1846eabd187be4bfe992e8bca131166b734d86e0dTed Kremenek// SValBuilder.cpp - Basic class for all SValBuilder implementations -*- C++ -*- 232c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek// 332c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek// The LLVM Compiler Infrastructure 432c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek// 532c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek// This file is distributed under the University of Illinois Open Source 632c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek// License. See LICENSE.TXT for details. 732c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek// 832c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek//===----------------------------------------------------------------------===// 932c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek// 10846eabd187be4bfe992e8bca131166b734d86e0dTed Kremenek// This file defines SValBuilder, the base class for all (complete) SValBuilder 1132c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek// implementations. 
1232c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek// 1332c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek//===----------------------------------------------------------------------===// 1432c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek 1555fc873017f10f6f566b182b70f6fc22aefa3464Chandler Carruth#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" 1610f77ad7fc5e5cf3f37a9b14ff5843468b8b84d2Ted Kremenek#include "clang/AST/DeclCXX.h" 1755fc873017f10f6f566b182b70f6fc22aefa3464Chandler Carruth#include "clang/AST/ExprCXX.h" 1855fc873017f10f6f566b182b70f6fc22aefa3464Chandler Carruth#include "clang/StaticAnalyzer/Core/PathSensitive/BasicValueFactory.h" 199b663716449b618ba0390b1dbebc54fa8e971124Ted Kremenek#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" 2018c66fdc3c4008d335885695fe36fb5353c5f672Ted Kremenek#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 2155fc873017f10f6f566b182b70f6fc22aefa3464Chandler Carruth#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 2232c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek 2332c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenekusing namespace clang; 249ef6537a894c33003359b1f9b9676e9178e028b7Ted Kremenekusing namespace ento; 2532c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek 26c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek//===----------------------------------------------------------------------===// 27c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek// Basic SVal creation. 
//===----------------------------------------------------------------------===//

/// Intentionally empty. Presumably the out-of-line definition that pins
/// SValBuilder's vtable to this translation unit (the usual LLVM 'anchor'
/// convention) -- confirm against the class declaration.
void SValBuilder::anchor() {}

/// Build the zero value for \p type.
///
/// \returns the null location for location types, the integer constant 0 typed
/// as \p type for integral and enumeration types, and UnknownVal for any other
/// type (floats and structs are not handled yet, see the FIXMEs).
DefinedOrUnknownSVal SValBuilder::makeZeroVal(QualType type) {
  if (Loc::isLocType(type)) {
    return makeNull();
  }

  if (type->isIntegralOrEnumerationType()) {
    return makeIntVal(0, type);
  }

  // FIXME: Handle floats.
  // FIXME: Handle structs.
  return UnknownVal();
}

/// Wrap the symbolic expression "lhs op rhs" (symbol on the left, integer
/// constant on the right) in a nonloc::SymbolVal.
///
/// \p lhs must be non-null and \p type must not be a location type; both are
/// checked with assert only, i.e. not in builds where asserts are disabled.
NonLoc SValBuilder::makeNonLoc(const SymExpr *lhs, BinaryOperator::Opcode op,
                               const llvm::APSInt &rhs, QualType type) {
  // The Environment ensures we always get a persistent APSInt in
  // BasicValueFactory, so we don't need to get the APSInt from
  // BasicValueFactory again.
  assert(lhs);
  assert(!Loc::isLocType(type));

  const SymExpr *Combined = SymMgr.getSymIntExpr(lhs, op, rhs, type);
  return nonloc::SymbolVal(Combined);
}

/// Wrap the symbolic expression "lhs op rhs" (integer constant on the left,
/// symbol on the right) in a nonloc::SymbolVal.
///
/// \p rhs must be non-null and \p type must not be a location type; both are
/// checked with assert only.
NonLoc SValBuilder::makeNonLoc(const llvm::APSInt &lhs,
                               BinaryOperator::Opcode op, const SymExpr *rhs,
                               QualType type) {
  assert(rhs);
  assert(!Loc::isLocType(type));

  const SymExpr *Combined = SymMgr.getIntSymExpr(lhs, op, rhs, type);
  return nonloc::SymbolVal(Combined);
}

