SimpleSValBuilder.cpp revision 8569281fb7ce9b5ca164a0528b876acbb45eb989
1// SimpleSValBuilder.cpp - A basic SValBuilder -----------------------*- C++ -*- 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file defines SimpleSValBuilder, a basic implementation of SValBuilder. 11// 12//===----------------------------------------------------------------------===// 13 14#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" 15#include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" 16#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 17 18using namespace clang; 19using namespace ento; 20 21namespace { 22class SimpleSValBuilder : public SValBuilder { 23protected: 24 virtual SVal dispatchCast(SVal val, QualType castTy); 25 virtual SVal evalCastFromNonLoc(NonLoc val, QualType castTy); 26 virtual SVal evalCastFromLoc(Loc val, QualType castTy); 27 28public: 29 SimpleSValBuilder(llvm::BumpPtrAllocator &alloc, ASTContext &context, 30 ProgramStateManager &stateMgr) 31 : SValBuilder(alloc, context, stateMgr) {} 32 virtual ~SimpleSValBuilder() {} 33 34 virtual SVal evalMinus(NonLoc val); 35 virtual SVal evalComplement(NonLoc val); 36 virtual SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, 37 NonLoc lhs, NonLoc rhs, QualType resultTy); 38 virtual SVal evalBinOpLL(ProgramStateRef state, BinaryOperator::Opcode op, 39 Loc lhs, Loc rhs, QualType resultTy); 40 virtual SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op, 41 Loc lhs, NonLoc rhs, QualType resultTy); 42 43 /// getKnownValue - evaluates a given SVal. If the SVal has only one possible 44 /// (integer) value, that value is returned. Otherwise, returns NULL. 45 virtual const llvm::APSInt *getKnownValue(ProgramStateRef state, SVal V); 46 47 SVal MakeSymIntVal(const SymExpr *LHS, BinaryOperator::Opcode op, 48 const llvm::APSInt &RHS, QualType resultTy); 49}; 50} // end anonymous namespace 51 52SValBuilder *ento::createSimpleSValBuilder(llvm::BumpPtrAllocator &alloc, 53 ASTContext &context, 54 ProgramStateManager &stateMgr) { 55 return new SimpleSValBuilder(alloc, context, stateMgr); 56} 57 58//===----------------------------------------------------------------------===// 59// Transfer function for Casts. 60//===----------------------------------------------------------------------===// 61 62SVal SimpleSValBuilder::dispatchCast(SVal Val, QualType CastTy) { 63 assert(Val.getAs<Loc>() || Val.getAs<NonLoc>()); 64 return Val.getAs<Loc>() ? evalCastFromLoc(Val.castAs<Loc>(), CastTy) 65 : evalCastFromNonLoc(Val.castAs<NonLoc>(), CastTy); 66} 67 68SVal SimpleSValBuilder::evalCastFromNonLoc(NonLoc val, QualType castTy) { 69 70 bool isLocType = Loc::isLocType(castTy); 71 72 if (Optional<nonloc::LocAsInteger> LI = val.getAs<nonloc::LocAsInteger>()) { 73 if (isLocType) 74 return LI->getLoc(); 75 76 // FIXME: Correctly support promotions/truncations. 77 unsigned castSize = Context.getTypeSize(castTy); 78 if (castSize == LI->getNumBits()) 79 return val; 80 return makeLocAsInteger(LI->getLoc(), castSize); 81 } 82 83 if (const SymExpr *se = val.getAsSymbolicExpression()) { 84 QualType T = Context.getCanonicalType(se->getType()); 85 // If types are the same or both are integers, ignore the cast. 86 // FIXME: Remove this hack when we support symbolic truncation/extension. 87 // HACK: If both castTy and T are integers, ignore the cast. This is 88 // not a permanent solution. Eventually we want to precisely handle 89 // extension/truncation of symbolic integers. This prevents us from losing 90 // precision when we assign 'x = y' and 'y' is symbolic and x and y are 91 // different integer types. 92 if (haveSameType(T, castTy)) 93 return val; 94 95 if (!isLocType) 96 return makeNonLoc(se, T, castTy); 97 return UnknownVal(); 98 } 99 100 // If value is a non integer constant, produce unknown. 101 if (!val.getAs<nonloc::ConcreteInt>()) 102 return UnknownVal(); 103 104 // Handle casts to a boolean type. 105 if (castTy->isBooleanType()) { 106 bool b = val.castAs<nonloc::ConcreteInt>().getValue().getBoolValue(); 107 return makeTruthVal(b, castTy); 108 } 109 110 // Only handle casts from integers to integers - if val is an integer constant 111 // being cast to a non integer type, produce unknown. 