RegionStore.cpp revision eac8c45f0d6528a21e68bf2651c3082d8e44132e
1//== RegionStore.cpp - Field-sensitive store model --------------*- C++ -*--==// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file defines a basic region store model. In this model, we do have field 11// sensitivity. But we assume nothing about the heap shape. So recursive data 12// structures are largely ignored. Basically we do 1-limiting analysis. 13// Parameter pointers are assumed with no aliasing. Pointee objects of 14// parameters are created lazily. 15// 16//===----------------------------------------------------------------------===// 17#include "clang/AST/Attr.h" 18#include "clang/AST/CharUnits.h" 19#include "clang/Analysis/Analyses/LiveVariables.h" 20#include "clang/Analysis/AnalysisContext.h" 21#include "clang/Basic/TargetInfo.h" 22#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" 23#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 24#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" 25#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 26#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 27#include "clang/StaticAnalyzer/Core/PathSensitive/SubEngine.h" 28#include "llvm/ADT/ImmutableList.h" 29#include "llvm/ADT/ImmutableMap.h" 30#include "llvm/ADT/Optional.h" 31#include "llvm/Support/raw_ostream.h" 32 33using namespace clang; 34using namespace ento; 35 36//===----------------------------------------------------------------------===// 37// Representation of binding keys. 38//===----------------------------------------------------------------------===// 39 40namespace { 41class BindingKey { 42public: 43 enum Kind { Default = 0x0, Direct = 0x1 }; 44private: 45 enum { Symbolic = 0x2 }; 46 47 llvm::PointerIntPair<const MemRegion *, 2> P; 48 uint64_t Data; 49 50 /// Create a key for a binding to region \p r, which has a symbolic offset 51 /// from region \p Base. 52 explicit BindingKey(const SubRegion *r, const SubRegion *Base, Kind k) 53 : P(r, k | Symbolic), Data(reinterpret_cast<uintptr_t>(Base)) { 54 assert(r && Base && "Must have known regions."); 55 assert(getConcreteOffsetRegion() == Base && "Failed to store base region"); 56 } 57 58 /// Create a key for a binding at \p offset from base region \p r. 59 explicit BindingKey(const MemRegion *r, uint64_t offset, Kind k) 60 : P(r, k), Data(offset) { 61 assert(r && "Must have known regions."); 62 assert(getOffset() == offset && "Failed to store offset"); 63 assert((r == r->getBaseRegion() || isa<ObjCIvarRegion>(r)) && "Not a base"); 64 } 65public: 66 67 bool isDirect() const { return P.getInt() & Direct; } 68 bool hasSymbolicOffset() const { return P.getInt() & Symbolic; } 69 70 const MemRegion *getRegion() const { return P.getPointer(); } 71 uint64_t getOffset() const { 72 assert(!hasSymbolicOffset()); 73 return Data; 74 } 75 76 const SubRegion *getConcreteOffsetRegion() const { 77 assert(hasSymbolicOffset()); 78 return reinterpret_cast<const SubRegion *>(static_cast<uintptr_t>(Data)); 79 } 80 81 const MemRegion *getBaseRegion() const { 82 if (hasSymbolicOffset()) 83 return getConcreteOffsetRegion()->getBaseRegion(); 84 return getRegion()->getBaseRegion(); 85 } 86 87 void Profile(llvm::FoldingSetNodeID& ID) const { 88 ID.AddPointer(P.getOpaqueValue()); 89 ID.AddInteger(Data); 90 } 91 92 static BindingKey Make(const MemRegion *R, Kind k); 93 94 bool operator<(const BindingKey &X) const { 95 if (P.getOpaqueValue() < X.P.getOpaqueValue()) 96 return true; 97 if (P.getOpaqueValue() > X.P.getOpaqueValue()) 98 return false; 99 return Data < X.Data; 100 } 101 102 bool operator==(const BindingKey &X) const { 103 return P.getOpaqueValue() == X.P.getOpaqueValue() && 104 Data == X.Data; 105 } 106 107 LLVM_ATTRIBUTE_USED void dump() const; 108}; 109} // end anonymous namespace 110 111BindingKey BindingKey::Make(const MemRegion *R, Kind k) { 112 const RegionOffset &RO = R->getAsOffset(); 113 if (RO.hasSymbolicOffset()) 114 return BindingKey(cast<SubRegion>(R), cast<SubRegion>(RO.getRegion()), k); 115 116 return BindingKey(RO.getRegion(), RO.getOffset(), k); 117} 118 119namespace llvm { 120 static inline 121 raw_ostream &operator<<(raw_ostream &os, BindingKey K) { 122 os << '(' << K.getRegion(); 123 if (!K.hasSymbolicOffset()) 124 os << ',' << K.getOffset(); 125 os << ',' << (K.isDirect() ? "direct" : "default") 126 << ')'; 127 return os; 128 } 129 130 template <typename T> struct isPodLike; 131 template <> struct isPodLike<BindingKey> { 132 static const bool value = true; 133 }; 134} // end llvm namespace 135 136void BindingKey::dump() const { 137 llvm::errs() << *this; 138} 139 140//===----------------------------------------------------------------------===// 141// Actual Store type. 142//===----------------------------------------------------------------------===// 143 144typedef llvm::ImmutableMap<BindingKey, SVal> ClusterBindings; 145typedef llvm::ImmutableMapRef<BindingKey, SVal> ClusterBindingsRef; 146typedef std::pair<BindingKey, SVal> BindingPair; 147 148typedef llvm::ImmutableMap<const MemRegion *, ClusterBindings> 149 RegionBindings; 150 151namespace { 152class RegionBindingsRef : public llvm::ImmutableMapRef<const MemRegion *, 153 ClusterBindings> { 154 ClusterBindings::Factory &CBFactory; 155public: 156 typedef llvm::ImmutableMapRef<const MemRegion *, ClusterBindings> 157 ParentTy; 158 159 RegionBindingsRef(ClusterBindings::Factory &CBFactory, 160 const RegionBindings::TreeTy *T, 161 RegionBindings::TreeTy::Factory *F) 162 : llvm::ImmutableMapRef<const MemRegion *, ClusterBindings>(T, F), 163 CBFactory(CBFactory) {} 164 165 RegionBindingsRef(const ParentTy &P, ClusterBindings::Factory &CBFactory) 166 : llvm::ImmutableMapRef<const MemRegion *, ClusterBindings>(P), 167 CBFactory(CBFactory) {} 168 169 RegionBindingsRef add(key_type_ref K, data_type_ref D) const { 170 return RegionBindingsRef(static_cast<const ParentTy*>(this)->add(K, D), 171 CBFactory); 172 } 173 174 RegionBindingsRef remove(key_type_ref K) const { 175 return RegionBindingsRef(static_cast<const ParentTy*>(this)->remove(K), 176 CBFactory); 177 } 178 179 RegionBindingsRef addBinding(BindingKey K, SVal V) const; 180 181 RegionBindingsRef addBinding(const MemRegion *R, 182 BindingKey::Kind k, SVal V) const; 183 184 RegionBindingsRef &operator=(const RegionBindingsRef &X) { 185 *static_cast<ParentTy*>(this) = X; 186 return *this; 187 } 188 189 const SVal *lookup(BindingKey K) const; 190 const SVal *lookup(const MemRegion *R, BindingKey::Kind k) const; 191 const ClusterBindings *lookup(const MemRegion *R) const { 192 return static_cast<const ParentTy*>(this)->lookup(R); 193 } 194 195 RegionBindingsRef removeBinding(BindingKey K); 196 197 RegionBindingsRef removeBinding(const MemRegion *R, 198 BindingKey::Kind k); 199 200 RegionBindingsRef removeBinding(const MemRegion *R) { 201 return removeBinding(R, BindingKey::Direct). 202 removeBinding(R, BindingKey::Default); 203 } 204 205 Optional<SVal> getDirectBinding(const MemRegion *R) const; 206 207 /// getDefaultBinding - Returns an SVal* representing an optional default 208 /// binding associated with a region and its subregions. 209 Optional<SVal> getDefaultBinding(const MemRegion *R) const; 210 211 /// Return the internal tree as a Store. 212 Store asStore() const { 213 return asImmutableMap().getRootWithoutRetain(); 214 } 215 216 void dump(raw_ostream &OS, const char *nl) const { 217 for (iterator I = begin(), E = end(); I != E; ++I) { 218 const ClusterBindings &Cluster = I.getData(); 219 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 220 CI != CE; ++CI) { 221 OS << ' ' << CI.getKey() << " : " << CI.getData() << nl; 222 } 223 OS << nl; 224 } 225 } 226 227 LLVM_ATTRIBUTE_USED void dump() const { 228 dump(llvm::errs(), "\n"); 229 } 230}; 231} // end anonymous namespace 232 233typedef const RegionBindingsRef& RegionBindingsConstRef; 234 235Optional<SVal> RegionBindingsRef::getDirectBinding(const MemRegion *R) const { 236 return Optional<SVal>::create(lookup(R, BindingKey::Direct)); 237} 238 239Optional<SVal> RegionBindingsRef::getDefaultBinding(const MemRegion *R) const { 240 if (R->isBoundable()) 241 if (const TypedValueRegion *TR = dyn_cast<TypedValueRegion>(R)) 242 if (TR->getValueType()->isUnionType()) 243 return UnknownVal(); 244 245 return Optional<SVal>::create(lookup(R, BindingKey::Default)); 246} 247 248RegionBindingsRef RegionBindingsRef::addBinding(BindingKey K, SVal V) const { 249 const MemRegion *Base = K.getBaseRegion(); 250 251 const ClusterBindings *ExistingCluster = lookup(Base); 252 ClusterBindings Cluster = (ExistingCluster ? *ExistingCluster 253 : CBFactory.getEmptyMap()); 254 255 ClusterBindings NewCluster = CBFactory.add(Cluster, K, V); 256 return add(Base, NewCluster); 257} 258 259 260RegionBindingsRef RegionBindingsRef::addBinding(const MemRegion *R, 261 BindingKey::Kind k, 262 SVal V) const { 263 return addBinding(BindingKey::Make(R, k), V); 264} 265 266const SVal *RegionBindingsRef::lookup(BindingKey K) const { 267 const ClusterBindings *Cluster = lookup(K.getBaseRegion()); 268 if (!Cluster) 269 return 0; 270 return Cluster->lookup(K); 271} 272 273const SVal *RegionBindingsRef::lookup(const MemRegion *R, 274 BindingKey::Kind k) const { 275 return lookup(BindingKey::Make(R, k)); 276} 277 278RegionBindingsRef RegionBindingsRef::removeBinding(BindingKey K) { 279 const MemRegion *Base = K.getBaseRegion(); 280 const ClusterBindings *Cluster = lookup(Base); 281 if (!Cluster) 282 return *this; 283 284 ClusterBindings NewCluster = CBFactory.remove(*Cluster, K); 285 if (NewCluster.isEmpty()) 286 return remove(Base); 287 return add(Base, NewCluster); 288} 289 290RegionBindingsRef RegionBindingsRef::removeBinding(const MemRegion *R, 291 BindingKey::Kind k){ 292 return removeBinding(BindingKey::Make(R, k)); 293} 294 295//===----------------------------------------------------------------------===// 296// Fine-grained control of RegionStoreManager. 297//===----------------------------------------------------------------------===// 298 299namespace { 300struct minimal_features_tag {}; 301struct maximal_features_tag {}; 302 303class RegionStoreFeatures { 304 bool SupportsFields; 305public: 306 RegionStoreFeatures(minimal_features_tag) : 307 SupportsFields(false) {} 308 309 RegionStoreFeatures(maximal_features_tag) : 310 SupportsFields(true) {} 311 312 void enableFields(bool t) { SupportsFields = t; } 313 314 bool supportsFields() const { return SupportsFields; } 315}; 316} 317 318//===----------------------------------------------------------------------===// 319// Main RegionStore logic. 