SimpleSValBuilder.cpp revision 791dd0a3f855b61ee97387dca67af86a1edff9f2
1846eabd187be4bfe992e8bca131166b734d86e0dTed Kremenek// SimpleSValBuilder.cpp - A basic SValBuilder -----------------------*- C++ -*- 2e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek// 3e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek// The LLVM Compiler Infrastructure 4e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek// 5e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek// This file is distributed under the University of Illinois Open Source 6e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek// License. See LICENSE.TXT for details. 7e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek// 8e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek//===----------------------------------------------------------------------===// 9e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek// 10846eabd187be4bfe992e8bca131166b734d86e0dTed Kremenek// This file defines SimpleSValBuilder, a basic implementation of SValBuilder. 11e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek// 12e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek//===----------------------------------------------------------------------===// 13e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 14d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose#include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" 159b663716449b618ba0390b1dbebc54fa8e971124Ted Kremenek#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" 1618c66fdc3c4008d335885695fe36fb5353c5f672Ted Kremenek#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 17e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 18e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenekusing namespace clang; 199ef6537a894c33003359b1f9b9676e9178e028b7Ted Kremenekusing namespace ento; 20e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 21e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremeneknamespace { 22846eabd187be4bfe992e8bca131166b734d86e0dTed Kremenekclass SimpleSValBuilder : public SValBuilder { 2332c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenekprotected: 24aace9ef279be3dadd53b481aee568bd7701178b4Anna Zaks virtual SVal dispatchCast(SVal val, QualType castTy); 259f8862aa64300ef97b8fe85034ee93bbc03e3b7bZhanyong Wan virtual SVal evalCastFromNonLoc(NonLoc val, QualType castTy); 269f8862aa64300ef97b8fe85034ee93bbc03e3b7bZhanyong Wan virtual SVal evalCastFromLoc(Loc val, QualType castTy); 2732c3fa4195762ba93f0b7114ab36c0941bc34432Ted Kremenek 28e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenekpublic: 29c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek SimpleSValBuilder(llvm::BumpPtrAllocator &alloc, ASTContext &context, 3018c66fdc3c4008d335885695fe36fb5353c5f672Ted Kremenek ProgramStateManager &stateMgr) 31c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek : SValBuilder(alloc, context, stateMgr) {} 32846eabd187be4bfe992e8bca131166b734d86e0dTed Kremenek virtual ~SimpleSValBuilder() {} 331eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 349c14953d0c84f7cf5adfb4cd3c0f05a9b1723c1cTed Kremenek virtual SVal evalMinus(NonLoc val); 359c14953d0c84f7cf5adfb4cd3c0f05a9b1723c1cTed Kremenek virtual SVal evalComplement(NonLoc val); 368bef8238181a30e52dea380789a7e2d760eac532Ted Kremenek virtual SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, 37cd8f6ac9b613e1fe962ebf9c87d822ce765275e6Ted Kremenek NonLoc lhs, NonLoc rhs, QualType resultTy); 388bef8238181a30e52dea380789a7e2d760eac532Ted Kremenek virtual SVal evalBinOpLL(ProgramStateRef state, BinaryOperator::Opcode op, 39eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose Loc lhs, Loc rhs, QualType resultTy); 408bef8238181a30e52dea380789a7e2d760eac532Ted Kremenek virtual SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op, 41e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek Loc lhs, NonLoc rhs, QualType resultTy); 4232f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose 439c14953d0c84f7cf5adfb4cd3c0f05a9b1723c1cTed Kremenek /// getKnownValue - evaluates a given SVal. If the SVal has only one possible 4432f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose /// (integer) value, that value is returned. Otherwise, returns NULL. 458bef8238181a30e52dea380789a7e2d760eac532Ted Kremenek virtual const llvm::APSInt *getKnownValue(ProgramStateRef state, SVal V); 4643fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose 4743fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose SVal MakeSymIntVal(const SymExpr *LHS, BinaryOperator::Opcode op, 4843fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose const llvm::APSInt &RHS, QualType resultTy); 491eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump}; 50e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek} // end anonymous namespace 51e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 529ef6537a894c33003359b1f9b9676e9178e028b7Ted KremenekSValBuilder *ento::createSimpleSValBuilder(llvm::BumpPtrAllocator &alloc, 539ef6537a894c33003359b1f9b9676e9178e028b7Ted Kremenek ASTContext &context, 5418c66fdc3c4008d335885695fe36fb5353c5f672Ted Kremenek ProgramStateManager &stateMgr) { 55c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return new SimpleSValBuilder(alloc, context, stateMgr); 56e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek} 57e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 58e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek//===----------------------------------------------------------------------===// 59e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek// Transfer function for Casts. 60e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek//===----------------------------------------------------------------------===// 61e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 62bcb3b981da3d29844fea4099c529b43e814b6d7dAnna ZaksSVal SimpleSValBuilder::dispatchCast(SVal Val, QualType CastTy) { 63bcb3b981da3d29844fea4099c529b43e814b6d7dAnna Zaks assert(isa<Loc>(&Val) || isa<NonLoc>(&Val)); 64bcb3b981da3d29844fea4099c529b43e814b6d7dAnna Zaks return isa<Loc>(Val) ? evalCastFromLoc(cast<Loc>(Val), CastTy) 65bcb3b981da3d29844fea4099c529b43e814b6d7dAnna Zaks : evalCastFromNonLoc(cast<NonLoc>(Val), CastTy); 66aace9ef279be3dadd53b481aee568bd7701178b4Anna Zaks} 67aace9ef279be3dadd53b481aee568bd7701178b4Anna Zaks 689f8862aa64300ef97b8fe85034ee93bbc03e3b7bZhanyong WanSVal SimpleSValBuilder::evalCastFromNonLoc(NonLoc val, QualType castTy) { 691eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 707dfc9420babe83e236a47e752f8723bd06070d9dZhanyong Wan bool isLocType = Loc::isLocType(castTy); 711eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 729031dd7a989f893be0c3a9d8915b1218646be763Ted Kremenek if (nonloc::LocAsInteger *LI = dyn_cast<nonloc::LocAsInteger>(&val)) { 739031dd7a989f893be0c3a9d8915b1218646be763Ted Kremenek if (isLocType) 74dd6611426b96019516ed473ce25a8664065e9865Ted Kremenek return LI->getLoc(); 751eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 76c50e6df965ff264952d8d5805d151f89c89af302Ted Kremenek // FIXME: Correctly support promotions/truncations. 77c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek unsigned castSize = Context.getTypeSize(castTy); 78c50e6df965ff264952d8d5805d151f89c89af302Ted Kremenek if (castSize == LI->getNumBits()) 799031dd7a989f893be0c3a9d8915b1218646be763Ted Kremenek return val; 80c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeLocAsInteger(LI->getLoc(), castSize); 819031dd7a989f893be0c3a9d8915b1218646be763Ted Kremenek } 829031dd7a989f893be0c3a9d8915b1218646be763Ted Kremenek 839031dd7a989f893be0c3a9d8915b1218646be763Ted Kremenek if (const SymExpr *se = val.getAsSymbolicExpression()) { 84c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek QualType T = Context.getCanonicalType(se->getType(Context)); 85432a4558b8161c362efc319f8a38e074e74da201Anna Zaks // If types are the same or both are integers, ignore the cast. 8680417471b01ab2726cd04773b2ab700ce564073cTed Kremenek // FIXME: Remove this hack when we support symbolic truncation/extension. 8780417471b01ab2726cd04773b2ab700ce564073cTed Kremenek // HACK: If both castTy and T are integers, ignore the cast. This is 8880417471b01ab2726cd04773b2ab700ce564073cTed Kremenek // not a permanent solution. Eventually we want to precisely handle 8980417471b01ab2726cd04773b2ab700ce564073cTed Kremenek // extension/truncation of symbolic integers. This prevents us from losing 9080417471b01ab2726cd04773b2ab700ce564073cTed Kremenek // precision when we assign 'x = y' and 'y' is symbolic and x and y are 9180417471b01ab2726cd04773b2ab700ce564073cTed Kremenek // different integer types. 92432a4558b8161c362efc319f8a38e074e74da201Anna Zaks if (haveSameType(T, castTy)) 9380417471b01ab2726cd04773b2ab700ce564073cTed Kremenek return val; 941eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 95aace9ef279be3dadd53b481aee568bd7701178b4Anna Zaks if (!isLocType) 96aace9ef279be3dadd53b481aee568bd7701178b4Anna Zaks return makeNonLoc(se, T, castTy); 979031dd7a989f893be0c3a9d8915b1218646be763Ted Kremenek return UnknownVal(); 989031dd7a989f893be0c3a9d8915b1218646be763Ted Kremenek } 991eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 1005fc7def35ee858791e591d005b4ae343632ca931Anna Zaks // If value is a non integer constant, produce unknown. 101e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek if (!isa<nonloc::ConcreteInt>(val)) 102e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek return UnknownVal(); 1031eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 1045fc7def35ee858791e591d005b4ae343632ca931Anna Zaks // Only handle casts from integers to integers - if val is an integer constant 1055fc7def35ee858791e591d005b4ae343632ca931Anna Zaks // being cast to a non integer type, produce unknown. 