1 //== RegionStore.cpp - Field-sensitive store model --------------*- C++ -*--==// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines a basic region store model. In this model, we do have field 11 // sensitivity. But we assume nothing about the heap shape. So recursive data 12 // structures are largely ignored. Basically we do 1-limiting analysis. 13 // Parameter pointers are assumed with no aliasing. Pointee objects of 14 // parameters are created lazily. 15 // 16 //===----------------------------------------------------------------------===// 17 #include "clang/AST/CharUnits.h" 18 #include "clang/AST/DeclCXX.h" 19 #include "clang/AST/ExprCXX.h" 20 #include "clang/AST/CXXInheritance.h" 21 #include "clang/Analysis/Analyses/LiveVariables.h" 22 #include "clang/Analysis/AnalysisContext.h" 23 #include "clang/Basic/TargetInfo.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 27 #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" 28 #include "llvm/ADT/ImmutableList.h" 29 #include "llvm/ADT/ImmutableMap.h" 30 #include "llvm/ADT/Optional.h" 31 #include "llvm/Support/raw_ostream.h" 32 33 using namespace clang; 34 using namespace ento; 35 using llvm::Optional; 36 37 //===----------------------------------------------------------------------===// 38 // Representation of binding keys. 39 //===----------------------------------------------------------------------===// 40 41 namespace { 42 class BindingKey { 43 public: 44 enum Kind { Default = 0x0, Direct = 0x1 }; 45 private: 46 enum { Symbolic = 0x2 }; 47 48 llvm::PointerIntPair<const MemRegion *, 2> P; 49 uint64_t Data; 50 51 explicit BindingKey(const MemRegion *r, const MemRegion *Base, Kind k) 52 : P(r, k | Symbolic), Data(reinterpret_cast<uintptr_t>(Base)) { 53 assert(r && Base && "Must have known regions."); 54 assert(getConcreteOffsetRegion() == Base && "Failed to store base region"); 55 } 56 explicit BindingKey(const MemRegion *r, uint64_t offset, Kind k) 57 : P(r, k), Data(offset) { 58 assert(r && "Must have known regions."); 59 assert(getOffset() == offset && "Failed to store offset"); 60 assert((r == r->getBaseRegion() || isa<ObjCIvarRegion>(r)) && "Not a base"); 61 } 62 public: 63 64 bool isDirect() const { return P.getInt() & Direct; } 65 bool hasSymbolicOffset() const { return P.getInt() & Symbolic; } 66 67 const MemRegion *getRegion() const { return P.getPointer(); } 68 uint64_t getOffset() const { 69 assert(!hasSymbolicOffset()); 70 return Data; 71 } 72 73 const MemRegion *getConcreteOffsetRegion() const { 74 assert(hasSymbolicOffset()); 75 return reinterpret_cast<const MemRegion *>(static_cast<uintptr_t>(Data)); 76 } 77 78 const MemRegion *getBaseRegion() const { 79 if (hasSymbolicOffset()) 80 return getConcreteOffsetRegion()->getBaseRegion(); 81 return getRegion()->getBaseRegion(); 82 } 83 84 void Profile(llvm::FoldingSetNodeID& ID) const { 85 ID.AddPointer(P.getOpaqueValue()); 86 ID.AddInteger(Data); 87 } 88 89 static BindingKey Make(const MemRegion *R, Kind k); 90 91 bool operator<(const BindingKey &X) const { 92 if (P.getOpaqueValue() < X.P.getOpaqueValue()) 93 return true; 94 if (P.getOpaqueValue() > X.P.getOpaqueValue()) 95 return false; 96 return Data < X.Data; 97 } 98 99 bool operator==(const BindingKey &X) const { 100 return P.getOpaqueValue() == X.P.getOpaqueValue() && 101 Data == X.Data; 102 } 103 104 LLVM_ATTRIBUTE_USED void dump() const; 105 }; 106 } // end anonymous namespace 107 108 BindingKey BindingKey::Make(const MemRegion *R, Kind k) { 109 const RegionOffset &RO = R->getAsOffset(); 110 if (RO.hasSymbolicOffset()) 111 return BindingKey(R, RO.getRegion(), k); 112 113 return BindingKey(RO.getRegion(), RO.getOffset(), k); 114 } 115 116 namespace llvm { 117 static inline 118 raw_ostream &operator<<(raw_ostream &os, BindingKey K) { 119 os << '(' << K.getRegion(); 120 if (!K.hasSymbolicOffset()) 121 os << ',' << K.getOffset(); 122 os << ',' << (K.isDirect() ? "direct" : "default") 123 << ')'; 124 return os; 125 } 126 } // end llvm namespace 127 128 void BindingKey::dump() const { 129 llvm::errs() << *this; 130 } 131 132 //===----------------------------------------------------------------------===// 133 // Actual Store type. 134 //===----------------------------------------------------------------------===// 135 136 typedef llvm::ImmutableMap<BindingKey, SVal> ClusterBindings; 137 typedef llvm::ImmutableMap<const MemRegion *, ClusterBindings> RegionBindings; 138 139 //===----------------------------------------------------------------------===// 140 // Fine-grained control of RegionStoreManager. 141 //===----------------------------------------------------------------------===// 142 143 namespace { 144 struct minimal_features_tag {}; 145 struct maximal_features_tag {}; 146 147 class RegionStoreFeatures { 148 bool SupportsFields; 149 public: 150 RegionStoreFeatures(minimal_features_tag) : 151 SupportsFields(false) {} 152 153 RegionStoreFeatures(maximal_features_tag) : 154 SupportsFields(true) {} 155 156 void enableFields(bool t) { SupportsFields = t; } 157 158 bool supportsFields() const { return SupportsFields; } 159 }; 160 } 161 162 //===----------------------------------------------------------------------===// 163 // Main RegionStore logic. 164 //===----------------------------------------------------------------------===// 165 166 namespace { 167 168 class RegionStoreManager : public StoreManager { 169 const RegionStoreFeatures Features; 170 RegionBindings::Factory RBFactory; 171 ClusterBindings::Factory CBFactory; 172 173 public: 174 RegionStoreManager(ProgramStateManager& mgr, const RegionStoreFeatures &f) 175 : StoreManager(mgr), Features(f), 176 RBFactory(mgr.getAllocator()), CBFactory(mgr.getAllocator()) {} 177 178 Optional<SVal> getDirectBinding(RegionBindings B, const MemRegion *R); 179 /// getDefaultBinding - Returns an SVal* representing an optional default 180 /// binding associated with a region and its subregions. 181 Optional<SVal> getDefaultBinding(RegionBindings B, const MemRegion *R); 182 183 /// setImplicitDefaultValue - Set the default binding for the provided 184 /// MemRegion to the value implicitly defined for compound literals when 185 /// the value is not specified. 186 StoreRef setImplicitDefaultValue(Store store, const MemRegion *R, QualType T); 187 188 /// ArrayToPointer - Emulates the "decay" of an array to a pointer 189 /// type. 'Array' represents the lvalue of the array being decayed 190 /// to a pointer, and the returned SVal represents the decayed 191 /// version of that lvalue (i.e., a pointer to the first element of 192 /// the array). This is called by ExprEngine when evaluating 193 /// casts from arrays to pointers. 194 SVal ArrayToPointer(Loc Array); 195 196 /// For DerivedToBase casts, create a CXXBaseObjectRegion and return it. 197 virtual SVal evalDerivedToBase(SVal derived, QualType basePtrType); 198 199 /// \brief Evaluates C++ dynamic_cast cast. 200 /// The callback may result in the following 3 scenarios: 201 /// - Successful cast (ex: derived is subclass of base). 202 /// - Failed cast (ex: derived is definitely not a subclass of base). 203 /// - We don't know (base is a symbolic region and we don't have 204 /// enough info to determine if the cast will succeed at run time). 205 /// The function returns an SVal representing the derived class; it's 206 /// valid only if Failed flag is set to false. 207 virtual SVal evalDynamicCast(SVal base, QualType derivedPtrType,bool &Failed); 208 209 StoreRef getInitialStore(const LocationContext *InitLoc) { 210 return StoreRef(RBFactory.getEmptyMap().getRootWithoutRetain(), *this); 211 } 212 213 //===-------------------------------------------------------------------===// 214 // Binding values to regions. 215 //===-------------------------------------------------------------------===// 216 RegionBindings invalidateGlobalRegion(MemRegion::Kind K, 217 const Expr *Ex, 218 unsigned Count, 219 const LocationContext *LCtx, 220 RegionBindings B, 221 InvalidatedRegions *Invalidated); 222 223 StoreRef invalidateRegions(Store store, ArrayRef<const MemRegion *> Regions, 224 const Expr *E, unsigned Count, 225 const LocationContext *LCtx, 226 InvalidatedSymbols &IS, 227 const CallEvent *Call, 228 InvalidatedRegions *Invalidated); 229 230 bool scanReachableSymbols(Store S, const MemRegion *R, 231 ScanReachableSymbols &Callbacks); 232 233 public: // Made public for helper classes. 234 235 RegionBindings removeSubRegionBindings(RegionBindings B, const SubRegion *R); 236 237 RegionBindings addBinding(RegionBindings B, BindingKey K, SVal V); 238 239 RegionBindings addBinding(RegionBindings B, const MemRegion *R, 240 BindingKey::Kind k, SVal V); 241 242 const SVal *lookup(RegionBindings B, BindingKey K); 243 const SVal *lookup(RegionBindings B, const MemRegion *R, BindingKey::Kind k); 244 245 RegionBindings removeBinding(RegionBindings B, BindingKey K); 246 RegionBindings removeBinding(RegionBindings B, const MemRegion *R, 247 BindingKey::Kind k); 248 249 RegionBindings removeBinding(RegionBindings B, const MemRegion *R) { 250 return removeBinding(removeBinding(B, R, BindingKey::Direct), R, 251 BindingKey::Default); 252 } 253 254 RegionBindings removeCluster(RegionBindings B, const MemRegion *R); 255 256 public: // Part of public interface to class. 257 258 StoreRef Bind(Store store, Loc LV, SVal V); 259 260 // BindDefault is only used to initialize a region with a default value. 