/// Wrap the symbolic expression "lhs op rhs" (symbols on both sides) in a
/// nonloc::SymbolVal.
///
/// Both operands must be non-null and \p type must not be a location type;
/// both conditions are checked with assert only.
NonLoc SValBuilder::makeNonLoc(const SymExpr *lhs, BinaryOperator::Opcode op,
                               const SymExpr *rhs, QualType type) {
  assert(lhs && rhs);
  assert(!Loc::isLocType(type));

  const SymExpr *Combined = SymMgr.getSymSymExpr(lhs, op, rhs, type);
  return nonloc::SymbolVal(Combined);
}

/// Wrap a cast of \p operand from \p fromTy to \p toTy in a
/// nonloc::SymbolVal.
///
/// \p operand must be non-null and \p toTy must not be a location type; both
/// are checked with assert only.
NonLoc SValBuilder::makeNonLoc(const SymExpr *operand,
                               QualType fromTy, QualType toTy) {
  assert(operand);
  assert(!Loc::isLocType(toTy));

  const SymExpr *CastSym = SymMgr.getCastSymbol(operand, fromTy, toTy);
  return nonloc::SymbolVal(CastSym);
}

/// Convert \p val to the array index type.
///
/// Unknown and undefined values are returned unchanged, as is a concrete
/// integer that is already signed and ArrayIndexWidth bits wide. Every other
/// value is reinterpreted with castAs<NonLoc>() and cast to ArrayIndexTy, so
/// callers are expected to pass a non-location value.
SVal SValBuilder::convertToArrayIndex(SVal val) {
  if (val.isUnknownOrUndef()) {
    return val;
  }

  // Common case: we have an appropriately sized integer.
  if (Optional<nonloc::ConcreteInt> Concrete =
          val.getAs<nonloc::ConcreteInt>()) {
    const llvm::APSInt &Index = Concrete->getValue();
    const bool AlreadyIndexTyped =
        Index.getBitWidth() == ArrayIndexWidth && Index.isSigned();
    if (AlreadyIndexTyped) {
      return val;
    }
  }

  return evalCastFromNonLoc(val.castAs<NonLoc>(), ArrayIndexTy);
}

/// Build the truth value for a C++ boolean literal.
nonloc::ConcreteInt SValBuilder::makeBoolVal(const CXXBoolLiteralExpr *boolean) {
  const bool Literal = boolean->getValue();
  return makeTruthVal(Literal);
}

/// Return the symbolic value that stands for the contents of \p region.
///
/// \returns UnknownVal when the region's value type cannot be symbolicated, a
/// symbolic memory region for location types, and a plain symbol otherwise.
DefinedOrUnknownSVal
SValBuilder::getRegionValueSymbolVal(const TypedValueRegion *region) {
  const QualType ValueTy = region->getValueType();

  if (!SymbolManager::canSymbolicate(ValueTy)) {
    return UnknownVal();
  }

  SymbolRef Sym = SymMgr.getRegionValueSymbol(region);

  if (!Loc::isLocType(ValueTy)) {
    return nonloc::SymbolVal(Sym);
  }

  return loc::MemRegionVal(MemMgr.getSymbolicRegion(Sym));
}

/// Conjure a symbolic value for \p Ex, deriving the result type from the
/// expression and forwarding to the overload that takes an explicit type.
DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const void *SymbolTag,
                                                   const Expr *Ex,
                                                   const LocationContext *LCtx,
                                                   unsigned Count) {
  // Compute the type of the result. If the expression is not an R-value, the
  // result should be a location.
  const QualType ExType = Ex->getType();
  QualType ResultTy = ExType;
  if (Ex->isGLValue()) {
    ASTContext &ASTCtx = LCtx->getAnalysisDeclContext()->getASTContext();
    ResultTy = ASTCtx.getPointerType(ExType);
  }

  return conjureSymbolVal(SymbolTag, Ex, LCtx, ResultTy, Count);
}

/// Conjure a symbolic value of type \p type for \p expr, distinguished by
/// \p symbolTag and \p count.
///
/// \returns UnknownVal when \p type cannot be symbolicated, a symbolic memory
/// region for location types, and a plain symbol otherwise.
DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const void *symbolTag,
                                                   const Expr *expr,
                                                   const LocationContext *LCtx,
                                                   QualType type,
                                                   unsigned count) {
  if (!SymbolManager::canSymbolicate(type)) {
    return UnknownVal();
  }