106e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek if (!isLocType && !castTy->isIntegerType()) 107e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek return UnknownVal(); 1081eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 109e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek llvm::APSInt i = cast<nonloc::ConcreteInt>(val).getValue(); 110d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose BasicVals.getAPSIntType(castTy).apply(i); 111e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 112e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek if (isLocType) 113c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeIntLocVal(i); 114e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek else 115c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeIntVal(i); 116e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek} 117e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 1189f8862aa64300ef97b8fe85034ee93bbc03e3b7bZhanyong WanSVal SimpleSValBuilder::evalCastFromLoc(Loc val, QualType castTy) { 1191eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 120e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // Casts from pointers -> pointers, just return the lval. 121e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // 122e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // Casts from pointers -> references, just return the lval. These 123e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // can be introduced by the frontend for corner cases, e.g 124e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // casting from va_list* to __builtin_va_list&. 125e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // 1267dfc9420babe83e236a47e752f8723bd06070d9dZhanyong Wan if (Loc::isLocType(castTy) || castTy->isReferenceType()) 127e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek return val; 1281eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 129e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // FIXME: Handle transparent unions where a value can be "transparently" 130e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // lifted into a union type. 131e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek if (castTy->isUnionType()) 132e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek return UnknownVal(); 1331eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 134d617b85d12169ccb4bdf281836a281d0c173ba6aTed Kremenek if (castTy->isIntegerType()) { 135c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek unsigned BitWidth = Context.getTypeSize(castTy); 136e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 137d617b85d12169ccb4bdf281836a281d0c173ba6aTed Kremenek if (!isa<loc::ConcreteInt>(val)) 138c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeLocAsInteger(val, BitWidth); 1391eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 140d617b85d12169ccb4bdf281836a281d0c173ba6aTed Kremenek llvm::APSInt i = cast<loc::ConcreteInt>(val).getValue(); 141d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose BasicVals.getAPSIntType(castTy).apply(i); 142c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeIntVal(i); 143d617b85d12169ccb4bdf281836a281d0c173ba6aTed Kremenek } 144d617b85d12169ccb4bdf281836a281d0c173ba6aTed Kremenek 145d617b85d12169ccb4bdf281836a281d0c173ba6aTed Kremenek // All other cases: return 'UnknownVal'. This includes casting pointers 146d617b85d12169ccb4bdf281836a281d0c173ba6aTed Kremenek // to floats, which is probably badness it itself, but this is a good 147d617b85d12169ccb4bdf281836a281d0c173ba6aTed Kremenek // intermediate solution until we do something better. 148d617b85d12169ccb4bdf281836a281d0c173ba6aTed Kremenek return UnknownVal(); 149e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek} 150e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 151e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek//===----------------------------------------------------------------------===// 152e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek// Transfer function for unary operators. 153e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek//===----------------------------------------------------------------------===// 154e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 1559c14953d0c84f7cf5adfb4cd3c0f05a9b1723c1cTed KremenekSVal SimpleSValBuilder::evalMinus(NonLoc val) { 1561eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump switch (val.getSubKind()) { 157e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek case nonloc::ConcreteIntKind: 158c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return cast<nonloc::ConcreteInt>(val).evalMinus(*this); 159e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek default: 160e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek return UnknownVal(); 161e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 162e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek} 163e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 1649c14953d0c84f7cf5adfb4cd3c0f05a9b1723c1cTed KremenekSVal SimpleSValBuilder::evalComplement(NonLoc X) { 165e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek switch (X.getSubKind()) { 166e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek case nonloc::ConcreteIntKind: 167c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return cast<nonloc::ConcreteInt>(X).evalComplement(*this); 168e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek default: 169e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek return UnknownVal(); 170e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 171e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek} 172e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 173e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek//===----------------------------------------------------------------------===// 174e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek// Transfer function for binary operators. 175e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek//===----------------------------------------------------------------------===// 176e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 177e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenekstatic BinaryOperator::Opcode NegateComparison(BinaryOperator::Opcode op) { 178e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek switch (op) { 179e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek default: 180b219cfc4d75f0a03630b7c4509ef791b7e97b2c8David Blaikie llvm_unreachable("Invalid opcode."); 1812de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LT: return BO_GE; 1822de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GT: return BO_LE; 1832de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LE: return BO_GT; 1842de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GE: return BO_LT; 1852de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_EQ: return BO_NE; 1862de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_NE: return BO_EQ; 187e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 188e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek} 189e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 190eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rosestatic BinaryOperator::Opcode ReverseComparison(BinaryOperator::Opcode op) { 191eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose switch (op) { 192eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose default: 193b219cfc4d75f0a03630b7c4509ef791b7e97b2c8David Blaikie llvm_unreachable("Invalid opcode."); 1942de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LT: return BO_GT; 1952de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GT: return BO_LT; 1962de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LE: return BO_GE; 1972de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GE: return BO_LE; 1982de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_EQ: 1992de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_NE: 200eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return op; 201e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 202e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek} 203e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 204846eabd187be4bfe992e8bca131166b734d86e0dTed KremenekSVal SimpleSValBuilder::MakeSymIntVal(const SymExpr *LHS, 20543fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose BinaryOperator::Opcode op, 20643fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose const llvm::APSInt &RHS, 20743fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose QualType resultTy) { 20843fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose bool isIdempotent = false; 20943fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose 21043fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose // Check for a few special cases with known reductions first. 21143fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose switch (op) { 21243fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose default: 21343fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose // We can't reduce this case; just treat it normally. 21443fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose break; 2152de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_Mul: 21643fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose // a*0 and a*1 21743fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose if (RHS == 0) 218c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeIntVal(0, resultTy); 21943fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose else if (RHS == 1) 22043fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose isIdempotent = true; 22143fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose break; 2222de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_Div: 22343fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose // a/0 and a/1 22443fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose if (RHS == 0) 22543fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose // This is also handled elsewhere. 22643fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose return UndefinedVal(); 22743fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose else if (RHS == 1) 22843fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose isIdempotent = true; 22943fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose break; 2302de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_Rem: 23143fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose // a%0 and a%1 23243fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose if (RHS == 0) 23343fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose // This is also handled elsewhere. 