SimpleSValBuilder.cpp revision 9f8862aa64300ef97b8fe85034ee93bbc03e3b7b
1// SimpleSValBuilder.cpp - A basic SValBuilder -----------------------*- C++ -*- 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file defines SimpleSValBuilder, a basic implementation of SValBuilder. 11// 12//===----------------------------------------------------------------------===// 13 14#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" 15#include "clang/StaticAnalyzer/Core/PathSensitive/GRState.h" 16 17using namespace clang; 18using namespace ento; 19 20namespace { 21class SimpleSValBuilder : public SValBuilder { 22protected: 23 virtual SVal evalCastFromNonLoc(NonLoc val, QualType castTy); 24 virtual SVal evalCastFromLoc(Loc val, QualType castTy); 25 26public: 27 SimpleSValBuilder(llvm::BumpPtrAllocator &alloc, ASTContext &context, 28 GRStateManager &stateMgr) 29 : SValBuilder(alloc, context, stateMgr) {} 30 virtual ~SimpleSValBuilder() {} 31 32 virtual SVal evalMinus(NonLoc val); 33 virtual SVal evalComplement(NonLoc val); 34 virtual SVal evalBinOpNN(const GRState *state, BinaryOperator::Opcode op, 35 NonLoc lhs, NonLoc rhs, QualType resultTy); 36 virtual SVal evalBinOpLL(const GRState *state, BinaryOperator::Opcode op, 37 Loc lhs, Loc rhs, QualType resultTy); 38 virtual SVal evalBinOpLN(const GRState *state, BinaryOperator::Opcode op, 39 Loc lhs, NonLoc rhs, QualType resultTy); 40 41 /// getKnownValue - evaluates a given SVal. If the SVal has only one possible 42 /// (integer) value, that value is returned. Otherwise, returns NULL. 43 virtual const llvm::APSInt *getKnownValue(const GRState *state, SVal V); 44 45 SVal MakeSymIntVal(const SymExpr *LHS, BinaryOperator::Opcode op, 46 const llvm::APSInt &RHS, QualType resultTy); 47}; 48} // end anonymous namespace 49 50SValBuilder *ento::createSimpleSValBuilder(llvm::BumpPtrAllocator &alloc, 51 ASTContext &context, 52 GRStateManager &stateMgr) { 53 return new SimpleSValBuilder(alloc, context, stateMgr); 54} 55 56//===----------------------------------------------------------------------===// 57// Transfer function for Casts. 58//===----------------------------------------------------------------------===// 59 60SVal SimpleSValBuilder::evalCastFromNonLoc(NonLoc val, QualType castTy) { 61 62 bool isLocType = Loc::isLocType(castTy); 63 64 if (nonloc::LocAsInteger *LI = dyn_cast<nonloc::LocAsInteger>(&val)) { 65 if (isLocType) 66 return LI->getLoc(); 67 68 // FIXME: Correctly support promotions/truncations. 69 unsigned castSize = Context.getTypeSize(castTy); 70 if (castSize == LI->getNumBits()) 71 return val; 72 return makeLocAsInteger(LI->getLoc(), castSize); 73 } 74 75 if (const SymExpr *se = val.getAsSymbolicExpression()) { 76 QualType T = Context.getCanonicalType(se->getType(Context)); 77 if (T == Context.getCanonicalType(castTy)) 78 return val; 79 80 // FIXME: Remove this hack when we support symbolic truncation/extension. 81 // HACK: If both castTy and T are integers, ignore the cast. This is 82 // not a permanent solution. Eventually we want to precisely handle 83 // extension/truncation of symbolic integers. This prevents us from losing 84 // precision when we assign 'x = y' and 'y' is symbolic and x and y are 85 // different integer types. 86 if (T->isIntegerType() && castTy->isIntegerType()) 87 return val; 88 89 return UnknownVal(); 90 } 91 92 if (!isa<nonloc::ConcreteInt>(val)) 93 return UnknownVal(); 94 95 // Only handle casts from integers to integers. 96 if (!isLocType && !castTy->isIntegerType()) 97 return UnknownVal(); 98 99 llvm::APSInt i = cast<nonloc::ConcreteInt>(val).getValue(); 100 i.setIsUnsigned(castTy->isUnsignedIntegerType() || Loc::isLocType(castTy)); 101 i = i.extOrTrunc(Context.getTypeSize(castTy)); 102 103 if (isLocType) 104 return makeIntLocVal(i); 105 else 106 return makeIntVal(i); 107} 108 109SVal SimpleSValBuilder::evalCastFromLoc(Loc val, QualType castTy) { 110 111 // Casts from pointers -> pointers, just return the lval. 112 // 113 // Casts from pointers -> references, just return the lval. These 114 // can be introduced by the frontend for corner cases, e.g 115 // casting from va_list* to __builtin_va_list&. 