320//===----------------------------------------------------------------------===// 321 322namespace { 323class invalidateRegionsWorker; 324 325class RegionStoreManager : public StoreManager { 326public: 327 const RegionStoreFeatures Features; 328 329 RegionBindings::Factory RBFactory; 330 mutable ClusterBindings::Factory CBFactory; 331 332 typedef std::vector<SVal> SValListTy; 333private: 334 typedef llvm::DenseMap<const LazyCompoundValData *, 335 SValListTy> LazyBindingsMapTy; 336 LazyBindingsMapTy LazyBindingsMap; 337 338 /// The largest number of fields a struct can have and still be 339 /// considered "small". 340 /// 341 /// This is currently used to decide whether or not it is worth "forcing" a 342 /// LazyCompoundVal on bind. 343 /// 344 /// This is controlled by 'region-store-small-struct-limit' option. 345 /// To disable all small-struct-dependent behavior, set the option to "0". 346 unsigned SmallStructLimit; 347 348 /// \brief A helper used to populate the work list with the given set of 349 /// regions. 350 void populateWorkList(invalidateRegionsWorker &W, 351 ArrayRef<SVal> Values, 352 InvalidatedRegions *TopLevelRegions); 353 354public: 355 RegionStoreManager(ProgramStateManager& mgr, const RegionStoreFeatures &f) 356 : StoreManager(mgr), Features(f), 357 RBFactory(mgr.getAllocator()), CBFactory(mgr.getAllocator()), 358 SmallStructLimit(0) { 359 if (SubEngine *Eng = StateMgr.getOwningEngine()) { 360 AnalyzerOptions &Options = Eng->getAnalysisManager().options; 361 SmallStructLimit = 362 Options.getOptionAsInteger("region-store-small-struct-limit", 2); 363 } 364 } 365 366 367 /// setImplicitDefaultValue - Set the default binding for the provided 368 /// MemRegion to the value implicitly defined for compound literals when 369 /// the value is not specified. 370 RegionBindingsRef setImplicitDefaultValue(RegionBindingsConstRef B, 371 const MemRegion *R, QualType T); 372 373 /// ArrayToPointer - Emulates the "decay" of an array to a pointer 374 /// type. 'Array' represents the lvalue of the array being decayed 375 /// to a pointer, and the returned SVal represents the decayed 376 /// version of that lvalue (i.e., a pointer to the first element of 377 /// the array). This is called by ExprEngine when evaluating 378 /// casts from arrays to pointers. 379 SVal ArrayToPointer(Loc Array, QualType ElementTy); 380 381 StoreRef getInitialStore(const LocationContext *InitLoc) { 382 return StoreRef(RBFactory.getEmptyMap().getRootWithoutRetain(), *this); 383 } 384 385 //===-------------------------------------------------------------------===// 386 // Binding values to regions. 387 //===-------------------------------------------------------------------===// 388 RegionBindingsRef invalidateGlobalRegion(MemRegion::Kind K, 389 const Expr *Ex, 390 unsigned Count, 391 const LocationContext *LCtx, 392 RegionBindingsRef B, 393 InvalidatedRegions *Invalidated); 394 395 StoreRef invalidateRegions(Store store, 396 ArrayRef<SVal> Values, 397 const Expr *E, unsigned Count, 398 const LocationContext *LCtx, 399 const CallEvent *Call, 400 InvalidatedSymbols &IS, 401 RegionAndSymbolInvalidationTraits &ITraits, 402 InvalidatedRegions *Invalidated, 403 InvalidatedRegions *InvalidatedTopLevel); 404 405 bool scanReachableSymbols(Store S, const MemRegion *R, 406 ScanReachableSymbols &Callbacks); 407 408 RegionBindingsRef removeSubRegionBindings(RegionBindingsConstRef B, 409 const SubRegion *R); 410 411public: // Part of public interface to class. 412 413 virtual StoreRef Bind(Store store, Loc LV, SVal V) { 414 return StoreRef(bind(getRegionBindings(store), LV, V).asStore(), *this); 415 } 416 417 RegionBindingsRef bind(RegionBindingsConstRef B, Loc LV, SVal V); 418 419 // BindDefault is only used to initialize a region with a default value. 420 StoreRef BindDefault(Store store, const MemRegion *R, SVal V) { 421 RegionBindingsRef B = getRegionBindings(store); 422 assert(!B.lookup(R, BindingKey::Direct)); 423 424 BindingKey Key = BindingKey::Make(R, BindingKey::Default); 425 if (B.lookup(Key)) { 426 const SubRegion *SR = cast<SubRegion>(R); 427 assert(SR->getAsOffset().getOffset() == 428 SR->getSuperRegion()->getAsOffset().getOffset() && 429 "A default value must come from a super-region"); 430 B = removeSubRegionBindings(B, SR); 431 } else { 432 B = B.addBinding(Key, V); 433 } 434 435 return StoreRef(B.asImmutableMap().getRootWithoutRetain(), *this); 436 } 437 438 /// Attempt to extract the fields of \p LCV and bind them to the struct region 439 /// \p R. 440 /// 441 /// This path is used when it seems advantageous to "force" loading the values 442 /// within a LazyCompoundVal to bind memberwise to the struct region, rather 443 /// than using a Default binding at the base of the entire region. This is a 444 /// heuristic attempting to avoid building long chains of LazyCompoundVals. 445 /// 446 /// \returns The updated store bindings, or \c None if binding non-lazily 447 /// would be too expensive. 448 Optional<RegionBindingsRef> tryBindSmallStruct(RegionBindingsConstRef B, 449 const TypedValueRegion *R, 450 const RecordDecl *RD, 451 nonloc::LazyCompoundVal LCV); 452 453 /// BindStruct - Bind a compound value to a structure. 454 RegionBindingsRef bindStruct(RegionBindingsConstRef B, 455 const TypedValueRegion* R, SVal V); 456 457 /// BindVector - Bind a compound value to a vector. 458 RegionBindingsRef bindVector(RegionBindingsConstRef B, 459 const TypedValueRegion* R, SVal V); 460 461 RegionBindingsRef bindArray(RegionBindingsConstRef B, 462 const TypedValueRegion* R, 463 SVal V); 464 465 /// Clears out all bindings in the given region and assigns a new value 466 /// as a Default binding. 467 RegionBindingsRef bindAggregate(RegionBindingsConstRef B, 468 const TypedRegion *R, 469 SVal DefaultVal); 470 471 /// \brief Create a new store with the specified binding removed. 472 /// \param ST the original store, that is the basis for the new store. 473 /// \param L the location whose binding should be removed. 474 virtual StoreRef killBinding(Store ST, Loc L); 475 476 void incrementReferenceCount(Store store) { 477 getRegionBindings(store).manualRetain(); 478 } 479 480 /// If the StoreManager supports it, decrement the reference count of 481 /// the specified Store object. If the reference count hits 0, the memory 482 /// associated with the object is recycled. 483 void decrementReferenceCount(Store store) { 484 getRegionBindings(store).manualRelease(); 485 } 486 487 bool includedInBindings(Store store, const MemRegion *region) const; 488 489 /// \brief Return the value bound to specified location in a given state. 490 /// 491 /// The high level logic for this method is this: 492 /// getBinding (L) 493 /// if L has binding 494 /// return L's binding 495 /// else if L is in killset 496 /// return unknown 497 /// else 498 /// if L is on stack or heap 499 /// return undefined 500 /// else 501 /// return symbolic 502 virtual SVal getBinding(Store S, Loc L, QualType T) { 503 return getBinding(getRegionBindings(S), L, T); 504 } 505 506 SVal getBinding(RegionBindingsConstRef B, Loc L, QualType T = QualType()); 507 508 SVal getBindingForElement(RegionBindingsConstRef B, const ElementRegion *R); 509 510 SVal getBindingForField(RegionBindingsConstRef B, const FieldRegion *R); 511 512 SVal getBindingForObjCIvar(RegionBindingsConstRef B, const ObjCIvarRegion *R); 513 514 SVal getBindingForVar(RegionBindingsConstRef B, const VarRegion *R); 515 516 SVal getBindingForLazySymbol(const TypedValueRegion *R); 517 518 SVal getBindingForFieldOrElementCommon(RegionBindingsConstRef B, 519 const TypedValueRegion *R, 520 QualType Ty); 521 522 SVal getLazyBinding(const SubRegion *LazyBindingRegion, 523 RegionBindingsRef LazyBinding); 524 525 /// Get bindings for the values in a struct and return a CompoundVal, used 526 /// when doing struct copy: 527 /// struct s x, y; 528 /// x = y; 529 /// y's value is retrieved by this method. 530 SVal getBindingForStruct(RegionBindingsConstRef B, const TypedValueRegion *R); 531 SVal getBindingForArray(RegionBindingsConstRef B, const TypedValueRegion *R); 532 NonLoc createLazyBinding(RegionBindingsConstRef B, const TypedValueRegion *R); 533 534 /// Used to lazily generate derived symbols for bindings that are defined 535 /// implicitly by default bindings in a super region. 536 /// 537 /// Note that callers may need to specially handle LazyCompoundVals, which 538 /// are returned as is in case the caller needs to treat them differently. 539 Optional<SVal> getBindingForDerivedDefaultValue(RegionBindingsConstRef B, 540 const MemRegion *superR, 541 const TypedValueRegion *R, 542 QualType Ty); 543 544 /// Get the state and region whose binding this region \p R corresponds to. 545 /// 546 /// If there is no lazy binding for \p R, the returned value will have a null 547 /// \c second. Note that a null pointer can represents a valid Store. 548 std::pair<Store, const SubRegion *> 549 findLazyBinding(RegionBindingsConstRef B, const SubRegion *R, 550 const SubRegion *originalRegion); 551 552 /// Returns the cached set of interesting SVals contained within a lazy 553 /// binding. 554 /// 555 /// The precise value of "interesting" is determined for the purposes of 556 /// RegionStore's internal analysis. It must always contain all regions and 557 /// symbols, but may omit constants and other kinds of SVal. 558 const SValListTy &getInterestingValues(nonloc::LazyCompoundVal LCV); 559 560 //===------------------------------------------------------------------===// 561 // State pruning. 562 //===------------------------------------------------------------------===// 563 564 /// removeDeadBindings - Scans the RegionStore of 'state' for dead values. 565 /// It returns a new Store with these values removed. 566 StoreRef removeDeadBindings(Store store, const StackFrameContext *LCtx, 567 SymbolReaper& SymReaper); 568 569 //===------------------------------------------------------------------===// 570 // Region "extents". 571 //===------------------------------------------------------------------===// 572 573 // FIXME: This method will soon be eliminated; see the note in Store.h. 574 DefinedOrUnknownSVal getSizeInElements(ProgramStateRef state, 575 const MemRegion* R, QualType EleTy); 576 577 //===------------------------------------------------------------------===// 578 // Utility methods. 