SimpleSValBuilder.cpp revision 9b663716449b618ba0390b1dbebc54fa8e971124
1// SimpleSValBuilder.cpp - A basic SValBuilder -----------------------*- C++ -*- 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file defines SimpleSValBuilder, a basic implementation of SValBuilder. 11// 12//===----------------------------------------------------------------------===// 13 14#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" 15#include "clang/StaticAnalyzer/Core/PathSensitive/GRState.h" 16 17using namespace clang; 18using namespace ento; 19 20namespace { 21class SimpleSValBuilder : public SValBuilder { 22protected: 23 virtual SVal evalCastNL(NonLoc val, QualType castTy); 24 virtual SVal evalCastL(Loc val, QualType castTy); 25 26public: 27 SimpleSValBuilder(llvm::BumpPtrAllocator &alloc, ASTContext &context, 28 GRStateManager &stateMgr) 29 : SValBuilder(alloc, context, stateMgr) {} 30 virtual ~SimpleSValBuilder() {} 31 32 virtual SVal evalMinus(NonLoc val); 33 virtual SVal evalComplement(NonLoc val); 34 virtual SVal evalBinOpNN(const GRState *state, BinaryOperator::Opcode op, 35 NonLoc lhs, NonLoc rhs, QualType resultTy); 36 virtual SVal evalBinOpLL(const GRState *state, BinaryOperator::Opcode op, 37 Loc lhs, Loc rhs, QualType resultTy); 38 virtual SVal evalBinOpLN(const GRState *state, BinaryOperator::Opcode op, 39 Loc lhs, NonLoc rhs, QualType resultTy); 40 41 /// getKnownValue - evaluates a given SVal. If the SVal has only one possible 42 /// (integer) value, that value is returned. Otherwise, returns NULL. 43 virtual const llvm::APSInt *getKnownValue(const GRState *state, SVal V); 44 45 SVal MakeSymIntVal(const SymExpr *LHS, BinaryOperator::Opcode op, 46 const llvm::APSInt &RHS, QualType resultTy); 47}; 48} // end anonymous namespace 49 50SValBuilder *ento::createSimpleSValBuilder(llvm::BumpPtrAllocator &alloc, 51 ASTContext &context, 52 GRStateManager &stateMgr) { 53 return new SimpleSValBuilder(alloc, context, stateMgr); 54} 55 56//===----------------------------------------------------------------------===// 57// Transfer function for Casts. 58//===----------------------------------------------------------------------===// 59 60SVal SimpleSValBuilder::evalCastNL(NonLoc val, QualType castTy) { 61 62 bool isLocType = Loc::IsLocType(castTy); 63 64 if (nonloc::LocAsInteger *LI = dyn_cast<nonloc::LocAsInteger>(&val)) { 65 if (isLocType) 66 return LI->getLoc(); 67 68 // FIXME: Correctly support promotions/truncations. 69 unsigned castSize = Context.getTypeSize(castTy); 70 if (castSize == LI->getNumBits()) 71 return val; 72 return makeLocAsInteger(LI->getLoc(), castSize); 73 } 74 75 if (const SymExpr *se = val.getAsSymbolicExpression()) { 76 QualType T = Context.getCanonicalType(se->getType(Context)); 77 if (T == Context.getCanonicalType(castTy)) 78 return val; 79 80 // FIXME: Remove this hack when we support symbolic truncation/extension. 81 // HACK: If both castTy and T are integers, ignore the cast. This is 82 // not a permanent solution. Eventually we want to precisely handle 83 // extension/truncation of symbolic integers. This prevents us from losing 84 // precision when we assign 'x = y' and 'y' is symbolic and x and y are 85 // different integer types. 86 if (T->isIntegerType() && castTy->isIntegerType()) 87 return val; 88 89 return UnknownVal(); 90 } 91 92 if (!isa<nonloc::ConcreteInt>(val)) 93 return UnknownVal(); 94 95 // Only handle casts from integers to integers. 96 if (!isLocType && !castTy->isIntegerType()) 97 return UnknownVal(); 98 99 llvm::APSInt i = cast<nonloc::ConcreteInt>(val).getValue(); 100 i.setIsUnsigned(castTy->isUnsignedIntegerType() || Loc::IsLocType(castTy)); 101 i = i.extOrTrunc(Context.getTypeSize(castTy)); 102 103 if (isLocType) 104 return makeIntLocVal(i); 105 else 106 return makeIntVal(i); 107} 108 109SVal SimpleSValBuilder::evalCastL(Loc val, QualType castTy) { 110 111 // Casts from pointers -> pointers, just return the lval. 112 // 113 // Casts from pointers -> references, just return the lval. These 114 // can be introduced by the frontend for corner cases, e.g 115 // casting from va_list* to __builtin_va_list&. 