116 // 117 if (Loc::isLocType(castTy) || castTy->isReferenceType()) 118 return val; 119 120 // FIXME: Handle transparent unions where a value can be "transparently" 121 // lifted into a union type. 122 if (castTy->isUnionType()) 123 return UnknownVal(); 124 125 if (castTy->isIntegerType()) { 126 unsigned BitWidth = Context.getTypeSize(castTy); 127 128 if (!isa<loc::ConcreteInt>(val)) 129 return makeLocAsInteger(val, BitWidth); 130 131 llvm::APSInt i = cast<loc::ConcreteInt>(val).getValue(); 132 i.setIsUnsigned(castTy->isUnsignedIntegerType() || Loc::isLocType(castTy)); 133 i = i.extOrTrunc(BitWidth); 134 return makeIntVal(i); 135 } 136 137 // All other cases: return 'UnknownVal'. This includes casting pointers 138 // to floats, which is probably badness it itself, but this is a good 139 // intermediate solution until we do something better. 140 return UnknownVal(); 141} 142 143//===----------------------------------------------------------------------===// 144// Transfer function for unary operators. 145//===----------------------------------------------------------------------===// 146 147SVal SimpleSValBuilder::evalMinus(NonLoc val) { 148 switch (val.getSubKind()) { 149 case nonloc::ConcreteIntKind: 150 return cast<nonloc::ConcreteInt>(val).evalMinus(*this); 151 default: 152 return UnknownVal(); 153 } 154} 155 156SVal SimpleSValBuilder::evalComplement(NonLoc X) { 157 switch (X.getSubKind()) { 158 case nonloc::ConcreteIntKind: 159 return cast<nonloc::ConcreteInt>(X).evalComplement(*this); 160 default: 161 return UnknownVal(); 162 } 163} 164 165//===----------------------------------------------------------------------===// 166// Transfer function for binary operators. 167//===----------------------------------------------------------------------===// 168 169static BinaryOperator::Opcode NegateComparison(BinaryOperator::Opcode op) { 170 switch (op) { 171 default: 172 assert(false && "Invalid opcode."); 173 case BO_LT: return BO_GE; 174 case BO_GT: return BO_LE; 175 case BO_LE: return BO_GT; 176 case BO_GE: return BO_LT; 177 case BO_EQ: return BO_NE; 178 case BO_NE: return BO_EQ; 179 } 180} 181 182static BinaryOperator::Opcode ReverseComparison(BinaryOperator::Opcode op) { 183 switch (op) { 184 default: 185 assert(false && "Invalid opcode."); 186 case BO_LT: return BO_GT; 187 case BO_GT: return BO_LT; 188 case BO_LE: return BO_GE; 189 case BO_GE: return BO_LE; 190 case BO_EQ: 191 case BO_NE: 192 return op; 193 } 194} 195 196SVal SimpleSValBuilder::MakeSymIntVal(const SymExpr *LHS, 197 BinaryOperator::Opcode op, 198 const llvm::APSInt &RHS, 199 QualType resultTy) { 200 bool isIdempotent = false; 201 202 // Check for a few special cases with known reductions first. 203 switch (op) { 204 default: 205 // We can't reduce this case; just treat it normally. 206 break; 207 case BO_Mul: 208 // a*0 and a*1 209 if (RHS == 0) 210 return makeIntVal(0, resultTy); 211 else if (RHS == 1) 212 isIdempotent = true; 213 break; 214 case BO_Div: 215 // a/0 and a/1 216 if (RHS == 0) 217 // This is also handled elsewhere. 218 return UndefinedVal(); 219 else if (RHS == 1) 220 isIdempotent = true; 221 break; 222 case BO_Rem: 223 // a%0 and a%1 224 if (RHS == 0) 225 // This is also handled elsewhere. 