579 //===------------------------------------------------------------------===// 580 581 RegionBindingsRef getRegionBindings(Store store) const { 582 return RegionBindingsRef(CBFactory, 583 static_cast<const RegionBindings::TreeTy*>(store), 584 RBFactory.getTreeFactory()); 585 } 586 587 void print(Store store, raw_ostream &Out, const char* nl, 588 const char *sep); 589 590 void iterBindings(Store store, BindingsHandler& f) { 591 RegionBindingsRef B = getRegionBindings(store); 592 for (RegionBindingsRef::iterator I = B.begin(), E = B.end(); I != E; ++I) { 593 const ClusterBindings &Cluster = I.getData(); 594 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 595 CI != CE; ++CI) { 596 const BindingKey &K = CI.getKey(); 597 if (!K.isDirect()) 598 continue; 599 if (const SubRegion *R = dyn_cast<SubRegion>(K.getRegion())) { 600 // FIXME: Possibly incorporate the offset? 601 if (!f.HandleBinding(*this, store, R, CI.getData())) 602 return; 603 } 604 } 605 } 606 } 607}; 608 609} // end anonymous namespace 610 611//===----------------------------------------------------------------------===// 612// RegionStore creation. 613//===----------------------------------------------------------------------===// 614 615StoreManager *ento::CreateRegionStoreManager(ProgramStateManager& StMgr) { 616 RegionStoreFeatures F = maximal_features_tag(); 617 return new RegionStoreManager(StMgr, F); 618} 619 620StoreManager * 621ento::CreateFieldsOnlyRegionStoreManager(ProgramStateManager &StMgr) { 622 RegionStoreFeatures F = minimal_features_tag(); 623 F.enableFields(true); 624 return new RegionStoreManager(StMgr, F); 625} 626 627 628//===----------------------------------------------------------------------===// 629// Region Cluster analysis. 630//===----------------------------------------------------------------------===// 631 632namespace { 633/// Used to determine which global regions are automatically included in the 634/// initial worklist of a ClusterAnalysis. 635enum GlobalsFilterKind { 636 /// Don't include any global regions. 637 GFK_None, 638 /// Only include system globals. 639 GFK_SystemOnly, 640 /// Include all global regions. 641 GFK_All 642}; 643 644template <typename DERIVED> 645class ClusterAnalysis { 646protected: 647 typedef llvm::DenseMap<const MemRegion *, const ClusterBindings *> ClusterMap; 648 typedef const MemRegion * WorkListElement; 649 typedef SmallVector<WorkListElement, 10> WorkList; 650 651 llvm::SmallPtrSet<const ClusterBindings *, 16> Visited; 652 653 WorkList WL; 654 655 RegionStoreManager &RM; 656 ASTContext &Ctx; 657 SValBuilder &svalBuilder; 658 659 RegionBindingsRef B; 660 661private: 662 GlobalsFilterKind GlobalsFilter; 663 664protected: 665 const ClusterBindings *getCluster(const MemRegion *R) { 666 return B.lookup(R); 667 } 668 669 /// Returns true if the memory space of the given region is one of the global 670 /// regions specially included at the start of analysis. 671 bool isInitiallyIncludedGlobalRegion(const MemRegion *R) { 672 switch (GlobalsFilter) { 673 case GFK_None: 674 return false; 675 case GFK_SystemOnly: 676 return isa<GlobalSystemSpaceRegion>(R->getMemorySpace()); 677 case GFK_All: 678 return isa<NonStaticGlobalSpaceRegion>(R->getMemorySpace()); 679 } 680 681 llvm_unreachable("unknown globals filter"); 682 } 683 684public: 685 ClusterAnalysis(RegionStoreManager &rm, ProgramStateManager &StateMgr, 686 RegionBindingsRef b, GlobalsFilterKind GFK) 687 : RM(rm), Ctx(StateMgr.getContext()), 688 svalBuilder(StateMgr.getSValBuilder()), 689 B(b), GlobalsFilter(GFK) {} 690 691 RegionBindingsRef getRegionBindings() const { return B; } 692 693 bool isVisited(const MemRegion *R) { 694 return Visited.count(getCluster(R)); 695 } 696 697 void GenerateClusters() { 698 // Scan the entire set of bindings and record the region clusters. 699 for (RegionBindingsRef::iterator RI = B.begin(), RE = B.end(); 700 RI != RE; ++RI){ 701 const MemRegion *Base = RI.getKey(); 702 703 const ClusterBindings &Cluster = RI.getData(); 704 assert(!Cluster.isEmpty() && "Empty clusters should be removed"); 705 static_cast<DERIVED*>(this)->VisitAddedToCluster(Base, Cluster); 706 707 // If this is an interesting global region, add it the work list up front. 708 if (isInitiallyIncludedGlobalRegion(Base)) 709 AddToWorkList(WorkListElement(Base), &Cluster); 710 } 711 } 712 713 bool AddToWorkList(WorkListElement E, const ClusterBindings *C) { 714 if (C && !Visited.insert(C)) 715 return false; 716 WL.push_back(E); 717 return true; 718 } 719 720 bool AddToWorkList(const MemRegion *R) { 721 const MemRegion *BaseR = R->getBaseRegion(); 722 return AddToWorkList(WorkListElement(BaseR), getCluster(BaseR)); 723 } 724 725 void RunWorkList() { 726 while (!WL.empty()) { 727 WorkListElement E = WL.pop_back_val(); 728 const MemRegion *BaseR = E; 729 730 static_cast<DERIVED*>(this)->VisitCluster(BaseR, getCluster(BaseR)); 731 } 732 } 733 734 void VisitAddedToCluster(const MemRegion *baseR, const ClusterBindings &C) {} 735 void VisitCluster(const MemRegion *baseR, const ClusterBindings *C) {} 736 737 void VisitCluster(const MemRegion *BaseR, const ClusterBindings *C, 738 bool Flag) { 739 static_cast<DERIVED*>(this)->VisitCluster(BaseR, C); 740 } 741}; 742} 743 744//===----------------------------------------------------------------------===// 745// Binding invalidation. 746//===----------------------------------------------------------------------===// 747 748bool RegionStoreManager::scanReachableSymbols(Store S, const MemRegion *R, 749 ScanReachableSymbols &Callbacks) { 750 assert(R == R->getBaseRegion() && "Should only be called for base regions"); 751 RegionBindingsRef B = getRegionBindings(S); 752 const ClusterBindings *Cluster = B.lookup(R); 753 754 if (!Cluster) 755 return true; 756 757 for (ClusterBindings::iterator RI = Cluster->begin(), RE = Cluster->end(); 758 RI != RE; ++RI) { 759 if (!Callbacks.scan(RI.getData())) 760 return false; 761 } 762 763 return true; 764} 765 766static inline bool isUnionField(const FieldRegion *FR) { 767 return FR->getDecl()->getParent()->isUnion(); 768} 769 770typedef SmallVector<const FieldDecl *, 8> FieldVector; 771 772void getSymbolicOffsetFields(BindingKey K, FieldVector &Fields) { 773 assert(K.hasSymbolicOffset() && "Not implemented for concrete offset keys"); 774 775 const MemRegion *Base = K.getConcreteOffsetRegion(); 776 const MemRegion *R = K.getRegion(); 777 778 while (R != Base) { 779 if (const FieldRegion *FR = dyn_cast<FieldRegion>(R)) 780 if (!isUnionField(FR)) 781 Fields.push_back(FR->getDecl()); 782 783 R = cast<SubRegion>(R)->getSuperRegion(); 784 } 785} 786 787static bool isCompatibleWithFields(BindingKey K, const FieldVector &Fields) { 788 assert(K.hasSymbolicOffset() && "Not implemented for concrete offset keys"); 789 790 if (Fields.empty()) 791 return true; 792 793 FieldVector FieldsInBindingKey; 794 getSymbolicOffsetFields(K, FieldsInBindingKey); 795 796 ptrdiff_t Delta = FieldsInBindingKey.size() - Fields.size(); 797 if (Delta >= 0) 798 return std::equal(FieldsInBindingKey.begin() + Delta, 799 FieldsInBindingKey.end(), 800 Fields.begin()); 801 else 802 return std::equal(FieldsInBindingKey.begin(), FieldsInBindingKey.end(), 803 Fields.begin() - Delta); 804} 805 806/// Collects all bindings in \p Cluster that may refer to bindings within 807/// \p Top. 808/// 809/// Each binding is a pair whose \c first is the key (a BindingKey) and whose 810/// \c second is the value (an SVal). 811/// 812/// The \p IncludeAllDefaultBindings parameter specifies whether to include 813/// default bindings that may extend beyond \p Top itself, e.g. if \p Top is 814/// an aggregate within a larger aggregate with a default binding. 815static void 816collectSubRegionBindings(SmallVectorImpl<BindingPair> &Bindings, 817 SValBuilder &SVB, const ClusterBindings &Cluster, 818 const SubRegion *Top, BindingKey TopKey, 819 bool IncludeAllDefaultBindings) { 820 FieldVector FieldsInSymbolicSubregions; 821 if (TopKey.hasSymbolicOffset()) { 822 getSymbolicOffsetFields(TopKey, FieldsInSymbolicSubregions); 823 Top = cast<SubRegion>(TopKey.getConcreteOffsetRegion()); 824 TopKey = BindingKey::Make(Top, BindingKey::Default); 825 } 826 827 // Find the length (in bits) of the region being invalidated. 828 uint64_t Length = UINT64_MAX; 829 SVal Extent = Top->getExtent(SVB); 830 if (Optional<nonloc::ConcreteInt> ExtentCI = 831 Extent.getAs<nonloc::ConcreteInt>()) { 832 const llvm::APSInt &ExtentInt = ExtentCI->getValue(); 833 assert(ExtentInt.isNonNegative() || ExtentInt.isUnsigned()); 834 // Extents are in bytes but region offsets are in bits. Be careful! 835 Length = ExtentInt.getLimitedValue() * SVB.getContext().getCharWidth(); 836 } else if (const FieldRegion *FR = dyn_cast<FieldRegion>(Top)) { 837 if (FR->getDecl()->isBitField()) 838 Length = FR->getDecl()->getBitWidthValue(SVB.getContext()); 839 } 840 841 for (ClusterBindings::iterator I = Cluster.begin(), E = Cluster.end(); 842 I != E; ++I) { 843 BindingKey NextKey = I.getKey(); 844 if (NextKey.getRegion() == TopKey.getRegion()) { 845 // FIXME: This doesn't catch the case where we're really invalidating a 846 // region with a symbolic offset. Example: 847 // R: points[i].y 848 // Next: points[0].x 849 850 if (NextKey.getOffset() > TopKey.getOffset() && 851 NextKey.getOffset() - TopKey.getOffset() < Length) { 852 // Case 1: The next binding is inside the region we're invalidating. 853 // Include it. 854 Bindings.push_back(*I); 855 856 } else if (NextKey.getOffset() == TopKey.getOffset()) { 857 // Case 2: The next binding is at the same offset as the region we're 858 // invalidating. In this case, we need to leave default bindings alone, 859 // since they may be providing a default value for a regions beyond what 860 // we're invalidating. 861 // FIXME: This is probably incorrect; consider invalidating an outer 862 // struct whose first field is bound to a LazyCompoundVal. 863 if (IncludeAllDefaultBindings || NextKey.isDirect()) 864 Bindings.push_back(*I); 865 } 866 867 } else if (NextKey.hasSymbolicOffset()) { 868 const MemRegion *Base = NextKey.getConcreteOffsetRegion(); 869 if (Top->isSubRegionOf(Base)) { 870 // Case 3: The next key is symbolic and we just changed something within 871 // its concrete region. We don't know if the binding is still valid, so 872 // we'll be conservative and include it. 873 if (IncludeAllDefaultBindings || NextKey.isDirect()) 874 if (isCompatibleWithFields(NextKey, FieldsInSymbolicSubregions)) 875 Bindings.push_back(*I); 876 } else if (const SubRegion *BaseSR = dyn_cast<SubRegion>(Base)) { 877 // Case 4: The next key is symbolic, but we changed a known 878 // super-region. In this case the binding is certainly included. 