116 // 117 if (Loc::IsLocType(castTy) || castTy->isReferenceType()) 118 return val; 119 120 // FIXME: Handle transparent unions where a value can be "transparently" 121 // lifted into a union type. 122 if (castTy->isUnionType()) 123 return UnknownVal(); 124 125 if (castTy->isIntegerType()) { 126 unsigned BitWidth = Context.getTypeSize(castTy); 127 128 if (!isa<loc::ConcreteInt>(val)) 129 return makeLocAsInteger(val, BitWidth); 130 131 llvm::APSInt i = cast<loc::ConcreteInt>(val).getValue(); 132 i.setIsUnsigned(castTy->isUnsignedIntegerType() || Loc::IsLocType(castTy)); 133 i = i.extOrTrunc(BitWidth); 134 return makeIntVal(i); 135 } 136 137 // All other cases: return 'UnknownVal'. This includes casting pointers 138 // to floats, which is probably badness it itself, but this is a good 139 // intermediate solution until we do something better. 140 return UnknownVal(); 141} 142 143//===----------------------------------------------------------------------===// 144// Transfer function for unary operators. 145//===----------------------------------------------------------------------===// 146 147SVal SimpleSValBuilder::evalMinus(NonLoc val) { 148 switch (val.getSubKind()) { 149 case nonloc::ConcreteIntKind: 150 return cast<nonloc::ConcreteInt>(val).evalMinus(*this); 151 default: 152 return UnknownVal(); 153 } 154} 155 156SVal SimpleSValBuilder::evalComplement(NonLoc X) { 157 switch (X.getSubKind()) { 158 case nonloc::ConcreteIntKind: 159 return cast<nonloc::ConcreteInt>(X).evalComplement(*this); 160 default: 161 return UnknownVal(); 162 } 163} 164 165//===----------------------------------------------------------------------===// 166// Transfer function for binary operators. 167//===----------------------------------------------------------------------===// 168 169static BinaryOperator::Opcode NegateComparison(BinaryOperator::Opcode op) { 170 switch (op) { 171 default: 172 assert(false && "Invalid opcode."); 173 case BO_LT: return BO_GE; 174 case BO_GT: return BO_LE; 175 case BO_LE: return BO_GT; 176 case BO_GE: return BO_LT; 177 case BO_EQ: return BO_NE; 178 case BO_NE: return BO_EQ; 179 } 180} 181 182static BinaryOperator::Opcode ReverseComparison(BinaryOperator::Opcode op) { 183 switch (op) { 184 default: 185 assert(false && "Invalid opcode."); 186 case BO_LT: return BO_GT; 187 case BO_GT: return BO_LT; 188 case BO_LE: return BO_GE; 189 case BO_GE: return BO_LE; 190 case BO_EQ: 191 case BO_NE: 192 return op; 193 } 194} 195 196SVal SimpleSValBuilder::MakeSymIntVal(const SymExpr *LHS, 197 BinaryOperator::Opcode op, 198 const llvm::APSInt &RHS, 199 QualType resultTy) { 200 bool isIdempotent = false; 201 202 // Check for a few special cases with known reductions first. 203 switch (op) { 204 default: 205 // We can't reduce this case; just treat it normally. 206 break; 207 case BO_Mul: 208 // a*0 and a*1 209 if (RHS == 0) 210 return makeIntVal(0, resultTy); 211 else if (RHS == 1) 212 isIdempotent = true; 213 break; 214 case BO_Div: 215 // a/0 and a/1 216 if (RHS == 0) 217 // This is also handled elsewhere. 218 return UndefinedVal(); 219 else if (RHS == 1) 220 isIdempotent = true; 221 break; 222 case BO_Rem: 223 // a%0 and a%1 224 if (RHS == 0) 225 // This is also handled elsewhere. 