace clang; 19using namespace ento; 20using llvm::APSInt; 21 22void ExprEngine::VisitBinaryOperator(const BinaryOperator* B, 23 ExplodedNode *Pred, 24 ExplodedNodeSet &Dst) { 25 26 Expr *LHS = B->getLHS()->IgnoreParens(); 27 Expr *RHS = B->getRHS()->IgnoreParens(); 28 29 // FIXME: Prechecks eventually go in ::Visit(). 30 ExplodedNodeSet CheckedSet; 31 ExplodedNodeSet Tmp2; 32 getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, B, *this); 33 34 // With both the LHS and RHS evaluated, process the operation itself. 35 for (ExplodedNodeSet::iterator it=CheckedSet.begin(), ei=CheckedSet.end(); 36 it != ei; ++it) { 37 38 const ProgramState *state = (*it)->getState(); 39 SVal LeftV = state->getSVal(LHS); 40 SVal RightV = state->getSVal(RHS); 41 42 BinaryOperator::Opcode Op = B->getOpcode(); 43 44 if (Op == BO_Assign) { 45 // EXPERIMENTAL: "Conjured" symbols. 46 // FIXME: Handle structs. 47 if (RightV.isUnknown() || 48 !getConstraintManager().canReasonAbout(RightV)) { 49 unsigned Count = Builder->getCurrentBlockCount(); 50 RightV = svalBuilder.getConjuredSymbolVal(NULL, B->getRHS(), Count); 51 } 52 // Simulate the effects of a "store": bind the value of the RHS 53 // to the L-Value represented by the LHS. 54 SVal ExprVal = B->isLValue() ? LeftV : RightV; 55 evalStore(Tmp2, B, LHS, *it, state->BindExpr(B, ExprVal), LeftV, RightV); 56 continue; 57 } 58 59 if (!B->isAssignmentOp()) { 60 // Process non-assignments except commas or short-circuited 61 // logical expressions (LAnd and LOr). 62 SVal Result = evalBinOp(state, Op, LeftV, RightV, B->getType()); 63 if (Result.isUnknown()) { 64 MakeNode(Tmp2, B, *it, state); 65 continue; 66 } 67 68 state = state->BindExpr(B, Result); 69 MakeNode(Tmp2, B, *it, state); 70 continue; 71 } 72 73 assert (B->isCompoundAssignmentOp()); 74 75 switch (Op) { 76 default: 77 assert(0 && "Invalid opcode for compound assignment."); 78 case BO_MulAssign: Op = BO_Mul; break; 79 case BO_DivAssign: Op = BO_Div; break; 80 case BO_RemAssign: Op = BO_Rem; break; 81 case BO_AddAssign: Op = BO_Add; break; 82 case BO_SubAssign: Op = BO_Sub; break; 83 case BO_ShlAssign: Op = BO_Shl; break; 84 case BO_ShrAssign: Op = BO_Shr; break; 85 case BO_AndAssign: Op = BO_And; break; 86 case BO_XorAssign: Op = BO_Xor; break; 87 case BO_OrAssign: Op = BO_Or; break; 88 } 89 90 // Perform a load (the LHS). This performs the checks for 91 // null dereferences, and so on. 92 ExplodedNodeSet Tmp; 93 SVal location = LeftV; 94 evalLoad(Tmp, LHS, *it, state, location); 95 96 for (ExplodedNodeSet::iterator I = Tmp.begin(), E = Tmp.end(); I != E; 97 ++I) { 98 99 state = (*I)->getState(); 100 SVal V = state->getSVal(LHS); 101 102 // Get the computation type. 103 QualType CTy = 104 cast<CompoundAssignOperator>(B)->getComputationResultType(); 105 CTy = getContext().getCanonicalType(CTy); 106 107 QualType CLHSTy = 108 cast<CompoundAssignOperator>(B)->getComputationLHSType(); 109 CLHSTy = getContext().getCanonicalType(CLHSTy); 110 111 QualType LTy = getContext().getCanonicalType(LHS->getType()); 112 113 // Promote LHS. 114 V = svalBuilder.evalCast(V, CLHSTy, LTy); 115 116 // Compute the result of the operation. 117 SVal Result = svalBuilder.evalCast(evalBinOp(state, Op, V, RightV, CTy), 118 B->getType(), CTy); 119 120 // EXPERIMENTAL: "Conjured" symbols. 121 // FIXME: Handle structs. 