  SymbolRef Sym = SymMgr.conjureSymbol(expr, LCtx, type, count, symbolTag);

  if (!Loc::isLocType(type)) {
    return nonloc::SymbolVal(Sym);
  }

  return loc::MemRegionVal(MemMgr.getSymbolicRegion(Sym));
}

/// Conjure a symbolic value of type \p type for the statement \p stmt; no
/// symbol tag is passed in this variant.
///
/// \returns UnknownVal when \p type cannot be symbolicated, a symbolic memory
/// region for location types, and a plain symbol otherwise.
DefinedOrUnknownSVal
SValBuilder::conjureSymbolVal(const Stmt *stmt,
                              const LocationContext *LCtx,
                              QualType type,
                              unsigned visitCount) {
  if (!SymbolManager::canSymbolicate(type)) {
    return UnknownVal();
  }

  SymbolRef Sym = SymMgr.conjureSymbol(stmt, LCtx, type, visitCount);

  if (!Loc::isLocType(type)) {
    return nonloc::SymbolVal(Sym);
  }

  return loc::MemRegionVal(MemMgr.getSymbolicRegion(Sym));
}

/// Conjure a symbol for \p E and return it as a symbolic heap region.
///
/// The type of \p E must be a location type that can be symbolicated. Both
/// conditions are checked with assert only; there is no fallback value when
/// asserts are compiled out.
DefinedOrUnknownSVal
SValBuilder::getConjuredHeapSymbolVal(const Expr *E,
                                      const LocationContext *LCtx,
                                      unsigned VisitCount) {
  const QualType PtrTy = E->getType();
  assert(Loc::isLocType(PtrTy));
  assert(SymbolManager::canSymbolicate(PtrTy));

  SymbolRef Sym = SymMgr.conjureSymbol(E, LCtx, PtrTy, VisitCount);
  return loc::MemRegionVal(MemMgr.getSymbolicHeapRegion(Sym));
}

/// Return a metadata symbol value of type \p type attached to \p region.
///
/// \p type must be symbolicatable (assert only). \returns a symbolic memory
/// region for location types and a plain symbol otherwise.
DefinedSVal SValBuilder::getMetadataSymbolVal(const void *symbolTag,
                                              const MemRegion *region,
                                              const Expr *expr, QualType type,
                                              unsigned count) {
  assert(SymbolManager::canSymbolicate(type) && "Invalid metadata symbol type");

  SymbolRef Sym =
      SymMgr.getMetadataSymbol(region, expr, type, count, symbolTag);

  if (!Loc::isLocType(type)) {
    return nonloc::SymbolVal(Sym);
  }

  return loc::MemRegionVal(MemMgr.getSymbolicRegion(Sym));
}

/// Return the value of \p region as a symbol derived from \p parentSymbol.
///
/// \returns UnknownVal when the region's value type cannot be symbolicated, a
/// symbolic memory region for location types, and a plain symbol otherwise.
DefinedOrUnknownSVal
SValBuilder::getDerivedRegionValueSymbolVal(SymbolRef parentSymbol,
                                            const TypedValueRegion *region) {
  const QualType ValueTy = region->getValueType();

  if (!SymbolManager::canSymbolicate(ValueTy)) {
    return UnknownVal();
  }

  SymbolRef Sym = SymMgr.getDerivedSymbol(parentSymbol, region);

  if (!Loc::isLocType(ValueTy)) {
    return nonloc::SymbolVal(Sym);
  }

  return loc::MemRegionVal(MemMgr.getSymbolicRegion(Sym));
}

/// Return the location value of the function text region for \p func.
DefinedSVal SValBuilder::getFunctionPointer(const FunctionDecl *func) {
  const MemRegion *TextRegion = MemMgr.getFunctionTextRegion(func);
  return loc::MemRegionVal(TextRegion);
}