879 if (Top == Base || BaseSR->isSubRegionOf(Top)) 880 if (isCompatibleWithFields(NextKey, FieldsInSymbolicSubregions)) 881 Bindings.push_back(*I); 882 } 883 } 884 } 885} 886 887static void 888collectSubRegionBindings(SmallVectorImpl<BindingPair> &Bindings, 889 SValBuilder &SVB, const ClusterBindings &Cluster, 890 const SubRegion *Top, bool IncludeAllDefaultBindings) { 891 collectSubRegionBindings(Bindings, SVB, Cluster, Top, 892 BindingKey::Make(Top, BindingKey::Default), 893 IncludeAllDefaultBindings); 894} 895 896RegionBindingsRef 897RegionStoreManager::removeSubRegionBindings(RegionBindingsConstRef B, 898 const SubRegion *Top) { 899 BindingKey TopKey = BindingKey::Make(Top, BindingKey::Default); 900 const MemRegion *ClusterHead = TopKey.getBaseRegion(); 901 902 if (Top == ClusterHead) { 903 // We can remove an entire cluster's bindings all in one go. 904 return B.remove(Top); 905 } 906 907 const ClusterBindings *Cluster = B.lookup(ClusterHead); 908 if (!Cluster) { 909 // If we're invalidating a region with a symbolic offset, we need to make 910 // sure we don't treat the base region as uninitialized anymore. 911 if (TopKey.hasSymbolicOffset()) { 912 const SubRegion *Concrete = TopKey.getConcreteOffsetRegion(); 913 return B.addBinding(Concrete, BindingKey::Default, UnknownVal()); 914 } 915 return B; 916 } 917 918 SmallVector<BindingPair, 32> Bindings; 919 collectSubRegionBindings(Bindings, svalBuilder, *Cluster, Top, TopKey, 920 /*IncludeAllDefaultBindings=*/false); 921 922 ClusterBindingsRef Result(*Cluster, CBFactory); 923 for (SmallVectorImpl<BindingPair>::const_iterator I = Bindings.begin(), 924 E = Bindings.end(); 925 I != E; ++I) 926 Result = Result.remove(I->first); 927 928 // If we're invalidating a region with a symbolic offset, we need to make sure 929 // we don't treat the base region as uninitialized anymore. 930 // FIXME: This isn't very precise; see the example in 931 // collectSubRegionBindings. 932 if (TopKey.hasSymbolicOffset()) { 933 const SubRegion *Concrete = TopKey.getConcreteOffsetRegion(); 934 Result = Result.add(BindingKey::Make(Concrete, BindingKey::Default), 935 UnknownVal()); 936 } 937 938 if (Result.isEmpty()) 939 return B.remove(ClusterHead); 940 return B.add(ClusterHead, Result.asImmutableMap()); 941} 942 943namespace { 944class invalidateRegionsWorker : public ClusterAnalysis<invalidateRegionsWorker> 945{ 946 const Expr *Ex; 947 unsigned Count; 948 const LocationContext *LCtx; 949 InvalidatedSymbols &IS; 950 RegionAndSymbolInvalidationTraits &ITraits; 951 StoreManager::InvalidatedRegions *Regions; 952public: 953 invalidateRegionsWorker(RegionStoreManager &rm, 954 ProgramStateManager &stateMgr, 955 RegionBindingsRef b, 956 const Expr *ex, unsigned count, 957 const LocationContext *lctx, 958 InvalidatedSymbols &is, 959 RegionAndSymbolInvalidationTraits &ITraitsIn, 960 StoreManager::InvalidatedRegions *r, 961 GlobalsFilterKind GFK) 962 : ClusterAnalysis<invalidateRegionsWorker>(rm, stateMgr, b, GFK), 963 Ex(ex), Count(count), LCtx(lctx), IS(is), ITraits(ITraitsIn), Regions(r){} 964 965 void VisitCluster(const MemRegion *baseR, const ClusterBindings *C); 966 void VisitBinding(SVal V); 967}; 968} 969 970void invalidateRegionsWorker::VisitBinding(SVal V) { 971 // A symbol? Mark it touched by the invalidation. 972 if (SymbolRef Sym = V.getAsSymbol()) 973 IS.insert(Sym); 974 975 if (const MemRegion *R = V.getAsRegion()) { 976 AddToWorkList(R); 977 return; 978 } 979 980 // Is it a LazyCompoundVal? All references get invalidated as well. 981 if (Optional<nonloc::LazyCompoundVal> LCS = 982 V.getAs<nonloc::LazyCompoundVal>()) { 983 984 const RegionStoreManager::SValListTy &Vals = RM.getInterestingValues(*LCS); 985 986 for (RegionStoreManager::SValListTy::const_iterator I = Vals.begin(), 987 E = Vals.end(); 988 I != E; ++I) 989 VisitBinding(*I); 990 991 return; 992 } 993} 994 995void invalidateRegionsWorker::VisitCluster(const MemRegion *baseR, 996 const ClusterBindings *C) { 997 998 bool PreserveRegionsContents = 999 ITraits.hasTrait(baseR, 1000 RegionAndSymbolInvalidationTraits::TK_PreserveContents); 1001 1002 if (C) { 1003 for (ClusterBindings::iterator I = C->begin(), E = C->end(); I != E; ++I) 1004 VisitBinding(I.getData()); 1005 1006 // Invalidate regions contents. 1007 if (!PreserveRegionsContents) 1008 B = B.remove(baseR); 1009 } 1010 1011 // BlockDataRegion? If so, invalidate captured variables that are passed 1012 // by reference. 1013 if (const BlockDataRegion *BR = dyn_cast<BlockDataRegion>(baseR)) { 1014 for (BlockDataRegion::referenced_vars_iterator 1015 BI = BR->referenced_vars_begin(), BE = BR->referenced_vars_end() ; 1016 BI != BE; ++BI) { 1017 const VarRegion *VR = BI.getCapturedRegion(); 1018 const VarDecl *VD = VR->getDecl(); 1019 if (VD->getAttr<BlocksAttr>() || !VD->hasLocalStorage()) { 1020 AddToWorkList(VR); 1021 } 1022 else if (Loc::isLocType(VR->getValueType())) { 1023 // Map the current bindings to a Store to retrieve the value 1024 // of the binding. If that binding itself is a region, we should 1025 // invalidate that region. This is because a block may capture 1026 // a pointer value, but the thing pointed by that pointer may 1027 // get invalidated. 1028 SVal V = RM.getBinding(B, loc::MemRegionVal(VR)); 1029 if (Optional<Loc> L = V.getAs<Loc>()) { 1030 if (const MemRegion *LR = L->getAsRegion()) 1031 AddToWorkList(LR); 1032 } 1033 } 1034 } 1035 return; 1036 } 1037 1038 // Symbolic region? 1039 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(baseR)) 1040 IS.insert(SR->getSymbol()); 1041 1042 // Nothing else should be done in the case when we preserve regions context. 1043 if (PreserveRegionsContents) 1044 return; 1045 1046 // Otherwise, we have a normal data region. Record that we touched the region. 1047 if (Regions) 1048 Regions->push_back(baseR); 1049 1050 if (isa<AllocaRegion>(baseR) || isa<SymbolicRegion>(baseR)) { 1051 // Invalidate the region by setting its default value to 1052 // conjured symbol. The type of the symbol is irrelevant. 1053 DefinedOrUnknownSVal V = 1054 svalBuilder.conjureSymbolVal(baseR, Ex, LCtx, Ctx.IntTy, Count); 1055 B = B.addBinding(baseR, BindingKey::Default, V); 1056 return; 1057 } 1058 1059 if (!baseR->isBoundable()) 1060 return; 1061 1062 const TypedValueRegion *TR = cast<TypedValueRegion>(baseR); 1063 QualType T = TR->getValueType(); 1064 1065 if (isInitiallyIncludedGlobalRegion(baseR)) { 1066 // If the region is a global and we are invalidating all globals, 1067 // erasing the entry is good enough. This causes all globals to be lazily 1068 // symbolicated from the same base symbol. 1069 return; 1070 } 1071 1072 if (T->isStructureOrClassType()) { 1073 // Invalidate the region by setting its default value to 1074 // conjured symbol. The type of the symbol is irrelevant. 1075 DefinedOrUnknownSVal V = svalBuilder.conjureSymbolVal(baseR, Ex, LCtx, 1076 Ctx.IntTy, Count); 1077 B = B.addBinding(baseR, BindingKey::Default, V); 1078 return; 1079 } 1080 1081 if (const ArrayType *AT = Ctx.getAsArrayType(T)) { 1082 // Set the default value of the array to conjured symbol. 1083 DefinedOrUnknownSVal V = 1084 svalBuilder.conjureSymbolVal(baseR, Ex, LCtx, 1085 AT->getElementType(), Count); 1086 B = B.addBinding(baseR, BindingKey::Default, V); 1087 return; 1088 } 1089 1090 DefinedOrUnknownSVal V = svalBuilder.conjureSymbolVal(baseR, Ex, LCtx, 1091 T,Count); 1092 assert(SymbolManager::canSymbolicate(T) || V.isUnknown()); 1093 B = B.addBinding(baseR, BindingKey::Direct, V); 1094} 1095 1096RegionBindingsRef 1097RegionStoreManager::invalidateGlobalRegion(MemRegion::Kind K, 1098 const Expr *Ex, 1099 unsigned Count, 1100 const LocationContext *LCtx, 1101 RegionBindingsRef B, 1102 InvalidatedRegions *Invalidated) { 1103 // Bind the globals memory space to a new symbol that we will use to derive 1104 // the bindings for all globals. 1105 const GlobalsSpaceRegion *GS = MRMgr.getGlobalsRegion(K); 1106 SVal V = svalBuilder.conjureSymbolVal(/* SymbolTag = */ (const void*) GS, Ex, LCtx, 1107 /* type does not matter */ Ctx.IntTy, 1108 Count); 1109 1110 B = B.removeBinding(GS) 1111 .addBinding(BindingKey::Make(GS, BindingKey::Default), V); 1112 1113 // Even if there are no bindings in the global scope, we still need to 1114 // record that we touched it. 1115 if (Invalidated) 1116 Invalidated->push_back(GS); 1117 1118 return B; 1119} 1120 1121void RegionStoreManager::populateWorkList(invalidateRegionsWorker &W, 1122 ArrayRef<SVal> Values, 1123 InvalidatedRegions *TopLevelRegions) { 1124 for (ArrayRef<SVal>::iterator I = Values.begin(), 1125 E = Values.end(); I != E; ++I) { 1126 SVal V = *I; 1127 if (Optional<nonloc::LazyCompoundVal> LCS = 1128 V.getAs<nonloc::LazyCompoundVal>()) { 1129 1130 const SValListTy &Vals = getInterestingValues(*LCS); 1131 1132 for (SValListTy::const_iterator I = Vals.begin(), 1133 E = Vals.end(); I != E; ++I) { 1134 // Note: the last argument is false here because these are 1135 // non-top-level regions. 1136 if (const MemRegion *R = (*I).getAsRegion()) 1137 W.AddToWorkList(R); 1138 } 1139 continue; 1140 } 1141 1142 if (const MemRegion *R = V.getAsRegion()) { 1143 if (TopLevelRegions) 1144 TopLevelRegions->push_back(R); 1145 W.AddToWorkList(R); 1146 continue; 1147 } 1148 } 1149} 1150 1151StoreRef 1152RegionStoreManager::invalidateRegions(Store store, 1153 ArrayRef<SVal> Values, 1154 const Expr *Ex, unsigned Count, 1155 const LocationContext *LCtx, 1156 const CallEvent *Call, 1157 InvalidatedSymbols &IS, 1158 RegionAndSymbolInvalidationTraits &ITraits, 1159 InvalidatedRegions *TopLevelRegions, 1160 InvalidatedRegions *Invalidated) { 1161 GlobalsFilterKind GlobalsFilter; 1162 if (Call) { 1163 if (Call->isInSystemHeader()) 1164 GlobalsFilter = GFK_SystemOnly; 1165 else 1166 GlobalsFilter = GFK_All; 1167 } else { 1168 GlobalsFilter = GFK_None; 1169 } 1170 1171 RegionBindingsRef B = getRegionBindings(store); 1172 invalidateRegionsWorker W(*this, StateMgr, B, Ex, Count, LCtx, IS, ITraits, 1173 Invalidated, GlobalsFilter); 1174 1175 // Scan the bindings and generate the clusters. 1176 W.GenerateClusters(); 1177 1178 // Add the regions to the worklist. 1179 populateWorkList(W, Values, TopLevelRegions); 1180 1181 W.RunWorkList(); 1182 1183 // Return the new bindings. 1184 B = W.getRegionBindings(); 1185 1186 // For calls, determine which global regions should be invalidated and 1187 // invalidate them. (Note that function-static and immutable globals are never 1188 // invalidated by this.) 1189 // TODO: This could possibly be more precise with modules. 1190 switch (GlobalsFilter) { 1191 case GFK_All: 1192 B = invalidateGlobalRegion(MemRegion::GlobalInternalSpaceRegionKind, 1193 Ex, Count, LCtx, B, Invalidated); 1194 // FALLTHROUGH 1195 case GFK_SystemOnly: 1196 B = invalidateGlobalRegion(MemRegion::GlobalSystemSpaceRegionKind, 1197 Ex, Count, LCtx, B, Invalidated); 1198 // FALLTHROUGH 1199 case GFK_None: 1200 break; 1201 } 1202 1203 return StoreRef(B.asStore(), *this); 1204} 1205 1206//===----------------------------------------------------------------------===// 1207// Extents for regions. 