226 return UndefinedVal(); 227 else if (RHS == 1) 228 return makeIntVal(0, resultTy); 229 break; 230 case BO_Add: 231 case BO_Sub: 232 case BO_Shl: 233 case BO_Shr: 234 case BO_Xor: 235 // a+0, a-0, a<<0, a>>0, a^0 236 if (RHS == 0) 237 isIdempotent = true; 238 break; 239 case BO_And: 240 // a&0 and a&(~0) 241 if (RHS == 0) 242 return makeIntVal(0, resultTy); 243 else if (RHS.isAllOnesValue()) 244 isIdempotent = true; 245 break; 246 case BO_Or: 247 // a|0 and a|(~0) 248 if (RHS == 0) 249 isIdempotent = true; 250 else if (RHS.isAllOnesValue()) { 251 const llvm::APSInt &Result = BasicVals.Convert(resultTy, RHS); 252 return nonloc::ConcreteInt(Result); 253 } 254 break; 255 } 256 257 // Idempotent ops (like a*1) can still change the type of an expression. 258 // Wrap the LHS up in a NonLoc again and let evalCastFromNonLoc do the 259 // dirty work. 260 if (isIdempotent) { 261 if (SymbolRef LHSSym = dyn_cast<SymbolData>(LHS)) 262 return evalCastFromNonLoc(nonloc::SymbolVal(LHSSym), resultTy); 263 return evalCastFromNonLoc(nonloc::SymExprVal(LHS), resultTy); 264 } 265 266 // If we reach this point, the expression cannot be simplified. 267 // Make a SymExprVal for the entire thing. 268 return makeNonLoc(LHS, op, RHS, resultTy); 269} 270 271SVal SimpleSValBuilder::evalBinOpNN(const GRState *state, 272 BinaryOperator::Opcode op, 273 NonLoc lhs, NonLoc rhs, 274 QualType resultTy) { 275 // Handle trivial case where left-side and right-side are the same. 276 if (lhs == rhs) 277 switch (op) { 278 default: 279 break; 280 case BO_EQ: 281 case BO_LE: 282 case BO_GE: 283 return makeTruthVal(true, resultTy); 284 case BO_LT: 285 case BO_GT: 286 case BO_NE: 287 return makeTruthVal(false, resultTy); 288 case BO_Xor: 289 case BO_Sub: 290 return makeIntVal(0, resultTy); 291 case BO_Or: 292 case BO_And: 293 return evalCastFromNonLoc(lhs, resultTy); 294 } 295 296 while (1) { 297 switch (lhs.getSubKind()) { 298 default: 299 return UnknownVal(); 300 case nonloc::LocAsIntegerKind: { 301 Loc lhsL = cast<nonloc::LocAsInteger>(lhs).getLoc(); 302 switch (rhs.getSubKind()) { 303 case nonloc::LocAsIntegerKind: 304 return evalBinOpLL(state, op, lhsL, 305 cast<nonloc::LocAsInteger>(rhs).getLoc(), 306 resultTy); 307 case nonloc::ConcreteIntKind: { 308 // Transform the integer into a location and compare. 309 llvm::APSInt i = cast<nonloc::ConcreteInt>(rhs).getValue(); 310 i.setIsUnsigned(true); 311 i = i.extOrTrunc(Context.getTypeSize(Context.VoidPtrTy)); 312 return evalBinOpLL(state, op, lhsL, makeLoc(i), resultTy); 313 } 314 default: 315 switch (op) { 316 case BO_EQ: 317 return makeTruthVal(false, resultTy); 318 case BO_NE: 319 return makeTruthVal(true, resultTy); 320 default: 321 // This case also handles pointer arithmetic. 322 return UnknownVal(); 323 } 324 } 325 } 326 case nonloc::SymExprValKind: { 327 nonloc::SymExprVal *selhs = cast<nonloc::SymExprVal>(&lhs); 328 329 // Only handle LHS of the form "$sym op constant", at least for now. 330 const SymIntExpr *symIntExpr = 331 dyn_cast<SymIntExpr>(selhs->getSymbolicExpression()); 332 333 if (!symIntExpr) 334 return UnknownVal(); 335 336 // Is this a logical not? (!x is represented as x == 0.) 337 if (op == BO_EQ && rhs.isZeroConstant()) { 338 // We know how to negate certain expressions. Simplify them here. 339 340 BinaryOperator::Opcode opc = symIntExpr->getOpcode(); 341 switch (opc) { 342 default: 343 // We don't know how to negate this operation. 344 // Just handle it as if it were a normal comparison to 0. 345 break; 346 case BO_LAnd: 347 case BO_LOr: 348 assert(false && "Logical operators handled by branching logic."); 349 return UnknownVal(); 350 case BO_Assign: 351 case BO_MulAssign: 352 case BO_DivAssign: 353 case BO_RemAssign: 354 case BO_AddAssign: 355 case BO_SubAssign: 356 case BO_ShlAssign: 357 case BO_ShrAssign: 358 case BO_AndAssign: 359 case BO_XorAssign: 360 case BO_OrAssign: 361 case BO_Comma: 362 assert(false && "'=' and ',' operators handled by ExprEngine."); 363 return UnknownVal(); 364 case BO_PtrMemD: 365 case BO_PtrMemI: 366 assert(false && "Pointer arithmetic not handled here."); 367 return UnknownVal(); 368 case BO_LT: 369 case BO_GT: 370 case BO_LE: 371 case BO_GE: 372 case BO_EQ: 373 case BO_NE: 374 // Negate the comparison and make a value. 