23443fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose return UndefinedVal(); 23543fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose else if (RHS == 1) 236c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeIntVal(0, resultTy); 23743fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose break; 2382de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_Add: 2392de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_Sub: 2402de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_Shl: 2412de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_Shr: 2422de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_Xor: 24343fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose // a+0, a-0, a<<0, a>>0, a^0 24443fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose if (RHS == 0) 24543fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose isIdempotent = true; 24643fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose break; 2472de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_And: 24843fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose // a&0 and a&(~0) 24943fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose if (RHS == 0) 250c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeIntVal(0, resultTy); 25143fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose else if (RHS.isAllOnesValue()) 25243fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose isIdempotent = true; 25343fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose break; 2542de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_Or: 25543fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose // a|0 and a|(~0) 25643fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose if (RHS == 0) 25743fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose isIdempotent = true; 25843fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose else if (RHS.isAllOnesValue()) { 259c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek const llvm::APSInt &Result = BasicVals.Convert(resultTy, RHS); 26043fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose return nonloc::ConcreteInt(Result); 26143fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose } 26243fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose break; 26343fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose } 26443fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose 26543fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose // Idempotent ops (like a*1) can still change the type of an expression. 2669f8862aa64300ef97b8fe85034ee93bbc03e3b7bZhanyong Wan // Wrap the LHS up in a NonLoc again and let evalCastFromNonLoc do the 2679f8862aa64300ef97b8fe85034ee93bbc03e3b7bZhanyong Wan // dirty work. 2685344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks if (isIdempotent) 26976462f00854171d2aa3ebc34f9aac1c60021b0eaAnna Zaks return evalCastFromNonLoc(nonloc::SymbolVal(LHS), resultTy); 27043fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose 27143fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose // If we reach this point, the expression cannot be simplified. 272c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // Make a SymbolVal for the entire expression, after converting the RHS. 273c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose const llvm::APSInt *ConvertedRHS = &RHS; 274c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose if (BinaryOperator::isComparisonOp(op)) { 275c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // We're looking for a type big enough to compare the symbolic value 276c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // with the given constant. 277c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // FIXME: This is an approximation of Sema::UsualArithmeticConversions. 278c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose ASTContext &Ctx = getContext(); 279c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose QualType SymbolType = LHS->getType(Ctx); 280c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose uint64_t ValWidth = RHS.getBitWidth(); 281c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose uint64_t TypeWidth = Ctx.getTypeSize(SymbolType); 282c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose 283c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose if (ValWidth < TypeWidth) { 284c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // If the value is too small, extend it. 285c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose ConvertedRHS = &BasicVals.Convert(SymbolType, RHS); 286c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose } else if (ValWidth == TypeWidth) { 287c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // If the value is signed but the symbol is unsigned, do the comparison 288c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // in unsigned space. [C99 6.3.1.8] 289c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // (For the opposite case, the value is already unsigned.) 290c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose if (RHS.isSigned() && !SymbolType->isSignedIntegerOrEnumerationType()) 291c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose ConvertedRHS = &BasicVals.Convert(SymbolType, RHS); 292c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose } 293c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose } else 294c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose ConvertedRHS = &BasicVals.Convert(resultTy, RHS); 295c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose 296c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose return makeNonLoc(LHS, op, *ConvertedRHS, resultTy); 29743fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose} 29843fdb7f3b46059d4af11a702af35bc8e5d0f678aJordy Rose 2998bef8238181a30e52dea380789a7e2d760eac532Ted KremenekSVal SimpleSValBuilder::evalBinOpNN(ProgramStateRef state, 300cd8f6ac9b613e1fe962ebf9c87d822ce765275e6Ted Kremenek BinaryOperator::Opcode op, 301e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek NonLoc lhs, NonLoc rhs, 30254ca9b1d45fbfb0b3eeab581e0d10403cc922e62Ted Kremenek QualType resultTy) { 303da3960347a5d563d6746cb363b25466282a09ce3Anna Zaks NonLoc InputLHS = lhs; 304da3960347a5d563d6746cb363b25466282a09ce3Anna Zaks NonLoc InputRHS = rhs; 305da3960347a5d563d6746cb363b25466282a09ce3Anna Zaks 30654ca9b1d45fbfb0b3eeab581e0d10403cc922e62Ted Kremenek // Handle trivial case where left-side and right-side are the same. 30754ca9b1d45fbfb0b3eeab581e0d10403cc922e62Ted Kremenek if (lhs == rhs) 30854ca9b1d45fbfb0b3eeab581e0d10403cc922e62Ted Kremenek switch (op) { 30954ca9b1d45fbfb0b3eeab581e0d10403cc922e62Ted Kremenek default: 31054ca9b1d45fbfb0b3eeab581e0d10403cc922e62Ted Kremenek break; 3112de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_EQ: 3122de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LE: 3132de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GE: 314c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(true, resultTy); 3152de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LT: 3162de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GT: 3172de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_NE: 318c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(false, resultTy); 3192de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_Xor: 3202de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_Sub: 321791dd0a3f855b61ee97387dca67af86a1edff9f2Jordan Rose if (resultTy->isIntegralOrEnumerationType()) 322791dd0a3f855b61ee97387dca67af86a1edff9f2Jordan Rose return makeIntVal(0, resultTy); 323791dd0a3f855b61ee97387dca67af86a1edff9f2Jordan Rose return evalCastFromNonLoc(makeIntVal(0, /*Unsigned=*/false), resultTy); 3242de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_Or: 3252de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_And: 3269f8862aa64300ef97b8fe85034ee93bbc03e3b7bZhanyong Wan return evalCastFromNonLoc(lhs, resultTy); 32754ca9b1d45fbfb0b3eeab581e0d10403cc922e62Ted Kremenek } 3281eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 329e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek while (1) { 330e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek switch (lhs.getSubKind()) { 331e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek default: 332e2241cbb0455a60ba27d6c4b9d601ffef3ed103fAnna Zaks return makeSymExprValNN(state, op, lhs, rhs, resultTy); 333e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek case nonloc::LocAsIntegerKind: { 3341eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump Loc lhsL = cast<nonloc::LocAsInteger>(lhs).getLoc(); 335e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek switch (rhs.getSubKind()) { 336e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek case nonloc::LocAsIntegerKind: 3379c14953d0c84f7cf5adfb4cd3c0f05a9b1723c1cTed Kremenek return evalBinOpLL(state, op, lhsL, 338eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose cast<nonloc::LocAsInteger>(rhs).getLoc(), 3391eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump resultTy); 340e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek case nonloc::ConcreteIntKind: { 341e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // Transform the integer into a location and compare. 342e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek llvm::APSInt i = cast<nonloc::ConcreteInt>(rhs).getValue(); 343d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose BasicVals.getAPSIntType(Context.VoidPtrTy).apply(i); 344c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return evalBinOpLL(state, op, lhsL, makeLoc(i), resultTy); 345e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 3461eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump default: 347e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek switch (op) { 3482de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_EQ: 349c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(false, resultTy); 3502de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_NE: 351c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(true, resultTy); 352e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek default: 353e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // This case also handles pointer arithmetic. 354da3960347a5d563d6746cb363b25466282a09ce3Anna Zaks return makeSymExprValNN(state, op, InputLHS, InputRHS, resultTy); 355e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 356e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 3571eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump } 3581eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump case nonloc::ConcreteIntKind: { 359c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose llvm::APSInt LHSValue = cast<nonloc::ConcreteInt>(lhs).getValue(); 360c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose 361c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // If we're dealing with two known constants, just perform the operation. 