122 123 SVal LHSVal; 124 125 if (Result.isUnknown() || 126 !getConstraintManager().canReasonAbout(Result)) { 127 128 unsigned Count = Builder->getCurrentBlockCount(); 129 130 // The symbolic value is actually for the type of the left-hand side 131 // expression, not the computation type, as this is the value the 132 // LValue on the LHS will bind to. 133 LHSVal = svalBuilder.getConjuredSymbolVal(NULL, B->getRHS(), LTy, 134 Count); 135 136 // However, we need to convert the symbol to the computation type. 137 Result = svalBuilder.evalCast(LHSVal, CTy, LTy); 138 } 139 else { 140 // The left-hand side may bind to a different value then the 141 // computation type. 142 LHSVal = svalBuilder.evalCast(Result, LTy, CTy); 143 } 144 145 // In C++, assignment and compound assignment operators return an 146 // lvalue. 147 if (B->isLValue()) 148 state = state->BindExpr(B, location); 149 else 150 state = state->BindExpr(B, Result); 151 152 evalStore(Tmp2, B, LHS, *I, state, location, LHSVal); 153 } 154 } 155 156 // FIXME: postvisits eventually go in ::Visit() 157 getCheckerManager().runCheckersForPostStmt(Dst, Tmp2, B, *this); 158} 159 160void ExprEngine::VisitBlockExpr(const BlockExpr *BE, ExplodedNode *Pred, 161 ExplodedNodeSet &Dst) { 162 163 CanQualType T = getContext().getCanonicalType(BE->getType()); 164 SVal V = svalBuilder.getBlockPointer(BE->getBlockDecl(), T, 165 Pred->getLocationContext()); 166 167 ExplodedNodeSet Tmp; 168 MakeNode(Tmp, BE, Pred, Pred->getState()->BindExpr(BE, V), 169 ProgramPoint::PostLValueKind); 170 171 // FIXME: Move all post/pre visits to ::Visit(). 172 getCheckerManager().runCheckersForPostStmt(Dst, Tmp, BE, *this); 173} 174 175void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex, 176 ExplodedNode *Pred, ExplodedNodeSet &Dst) { 177 178 ExplodedNodeSet dstPreStmt; 179 getCheckerManager().runCheckersForPreStmt(dstPreStmt, Pred, CastE, *this); 180 181 if (CastE->getCastKind() == CK_LValueToRValue || 182 CastE->getCastKind() == CK_GetObjCProperty) { 183 for (ExplodedNodeSet::iterator I = dstPreStmt.begin(), E = dstPreStmt.end(); 184 I!=E; ++I) { 185 ExplodedNode *subExprNode = *I; 186 const ProgramState *state = subExprNode->getState(); 187 evalLoad(Dst, CastE, subExprNode, state, state->getSVal(Ex)); 188 } 189 return; 190 } 191 192 // All other casts. 193 QualType T = CastE->getType(); 194 QualType ExTy = Ex->getType(); 195 196 if (const ExplicitCastExpr *ExCast=dyn_cast_or_null<ExplicitCastExpr>(CastE)) 197 T = ExCast->getTypeAsWritten(); 198 199 for (ExplodedNodeSet::iterator I = dstPreStmt.begin(), E = dstPreStmt.end(); 200 I != E; ++I) { 201 202 Pred = *I; 203 204 switch (CastE->getCastKind()) { 205 case CK_LValueToRValue: 206 assert(false && "LValueToRValue casts handled earlier."); 207 case CK_GetObjCProperty: 208 assert(false && "GetObjCProperty casts handled earlier."); 209 case CK_ToVoid: 210 Dst.Add(Pred); 211 continue; 212 // The analyzer doesn't do anything special with these casts, 213 // since it understands retain/release semantics already. 214 case CK_ObjCProduceObject: 215 case CK_ObjCConsumeObject: 216 case CK_ObjCReclaimReturnedObject: // Fall-through. 217 // True no-ops. 218 case CK_NoOp: 219 case CK_FunctionToPointerDecay: { 220 // Copy the SVal of Ex to CastE. 