375 opc = NegateComparison(opc); 376 assert(symIntExpr->getType(Context) == resultTy); 377 return makeNonLoc(symIntExpr->getLHS(), opc, 378 symIntExpr->getRHS(), resultTy); 379 } 380 } 381 382 // For now, only handle expressions whose RHS is a constant. 383 const nonloc::ConcreteInt *rhsInt = dyn_cast<nonloc::ConcreteInt>(&rhs); 384 if (!rhsInt) 385 return UnknownVal(); 386 387 // If both the LHS and the current expression are additive, 388 // fold their constants. 389 if (BinaryOperator::isAdditiveOp(op)) { 390 BinaryOperator::Opcode lop = symIntExpr->getOpcode(); 391 if (BinaryOperator::isAdditiveOp(lop)) { 392 // resultTy may not be the best type to convert to, but it's 393 // probably the best choice in expressions with mixed type 394 // (such as x+1U+2LL). The rules for implicit conversions should 395 // choose a reasonable type to preserve the expression, and will 396 // at least match how the value is going to be used. 397 const llvm::APSInt &first = 398 BasicVals.Convert(resultTy, symIntExpr->getRHS()); 399 const llvm::APSInt &second = 400 BasicVals.Convert(resultTy, rhsInt->getValue()); 401 const llvm::APSInt *newRHS; 402 if (lop == op) 403 newRHS = BasicVals.evalAPSInt(BO_Add, first, second); 404 else 405 newRHS = BasicVals.evalAPSInt(BO_Sub, first, second); 406 return MakeSymIntVal(symIntExpr->getLHS(), lop, *newRHS, resultTy); 407 } 408 } 409 410 // Otherwise, make a SymExprVal out of the expression. 411 return MakeSymIntVal(symIntExpr, op, rhsInt->getValue(), resultTy); 412 } 413 case nonloc::ConcreteIntKind: { 414 const nonloc::ConcreteInt& lhsInt = cast<nonloc::ConcreteInt>(lhs); 415 416 if (isa<nonloc::ConcreteInt>(rhs)) { 417 return lhsInt.evalBinOp(*this, op, cast<nonloc::ConcreteInt>(rhs)); 418 } else { 419 const llvm::APSInt& lhsValue = lhsInt.getValue(); 420 421 // Swap the left and right sides and flip the operator if doing so 422 // allows us to better reason about the expression (this is a form 423 // of expression canonicalization). 424 // While we're at it, catch some special cases for non-commutative ops. 425 NonLoc tmp = rhs; 426 rhs = lhs; 427 lhs = tmp; 428 429 switch (op) { 430 case BO_LT: 431 case BO_GT: 432 case BO_LE: 433 case BO_GE: 434 op = ReverseComparison(op); 435 continue; 436 case BO_EQ: 437 case BO_NE: 438 case BO_Add: 439 case BO_Mul: 440 case BO_And: 441 case BO_Xor: 442 case BO_Or: 443 continue; 444 case BO_Shr: 445 if (lhsValue.isAllOnesValue() && lhsValue.isSigned()) 446 // At this point lhs and rhs have been swapped. 447 return rhs; 448 // FALL-THROUGH 449 case BO_Shl: 450 if (lhsValue == 0) 451 // At this point lhs and rhs have been swapped. 452 return rhs; 453 return UnknownVal(); 454 default: 455 return UnknownVal(); 456 } 457 } 458 } 459 case nonloc::SymbolValKind: { 460 nonloc::SymbolVal *slhs = cast<nonloc::SymbolVal>(&lhs); 461 SymbolRef Sym = slhs->getSymbol(); 462 // Does the symbol simplify to a constant? If so, "fold" the constant 463 // by setting 'lhs' to a ConcreteInt and try again. 464 if (Sym->getType(Context)->isIntegerType()) 465 if (const llvm::APSInt *Constant = state->getSymVal(Sym)) { 466 // The symbol evaluates to a constant. If necessary, promote the 467 // folded constant (LHS) to the result type. 468 const llvm::APSInt &lhs_I = BasicVals.Convert(resultTy, *Constant); 469 lhs = nonloc::ConcreteInt(lhs_I); 470 471 // Also promote the RHS (if necessary). 472 473 // For shifts, it is not necessary to promote the RHS. 474 if (BinaryOperator::isShiftOp(op)) 475 continue; 476 477 // Other operators: do an implicit conversion. This shouldn't be 478 // necessary once we support truncation/extension of symbolic values. 