/// Return the location value of the block data region built for \p block in
/// \p locContext, using \p blockCount to distinguish instances.
DefinedSVal SValBuilder::getBlockPointer(const BlockDecl *block,
                                         CanQualType locTy,
                                         const LocationContext *locContext,
                                         unsigned blockCount) {
  const BlockTextRegion *CodeRegion = MemMgr.getBlockTextRegion(
      block, locTy, locContext->getAnalysisDeclContext());
  const BlockDataRegion *DataRegion =
      MemMgr.getBlockDataRegion(CodeRegion, locContext, blockCount);
  return loc::MemRegionVal(DataRegion);
}

/// Return a memory region for the 'this' object reference.
///
/// The pointer type is taken from the method declaration \p D.
loc::MemRegionVal SValBuilder::getCXXThis(const CXXMethodDecl *D,
                                          const StackFrameContext *SFC) {
  const QualType ThisTy = D->getThisType(getContext());
  return loc::MemRegionVal(getRegionManager().getCXXThisRegion(ThisTy, SFC));
}

/// Return a memory region for the 'this' object reference.
///
/// The pointer type is built as a pointer to the unqualified record type of
/// \p D.
loc::MemRegionVal SValBuilder::getCXXThis(const CXXRecordDecl *D,
                                          const StackFrameContext *SFC) {
  const QualType ThisTy =
      getContext().getPointerType(QualType(D->getTypeForDecl(), 0));
  return loc::MemRegionVal(getRegionManager().getCXXThisRegion(ThisTy, SFC));
}

/// Try to produce a value for \p E from the expression alone.
///
/// Parentheses are ignored. A few expression classes are handled directly,
/// either because the analyzer models them differently from the AST's constant
/// evaluator or as a fast path; everything else goes to the AST's integer
/// constant evaluator.
///
/// \returns None when no value could be produced.
Optional<SVal> SValBuilder::getConstantVal(const Expr *E) {
  E = E->IgnoreParens();

  switch (E->getStmtClass()) {
  // Handle expressions that we treat differently from the AST's constant
  // evaluator.
  case Stmt::AddrLabelExprClass:
    return makeLoc(cast<AddrLabelExpr>(E));

  case Stmt::CXXScalarValueInitExprClass:
  case Stmt::ImplicitValueInitExprClass:
    return makeZeroVal(E->getType());

  case Stmt::ObjCStringLiteralClass: {
    const ObjCStringLiteral *ObjCStr = cast<ObjCStringLiteral>(E);
    return makeLoc(getRegionManager().getObjCStringRegion(ObjCStr));
  }

  case Stmt::StringLiteralClass: {
    const StringLiteral *Str = cast<StringLiteral>(E);
    return makeLoc(getRegionManager().getStringRegion(Str));
  }

  // Fast-path some expressions to avoid the overhead of going through the AST's
  // constant evaluator
  case Stmt::CharacterLiteralClass: {
    const CharacterLiteral *CharLit = cast<CharacterLiteral>(E);
    return makeIntVal(CharLit->getValue(), CharLit->getType());
  }

  case Stmt::CXXBoolLiteralExprClass:
    return makeBoolVal(cast<CXXBoolLiteralExpr>(E));

  case Stmt::IntegerLiteralClass:
    return makeIntVal(cast<IntegerLiteral>(E));

  case Stmt::ObjCBoolLiteralExprClass:
    return makeBoolVal(cast<ObjCBoolLiteralExpr>(E));

  case Stmt::CXXNullPtrLiteralExprClass:
    return makeNull();

  case Stmt::ImplicitCastExprClass: {
    const CastExpr *Cast = cast<CastExpr>(E);
    if (Cast->getCastKind() == CK_ArrayToPointerDecay) {
      // Only array-to-pointer decay is modelled here: evaluate the array
      // operand and cast the result to the decayed pointer type.
      const Expr *Operand = Cast->getSubExpr();
      Optional<SVal> ArrayVal = getConstantVal(Operand);
      if (!ArrayVal) {
        return None;
      }
      return evalCast(*ArrayVal, Cast->getType(), Operand->getType());
    }
    // Any other implicit cast is handled by the default case below.
    // FALLTHROUGH
  }