112 if (!isLocType && !castTy->isIntegerType()) 113 return UnknownVal(); 114 115 llvm::APSInt i = val.castAs<nonloc::ConcreteInt>().getValue(); 116 BasicVals.getAPSIntType(castTy).apply(i); 117 118 if (isLocType) 119 return makeIntLocVal(i); 120 else 121 return makeIntVal(i); 122} 123 124SVal SimpleSValBuilder::evalCastFromLoc(Loc val, QualType castTy) { 125 126 // Casts from pointers -> pointers, just return the lval. 127 // 128 // Casts from pointers -> references, just return the lval. These 129 // can be introduced by the frontend for corner cases, e.g 130 // casting from va_list* to __builtin_va_list&. 131 // 132 if (Loc::isLocType(castTy) || castTy->isReferenceType()) 133 return val; 134 135 // FIXME: Handle transparent unions where a value can be "transparently" 136 // lifted into a union type. 137 if (castTy->isUnionType()) 138 return UnknownVal(); 139 140 if (castTy->isIntegerType()) { 141 unsigned BitWidth = Context.getTypeSize(castTy); 142 143 if (!val.getAs<loc::ConcreteInt>()) 144 return makeLocAsInteger(val, BitWidth); 145 146 llvm::APSInt i = val.castAs<loc::ConcreteInt>().getValue(); 147 BasicVals.getAPSIntType(castTy).apply(i); 148 return makeIntVal(i); 149 } 150 151 // All other cases: return 'UnknownVal'. This includes casting pointers 152 // to floats, which is probably badness it itself, but this is a good 153 // intermediate solution until we do something better. 154 return UnknownVal(); 155} 156 157//===----------------------------------------------------------------------===// 158// Transfer function for unary operators. 159//===----------------------------------------------------------------------===// 160 161SVal SimpleSValBuilder::evalMinus(NonLoc val) { 162 switch (val.getSubKind()) { 163 case nonloc::ConcreteIntKind: 164 return val.castAs<nonloc::ConcreteInt>().evalMinus(*this); 165 default: 166 return UnknownVal(); 167 } 168} 169 170SVal SimpleSValBuilder::evalComplement(NonLoc X) { 171 switch (X.getSubKind()) { 172 case nonloc::ConcreteIntKind: 173 return X.castAs<nonloc::ConcreteInt>().evalComplement(*this); 174 default: 175 return UnknownVal(); 176 } 177} 178 179//===----------------------------------------------------------------------===// 180// Transfer function for binary operators. 181//===----------------------------------------------------------------------===// 182 183SVal SimpleSValBuilder::MakeSymIntVal(const SymExpr *LHS, 184 BinaryOperator::Opcode op, 185 const llvm::APSInt &RHS, 186 QualType resultTy) { 187 bool isIdempotent = false; 188 189 // Check for a few special cases with known reductions first. 190 switch (op) { 191 default: 192 // We can't reduce this case; just treat it normally. 193 break; 194 case BO_Mul: 195 // a*0 and a*1 196 if (RHS == 0) 197 return makeIntVal(0, resultTy); 198 else if (RHS == 1) 199 isIdempotent = true; 200 break; 201 case BO_Div: 202 // a/0 and a/1 203 if (RHS == 0) 204 // This is also handled elsewhere. 205 return UndefinedVal(); 206 else if (RHS == 1) 207 isIdempotent = true; 208 break; 209 case BO_Rem: 210 // a%0 and a%1 211 if (RHS == 0) 212 // This is also handled elsewhere. 213 return UndefinedVal(); 214 else if (RHS == 1) 215 return makeIntVal(0, resultTy); 216 break; 217 case BO_Add: 218 case BO_Sub: 219 case BO_Shl: 220 case BO_Shr: 221 case BO_Xor: 222 // a+0, a-0, a<<0, a>>0, a^0 223 if (RHS == 0) 224 isIdempotent = true; 225 break; 226 case BO_And: 227 // a&0 and a&(~0) 228 if (RHS == 0) 229 return makeIntVal(0, resultTy); 230 else if (RHS.isAllOnesValue()) 231 isIdempotent = true; 232 break; 233 case BO_Or: 234 // a|0 and a|(~0) 235 if (RHS == 0) 236 isIdempotent = true; 237 else if (RHS.isAllOnesValue()) { 238 const llvm::APSInt &Result = BasicVals.Convert(resultTy, RHS); 239 return nonloc::ConcreteInt(Result); 240 } 241 break; 242 } 243 244 // Idempotent ops (like a*1) can still change the type of an expression. 