479 if (nonloc::ConcreteInt *rhs_I = dyn_cast<nonloc::ConcreteInt>(&rhs)){ 480 rhs = nonloc::ConcreteInt(BasicVals.Convert(resultTy, 481 rhs_I->getValue())); 482 } 483 484 continue; 485 } 486 487 // Is the RHS a symbol we can simplify? 488 if (const nonloc::SymbolVal *srhs = dyn_cast<nonloc::SymbolVal>(&rhs)) { 489 SymbolRef RSym = srhs->getSymbol(); 490 if (RSym->getType(Context)->isIntegerType()) { 491 if (const llvm::APSInt *Constant = state->getSymVal(RSym)) { 492 // The symbol evaluates to a constant. 493 const llvm::APSInt &rhs_I = BasicVals.Convert(resultTy, *Constant); 494 rhs = nonloc::ConcreteInt(rhs_I); 495 } 496 } 497 } 498 499 if (isa<nonloc::ConcreteInt>(rhs)) { 500 return MakeSymIntVal(slhs->getSymbol(), op, 501 cast<nonloc::ConcreteInt>(rhs).getValue(), 502 resultTy); 503 } 504 505 return UnknownVal(); 506 } 507 } 508 } 509} 510 511// FIXME: all this logic will change if/when we have MemRegion::getLocation(). 512SVal SimpleSValBuilder::evalBinOpLL(const GRState *state, 513 BinaryOperator::Opcode op, 514 Loc lhs, Loc rhs, 515 QualType resultTy) { 516 // Only comparisons and subtractions are valid operations on two pointers. 517 // See [C99 6.5.5 through 6.5.14] or [C++0x 5.6 through 5.15]. 518 // However, if a pointer is casted to an integer, evalBinOpNN may end up 519 // calling this function with another operation (PR7527). We don't attempt to 520 // model this for now, but it could be useful, particularly when the 521 // "location" is actually an integer value that's been passed through a void*. 522 if (!(BinaryOperator::isComparisonOp(op) || op == BO_Sub)) 523 return UnknownVal(); 524 525 // Special cases for when both sides are identical. 526 if (lhs == rhs) { 527 switch (op) { 528 default: 529 assert(false && "Unimplemented operation for two identical values"); 530 return UnknownVal(); 531 case BO_Sub: 532 return makeZeroVal(resultTy); 533 case BO_EQ: 534 case BO_LE: 535 case BO_GE: 536 return makeTruthVal(true, resultTy); 537 case BO_NE: 538 case BO_LT: 539 case BO_GT: 540 return makeTruthVal(false, resultTy); 541 } 542 } 543 544 switch (lhs.getSubKind()) { 545 default: 546 assert(false && "Ordering not implemented for this Loc."); 547 return UnknownVal(); 548 549 case loc::GotoLabelKind: 550 // The only thing we know about labels is that they're non-null. 551 if (rhs.isZeroConstant()) { 552 switch (op) { 553 default: 554 break; 555 case BO_Sub: 556 return evalCastFromLoc(lhs, resultTy); 557 case BO_EQ: 558 case BO_LE: 559 case BO_LT: 560 return makeTruthVal(false, resultTy); 561 case BO_NE: 562 case BO_GT: 563 case BO_GE: 564 return makeTruthVal(true, resultTy); 565 } 566 } 567 // There may be two labels for the same location, and a function region may 568 // have the same address as a label at the start of the function (depending 569 // on the ABI). 570 // FIXME: we can probably do a comparison against other MemRegions, though. 571 // FIXME: is there a way to tell if two labels refer to the same location? 572 return UnknownVal(); 573 574 case loc::ConcreteIntKind: { 575 // If one of the operands is a symbol and the other is a constant, 576 // build an expression for use by the constraint manager. 577 if (SymbolRef rSym = rhs.getAsLocSymbol()) { 578 // We can only build expressions with symbols on the left, 579 // so we need a reversible operator. 580 if (!BinaryOperator::isComparisonOp(op)) 581 return UnknownVal(); 582 583 const llvm::APSInt &lVal = cast<loc::ConcreteInt>(lhs).getValue(); 584 return makeNonLoc(rSym, ReverseComparison(op), lVal, resultTy); 585 } 586 587 // If both operands are constants, just perform the operation. 