226 return UndefinedVal(); 227 else if (RHS == 1) 228 return makeIntVal(0, resultTy); 229 break; 230 case BO_Add: 231 case BO_Sub: 232 case BO_Shl: 233 case BO_Shr: 234 case BO_Xor: 235 // a+0, a-0, a<<0, a>>0, a^0 236 if (RHS == 0) 237 isIdempotent = true; 238 break; 239 case BO_And: 240 // a&0 and a&(~0) 241 if (RHS == 0) 242 return makeIntVal(0, resultTy); 243 else if (RHS.isAllOnesValue()) 244 isIdempotent = true; 245 break; 246 case BO_Or: 247 // a|0 and a|(~0) 248 if (RHS == 0) 249 isIdempotent = true; 250 else if (RHS.isAllOnesValue()) { 251 const llvm::APSInt &Result = BasicVals.Convert(resultTy, RHS); 252 return nonloc::ConcreteInt(Result); 253 } 254 break; 255 } 256 257 // Idempotent ops (like a*1) can still change the type of an expression. 258 // Wrap the LHS up in a NonLoc again and let evalCastNL do the dirty work. 259 if (isIdempotent) { 260 if (SymbolRef LHSSym = dyn_cast<SymbolData>(LHS)) 261 return evalCastNL(nonloc::SymbolVal(LHSSym), resultTy); 262 return evalCastNL(nonloc::SymExprVal(LHS), resultTy); 263 } 264 265 // If we reach this point, the expression cannot be simplified. 266 // Make a SymExprVal for the entire thing. 267 return makeNonLoc(LHS, op, RHS, resultTy); 268} 269 270SVal SimpleSValBuilder::evalBinOpNN(const GRState *state, 271 BinaryOperator::Opcode op, 272 NonLoc lhs, NonLoc rhs, 273 QualType resultTy) { 274 // Handle trivial case where left-side and right-side are the same. 275 if (lhs == rhs) 276 switch (op) { 277 default: 278 break; 279 case BO_EQ: 280 case BO_LE: 281 case BO_GE: 282 return makeTruthVal(true, resultTy); 283 case BO_LT: 284 case BO_GT: 285 case BO_NE: 286 return makeTruthVal(false, resultTy); 287 case BO_Xor: 288 case BO_Sub: 289 return makeIntVal(0, resultTy); 290 case BO_Or: 291 case BO_And: 292 return evalCastNL(lhs, resultTy); 293 } 294 295 while (1) { 296 switch (lhs.getSubKind()) { 297 default: 298 return UnknownVal(); 299 case nonloc::LocAsIntegerKind: { 300 Loc lhsL = cast<nonloc::LocAsInteger>(lhs).getLoc(); 301 switch (rhs.getSubKind()) { 302 case nonloc::LocAsIntegerKind: 303 return evalBinOpLL(state, op, lhsL, 304 cast<nonloc::LocAsInteger>(rhs).getLoc(), 305 resultTy); 306 case nonloc::ConcreteIntKind: { 307 // Transform the integer into a location and compare. 308 llvm::APSInt i = cast<nonloc::ConcreteInt>(rhs).getValue(); 309 i.setIsUnsigned(true); 310 i = i.extOrTrunc(Context.getTypeSize(Context.VoidPtrTy)); 311 return evalBinOpLL(state, op, lhsL, makeLoc(i), resultTy); 312 } 313 default: 314 switch (op) { 315 case BO_EQ: 316 return makeTruthVal(false, resultTy); 317 case BO_NE: 318 return makeTruthVal(true, resultTy); 319 default: 320 // This case also handles pointer arithmetic. 321 return UnknownVal(); 322 } 323 } 324 } 325 case nonloc::SymExprValKind: { 326 nonloc::SymExprVal *selhs = cast<nonloc::SymExprVal>(&lhs); 327 328 // Only handle LHS of the form "$sym op constant", at least for now. 329 const SymIntExpr *symIntExpr = 330 dyn_cast<SymIntExpr>(selhs->getSymbolicExpression()); 331 332 if (!symIntExpr) 333 return UnknownVal(); 334 335 // Is this a logical not? (!x is represented as x == 0.) 336 if (op == BO_EQ && rhs.isZeroConstant()) { 337 // We know how to negate certain expressions. Simplify them here. 338 339 BinaryOperator::Opcode opc = symIntExpr->getOpcode(); 340 switch (opc) { 341 default: 342 // We don't know how to negate this operation. 343 // Just handle it as if it were a normal comparison to 0. 344 break; 345 case BO_LAnd: 346 case BO_LOr: 347 assert(false && "Logical operators handled by branching logic."); 348 return UnknownVal(); 349 case BO_Assign: 350 case BO_MulAssign: 351 case BO_DivAssign: 352 case BO_RemAssign: 353 case BO_AddAssign: 354 case BO_SubAssign: 355 case BO_ShlAssign: 356 case BO_ShrAssign: 357 case BO_AndAssign: 358 case BO_XorAssign: 359 case BO_OrAssign: 360 case BO_Comma: 361 assert(false && "'=' and ',' operators handled by ExprEngine."); 362 return UnknownVal(); 363 case BO_PtrMemD: 364 case BO_PtrMemI: 365 assert(false && "Pointer arithmetic not handled here."); 366 return UnknownVal(); 367 case BO_LT: 368 case BO_GT: 369 case BO_LE: 370 case BO_GE: 371 case BO_EQ: 372 case BO_NE: 373 // Negate the comparison and make a value. 