221 const ProgramState *state = Pred->getState(); 222 SVal V = state->getSVal(Ex); 223 state = state->BindExpr(CastE, V); 224 MakeNode(Dst, CastE, Pred, state); 225 continue; 226 } 227 case CK_Dependent: 228 case CK_ArrayToPointerDecay: 229 case CK_BitCast: 230 case CK_LValueBitCast: 231 case CK_IntegralCast: 232 case CK_NullToPointer: 233 case CK_IntegralToPointer: 234 case CK_PointerToIntegral: 235 case CK_PointerToBoolean: 236 case CK_IntegralToBoolean: 237 case CK_IntegralToFloating: 238 case CK_FloatingToIntegral: 239 case CK_FloatingToBoolean: 240 case CK_FloatingCast: 241 case CK_FloatingRealToComplex: 242 case CK_FloatingComplexToReal: 243 case CK_FloatingComplexToBoolean: 244 case CK_FloatingComplexCast: 245 case CK_FloatingComplexToIntegralComplex: 246 case CK_IntegralRealToComplex: 247 case CK_IntegralComplexToReal: 248 case CK_IntegralComplexToBoolean: 249 case CK_IntegralComplexCast: 250 case CK_IntegralComplexToFloatingComplex: 251 case CK_AnyPointerToObjCPointerCast: 252 case CK_AnyPointerToBlockPointerCast: 253 case CK_ObjCObjectLValueCast: { 254 // Delegate to SValBuilder to process. 255 const ProgramState *state = Pred->getState(); 256 SVal V = state->getSVal(Ex); 257 V = svalBuilder.evalCast(V, T, ExTy); 258 state = state->BindExpr(CastE, V); 259 MakeNode(Dst, CastE, Pred, state); 260 continue; 261 } 262 case CK_DerivedToBase: 263 case CK_UncheckedDerivedToBase: { 264 // For DerivedToBase cast, delegate to the store manager. 265 const ProgramState *state = Pred->getState(); 266 SVal val = state->getSVal(Ex); 267 val = getStoreManager().evalDerivedToBase(val, T); 268 state = state->BindExpr(CastE, val); 269 MakeNode(Dst, CastE, Pred, state); 270 continue; 271 } 272 // Various C++ casts that are not handled yet. 273 case CK_Dynamic: 274 case CK_ToUnion: 275 case CK_BaseToDerived: 276 case CK_NullToMemberPointer: 277 case CK_BaseToDerivedMemberPointer: 278 case CK_DerivedToBaseMemberPointer: 279 case CK_UserDefinedConversion: 280 case CK_ConstructorConversion: 281 case CK_VectorSplat: 282 case CK_MemberPointerToBoolean: { 283 // Recover some path-sensitivty by conjuring a new value. 284 QualType resultType = CastE->getType(); 285 if (CastE->isLValue()) 286 resultType = getContext().getPointerType(resultType); 287 288 SVal result = 289 svalBuilder.getConjuredSymbolVal(NULL, CastE, resultType, 290 Builder->getCurrentBlockCount()); 291 292 const ProgramState *state = Pred->getState()->BindExpr(CastE, result); 293 MakeNode(Dst, CastE, Pred, state); 294 continue; 295 } 296 } 297 } 298} 299 300void ExprEngine::VisitCompoundLiteralExpr(const CompoundLiteralExpr *CL, 301 ExplodedNode *Pred, 302 ExplodedNodeSet &Dst) { 303 const InitListExpr *ILE 304 = cast<InitListExpr>(CL->getInitializer()->IgnoreParens()); 305 306 const ProgramState *state = Pred->getState(); 307 SVal ILV = state->getSVal(ILE); 308 const LocationContext *LC = Pred->getLocationContext(); 309 state = state->bindCompoundLiteral(CL, LC, ILV); 310 311 if (CL->isLValue()) 312 MakeNode(Dst, CL, Pred, state->BindExpr(CL, state->getLValue(CL, LC))); 313 else 314 MakeNode(Dst, CL, Pred, state->BindExpr(CL, ILV)); 315} 316 317void ExprEngine::VisitDeclStmt(const DeclStmt *DS, ExplodedNode *Pred, 318 ExplodedNodeSet &Dst) { 319 320 // FIXME: static variables may have an initializer, but the second 321 // time a function is called those values may not be current. 