261 StoreRef BindDefault(Store store, const MemRegion *R, SVal V) { 262 RegionBindings B = GetRegionBindings(store); 263 assert(!lookup(B, R, BindingKey::Default)); 264 assert(!lookup(B, R, BindingKey::Direct)); 265 return StoreRef(addBinding(B, R, BindingKey::Default, V) 266 .getRootWithoutRetain(), *this); 267 } 268 269 /// \brief Create a new store that binds a value to a compound literal. 270 /// 271 /// \param ST The original store whose bindings are the basis for the new 272 /// store. 273 /// 274 /// \param CL The compound literal to bind (the binding key). 275 /// 276 /// \param LC The LocationContext for the binding. 277 /// 278 /// \param V The value to bind to the compound literal. 279 StoreRef bindCompoundLiteral(Store ST, 280 const CompoundLiteralExpr *CL, 281 const LocationContext *LC, SVal V); 282 283 /// BindStruct - Bind a compound value to a structure. 284 StoreRef BindStruct(Store store, const TypedValueRegion* R, SVal V); 285 286 /// BindVector - Bind a compound value to a vector. 287 StoreRef BindVector(Store store, const TypedValueRegion* R, SVal V); 288 289 StoreRef BindArray(Store store, const TypedValueRegion* R, SVal V); 290 291 /// Clears out all bindings in the given region and assigns a new value 292 /// as a Default binding. 293 StoreRef BindAggregate(Store store, const TypedRegion *R, SVal DefaultVal); 294 295 /// \brief Create a new store with the specified binding removed. 296 /// 297 /// \brief \param ST the original store, that is the basis for the new store. 298 /// 299 /// \brief \param L the location whose binding should be removed. 300 StoreRef killBinding(Store ST, Loc LV); 301 302 void incrementReferenceCount(Store store) { 303 GetRegionBindings(store).manualRetain(); 304 } 305 306 /// If the StoreManager supports it, decrement the reference count of 307 /// the specified Store object. If the reference count hits 0, the memory 308 /// associated with the object is recycled. 309 void decrementReferenceCount(Store store) { 310 GetRegionBindings(store).manualRelease(); 311 } 312 313 bool includedInBindings(Store store, const MemRegion *region) const; 314 315 /// \brief Return the value bound to specified location in a given state. 316 /// 317 /// The high level logic for this method is this: 318 /// getBinding (L) 319 /// if L has binding 320 /// return L's binding 321 /// else if L is in killset 322 /// return unknown 323 /// else 324 /// if L is on stack or heap 325 /// return undefined 326 /// else 327 /// return symbolic 328 SVal getBinding(Store store, Loc L, QualType T = QualType()); 329 330 SVal getBindingForElement(Store store, const ElementRegion *R); 331 332 SVal getBindingForField(Store store, const FieldRegion *R); 333 334 SVal getBindingForObjCIvar(Store store, const ObjCIvarRegion *R); 335 336 SVal getBindingForVar(Store store, const VarRegion *R); 337 338 SVal getBindingForLazySymbol(const TypedValueRegion *R); 339 340 SVal getBindingForFieldOrElementCommon(Store store, const TypedValueRegion *R, 341 QualType Ty, const MemRegion *superR); 342 343 SVal getLazyBinding(const MemRegion *lazyBindingRegion, 344 Store lazyBindingStore); 345 346 /// Get bindings for the values in a struct and return a CompoundVal, used 347 /// when doing struct copy: 348 /// struct s x, y; 349 /// x = y; 350 /// y's value is retrieved by this method. 351 SVal getBindingForStruct(Store store, const TypedValueRegion* R); 352 353 SVal getBindingForArray(Store store, const TypedValueRegion* R); 354 355 /// Used to lazily generate derived symbols for bindings that are defined 356 /// implicitly by default bindings in a super region. 357 Optional<SVal> getBindingForDerivedDefaultValue(RegionBindings B, 358 const MemRegion *superR, 359 const TypedValueRegion *R, 360 QualType Ty); 361 362 /// Get the state and region whose binding this region R corresponds to. 363 std::pair<Store, const MemRegion*> 364 GetLazyBinding(RegionBindings B, const MemRegion *R, 365 const MemRegion *originalRegion, 366 bool includeSuffix = false); 367 368 //===------------------------------------------------------------------===// 369 // State pruning. 370 //===------------------------------------------------------------------===// 371 372 /// removeDeadBindings - Scans the RegionStore of 'state' for dead values. 373 /// It returns a new Store with these values removed. 374 StoreRef removeDeadBindings(Store store, const StackFrameContext *LCtx, 375 SymbolReaper& SymReaper); 376 377 //===------------------------------------------------------------------===// 378 // Region "extents". 379 //===------------------------------------------------------------------===// 380 381 // FIXME: This method will soon be eliminated; see the note in Store.h. 382 DefinedOrUnknownSVal getSizeInElements(ProgramStateRef state, 383 const MemRegion* R, QualType EleTy); 384 385 //===------------------------------------------------------------------===// 386 // Utility methods. 387 //===------------------------------------------------------------------===// 388 389 static inline RegionBindings GetRegionBindings(Store store) { 390 return RegionBindings(static_cast<const RegionBindings::TreeTy*>(store)); 391 } 392 393 void print(Store store, raw_ostream &Out, const char* nl, 394 const char *sep); 395 396 void iterBindings(Store store, BindingsHandler& f) { 397 RegionBindings B = GetRegionBindings(store); 398 for (RegionBindings::iterator I = B.begin(), E = B.end(); I != E; ++I) { 399 const ClusterBindings &Cluster = I.getData(); 400 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 401 CI != CE; ++CI) { 402 const BindingKey &K = CI.getKey(); 403 if (!K.isDirect()) 404 continue; 405 if (const SubRegion *R = dyn_cast<SubRegion>(K.getRegion())) { 406 // FIXME: Possibly incorporate the offset? 407 if (!f.HandleBinding(*this, store, R, CI.getData())) 408 return; 409 } 410 } 411 } 412 } 413 }; 414 415 } // end anonymous namespace 416 417 //===----------------------------------------------------------------------===// 418 // RegionStore creation. 419 //===----------------------------------------------------------------------===// 420 421 StoreManager *ento::CreateRegionStoreManager(ProgramStateManager& StMgr) { 422 RegionStoreFeatures F = maximal_features_tag(); 423 return new RegionStoreManager(StMgr, F); 424 } 425 426 StoreManager * 427 ento::CreateFieldsOnlyRegionStoreManager(ProgramStateManager &StMgr) { 428 RegionStoreFeatures F = minimal_features_tag(); 429 F.enableFields(true); 430 return new RegionStoreManager(StMgr, F); 431 } 432 433 434 //===----------------------------------------------------------------------===// 435 // Region Cluster analysis. 436 //===----------------------------------------------------------------------===// 437 438 namespace { 439 template <typename DERIVED> 440 class ClusterAnalysis { 441 protected: 442 typedef llvm::DenseMap<const MemRegion *, const ClusterBindings *> ClusterMap; 443 typedef SmallVector<const MemRegion *, 10> WorkList; 444 445 llvm::SmallPtrSet<const ClusterBindings *, 16> Visited; 446 447 WorkList WL; 448 449 RegionStoreManager &RM; 450 ASTContext &Ctx; 451 SValBuilder &svalBuilder; 452 453 RegionBindings B; 454 455 const bool includeGlobals; 456 457 const ClusterBindings *getCluster(const MemRegion *R) { 458 return B.lookup(R); 459 } 460 461 public: 462 ClusterAnalysis(RegionStoreManager &rm, ProgramStateManager &StateMgr, 463 RegionBindings b, const bool includeGlobals) 464 : RM(rm), Ctx(StateMgr.getContext()), 465 svalBuilder(StateMgr.getSValBuilder()), 466 B(b), includeGlobals(includeGlobals) {} 467 468 RegionBindings getRegionBindings() const { return B; } 469 470 bool isVisited(const MemRegion *R) { 471 return Visited.count(getCluster(R)); 472 } 473 474 void GenerateClusters() { 475 // Scan the entire set of bindings and record the region clusters. 476 for (RegionBindings::iterator RI = B.begin(), RE = B.end(); RI != RE; ++RI){ 477 const MemRegion *Base = RI.getKey(); 478 479 const ClusterBindings &Cluster = RI.getData(); 480 assert(!Cluster.isEmpty() && "Empty clusters should be removed"); 481 static_cast<DERIVED*>(this)->VisitAddedToCluster(Base, Cluster); 482 483 if (includeGlobals) 484 if (isa<NonStaticGlobalSpaceRegion>(Base->getMemorySpace())) 485 AddToWorkList(Base, &Cluster); 486 } 487 } 488 489 bool AddToWorkList(const MemRegion *R, const ClusterBindings *C) { 490 if (C && !Visited.insert(C)) 491 return false; 492 WL.push_back(R); 493 return true; 494 } 495 496 bool AddToWorkList(const MemRegion *R) { 497 const MemRegion *baseR = R->getBaseRegion(); 498 return AddToWorkList(baseR, getCluster(baseR)); 499 } 500 501 void RunWorkList() { 502 while (!WL.empty()) { 503 const MemRegion *baseR = WL.pop_back_val(); 504 505 // First visit the cluster. 506 if (const ClusterBindings *Cluster = getCluster(baseR)) 507 static_cast<DERIVED*>(this)->VisitCluster(baseR, *Cluster); 508 509 // Next, visit the base region. 510 static_cast<DERIVED*>(this)->VisitBaseRegion(baseR); 511 } 512 } 513 514 public: 515 void VisitAddedToCluster(const MemRegion *baseR, const ClusterBindings &C) {} 516 void VisitCluster(const MemRegion *baseR, const ClusterBindings &C) {} 517 void VisitBaseRegion(const MemRegion *baseR) {} 518 }; 519 } 520 521 //===----------------------------------------------------------------------===// 522 // Binding invalidation. 