588 if (loc::ConcreteInt *rInt = dyn_cast<loc::ConcreteInt>(&rhs)) { 589 SVal ResultVal = cast<loc::ConcreteInt>(lhs).evalBinOp(BasicVals, op, 590 *rInt); 591 if (Loc *Result = dyn_cast<Loc>(&ResultVal)) 592 return evalCastFromLoc(*Result, resultTy); 593 else 594 return UnknownVal(); 595 } 596 597 // Special case comparisons against NULL. 598 // This must come after the test if the RHS is a symbol, which is used to 599 // build constraints. The address of any non-symbolic region is guaranteed 600 // to be non-NULL, as is any label. 601 assert(isa<loc::MemRegionVal>(rhs) || isa<loc::GotoLabel>(rhs)); 602 if (lhs.isZeroConstant()) { 603 switch (op) { 604 default: 605 break; 606 case BO_EQ: 607 case BO_GT: 608 case BO_GE: 609 return makeTruthVal(false, resultTy); 610 case BO_NE: 611 case BO_LT: 612 case BO_LE: 613 return makeTruthVal(true, resultTy); 614 } 615 } 616 617 // Comparing an arbitrary integer to a region or label address is 618 // completely unknowable. 619 return UnknownVal(); 620 } 621 case loc::MemRegionKind: { 622 if (loc::ConcreteInt *rInt = dyn_cast<loc::ConcreteInt>(&rhs)) { 623 // If one of the operands is a symbol and the other is a constant, 624 // build an expression for use by the constraint manager. 625 if (SymbolRef lSym = lhs.getAsLocSymbol()) 626 return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy); 627 628 // Special case comparisons to NULL. 629 // This must come after the test if the LHS is a symbol, which is used to 630 // build constraints. The address of any non-symbolic region is guaranteed 631 // to be non-NULL. 632 if (rInt->isZeroConstant()) { 633 switch (op) { 634 default: 635 break; 636 case BO_Sub: 637 return evalCastFromLoc(lhs, resultTy); 638 case BO_EQ: 639 case BO_LT: 640 case BO_LE: 641 return makeTruthVal(false, resultTy); 642 case BO_NE: 643 case BO_GT: 644 case BO_GE: 645 return makeTruthVal(true, resultTy); 646 } 647 } 648 649 // Comparing a region to an arbitrary integer is completely unknowable. 650 return UnknownVal(); 651 } 652 653 // Get both values as regions, if possible. 654 const MemRegion *LeftMR = lhs.getAsRegion(); 655 assert(LeftMR && "MemRegionKind SVal doesn't have a region!"); 656 657 const MemRegion *RightMR = rhs.getAsRegion(); 658 if (!RightMR) 659 // The RHS is probably a label, which in theory could address a region. 660 // FIXME: we can probably make a more useful statement about non-code 661 // regions, though. 662 return UnknownVal(); 663 664 // If both values wrap regions, see if they're from different base regions. 665 const MemRegion *LeftBase = LeftMR->getBaseRegion(); 666 const MemRegion *RightBase = RightMR->getBaseRegion(); 667 if (LeftBase != RightBase && 668 !isa<SymbolicRegion>(LeftBase) && !isa<SymbolicRegion>(RightBase)) { 669 switch (op) { 670 default: 671 return UnknownVal(); 672 case BO_EQ: 673 return makeTruthVal(false, resultTy); 674 case BO_NE: 675 return makeTruthVal(true, resultTy); 676 } 677 } 678 679 // The two regions are from the same base region. See if they're both a 680 // type of region we know how to compare. 681 682 // FIXME: If/when there is a getAsRawOffset() for FieldRegions, this 683 // ElementRegion path and the FieldRegion path below should be unified. 684 if (const ElementRegion *LeftER = dyn_cast<ElementRegion>(LeftMR)) { 685 // First see if the right region is also an ElementRegion. 686 const ElementRegion *RightER = dyn_cast<ElementRegion>(RightMR); 687 if (!RightER) 688 return UnknownVal(); 689 690 // Next, see if the two ERs have the same super-region and matching types. 691 // FIXME: This should do something useful even if the types don't match, 692 // though if both indexes are constant the RegionRawOffset path will 693 // give the correct answer. 