1208//===----------------------------------------------------------------------===// 1209 1210DefinedOrUnknownSVal 1211RegionStoreManager::getSizeInElements(ProgramStateRef state, 1212 const MemRegion *R, 1213 QualType EleTy) { 1214 SVal Size = cast<SubRegion>(R)->getExtent(svalBuilder); 1215 const llvm::APSInt *SizeInt = svalBuilder.getKnownValue(state, Size); 1216 if (!SizeInt) 1217 return UnknownVal(); 1218 1219 CharUnits RegionSize = CharUnits::fromQuantity(SizeInt->getSExtValue()); 1220 1221 if (Ctx.getAsVariableArrayType(EleTy)) { 1222 // FIXME: We need to track extra state to properly record the size 1223 // of VLAs. Returning UnknownVal here, however, is a stop-gap so that 1224 // we don't have a divide-by-zero below. 1225 return UnknownVal(); 1226 } 1227 1228 CharUnits EleSize = Ctx.getTypeSizeInChars(EleTy); 1229 1230 // If a variable is reinterpreted as a type that doesn't fit into a larger 1231 // type evenly, round it down. 1232 // This is a signed value, since it's used in arithmetic with signed indices. 1233 return svalBuilder.makeIntVal(RegionSize / EleSize, false); 1234} 1235 1236//===----------------------------------------------------------------------===// 1237// Location and region casting. 1238//===----------------------------------------------------------------------===// 1239 1240/// ArrayToPointer - Emulates the "decay" of an array to a pointer 1241/// type. 'Array' represents the lvalue of the array being decayed 1242/// to a pointer, and the returned SVal represents the decayed 1243/// version of that lvalue (i.e., a pointer to the first element of 1244/// the array). This is called by ExprEngine when evaluating casts 1245/// from arrays to pointers. 1246SVal RegionStoreManager::ArrayToPointer(Loc Array, QualType T) { 1247 if (!Array.getAs<loc::MemRegionVal>()) 1248 return UnknownVal(); 1249 1250 const MemRegion* R = Array.castAs<loc::MemRegionVal>().getRegion(); 1251 NonLoc ZeroIdx = svalBuilder.makeZeroArrayIndex(); 1252 return loc::MemRegionVal(MRMgr.getElementRegion(T, ZeroIdx, R, Ctx)); 1253} 1254 1255//===----------------------------------------------------------------------===// 1256// Loading values from regions. 1257//===----------------------------------------------------------------------===// 1258 1259SVal RegionStoreManager::getBinding(RegionBindingsConstRef B, Loc L, QualType T) { 1260 assert(!L.getAs<UnknownVal>() && "location unknown"); 1261 assert(!L.getAs<UndefinedVal>() && "location undefined"); 1262 1263 // For access to concrete addresses, return UnknownVal. Checks 1264 // for null dereferences (and similar errors) are done by checkers, not 1265 // the Store. 1266 // FIXME: We can consider lazily symbolicating such memory, but we really 1267 // should defer this when we can reason easily about symbolicating arrays 1268 // of bytes. 1269 if (L.getAs<loc::ConcreteInt>()) { 1270 return UnknownVal(); 1271 } 1272 if (!L.getAs<loc::MemRegionVal>()) { 1273 return UnknownVal(); 1274 } 1275 1276 const MemRegion *MR = L.castAs<loc::MemRegionVal>().getRegion(); 1277 1278 if (isa<AllocaRegion>(MR) || 1279 isa<SymbolicRegion>(MR) || 1280 isa<CodeTextRegion>(MR)) { 1281 if (T.isNull()) { 1282 if (const TypedRegion *TR = dyn_cast<TypedRegion>(MR)) 1283 T = TR->getLocationType(); 1284 else { 1285 const SymbolicRegion *SR = cast<SymbolicRegion>(MR); 1286 T = SR->getSymbol()->getType(); 1287 } 1288 } 1289 MR = GetElementZeroRegion(MR, T); 1290 } 1291 1292 // FIXME: Perhaps this method should just take a 'const MemRegion*' argument 1293 // instead of 'Loc', and have the other Loc cases handled at a higher level. 1294 const TypedValueRegion *R = cast<TypedValueRegion>(MR); 1295 QualType RTy = R->getValueType(); 1296 1297 // FIXME: we do not yet model the parts of a complex type, so treat the 1298 // whole thing as "unknown". 1299 if (RTy->isAnyComplexType()) 1300 return UnknownVal(); 1301 1302 // FIXME: We should eventually handle funny addressing. e.g.: 1303 // 1304 // int x = ...; 1305 // int *p = &x; 1306 // char *q = (char*) p; 1307 // char c = *q; // returns the first byte of 'x'. 1308 // 1309 // Such funny addressing will occur due to layering of regions. 1310 if (RTy->isStructureOrClassType()) 1311 return getBindingForStruct(B, R); 1312 1313 // FIXME: Handle unions. 1314 if (RTy->isUnionType()) 1315 return UnknownVal(); 1316 1317 if (RTy->isArrayType()) { 1318 if (RTy->isConstantArrayType()) 1319 return getBindingForArray(B, R); 1320 else 1321 return UnknownVal(); 1322 } 1323 1324 // FIXME: handle Vector types. 1325 if (RTy->isVectorType()) 1326 return UnknownVal(); 1327 1328 if (const FieldRegion* FR = dyn_cast<FieldRegion>(R)) 1329 return CastRetrievedVal(getBindingForField(B, FR), FR, T, false); 1330 1331 if (const ElementRegion* ER = dyn_cast<ElementRegion>(R)) { 1332 // FIXME: Here we actually perform an implicit conversion from the loaded 1333 // value to the element type. Eventually we want to compose these values 1334 // more intelligently. For example, an 'element' can encompass multiple 1335 // bound regions (e.g., several bound bytes), or could be a subset of 1336 // a larger value. 1337 return CastRetrievedVal(getBindingForElement(B, ER), ER, T, false); 1338 } 1339 1340 if (const ObjCIvarRegion *IVR = dyn_cast<ObjCIvarRegion>(R)) { 1341 // FIXME: Here we actually perform an implicit conversion from the loaded 1342 // value to the ivar type. What we should model is stores to ivars 1343 // that blow past the extent of the ivar. If the address of the ivar is 1344 // reinterpretted, it is possible we stored a different value that could 1345 // fit within the ivar. Either we need to cast these when storing them 1346 // or reinterpret them lazily (as we do here). 1347 return CastRetrievedVal(getBindingForObjCIvar(B, IVR), IVR, T, false); 1348 } 1349 1350 if (const VarRegion *VR = dyn_cast<VarRegion>(R)) { 1351 // FIXME: Here we actually perform an implicit conversion from the loaded 1352 // value to the variable type. What we should model is stores to variables 1353 // that blow past the extent of the variable. If the address of the 1354 // variable is reinterpretted, it is possible we stored a different value 1355 // that could fit within the variable. Either we need to cast these when 1356 // storing them or reinterpret them lazily (as we do here). 1357 return CastRetrievedVal(getBindingForVar(B, VR), VR, T, false); 1358 } 1359 1360 const SVal *V = B.lookup(R, BindingKey::Direct); 1361 1362 // Check if the region has a binding. 1363 if (V) 1364 return *V; 1365 1366 // The location does not have a bound value. This means that it has 1367 // the value it had upon its creation and/or entry to the analyzed 1368 // function/method. These are either symbolic values or 'undefined'. 1369 if (R->hasStackNonParametersStorage()) { 1370 // All stack variables are considered to have undefined values 1371 // upon creation. All heap allocated blocks are considered to 1372 // have undefined values as well unless they are explicitly bound 1373 // to specific values. 1374 return UndefinedVal(); 1375 } 1376 1377 // All other values are symbolic. 1378 return svalBuilder.getRegionValueSymbolVal(R); 1379} 1380 1381static QualType getUnderlyingType(const SubRegion *R) { 1382 QualType RegionTy; 1383 if (const TypedValueRegion *TVR = dyn_cast<TypedValueRegion>(R)) 1384 RegionTy = TVR->getValueType(); 1385 1386 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) 1387 RegionTy = SR->getSymbol()->getType(); 1388 1389 return RegionTy; 1390} 1391 1392/// Checks to see if store \p B has a lazy binding for region \p R. 1393/// 1394/// If \p AllowSubregionBindings is \c false, a lazy binding will be rejected 1395/// if there are additional bindings within \p R. 1396/// 1397/// Note that unlike RegionStoreManager::findLazyBinding, this will not search 1398/// for lazy bindings for super-regions of \p R. 1399static Optional<nonloc::LazyCompoundVal> 1400getExistingLazyBinding(SValBuilder &SVB, RegionBindingsConstRef B, 1401 const SubRegion *R, bool AllowSubregionBindings) { 1402 Optional<SVal> V = B.getDefaultBinding(R); 1403 if (!V) 1404 return None; 1405 1406 Optional<nonloc::LazyCompoundVal> LCV = V->getAs<nonloc::LazyCompoundVal>(); 1407 if (!LCV) 1408 return None; 1409 1410 // If the LCV is for a subregion, the types might not match, and we shouldn't 1411 // reuse the binding. 1412 QualType RegionTy = getUnderlyingType(R); 1413 if (!RegionTy.isNull() && 1414 !RegionTy->isVoidPointerType()) { 1415 QualType SourceRegionTy = LCV->getRegion()->getValueType(); 1416 if (!SVB.getContext().hasSameUnqualifiedType(RegionTy, SourceRegionTy)) 1417 return None; 1418 } 1419 1420 if (!AllowSubregionBindings) { 1421 // If there are any other bindings within this region, we shouldn't reuse 1422 // the top-level binding. 1423 SmallVector<BindingPair, 16> Bindings; 1424 collectSubRegionBindings(Bindings, SVB, *B.lookup(R->getBaseRegion()), R, 1425 /*IncludeAllDefaultBindings=*/true); 1426 if (Bindings.size() > 1) 1427 return None; 1428 } 1429 1430 return *LCV; 1431} 1432 1433 1434std::pair<Store, const SubRegion *> 1435RegionStoreManager::findLazyBinding(RegionBindingsConstRef B, 1436 const SubRegion *R, 1437 const SubRegion *originalRegion) { 1438 if (originalRegion != R) { 1439 if (Optional<nonloc::LazyCompoundVal> V = 1440 getExistingLazyBinding(svalBuilder, B, R, true)) 1441 return std::make_pair(V->getStore(), V->getRegion()); 1442 } 1443 1444 typedef std::pair<Store, const SubRegion *> StoreRegionPair; 1445 StoreRegionPair Result = StoreRegionPair(); 1446 1447 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) { 1448 Result = findLazyBinding(B, cast<SubRegion>(ER->getSuperRegion()), 1449 originalRegion); 1450 1451 if (Result.second) 1452 Result.second = MRMgr.getElementRegionWithSuper(ER, Result.second); 1453 1454 } else if (const FieldRegion *FR = dyn_cast<FieldRegion>(R)) { 1455 Result = findLazyBinding(B, cast<SubRegion>(FR->getSuperRegion()), 1456 originalRegion); 1457 1458 if (Result.second) 1459 Result.second = MRMgr.getFieldRegionWithSuper(FR, Result.second); 1460 1461 } else if (const CXXBaseObjectRegion *BaseReg = 1462 dyn_cast<CXXBaseObjectRegion>(R)) { 1463 // C++ base object region is another kind of region that we should blast 1464 // through to look for lazy compound value. It is like a field region. 