374 opc = NegateComparison(opc); 375 assert(symIntExpr->getType(Context) == resultTy); 376 return makeNonLoc(symIntExpr->getLHS(), opc, 377 symIntExpr->getRHS(), resultTy); 378 } 379 } 380 381 // For now, only handle expressions whose RHS is a constant. 382 const nonloc::ConcreteInt *rhsInt = dyn_cast<nonloc::ConcreteInt>(&rhs); 383 if (!rhsInt) 384 return UnknownVal(); 385 386 // If both the LHS and the current expression are additive, 387 // fold their constants. 388 if (BinaryOperator::isAdditiveOp(op)) { 389 BinaryOperator::Opcode lop = symIntExpr->getOpcode(); 390 if (BinaryOperator::isAdditiveOp(lop)) { 391 // resultTy may not be the best type to convert to, but it's 392 // probably the best choice in expressions with mixed type 393 // (such as x+1U+2LL). The rules for implicit conversions should 394 // choose a reasonable type to preserve the expression, and will 395 // at least match how the value is going to be used. 396 const llvm::APSInt &first = 397 BasicVals.Convert(resultTy, symIntExpr->getRHS()); 398 const llvm::APSInt &second = 399 BasicVals.Convert(resultTy, rhsInt->getValue()); 400 const llvm::APSInt *newRHS; 401 if (lop == op) 402 newRHS = BasicVals.evalAPSInt(BO_Add, first, second); 403 else 404 newRHS = BasicVals.evalAPSInt(BO_Sub, first, second); 405 return MakeSymIntVal(symIntExpr->getLHS(), lop, *newRHS, resultTy); 406 } 407 } 408 409 // Otherwise, make a SymExprVal out of the expression. 410 return MakeSymIntVal(symIntExpr, op, rhsInt->getValue(), resultTy); 411 } 412 case nonloc::ConcreteIntKind: { 413 const nonloc::ConcreteInt& lhsInt = cast<nonloc::ConcreteInt>(lhs); 414 415 if (isa<nonloc::ConcreteInt>(rhs)) { 416 return lhsInt.evalBinOp(*this, op, cast<nonloc::ConcreteInt>(rhs)); 417 } else { 418 const llvm::APSInt& lhsValue = lhsInt.getValue(); 419 420 // Swap the left and right sides and flip the operator if doing so 421 // allows us to better reason about the expression (this is a form 422 // of expression canonicalization). 423 // While we're at it, catch some special cases for non-commutative ops. 424 NonLoc tmp = rhs; 425 rhs = lhs; 426 lhs = tmp; 427 428 switch (op) { 429 case BO_LT: 430 case BO_GT: 431 case BO_LE: 432 case BO_GE: 433 op = ReverseComparison(op); 434 continue; 435 case BO_EQ: 436 case BO_NE: 437 case BO_Add: 438 case BO_Mul: 439 case BO_And: 440 case BO_Xor: 441 case BO_Or: 442 continue; 443 case BO_Shr: 444 if (lhsValue.isAllOnesValue() && lhsValue.isSigned()) 445 // At this point lhs and rhs have been swapped. 446 return rhs; 447 // FALL-THROUGH 448 case BO_Shl: 449 if (lhsValue == 0) 450 // At this point lhs and rhs have been swapped. 451 return rhs; 452 return UnknownVal(); 453 default: 454 return UnknownVal(); 455 } 456 } 457 } 458 case nonloc::SymbolValKind: { 459 nonloc::SymbolVal *slhs = cast<nonloc::SymbolVal>(&lhs); 460 SymbolRef Sym = slhs->getSymbol(); 461 // Does the symbol simplify to a constant? If so, "fold" the constant 462 // by setting 'lhs' to a ConcreteInt and try again. 463 if (Sym->getType(Context)->isIntegerType()) 464 if (const llvm::APSInt *Constant = state->getSymVal(Sym)) { 465 // The symbol evaluates to a constant. If necessary, promote the 466 // folded constant (LHS) to the result type. 467 const llvm::APSInt &lhs_I = BasicVals.Convert(resultTy, *Constant); 468 lhs = nonloc::ConcreteInt(lhs_I); 469 470 // Also promote the RHS (if necessary). 471 472 // For shifts, it is not necessary to promote the RHS. 473 if (BinaryOperator::isShiftOp(op)) 474 continue; 475 476 // Other operators: do an implicit conversion. This shouldn't be 477 // necessary once we support truncation/extension of symbolic values. 