322 // This may need to be reflected in the CFG. 323 324 // Assumption: The CFG has one DeclStmt per Decl. 325 const Decl *D = *DS->decl_begin(); 326 327 if (!D || !isa<VarDecl>(D)) 328 return; 329 330 // FIXME: all pre/post visits should eventually be handled by ::Visit(). 331 ExplodedNodeSet dstPreVisit; 332 getCheckerManager().runCheckersForPreStmt(dstPreVisit, Pred, DS, *this); 333 334 const VarDecl *VD = dyn_cast<VarDecl>(D); 335 336 for (ExplodedNodeSet::iterator I = dstPreVisit.begin(), E = dstPreVisit.end(); 337 I!=E; ++I) { 338 ExplodedNode *N = *I; 339 const ProgramState *state = N->getState(); 340 341 // Decls without InitExpr are not initialized explicitly. 342 const LocationContext *LC = N->getLocationContext(); 343 344 if (const Expr *InitEx = VD->getInit()) { 345 SVal InitVal = state->getSVal(InitEx); 346 347 // We bound the temp obj region to the CXXConstructExpr. Now recover 348 // the lazy compound value when the variable is not a reference. 349 if (AMgr.getLangOptions().CPlusPlus && VD->getType()->isRecordType() && 350 !VD->getType()->isReferenceType() && isa<loc::MemRegionVal>(InitVal)){ 351 InitVal = state->getSVal(cast<loc::MemRegionVal>(InitVal).getRegion()); 352 assert(isa<nonloc::LazyCompoundVal>(InitVal)); 353 } 354 355 // Recover some path-sensitivity if a scalar value evaluated to 356 // UnknownVal. 357 if ((InitVal.isUnknown() || 358 !getConstraintManager().canReasonAbout(InitVal)) && 359 !VD->getType()->isReferenceType()) { 360 InitVal = svalBuilder.getConjuredSymbolVal(NULL, InitEx, 361 Builder->getCurrentBlockCount()); 362 } 363 364 evalBind(Dst, DS, N, state, 365 loc::MemRegionVal(state->getRegion(VD, LC)), InitVal, true); 366 } 367 else { 368 MakeNode(Dst, DS, N, state->bindDeclWithNoInit(state->getRegion(VD, LC))); 369 } 370 } 371} 372 373void ExprEngine::VisitLogicalExpr(const BinaryOperator* B, ExplodedNode *Pred, 374 ExplodedNodeSet &Dst) { 375 376 assert(B->getOpcode() == BO_LAnd || 377 B->getOpcode() == BO_LOr); 378 379 const ProgramState *state = Pred->getState(); 380 SVal X = state->getSVal(B); 381 assert(X.isUndef()); 382 383 const Expr *Ex = (const Expr*) cast<UndefinedVal>(X).getData(); 384 assert(Ex); 385 386 if (Ex == B->getRHS()) { 387 X = state->getSVal(Ex); 388 389 // Handle undefined values. 390 if (X.isUndef()) { 391 MakeNode(Dst, B, Pred, state->BindExpr(B, X)); 392 return; 393 } 394 395 DefinedOrUnknownSVal XD = cast<DefinedOrUnknownSVal>(X); 396 397 // We took the RHS. Because the value of the '&&' or '||' expression must 398 // evaluate to 0 or 1, we must assume the value of the RHS evaluates to 0 399 // or 1. Alternatively, we could take a lazy approach, and calculate this 400 // value later when necessary. We don't have the machinery in place for 401 // this right now, and since most logical expressions are used for branches, 402 // the payoff is not likely to be large. Instead, we do eager evaluation. 403 if (const ProgramState *newState = state->assume(XD, true)) 404 MakeNode(Dst, B, Pred, 405 newState->BindExpr(B, svalBuilder.makeIntVal(1U, B->getType()))); 406 407 if (const ProgramState *newState = state->assume(XD, false)) 408 MakeNode(Dst, B, Pred, 409 newState->BindExpr(B, svalBuilder.makeIntVal(0U, B->getType()))); 410 } 411 else { 412 // We took the LHS expression. Depending on whether we are '&&' or 413 // '||' we know what the value of the expression is via properties of 414 // the short-circuiting. 