694 if (LeftER->getSuperRegion() == RightER->getSuperRegion() && 695 LeftER->getElementType() == RightER->getElementType()) { 696 // Get the left index and cast it to the correct type. 697 // If the index is unknown or undefined, bail out here. 698 SVal LeftIndexVal = LeftER->getIndex(); 699 NonLoc *LeftIndex = dyn_cast<NonLoc>(&LeftIndexVal); 700 if (!LeftIndex) 701 return UnknownVal(); 702 LeftIndexVal = evalCastFromNonLoc(*LeftIndex, resultTy); 703 LeftIndex = dyn_cast<NonLoc>(&LeftIndexVal); 704 if (!LeftIndex) 705 return UnknownVal(); 706 707 // Do the same for the right index. 708 SVal RightIndexVal = RightER->getIndex(); 709 NonLoc *RightIndex = dyn_cast<NonLoc>(&RightIndexVal); 710 if (!RightIndex) 711 return UnknownVal(); 712 RightIndexVal = evalCastFromNonLoc(*RightIndex, resultTy); 713 RightIndex = dyn_cast<NonLoc>(&RightIndexVal); 714 if (!RightIndex) 715 return UnknownVal(); 716 717 // Actually perform the operation. 718 // evalBinOpNN expects the two indexes to already be the right type. 719 return evalBinOpNN(state, op, *LeftIndex, *RightIndex, resultTy); 720 } 721 722 // If the element indexes aren't comparable, see if the raw offsets are. 723 RegionRawOffset LeftOffset = LeftER->getAsArrayOffset(); 724 RegionRawOffset RightOffset = RightER->getAsArrayOffset(); 725 726 if (LeftOffset.getRegion() != NULL && 727 LeftOffset.getRegion() == RightOffset.getRegion()) { 728 CharUnits left = LeftOffset.getOffset(); 729 CharUnits right = RightOffset.getOffset(); 730 731 switch (op) { 732 default: 733 return UnknownVal(); 734 case BO_LT: 735 return makeTruthVal(left < right, resultTy); 736 case BO_GT: 737 return makeTruthVal(left > right, resultTy); 738 case BO_LE: 739 return makeTruthVal(left <= right, resultTy); 740 case BO_GE: 741 return makeTruthVal(left >= right, resultTy); 742 case BO_EQ: 743 return makeTruthVal(left == right, resultTy); 744 case BO_NE: 745 return makeTruthVal(left != right, resultTy); 746 } 747 } 748 749 // If we get here, we have no way of comparing the ElementRegions. 750 return UnknownVal(); 751 } 752 753 // See if both regions are fields of the same structure. 754 // FIXME: This doesn't handle nesting, inheritance, or Objective-C ivars. 755 if (const FieldRegion *LeftFR = dyn_cast<FieldRegion>(LeftMR)) { 756 // Only comparisons are meaningful here! 757 if (!BinaryOperator::isComparisonOp(op)) 758 return UnknownVal(); 759 760 // First see if the right region is also a FieldRegion. 761 const FieldRegion *RightFR = dyn_cast<FieldRegion>(RightMR); 762 if (!RightFR) 763 return UnknownVal(); 764 765 // Next, see if the two FRs have the same super-region. 766 // FIXME: This doesn't handle casts yet, and simply stripping the casts 767 // doesn't help. 768 if (LeftFR->getSuperRegion() != RightFR->getSuperRegion()) 769 return UnknownVal(); 770 771 const FieldDecl *LeftFD = LeftFR->getDecl(); 772 const FieldDecl *RightFD = RightFR->getDecl(); 773 const RecordDecl *RD = LeftFD->getParent(); 774 775 // Make sure the two FRs are from the same kind of record. Just in case! 776 // FIXME: This is probably where inheritance would be a problem. 777 if (RD != RightFD->getParent()) 778 return UnknownVal(); 779 780 // We know for sure that the two fields are not the same, since that 781 // would have given us the same SVal. 782 if (op == BO_EQ) 783 return makeTruthVal(false, resultTy); 784 if (op == BO_NE) 785 return makeTruthVal(true, resultTy); 786 787 // Iterate through the fields and see which one comes first. 788 // [C99 6.7.2.1.13] "Within a structure object, the non-bit-field 789 // members and the units in which bit-fields reside have addresses that 790 // increase in the order in which they are declared." 791 bool leftFirst = (op == BO_LT || op == BO_LE); 792 for (RecordDecl::field_iterator I = RD->field_begin(), 793 E = RD->field_end(); I!=E; ++I) { 794 if (*I == LeftFD) 795 return makeTruthVal(leftFirst, resultTy); 796 if (*I == RightFD) 797 return makeTruthVal(!leftFirst, resultTy); 798 } 799 800 assert(false && "Fields not found in parent record's definition"); 801 } 802 803 // If we get here, we have no way of comparing the regions. 