  // If we don't have a special case, fall back to the AST's constant evaluator.
  default: {
    // Don't try to come up with a value for materialized temporaries.
    if (E->isGLValue()) {
      return None;
    }

    ASTContext &Ctx = getContext();
    llvm::APSInt IntResult;
    if (E->EvaluateAsInt(IntResult, Ctx)) {
      return makeIntVal(IntResult);
    }

    if (Loc::isLocType(E->getType()) &&
        E->isNullPointerConstant(Ctx, Expr::NPC_ValueDependentIsNotNull)) {
      return makeNull();
    }

    return None;
  }
  }
}

//===----------------------------------------------------------------------===//

/// Build a symbolic expression for "LHS Op RHS" on two non-location operands.
///
/// An expression is only built when at least one operand is tainted in
/// \p State; otherwise the result is UnknownVal. Operands whose symbolic
/// complexity reaches the cap below also yield UnknownVal, and, as the TODO
/// notes, no taint information is propagated to that result, so taint
/// tracking stops at this expression.
SVal SValBuilder::makeSymExprValNN(ProgramStateRef State,
                                   BinaryOperator::Opcode Op,
                                   NonLoc LHS, NonLoc RHS,
                                   QualType ResultTy) {
  if (!(State->isTainted(RHS) || State->isTainted(LHS))) {
    return UnknownVal();
  }

  const SymExpr *LeftSym = LHS.getAsSymExpr();
  const SymExpr *RightSym = RHS.getAsSymExpr();
  // TODO: When the Max Complexity is reached, we should conjure a symbol
  // instead of generating an Unknown value and propagate the taint info to it.
  const unsigned MaxComp = 10000; // 100000 28X

  // Symbol op symbol: the combined complexity has to stay under the cap.
  if (LeftSym && RightSym &&
      (LeftSym->computeComplexity() + RightSym->computeComplexity()) <
          MaxComp) {
    return makeNonLoc(LeftSym, Op, RightSym, ResultTy);
  }

  // Symbol op concrete integer.
  if (LeftSym && LeftSym->computeComplexity() < MaxComp) {
    if (Optional<nonloc::ConcreteInt> RightInt =
            RHS.getAs<nonloc::ConcreteInt>()) {
      return makeNonLoc(LeftSym, Op, RightInt->getValue(), ResultTy);
    }
  }

  // Concrete integer op symbol.
  if (RightSym && RightSym->computeComplexity() < MaxComp) {
    if (Optional<nonloc::ConcreteInt> LeftInt =
            LHS.getAs<nonloc::ConcreteInt>()) {
      return makeNonLoc(LeftInt->getValue(), Op, RightSym, ResultTy);
    }
  }

  return UnknownVal();
}


/// Evaluate "lhs op rhs" by dispatching on whether each operand is a location.
///
/// An undefined operand yields UndefinedVal and an unknown operand yields
/// UnknownVal, with the undefined check taking precedence. When only the right
/// operand is a location the operands are commuted; that case is expected to
/// be BO_Add, which is checked with assert only.
SVal SValBuilder::evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op,
                            SVal lhs, SVal rhs, QualType type) {

  if (lhs.isUndef() || rhs.isUndef()) {
    return UndefinedVal();
  }

  if (lhs.isUnknown() || rhs.isUnknown()) {
    return UnknownVal();
  }

  Optional<Loc> LeftLoc = lhs.getAs<Loc>();
  Optional<Loc> RightLoc = rhs.getAs<Loc>();

  if (LeftLoc && RightLoc) {
    return evalBinOpLL(state, op, *LeftLoc, *RightLoc, type);
  }

  if (LeftLoc) {
    return evalBinOpLN(state, op, *LeftLoc, rhs.castAs<NonLoc>(), type);
  }

  if (RightLoc) {
    // Support pointer arithmetic where the addend is on the left
    // and the pointer on the right.
    assert(op == BO_Add);