415 X = svalBuilder.makeIntVal(B->getOpcode() == BO_LAnd ? 0U : 1U, 416 B->getType()); 417 MakeNode(Dst, B, Pred, state->BindExpr(B, X)); 418 } 419} 420 421void ExprEngine::VisitInitListExpr(const InitListExpr *IE, 422 ExplodedNode *Pred, 423 ExplodedNodeSet &Dst) { 424 425 const ProgramState *state = Pred->getState(); 426 QualType T = getContext().getCanonicalType(IE->getType()); 427 unsigned NumInitElements = IE->getNumInits(); 428 429 if (T->isArrayType() || T->isRecordType() || T->isVectorType()) { 430 llvm::ImmutableList<SVal> vals = getBasicVals().getEmptySValList(); 431 432 // Handle base case where the initializer has no elements. 433 // e.g: static int* myArray[] = {}; 434 if (NumInitElements == 0) { 435 SVal V = svalBuilder.makeCompoundVal(T, vals); 436 MakeNode(Dst, IE, Pred, state->BindExpr(IE, V)); 437 return; 438 } 439 440 for (InitListExpr::const_reverse_iterator it = IE->rbegin(), 441 ei = IE->rend(); it != ei; ++it) { 442 vals = getBasicVals().consVals(state->getSVal(cast<Expr>(*it)), vals); 443 } 444 445 MakeNode(Dst, IE, Pred, 446 state->BindExpr(IE, svalBuilder.makeCompoundVal(T, vals))); 447 return; 448 } 449 450 if (Loc::isLocType(T) || T->isIntegerType()) { 451 assert(IE->getNumInits() == 1); 452 const Expr *initEx = IE->getInit(0); 453 MakeNode(Dst, IE, Pred, state->BindExpr(IE, state->getSVal(initEx))); 454 return; 455 } 456 457 llvm_unreachable("unprocessed InitListExpr type"); 458} 459 460void ExprEngine::VisitGuardedExpr(const Expr *Ex, 461 const Expr *L, 462 const Expr *R, 463 ExplodedNode *Pred, 464 ExplodedNodeSet &Dst) { 465 466 const ProgramState *state = Pred->getState(); 467 SVal X = state->getSVal(Ex); 468 assert (X.isUndef()); 469 const Expr *SE = (Expr*) cast<UndefinedVal>(X).getData(); 470 assert(SE); 471 X = state->getSVal(SE); 472 473 // Make sure that we invalidate the previous binding. 474 MakeNode(Dst, Ex, Pred, state->BindExpr(Ex, X, true)); 475} 476 477void ExprEngine:: 478VisitOffsetOfExpr(const OffsetOfExpr *OOE, 479 ExplodedNode *Pred, ExplodedNodeSet &Dst) { 480 Expr::EvalResult Res; 481 if (OOE->Evaluate(Res, getContext()) && Res.Val.isInt()) { 482 const APSInt &IV = Res.Val.getInt(); 483 assert(IV.getBitWidth() == getContext().getTypeSize(OOE->getType())); 484 assert(OOE->getType()->isIntegerType()); 485 assert(IV.isSigned() == OOE->getType()->isSignedIntegerOrEnumerationType()); 486 SVal X = svalBuilder.makeIntVal(IV); 487 MakeNode(Dst, OOE, Pred, Pred->getState()->BindExpr(OOE, X)); 488 return; 489 } 490 // FIXME: Handle the case where __builtin_offsetof is not a constant. 491 Dst.Add(Pred); 492} 493 494 495void ExprEngine:: 496VisitUnaryExprOrTypeTraitExpr(const UnaryExprOrTypeTraitExpr *Ex, 497 ExplodedNode *Pred, 498 ExplodedNodeSet &Dst) { 499 500 QualType T = Ex->getTypeOfArgument(); 501 502 if (Ex->getKind() == UETT_SizeOf) { 503 if (!T->isIncompleteType() && !T->isConstantSizeType()) { 504 assert(T->isVariableArrayType() && "Unknown non-constant-sized type."); 505 506 // FIXME: Add support for VLA type arguments and VLA expressions. 507 // When that happens, we should probably refactor VLASizeChecker's code. 508 Dst.Add(Pred); 509 return; 510 } 511 else if (T->getAs<ObjCObjectType>()) { 512 // Some code tries to take the sizeof an ObjCObjectType, relying that 513 // the compiler has laid out its representation. Just report Unknown 514 // for these. 