478 if (nonloc::ConcreteInt *rhs_I = dyn_cast<nonloc::ConcreteInt>(&rhs)){ 479 rhs = nonloc::ConcreteInt(BasicVals.Convert(resultTy, 480 rhs_I->getValue())); 481 } 482 483 continue; 484 } 485 486 // Is the RHS a symbol we can simplify? 487 if (const nonloc::SymbolVal *srhs = dyn_cast<nonloc::SymbolVal>(&rhs)) { 488 SymbolRef RSym = srhs->getSymbol(); 489 if (RSym->getType(Context)->isIntegerType()) { 490 if (const llvm::APSInt *Constant = state->getSymVal(RSym)) { 491 // The symbol evaluates to a constant. 492 const llvm::APSInt &rhs_I = BasicVals.Convert(resultTy, *Constant); 493 rhs = nonloc::ConcreteInt(rhs_I); 494 } 495 } 496 } 497 498 if (isa<nonloc::ConcreteInt>(rhs)) { 499 return MakeSymIntVal(slhs->getSymbol(), op, 500 cast<nonloc::ConcreteInt>(rhs).getValue(), 501 resultTy); 502 } 503 504 return UnknownVal(); 505 } 506 } 507 } 508} 509 510// FIXME: all this logic will change if/when we have MemRegion::getLocation(). 511SVal SimpleSValBuilder::evalBinOpLL(const GRState *state, 512 BinaryOperator::Opcode op, 513 Loc lhs, Loc rhs, 514 QualType resultTy) { 515 // Only comparisons and subtractions are valid operations on two pointers. 516 // See [C99 6.5.5 through 6.5.14] or [C++0x 5.6 through 5.15]. 517 // However, if a pointer is casted to an integer, evalBinOpNN may end up 518 // calling this function with another operation (PR7527). We don't attempt to 519 // model this for now, but it could be useful, particularly when the 520 // "location" is actually an integer value that's been passed through a void*. 521 if (!(BinaryOperator::isComparisonOp(op) || op == BO_Sub)) 522 return UnknownVal(); 523 524 // Special cases for when both sides are identical. 525 if (lhs == rhs) { 526 switch (op) { 527 default: 528 assert(false && "Unimplemented operation for two identical values"); 529 return UnknownVal(); 530 case BO_Sub: 531 return makeZeroVal(resultTy); 532 case BO_EQ: 533 case BO_LE: 534 case BO_GE: 535 return makeTruthVal(true, resultTy); 536 case BO_NE: 537 case BO_LT: 538 case BO_GT: 539 return makeTruthVal(false, resultTy); 540 } 541 } 542 543 switch (lhs.getSubKind()) { 544 default: 545 assert(false && "Ordering not implemented for this Loc."); 546 return UnknownVal(); 547 548 case loc::GotoLabelKind: 549 // The only thing we know about labels is that they're non-null. 550 if (rhs.isZeroConstant()) { 551 switch (op) { 552 default: 553 break; 554 case BO_Sub: 555 return evalCastL(lhs, resultTy); 556 case BO_EQ: 557 case BO_LE: 558 case BO_LT: 559 return makeTruthVal(false, resultTy); 560 case BO_NE: 561 case BO_GT: 562 case BO_GE: 563 return makeTruthVal(true, resultTy); 564 } 565 } 566 // There may be two labels for the same location, and a function region may 567 // have the same address as a label at the start of the function (depending 568 // on the ABI). 569 // FIXME: we can probably do a comparison against other MemRegions, though. 570 // FIXME: is there a way to tell if two labels refer to the same location? 571 return UnknownVal(); 572 573 case loc::ConcreteIntKind: { 574 // If one of the operands is a symbol and the other is a constant, 575 // build an expression for use by the constraint manager. 576 if (SymbolRef rSym = rhs.getAsLocSymbol()) { 577 // We can only build expressions with symbols on the left, 578 // so we need a reversible operator. 579 if (!BinaryOperator::isComparisonOp(op)) 580 return UnknownVal(); 581 582 const llvm::APSInt &lVal = cast<loc::ConcreteInt>(lhs).getValue(); 583 return makeNonLoc(rSym, ReverseComparison(op), lVal, resultTy); 584 } 585 586 // If both operands are constants, just perform the operation. 