1465 Result = findLazyBinding(B, cast<SubRegion>(BaseReg->getSuperRegion()), 1466 originalRegion); 1467 1468 if (Result.second) 1469 Result.second = MRMgr.getCXXBaseObjectRegionWithSuper(BaseReg, 1470 Result.second); 1471 } 1472 1473 return Result; 1474} 1475 1476SVal RegionStoreManager::getBindingForElement(RegionBindingsConstRef B, 1477 const ElementRegion* R) { 1478 // We do not currently model bindings of the CompoundLiteralregion. 1479 if (isa<CompoundLiteralRegion>(R->getBaseRegion())) 1480 return UnknownVal(); 1481 1482 // Check if the region has a binding. 1483 if (const Optional<SVal> &V = B.getDirectBinding(R)) 1484 return *V; 1485 1486 const MemRegion* superR = R->getSuperRegion(); 1487 1488 // Check if the region is an element region of a string literal. 1489 if (const StringRegion *StrR=dyn_cast<StringRegion>(superR)) { 1490 // FIXME: Handle loads from strings where the literal is treated as 1491 // an integer, e.g., *((unsigned int*)"hello") 1492 QualType T = Ctx.getAsArrayType(StrR->getValueType())->getElementType(); 1493 if (!Ctx.hasSameUnqualifiedType(T, R->getElementType())) 1494 return UnknownVal(); 1495 1496 const StringLiteral *Str = StrR->getStringLiteral(); 1497 SVal Idx = R->getIndex(); 1498 if (Optional<nonloc::ConcreteInt> CI = Idx.getAs<nonloc::ConcreteInt>()) { 1499 int64_t i = CI->getValue().getSExtValue(); 1500 // Abort on string underrun. This can be possible by arbitrary 1501 // clients of getBindingForElement(). 1502 if (i < 0) 1503 return UndefinedVal(); 1504 int64_t length = Str->getLength(); 1505 // Technically, only i == length is guaranteed to be null. 1506 // However, such overflows should be caught before reaching this point; 1507 // the only time such an access would be made is if a string literal was 1508 // used to initialize a larger array. 1509 char c = (i >= length) ? '\0' : Str->getCodeUnit(i); 1510 return svalBuilder.makeIntVal(c, T); 1511 } 1512 } 1513 1514 // Check for loads from a code text region. For such loads, just give up. 1515 if (isa<CodeTextRegion>(superR)) 1516 return UnknownVal(); 1517 1518 // Handle the case where we are indexing into a larger scalar object. 1519 // For example, this handles: 1520 // int x = ... 1521 // char *y = &x; 1522 // return *y; 1523 // FIXME: This is a hack, and doesn't do anything really intelligent yet. 1524 const RegionRawOffset &O = R->getAsArrayOffset(); 1525 1526 // If we cannot reason about the offset, return an unknown value. 1527 if (!O.getRegion()) 1528 return UnknownVal(); 1529 1530 if (const TypedValueRegion *baseR = 1531 dyn_cast_or_null<TypedValueRegion>(O.getRegion())) { 1532 QualType baseT = baseR->getValueType(); 1533 if (baseT->isScalarType()) { 1534 QualType elemT = R->getElementType(); 1535 if (elemT->isScalarType()) { 1536 if (Ctx.getTypeSizeInChars(baseT) >= Ctx.getTypeSizeInChars(elemT)) { 1537 if (const Optional<SVal> &V = B.getDirectBinding(superR)) { 1538 if (SymbolRef parentSym = V->getAsSymbol()) 1539 return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R); 1540 1541 if (V->isUnknownOrUndef()) 1542 return *V; 1543 // Other cases: give up. We are indexing into a larger object 1544 // that has some value, but we don't know how to handle that yet. 1545 return UnknownVal(); 1546 } 1547 } 1548 } 1549 } 1550 } 1551 return getBindingForFieldOrElementCommon(B, R, R->getElementType()); 1552} 1553 1554SVal RegionStoreManager::getBindingForField(RegionBindingsConstRef B, 1555 const FieldRegion* R) { 1556 1557 // Check if the region has a binding. 1558 if (const Optional<SVal> &V = B.getDirectBinding(R)) 1559 return *V; 1560 1561 QualType Ty = R->getValueType(); 1562 return getBindingForFieldOrElementCommon(B, R, Ty); 1563} 1564 1565Optional<SVal> 1566RegionStoreManager::getBindingForDerivedDefaultValue(RegionBindingsConstRef B, 1567 const MemRegion *superR, 1568 const TypedValueRegion *R, 1569 QualType Ty) { 1570 1571 if (const Optional<SVal> &D = B.getDefaultBinding(superR)) { 1572 const SVal &val = D.getValue(); 1573 if (SymbolRef parentSym = val.getAsSymbol()) 1574 return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R); 1575 1576 if (val.isZeroConstant()) 1577 return svalBuilder.makeZeroVal(Ty); 1578 1579 if (val.isUnknownOrUndef()) 1580 return val; 1581 1582 // Lazy bindings are usually handled through getExistingLazyBinding(). 1583 // We should unify these two code paths at some point. 1584 if (val.getAs<nonloc::LazyCompoundVal>()) 1585 return val; 1586 1587 llvm_unreachable("Unknown default value"); 1588 } 1589 1590 return None; 1591} 1592 1593SVal RegionStoreManager::getLazyBinding(const SubRegion *LazyBindingRegion, 1594 RegionBindingsRef LazyBinding) { 1595 SVal Result; 1596 if (const ElementRegion *ER = dyn_cast<ElementRegion>(LazyBindingRegion)) 1597 Result = getBindingForElement(LazyBinding, ER); 1598 else 1599 Result = getBindingForField(LazyBinding, 1600 cast<FieldRegion>(LazyBindingRegion)); 1601 1602 // FIXME: This is a hack to deal with RegionStore's inability to distinguish a 1603 // default value for /part/ of an aggregate from a default value for the 1604 // /entire/ aggregate. The most common case of this is when struct Outer 1605 // has as its first member a struct Inner, which is copied in from a stack 1606 // variable. In this case, even if the Outer's default value is symbolic, 0, 1607 // or unknown, it gets overridden by the Inner's default value of undefined. 1608 // 1609 // This is a general problem -- if the Inner is zero-initialized, the Outer 1610 // will now look zero-initialized. The proper way to solve this is with a 1611 // new version of RegionStore that tracks the extent of a binding as well 1612 // as the offset. 1613 // 1614 // This hack only takes care of the undefined case because that can very 1615 // quickly result in a warning. 1616 if (Result.isUndef()) 1617 Result = UnknownVal(); 1618 1619 return Result; 1620} 1621 1622SVal 1623RegionStoreManager::getBindingForFieldOrElementCommon(RegionBindingsConstRef B, 1624 const TypedValueRegion *R, 1625 QualType Ty) { 1626 1627 // At this point we have already checked in either getBindingForElement or 1628 // getBindingForField if 'R' has a direct binding. 1629 1630 // Lazy binding? 1631 Store lazyBindingStore = NULL; 1632 const SubRegion *lazyBindingRegion = NULL; 1633 llvm::tie(lazyBindingStore, lazyBindingRegion) = findLazyBinding(B, R, R); 1634 if (lazyBindingRegion) 1635 return getLazyBinding(lazyBindingRegion, 1636 getRegionBindings(lazyBindingStore)); 1637 1638 // Record whether or not we see a symbolic index. That can completely 1639 // be out of scope of our lookup. 1640 bool hasSymbolicIndex = false; 1641 1642 // FIXME: This is a hack to deal with RegionStore's inability to distinguish a 1643 // default value for /part/ of an aggregate from a default value for the 1644 // /entire/ aggregate. The most common case of this is when struct Outer 1645 // has as its first member a struct Inner, which is copied in from a stack 1646 // variable. In this case, even if the Outer's default value is symbolic, 0, 1647 // or unknown, it gets overridden by the Inner's default value of undefined. 1648 // 1649 // This is a general problem -- if the Inner is zero-initialized, the Outer 1650 // will now look zero-initialized. The proper way to solve this is with a 1651 // new version of RegionStore that tracks the extent of a binding as well 1652 // as the offset. 1653 // 1654 // This hack only takes care of the undefined case because that can very 1655 // quickly result in a warning. 1656 bool hasPartialLazyBinding = false; 1657 1658 const SubRegion *SR = dyn_cast<SubRegion>(R); 1659 while (SR) { 1660 const MemRegion *Base = SR->getSuperRegion(); 1661 if (Optional<SVal> D = getBindingForDerivedDefaultValue(B, Base, R, Ty)) { 1662 if (D->getAs<nonloc::LazyCompoundVal>()) { 1663 hasPartialLazyBinding = true; 1664 break; 1665 } 1666 1667 return *D; 1668 } 1669 1670 if (const ElementRegion *ER = dyn_cast<ElementRegion>(Base)) { 1671 NonLoc index = ER->getIndex(); 1672 if (!index.isConstant()) 1673 hasSymbolicIndex = true; 1674 } 1675 1676 // If our super region is a field or element itself, walk up the region 1677 // hierarchy to see if there is a default value installed in an ancestor. 1678 SR = dyn_cast<SubRegion>(Base); 1679 } 1680 1681 if (R->hasStackNonParametersStorage()) { 1682 if (isa<ElementRegion>(R)) { 1683 // Currently we don't reason specially about Clang-style vectors. Check 1684 // if superR is a vector and if so return Unknown. 1685 if (const TypedValueRegion *typedSuperR = 1686 dyn_cast<TypedValueRegion>(R->getSuperRegion())) { 1687 if (typedSuperR->getValueType()->isVectorType()) 1688 return UnknownVal(); 1689 } 1690 } 1691 1692 // FIXME: We also need to take ElementRegions with symbolic indexes into 1693 // account. This case handles both directly accessing an ElementRegion 1694 // with a symbolic offset, but also fields within an element with 1695 // a symbolic offset. 1696 if (hasSymbolicIndex) 1697 return UnknownVal(); 1698 1699 if (!hasPartialLazyBinding) 1700 return UndefinedVal(); 1701 } 1702 1703 // All other values are symbolic. 1704 return svalBuilder.getRegionValueSymbolVal(R); 1705} 1706 1707SVal RegionStoreManager::getBindingForObjCIvar(RegionBindingsConstRef B, 1708 const ObjCIvarRegion* R) { 1709 // Check if the region has a binding. 1710 if (const Optional<SVal> &V = B.getDirectBinding(R)) 1711 return *V; 1712 1713 const MemRegion *superR = R->getSuperRegion(); 1714 1715 // Check if the super region has a default binding. 1716 if (const Optional<SVal> &V = B.getDefaultBinding(superR)) { 1717 if (SymbolRef parentSym = V->getAsSymbol()) 1718 return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R); 1719 1720 // Other cases: give up. 1721 return UnknownVal(); 1722 } 1723 1724 return getBindingForLazySymbol(R); 1725} 1726 1727SVal RegionStoreManager::getBindingForVar(RegionBindingsConstRef B, 1728 const VarRegion *R) { 1729 1730 // Check if the region has a binding. 1731 if (const Optional<SVal> &V = B.getDirectBinding(R)) 1732 return *V; 1733 1734 // Lazily derive a value for the VarRegion. 1735 const VarDecl *VD = R->getDecl(); 1736 const MemSpaceRegion *MS = R->getMemorySpace(); 1737 1738 // Arguments are always symbolic. 1739 if (isa<StackArgumentsSpaceRegion>(MS)) 1740 return svalBuilder.getRegionValueSymbolVal(R); 1741 1742 // Is 'VD' declared constant? If so, retrieve the constant value. 1743 if (VD->getType().isConstQualified()) 1744 if (const Expr *Init = VD->getInit()) 1745 if (Optional<SVal> V = svalBuilder.getConstantVal(Init)) 1746 return *V; 1747 1748 // This must come after the check for constants because closure-captured 1749 // constant variables may appear in UnknownSpaceRegion. 