245 // Wrap the LHS up in a NonLoc again and let evalCastFromNonLoc do the 246 // dirty work. 247 if (isIdempotent) 248 return evalCastFromNonLoc(nonloc::SymbolVal(LHS), resultTy); 249 250 // If we reach this point, the expression cannot be simplified. 251 // Make a SymbolVal for the entire expression, after converting the RHS. 252 const llvm::APSInt *ConvertedRHS = &RHS; 253 if (BinaryOperator::isComparisonOp(op)) { 254 // We're looking for a type big enough to compare the symbolic value 255 // with the given constant. 256 // FIXME: This is an approximation of Sema::UsualArithmeticConversions. 257 ASTContext &Ctx = getContext(); 258 QualType SymbolType = LHS->getType(); 259 uint64_t ValWidth = RHS.getBitWidth(); 260 uint64_t TypeWidth = Ctx.getTypeSize(SymbolType); 261 262 if (ValWidth < TypeWidth) { 263 // If the value is too small, extend it. 264 ConvertedRHS = &BasicVals.Convert(SymbolType, RHS); 265 } else if (ValWidth == TypeWidth) { 266 // If the value is signed but the symbol is unsigned, do the comparison 267 // in unsigned space. [C99 6.3.1.8] 268 // (For the opposite case, the value is already unsigned.) 269 if (RHS.isSigned() && !SymbolType->isSignedIntegerOrEnumerationType()) 270 ConvertedRHS = &BasicVals.Convert(SymbolType, RHS); 271 } 272 } else 273 ConvertedRHS = &BasicVals.Convert(resultTy, RHS); 274 275 return makeNonLoc(LHS, op, *ConvertedRHS, resultTy); 276} 277 278SVal SimpleSValBuilder::evalBinOpNN(ProgramStateRef state, 279 BinaryOperator::Opcode op, 280 NonLoc lhs, NonLoc rhs, 281 QualType resultTy) { 282 NonLoc InputLHS = lhs; 283 NonLoc InputRHS = rhs; 284 285 // Handle trivial case where left-side and right-side are the same. 286 if (lhs == rhs) 287 switch (op) { 288 default: 289 break; 290 case BO_EQ: 291 case BO_LE: 292 case BO_GE: 293 return makeTruthVal(true, resultTy); 294 case BO_LT: 295 case BO_GT: 296 case BO_NE: 297 return makeTruthVal(false, resultTy); 298 case BO_Xor: 299 case BO_Sub: 300 if (resultTy->isIntegralOrEnumerationType()) 301 return makeIntVal(0, resultTy); 302 return evalCastFromNonLoc(makeIntVal(0, /*Unsigned=*/false), resultTy); 303 case BO_Or: 304 case BO_And: 305 return evalCastFromNonLoc(lhs, resultTy); 306 } 307 308 while (1) { 309 switch (lhs.getSubKind()) { 310 default: 311 return makeSymExprValNN(state, op, lhs, rhs, resultTy); 312 case nonloc::LocAsIntegerKind: { 313 Loc lhsL = lhs.castAs<nonloc::LocAsInteger>().getLoc(); 314 switch (rhs.getSubKind()) { 315 case nonloc::LocAsIntegerKind: 316 return evalBinOpLL(state, op, lhsL, 317 rhs.castAs<nonloc::LocAsInteger>().getLoc(), 318 resultTy); 319 case nonloc::ConcreteIntKind: { 320 // Transform the integer into a location and compare. 321 llvm::APSInt i = rhs.castAs<nonloc::ConcreteInt>().getValue(); 322 BasicVals.getAPSIntType(Context.VoidPtrTy).apply(i); 323 return evalBinOpLL(state, op, lhsL, makeLoc(i), resultTy); 324 } 325 default: 326 switch (op) { 327 case BO_EQ: 328 return makeTruthVal(false, resultTy); 329 case BO_NE: 330 return makeTruthVal(true, resultTy); 331 default: 332 // This case also handles pointer arithmetic. 333 return makeSymExprValNN(state, op, InputLHS, InputRHS, resultTy); 334 } 335 } 336 } 337 case nonloc::ConcreteIntKind: { 338 llvm::APSInt LHSValue = lhs.castAs<nonloc::ConcreteInt>().getValue(); 339 340 // If we're dealing with two known constants, just perform the operation. 341 if (const llvm::APSInt *KnownRHSValue = getKnownValue(state, rhs)) { 342 llvm::APSInt RHSValue = *KnownRHSValue; 343 if (BinaryOperator::isComparisonOp(op)) { 344 // We're looking for a type big enough to compare the two values. 345 // FIXME: This is not correct. char + short will result in a promotion 346 // to int. Unfortunately we have lost types by this point. 347 APSIntType CompareType = std::max(APSIntType(LHSValue), 348 APSIntType(RHSValue)); 349 CompareType.apply(LHSValue); 350 CompareType.apply(RHSValue); 351 } else if (!BinaryOperator::isShiftOp(op)) { 352 APSIntType IntType = BasicVals.getAPSIntType(resultTy); 353 IntType.apply(LHSValue); 354 IntType.apply(RHSValue); 355 } 356 357 const llvm::APSInt *Result = 358 BasicVals.evalAPSInt(op, LHSValue, RHSValue); 359 if (!Result) 360 return UndefinedVal(); 361 362 return nonloc::ConcreteInt(*Result); 363 } 364 365 // Swap the left and right sides and flip the operator if doing so 366 // allows us to better reason about the expression (this is a form 367 // of expression canonicalization). 