    // Commute the operands.
    return evalBinOpLN(state, op, *RightLoc, lhs.castAs<NonLoc>(), type);
  }

  return evalBinOpNN(state, op, lhs.castAs<NonLoc>(), rhs.castAs<NonLoc>(),
                     type);
}

/// Evaluate "lhs == rhs" in \p state, using the condition type as the result
/// type.
DefinedOrUnknownSVal SValBuilder::evalEQ(ProgramStateRef state,
                                         DefinedOrUnknownSVal lhs,
                                         DefinedOrUnknownSVal rhs) {
  SVal Compared = evalBinOp(state, BO_EQ, lhs, rhs, getConditionType());
  return Compared.castAs<DefinedOrUnknownSVal>();
}

/// Recursively check if the pointer types are equal modulo const, volatile,
/// and restrict qualifiers. Also, assume that all types are similar to 'void'.
/// Assumes the input types are canonical.
/// \returns true when a cast from \p FromTy to \p ToTy can reuse the source
/// value unchanged: after the similar pointer levels are unwrapped, the
/// remaining 'To' type is void or the two remaining types are identical.
/// Returns false as soon as the non-CVR qualifiers differ at some level.
static bool shouldBeModeledWithNoOp(ASTContext &Context, QualType ToTy,
                                    QualType FromTy) {
  // Each iteration replaces ToTy/FromTy with the types left after the call to
  // UnwrapSimilarPointerTypes (presumably one pointer level deeper -- confirm
  // against ASTContext).
  while (Context.UnwrapSimilarPointerTypes(ToTy, FromTy)) {
    Qualifiers Quals1, Quals2;
    ToTy = Context.getUnqualifiedArrayType(ToTy, Quals1);
    FromTy = Context.getUnqualifiedArrayType(FromTy, Quals2);

    // Make sure that the non-CVR qualifiers (e.g., address spaces) are
    // identical.
    Quals1.removeCVRQualifiers();
    Quals2.removeCVRQualifiers();
    if (Quals1 != Quals2)
      return false;
  }

  // If we are casting to void, the 'From' value can be used to represent the
  // 'To' value.
  if (ToTy->isVoidType())
    return true;

  // Otherwise the remaining types have to match exactly.
  if (ToTy != FromTy)
    return false;

  return true;
}

// FIXME: should rewrite according to the cast kind.
SVal SValBuilder::evalCast(SVal val, QualType castTy, QualType originalTy) {
  castTy = Context.getCanonicalType(castTy);
  originalTy = Context.getCanonicalType(originalTy);
  if (val.isUnknownOrUndef() || castTy == originalTy)
    return val;

  if (castTy->isBooleanType()) {
    if (val.isUnknownOrUndef())
      return val;
    if (val.isConstant())
      return makeTruthVal(!val.isZeroConstant(), castTy);
    if (!Loc::isLocType(originalTy) &&
        !originalTy->isIntegralOrEnumerationType() &&
        !originalTy->isMemberPointerType())
      return UnknownVal();
    if (SymbolRef Sym = val.getAsSymbol(true)) {
      BasicValueFactory &BVF = getBasicValueFactory();
      // FIXME: If we had a state here, we could see if the symbol is known to
      // be zero, but we don't.
      return makeNonLoc(Sym, BO_NE, BVF.getValue(0, Sym->getType()), castTy);
    }
    // Loc values are not always true, they could be weakly linked functions.
    if (Optional<Loc> L = val.getAs<Loc>())
      return evalCastFromLoc(*L, castTy);

    Loc L = val.castAs<nonloc::LocAsInteger>().getLoc();
    return evalCastFromLoc(L, castTy);
  }

  // For const casts, casts to void, just propagate the value.
  if (!castTy->isVariableArrayType() && !originalTy->isVariableArrayType())
    if (shouldBeModeledWithNoOp(Context, Context.getPointerType(castTy),
                                         Context.getPointerType(originalTy)))
      return val;