804 return UnknownVal(); 805 } 806 } 807} 808 809SVal SimpleSValBuilder::evalBinOpLN(const GRState *state, 810 BinaryOperator::Opcode op, 811 Loc lhs, NonLoc rhs, QualType resultTy) { 812 813 // Special case: rhs is a zero constant. 814 if (rhs.isZeroConstant()) 815 return lhs; 816 817 // Special case: 'rhs' is an integer that has the same width as a pointer and 818 // we are using the integer location in a comparison. Normally this cannot be 819 // triggered, but transfer functions like those for OSCommpareAndSwapBarrier32 820 // can generate comparisons that trigger this code. 821 // FIXME: Are all locations guaranteed to have pointer width? 822 if (BinaryOperator::isComparisonOp(op)) { 823 if (nonloc::ConcreteInt *rhsInt = dyn_cast<nonloc::ConcreteInt>(&rhs)) { 824 const llvm::APSInt *x = &rhsInt->getValue(); 825 ASTContext &ctx = Context; 826 if (ctx.getTypeSize(ctx.VoidPtrTy) == x->getBitWidth()) { 827 // Convert the signedness of the integer (if necessary). 828 if (x->isSigned()) 829 x = &getBasicValueFactory().getValue(*x, true); 830 831 return evalBinOpLL(state, op, lhs, loc::ConcreteInt(*x), resultTy); 832 } 833 } 834 } 835 836 // We are dealing with pointer arithmetic. 837 838 // Handle pointer arithmetic on constant values. 839 if (nonloc::ConcreteInt *rhsInt = dyn_cast<nonloc::ConcreteInt>(&rhs)) { 840 if (loc::ConcreteInt *lhsInt = dyn_cast<loc::ConcreteInt>(&lhs)) { 841 const llvm::APSInt &leftI = lhsInt->getValue(); 842 assert(leftI.isUnsigned()); 843 llvm::APSInt rightI(rhsInt->getValue(), /* isUnsigned */ true); 844 845 // Convert the bitwidth of rightI. This should deal with overflow 846 // since we are dealing with concrete values. 847 rightI = rightI.extOrTrunc(leftI.getBitWidth()); 848 849 // Offset the increment by the pointer size. 850 llvm::APSInt Multiplicand(rightI.getBitWidth(), /* isUnsigned */ true); 851 rightI *= Multiplicand; 852 853 // Compute the adjusted pointer. 854 switch (op) { 855 case BO_Add: 856 rightI = leftI + rightI; 857 break; 858 case BO_Sub: 859 rightI = leftI - rightI; 860 break; 861 default: 862 llvm_unreachable("Invalid pointer arithmetic operation"); 863 } 864 return loc::ConcreteInt(getBasicValueFactory().getValue(rightI)); 865 } 866 } 867 868 // Handle cases where 'lhs' is a region. 869 if (const MemRegion *region = lhs.getAsRegion()) { 870 rhs = cast<NonLoc>(convertToArrayIndex(rhs)); 871 SVal index = UnknownVal(); 872 const MemRegion *superR = 0; 873 QualType elementType; 874 875 if (const ElementRegion *elemReg = dyn_cast<ElementRegion>(region)) { 876 index = evalBinOpNN(state, BO_Add, elemReg->getIndex(), rhs, 877 getArrayIndexType()); 878 superR = elemReg->getSuperRegion(); 879 elementType = elemReg->getElementType(); 880 } 881 else if (isa<SubRegion>(region)) { 882 superR = region; 883 index = rhs; 884 if (const PointerType *PT = resultTy->getAs<PointerType>()) { 885 elementType = PT->getPointeeType(); 886 } 887 else { 888 const ObjCObjectPointerType *OT = 889 resultTy->getAs<ObjCObjectPointerType>(); 890 elementType = OT->getPointeeType(); 891 } 892 } 893 894 if (NonLoc *indexV = dyn_cast<NonLoc>(&index)) { 895 return loc::MemRegionVal(MemMgr.getElementRegion(elementType, *indexV, 896 superR, getContext())); 897 } 898 } 899 return UnknownVal(); 900} 901 902const llvm::APSInt *SimpleSValBuilder::getKnownValue(const GRState *state, 903 SVal V) { 904 if (V.isUnknownOrUndef()) 905 return NULL; 906 907 if (loc::ConcreteInt* X = dyn_cast<loc::ConcreteInt>(&V)) 908 return &X->getValue(); 909 910 if (nonloc::ConcreteInt* X = dyn_cast<nonloc::ConcreteInt>(&V)) 911 return &X->getValue(); 912 913 if (SymbolRef Sym = V.getAsSymbol()) 914 return state->getSymVal(Sym); 915 916 // FIXME: Add support for SymExprs. 917 return NULL; 918} 919