523 //===----------------------------------------------------------------------===// 524 525 bool RegionStoreManager::scanReachableSymbols(Store S, const MemRegion *R, 526 ScanReachableSymbols &Callbacks) { 527 assert(R == R->getBaseRegion() && "Should only be called for base regions"); 528 RegionBindings B = GetRegionBindings(S); 529 const ClusterBindings *Cluster = B.lookup(R); 530 531 if (!Cluster) 532 return true; 533 534 for (ClusterBindings::iterator RI = Cluster->begin(), RE = Cluster->end(); 535 RI != RE; ++RI) { 536 if (!Callbacks.scan(RI.getData())) 537 return false; 538 } 539 540 return true; 541 } 542 543 RegionBindings RegionStoreManager::removeSubRegionBindings(RegionBindings B, 544 const SubRegion *R) { 545 BindingKey SRKey = BindingKey::Make(R, BindingKey::Default); 546 const MemRegion *ClusterHead = SRKey.getBaseRegion(); 547 if (R == ClusterHead) { 548 // We can remove an entire cluster's bindings all in one go. 549 return RBFactory.remove(B, R); 550 } 551 552 if (SRKey.hasSymbolicOffset()) { 553 const SubRegion *Base = cast<SubRegion>(SRKey.getConcreteOffsetRegion()); 554 B = removeSubRegionBindings(B, Base); 555 return addBinding(B, Base, BindingKey::Default, UnknownVal()); 556 } 557 558 // This assumes the region being invalidated is char-aligned. This isn't 559 // true for bitfields, but since bitfields have no subregions they shouldn't 560 // be using this function anyway. 561 uint64_t Length = UINT64_MAX; 562 563 SVal Extent = R->getExtent(svalBuilder); 564 if (nonloc::ConcreteInt *ExtentCI = dyn_cast<nonloc::ConcreteInt>(&Extent)) { 565 const llvm::APSInt &ExtentInt = ExtentCI->getValue(); 566 assert(ExtentInt.isNonNegative() || ExtentInt.isUnsigned()); 567 // Extents are in bytes but region offsets are in bits. Be careful! 568 Length = ExtentInt.getLimitedValue() * Ctx.getCharWidth(); 569 } 570 571 const ClusterBindings *Cluster = B.lookup(ClusterHead); 572 if (!Cluster) 573 return B; 574 575 ClusterBindings Result = *Cluster; 576 577 // It is safe to iterate over the bindings as they are being changed 578 // because they are in an ImmutableMap. 579 for (ClusterBindings::iterator I = Cluster->begin(), E = Cluster->end(); 580 I != E; ++I) { 581 BindingKey NextKey = I.getKey(); 582 if (NextKey.getRegion() == SRKey.getRegion()) { 583 if (NextKey.getOffset() > SRKey.getOffset() && 584 NextKey.getOffset() - SRKey.getOffset() < Length) { 585 // Case 1: The next binding is inside the region we're invalidating. 586 // Remove it. 587 Result = CBFactory.remove(Result, NextKey); 588 } else if (NextKey.getOffset() == SRKey.getOffset()) { 589 // Case 2: The next binding is at the same offset as the region we're 590 // invalidating. In this case, we need to leave default bindings alone, 591 // since they may be providing a default value for a regions beyond what 592 // we're invalidating. 593 // FIXME: This is probably incorrect; consider invalidating an outer 594 // struct whose first field is bound to a LazyCompoundVal. 595 if (NextKey.isDirect()) 596 Result = CBFactory.remove(Result, NextKey); 597 } 598 } else if (NextKey.hasSymbolicOffset()) { 599 const MemRegion *Base = NextKey.getConcreteOffsetRegion(); 600 if (R->isSubRegionOf(Base)) { 601 // Case 3: The next key is symbolic and we just changed something within 602 // its concrete region. We don't know if the binding is still valid, so 603 // we'll be conservative and remove it. 604 if (NextKey.isDirect()) 605 Result = CBFactory.remove(Result, NextKey); 606 } else if (const SubRegion *BaseSR = dyn_cast<SubRegion>(Base)) { 607 // Case 4: The next key is symbolic, but we changed a known 608 // super-region. In this case the binding is certainly no longer valid. 609 if (R == Base || BaseSR->isSubRegionOf(R)) 610 Result = CBFactory.remove(Result, NextKey); 611 } 612 } 613 } 614 615 if (Result.isEmpty()) 616 return RBFactory.remove(B, ClusterHead); 617 return RBFactory.add(B, ClusterHead, Result); 618 } 619 620 namespace { 621 class invalidateRegionsWorker : public ClusterAnalysis<invalidateRegionsWorker> 622 { 623 const Expr *Ex; 624 unsigned Count; 625 const LocationContext *LCtx; 626 StoreManager::InvalidatedSymbols &IS; 627 StoreManager::InvalidatedRegions *Regions; 628 public: 629 invalidateRegionsWorker(RegionStoreManager &rm, 630 ProgramStateManager &stateMgr, 631 RegionBindings b, 632 const Expr *ex, unsigned count, 633 const LocationContext *lctx, 634 StoreManager::InvalidatedSymbols &is, 635 StoreManager::InvalidatedRegions *r, 636 bool includeGlobals) 637 : ClusterAnalysis<invalidateRegionsWorker>(rm, stateMgr, b, includeGlobals), 638 Ex(ex), Count(count), LCtx(lctx), IS(is), Regions(r) {} 639 640 void VisitCluster(const MemRegion *baseR, const ClusterBindings &C); 641 void VisitBaseRegion(const MemRegion *baseR); 642 643 private: 644 void VisitBinding(SVal V); 645 }; 646 } 647 648 void invalidateRegionsWorker::VisitBinding(SVal V) { 649 // A symbol? Mark it touched by the invalidation. 650 if (SymbolRef Sym = V.getAsSymbol()) 651 IS.insert(Sym); 652 653 if (const MemRegion *R = V.getAsRegion()) { 654 AddToWorkList(R); 655 return; 656 } 657 658 // Is it a LazyCompoundVal? All references get invalidated as well. 659 if (const nonloc::LazyCompoundVal *LCS = 660 dyn_cast<nonloc::LazyCompoundVal>(&V)) { 661 662 const MemRegion *LazyR = LCS->getRegion(); 663 RegionBindings B = RegionStoreManager::GetRegionBindings(LCS->getStore()); 664 665 // FIXME: This should not have to walk all bindings in the old store. 666 for (RegionBindings::iterator RI = B.begin(), RE = B.end(); RI != RE; ++RI){ 667 const ClusterBindings &Cluster = RI.getData(); 668 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 669 CI != CE; ++CI) { 670 BindingKey K = CI.getKey(); 671 if (const SubRegion *BaseR = dyn_cast<SubRegion>(K.getRegion())) { 672 if (BaseR == LazyR) 673 VisitBinding(CI.getData()); 674 else if (K.hasSymbolicOffset() && BaseR->isSubRegionOf(LazyR)) 675 VisitBinding(CI.getData()); 676 } 677 } 678 } 679 680 return; 681 } 682 } 683 684 void invalidateRegionsWorker::VisitCluster(const MemRegion *BaseR, 685 const ClusterBindings &C) { 686 for (ClusterBindings::iterator I = C.begin(), E = C.end(); I != E; ++I) 687 VisitBinding(I.getData()); 688 689 B = RM.removeCluster(B, BaseR); 690 } 691 692 void invalidateRegionsWorker::VisitBaseRegion(const MemRegion *baseR) { 693 // Symbolic region? Mark that symbol touched by the invalidation. 694 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(baseR)) 695 IS.insert(SR->getSymbol()); 696 697 // BlockDataRegion? If so, invalidate captured variables that are passed 698 // by reference. 699 if (const BlockDataRegion *BR = dyn_cast<BlockDataRegion>(baseR)) { 700 for (BlockDataRegion::referenced_vars_iterator 701 BI = BR->referenced_vars_begin(), BE = BR->referenced_vars_end() ; 702 BI != BE; ++BI) { 703 const VarRegion *VR = *BI; 704 const VarDecl *VD = VR->getDecl(); 705 if (VD->getAttr<BlocksAttr>() || !VD->hasLocalStorage()) { 706 AddToWorkList(VR); 707 } 708 else if (Loc::isLocType(VR->getValueType())) { 709 // Map the current bindings to a Store to retrieve the value 710 // of the binding. If that binding itself is a region, we should 711 // invalidate that region. This is because a block may capture 712 // a pointer value, but the thing pointed by that pointer may 713 // get invalidated. 714 Store store = B.getRootWithoutRetain(); 715 SVal V = RM.getBinding(store, loc::MemRegionVal(VR)); 716 if (const Loc *L = dyn_cast<Loc>(&V)) { 717 if (const MemRegion *LR = L->getAsRegion()) 718 AddToWorkList(LR); 719 } 720 } 721 } 722 return; 723 } 724 725 // Otherwise, we have a normal data region. Record that we touched the region. 726 if (Regions) 727 Regions->push_back(baseR); 728 729 if (isa<AllocaRegion>(baseR) || isa<SymbolicRegion>(baseR)) { 730 // Invalidate the region by setting its default value to 731 // conjured symbol. The type of the symbol is irrelavant. 732 DefinedOrUnknownSVal V = 733 svalBuilder.conjureSymbolVal(baseR, Ex, LCtx, Ctx.IntTy, Count); 734 B = RM.addBinding(B, baseR, BindingKey::Default, V); 735 return; 736 } 737 738 if (!baseR->isBoundable()) 739 return; 740 741 const TypedValueRegion *TR = cast<TypedValueRegion>(baseR); 742 QualType T = TR->getValueType(); 743 744 // Invalidate the binding. 745 if (T->isStructureOrClassType()) { 746 // Invalidate the region by setting its default value to 747 // conjured symbol. The type of the symbol is irrelavant. 748 DefinedOrUnknownSVal V = svalBuilder.conjureSymbolVal(baseR, Ex, LCtx, 749 Ctx.IntTy, Count); 750 B = RM.addBinding(B, baseR, BindingKey::Default, V); 751 return; 752 } 753 754 if (const ArrayType *AT = Ctx.getAsArrayType(T)) { 755 // Set the default value of the array to conjured symbol. 756 DefinedOrUnknownSVal V = 757 svalBuilder.conjureSymbolVal(baseR, Ex, LCtx, 758 AT->getElementType(), Count); 759 B = RM.addBinding(B, baseR, BindingKey::Default, V); 760 return; 761 } 762 763 if (includeGlobals && 764 isa<NonStaticGlobalSpaceRegion>(baseR->getMemorySpace())) { 765 // If the region is a global and we are invalidating all globals, 766 // just erase the entry. This causes all globals to be lazily 767 // symbolicated from the same base symbol. 768 B = RM.removeBinding(B, baseR); 769 return; 770 } 771 772 773 DefinedOrUnknownSVal V = svalBuilder.conjureSymbolVal(baseR, Ex, LCtx, 774 T,Count); 775 assert(SymbolManager::canSymbolicate(T) || V.isUnknown()); 776 B = RM.addBinding(B, baseR, BindingKey::Direct, V); 777 } 778 779 RegionBindings RegionStoreManager::invalidateGlobalRegion(MemRegion::Kind K, 780 const Expr *Ex, 781 unsigned Count, 782 const LocationContext *LCtx, 783 RegionBindings B, 784 InvalidatedRegions *Invalidated) { 785 // Bind the globals memory space to a new symbol that we will use to derive 786 // the bindings for all globals. 