515 Dst.Add(Pred); 516 return; 517 } 518 } 519 520 Expr::EvalResult Result; 521 Ex->Evaluate(Result, getContext()); 522 CharUnits amt = CharUnits::fromQuantity(Result.Val.getInt().getZExtValue()); 523 524 const ProgramState *state = Pred->getState(); 525 state = state->BindExpr(Ex, svalBuilder.makeIntVal(amt.getQuantity(), 526 Ex->getType())); 527 MakeNode(Dst, Ex, Pred, state); 528} 529 530void ExprEngine::VisitUnaryOperator(const UnaryOperator* U, 531 ExplodedNode *Pred, 532 ExplodedNodeSet &Dst) { 533 switch (U->getOpcode()) { 534 default: 535 break; 536 case UO_Real: { 537 const Expr *Ex = U->getSubExpr()->IgnoreParens(); 538 ExplodedNodeSet Tmp; 539 Visit(Ex, Pred, Tmp); 540 541 for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) { 542 543 // FIXME: We don't have complex SValues yet. 544 if (Ex->getType()->isAnyComplexType()) { 545 // Just report "Unknown." 546 Dst.Add(*I); 547 continue; 548 } 549 550 // For all other types, UO_Real is an identity operation. 551 assert (U->getType() == Ex->getType()); 552 const ProgramState *state = (*I)->getState(); 553 MakeNode(Dst, U, *I, state->BindExpr(U, state->getSVal(Ex))); 554 } 555 556 return; 557 } 558 559 case UO_Imag: { 560 561 const Expr *Ex = U->getSubExpr()->IgnoreParens(); 562 ExplodedNodeSet Tmp; 563 Visit(Ex, Pred, Tmp); 564 565 for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) { 566 // FIXME: We don't have complex SValues yet. 567 if (Ex->getType()->isAnyComplexType()) { 568 // Just report "Unknown." 569 Dst.Add(*I); 570 continue; 571 } 572 573 // For all other types, UO_Imag returns 0. 574 const ProgramState *state = (*I)->getState(); 575 SVal X = svalBuilder.makeZeroVal(Ex->getType()); 576 MakeNode(Dst, U, *I, state->BindExpr(U, X)); 577 } 578 579 return; 580 } 581 582 case UO_Plus: 583 assert(!U->isLValue()); 584 // FALL-THROUGH. 585 case UO_Deref: 586 case UO_AddrOf: 587 case UO_Extension: { 588 589 // Unary "+" is a no-op, similar to a parentheses. We still have places 590 // where it may be a block-level expression, so we need to 591 // generate an extra node that just propagates the value of the 592 // subexpression. 593 594 const Expr *Ex = U->getSubExpr()->IgnoreParens(); 595 ExplodedNodeSet Tmp; 596 Visit(Ex, Pred, Tmp); 597 598 for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) { 599 const ProgramState *state = (*I)->getState(); 600 MakeNode(Dst, U, *I, state->BindExpr(U, state->getSVal(Ex))); 601 } 602 603 return; 604 } 605 606 case UO_LNot: 607 case UO_Minus: 608 case UO_Not: { 609 assert (!U->isLValue()); 610 const Expr *Ex = U->getSubExpr()->IgnoreParens(); 611 ExplodedNodeSet Tmp; 612 Visit(Ex, Pred, Tmp); 613 614 for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) { 615 const ProgramState *state = (*I)->getState(); 616 617 // Get the value of the subexpression. 618 SVal V = state->getSVal(Ex); 619 620 if (V.isUnknownOrUndef()) { 621 MakeNode(Dst, U, *I, state->BindExpr(U, V)); 622 continue; 623 } 624 625 switch (U->getOpcode()) { 626 default: 627 assert(false && "Invalid Opcode."); 628 break; 629 630 case UO_Not: 631 // FIXME: Do we need to handle promotions? 632 state = state->BindExpr(U, evalComplement(cast<NonLoc>(V))); 633 break; 634 635 case UO_Minus: 636 // FIXME: Do we need to handle promotions? 637 state = state->BindExpr(U, evalMinus(cast<NonLoc>(V))); 638 break; 639 640 case UO_LNot: 641 642 // C99 6.5.3.3: "The expression !E is equivalent to (0==E)." 