368 // While we're at it, catch some special cases for non-commutative ops. 369 switch (op) { 370 case BO_LT: 371 case BO_GT: 372 case BO_LE: 373 case BO_GE: 374 op = BinaryOperator::reverseComparisonOp(op); 375 // FALL-THROUGH 376 case BO_EQ: 377 case BO_NE: 378 case BO_Add: 379 case BO_Mul: 380 case BO_And: 381 case BO_Xor: 382 case BO_Or: 383 std::swap(lhs, rhs); 384 continue; 385 case BO_Shr: 386 // (~0)>>a 387 if (LHSValue.isAllOnesValue() && LHSValue.isSigned()) 388 return evalCastFromNonLoc(lhs, resultTy); 389 // FALL-THROUGH 390 case BO_Shl: 391 // 0<<a and 0>>a 392 if (LHSValue == 0) 393 return evalCastFromNonLoc(lhs, resultTy); 394 return makeSymExprValNN(state, op, InputLHS, InputRHS, resultTy); 395 default: 396 return makeSymExprValNN(state, op, InputLHS, InputRHS, resultTy); 397 } 398 } 399 case nonloc::SymbolValKind: { 400 // We only handle LHS as simple symbols or SymIntExprs. 401 SymbolRef Sym = lhs.castAs<nonloc::SymbolVal>().getSymbol(); 402 403 // LHS is a symbolic expression. 404 if (const SymIntExpr *symIntExpr = dyn_cast<SymIntExpr>(Sym)) { 405 406 // Is this a logical not? (!x is represented as x == 0.) 407 if (op == BO_EQ && rhs.isZeroConstant()) { 408 // We know how to negate certain expressions. Simplify them here. 409 410 BinaryOperator::Opcode opc = symIntExpr->getOpcode(); 411 switch (opc) { 412 default: 413 // We don't know how to negate this operation. 414 // Just handle it as if it were a normal comparison to 0. 415 break; 416 case BO_LAnd: 417 case BO_LOr: 418 llvm_unreachable("Logical operators handled by branching logic."); 419 case BO_Assign: 420 case BO_MulAssign: 421 case BO_DivAssign: 422 case BO_RemAssign: 423 case BO_AddAssign: 424 case BO_SubAssign: 425 case BO_ShlAssign: 426 case BO_ShrAssign: 427 case BO_AndAssign: 428 case BO_XorAssign: 429 case BO_OrAssign: 430 case BO_Comma: 431 llvm_unreachable("'=' and ',' operators handled by ExprEngine."); 432 case BO_PtrMemD: 433 case BO_PtrMemI: 434 llvm_unreachable("Pointer arithmetic not handled here."); 435 case BO_LT: 436 case BO_GT: 437 case BO_LE: 438 case BO_GE: 439 case BO_EQ: 440 case BO_NE: 441 // Negate the comparison and make a value. 442 opc = BinaryOperator::negateComparisonOp(opc); 443 assert(symIntExpr->getType() == resultTy); 444 return makeNonLoc(symIntExpr->getLHS(), opc, 445 symIntExpr->getRHS(), resultTy); 446 } 447 } 448 449 // For now, only handle expressions whose RHS is a constant. 450 if (const llvm::APSInt *RHSValue = getKnownValue(state, rhs)) { 451 // If both the LHS and the current expression are additive, 452 // fold their constants and try again. 453 if (BinaryOperator::isAdditiveOp(op)) { 454 BinaryOperator::Opcode lop = symIntExpr->getOpcode(); 455 if (BinaryOperator::isAdditiveOp(lop)) { 456 // Convert the two constants to a common type, then combine them. 457 458 // resultTy may not be the best type to convert to, but it's 459 // probably the best choice in expressions with mixed type 460 // (such as x+1U+2LL). The rules for implicit conversions should 461 // choose a reasonable type to preserve the expression, and will 462 // at least match how the value is going to be used. 463 APSIntType IntType = BasicVals.getAPSIntType(resultTy); 464 const llvm::APSInt &first = IntType.convert(symIntExpr->getRHS()); 465 const llvm::APSInt &second = IntType.convert(*RHSValue); 466 467 const llvm::APSInt *newRHS; 468 if (lop == op) 469 newRHS = BasicVals.evalAPSInt(BO_Add, first, second); 470 else 471 newRHS = BasicVals.evalAPSInt(BO_Sub, first, second); 472 473 assert(newRHS && "Invalid operation despite common type!"); 474 rhs = nonloc::ConcreteInt(*newRHS); 475 lhs = nonloc::SymbolVal(symIntExpr->getLHS()); 476 op = lop; 477 continue; 478 } 479 } 480 481 // Otherwise, make a SymIntExpr out of the expression. 