787 const GlobalsSpaceRegion *GS = MRMgr.getGlobalsRegion(K); 788 SVal V = svalBuilder.conjureSymbolVal(/* SymbolTag = */ (void*) GS, Ex, LCtx, 789 /* type does not matter */ Ctx.IntTy, 790 Count); 791 792 B = removeBinding(B, GS); 793 B = addBinding(B, BindingKey::Make(GS, BindingKey::Default), V); 794 795 // Even if there are no bindings in the global scope, we still need to 796 // record that we touched it. 797 if (Invalidated) 798 Invalidated->push_back(GS); 799 800 return B; 801 } 802 803 StoreRef RegionStoreManager::invalidateRegions(Store store, 804 ArrayRef<const MemRegion *> Regions, 805 const Expr *Ex, unsigned Count, 806 const LocationContext *LCtx, 807 InvalidatedSymbols &IS, 808 const CallEvent *Call, 809 InvalidatedRegions *Invalidated) { 810 invalidateRegionsWorker W(*this, StateMgr, 811 RegionStoreManager::GetRegionBindings(store), 812 Ex, Count, LCtx, IS, Invalidated, false); 813 814 // Scan the bindings and generate the clusters. 815 W.GenerateClusters(); 816 817 // Add the regions to the worklist. 818 for (ArrayRef<const MemRegion *>::iterator 819 I = Regions.begin(), E = Regions.end(); I != E; ++I) 820 W.AddToWorkList(*I); 821 822 W.RunWorkList(); 823 824 // Return the new bindings. 825 RegionBindings B = W.getRegionBindings(); 826 827 // For all globals which are not static nor immutable: determine which global 828 // regions should be invalidated and invalidate them. 829 // TODO: This could possibly be more precise with modules. 830 // 831 // System calls invalidate only system globals. 832 if (Call && Call->isInSystemHeader()) { 833 B = invalidateGlobalRegion(MemRegion::GlobalSystemSpaceRegionKind, 834 Ex, Count, LCtx, B, Invalidated); 835 // Internal calls might invalidate both system and internal globals. 836 } else { 837 B = invalidateGlobalRegion(MemRegion::GlobalSystemSpaceRegionKind, 838 Ex, Count, LCtx, B, Invalidated); 839 B = invalidateGlobalRegion(MemRegion::GlobalInternalSpaceRegionKind, 840 Ex, Count, LCtx, B, Invalidated); 841 } 842 843 return StoreRef(B.getRootWithoutRetain(), *this); 844 } 845 846 //===----------------------------------------------------------------------===// 847 // Extents for regions. 848 //===----------------------------------------------------------------------===// 849 850 DefinedOrUnknownSVal 851 RegionStoreManager::getSizeInElements(ProgramStateRef state, 852 const MemRegion *R, 853 QualType EleTy) { 854 SVal Size = cast<SubRegion>(R)->getExtent(svalBuilder); 855 const llvm::APSInt *SizeInt = svalBuilder.getKnownValue(state, Size); 856 if (!SizeInt) 857 return UnknownVal(); 858 859 CharUnits RegionSize = CharUnits::fromQuantity(SizeInt->getSExtValue()); 860 861 if (Ctx.getAsVariableArrayType(EleTy)) { 862 // FIXME: We need to track extra state to properly record the size 863 // of VLAs. Returning UnknownVal here, however, is a stop-gap so that 864 // we don't have a divide-by-zero below. 865 return UnknownVal(); 866 } 867 868 CharUnits EleSize = Ctx.getTypeSizeInChars(EleTy); 869 870 // If a variable is reinterpreted as a type that doesn't fit into a larger 871 // type evenly, round it down. 872 // This is a signed value, since it's used in arithmetic with signed indices. 873 return svalBuilder.makeIntVal(RegionSize / EleSize, false); 874 } 875 876 //===----------------------------------------------------------------------===// 877 // Location and region casting. 878 //===----------------------------------------------------------------------===// 879 880 /// ArrayToPointer - Emulates the "decay" of an array to a pointer 881 /// type. 'Array' represents the lvalue of the array being decayed 882 /// to a pointer, and the returned SVal represents the decayed 883 /// version of that lvalue (i.e., a pointer to the first element of 884 /// the array). This is called by ExprEngine when evaluating casts 885 /// from arrays to pointers. 886 SVal RegionStoreManager::ArrayToPointer(Loc Array) { 887 if (!isa<loc::MemRegionVal>(Array)) 888 return UnknownVal(); 889 890 const MemRegion* R = cast<loc::MemRegionVal>(&Array)->getRegion(); 891 const TypedValueRegion* ArrayR = dyn_cast<TypedValueRegion>(R); 892 893 if (!ArrayR) 894 return UnknownVal(); 895 896 // Strip off typedefs from the ArrayRegion's ValueType. 897 QualType T = ArrayR->getValueType().getDesugaredType(Ctx); 898 const ArrayType *AT = cast<ArrayType>(T); 899 T = AT->getElementType(); 900 901 NonLoc ZeroIdx = svalBuilder.makeZeroArrayIndex(); 902 return loc::MemRegionVal(MRMgr.getElementRegion(T, ZeroIdx, ArrayR, Ctx)); 903 } 904 905 // This mirrors Type::getCXXRecordDeclForPointerType(), but there doesn't 906 // appear to be another need for this in the rest of the codebase. 907 static const CXXRecordDecl *GetCXXRecordDeclForReferenceType(QualType Ty) { 908 if (const ReferenceType *RT = Ty->getAs<ReferenceType>()) 909 if (const RecordType *RCT = RT->getPointeeType()->getAs<RecordType>()) 910 return dyn_cast<CXXRecordDecl>(RCT->getDecl()); 911 return 0; 912 } 913 914 SVal RegionStoreManager::evalDerivedToBase(SVal derived, QualType baseType) { 915 const CXXRecordDecl *baseDecl; 916 917 if (baseType->isPointerType()) 918 baseDecl = baseType->getCXXRecordDeclForPointerType(); 919 else if (baseType->isReferenceType()) 920 baseDecl = GetCXXRecordDeclForReferenceType(baseType); 921 else 922 baseDecl = baseType->getAsCXXRecordDecl(); 923 924 assert(baseDecl && "not a CXXRecordDecl?"); 925 926 loc::MemRegionVal *derivedRegVal = dyn_cast<loc::MemRegionVal>(&derived); 927 if (!derivedRegVal) 928 return derived; 929 930 const MemRegion *baseReg = 931 MRMgr.getCXXBaseObjectRegion(baseDecl, derivedRegVal->getRegion()); 932 933 return loc::MemRegionVal(baseReg); 934 } 935 936 SVal RegionStoreManager::evalDynamicCast(SVal base, QualType derivedType, 937 bool &Failed) { 938 Failed = false; 939 940 loc::MemRegionVal *baseRegVal = dyn_cast<loc::MemRegionVal>(&base); 941 if (!baseRegVal) 942 return UnknownVal(); 943 const MemRegion *BaseRegion = baseRegVal->stripCasts(/*StripBases=*/false); 944 945 // Assume the derived class is a pointer or a reference to a CXX record. 946 derivedType = derivedType->getPointeeType(); 947 assert(!derivedType.isNull()); 948 const CXXRecordDecl *DerivedDecl = derivedType->getAsCXXRecordDecl(); 949 if (!DerivedDecl && !derivedType->isVoidType()) 950 return UnknownVal(); 951 952 // Drill down the CXXBaseObject chains, which represent upcasts (casts from 953 // derived to base). 954 const MemRegion *SR = BaseRegion; 955 while (const TypedRegion *TSR = dyn_cast_or_null<TypedRegion>(SR)) { 956 QualType BaseType = TSR->getLocationType()->getPointeeType(); 957 assert(!BaseType.isNull()); 958 const CXXRecordDecl *SRDecl = BaseType->getAsCXXRecordDecl(); 959 if (!SRDecl) 960 return UnknownVal(); 961 962 // If found the derived class, the cast succeeds. 963 if (SRDecl == DerivedDecl) 964 return loc::MemRegionVal(TSR); 965 966 if (!derivedType->isVoidType()) { 967 // Static upcasts are marked as DerivedToBase casts by Sema, so this will 968 // only happen when multiple or virtual inheritance is involved. 969 CXXBasePaths Paths(/*FindAmbiguities=*/false, /*RecordPaths=*/true, 970 /*DetectVirtual=*/false); 971 if (SRDecl->isDerivedFrom(DerivedDecl, Paths)) { 972 SVal Result = loc::MemRegionVal(TSR); 973 const CXXBasePath &Path = *Paths.begin(); 974 for (CXXBasePath::const_iterator I = Path.begin(), E = Path.end(); 975 I != E; ++I) { 976 Result = evalDerivedToBase(Result, I->Base->getType()); 977 } 978 return Result; 979 } 980 } 981 982 if (const CXXBaseObjectRegion *R = dyn_cast<CXXBaseObjectRegion>(TSR)) 983 // Drill down the chain to get the derived classes. 984 SR = R->getSuperRegion(); 985 else { 986 // We reached the bottom of the hierarchy. 987 988 // If this is a cast to void*, return the region. 989 if (derivedType->isVoidType()) 990 return loc::MemRegionVal(TSR); 991 992 // We did not find the derived class. We we must be casting the base to 993 // derived, so the cast should fail. 994 Failed = true; 995 return UnknownVal(); 996 } 997 } 998 999 return UnknownVal(); 1000 } 1001 1002 //===----------------------------------------------------------------------===// 1003 // Loading values from regions. 1004 //===----------------------------------------------------------------------===// 1005 1006 Optional<SVal> RegionStoreManager::getDirectBinding(RegionBindings B, 1007 const MemRegion *R) { 1008 1009 if (const SVal *V = lookup(B, R, BindingKey::Direct)) 1010 return *V; 1011 1012 return Optional<SVal>(); 1013 } 1014 1015 Optional<SVal> RegionStoreManager::getDefaultBinding(RegionBindings B, 1016 const MemRegion *R) { 1017 if (R->isBoundable()) 1018 if (const TypedValueRegion *TR = dyn_cast<TypedValueRegion>(R)) 1019 if (TR->getValueType()->isUnionType()) 1020 return UnknownVal(); 1021 1022 if (const SVal *V = lookup(B, R, BindingKey::Default)) 1023 return *V; 1024 1025 return Optional<SVal>(); 1026 } 1027 1028 SVal RegionStoreManager::getBinding(Store store, Loc L, QualType T) { 1029 assert(!isa<UnknownVal>(L) && "location unknown"); 1030 assert(!isa<UndefinedVal>(L) && "location undefined"); 1031 1032 // For access to concrete addresses, return UnknownVal. Checks 1033 // for null dereferences (and similar errors) are done by checkers, not 1034 // the Store. 