  // Check for casts from pointers to integers.
435a5796f87229b4aeebca71fa6ee1790ae7a5a0382Jordan Rose if (castTy->isIntegralOrEnumerationType() && Loc::isLocType(originalTy)) 4365251abea41b446c26e3239c8dd6c7edea6fc335dDavid Blaikie return evalCastFromLoc(val.castAs<Loc>(), castTy); 4371eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 43832c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // Check for casts from integers to pointers. 439a5796f87229b4aeebca71fa6ee1790ae7a5a0382Jordan Rose if (Loc::isLocType(castTy) && originalTy->isIntegralOrEnumerationType()) { 440dc84cd5efdd3430efb22546b4ac656aa0540b210David Blaikie if (Optional<nonloc::LocAsInteger> LV = val.getAs<nonloc::LocAsInteger>()) { 4415bbc8e76408af22a0c706a4199c684bf5f5a5cb3Ted Kremenek if (const MemRegion *R = LV->getLoc().getAsRegion()) { 442c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek StoreManager &storeMgr = StateMgr.getStoreManager(); 4432534528c22260211a073e192c38d0db84c70c327Ted Kremenek R = storeMgr.castRegion(R, castTy); 444814e6b915450456eb2a1ba15d82fc7f8ae3bc8a6Zhongxing Xu return R ? SVal(loc::MemRegionVal(R)) : UnknownVal(); 4455bbc8e76408af22a0c706a4199c684bf5f5a5cb3Ted Kremenek } 446814e6b915450456eb2a1ba15d82fc7f8ae3bc8a6Zhongxing Xu return LV->getLoc(); 44732c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek } 448aace9ef279be3dadd53b481aee568bd7701178b4Anna Zaks return dispatchCast(val, castTy); 44932c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek } 4501eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 45132c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // Just pass through function and block pointers. 
45232c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek if (originalTy->isBlockPointerType() || originalTy->isFunctionPointerType()) { 4537dfc9420babe83e236a47e752f8723bd06070d9dZhanyong Wan assert(Loc::isLocType(castTy)); 454814e6b915450456eb2a1ba15d82fc7f8ae3bc8a6Zhongxing Xu return val; 45532c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek } 4561eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 45732c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // Check for casts from array type to another type. 4587f1fd2f182717d5ce6cde60398128910c90f98beAnna Zaks if (const ArrayType *arrayT = 4597f1fd2f182717d5ce6cde60398128910c90f98beAnna Zaks dyn_cast<ArrayType>(originalTy.getCanonicalType())) { 46032c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // We will always decay to a pointer. 4617f1fd2f182717d5ce6cde60398128910c90f98beAnna Zaks QualType elemTy = arrayT->getElementType(); 4627f1fd2f182717d5ce6cde60398128910c90f98beAnna Zaks val = StateMgr.ArrayToPointer(val.castAs<Loc>(), elemTy); 4631eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 46432c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // Are we casting from an array to a pointer? If so just pass on 46532c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // the decayed value. 46617eb65f1bfcc33d2a9ecefe32368cb374155dbdcAnna Zaks if (castTy->isPointerType() || castTy->isReferenceType()) 467814e6b915450456eb2a1ba15d82fc7f8ae3bc8a6Zhongxing Xu return val; 4681eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 46932c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // Are we casting from an array to an integer? If so, cast the decayed 47032c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // pointer value to an integer. 
471a5796f87229b4aeebca71fa6ee1790ae7a5a0382Jordan Rose assert(castTy->isIntegralOrEnumerationType()); 4721eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 47332c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // FIXME: Keep these here for now in case we decide soon that we 47432c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // need the original decayed type. 47532c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // QualType elemTy = cast<ArrayType>(originalTy)->getElementType(); 47632c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // QualType pointerTy = C.getPointerType(elemTy); 4775251abea41b446c26e3239c8dd6c7edea6fc335dDavid Blaikie return evalCastFromLoc(val.castAs<Loc>(), castTy); 47832c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek } 4791eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 48032c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // Check for casts from a region to a specific type. 48132c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek if (const MemRegion *R = val.getAsRegion()) { 482140d0c64417e2fb5fc4dd40ce0d46b037ac11b02Ted Kremenek // Handle other casts of locations to integers. 483a5796f87229b4aeebca71fa6ee1790ae7a5a0382Jordan Rose if (castTy->isIntegralOrEnumerationType()) 484140d0c64417e2fb5fc4dd40ce0d46b037ac11b02Ted Kremenek return evalCastFromLoc(loc::MemRegionVal(R), castTy); 485140d0c64417e2fb5fc4dd40ce0d46b037ac11b02Ted Kremenek 48632c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // FIXME: We should handle the case where we strip off view layers to get 48732c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // to a desugared type. 