482 return MakeSymIntVal(symIntExpr, op, *RHSValue, resultTy); 483 } 484 } 485 486 // Does the symbolic expression simplify to a constant? 487 // If so, "fold" the constant by setting 'lhs' to a ConcreteInt 488 // and try again. 489 ConstraintManager &CMgr = state->getConstraintManager(); 490 if (const llvm::APSInt *Constant = CMgr.getSymVal(state, Sym)) { 491 lhs = nonloc::ConcreteInt(*Constant); 492 continue; 493 } 494 495 // Is the RHS a constant? 496 if (const llvm::APSInt *RHSValue = getKnownValue(state, rhs)) 497 return MakeSymIntVal(Sym, op, *RHSValue, resultTy); 498 499 // Give up -- this is not a symbolic expression we can handle. 500 return makeSymExprValNN(state, op, InputLHS, InputRHS, resultTy); 501 } 502 } 503 } 504} 505 506// FIXME: all this logic will change if/when we have MemRegion::getLocation(). 507SVal SimpleSValBuilder::evalBinOpLL(ProgramStateRef state, 508 BinaryOperator::Opcode op, 509 Loc lhs, Loc rhs, 510 QualType resultTy) { 511 // Only comparisons and subtractions are valid operations on two pointers. 512 // See [C99 6.5.5 through 6.5.14] or [C++0x 5.6 through 5.15]. 513 // However, if a pointer is casted to an integer, evalBinOpNN may end up 514 // calling this function with another operation (PR7527). We don't attempt to 515 // model this for now, but it could be useful, particularly when the 516 // "location" is actually an integer value that's been passed through a void*. 517 if (!(BinaryOperator::isComparisonOp(op) || op == BO_Sub)) 518 return UnknownVal(); 519 520 // Special cases for when both sides are identical. 521 if (lhs == rhs) { 522 switch (op) { 523 default: 524 llvm_unreachable("Unimplemented operation for two identical values"); 525 case BO_Sub: 526 return makeZeroVal(resultTy); 527 case BO_EQ: 528 case BO_LE: 529 case BO_GE: 530 return makeTruthVal(true, resultTy); 531 case BO_NE: 532 case BO_LT: 533 case BO_GT: 534 return makeTruthVal(false, resultTy); 535 } 536 } 537 538 switch (lhs.getSubKind()) { 539 default: 540 llvm_unreachable("Ordering not implemented for this Loc."); 541 542 case loc::GotoLabelKind: 543 // The only thing we know about labels is that they're non-null. 544 if (rhs.isZeroConstant()) { 545 switch (op) { 546 default: 547 break; 548 case BO_Sub: 549 return evalCastFromLoc(lhs, resultTy); 550 case BO_EQ: 551 case BO_LE: 552 case BO_LT: 553 return makeTruthVal(false, resultTy); 554 case BO_NE: 555 case BO_GT: 556 case BO_GE: 557 return makeTruthVal(true, resultTy); 558 } 559 } 560 // There may be two labels for the same location, and a function region may 561 // have the same address as a label at the start of the function (depending 562 // on the ABI). 563 // FIXME: we can probably do a comparison against other MemRegions, though. 564 // FIXME: is there a way to tell if two labels refer to the same location? 565 return UnknownVal(); 566 567 case loc::ConcreteIntKind: { 568 // If one of the operands is a symbol and the other is a constant, 569 // build an expression for use by the constraint manager. 570 if (SymbolRef rSym = rhs.getAsLocSymbol()) { 571 // We can only build expressions with symbols on the left, 572 // so we need a reversible operator. 573 if (!BinaryOperator::isComparisonOp(op)) 574 return UnknownVal(); 575 576 const llvm::APSInt &lVal = lhs.castAs<loc::ConcreteInt>().getValue(); 577 op = BinaryOperator::reverseComparisonOp(op); 578 return makeNonLoc(rSym, op, lVal, resultTy); 579 } 580 581 // If both operands are constants, just perform the operation. 582 if (Optional<loc::ConcreteInt> rInt = rhs.getAs<loc::ConcreteInt>()) { 583 SVal ResultVal = 584 lhs.castAs<loc::ConcreteInt>().evalBinOp(BasicVals, op, *rInt); 585 if (Optional<Loc> Result = ResultVal.getAs<Loc>()) 586 return evalCastFromLoc(*Result, resultTy); 587 else 588 return UnknownVal(); 589 } 590 591 // Special case comparisons against NULL. 592 // This must come after the test if the RHS is a symbol, which is used to 593 // build constraints. The address of any non-symbolic region is guaranteed 594 // to be non-NULL, as is any label. 