643 // 644 // Note: technically we do "E == 0", but this is the same in the 645 // transfer functions as "0 == E". 646 SVal Result; 647 648 if (isa<Loc>(V)) { 649 Loc X = svalBuilder.makeNull(); 650 Result = evalBinOp(state, BO_EQ, cast<Loc>(V), X, 651 U->getType()); 652 } 653 else { 654 nonloc::ConcreteInt X(getBasicVals().getValue(0, Ex->getType())); 655 Result = evalBinOp(state, BO_EQ, cast<NonLoc>(V), X, 656 U->getType()); 657 } 658 659 state = state->BindExpr(U, Result); 660 661 break; 662 } 663 664 MakeNode(Dst, U, *I, state); 665 } 666 667 return; 668 } 669 } 670 671 // Handle ++ and -- (both pre- and post-increment). 672 assert (U->isIncrementDecrementOp()); 673 ExplodedNodeSet Tmp; 674 const Expr *Ex = U->getSubExpr()->IgnoreParens(); 675 Visit(Ex, Pred, Tmp); 676 677 for (ExplodedNodeSet::iterator I = Tmp.begin(), E = Tmp.end(); I!=E; ++I) { 678 679 const ProgramState *state = (*I)->getState(); 680 SVal loc = state->getSVal(Ex); 681 682 // Perform a load. 683 ExplodedNodeSet Tmp2; 684 evalLoad(Tmp2, Ex, *I, state, loc); 685 686 for (ExplodedNodeSet::iterator I2=Tmp2.begin(), E2=Tmp2.end();I2!=E2;++I2) { 687 688 state = (*I2)->getState(); 689 SVal V2_untested = state->getSVal(Ex); 690 691 // Propagate unknown and undefined values. 692 if (V2_untested.isUnknownOrUndef()) { 693 MakeNode(Dst, U, *I2, state->BindExpr(U, V2_untested)); 694 continue; 695 } 696 DefinedSVal V2 = cast<DefinedSVal>(V2_untested); 697 698 // Handle all other values. 699 BinaryOperator::Opcode Op = U->isIncrementOp() ? BO_Add 700 : BO_Sub; 701 702 // If the UnaryOperator has non-location type, use its type to create the 703 // constant value. If the UnaryOperator has location type, create the 704 // constant with int type and pointer width. 705 SVal RHS; 706 707 if (U->getType()->isAnyPointerType()) 708 RHS = svalBuilder.makeArrayIndex(1); 709 else 710 RHS = svalBuilder.makeIntVal(1, U->getType()); 711 712 SVal Result = evalBinOp(state, Op, V2, RHS, U->getType()); 713 714 // Conjure a new symbol if necessary to recover precision. 715 if (Result.isUnknown() || !getConstraintManager().canReasonAbout(Result)){ 716 DefinedOrUnknownSVal SymVal = 717 svalBuilder.getConjuredSymbolVal(NULL, Ex, 718 Builder->getCurrentBlockCount()); 719 Result = SymVal; 720 721 // If the value is a location, ++/-- should always preserve 722 // non-nullness. Check if the original value was non-null, and if so 723 // propagate that constraint. 724 if (Loc::isLocType(U->getType())) { 725 DefinedOrUnknownSVal Constraint = 726 svalBuilder.evalEQ(state, V2,svalBuilder.makeZeroVal(U->getType())); 727 728 if (!state->assume(Constraint, true)) { 729 // It isn't feasible for the original value to be null. 730 // Propagate this constraint. 731 Constraint = svalBuilder.evalEQ(state, SymVal, 732 svalBuilder.makeZeroVal(U->getType())); 733 734 735 state = state->assume(Constraint, false); 736 assert(state); 737 } 738 } 739 } 740 741 // Since the lvalue-to-rvalue conversion is explicit in the AST, 742 // we bind an l-value if the operator is prefix and an lvalue (in C++). 743 if (U->isLValue()) 744 state = state->BindExpr(U, loc); 745 else 746 state = state->BindExpr(U, U->isPostfix() ? V2 : Result); 747 748 // Perform the store. 749 evalStore(Dst, NULL, U, *I2, state, loc, Result); 750 } 751 } 752} 753