587 if (loc::ConcreteInt *rInt = dyn_cast<loc::ConcreteInt>(&rhs)) { 588 SVal ResultVal = cast<loc::ConcreteInt>(lhs).evalBinOp(BasicVals, op, 589 *rInt); 590 if (Loc *Result = dyn_cast<Loc>(&ResultVal)) 591 return evalCastL(*Result, resultTy); 592 else 593 return UnknownVal(); 594 } 595 596 // Special case comparisons against NULL. 597 // This must come after the test if the RHS is a symbol, which is used to 598 // build constraints. The address of any non-symbolic region is guaranteed 599 // to be non-NULL, as is any label. 600 assert(isa<loc::MemRegionVal>(rhs) || isa<loc::GotoLabel>(rhs)); 601 if (lhs.isZeroConstant()) { 602 switch (op) { 603 default: 604 break; 605 case BO_EQ: 606 case BO_GT: 607 case BO_GE: 608 return makeTruthVal(false, resultTy); 609 case BO_NE: 610 case BO_LT: 611 case BO_LE: 612 return makeTruthVal(true, resultTy); 613 } 614 } 615 616 // Comparing an arbitrary integer to a region or label address is 617 // completely unknowable. 618 return UnknownVal(); 619 } 620 case loc::MemRegionKind: { 621 if (loc::ConcreteInt *rInt = dyn_cast<loc::ConcreteInt>(&rhs)) { 622 // If one of the operands is a symbol and the other is a constant, 623 // build an expression for use by the constraint manager. 624 if (SymbolRef lSym = lhs.getAsLocSymbol()) 625 return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy); 626 627 // Special case comparisons to NULL. 628 // This must come after the test if the LHS is a symbol, which is used to 629 // build constraints. The address of any non-symbolic region is guaranteed 630 // to be non-NULL. 631 if (rInt->isZeroConstant()) { 632 switch (op) { 633 default: 634 break; 635 case BO_Sub: 636 return evalCastL(lhs, resultTy); 637 case BO_EQ: 638 case BO_LT: 639 case BO_LE: 640 return makeTruthVal(false, resultTy); 641 case BO_NE: 642 case BO_GT: 643 case BO_GE: 644 return makeTruthVal(true, resultTy); 645 } 646 } 647 648 // Comparing a region to an arbitrary integer is completely unknowable. 649 return UnknownVal(); 650 } 651 652 // Get both values as regions, if possible. 653 const MemRegion *LeftMR = lhs.getAsRegion(); 654 assert(LeftMR && "MemRegionKind SVal doesn't have a region!"); 655 656 const MemRegion *RightMR = rhs.getAsRegion(); 657 if (!RightMR) 658 // The RHS is probably a label, which in theory could address a region. 659 // FIXME: we can probably make a more useful statement about non-code 660 // regions, though. 661 return UnknownVal(); 662 663 // If both values wrap regions, see if they're from different base regions. 664 const MemRegion *LeftBase = LeftMR->getBaseRegion(); 665 const MemRegion *RightBase = RightMR->getBaseRegion(); 666 if (LeftBase != RightBase && 667 !isa<SymbolicRegion>(LeftBase) && !isa<SymbolicRegion>(RightBase)) { 668 switch (op) { 669 default: 670 return UnknownVal(); 671 case BO_EQ: 672 return makeTruthVal(false, resultTy); 673 case BO_NE: 674 return makeTruthVal(true, resultTy); 675 } 676 } 677 678 // The two regions are from the same base region. See if they're both a 679 // type of region we know how to compare. 680 681 // FIXME: If/when there is a getAsRawOffset() for FieldRegions, this 682 // ElementRegion path and the FieldRegion path below should be unified. 683 if (const ElementRegion *LeftER = dyn_cast<ElementRegion>(LeftMR)) { 684 // First see if the right region is also an ElementRegion. 685 const ElementRegion *RightER = dyn_cast<ElementRegion>(RightMR); 686 if (!RightER) 687 return UnknownVal(); 688 689 // Next, see if the two ERs have the same super-region and matching types. 690 // FIXME: This should do something useful even if the types don't match, 691 // though if both indexes are constant the RegionRawOffset path will 692 // give the correct answer. 