595 assert(rhs.getAs<loc::MemRegionVal>() || rhs.getAs<loc::GotoLabel>()); 596 if (lhs.isZeroConstant()) { 597 switch (op) { 598 default: 599 break; 600 case BO_EQ: 601 case BO_GT: 602 case BO_GE: 603 return makeTruthVal(false, resultTy); 604 case BO_NE: 605 case BO_LT: 606 case BO_LE: 607 return makeTruthVal(true, resultTy); 608 } 609 } 610 611 // Comparing an arbitrary integer to a region or label address is 612 // completely unknowable. 613 return UnknownVal(); 614 } 615 case loc::MemRegionKind: { 616 if (Optional<loc::ConcreteInt> rInt = rhs.getAs<loc::ConcreteInt>()) { 617 // If one of the operands is a symbol and the other is a constant, 618 // build an expression for use by the constraint manager. 619 if (SymbolRef lSym = lhs.getAsLocSymbol()) 620 return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy); 621 622 // Special case comparisons to NULL. 623 // This must come after the test if the LHS is a symbol, which is used to 624 // build constraints. The address of any non-symbolic region is guaranteed 625 // to be non-NULL. 626 if (rInt->isZeroConstant()) { 627 switch (op) { 628 default: 629 break; 630 case BO_Sub: 631 return evalCastFromLoc(lhs, resultTy); 632 case BO_EQ: 633 case BO_LT: 634 case BO_LE: 635 return makeTruthVal(false, resultTy); 636 case BO_NE: 637 case BO_GT: 638 case BO_GE: 639 return makeTruthVal(true, resultTy); 640 } 641 } 642 643 // Comparing a region to an arbitrary integer is completely unknowable. 644 return UnknownVal(); 645 } 646 647 // Get both values as regions, if possible. 648 const MemRegion *LeftMR = lhs.getAsRegion(); 649 assert(LeftMR && "MemRegionKind SVal doesn't have a region!"); 650 651 const MemRegion *RightMR = rhs.getAsRegion(); 652 if (!RightMR) 653 // The RHS is probably a label, which in theory could address a region. 654 // FIXME: we can probably make a more useful statement about non-code 655 // regions, though. 656 return UnknownVal(); 657 658 const MemRegion *LeftBase = LeftMR->getBaseRegion(); 659 const MemRegion *RightBase = RightMR->getBaseRegion(); 660 const MemSpaceRegion *LeftMS = LeftBase->getMemorySpace(); 661 const MemSpaceRegion *RightMS = RightBase->getMemorySpace(); 662 const MemSpaceRegion *UnknownMS = MemMgr.getUnknownRegion(); 663 664 // If the two regions are from different known memory spaces they cannot be 665 // equal. Also, assume that no symbolic region (whose memory space is 666 // unknown) is on the stack. 667 if (LeftMS != RightMS && 668 ((LeftMS != UnknownMS && RightMS != UnknownMS) || 669 (isa<StackSpaceRegion>(LeftMS) || isa<StackSpaceRegion>(RightMS)))) { 670 switch (op) { 671 default: 672 return UnknownVal(); 673 case BO_EQ: 674 return makeTruthVal(false, resultTy); 675 case BO_NE: 676 return makeTruthVal(true, resultTy); 677 } 678 } 679 680 // If both values wrap regions, see if they're from different base regions. 681 // Note, heap base symbolic regions are assumed to not alias with 682 // each other; for example, we assume that malloc returns different address 683 // on each invocation. 684 if (LeftBase != RightBase && 685 ((!isa<SymbolicRegion>(LeftBase) && !isa<SymbolicRegion>(RightBase)) || 686 (isa<HeapSpaceRegion>(LeftMS) || isa<HeapSpaceRegion>(RightMS))) ){ 687 switch (op) { 688 default: 689 return UnknownVal(); 690 case BO_EQ: 691 return makeTruthVal(false, resultTy); 692 case BO_NE: 693 return makeTruthVal(true, resultTy); 694 } 695 } 696 697 // FIXME: If/when there is a getAsRawOffset() for FieldRegions, this 698 // ElementRegion path and the FieldRegion path below should be unified. 699 if (const ElementRegion *LeftER = dyn_cast<ElementRegion>(LeftMR)) { 700 // First see if the right region is also an ElementRegion. 701 const ElementRegion *RightER = dyn_cast<ElementRegion>(RightMR); 702 if (!RightER) 703 return UnknownVal(); 704 705 // Next, see if the two ERs have the same super-region and matching types. 706 // FIXME: This should do something useful even if the types don't match, 707 // though if both indexes are constant the RegionRawOffset path will 708 // give the correct answer. 