362c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose if (const llvm::APSInt *KnownRHSValue = getKnownValue(state, rhs)) { 363c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose llvm::APSInt RHSValue = *KnownRHSValue; 364c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose if (BinaryOperator::isComparisonOp(op)) { 365c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // We're looking for a type big enough to compare the two values. 366d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose // FIXME: This is not correct. char + short will result in a promotion 367d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose // to int. Unfortunately we have lost types by this point. 368d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose APSIntType CompareType = std::max(APSIntType(LHSValue), 369d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose APSIntType(RHSValue)); 370d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose CompareType.apply(LHSValue); 371d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose CompareType.apply(RHSValue); 372c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose } else if (!BinaryOperator::isShiftOp(op)) { 373d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose APSIntType IntType = BasicVals.getAPSIntType(resultTy); 374d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose IntType.apply(LHSValue); 375d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose IntType.apply(RHSValue); 376a9af8e71bba24d2a1d1827972ef4cd856c179e56Jordy Rose } 377c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose 378c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose const llvm::APSInt *Result = 379c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose BasicVals.evalAPSInt(op, LHSValue, RHSValue); 380c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose if (!Result) 381c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose return UndefinedVal(); 382c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose 383c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose return nonloc::ConcreteInt(*Result); 384a9af8e71bba24d2a1d1827972ef4cd856c179e56Jordy Rose } 385a9af8e71bba24d2a1d1827972ef4cd856c179e56Jordy Rose 386c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // Swap the left and right sides and flip the operator if doing so 387c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // allows us to better reason about the expression (this is a form 388c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // of expression canonicalization). 389c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // While we're at it, catch some special cases for non-commutative ops. 390c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose switch (op) { 391c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose case BO_LT: 392c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose case BO_GT: 393c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose case BO_LE: 394c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose case BO_GE: 395c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose op = ReverseComparison(op); 396c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // FALL-THROUGH 397c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose case BO_EQ: 398c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose case BO_NE: 399c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose case BO_Add: 400c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose case BO_Mul: 401c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose case BO_And: 402c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose case BO_Xor: 403c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose case BO_Or: 404c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose std::swap(lhs, rhs); 405c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose continue; 406c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose case BO_Shr: 407c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // (~0)>>a 408c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose if (LHSValue.isAllOnesValue() && LHSValue.isSigned()) 409c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose return evalCastFromNonLoc(lhs, resultTy); 410c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // FALL-THROUGH 411c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose case BO_Shl: 412c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // 0<<a and 0>>a 413c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose if (LHSValue == 0) 414c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose return evalCastFromNonLoc(lhs, resultTy); 415c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose return makeSymExprValNN(state, op, InputLHS, InputRHS, resultTy); 416c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose default: 417c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose return makeSymExprValNN(state, op, InputLHS, InputRHS, resultTy); 418e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 419e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 420e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek case nonloc::SymbolValKind: { 421c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // We only handle LHS as simple symbols or SymIntExprs. 422c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose SymbolRef Sym = cast<nonloc::SymbolVal>(lhs).getSymbol(); 4235344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks 4245344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks // LHS is a symbolic expression. 425c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose if (const SymIntExpr *symIntExpr = dyn_cast<SymIntExpr>(Sym)) { 4265344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks 4275344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks // Is this a logical not? (!x is represented as x == 0.) 4285344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks if (op == BO_EQ && rhs.isZeroConstant()) { 4295344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks // We know how to negate certain expressions. Simplify them here. 4305344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks 4315344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks BinaryOperator::Opcode opc = symIntExpr->getOpcode(); 4325344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks switch (opc) { 4335344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks default: 4345344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks // We don't know how to negate this operation. 4355344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks // Just handle it as if it were a normal comparison to 0. 4365344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks break; 4375344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_LAnd: 4385344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_LOr: 4395344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks llvm_unreachable("Logical operators handled by branching logic."); 4405344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_Assign: 4415344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_MulAssign: 4425344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_DivAssign: 4435344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_RemAssign: 4445344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_AddAssign: 4455344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_SubAssign: 4465344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_ShlAssign: 4475344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_ShrAssign: 4485344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_AndAssign: 4495344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_XorAssign: 4505344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_OrAssign: 4515344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_Comma: 4525344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks llvm_unreachable("'=' and ',' operators handled by ExprEngine."); 4535344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_PtrMemD: 4545344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_PtrMemI: 4555344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks llvm_unreachable("Pointer arithmetic not handled here."); 4565344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_LT: 4575344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_GT: 4585344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_LE: 4595344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_GE: 4605344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_EQ: 4615344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks case BO_NE: 4625344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks // Negate the comparison and make a value. 4635344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks opc = NegateComparison(opc); 4645344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks assert(symIntExpr->getType(Context) == resultTy); 4655344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks return makeNonLoc(symIntExpr->getLHS(), opc, 4665344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks symIntExpr->getRHS(), resultTy); 467b1d042212fbb3f6a08864b703b7bdf0dca58fd9cTed Kremenek } 468cd8f6ac9b613e1fe962ebf9c87d822ce765275e6Ted Kremenek } 469a277e7764bbe2752f900bf595654f9ad433f3961Jordy Rose 4705344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks // For now, only handle expressions whose RHS is a constant. 471c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose if (const llvm::APSInt *RHSValue = getKnownValue(state, rhs)) { 472c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // If both the LHS and the current expression are additive, 473c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // fold their constants and try again. 