693 if (LeftER->getSuperRegion() == RightER->getSuperRegion() && 694 LeftER->getElementType() == RightER->getElementType()) { 695 // Get the left index and cast it to the correct type. 696 // If the index is unknown or undefined, bail out here. 697 SVal LeftIndexVal = LeftER->getIndex(); 698 NonLoc *LeftIndex = dyn_cast<NonLoc>(&LeftIndexVal); 699 if (!LeftIndex) 700 return UnknownVal(); 701 LeftIndexVal = evalCastNL(*LeftIndex, resultTy); 702 LeftIndex = dyn_cast<NonLoc>(&LeftIndexVal); 703 if (!LeftIndex) 704 return UnknownVal(); 705 706 // Do the same for the right index. 707 SVal RightIndexVal = RightER->getIndex(); 708 NonLoc *RightIndex = dyn_cast<NonLoc>(&RightIndexVal); 709 if (!RightIndex) 710 return UnknownVal(); 711 RightIndexVal = evalCastNL(*RightIndex, resultTy); 712 RightIndex = dyn_cast<NonLoc>(&RightIndexVal); 713 if (!RightIndex) 714 return UnknownVal(); 715 716 // Actually perform the operation. 717 // evalBinOpNN expects the two indexes to already be the right type. 718 return evalBinOpNN(state, op, *LeftIndex, *RightIndex, resultTy); 719 } 720 721 // If the element indexes aren't comparable, see if the raw offsets are. 722 RegionRawOffset LeftOffset = LeftER->getAsArrayOffset(); 723 RegionRawOffset RightOffset = RightER->getAsArrayOffset(); 724 725 if (LeftOffset.getRegion() != NULL && 726 LeftOffset.getRegion() == RightOffset.getRegion()) { 727 CharUnits left = LeftOffset.getOffset(); 728 CharUnits right = RightOffset.getOffset(); 729 730 switch (op) { 731 default: 732 return UnknownVal(); 733 case BO_LT: 734 return makeTruthVal(left < right, resultTy); 735 case BO_GT: 736 return makeTruthVal(left > right, resultTy); 737 case BO_LE: 738 return makeTruthVal(left <= right, resultTy); 739 case BO_GE: 740 return makeTruthVal(left >= right, resultTy); 741 case BO_EQ: 742 return makeTruthVal(left == right, resultTy); 743 case BO_NE: 744 return makeTruthVal(left != right, resultTy); 745 } 746 } 747 748 // If we get here, we have no way of comparing the ElementRegions. 749 return UnknownVal(); 750 } 751 752 // See if both regions are fields of the same structure. 753 // FIXME: This doesn't handle nesting, inheritance, or Objective-C ivars. 754 if (const FieldRegion *LeftFR = dyn_cast<FieldRegion>(LeftMR)) { 755 // Only comparisons are meaningful here! 756 if (!BinaryOperator::isComparisonOp(op)) 757 return UnknownVal(); 758 759 // First see if the right region is also a FieldRegion. 760 const FieldRegion *RightFR = dyn_cast<FieldRegion>(RightMR); 761 if (!RightFR) 762 return UnknownVal(); 763 764 // Next, see if the two FRs have the same super-region. 765 // FIXME: This doesn't handle casts yet, and simply stripping the casts 766 // doesn't help. 767 if (LeftFR->getSuperRegion() != RightFR->getSuperRegion()) 768 return UnknownVal(); 769 770 const FieldDecl *LeftFD = LeftFR->getDecl(); 771 const FieldDecl *RightFD = RightFR->getDecl(); 772 const RecordDecl *RD = LeftFD->getParent(); 773 774 // Make sure the two FRs are from the same kind of record. Just in case! 775 // FIXME: This is probably where inheritance would be a problem. 776 if (RD != RightFD->getParent()) 777 return UnknownVal(); 778 779 // We know for sure that the two fields are not the same, since that 780 // would have given us the same SVal. 781 if (op == BO_EQ) 782 return makeTruthVal(false, resultTy); 783 if (op == BO_NE) 784 return makeTruthVal(true, resultTy); 785 786 // Iterate through the fields and see which one comes first. 787 // [C99 6.7.2.1.13] "Within a structure object, the non-bit-field 788 // members and the units in which bit-fields reside have addresses that 789 // increase in the order in which they are declared." 790 bool leftFirst = (op == BO_LT || op == BO_LE); 791 for (RecordDecl::field_iterator I = RD->field_begin(), 792 E = RD->field_end(); I!=E; ++I) { 793 if (*I == LeftFD) 794 return makeTruthVal(leftFirst, resultTy); 795 if (*I == RightFD) 796 return makeTruthVal(!leftFirst, resultTy); 797 } 798 799 assert(false && "Fields not found in parent record's definition"); 800 } 801 802 // If we get here, we have no way of comparing the regions. 