4887dfc9420babe83e236a47e752f8723bd06070d9dZhanyong Wan if (!Loc::isLocType(castTy)) { 489948163b4986dfb5060c0dbd2e5910431640e56d1Ted Kremenek // FIXME: There can be gross cases where one casts the result of a function 490948163b4986dfb5060c0dbd2e5910431640e56d1Ted Kremenek // (that returns a pointer) to some other value that happens to fit 491948163b4986dfb5060c0dbd2e5910431640e56d1Ted Kremenek // within that pointer value. We currently have no good way to 492948163b4986dfb5060c0dbd2e5910431640e56d1Ted Kremenek // model such operations. When this happens, the underlying operation 493948163b4986dfb5060c0dbd2e5910431640e56d1Ted Kremenek // is that the caller is reasoning about bits. Conceptually we are 494948163b4986dfb5060c0dbd2e5910431640e56d1Ted Kremenek // layering a "view" of a location on top of those bits. Perhaps 495948163b4986dfb5060c0dbd2e5910431640e56d1Ted Kremenek // we need to be more lazy about mutual possible views, even on an 496948163b4986dfb5060c0dbd2e5910431640e56d1Ted Kremenek // SVal? This may be necessary for bit-level reasoning as well. 497948163b4986dfb5060c0dbd2e5910431640e56d1Ted Kremenek return UnknownVal(); 498948163b4986dfb5060c0dbd2e5910431640e56d1Ted Kremenek } 499948163b4986dfb5060c0dbd2e5910431640e56d1Ted Kremenek 50032c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // We get a symbolic function pointer for a dereference of a function 50132c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // pointer, but it is of function type. 
Example: 5021eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 50332c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // struct FPRec { 5041eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump // void (*my_func)(int * x); 50532c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // }; 50632c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // 50732c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // int bar(int x); 50832c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // 50932c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // int f1_a(struct FPRec* foo) { 51032c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // int x; 51132c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // (*foo->my_func)(&x); 51232c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // return bar(x)+1; // no-warning 51332c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek // } 5141eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 5157dfc9420babe83e236a47e752f8723bd06070d9dZhanyong Wan assert(Loc::isLocType(originalTy) || originalTy->isFunctionType() || 516b14175a5371a6c71f3b2dbe4e7aa14803ac38c54Argyrios Kyrtzidis originalTy->isBlockPointerType() || castTy->isReferenceType()); 5171eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 518c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek StoreManager &storeMgr = StateMgr.getStoreManager(); 5191eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 52009270cc1b9cdd4c50012cb7984df8745e05833e5Zhongxing Xu // Delegate to store manager to get the result of casting a region to a 52109270cc1b9cdd4c50012cb7984df8745e05833e5Zhongxing Xu // different type. If the MemRegion* returned is NULL, this expression 5229c14953d0c84f7cf5adfb4cd3c0f05a9b1723c1cTed Kremenek // Evaluates to UnknownVal. 5232534528c22260211a073e192c38d0db84c70c327Ted Kremenek R = storeMgr.castRegion(R, castTy); 524814e6b915450456eb2a1ba15d82fc7f8ae3bc8a6Zhongxing Xu return R ? 
SVal(loc::MemRegionVal(R)) : UnknownVal(); 52532c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek } 5261eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 527aace9ef279be3dadd53b481aee568bd7701178b4Anna Zaks return dispatchCast(val, castTy); 5285b9bd2137ebef350af803c634e3fdf5d74678100Ted Kremenek} 529