709 if (LeftER->getSuperRegion() == RightER->getSuperRegion() && 710 LeftER->getElementType() == RightER->getElementType()) { 711 // Get the left index and cast it to the correct type. 712 // If the index is unknown or undefined, bail out here. 713 SVal LeftIndexVal = LeftER->getIndex(); 714 Optional<NonLoc> LeftIndex = LeftIndexVal.getAs<NonLoc>(); 715 if (!LeftIndex) 716 return UnknownVal(); 717 LeftIndexVal = evalCastFromNonLoc(*LeftIndex, ArrayIndexTy); 718 LeftIndex = LeftIndexVal.getAs<NonLoc>(); 719 if (!LeftIndex) 720 return UnknownVal(); 721 722 // Do the same for the right index. 723 SVal RightIndexVal = RightER->getIndex(); 724 Optional<NonLoc> RightIndex = RightIndexVal.getAs<NonLoc>(); 725 if (!RightIndex) 726 return UnknownVal(); 727 RightIndexVal = evalCastFromNonLoc(*RightIndex, ArrayIndexTy); 728 RightIndex = RightIndexVal.getAs<NonLoc>(); 729 if (!RightIndex) 730 return UnknownVal(); 731 732 // Actually perform the operation. 733 // evalBinOpNN expects the two indexes to already be the right type. 734 return evalBinOpNN(state, op, *LeftIndex, *RightIndex, resultTy); 735 } 736 737 // If the element indexes aren't comparable, see if the raw offsets are. 738 RegionRawOffset LeftOffset = LeftER->getAsArrayOffset(); 739 RegionRawOffset RightOffset = RightER->getAsArrayOffset(); 740 741 if (LeftOffset.getRegion() != NULL && 742 LeftOffset.getRegion() == RightOffset.getRegion()) { 743 CharUnits left = LeftOffset.getOffset(); 744 CharUnits right = RightOffset.getOffset(); 745 746 switch (op) { 747 default: 748 return UnknownVal(); 749 case BO_LT: 750 return makeTruthVal(left < right, resultTy); 751 case BO_GT: 752 return makeTruthVal(left > right, resultTy); 753 case BO_LE: 754 return makeTruthVal(left <= right, resultTy); 755 case BO_GE: 756 return makeTruthVal(left >= right, resultTy); 757 case BO_EQ: 758 return makeTruthVal(left == right, resultTy); 759 case BO_NE: 760 return makeTruthVal(left != right, resultTy); 761 } 762 } 763 764 // If we get here, we have no way of comparing the ElementRegions. 765 } 766 767 // See if both regions are fields of the same structure. 768 // FIXME: This doesn't handle nesting, inheritance, or Objective-C ivars. 769 if (const FieldRegion *LeftFR = dyn_cast<FieldRegion>(LeftMR)) { 770 // Only comparisons are meaningful here! 771 if (!BinaryOperator::isComparisonOp(op)) 772 return UnknownVal(); 773 774 // First see if the right region is also a FieldRegion. 775 const FieldRegion *RightFR = dyn_cast<FieldRegion>(RightMR); 776 if (!RightFR) 777 return UnknownVal(); 778 779 // Next, see if the two FRs have the same super-region. 780 // FIXME: This doesn't handle casts yet, and simply stripping the casts 781 // doesn't help. 782 if (LeftFR->getSuperRegion() != RightFR->getSuperRegion()) 783 return UnknownVal(); 784 785 const FieldDecl *LeftFD = LeftFR->getDecl(); 786 const FieldDecl *RightFD = RightFR->getDecl(); 787 const RecordDecl *RD = LeftFD->getParent(); 788 789 // Make sure the two FRs are from the same kind of record. Just in case! 790 // FIXME: This is probably where inheritance would be a problem. 791 if (RD != RightFD->getParent()) 792 return UnknownVal(); 793 794 // We know for sure that the two fields are not the same, since that 795 // would have given us the same SVal. 796 if (op == BO_EQ) 797 return makeTruthVal(false, resultTy); 798 if (op == BO_NE) 799 return makeTruthVal(true, resultTy); 800 801 // Iterate through the fields and see which one comes first. 802 // [C99 6.7.2.1.13] "Within a structure object, the non-bit-field 803 // members and the units in which bit-fields reside have addresses that 804 // increase in the order in which they are declared." 805 bool leftFirst = (op == BO_LT || op == BO_LE); 806 for (RecordDecl::field_iterator I = RD->field_begin(), 807 E = RD->field_end(); I!=E; ++I) { 808 if (*I == LeftFD) 809 return makeTruthVal(leftFirst, resultTy); 810 if (*I == RightFD) 811 return makeTruthVal(!leftFirst, resultTy); 812 } 813 814 llvm_unreachable("Fields not found in parent record's definition"); 815 } 816 817 // At this point we're not going to get a good answer, but we can try 818 // conjuring an expression instead. 