1035 // FIXME: We can consider lazily symbolicating such memory, but we really 1036 // should defer this when we can reason easily about symbolicating arrays 1037 // of bytes. 1038 if (isa<loc::ConcreteInt>(L)) { 1039 return UnknownVal(); 1040 } 1041 if (!isa<loc::MemRegionVal>(L)) { 1042 return UnknownVal(); 1043 } 1044 1045 const MemRegion *MR = cast<loc::MemRegionVal>(L).getRegion(); 1046 1047 if (isa<AllocaRegion>(MR) || 1048 isa<SymbolicRegion>(MR) || 1049 isa<CodeTextRegion>(MR)) { 1050 if (T.isNull()) { 1051 if (const TypedRegion *TR = dyn_cast<TypedRegion>(MR)) 1052 T = TR->getLocationType(); 1053 else { 1054 const SymbolicRegion *SR = cast<SymbolicRegion>(MR); 1055 T = SR->getSymbol()->getType(Ctx); 1056 } 1057 } 1058 MR = GetElementZeroRegion(MR, T); 1059 } 1060 1061 // FIXME: Perhaps this method should just take a 'const MemRegion*' argument 1062 // instead of 'Loc', and have the other Loc cases handled at a higher level. 1063 const TypedValueRegion *R = cast<TypedValueRegion>(MR); 1064 QualType RTy = R->getValueType(); 1065 1066 // FIXME: We should eventually handle funny addressing. e.g.: 1067 // 1068 // int x = ...; 1069 // int *p = &x; 1070 // char *q = (char*) p; 1071 // char c = *q; // returns the first byte of 'x'. 1072 // 1073 // Such funny addressing will occur due to layering of regions. 1074 1075 if (RTy->isStructureOrClassType()) 1076 return getBindingForStruct(store, R); 1077 1078 // FIXME: Handle unions. 1079 if (RTy->isUnionType()) 1080 return UnknownVal(); 1081 1082 if (RTy->isArrayType()) { 1083 if (RTy->isConstantArrayType()) 1084 return getBindingForArray(store, R); 1085 else 1086 return UnknownVal(); 1087 } 1088 1089 // FIXME: handle Vector types. 1090 if (RTy->isVectorType()) 1091 return UnknownVal(); 1092 1093 if (const FieldRegion* FR = dyn_cast<FieldRegion>(R)) 1094 return CastRetrievedVal(getBindingForField(store, FR), FR, T, false); 1095 1096 if (const ElementRegion* ER = dyn_cast<ElementRegion>(R)) { 1097 // FIXME: Here we actually perform an implicit conversion from the loaded 1098 // value to the element type. Eventually we want to compose these values 1099 // more intelligently. For example, an 'element' can encompass multiple 1100 // bound regions (e.g., several bound bytes), or could be a subset of 1101 // a larger value. 1102 return CastRetrievedVal(getBindingForElement(store, ER), ER, T, false); 1103 } 1104 1105 if (const ObjCIvarRegion *IVR = dyn_cast<ObjCIvarRegion>(R)) { 1106 // FIXME: Here we actually perform an implicit conversion from the loaded 1107 // value to the ivar type. What we should model is stores to ivars 1108 // that blow past the extent of the ivar. If the address of the ivar is 1109 // reinterpretted, it is possible we stored a different value that could 1110 // fit within the ivar. Either we need to cast these when storing them 1111 // or reinterpret them lazily (as we do here). 1112 return CastRetrievedVal(getBindingForObjCIvar(store, IVR), IVR, T, false); 1113 } 1114 1115 if (const VarRegion *VR = dyn_cast<VarRegion>(R)) { 1116 // FIXME: Here we actually perform an implicit conversion from the loaded 1117 // value to the variable type. What we should model is stores to variables 1118 // that blow past the extent of the variable. If the address of the 1119 // variable is reinterpretted, it is possible we stored a different value 1120 // that could fit within the variable. Either we need to cast these when 1121 // storing them or reinterpret them lazily (as we do here). 1122 return CastRetrievedVal(getBindingForVar(store, VR), VR, T, false); 1123 } 1124 1125 RegionBindings B = GetRegionBindings(store); 1126 const SVal *V = lookup(B, R, BindingKey::Direct); 1127 1128 // Check if the region has a binding. 1129 if (V) 1130 return *V; 1131 1132 // The location does not have a bound value. This means that it has 1133 // the value it had upon its creation and/or entry to the analyzed 1134 // function/method. These are either symbolic values or 'undefined'. 1135 if (R->hasStackNonParametersStorage()) { 1136 // All stack variables are considered to have undefined values 1137 // upon creation. All heap allocated blocks are considered to 1138 // have undefined values as well unless they are explicitly bound 1139 // to specific values. 1140 return UndefinedVal(); 1141 } 1142 1143 // All other values are symbolic. 1144 return svalBuilder.getRegionValueSymbolVal(R); 1145 } 1146 1147 std::pair<Store, const MemRegion *> 1148 RegionStoreManager::GetLazyBinding(RegionBindings B, const MemRegion *R, 1149 const MemRegion *originalRegion, 1150 bool includeSuffix) { 1151 1152 if (originalRegion != R) { 1153 if (Optional<SVal> OV = getDefaultBinding(B, R)) { 1154 if (const nonloc::LazyCompoundVal *V = 1155 dyn_cast<nonloc::LazyCompoundVal>(OV.getPointer())) 1156 return std::make_pair(V->getStore(), V->getRegion()); 1157 } 1158 } 1159 1160 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) { 1161 const std::pair<Store, const MemRegion *> &X = 1162 GetLazyBinding(B, ER->getSuperRegion(), originalRegion); 1163 1164 if (X.second) 1165 return std::make_pair(X.first, 1166 MRMgr.getElementRegionWithSuper(ER, X.second)); 1167 } 1168 else if (const FieldRegion *FR = dyn_cast<FieldRegion>(R)) { 1169 const std::pair<Store, const MemRegion *> &X = 1170 GetLazyBinding(B, FR->getSuperRegion(), originalRegion); 1171 1172 if (X.second) { 1173 if (includeSuffix) 1174 return std::make_pair(X.first, 1175 MRMgr.getFieldRegionWithSuper(FR, X.second)); 1176 return X; 1177 } 1178 1179 } 1180 // C++ base object region is another kind of region that we should blast 1181 // through to look for lazy compound value. It is like a field region. 1182 else if (const CXXBaseObjectRegion *baseReg = 1183 dyn_cast<CXXBaseObjectRegion>(R)) { 1184 const std::pair<Store, const MemRegion *> &X = 1185 GetLazyBinding(B, baseReg->getSuperRegion(), originalRegion); 1186 1187 if (X.second) { 1188 if (includeSuffix) 1189 return std::make_pair(X.first, 1190 MRMgr.getCXXBaseObjectRegionWithSuper(baseReg, 1191 X.second)); 1192 return X; 1193 } 1194 } 1195 1196 // The NULL MemRegion indicates an non-existent lazy binding. A NULL Store is 1197 // possible for a valid lazy binding. 1198 return std::make_pair((Store) 0, (const MemRegion *) 0); 1199 } 1200 1201 SVal RegionStoreManager::getBindingForElement(Store store, 1202 const ElementRegion* R) { 1203 // We do not currently model bindings of the CompoundLiteralregion. 1204 if (isa<CompoundLiteralRegion>(R->getBaseRegion())) 1205 return UnknownVal(); 1206 1207 // Check if the region has a binding. 1208 RegionBindings B = GetRegionBindings(store); 1209 if (const Optional<SVal> &V = getDirectBinding(B, R)) 1210 return *V; 1211 1212 const MemRegion* superR = R->getSuperRegion(); 1213 1214 // Check if the region is an element region of a string literal. 1215 if (const StringRegion *StrR=dyn_cast<StringRegion>(superR)) { 1216 // FIXME: Handle loads from strings where the literal is treated as 1217 // an integer, e.g., *((unsigned int*)"hello") 1218 QualType T = Ctx.getAsArrayType(StrR->getValueType())->getElementType(); 1219 if (T != Ctx.getCanonicalType(R->getElementType())) 1220 return UnknownVal(); 1221 1222 const StringLiteral *Str = StrR->getStringLiteral(); 1223 SVal Idx = R->getIndex(); 1224 if (nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(&Idx)) { 1225 int64_t i = CI->getValue().getSExtValue(); 1226 // Abort on string underrun. This can be possible by arbitrary 1227 // clients of getBindingForElement(). 1228 if (i < 0) 1229 return UndefinedVal(); 1230 int64_t length = Str->getLength(); 1231 // Technically, only i == length is guaranteed to be null. 1232 // However, such overflows should be caught before reaching this point; 1233 // the only time such an access would be made is if a string literal was 1234 // used to initialize a larger array. 1235 char c = (i >= length) ? '\0' : Str->getCodeUnit(i); 1236 return svalBuilder.makeIntVal(c, T); 1237 } 1238 } 1239 1240 // Check for loads from a code text region. For such loads, just give up. 1241 if (isa<CodeTextRegion>(superR)) 1242 return UnknownVal(); 1243 1244 // Handle the case where we are indexing into a larger scalar object. 1245 // For example, this handles: 1246 // int x = ... 1247 // char *y = &x; 1248 // return *y; 1249 // FIXME: This is a hack, and doesn't do anything really intelligent yet. 1250 const RegionRawOffset &O = R->getAsArrayOffset(); 1251 1252 // If we cannot reason about the offset, return an unknown value. 1253 if (!O.getRegion()) 1254 return UnknownVal(); 1255 1256 if (const TypedValueRegion *baseR = 1257 dyn_cast_or_null<TypedValueRegion>(O.getRegion())) { 1258 QualType baseT = baseR->getValueType(); 1259 if (baseT->isScalarType()) { 1260 QualType elemT = R->getElementType(); 1261 if (elemT->isScalarType()) { 1262 if (Ctx.getTypeSizeInChars(baseT) >= Ctx.getTypeSizeInChars(elemT)) { 1263 if (const Optional<SVal> &V = getDirectBinding(B, superR)) { 1264 if (SymbolRef parentSym = V->getAsSymbol()) 1265 return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R); 1266 1267 if (V->isUnknownOrUndef()) 1268 return *V; 1269 // Other cases: give up. We are indexing into a larger object 1270 // that has some value, but we don't know how to handle that yet. 1271 return UnknownVal(); 1272 } 1273 } 1274 } 1275 } 1276 } 1277 return getBindingForFieldOrElementCommon(store, R, R->getElementType(), 1278 superR); 1279 } 1280 1281 SVal RegionStoreManager::getBindingForField(Store store, 1282 const FieldRegion* R) { 1283 1284 // Check if the region has a binding. 