1750 if (isa<UnknownSpaceRegion>(MS)) 1751 return svalBuilder.getRegionValueSymbolVal(R); 1752 1753 if (isa<GlobalsSpaceRegion>(MS)) { 1754 QualType T = VD->getType(); 1755 1756 // Function-scoped static variables are default-initialized to 0; if they 1757 // have an initializer, it would have been processed by now. 1758 if (isa<StaticGlobalSpaceRegion>(MS)) 1759 return svalBuilder.makeZeroVal(T); 1760 1761 if (Optional<SVal> V = getBindingForDerivedDefaultValue(B, MS, R, T)) { 1762 assert(!V->getAs<nonloc::LazyCompoundVal>()); 1763 return V.getValue(); 1764 } 1765 1766 return svalBuilder.getRegionValueSymbolVal(R); 1767 } 1768 1769 return UndefinedVal(); 1770} 1771 1772SVal RegionStoreManager::getBindingForLazySymbol(const TypedValueRegion *R) { 1773 // All other values are symbolic. 1774 return svalBuilder.getRegionValueSymbolVal(R); 1775} 1776 1777const RegionStoreManager::SValListTy & 1778RegionStoreManager::getInterestingValues(nonloc::LazyCompoundVal LCV) { 1779 // First, check the cache. 1780 LazyBindingsMapTy::iterator I = LazyBindingsMap.find(LCV.getCVData()); 1781 if (I != LazyBindingsMap.end()) 1782 return I->second; 1783 1784 // If we don't have a list of values cached, start constructing it. 1785 SValListTy List; 1786 1787 const SubRegion *LazyR = LCV.getRegion(); 1788 RegionBindingsRef B = getRegionBindings(LCV.getStore()); 1789 1790 // If this region had /no/ bindings at the time, there are no interesting 1791 // values to return. 1792 const ClusterBindings *Cluster = B.lookup(LazyR->getBaseRegion()); 1793 if (!Cluster) 1794 return (LazyBindingsMap[LCV.getCVData()] = llvm_move(List)); 1795 1796 SmallVector<BindingPair, 32> Bindings; 1797 collectSubRegionBindings(Bindings, svalBuilder, *Cluster, LazyR, 1798 /*IncludeAllDefaultBindings=*/true); 1799 for (SmallVectorImpl<BindingPair>::const_iterator I = Bindings.begin(), 1800 E = Bindings.end(); 1801 I != E; ++I) { 1802 SVal V = I->second; 1803 if (V.isUnknownOrUndef() || V.isConstant()) 1804 continue; 1805 1806 if (Optional<nonloc::LazyCompoundVal> InnerLCV = 1807 V.getAs<nonloc::LazyCompoundVal>()) { 1808 const SValListTy &InnerList = getInterestingValues(*InnerLCV); 1809 List.insert(List.end(), InnerList.begin(), InnerList.end()); 1810 continue; 1811 } 1812 1813 List.push_back(V); 1814 } 1815 1816 return (LazyBindingsMap[LCV.getCVData()] = llvm_move(List)); 1817} 1818 1819NonLoc RegionStoreManager::createLazyBinding(RegionBindingsConstRef B, 1820 const TypedValueRegion *R) { 1821 if (Optional<nonloc::LazyCompoundVal> V = 1822 getExistingLazyBinding(svalBuilder, B, R, false)) 1823 return *V; 1824 1825 return svalBuilder.makeLazyCompoundVal(StoreRef(B.asStore(), *this), R); 1826} 1827 1828static bool isRecordEmpty(const RecordDecl *RD) { 1829 if (!RD->field_empty()) 1830 return false; 1831 if (const CXXRecordDecl *CRD = dyn_cast<CXXRecordDecl>(RD)) 1832 return CRD->getNumBases() == 0; 1833 return true; 1834} 1835 1836SVal RegionStoreManager::getBindingForStruct(RegionBindingsConstRef B, 1837 const TypedValueRegion *R) { 1838 const RecordDecl *RD = R->getValueType()->castAs<RecordType>()->getDecl(); 1839 if (!RD->getDefinition() || isRecordEmpty(RD)) 1840 return UnknownVal(); 1841 1842 return createLazyBinding(B, R); 1843} 1844 1845SVal RegionStoreManager::getBindingForArray(RegionBindingsConstRef B, 1846 const TypedValueRegion *R) { 1847 assert(Ctx.getAsConstantArrayType(R->getValueType()) && 1848 "Only constant array types can have compound bindings."); 1849 1850 return createLazyBinding(B, R); 1851} 1852 1853bool RegionStoreManager::includedInBindings(Store store, 1854 const MemRegion *region) const { 1855 RegionBindingsRef B = getRegionBindings(store); 1856 region = region->getBaseRegion(); 1857 1858 // Quick path: if the base is the head of a cluster, the region is live. 1859 if (B.lookup(region)) 1860 return true; 1861 1862 // Slow path: if the region is the VALUE of any binding, it is live. 1863 for (RegionBindingsRef::iterator RI = B.begin(), RE = B.end(); RI != RE; ++RI) { 1864 const ClusterBindings &Cluster = RI.getData(); 1865 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 1866 CI != CE; ++CI) { 1867 const SVal &D = CI.getData(); 1868 if (const MemRegion *R = D.getAsRegion()) 1869 if (R->getBaseRegion() == region) 1870 return true; 1871 } 1872 } 1873 1874 return false; 1875} 1876 1877//===----------------------------------------------------------------------===// 1878// Binding values to regions. 1879//===----------------------------------------------------------------------===// 1880 1881StoreRef RegionStoreManager::killBinding(Store ST, Loc L) { 1882 if (Optional<loc::MemRegionVal> LV = L.getAs<loc::MemRegionVal>()) 1883 if (const MemRegion* R = LV->getRegion()) 1884 return StoreRef(getRegionBindings(ST).removeBinding(R) 1885 .asImmutableMap() 1886 .getRootWithoutRetain(), 1887 *this); 1888 1889 return StoreRef(ST, *this); 1890} 1891 1892RegionBindingsRef 1893RegionStoreManager::bind(RegionBindingsConstRef B, Loc L, SVal V) { 1894 if (L.getAs<loc::ConcreteInt>()) 1895 return B; 1896 1897 // If we get here, the location should be a region. 1898 const MemRegion *R = L.castAs<loc::MemRegionVal>().getRegion(); 1899 1900 // Check if the region is a struct region. 1901 if (const TypedValueRegion* TR = dyn_cast<TypedValueRegion>(R)) { 1902 QualType Ty = TR->getValueType(); 1903 if (Ty->isArrayType()) 1904 return bindArray(B, TR, V); 1905 if (Ty->isStructureOrClassType()) 1906 return bindStruct(B, TR, V); 1907 if (Ty->isVectorType()) 1908 return bindVector(B, TR, V); 1909 } 1910 1911 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) { 1912 // Binding directly to a symbolic region should be treated as binding 1913 // to element 0. 1914 QualType T = SR->getSymbol()->getType(); 1915 if (T->isAnyPointerType() || T->isReferenceType()) 1916 T = T->getPointeeType(); 1917 1918 R = GetElementZeroRegion(SR, T); 1919 } 1920 1921 // Clear out bindings that may overlap with this binding. 1922 RegionBindingsRef NewB = removeSubRegionBindings(B, cast<SubRegion>(R)); 1923 return NewB.addBinding(BindingKey::Make(R, BindingKey::Direct), V); 1924} 1925 1926RegionBindingsRef 1927RegionStoreManager::setImplicitDefaultValue(RegionBindingsConstRef B, 1928 const MemRegion *R, 1929 QualType T) { 1930 SVal V; 1931 1932 if (Loc::isLocType(T)) 1933 V = svalBuilder.makeNull(); 1934 else if (T->isIntegralOrEnumerationType()) 1935 V = svalBuilder.makeZeroVal(T); 1936 else if (T->isStructureOrClassType() || T->isArrayType()) { 1937 // Set the default value to a zero constant when it is a structure 1938 // or array. The type doesn't really matter. 1939 V = svalBuilder.makeZeroVal(Ctx.IntTy); 1940 } 1941 else { 1942 // We can't represent values of this type, but we still need to set a value 1943 // to record that the region has been initialized. 1944 // If this assertion ever fires, a new case should be added above -- we 1945 // should know how to default-initialize any value we can symbolicate. 1946 assert(!SymbolManager::canSymbolicate(T) && "This type is representable"); 1947 V = UnknownVal(); 1948 } 1949 1950 return B.addBinding(R, BindingKey::Default, V); 1951} 1952 1953RegionBindingsRef 1954RegionStoreManager::bindArray(RegionBindingsConstRef B, 1955 const TypedValueRegion* R, 1956 SVal Init) { 1957 1958 const ArrayType *AT =cast<ArrayType>(Ctx.getCanonicalType(R->getValueType())); 1959 QualType ElementTy = AT->getElementType(); 1960 Optional<uint64_t> Size; 1961 1962 if (const ConstantArrayType* CAT = dyn_cast<ConstantArrayType>(AT)) 1963 Size = CAT->getSize().getZExtValue(); 1964 1965 // Check if the init expr is a string literal. 1966 if (Optional<loc::MemRegionVal> MRV = Init.getAs<loc::MemRegionVal>()) { 1967 const StringRegion *S = cast<StringRegion>(MRV->getRegion()); 1968 1969 // Treat the string as a lazy compound value. 1970 StoreRef store(B.asStore(), *this); 1971 nonloc::LazyCompoundVal LCV = svalBuilder.makeLazyCompoundVal(store, S) 1972 .castAs<nonloc::LazyCompoundVal>(); 1973 return bindAggregate(B, R, LCV); 1974 } 1975 1976 // Handle lazy compound values. 1977 if (Init.getAs<nonloc::LazyCompoundVal>()) 1978 return bindAggregate(B, R, Init); 1979 1980 // Remaining case: explicit compound values. 1981 1982 if (Init.isUnknown()) 1983 return setImplicitDefaultValue(B, R, ElementTy); 1984 1985 const nonloc::CompoundVal& CV = Init.castAs<nonloc::CompoundVal>(); 1986 nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end(); 1987 uint64_t i = 0; 1988 1989 RegionBindingsRef NewB(B); 1990 1991 for (; Size.hasValue() ? i < Size.getValue() : true ; ++i, ++VI) { 1992 // The init list might be shorter than the array length. 1993 if (VI == VE) 1994 break; 1995 1996 const NonLoc &Idx = svalBuilder.makeArrayIndex(i); 1997 const ElementRegion *ER = MRMgr.getElementRegion(ElementTy, Idx, R, Ctx); 1998 1999 if (ElementTy->isStructureOrClassType()) 2000 NewB = bindStruct(NewB, ER, *VI); 2001 else if (ElementTy->isArrayType()) 2002 NewB = bindArray(NewB, ER, *VI); 2003 else 2004 NewB = bind(NewB, loc::MemRegionVal(ER), *VI); 2005 } 2006 2007 // If the init list is shorter than the array length, set the 2008 // array default value. 2009 if (Size.hasValue() && i < Size.getValue()) 2010 NewB = setImplicitDefaultValue(NewB, R, ElementTy); 2011 2012 return NewB; 2013} 2014 2015RegionBindingsRef RegionStoreManager::bindVector(RegionBindingsConstRef B, 2016 const TypedValueRegion* R, 2017 SVal V) { 2018 QualType T = R->getValueType(); 2019 assert(T->isVectorType()); 2020 const VectorType *VT = T->getAs<VectorType>(); // Use getAs for typedefs. 2021 2022 // Handle lazy compound values and symbolic values. 2023 if (V.getAs<nonloc::LazyCompoundVal>() || V.getAs<nonloc::SymbolVal>()) 2024 return bindAggregate(B, R, V); 2025 2026 // We may get non-CompoundVal accidentally due to imprecise cast logic or 2027 // that we are binding symbolic struct value. Kill the field values, and if 2028 // the value is symbolic go and bind it as a "default" binding. 