819 SymbolRef LHSSym = lhs.getAsLocSymbol(); 820 SymbolRef RHSSym = rhs.getAsLocSymbol(); 821 if (LHSSym && RHSSym) 822 return makeNonLoc(LHSSym, op, RHSSym, resultTy); 823 824 // If we get here, we have no way of comparing the regions. 825 return UnknownVal(); 826 } 827 } 828} 829 830SVal SimpleSValBuilder::evalBinOpLN(ProgramStateRef state, 831 BinaryOperator::Opcode op, 832 Loc lhs, NonLoc rhs, QualType resultTy) { 833 834 // Special case: rhs is a zero constant. 835 if (rhs.isZeroConstant()) 836 return lhs; 837 838 // Special case: 'rhs' is an integer that has the same width as a pointer and 839 // we are using the integer location in a comparison. Normally this cannot be 840 // triggered, but transfer functions like those for OSCompareAndSwapBarrier32 841 // can generate comparisons that trigger this code. 842 // FIXME: Are all locations guaranteed to have pointer width? 843 if (BinaryOperator::isComparisonOp(op)) { 844 if (Optional<nonloc::ConcreteInt> rhsInt = 845 rhs.getAs<nonloc::ConcreteInt>()) { 846 const llvm::APSInt *x = &rhsInt->getValue(); 847 ASTContext &ctx = Context; 848 if (ctx.getTypeSize(ctx.VoidPtrTy) == x->getBitWidth()) { 849 // Convert the signedness of the integer (if necessary). 850 if (x->isSigned()) 851 x = &getBasicValueFactory().getValue(*x, true); 852 853 return evalBinOpLL(state, op, lhs, loc::ConcreteInt(*x), resultTy); 854 } 855 } 856 return UnknownVal(); 857 } 858 859 // We are dealing with pointer arithmetic. 860 861 // Handle pointer arithmetic on constant values. 862 if (Optional<nonloc::ConcreteInt> rhsInt = rhs.getAs<nonloc::ConcreteInt>()) { 863 if (Optional<loc::ConcreteInt> lhsInt = lhs.getAs<loc::ConcreteInt>()) { 864 const llvm::APSInt &leftI = lhsInt->getValue(); 865 assert(leftI.isUnsigned()); 866 llvm::APSInt rightI(rhsInt->getValue(), /* isUnsigned */ true); 867 868 // Convert the bitwidth of rightI. This should deal with overflow 869 // since we are dealing with concrete values. 870 rightI = rightI.extOrTrunc(leftI.getBitWidth()); 871 872 // Offset the increment by the pointer size. 873 llvm::APSInt Multiplicand(rightI.getBitWidth(), /* isUnsigned */ true); 874 rightI *= Multiplicand; 875 876 // Compute the adjusted pointer. 877 switch (op) { 878 case BO_Add: 879 rightI = leftI + rightI; 880 break; 881 case BO_Sub: 882 rightI = leftI - rightI; 883 break; 884 default: 885 llvm_unreachable("Invalid pointer arithmetic operation"); 886 } 887 return loc::ConcreteInt(getBasicValueFactory().getValue(rightI)); 888 } 889 } 890 891 // Handle cases where 'lhs' is a region. 892 if (const MemRegion *region = lhs.getAsRegion()) { 893 rhs = convertToArrayIndex(rhs).castAs<NonLoc>(); 894 SVal index = UnknownVal(); 895 const MemRegion *superR = 0; 896 QualType elementType; 897 898 if (const ElementRegion *elemReg = dyn_cast<ElementRegion>(region)) { 899 assert(op == BO_Add || op == BO_Sub); 900 index = evalBinOpNN(state, op, elemReg->getIndex(), rhs, 901 getArrayIndexType()); 902 superR = elemReg->getSuperRegion(); 903 elementType = elemReg->getElementType(); 904 } 905 else if (isa<SubRegion>(region)) { 906 superR = region; 907 index = rhs; 908 if (resultTy->isAnyPointerType()) 909 elementType = resultTy->getPointeeType(); 910 } 911 912 if (Optional<NonLoc> indexV = index.getAs<NonLoc>()) { 913 return loc::MemRegionVal(MemMgr.getElementRegion(elementType, *indexV, 914 superR, getContext())); 915 } 916 } 917 return UnknownVal(); 918} 919 920const llvm::APSInt *SimpleSValBuilder::getKnownValue(ProgramStateRef state, 921 SVal V) { 922 if (V.isUnknownOrUndef()) 923 return NULL; 924 925 if (Optional<loc::ConcreteInt> X = V.getAs<loc::ConcreteInt>()) 926 return &X->getValue(); 927 928 if (Optional<nonloc::ConcreteInt> X = V.getAs<nonloc::ConcreteInt>()) 929 return &X->getValue(); 930 931 if (SymbolRef Sym = V.getAsSymbol()) 932 return state->getConstraintManager().getSymVal(state, Sym); 933 934 // FIXME: Add support for SymExprs. 935 return NULL; 936} 937