1285 RegionBindings B = GetRegionBindings(store); 1286 if (const Optional<SVal> &V = getDirectBinding(B, R)) 1287 return *V; 1288 1289 QualType Ty = R->getValueType(); 1290 return getBindingForFieldOrElementCommon(store, R, Ty, R->getSuperRegion()); 1291 } 1292 1293 Optional<SVal> 1294 RegionStoreManager::getBindingForDerivedDefaultValue(RegionBindings B, 1295 const MemRegion *superR, 1296 const TypedValueRegion *R, 1297 QualType Ty) { 1298 1299 if (const Optional<SVal> &D = getDefaultBinding(B, superR)) { 1300 const SVal &val = D.getValue(); 1301 if (SymbolRef parentSym = val.getAsSymbol()) 1302 return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R); 1303 1304 if (val.isZeroConstant()) 1305 return svalBuilder.makeZeroVal(Ty); 1306 1307 if (val.isUnknownOrUndef()) 1308 return val; 1309 1310 // Lazy bindings are handled later. 1311 if (isa<nonloc::LazyCompoundVal>(val)) 1312 return Optional<SVal>(); 1313 1314 llvm_unreachable("Unknown default value"); 1315 } 1316 1317 return Optional<SVal>(); 1318 } 1319 1320 SVal RegionStoreManager::getLazyBinding(const MemRegion *lazyBindingRegion, 1321 Store lazyBindingStore) { 1322 if (const ElementRegion *ER = dyn_cast<ElementRegion>(lazyBindingRegion)) 1323 return getBindingForElement(lazyBindingStore, ER); 1324 1325 return getBindingForField(lazyBindingStore, 1326 cast<FieldRegion>(lazyBindingRegion)); 1327 } 1328 1329 SVal RegionStoreManager::getBindingForFieldOrElementCommon(Store store, 1330 const TypedValueRegion *R, 1331 QualType Ty, 1332 const MemRegion *superR) { 1333 1334 // At this point we have already checked in either getBindingForElement or 1335 // getBindingForField if 'R' has a direct binding. 1336 RegionBindings B = GetRegionBindings(store); 1337 1338 // Lazy binding? 1339 Store lazyBindingStore = NULL; 1340 const MemRegion *lazyBindingRegion = NULL; 1341 llvm::tie(lazyBindingStore, lazyBindingRegion) = GetLazyBinding(B, R, R, 1342 true); 1343 1344 if (lazyBindingRegion) 1345 return getLazyBinding(lazyBindingRegion, lazyBindingStore); 1346 1347 // Record whether or not we see a symbolic index. That can completely 1348 // be out of scope of our lookup. 1349 bool hasSymbolicIndex = false; 1350 1351 while (superR) { 1352 if (const Optional<SVal> &D = 1353 getBindingForDerivedDefaultValue(B, superR, R, Ty)) 1354 return *D; 1355 1356 if (const ElementRegion *ER = dyn_cast<ElementRegion>(superR)) { 1357 NonLoc index = ER->getIndex(); 1358 if (!index.isConstant()) 1359 hasSymbolicIndex = true; 1360 } 1361 1362 // If our super region is a field or element itself, walk up the region 1363 // hierarchy to see if there is a default value installed in an ancestor. 1364 if (const SubRegion *SR = dyn_cast<SubRegion>(superR)) { 1365 superR = SR->getSuperRegion(); 1366 continue; 1367 } 1368 break; 1369 } 1370 1371 if (R->hasStackNonParametersStorage()) { 1372 if (isa<ElementRegion>(R)) { 1373 // Currently we don't reason specially about Clang-style vectors. Check 1374 // if superR is a vector and if so return Unknown. 1375 if (const TypedValueRegion *typedSuperR = 1376 dyn_cast<TypedValueRegion>(superR)) { 1377 if (typedSuperR->getValueType()->isVectorType()) 1378 return UnknownVal(); 1379 } 1380 } 1381 1382 // FIXME: We also need to take ElementRegions with symbolic indexes into 1383 // account. This case handles both directly accessing an ElementRegion 1384 // with a symbolic offset, but also fields within an element with 1385 // a symbolic offset. 1386 if (hasSymbolicIndex) 1387 return UnknownVal(); 1388 1389 return UndefinedVal(); 1390 } 1391 1392 // All other values are symbolic. 1393 return svalBuilder.getRegionValueSymbolVal(R); 1394 } 1395 1396 SVal RegionStoreManager::getBindingForObjCIvar(Store store, 1397 const ObjCIvarRegion* R) { 1398 1399 // Check if the region has a binding. 1400 RegionBindings B = GetRegionBindings(store); 1401 1402 if (const Optional<SVal> &V = getDirectBinding(B, R)) 1403 return *V; 1404 1405 const MemRegion *superR = R->getSuperRegion(); 1406 1407 // Check if the super region has a default binding. 1408 if (const Optional<SVal> &V = getDefaultBinding(B, superR)) { 1409 if (SymbolRef parentSym = V->getAsSymbol()) 1410 return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R); 1411 1412 // Other cases: give up. 1413 return UnknownVal(); 1414 } 1415 1416 return getBindingForLazySymbol(R); 1417 } 1418 1419 SVal RegionStoreManager::getBindingForVar(Store store, const VarRegion *R) { 1420 1421 // Check if the region has a binding. 1422 RegionBindings B = GetRegionBindings(store); 1423 1424 if (const Optional<SVal> &V = getDirectBinding(B, R)) 1425 return *V; 1426 1427 // Lazily derive a value for the VarRegion. 1428 const VarDecl *VD = R->getDecl(); 1429 QualType T = VD->getType(); 1430 const MemSpaceRegion *MS = R->getMemorySpace(); 1431 1432 if (isa<UnknownSpaceRegion>(MS) || 1433 isa<StackArgumentsSpaceRegion>(MS)) 1434 return svalBuilder.getRegionValueSymbolVal(R); 1435 1436 if (isa<GlobalsSpaceRegion>(MS)) { 1437 if (isa<NonStaticGlobalSpaceRegion>(MS)) { 1438 // Is 'VD' declared constant? If so, retrieve the constant value. 1439 QualType CT = Ctx.getCanonicalType(T); 1440 if (CT.isConstQualified()) { 1441 const Expr *Init = VD->getInit(); 1442 // Do the null check first, as we want to call 'IgnoreParenCasts'. 1443 if (Init) 1444 if (const IntegerLiteral *IL = 1445 dyn_cast<IntegerLiteral>(Init->IgnoreParenCasts())) { 1446 const nonloc::ConcreteInt &V = svalBuilder.makeIntVal(IL); 1447 return svalBuilder.evalCast(V, Init->getType(), IL->getType()); 1448 } 1449 } 1450 1451 if (const Optional<SVal> &V 1452 = getBindingForDerivedDefaultValue(B, MS, R, CT)) 1453 return V.getValue(); 1454 1455 return svalBuilder.getRegionValueSymbolVal(R); 1456 } 1457 1458 if (T->isIntegerType()) 1459 return svalBuilder.makeIntVal(0, T); 1460 if (T->isPointerType()) 1461 return svalBuilder.makeNull(); 1462 1463 return UnknownVal(); 1464 } 1465 1466 return UndefinedVal(); 1467 } 1468 1469 SVal RegionStoreManager::getBindingForLazySymbol(const TypedValueRegion *R) { 1470 // All other values are symbolic. 1471 return svalBuilder.getRegionValueSymbolVal(R); 1472 } 1473 1474 static bool mayHaveLazyBinding(QualType Ty) { 1475 return Ty->isArrayType() || Ty->isStructureOrClassType(); 1476 } 1477 1478 SVal RegionStoreManager::getBindingForStruct(Store store, 1479 const TypedValueRegion* R) { 1480 const RecordDecl *RD = R->getValueType()->castAs<RecordType>()->getDecl(); 1481 if (RD->field_empty()) 1482 return UnknownVal(); 1483 1484 // If we already have a lazy binding, don't create a new one, 1485 // unless the first field might have a lazy binding of its own. 1486 // (Right now we can't tell the difference.) 1487 QualType FirstFieldType = RD->field_begin()->getType(); 1488 if (!mayHaveLazyBinding(FirstFieldType)) { 1489 RegionBindings B = GetRegionBindings(store); 1490 BindingKey K = BindingKey::Make(R, BindingKey::Default); 1491 if (const nonloc::LazyCompoundVal *V = 1492 dyn_cast_or_null<nonloc::LazyCompoundVal>(lookup(B, K))) { 1493 return *V; 1494 } 1495 } 1496 1497 return svalBuilder.makeLazyCompoundVal(StoreRef(store, *this), R); 1498 } 1499 1500 SVal RegionStoreManager::getBindingForArray(Store store, 1501 const TypedValueRegion * R) { 1502 const ConstantArrayType *Ty = Ctx.getAsConstantArrayType(R->getValueType()); 1503 assert(Ty && "Only constant array types can have compound bindings."); 1504 1505 // If we already have a lazy binding, don't create a new one, 1506 // unless the first element might have a lazy binding of its own. 1507 // (Right now we can't tell the difference.) 1508 if (!mayHaveLazyBinding(Ty->getElementType())) { 1509 RegionBindings B = GetRegionBindings(store); 1510 BindingKey K = BindingKey::Make(R, BindingKey::Default); 1511 if (const nonloc::LazyCompoundVal *V = 1512 dyn_cast_or_null<nonloc::LazyCompoundVal>(lookup(B, K))) { 1513 return *V; 1514 } 1515 } 1516 1517 return svalBuilder.makeLazyCompoundVal(StoreRef(store, *this), R); 1518 } 1519 1520 bool RegionStoreManager::includedInBindings(Store store, 1521 const MemRegion *region) const { 1522 RegionBindings B = GetRegionBindings(store); 1523 region = region->getBaseRegion(); 1524 1525 // Quick path: if the base is the head of a cluster, the region is live. 1526 if (B.lookup(region)) 1527 return true; 1528 1529 // Slow path: if the region is the VALUE of any binding, it is live. 1530 for (RegionBindings::iterator RI = B.begin(), RE = B.end(); RI != RE; ++RI) { 1531 const ClusterBindings &Cluster = RI.getData(); 1532 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 1533 CI != CE; ++CI) { 1534 const SVal &D = CI.getData(); 1535 if (const MemRegion *R = D.getAsRegion()) 1536 if (R->getBaseRegion() == region) 1537 return true; 1538 } 1539 } 1540 1541 return false; 1542 } 1543 1544 //===----------------------------------------------------------------------===// 1545 // Binding values to regions. 1546 //===----------------------------------------------------------------------===// 1547 1548 StoreRef RegionStoreManager::killBinding(Store ST, Loc L) { 1549 if (isa<loc::MemRegionVal>(L)) 1550 if (const MemRegion* R = cast<loc::MemRegionVal>(L).getRegion()) 1551 return StoreRef(removeBinding(GetRegionBindings(ST), 1552 R).getRootWithoutRetain(), 1553 *this); 1554 1555 return StoreRef(ST, *this); 1556 } 1557 1558 StoreRef RegionStoreManager::Bind(Store store, Loc L, SVal V) { 1559 if (isa<loc::ConcreteInt>(L)) 1560 return StoreRef(store, *this); 1561 1562 // If we get here, the location should be a region. 