474c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose if (BinaryOperator::isAdditiveOp(op)) { 475c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose BinaryOperator::Opcode lop = symIntExpr->getOpcode(); 476c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose if (BinaryOperator::isAdditiveOp(lop)) { 477c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // Convert the two constants to a common type, then combine them. 478c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose 479c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // resultTy may not be the best type to convert to, but it's 480c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // probably the best choice in expressions with mixed type 481c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // (such as x+1U+2LL). The rules for implicit conversions should 482c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // choose a reasonable type to preserve the expression, and will 483c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // at least match how the value is going to be used. 484d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose APSIntType IntType = BasicVals.getAPSIntType(resultTy); 485d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose const llvm::APSInt &first = IntType.convert(symIntExpr->getRHS()); 486d3b6d99cd57522b15dcec0eb771a97d9599d4db2Jordy Rose const llvm::APSInt &second = IntType.convert(*RHSValue); 487c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose 488c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose const llvm::APSInt *newRHS; 489c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose if (lop == op) 490c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose newRHS = BasicVals.evalAPSInt(BO_Add, first, second); 491c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose else 492c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose newRHS = BasicVals.evalAPSInt(BO_Sub, first, second); 493c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose 494c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose assert(newRHS && "Invalid operation despite common type!"); 495c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose rhs = nonloc::ConcreteInt(*newRHS); 496c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose lhs = nonloc::SymbolVal(symIntExpr->getLHS()); 497c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose op = lop; 498c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose continue; 499c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose } 500a277e7764bbe2752f900bf595654f9ad433f3961Jordy Rose } 501c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose 502c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // Otherwise, make a SymIntExpr out of the expression. 503c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose return MakeSymIntVal(symIntExpr, op, *RHSValue, resultTy); 504a277e7764bbe2752f900bf595654f9ad433f3961Jordy Rose } 505a277e7764bbe2752f900bf595654f9ad433f3961Jordy Rose 506e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 507c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose } else if (isa<SymbolData>(Sym)) { 5085344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks // Does the symbol simplify to a constant? If so, "fold" the constant 5095344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks // by setting 'lhs' to a ConcreteInt and try again. 510c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose if (const llvm::APSInt *Constant = state->getSymVal(Sym)) { 511c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose lhs = nonloc::ConcreteInt(*Constant); 512c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose continue; 5135344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks } 5145344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks 515c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // Is the RHS a constant? 516c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose if (const llvm::APSInt *RHSValue = getKnownValue(state, rhs)) 517c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose return MakeSymIntVal(Sym, op, *RHSValue, resultTy); 5185344baa704f42b22d9df25c24ffbbf6b4716603bAnna Zaks } 519c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose 520c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose // Give up -- this is not a symbolic expression we can handle. 521c838fd2ab889ffbb82c90da0cd634ef75b614b2cJordy Rose return makeSymExprValNN(state, op, InputLHS, InputRHS, resultTy); 522e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 523e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 524e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 525e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek} 526e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 527eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose// FIXME: all this logic will change if/when we have MemRegion::getLocation(). 5288bef8238181a30e52dea380789a7e2d760eac532Ted KremenekSVal SimpleSValBuilder::evalBinOpLL(ProgramStateRef state, 529eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose BinaryOperator::Opcode op, 530eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose Loc lhs, Loc rhs, 5311eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump QualType resultTy) { 532eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // Only comparisons and subtractions are valid operations on two pointers. 533eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // See [C99 6.5.5 through 6.5.14] or [C++0x 5.6 through 5.15]. 5349c14953d0c84f7cf5adfb4cd3c0f05a9b1723c1cTed Kremenek // However, if a pointer is casted to an integer, evalBinOpNN may end up 535a274148a5cf85f758e469d5785fb72736f93f58bJordy Rose // calling this function with another operation (PR7527). We don't attempt to 536a274148a5cf85f758e469d5785fb72736f93f58bJordy Rose // model this for now, but it could be useful, particularly when the 537a274148a5cf85f758e469d5785fb72736f93f58bJordy Rose // "location" is actually an integer value that's been passed through a void*. 5382de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall if (!(BinaryOperator::isComparisonOp(op) || op == BO_Sub)) 539a274148a5cf85f758e469d5785fb72736f93f58bJordy Rose return UnknownVal(); 540eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 541eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // Special cases for when both sides are identical. 542eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (lhs == rhs) { 543eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose switch (op) { 544e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek default: 545b219cfc4d75f0a03630b7c4509ef791b7e97b2c8David Blaikie llvm_unreachable("Unimplemented operation for two identical values"); 5462de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_Sub: 547c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeZeroVal(resultTy); 5482de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_EQ: 5492de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LE: 5502de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GE: 551c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(true, resultTy); 5522de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_NE: 5532de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LT: 5542de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GT: 555c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(false, resultTy); 556eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 557eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 558eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 559eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose switch (lhs.getSubKind()) { 560eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose default: 561b219cfc4d75f0a03630b7c4509ef791b7e97b2c8David Blaikie llvm_unreachable("Ordering not implemented for this Loc."); 562eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 563eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose case loc::GotoLabelKind: 564eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // The only thing we know about labels is that they're non-null. 565eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (rhs.isZeroConstant()) { 566eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose switch (op) { 567eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose default: 568eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose break; 5692de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_Sub: 5709f8862aa64300ef97b8fe85034ee93bbc03e3b7bZhanyong Wan return evalCastFromLoc(lhs, resultTy); 5712de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_EQ: 5722de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LE: 5732de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LT: 574c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(false, resultTy); 5752de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_NE: 5762de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GT: 5772de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GE: 578c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(true, resultTy); 579eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 580eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 581eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // There may be two labels for the same location, and a function region may 582eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // have the same address as a label at the start of the function (depending 583eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // on the ABI). 584eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // FIXME: we can probably do a comparison against other MemRegions, though. 585eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // FIXME: is there a way to tell if two labels refer to the same location? 586eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 587eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 588eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose case loc::ConcreteIntKind: { 589eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // If one of the operands is a symbol and the other is a constant, 590eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // build an expression for use by the constraint manager. 591eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (SymbolRef rSym = rhs.getAsLocSymbol()) { 592eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // We can only build expressions with symbols on the left, 593eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // so we need a reversible operator. 594eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (!BinaryOperator::isComparisonOp(op)) 595eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 596eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 597eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose const llvm::APSInt &lVal = cast<loc::ConcreteInt>(lhs).getValue(); 598c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeNonLoc(rSym, ReverseComparison(op), lVal, resultTy); 599eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 600eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 601eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // If both operands are constants, just perform the operation. 602eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (loc::ConcreteInt *rInt = dyn_cast<loc::ConcreteInt>(&rhs)) { 603c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek SVal ResultVal = cast<loc::ConcreteInt>(lhs).evalBinOp(BasicVals, op, 604c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek *rInt); 605eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (Loc *Result = dyn_cast<Loc>(&ResultVal)) 6069f8862aa64300ef97b8fe85034ee93bbc03e3b7bZhanyong Wan return evalCastFromLoc(*Result, resultTy); 607eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose else 608eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 609eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 610eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 611eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // Special case comparisons against NULL. 612eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // This must come after the test if the RHS is a symbol, which is used to 613eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // build constraints. The address of any non-symbolic region is guaranteed 614eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // to be non-NULL, as is any label. 615eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose assert(isa<loc::MemRegionVal>(rhs) || isa<loc::GotoLabel>(rhs)); 616eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (lhs.isZeroConstant()) { 617eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose switch (op) { 618eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose default: 619eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose break; 6202de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_EQ: 6212de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GT: 6222de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GE: 623c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(false, resultTy); 6242de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_NE: 6252de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LT: 6262de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LE: 627c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(true, resultTy); 628eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 629eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 630eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 631eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // Comparing an arbitrary integer to a region or label address is 632eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // completely unknowable. 633eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 634eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 635eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose case loc::MemRegionKind: { 636eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (loc::ConcreteInt *rInt = dyn_cast<loc::ConcreteInt>(&rhs)) { 637eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // If one of the operands is a symbol and the other is a constant, 638eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // build an expression for use by the constraint manager. 639eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (SymbolRef lSym = lhs.getAsLocSymbol()) 640eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy); 641eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 642eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // Special case comparisons to NULL. 643eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // This must come after the test if the LHS is a symbol, which is used to 644eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // build constraints. The address of any non-symbolic region is guaranteed 645eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // to be non-NULL. 646eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (rInt->isZeroConstant()) { 647eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose switch (op) { 648eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose default: 649eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose break; 6502de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_Sub: 6519f8862aa64300ef97b8fe85034ee93bbc03e3b7bZhanyong Wan return evalCastFromLoc(lhs, resultTy); 6522de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_EQ: 6532de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LT: 6542de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LE: 655c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(false, resultTy); 6562de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_NE: 6572de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GT: 6582de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GE: 659c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(true, resultTy); 660eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 661eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 662eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 663eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // Comparing a region to an arbitrary integer is completely unknowable. 664eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 665eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 666eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 667eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // Get both values as regions, if possible. 668eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose const MemRegion *LeftMR = lhs.getAsRegion(); 669eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose assert(LeftMR && "MemRegionKind SVal doesn't have a region!"); 670eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 671eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose const MemRegion *RightMR = rhs.getAsRegion(); 672eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (!RightMR) 673eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // The RHS is probably a label, which in theory could address a region. 674eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // FIXME: we can probably make a more useful statement about non-code 675eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // regions, though. 676eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 677eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 678e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks const MemSpaceRegion *LeftMS = LeftMR->getMemorySpace(); 679e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks const MemSpaceRegion *RightMS = RightMR->getMemorySpace(); 680e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks const MemSpaceRegion *UnknownMS = MemMgr.getUnknownRegion(); 681eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose const MemRegion *LeftBase = LeftMR->getBaseRegion(); 682eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose const MemRegion *RightBase = RightMR->getBaseRegion(); 683e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks 684e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks // If the two regions are from different known memory spaces they cannot be 685e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks // equal. Also, assume that no symbolic region (whose memory space is 686e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks // unknown) is on the stack. 687e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks if (LeftMS != RightMS && 688e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks ((LeftMS != UnknownMS && RightMS != UnknownMS) || 689e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks (isa<StackSpaceRegion>(LeftMS) || isa<StackSpaceRegion>(RightMS)))) { 690eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose switch (op) { 691eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose default: 692eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 6932de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_EQ: 694c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(false, resultTy); 6952de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_NE: 696c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(true, resultTy); 697eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 698eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 699eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 700e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks // If both values wrap regions, see if they're from different base regions. 701e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks // Note, heap base symbolic regions are assumed to not alias with 702e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks // each other; for example, we assume that malloc returns different address 703e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks // on each invocation. 704e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks if (LeftBase != RightBase && 705e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks ((!isa<SymbolicRegion>(LeftBase) && !isa<SymbolicRegion>(RightBase)) || 706783f0087ecb5af27d2f8caed7d6b904797c3d752Anna Zaks (isa<HeapSpaceRegion>(LeftMS) || isa<HeapSpaceRegion>(RightMS))) ){ 707a99f874bf2ade1e32f0feda7d5b8211171440f02Ted Kremenek switch (op) { 708e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks default: 709e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks return UnknownVal(); 710e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks case BO_EQ: 711e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks return makeTruthVal(false, resultTy); 712e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks case BO_NE: 713e17fdb2d5dbf0ffefd417587003eebbe5baf5984Anna Zaks return makeTruthVal(true, resultTy); 714a99f874bf2ade1e32f0feda7d5b8211171440f02Ted Kremenek } 715a99f874bf2ade1e32f0feda7d5b8211171440f02Ted Kremenek } 716eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 717eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // FIXME: If/when there is a getAsRawOffset() for FieldRegions, this 718eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // ElementRegion path and the FieldRegion path below should be unified. 719eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (const ElementRegion *LeftER = dyn_cast<ElementRegion>(LeftMR)) { 720eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // First see if the right region is also an ElementRegion. 721eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose const ElementRegion *RightER = dyn_cast<ElementRegion>(RightMR); 722eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (!RightER) 723eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 724eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 725eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // Next, see if the two ERs have the same super-region and matching types. 726eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // FIXME: This should do something useful even if the types don't match, 727eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // though if both indexes are constant the RegionRawOffset path will 728eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // give the correct answer. 729eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (LeftER->getSuperRegion() == RightER->getSuperRegion() && 730eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose LeftER->getElementType() == RightER->getElementType()) { 731eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // Get the left index and cast it to the correct type. 732eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // If the index is unknown or undefined, bail out here. 733eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose SVal LeftIndexVal = LeftER->getIndex(); 734eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose NonLoc *LeftIndex = dyn_cast<NonLoc>(&LeftIndexVal); 735eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (!LeftIndex) 736eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 7379f8862aa64300ef97b8fe85034ee93bbc03e3b7bZhanyong Wan LeftIndexVal = evalCastFromNonLoc(*LeftIndex, resultTy); 738eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose LeftIndex = dyn_cast<NonLoc>(&LeftIndexVal); 739eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (!LeftIndex) 740eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 741eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 742eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // Do the same for the right index. 743eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose SVal RightIndexVal = RightER->getIndex(); 744eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose NonLoc *RightIndex = dyn_cast<NonLoc>(&RightIndexVal); 745eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (!RightIndex) 746eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 7479f8862aa64300ef97b8fe85034ee93bbc03e3b7bZhanyong Wan RightIndexVal = evalCastFromNonLoc(*RightIndex, resultTy); 748eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose RightIndex = dyn_cast<NonLoc>(&RightIndexVal); 749eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (!RightIndex) 750eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 751eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 752eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // Actually perform the operation. 7539c14953d0c84f7cf5adfb4cd3c0f05a9b1723c1cTed Kremenek // evalBinOpNN expects the two indexes to already be the right type. 7549c14953d0c84f7cf5adfb4cd3c0f05a9b1723c1cTed Kremenek return evalBinOpNN(state, op, *LeftIndex, *RightIndex, resultTy); 755eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 756eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 757eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // If the element indexes aren't comparable, see if the raw offsets are. 7587caf9b369cba6edaf6eac25121cbc65ee938f14dZhongxing Xu RegionRawOffset LeftOffset = LeftER->getAsArrayOffset(); 7597caf9b369cba6edaf6eac25121cbc65ee938f14dZhongxing Xu RegionRawOffset RightOffset = RightER->getAsArrayOffset(); 760eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 761eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (LeftOffset.getRegion() != NULL && 762eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose LeftOffset.getRegion() == RightOffset.getRegion()) { 7639ff2b13aee0f89d23ef4820218f9b88bb5e5c1c1Ken Dyck CharUnits left = LeftOffset.getOffset(); 7649ff2b13aee0f89d23ef4820218f9b88bb5e5c1c1Ken Dyck CharUnits right = RightOffset.getOffset(); 765eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 766eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose switch (op) { 767eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose default: 768eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 7692de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LT: 770c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(left < right, resultTy); 7712de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GT: 772c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(left > right, resultTy); 7732de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_LE: 774c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(left <= right, resultTy); 7752de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_GE: 776c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(left >= right, resultTy); 7772de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_EQ: 778c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(left == right, resultTy); 7792de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall case BO_NE: 780c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(left != right, resultTy); 781eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 782eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 783eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 784eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // If we get here, we have no way of comparing the ElementRegions. 785cd8f6ac9b613e1fe962ebf9c87d822ce765275e6Ted Kremenek return UnknownVal(); 786eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 787eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 788eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // See if both regions are fields of the same structure. 789eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // FIXME: This doesn't handle nesting, inheritance, or Objective-C ivars. 790eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (const FieldRegion *LeftFR = dyn_cast<FieldRegion>(LeftMR)) { 791eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // Only comparisons are meaningful here! 792eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (!BinaryOperator::isComparisonOp(op)) 793eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 794eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 795eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // First see if the right region is also a FieldRegion. 796eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose const FieldRegion *RightFR = dyn_cast<FieldRegion>(RightMR); 797eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (!RightFR) 798eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 799eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 800eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // Next, see if the two FRs have the same super-region. 801eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // FIXME: This doesn't handle casts yet, and simply stripping the casts 802eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // doesn't help. 803eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (LeftFR->getSuperRegion() != RightFR->getSuperRegion()) 804eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 805eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 806eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose const FieldDecl *LeftFD = LeftFR->getDecl(); 807eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose const FieldDecl *RightFD = RightFR->getDecl(); 808eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose const RecordDecl *RD = LeftFD->getParent(); 809eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 810eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // Make sure the two FRs are from the same kind of record. Just in case! 811eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // FIXME: This is probably where inheritance would be a problem. 812eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (RD != RightFD->getParent()) 813eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 814eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 815eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // We know for sure that the two fields are not the same, since that 816eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // would have given us the same SVal. 8172de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall if (op == BO_EQ) 818c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(false, resultTy); 8192de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall if (op == BO_NE) 820c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(true, resultTy); 821eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 822eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // Iterate through the fields and see which one comes first. 823eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // [C99 6.7.2.1.13] "Within a structure object, the non-bit-field 824eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // members and the units in which bit-fields reside have addresses that 825eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // increase in the order in which they are declared." 8262de56d1d0c3a504ad1529de2677628bdfbb95cd4John McCall bool leftFirst = (op == BO_LT || op == BO_LE); 827eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose for (RecordDecl::field_iterator I = RD->field_begin(), 828eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose E = RD->field_end(); I!=E; ++I) { 829581deb3da481053c4993c7600f97acf7768caac5David Blaikie if (*I == LeftFD) 830c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(leftFirst, resultTy); 831581deb3da481053c4993c7600f97acf7768caac5David Blaikie if (*I == RightFD) 832c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return makeTruthVal(!leftFirst, resultTy); 833eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 834eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 835b219cfc4d75f0a03630b7c4509ef791b7e97b2c8David Blaikie llvm_unreachable("Fields not found in parent record's definition"); 836eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 837eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose 838eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose // If we get here, we have no way of comparing the regions. 839eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose return UnknownVal(); 840eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose } 841e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 842e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek} 843e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 8448bef8238181a30e52dea380789a7e2d760eac532Ted KremenekSVal SimpleSValBuilder::evalBinOpLN(ProgramStateRef state, 845e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek BinaryOperator::Opcode op, 8461eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump Loc lhs, NonLoc rhs, QualType resultTy) { 847a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek 848a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek // Special case: rhs is a zero constant. 849a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek if (rhs.isZeroConstant()) 850a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek return lhs; 851a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek 852e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // Special case: 'rhs' is an integer that has the same width as a pointer and 853e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // we are using the integer location in a comparison. Normally this cannot be 854e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // triggered, but transfer functions like those for OSCommpareAndSwapBarrier32 855e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // can generate comparisons that trigger this code. 856e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // FIXME: Are all locations guaranteed to have pointer width? 857eac4a00e1d93aa963903031ed76425c231f0f0b9Jordy Rose if (BinaryOperator::isComparisonOp(op)) { 858e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek if (nonloc::ConcreteInt *rhsInt = dyn_cast<nonloc::ConcreteInt>(&rhs)) { 859e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek const llvm::APSInt *x = &rhsInt->getValue(); 860c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek ASTContext &ctx = Context; 861e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek if (ctx.getTypeSize(ctx.VoidPtrTy) == x->getBitWidth()) { 862e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek // Convert the signedness of the integer (if necessary). 863e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek if (x->isSigned()) 864c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek x = &getBasicValueFactory().getValue(*x, true); 865e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek 8669c14953d0c84f7cf5adfb4cd3c0f05a9b1723c1cTed Kremenek return evalBinOpLL(state, op, lhs, loc::ConcreteInt(*x), resultTy); 867e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 868e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 8696400f02ab2048eb9aa2bc31b26db9f19a99d35f4Anna Zaks return UnknownVal(); 870e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek } 87156af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek 87256af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek // We are dealing with pointer arithmetic. 87356af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek 87456af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek // Handle pointer arithmetic on constant values. 87556af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek if (nonloc::ConcreteInt *rhsInt = dyn_cast<nonloc::ConcreteInt>(&rhs)) { 87656af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek if (loc::ConcreteInt *lhsInt = dyn_cast<loc::ConcreteInt>(&lhs)) { 87756af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek const llvm::APSInt &leftI = lhsInt->getValue(); 87856af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek assert(leftI.isUnsigned()); 87956af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek llvm::APSInt rightI(rhsInt->getValue(), /* isUnsigned */ true); 88056af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek 88156af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek // Convert the bitwidth of rightI. This should deal with overflow 88256af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek // since we are dealing with concrete values. 8839f71a8f4c7a182a5236da9e747d57cc1d1bd24c2Jay Foad rightI = rightI.extOrTrunc(leftI.getBitWidth()); 88456af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek 88556af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek // Offset the increment by the pointer size. 88656af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek llvm::APSInt Multiplicand(rightI.getBitWidth(), /* isUnsigned */ true); 88756af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek rightI *= Multiplicand; 88856af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek 88956af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek // Compute the adjusted pointer. 89056af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek switch (op) { 89156af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek case BO_Add: 89256af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek rightI = leftI + rightI; 89356af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek break; 89456af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek case BO_Sub: 89556af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek rightI = leftI - rightI; 89656af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek break; 89756af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek default: 89856af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek llvm_unreachable("Invalid pointer arithmetic operation"); 89956af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek } 900c8413fd03f73084a5c93028f8b4db619fc388087Ted Kremenek return loc::ConcreteInt(getBasicValueFactory().getValue(rightI)); 90156af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek } 90256af4462781d2fcd30dcf9a742cb66400e5e55b7Ted Kremenek } 9031eb4433ac451dc16f4133a88af2d002ac26c58efMike Stump 904a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek // Handle cases where 'lhs' is a region. 905a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek if (const MemRegion *region = lhs.getAsRegion()) { 906a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek rhs = cast<NonLoc>(convertToArrayIndex(rhs)); 907a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek SVal index = UnknownVal(); 908a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek const MemRegion *superR = 0; 909a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek QualType elementType; 910a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek 911a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek if (const ElementRegion *elemReg = dyn_cast<ElementRegion>(region)) { 9123bab50b802f402b7020aeb3ba6cec90bb149678cTed Kremenek assert(op == BO_Add || op == BO_Sub); 9133bab50b802f402b7020aeb3ba6cec90bb149678cTed Kremenek index = evalBinOpNN(state, op, elemReg->getIndex(), rhs, 914a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek getArrayIndexType()); 915a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek superR = elemReg->getSuperRegion(); 916a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek elementType = elemReg->getElementType(); 917a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek } 918a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek else if (isa<SubRegion>(region)) { 919a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek superR = region; 920a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek index = rhs; 921a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek if (const PointerType *PT = resultTy->getAs<PointerType>()) { 922a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek elementType = PT->getPointeeType(); 923a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek } 924a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek else { 925a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek const ObjCObjectPointerType *OT = 926a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek resultTy->getAs<ObjCObjectPointerType>(); 927a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek elementType = OT->getPointeeType(); 928a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek } 929a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek } 930a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek 931a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek if (NonLoc *indexV = dyn_cast<NonLoc>(&index)) { 932a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek return loc::MemRegionVal(MemMgr.getElementRegion(elementType, *indexV, 933a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek superR, getContext())); 934a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek } 935a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek } 936a6b0b96e5376cd9cf182a3e240e0537feed43cdeTed Kremenek return UnknownVal(); 937e8391728af4ce37c9c505be6efee6d2a5f926902Ted Kremenek} 93832f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose 9398bef8238181a30e52dea380789a7e2d760eac532Ted Kremenekconst llvm::APSInt *SimpleSValBuilder::getKnownValue(ProgramStateRef state, 94032f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose SVal V) { 94132f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose if (V.isUnknownOrUndef()) 94232f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose return NULL; 94332f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose 94432f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose if (loc::ConcreteInt* X = dyn_cast<loc::ConcreteInt>(&V)) 94532f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose return &X->getValue(); 94632f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose 94732f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose if (nonloc::ConcreteInt* X = dyn_cast<nonloc::ConcreteInt>(&V)) 94832f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose return &X->getValue(); 94932f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose 95032f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose if (SymbolRef Sym = V.getAsSymbol()) 95132f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose return state->getSymVal(Sym); 95232f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose 95332f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose // FIXME: Add support for SymExprs. 95432f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose return NULL; 95532f2656b90900ac04c4b50e87c16749d0ceb9ef2Jordy Rose} 956