803 return UnknownVal(); 804 } 805 } 806} 807 808SVal SimpleSValBuilder::evalBinOpLN(const GRState *state, 809 BinaryOperator::Opcode op, 810 Loc lhs, NonLoc rhs, QualType resultTy) { 811 812 // Special case: rhs is a zero constant. 813 if (rhs.isZeroConstant()) 814 return lhs; 815 816 // Special case: 'rhs' is an integer that has the same width as a pointer and 817 // we are using the integer location in a comparison. Normally this cannot be 818 // triggered, but transfer functions like those for OSCommpareAndSwapBarrier32 819 // can generate comparisons that trigger this code. 820 // FIXME: Are all locations guaranteed to have pointer width? 821 if (BinaryOperator::isComparisonOp(op)) { 822 if (nonloc::ConcreteInt *rhsInt = dyn_cast<nonloc::ConcreteInt>(&rhs)) { 823 const llvm::APSInt *x = &rhsInt->getValue(); 824 ASTContext &ctx = Context; 825 if (ctx.getTypeSize(ctx.VoidPtrTy) == x->getBitWidth()) { 826 // Convert the signedness of the integer (if necessary). 827 if (x->isSigned()) 828 x = &getBasicValueFactory().getValue(*x, true); 829 830 return evalBinOpLL(state, op, lhs, loc::ConcreteInt(*x), resultTy); 831 } 832 } 833 } 834 835 // We are dealing with pointer arithmetic. 836 837 // Handle pointer arithmetic on constant values. 838 if (nonloc::ConcreteInt *rhsInt = dyn_cast<nonloc::ConcreteInt>(&rhs)) { 839 if (loc::ConcreteInt *lhsInt = dyn_cast<loc::ConcreteInt>(&lhs)) { 840 const llvm::APSInt &leftI = lhsInt->getValue(); 841 assert(leftI.isUnsigned()); 842 llvm::APSInt rightI(rhsInt->getValue(), /* isUnsigned */ true); 843 844 // Convert the bitwidth of rightI. This should deal with overflow 845 // since we are dealing with concrete values. 846 rightI = rightI.extOrTrunc(leftI.getBitWidth()); 847 848 // Offset the increment by the pointer size. 849 llvm::APSInt Multiplicand(rightI.getBitWidth(), /* isUnsigned */ true); 850 rightI *= Multiplicand; 851 852 // Compute the adjusted pointer. 853 switch (op) { 854 case BO_Add: 855 rightI = leftI + rightI; 856 break; 857 case BO_Sub: 858 rightI = leftI - rightI; 859 break; 860 default: 861 llvm_unreachable("Invalid pointer arithmetic operation"); 862 } 863 return loc::ConcreteInt(getBasicValueFactory().getValue(rightI)); 864 } 865 } 866 867 // Handle cases where 'lhs' is a region. 868 if (const MemRegion *region = lhs.getAsRegion()) { 869 rhs = cast<NonLoc>(convertToArrayIndex(rhs)); 870 SVal index = UnknownVal(); 871 const MemRegion *superR = 0; 872 QualType elementType; 873 874 if (const ElementRegion *elemReg = dyn_cast<ElementRegion>(region)) { 875 index = evalBinOpNN(state, BO_Add, elemReg->getIndex(), rhs, 876 getArrayIndexType()); 877 superR = elemReg->getSuperRegion(); 878 elementType = elemReg->getElementType(); 879 } 880 else if (isa<SubRegion>(region)) { 881 superR = region; 882 index = rhs; 883 if (const PointerType *PT = resultTy->getAs<PointerType>()) { 884 elementType = PT->getPointeeType(); 885 } 886 else { 887 const ObjCObjectPointerType *OT = 888 resultTy->getAs<ObjCObjectPointerType>(); 889 elementType = OT->getPointeeType(); 890 } 891 } 892 893 if (NonLoc *indexV = dyn_cast<NonLoc>(&index)) { 894 return loc::MemRegionVal(MemMgr.getElementRegion(elementType, *indexV, 895 superR, getContext())); 896 } 897 } 898 return UnknownVal(); 899} 900 901const llvm::APSInt *SimpleSValBuilder::getKnownValue(const GRState *state, 902 SVal V) { 903 if (V.isUnknownOrUndef()) 904 return NULL; 905 906 if (loc::ConcreteInt* X = dyn_cast<loc::ConcreteInt>(&V)) 907 return &X->getValue(); 908 909 if (nonloc::ConcreteInt* X = dyn_cast<nonloc::ConcreteInt>(&V)) 910 return &X->getValue(); 911 912 if (SymbolRef Sym = V.getAsSymbol()) 913 return state->getSymVal(Sym); 914 915 // FIXME: Add support for SymExprs. 916 return NULL; 917} 918