1563 const MemRegion *R = cast<loc::MemRegionVal>(L).getRegion(); 1564 1565 // Check if the region is a struct region. 1566 if (const TypedValueRegion* TR = dyn_cast<TypedValueRegion>(R)) { 1567 QualType Ty = TR->getValueType(); 1568 if (Ty->isArrayType()) 1569 return BindArray(store, TR, V); 1570 if (Ty->isStructureOrClassType()) 1571 return BindStruct(store, TR, V); 1572 if (Ty->isVectorType()) 1573 return BindVector(store, TR, V); 1574 } 1575 1576 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) { 1577 // Binding directly to a symbolic region should be treated as binding 1578 // to element 0. 1579 QualType T = SR->getSymbol()->getType(Ctx); 1580 1581 // FIXME: Is this the right way to handle symbols that are references? 1582 if (const PointerType *PT = T->getAs<PointerType>()) 1583 T = PT->getPointeeType(); 1584 else 1585 T = T->getAs<ReferenceType>()->getPointeeType(); 1586 1587 R = GetElementZeroRegion(SR, T); 1588 } 1589 1590 // Clear out bindings that may overlap with this binding. 1591 1592 // Perform the binding. 1593 RegionBindings B = GetRegionBindings(store); 1594 B = removeSubRegionBindings(B, cast<SubRegion>(R)); 1595 BindingKey Key = BindingKey::Make(R, BindingKey::Direct); 1596 return StoreRef(addBinding(B, Key, V).getRootWithoutRetain(), *this); 1597 } 1598 1599 // FIXME: this method should be merged into Bind(). 1600 StoreRef RegionStoreManager::bindCompoundLiteral(Store ST, 1601 const CompoundLiteralExpr *CL, 1602 const LocationContext *LC, 1603 SVal V) { 1604 return Bind(ST, loc::MemRegionVal(MRMgr.getCompoundLiteralRegion(CL, LC)), V); 1605 } 1606 1607 StoreRef RegionStoreManager::setImplicitDefaultValue(Store store, 1608 const MemRegion *R, 1609 QualType T) { 1610 RegionBindings B = GetRegionBindings(store); 1611 SVal V; 1612 1613 if (Loc::isLocType(T)) 1614 V = svalBuilder.makeNull(); 1615 else if (T->isIntegerType()) 1616 V = svalBuilder.makeZeroVal(T); 1617 else if (T->isStructureOrClassType() || T->isArrayType()) { 1618 // Set the default value to a zero constant when it is a structure 1619 // or array. The type doesn't really matter. 1620 V = svalBuilder.makeZeroVal(Ctx.IntTy); 1621 } 1622 else { 1623 // We can't represent values of this type, but we still need to set a value 1624 // to record that the region has been initialized. 1625 // If this assertion ever fires, a new case should be added above -- we 1626 // should know how to default-initialize any value we can symbolicate. 1627 assert(!SymbolManager::canSymbolicate(T) && "This type is representable"); 1628 V = UnknownVal(); 1629 } 1630 1631 return StoreRef(addBinding(B, R, BindingKey::Default, 1632 V).getRootWithoutRetain(), *this); 1633 } 1634 1635 StoreRef RegionStoreManager::BindArray(Store store, const TypedValueRegion* R, 1636 SVal Init) { 1637 1638 const ArrayType *AT =cast<ArrayType>(Ctx.getCanonicalType(R->getValueType())); 1639 QualType ElementTy = AT->getElementType(); 1640 Optional<uint64_t> Size; 1641 1642 if (const ConstantArrayType* CAT = dyn_cast<ConstantArrayType>(AT)) 1643 Size = CAT->getSize().getZExtValue(); 1644 1645 // Check if the init expr is a string literal. 1646 if (loc::MemRegionVal *MRV = dyn_cast<loc::MemRegionVal>(&Init)) { 1647 const StringRegion *S = cast<StringRegion>(MRV->getRegion()); 1648 1649 // Treat the string as a lazy compound value. 1650 nonloc::LazyCompoundVal LCV = 1651 cast<nonloc::LazyCompoundVal>(svalBuilder. 1652 makeLazyCompoundVal(StoreRef(store, *this), S)); 1653 return BindAggregate(store, R, LCV); 1654 } 1655 1656 // Handle lazy compound values. 1657 if (isa<nonloc::LazyCompoundVal>(Init)) 1658 return BindAggregate(store, R, Init); 1659 1660 // Remaining case: explicit compound values. 1661 1662 if (Init.isUnknown()) 1663 return setImplicitDefaultValue(store, R, ElementTy); 1664 1665 nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(Init); 1666 nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end(); 1667 uint64_t i = 0; 1668 1669 StoreRef newStore(store, *this); 1670 for (; Size.hasValue() ? i < Size.getValue() : true ; ++i, ++VI) { 1671 // The init list might be shorter than the array length. 1672 if (VI == VE) 1673 break; 1674 1675 const NonLoc &Idx = svalBuilder.makeArrayIndex(i); 1676 const ElementRegion *ER = MRMgr.getElementRegion(ElementTy, Idx, R, Ctx); 1677 1678 if (ElementTy->isStructureOrClassType()) 1679 newStore = BindStruct(newStore.getStore(), ER, *VI); 1680 else if (ElementTy->isArrayType()) 1681 newStore = BindArray(newStore.getStore(), ER, *VI); 1682 else 1683 newStore = Bind(newStore.getStore(), svalBuilder.makeLoc(ER), *VI); 1684 } 1685 1686 // If the init list is shorter than the array length, set the 1687 // array default value. 1688 if (Size.hasValue() && i < Size.getValue()) 1689 newStore = setImplicitDefaultValue(newStore.getStore(), R, ElementTy); 1690 1691 return newStore; 1692 } 1693 1694 StoreRef RegionStoreManager::BindVector(Store store, const TypedValueRegion* R, 1695 SVal V) { 1696 QualType T = R->getValueType(); 1697 assert(T->isVectorType()); 1698 const VectorType *VT = T->getAs<VectorType>(); // Use getAs for typedefs. 1699 1700 // Handle lazy compound values and symbolic values. 1701 if (isa<nonloc::LazyCompoundVal>(V) || isa<nonloc::SymbolVal>(V)) 1702 return BindAggregate(store, R, V); 1703 1704 // We may get non-CompoundVal accidentally due to imprecise cast logic or 1705 // that we are binding symbolic struct value. Kill the field values, and if 1706 // the value is symbolic go and bind it as a "default" binding. 1707 if (!isa<nonloc::CompoundVal>(V)) { 1708 return BindAggregate(store, R, UnknownVal()); 1709 } 1710 1711 QualType ElemType = VT->getElementType(); 1712 nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(V); 1713 nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end(); 1714 unsigned index = 0, numElements = VT->getNumElements(); 1715 StoreRef newStore(store, *this); 1716 1717 for ( ; index != numElements ; ++index) { 1718 if (VI == VE) 1719 break; 1720 1721 NonLoc Idx = svalBuilder.makeArrayIndex(index); 1722 const ElementRegion *ER = MRMgr.getElementRegion(ElemType, Idx, R, Ctx); 1723 1724 if (ElemType->isArrayType()) 1725 newStore = BindArray(newStore.getStore(), ER, *VI); 1726 else if (ElemType->isStructureOrClassType()) 1727 newStore = BindStruct(newStore.getStore(), ER, *VI); 1728 else 1729 newStore = Bind(newStore.getStore(), svalBuilder.makeLoc(ER), *VI); 1730 } 1731 return newStore; 1732 } 1733 1734 StoreRef RegionStoreManager::BindStruct(Store store, const TypedValueRegion* R, 1735 SVal V) { 1736 1737 if (!Features.supportsFields()) 1738 return StoreRef(store, *this); 1739 1740 QualType T = R->getValueType(); 1741 assert(T->isStructureOrClassType()); 1742 1743 const RecordType* RT = T->getAs<RecordType>(); 1744 RecordDecl *RD = RT->getDecl(); 1745 1746 if (!RD->isCompleteDefinition()) 1747 return StoreRef(store, *this); 1748 1749 // Handle lazy compound values and symbolic values. 1750 if (isa<nonloc::LazyCompoundVal>(V) || isa<nonloc::SymbolVal>(V)) 1751 return BindAggregate(store, R, V); 1752 1753 // We may get non-CompoundVal accidentally due to imprecise cast logic or 1754 // that we are binding symbolic struct value. Kill the field values, and if 1755 // the value is symbolic go and bind it as a "default" binding. 1756 if (V.isUnknown() || !isa<nonloc::CompoundVal>(V)) 1757 return BindAggregate(store, R, UnknownVal()); 1758 1759 nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(V); 1760 nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end(); 1761 1762 RecordDecl::field_iterator FI, FE; 1763 StoreRef newStore(store, *this); 1764 1765 for (FI = RD->field_begin(), FE = RD->field_end(); FI != FE; ++FI) { 1766 1767 if (VI == VE) 1768 break; 1769 1770 // Skip any unnamed bitfields to stay in sync with the initializers. 1771 if (FI->isUnnamedBitfield()) 1772 continue; 1773 1774 QualType FTy = FI->getType(); 1775 const FieldRegion* FR = MRMgr.getFieldRegion(*FI, R); 1776 1777 if (FTy->isArrayType()) 1778 newStore = BindArray(newStore.getStore(), FR, *VI); 1779 else if (FTy->isStructureOrClassType()) 1780 newStore = BindStruct(newStore.getStore(), FR, *VI); 1781 else 1782 newStore = Bind(newStore.getStore(), svalBuilder.makeLoc(FR), *VI); 1783 ++VI; 1784 } 1785 1786 // There may be fewer values in the initialize list than the fields of struct. 1787 if (FI != FE) { 1788 RegionBindings B = GetRegionBindings(newStore.getStore()); 1789 B = addBinding(B, R, BindingKey::Default, svalBuilder.makeIntVal(0, false)); 1790 newStore = StoreRef(B.getRootWithoutRetain(), *this); 1791 } 1792 1793 return newStore; 1794 } 1795 1796 StoreRef RegionStoreManager::BindAggregate(Store store, const TypedRegion *R, 1797 SVal Val) { 1798 // Remove the old bindings, using 'R' as the root of all regions 1799 // we will invalidate. Then add the new binding. 1800 RegionBindings B = GetRegionBindings(store); 1801 1802 B = removeSubRegionBindings(B, R); 1803 B = addBinding(B, R, BindingKey::Default, Val); 1804 1805 return StoreRef(B.getRootWithoutRetain(), *this); 1806 } 1807 1808 //===----------------------------------------------------------------------===// 1809 // "Raw" retrievals and bindings. 