2029 if (!V.getAs<nonloc::CompoundVal>()) { 2030 return bindAggregate(B, R, UnknownVal()); 2031 } 2032 2033 QualType ElemType = VT->getElementType(); 2034 nonloc::CompoundVal CV = V.castAs<nonloc::CompoundVal>(); 2035 nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end(); 2036 unsigned index = 0, numElements = VT->getNumElements(); 2037 RegionBindingsRef NewB(B); 2038 2039 for ( ; index != numElements ; ++index) { 2040 if (VI == VE) 2041 break; 2042 2043 NonLoc Idx = svalBuilder.makeArrayIndex(index); 2044 const ElementRegion *ER = MRMgr.getElementRegion(ElemType, Idx, R, Ctx); 2045 2046 if (ElemType->isArrayType()) 2047 NewB = bindArray(NewB, ER, *VI); 2048 else if (ElemType->isStructureOrClassType()) 2049 NewB = bindStruct(NewB, ER, *VI); 2050 else 2051 NewB = bind(NewB, loc::MemRegionVal(ER), *VI); 2052 } 2053 return NewB; 2054} 2055 2056Optional<RegionBindingsRef> 2057RegionStoreManager::tryBindSmallStruct(RegionBindingsConstRef B, 2058 const TypedValueRegion *R, 2059 const RecordDecl *RD, 2060 nonloc::LazyCompoundVal LCV) { 2061 FieldVector Fields; 2062 2063 if (const CXXRecordDecl *Class = dyn_cast<CXXRecordDecl>(RD)) 2064 if (Class->getNumBases() != 0 || Class->getNumVBases() != 0) 2065 return None; 2066 2067 for (RecordDecl::field_iterator I = RD->field_begin(), E = RD->field_end(); 2068 I != E; ++I) { 2069 const FieldDecl *FD = *I; 2070 if (FD->isUnnamedBitfield()) 2071 continue; 2072 2073 // If there are too many fields, or if any of the fields are aggregates, 2074 // just use the LCV as a default binding. 2075 if (Fields.size() == SmallStructLimit) 2076 return None; 2077 2078 QualType Ty = FD->getType(); 2079 if (!(Ty->isScalarType() || Ty->isReferenceType())) 2080 return None; 2081 2082 Fields.push_back(*I); 2083 } 2084 2085 RegionBindingsRef NewB = B; 2086 2087 for (FieldVector::iterator I = Fields.begin(), E = Fields.end(); I != E; ++I){ 2088 const FieldRegion *SourceFR = MRMgr.getFieldRegion(*I, LCV.getRegion()); 2089 SVal V = getBindingForField(getRegionBindings(LCV.getStore()), SourceFR); 2090 2091 const FieldRegion *DestFR = MRMgr.getFieldRegion(*I, R); 2092 NewB = bind(NewB, loc::MemRegionVal(DestFR), V); 2093 } 2094 2095 return NewB; 2096} 2097 2098RegionBindingsRef RegionStoreManager::bindStruct(RegionBindingsConstRef B, 2099 const TypedValueRegion* R, 2100 SVal V) { 2101 if (!Features.supportsFields()) 2102 return B; 2103 2104 QualType T = R->getValueType(); 2105 assert(T->isStructureOrClassType()); 2106 2107 const RecordType* RT = T->getAs<RecordType>(); 2108 const RecordDecl *RD = RT->getDecl(); 2109 2110 if (!RD->isCompleteDefinition()) 2111 return B; 2112 2113 // Handle lazy compound values and symbolic values. 2114 if (Optional<nonloc::LazyCompoundVal> LCV = 2115 V.getAs<nonloc::LazyCompoundVal>()) { 2116 if (Optional<RegionBindingsRef> NewB = tryBindSmallStruct(B, R, RD, *LCV)) 2117 return *NewB; 2118 return bindAggregate(B, R, V); 2119 } 2120 if (V.getAs<nonloc::SymbolVal>()) 2121 return bindAggregate(B, R, V); 2122 2123 // We may get non-CompoundVal accidentally due to imprecise cast logic or 2124 // that we are binding symbolic struct value. Kill the field values, and if 2125 // the value is symbolic go and bind it as a "default" binding. 2126 if (V.isUnknown() || !V.getAs<nonloc::CompoundVal>()) 2127 return bindAggregate(B, R, UnknownVal()); 2128 2129 const nonloc::CompoundVal& CV = V.castAs<nonloc::CompoundVal>(); 2130 nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end(); 2131 2132 RecordDecl::field_iterator FI, FE; 2133 RegionBindingsRef NewB(B); 2134 2135 for (FI = RD->field_begin(), FE = RD->field_end(); FI != FE; ++FI) { 2136 2137 if (VI == VE) 2138 break; 2139 2140 // Skip any unnamed bitfields to stay in sync with the initializers. 2141 if (FI->isUnnamedBitfield()) 2142 continue; 2143 2144 QualType FTy = FI->getType(); 2145 const FieldRegion* FR = MRMgr.getFieldRegion(*FI, R); 2146 2147 if (FTy->isArrayType()) 2148 NewB = bindArray(NewB, FR, *VI); 2149 else if (FTy->isStructureOrClassType()) 2150 NewB = bindStruct(NewB, FR, *VI); 2151 else 2152 NewB = bind(NewB, loc::MemRegionVal(FR), *VI); 2153 ++VI; 2154 } 2155 2156 // There may be fewer values in the initialize list than the fields of struct. 2157 if (FI != FE) { 2158 NewB = NewB.addBinding(R, BindingKey::Default, 2159 svalBuilder.makeIntVal(0, false)); 2160 } 2161 2162 return NewB; 2163} 2164 2165RegionBindingsRef 2166RegionStoreManager::bindAggregate(RegionBindingsConstRef B, 2167 const TypedRegion *R, 2168 SVal Val) { 2169 // Remove the old bindings, using 'R' as the root of all regions 2170 // we will invalidate. Then add the new binding. 2171 return removeSubRegionBindings(B, R).addBinding(R, BindingKey::Default, Val); 2172} 2173 2174//===----------------------------------------------------------------------===// 2175// State pruning. 2176//===----------------------------------------------------------------------===// 2177 2178namespace { 2179class removeDeadBindingsWorker : 2180 public ClusterAnalysis<removeDeadBindingsWorker> { 2181 SmallVector<const SymbolicRegion*, 12> Postponed; 2182 SymbolReaper &SymReaper; 2183 const StackFrameContext *CurrentLCtx; 2184 2185public: 2186 removeDeadBindingsWorker(RegionStoreManager &rm, 2187 ProgramStateManager &stateMgr, 2188 RegionBindingsRef b, SymbolReaper &symReaper, 2189 const StackFrameContext *LCtx) 2190 : ClusterAnalysis<removeDeadBindingsWorker>(rm, stateMgr, b, GFK_None), 2191 SymReaper(symReaper), CurrentLCtx(LCtx) {} 2192 2193 // Called by ClusterAnalysis. 2194 void VisitAddedToCluster(const MemRegion *baseR, const ClusterBindings &C); 2195 void VisitCluster(const MemRegion *baseR, const ClusterBindings *C); 2196 using ClusterAnalysis<removeDeadBindingsWorker>::VisitCluster; 2197 2198 bool UpdatePostponed(); 2199 void VisitBinding(SVal V); 2200}; 2201} 2202 2203void removeDeadBindingsWorker::VisitAddedToCluster(const MemRegion *baseR, 2204 const ClusterBindings &C) { 2205 2206 if (const VarRegion *VR = dyn_cast<VarRegion>(baseR)) { 2207 if (SymReaper.isLive(VR)) 2208 AddToWorkList(baseR, &C); 2209 2210 return; 2211 } 2212 2213 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(baseR)) { 2214 if (SymReaper.isLive(SR->getSymbol())) 2215 AddToWorkList(SR, &C); 2216 else 2217 Postponed.push_back(SR); 2218 2219 return; 2220 } 2221 2222 if (isa<NonStaticGlobalSpaceRegion>(baseR)) { 2223 AddToWorkList(baseR, &C); 2224 return; 2225 } 2226 2227 // CXXThisRegion in the current or parent location context is live. 2228 if (const CXXThisRegion *TR = dyn_cast<CXXThisRegion>(baseR)) { 2229 const StackArgumentsSpaceRegion *StackReg = 2230 cast<StackArgumentsSpaceRegion>(TR->getSuperRegion()); 2231 const StackFrameContext *RegCtx = StackReg->getStackFrame(); 2232 if (CurrentLCtx && 2233 (RegCtx == CurrentLCtx || RegCtx->isParentOf(CurrentLCtx))) 2234 AddToWorkList(TR, &C); 2235 } 2236} 2237 2238void removeDeadBindingsWorker::VisitCluster(const MemRegion *baseR, 2239 const ClusterBindings *C) { 2240 if (!C) 2241 return; 2242 2243 // Mark the symbol for any SymbolicRegion with live bindings as live itself. 2244 // This means we should continue to track that symbol. 2245 if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(baseR)) 2246 SymReaper.markLive(SymR->getSymbol()); 2247 2248 for (ClusterBindings::iterator I = C->begin(), E = C->end(); I != E; ++I) 2249 VisitBinding(I.getData()); 2250} 2251 2252void removeDeadBindingsWorker::VisitBinding(SVal V) { 2253 // Is it a LazyCompoundVal? All referenced regions are live as well. 2254 if (Optional<nonloc::LazyCompoundVal> LCS = 2255 V.getAs<nonloc::LazyCompoundVal>()) { 2256 2257 const RegionStoreManager::SValListTy &Vals = RM.getInterestingValues(*LCS); 2258 2259 for (RegionStoreManager::SValListTy::const_iterator I = Vals.begin(), 2260 E = Vals.end(); 2261 I != E; ++I) 2262 VisitBinding(*I); 2263 2264 return; 2265 } 2266 2267 // If V is a region, then add it to the worklist. 2268 if (const MemRegion *R = V.getAsRegion()) { 2269 AddToWorkList(R); 2270 2271 // All regions captured by a block are also live. 2272 if (const BlockDataRegion *BR = dyn_cast<BlockDataRegion>(R)) { 2273 BlockDataRegion::referenced_vars_iterator I = BR->referenced_vars_begin(), 2274 E = BR->referenced_vars_end(); 2275 for ( ; I != E; ++I) 2276 AddToWorkList(I.getCapturedRegion()); 2277 } 2278 } 2279 2280 2281 // Update the set of live symbols. 2282 for (SymExpr::symbol_iterator SI = V.symbol_begin(), SE = V.symbol_end(); 2283 SI!=SE; ++SI) 2284 SymReaper.markLive(*SI); 2285} 2286 2287bool removeDeadBindingsWorker::UpdatePostponed() { 2288 // See if any postponed SymbolicRegions are actually live now, after 2289 // having done a scan. 2290 bool changed = false; 2291 2292 for (SmallVectorImpl<const SymbolicRegion*>::iterator 2293 I = Postponed.begin(), E = Postponed.end() ; I != E ; ++I) { 2294 if (const SymbolicRegion *SR = *I) { 2295 if (SymReaper.isLive(SR->getSymbol())) { 2296 changed |= AddToWorkList(SR); 2297 *I = NULL; 2298 } 2299 } 2300 } 2301 2302 return changed; 2303} 2304 2305StoreRef RegionStoreManager::removeDeadBindings(Store store, 2306 const StackFrameContext *LCtx, 2307 SymbolReaper& SymReaper) { 2308 RegionBindingsRef B = getRegionBindings(store); 2309 removeDeadBindingsWorker W(*this, StateMgr, B, SymReaper, LCtx); 2310 W.GenerateClusters(); 2311 2312 // Enqueue the region roots onto the worklist. 2313 for (SymbolReaper::region_iterator I = SymReaper.region_begin(), 2314 E = SymReaper.region_end(); I != E; ++I) { 2315 W.AddToWorkList(*I); 2316 } 2317 2318 do W.RunWorkList(); while (W.UpdatePostponed()); 2319 2320 // We have now scanned the store, marking reachable regions and symbols 2321 // as live. We now remove all the regions that are dead from the store 2322 // as well as update DSymbols with the set symbols that are now dead. 2323 for (RegionBindingsRef::iterator I = B.begin(), E = B.end(); I != E; ++I) { 2324 const MemRegion *Base = I.getKey(); 2325 2326 // If the cluster has been visited, we know the region has been marked. 2327 if (W.isVisited(Base)) 2328 continue; 2329 2330 // Remove the dead entry. 2331 B = B.remove(Base); 2332 2333 if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(Base)) 2334 SymReaper.maybeDead(SymR->getSymbol()); 2335 2336 // Mark all non-live symbols that this binding references as dead. 2337 const ClusterBindings &Cluster = I.getData(); 2338 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 2339 CI != CE; ++CI) { 2340 SVal X = CI.getData(); 2341 SymExpr::symbol_iterator SI = X.symbol_begin(), SE = X.symbol_end(); 2342 for (; SI != SE; ++SI) 2343 SymReaper.maybeDead(*SI); 2344 } 2345 } 2346 2347 return StoreRef(B.asStore(), *this); 2348} 2349 2350//===----------------------------------------------------------------------===// 2351// Utility methods. 2352//===----------------------------------------------------------------------===// 2353 2354void RegionStoreManager::print(Store store, raw_ostream &OS, 2355 const char* nl, const char *sep) { 2356 RegionBindingsRef B = getRegionBindings(store); 2357 OS << "Store (direct and default bindings), " 2358 << B.asStore() 2359 << " :" << nl; 2360 B.dump(OS, nl); 2361} 2362