1810 //===----------------------------------------------------------------------===// 1811 1812 1813 RegionBindings RegionStoreManager::addBinding(RegionBindings B, BindingKey K, 1814 SVal V) { 1815 const MemRegion *Base = K.getBaseRegion(); 1816 1817 const ClusterBindings *ExistingCluster = B.lookup(Base); 1818 ClusterBindings Cluster = (ExistingCluster ? *ExistingCluster 1819 : CBFactory.getEmptyMap()); 1820 1821 ClusterBindings NewCluster = CBFactory.add(Cluster, K, V); 1822 return RBFactory.add(B, Base, NewCluster); 1823 } 1824 1825 RegionBindings RegionStoreManager::addBinding(RegionBindings B, 1826 const MemRegion *R, 1827 BindingKey::Kind k, SVal V) { 1828 return addBinding(B, BindingKey::Make(R, k), V); 1829 } 1830 1831 const SVal *RegionStoreManager::lookup(RegionBindings B, BindingKey K) { 1832 const ClusterBindings *Cluster = B.lookup(K.getBaseRegion()); 1833 if (!Cluster) 1834 return 0; 1835 1836 return Cluster->lookup(K); 1837 } 1838 1839 const SVal *RegionStoreManager::lookup(RegionBindings B, 1840 const MemRegion *R, 1841 BindingKey::Kind k) { 1842 return lookup(B, BindingKey::Make(R, k)); 1843 } 1844 1845 RegionBindings RegionStoreManager::removeBinding(RegionBindings B, 1846 BindingKey K) { 1847 const MemRegion *Base = K.getBaseRegion(); 1848 const ClusterBindings *Cluster = B.lookup(Base); 1849 if (!Cluster) 1850 return B; 1851 1852 ClusterBindings NewCluster = CBFactory.remove(*Cluster, K); 1853 if (NewCluster.isEmpty()) 1854 return RBFactory.remove(B, Base); 1855 return RBFactory.add(B, Base, NewCluster); 1856 } 1857 1858 RegionBindings RegionStoreManager::removeBinding(RegionBindings B, 1859 const MemRegion *R, 1860 BindingKey::Kind k){ 1861 return removeBinding(B, BindingKey::Make(R, k)); 1862 } 1863 1864 RegionBindings RegionStoreManager::removeCluster(RegionBindings B, 1865 const MemRegion *Base) { 1866 return RBFactory.remove(B, Base); 1867 } 1868 1869 //===----------------------------------------------------------------------===// 1870 // State pruning. 1871 //===----------------------------------------------------------------------===// 1872 1873 namespace { 1874 class removeDeadBindingsWorker : 1875 public ClusterAnalysis<removeDeadBindingsWorker> { 1876 SmallVector<const SymbolicRegion*, 12> Postponed; 1877 SymbolReaper &SymReaper; 1878 const StackFrameContext *CurrentLCtx; 1879 1880 public: 1881 removeDeadBindingsWorker(RegionStoreManager &rm, 1882 ProgramStateManager &stateMgr, 1883 RegionBindings b, SymbolReaper &symReaper, 1884 const StackFrameContext *LCtx) 1885 : ClusterAnalysis<removeDeadBindingsWorker>(rm, stateMgr, b, 1886 /* includeGlobals = */ false), 1887 SymReaper(symReaper), CurrentLCtx(LCtx) {} 1888 1889 // Called by ClusterAnalysis. 1890 void VisitAddedToCluster(const MemRegion *baseR, const ClusterBindings &C); 1891 void VisitCluster(const MemRegion *baseR, const ClusterBindings &C); 1892 1893 void VisitBindingKey(BindingKey K); 1894 bool UpdatePostponed(); 1895 void VisitBinding(SVal V); 1896 }; 1897 } 1898 1899 void removeDeadBindingsWorker::VisitAddedToCluster(const MemRegion *baseR, 1900 const ClusterBindings &C) { 1901 1902 if (const VarRegion *VR = dyn_cast<VarRegion>(baseR)) { 1903 if (SymReaper.isLive(VR)) 1904 AddToWorkList(baseR, &C); 1905 1906 return; 1907 } 1908 1909 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(baseR)) { 1910 if (SymReaper.isLive(SR->getSymbol())) 1911 AddToWorkList(SR, &C); 1912 else 1913 Postponed.push_back(SR); 1914 1915 return; 1916 } 1917 1918 if (isa<NonStaticGlobalSpaceRegion>(baseR)) { 1919 AddToWorkList(baseR, &C); 1920 return; 1921 } 1922 1923 // CXXThisRegion in the current or parent location context is live. 1924 if (const CXXThisRegion *TR = dyn_cast<CXXThisRegion>(baseR)) { 1925 const StackArgumentsSpaceRegion *StackReg = 1926 cast<StackArgumentsSpaceRegion>(TR->getSuperRegion()); 1927 const StackFrameContext *RegCtx = StackReg->getStackFrame(); 1928 if (RegCtx == CurrentLCtx || RegCtx->isParentOf(CurrentLCtx)) 1929 AddToWorkList(TR, &C); 1930 } 1931 } 1932 1933 void removeDeadBindingsWorker::VisitCluster(const MemRegion *baseR, 1934 const ClusterBindings &C) { 1935 for (ClusterBindings::iterator I = C.begin(), E = C.end(); I != E; ++I) { 1936 VisitBindingKey(I.getKey()); 1937 VisitBinding(I.getData()); 1938 } 1939 } 1940 1941 void removeDeadBindingsWorker::VisitBinding(SVal V) { 1942 // Is it a LazyCompoundVal? All referenced regions are live as well. 1943 if (const nonloc::LazyCompoundVal *LCS = 1944 dyn_cast<nonloc::LazyCompoundVal>(&V)) { 1945 1946 const MemRegion *LazyR = LCS->getRegion(); 1947 RegionBindings B = RegionStoreManager::GetRegionBindings(LCS->getStore()); 1948 1949 // FIXME: This should not have to walk all bindings in the old store. 1950 for (RegionBindings::iterator RI = B.begin(), RE = B.end(); RI != RE; ++RI){ 1951 const ClusterBindings &Cluster = RI.getData(); 1952 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 1953 CI != CE; ++CI) { 1954 BindingKey K = CI.getKey(); 1955 if (const SubRegion *BaseR = dyn_cast<SubRegion>(K.getRegion())) { 1956 if (BaseR == LazyR) 1957 VisitBinding(CI.getData()); 1958 else if (K.hasSymbolicOffset() && BaseR->isSubRegionOf(LazyR)) 1959 VisitBinding(CI.getData()); 1960 } 1961 } 1962 } 1963 1964 return; 1965 } 1966 1967 // If V is a region, then add it to the worklist. 1968 if (const MemRegion *R = V.getAsRegion()) { 1969 AddToWorkList(R); 1970 1971 // All regions captured by a block are also live. 1972 if (const BlockDataRegion *BR = dyn_cast<BlockDataRegion>(R)) { 1973 BlockDataRegion::referenced_vars_iterator I = BR->referenced_vars_begin(), 1974 E = BR->referenced_vars_end(); 1975 for ( ; I != E; ++I) 1976 AddToWorkList(I.getCapturedRegion()); 1977 } 1978 } 1979 1980 1981 // Update the set of live symbols. 1982 for (SymExpr::symbol_iterator SI = V.symbol_begin(), SE = V.symbol_end(); 1983 SI!=SE; ++SI) 1984 SymReaper.markLive(*SI); 1985 } 1986 1987 void removeDeadBindingsWorker::VisitBindingKey(BindingKey K) { 1988 const MemRegion *R = K.getRegion(); 1989 1990 // Mark this region "live" by adding it to the worklist. This will cause 1991 // use to visit all regions in the cluster (if we haven't visited them 1992 // already). 1993 if (AddToWorkList(R)) { 1994 // Mark the symbol for any live SymbolicRegion as "live". This means we 1995 // should continue to track that symbol. 1996 if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(R)) 1997 SymReaper.markLive(SymR->getSymbol()); 1998 } 1999 } 2000 2001 bool removeDeadBindingsWorker::UpdatePostponed() { 2002 // See if any postponed SymbolicRegions are actually live now, after 2003 // having done a scan. 2004 bool changed = false; 2005 2006 for (SmallVectorImpl<const SymbolicRegion*>::iterator 2007 I = Postponed.begin(), E = Postponed.end() ; I != E ; ++I) { 2008 if (const SymbolicRegion *SR = cast_or_null<SymbolicRegion>(*I)) { 2009 if (SymReaper.isLive(SR->getSymbol())) { 2010 changed |= AddToWorkList(SR); 2011 *I = NULL; 2012 } 2013 } 2014 } 2015 2016 return changed; 2017 } 2018 2019 StoreRef RegionStoreManager::removeDeadBindings(Store store, 2020 const StackFrameContext *LCtx, 2021 SymbolReaper& SymReaper) { 2022 RegionBindings B = GetRegionBindings(store); 2023 removeDeadBindingsWorker W(*this, StateMgr, B, SymReaper, LCtx); 2024 W.GenerateClusters(); 2025 2026 // Enqueue the region roots onto the worklist. 2027 for (SymbolReaper::region_iterator I = SymReaper.region_begin(), 2028 E = SymReaper.region_end(); I != E; ++I) { 2029 W.AddToWorkList(*I); 2030 } 2031 2032 do W.RunWorkList(); while (W.UpdatePostponed()); 2033 2034 // We have now scanned the store, marking reachable regions and symbols 2035 // as live. We now remove all the regions that are dead from the store 2036 // as well as update DSymbols with the set symbols that are now dead. 2037 for (RegionBindings::iterator I = B.begin(), E = B.end(); I != E; ++I) { 2038 const MemRegion *Base = I.getKey(); 2039 2040 // If the cluster has been visited, we know the region has been marked. 2041 if (W.isVisited(Base)) 2042 continue; 2043 2044 // Remove the dead entry. 2045 B = removeCluster(B, Base); 2046 2047 if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(Base)) 2048 SymReaper.maybeDead(SymR->getSymbol()); 2049 2050 // Mark all non-live symbols that this binding references as dead. 2051 const ClusterBindings &Cluster = I.getData(); 2052 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 2053 CI != CE; ++CI) { 2054 SVal X = CI.getData(); 2055 SymExpr::symbol_iterator SI = X.symbol_begin(), SE = X.symbol_end(); 2056 for (; SI != SE; ++SI) 2057 SymReaper.maybeDead(*SI); 2058 } 2059 } 2060 2061 return StoreRef(B.getRootWithoutRetain(), *this); 2062 } 2063 2064 //===----------------------------------------------------------------------===// 2065 // Utility methods. 2066 //===----------------------------------------------------------------------===// 2067 2068 void RegionStoreManager::print(Store store, raw_ostream &OS, 2069 const char* nl, const char *sep) { 2070 RegionBindings B = GetRegionBindings(store); 2071 OS << "Store (direct and default bindings), " 2072 << (void*) B.getRootWithoutRetain() 2073 << " :" << nl; 2074 2075 for (RegionBindings::iterator I = B.begin(), E = B.end(); I != E; ++I) { 2076 const ClusterBindings &Cluster = I.getData(); 2077 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 2078 CI != CE; ++CI) { 2079 OS << ' ' << CI.getKey() << " : " << CI.getData() << nl; 2080 } 2081 OS << nl; 2082 } 2083 } 2084