1 //== RegionStore.cpp - Field-sensitive store model --------------*- C++ -*--==// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines a basic region store model. In this model, we do have field 11 // sensitivity. But we assume nothing about the heap shape. So recursive data 12 // structures are largely ignored. Basically we do 1-limiting analysis. 13 // Parameter pointers are assumed with no aliasing. Pointee objects of 14 // parameters are created lazily. 15 // 16 //===----------------------------------------------------------------------===// 17 #include "clang/AST/Attr.h" 18 #include "clang/AST/CharUnits.h" 19 #include "clang/Analysis/Analyses/LiveVariables.h" 20 #include "clang/Analysis/AnalysisContext.h" 21 #include "clang/Basic/TargetInfo.h" 22 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 23 #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 26 #include "llvm/ADT/ImmutableList.h" 27 #include "llvm/ADT/ImmutableMap.h" 28 #include "llvm/ADT/Optional.h" 29 #include "llvm/Support/raw_ostream.h" 30 31 using namespace clang; 32 using namespace ento; 33 using llvm::Optional; 34 35 //===----------------------------------------------------------------------===// 36 // Representation of binding keys. 37 //===----------------------------------------------------------------------===// 38 39 namespace { 40 class BindingKey { 41 public: 42 enum Kind { Default = 0x0, Direct = 0x1 }; 43 private: 44 enum { Symbolic = 0x2 }; 45 46 llvm::PointerIntPair<const MemRegion *, 2> P; 47 uint64_t Data; 48 49 explicit BindingKey(const MemRegion *r, const MemRegion *Base, Kind k) 50 : P(r, k | Symbolic), Data(reinterpret_cast<uintptr_t>(Base)) { 51 assert(r && Base && "Must have known regions."); 52 assert(getConcreteOffsetRegion() == Base && "Failed to store base region"); 53 } 54 explicit BindingKey(const MemRegion *r, uint64_t offset, Kind k) 55 : P(r, k), Data(offset) { 56 assert(r && "Must have known regions."); 57 assert(getOffset() == offset && "Failed to store offset"); 58 assert((r == r->getBaseRegion() || isa<ObjCIvarRegion>(r)) && "Not a base"); 59 } 60 public: 61 62 bool isDirect() const { return P.getInt() & Direct; } 63 bool hasSymbolicOffset() const { return P.getInt() & Symbolic; } 64 65 const MemRegion *getRegion() const { return P.getPointer(); } 66 uint64_t getOffset() const { 67 assert(!hasSymbolicOffset()); 68 return Data; 69 } 70 71 const MemRegion *getConcreteOffsetRegion() const { 72 assert(hasSymbolicOffset()); 73 return reinterpret_cast<const MemRegion *>(static_cast<uintptr_t>(Data)); 74 } 75 76 const MemRegion *getBaseRegion() const { 77 if (hasSymbolicOffset()) 78 return getConcreteOffsetRegion()->getBaseRegion(); 79 return getRegion()->getBaseRegion(); 80 } 81 82 void Profile(llvm::FoldingSetNodeID& ID) const { 83 ID.AddPointer(P.getOpaqueValue()); 84 ID.AddInteger(Data); 85 } 86 87 static BindingKey Make(const MemRegion *R, Kind k); 88 89 bool operator<(const BindingKey &X) const { 90 if (P.getOpaqueValue() < X.P.getOpaqueValue()) 91 return true; 92 if (P.getOpaqueValue() > X.P.getOpaqueValue()) 93 return false; 94 return Data < X.Data; 95 } 96 97 bool operator==(const BindingKey &X) const { 98 return P.getOpaqueValue() == X.P.getOpaqueValue() && 99 Data == X.Data; 100 } 101 102 LLVM_ATTRIBUTE_USED void dump() const; 103 }; 104 } // end anonymous namespace 105 106 BindingKey BindingKey::Make(const MemRegion *R, Kind k) { 107 const RegionOffset &RO = R->getAsOffset(); 108 if (RO.hasSymbolicOffset()) 109 return BindingKey(R, RO.getRegion(), k); 110 111 return BindingKey(RO.getRegion(), RO.getOffset(), k); 112 } 113 114 namespace llvm { 115 static inline 116 raw_ostream &operator<<(raw_ostream &os, BindingKey K) { 117 os << '(' << K.getRegion(); 118 if (!K.hasSymbolicOffset()) 119 os << ',' << K.getOffset(); 120 os << ',' << (K.isDirect() ? "direct" : "default") 121 << ')'; 122 return os; 123 } 124 } // end llvm namespace 125 126 void BindingKey::dump() const { 127 llvm::errs() << *this; 128 } 129 130 //===----------------------------------------------------------------------===// 131 // Actual Store type. 132 //===----------------------------------------------------------------------===// 133 134 typedef llvm::ImmutableMap<BindingKey, SVal> ClusterBindings; 135 typedef llvm::ImmutableMapRef<BindingKey, SVal> ClusterBindingsRef; 136 137 typedef llvm::ImmutableMap<const MemRegion *, ClusterBindings> 138 RegionBindings; 139 140 namespace { 141 class RegionBindingsRef : public llvm::ImmutableMapRef<const MemRegion *, 142 ClusterBindings> { 143 ClusterBindings::Factory &CBFactory; 144 public: 145 typedef llvm::ImmutableMapRef<const MemRegion *, ClusterBindings> 146 ParentTy; 147 148 RegionBindingsRef(ClusterBindings::Factory &CBFactory, 149 const RegionBindings::TreeTy *T, 150 RegionBindings::TreeTy::Factory *F) 151 : llvm::ImmutableMapRef<const MemRegion *, ClusterBindings>(T, F), 152 CBFactory(CBFactory) {} 153 154 RegionBindingsRef(const ParentTy &P, ClusterBindings::Factory &CBFactory) 155 : llvm::ImmutableMapRef<const MemRegion *, ClusterBindings>(P), 156 CBFactory(CBFactory) {} 157 158 RegionBindingsRef add(key_type_ref K, data_type_ref D) const { 159 return RegionBindingsRef(static_cast<const ParentTy*>(this)->add(K, D), 160 CBFactory); 161 } 162 163 RegionBindingsRef remove(key_type_ref K) const { 164 return RegionBindingsRef(static_cast<const ParentTy*>(this)->remove(K), 165 CBFactory); 166 } 167 168 RegionBindingsRef addBinding(BindingKey K, SVal V) const; 169 170 RegionBindingsRef addBinding(const MemRegion *R, 171 BindingKey::Kind k, SVal V) const; 172 173 RegionBindingsRef &operator=(const RegionBindingsRef &X) { 174 *static_cast<ParentTy*>(this) = X; 175 return *this; 176 } 177 178 const SVal *lookup(BindingKey K) const; 179 const SVal *lookup(const MemRegion *R, BindingKey::Kind k) const; 180 const ClusterBindings *lookup(const MemRegion *R) const { 181 return static_cast<const ParentTy*>(this)->lookup(R); 182 } 183 184 RegionBindingsRef removeBinding(BindingKey K); 185 186 RegionBindingsRef removeBinding(const MemRegion *R, 187 BindingKey::Kind k); 188 189 RegionBindingsRef removeBinding(const MemRegion *R) { 190 return removeBinding(R, BindingKey::Direct). 191 removeBinding(R, BindingKey::Default); 192 } 193 194 Optional<SVal> getDirectBinding(const MemRegion *R) const; 195 196 /// getDefaultBinding - Returns an SVal* representing an optional default 197 /// binding associated with a region and its subregions. 198 Optional<SVal> getDefaultBinding(const MemRegion *R) const; 199 200 /// Return the internal tree as a Store. 201 Store asStore() const { 202 return asImmutableMap().getRootWithoutRetain(); 203 } 204 205 void dump(raw_ostream &OS, const char *nl) const { 206 for (iterator I = begin(), E = end(); I != E; ++I) { 207 const ClusterBindings &Cluster = I.getData(); 208 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 209 CI != CE; ++CI) { 210 OS << ' ' << CI.getKey() << " : " << CI.getData() << nl; 211 } 212 OS << nl; 213 } 214 } 215 216 LLVM_ATTRIBUTE_USED void dump() const { 217 dump(llvm::errs(), "\n"); 218 } 219 }; 220 } // end anonymous namespace 221 222 typedef const RegionBindingsRef& RegionBindingsConstRef; 223 224 Optional<SVal> RegionBindingsRef::getDirectBinding(const MemRegion *R) const { 225 if (const SVal *V = lookup(R, BindingKey::Direct)) 226 return *V; 227 return Optional<SVal>(); 228 } 229 230 Optional<SVal> RegionBindingsRef::getDefaultBinding(const MemRegion *R) const { 231 if (R->isBoundable()) 232 if (const TypedValueRegion *TR = dyn_cast<TypedValueRegion>(R)) 233 if (TR->getValueType()->isUnionType()) 234 return UnknownVal(); 235 if (const SVal *V = lookup(R, BindingKey::Default)) 236 return *V; 237 return Optional<SVal>(); 238 } 239 240 RegionBindingsRef RegionBindingsRef::addBinding(BindingKey K, SVal V) const { 241 const MemRegion *Base = K.getBaseRegion(); 242 243 const ClusterBindings *ExistingCluster = lookup(Base); 244 ClusterBindings Cluster = (ExistingCluster ? *ExistingCluster 245 : CBFactory.getEmptyMap()); 246 247 ClusterBindings NewCluster = CBFactory.add(Cluster, K, V); 248 return add(Base, NewCluster); 249 } 250 251 252 RegionBindingsRef RegionBindingsRef::addBinding(const MemRegion *R, 253 BindingKey::Kind k, 254 SVal V) const { 255 return addBinding(BindingKey::Make(R, k), V); 256 } 257 258 const SVal *RegionBindingsRef::lookup(BindingKey K) const { 259 const ClusterBindings *Cluster = lookup(K.getBaseRegion()); 260 if (!Cluster) 261 return 0; 262 return Cluster->lookup(K); 263 } 264 265 const SVal *RegionBindingsRef::lookup(const MemRegion *R, 266 BindingKey::Kind k) const { 267 return lookup(BindingKey::Make(R, k)); 268 } 269 270 RegionBindingsRef RegionBindingsRef::removeBinding(BindingKey K) { 271 const MemRegion *Base = K.getBaseRegion(); 272 const ClusterBindings *Cluster = lookup(Base); 273 if (!Cluster) 274 return *this; 275 276 ClusterBindings NewCluster = CBFactory.remove(*Cluster, K); 277 if (NewCluster.isEmpty()) 278 return remove(Base); 279 return add(Base, NewCluster); 280 } 281 282 RegionBindingsRef RegionBindingsRef::removeBinding(const MemRegion *R, 283 BindingKey::Kind k){ 284 return removeBinding(BindingKey::Make(R, k)); 285 } 286 287 //===----------------------------------------------------------------------===// 288 // Fine-grained control of RegionStoreManager. 289 //===----------------------------------------------------------------------===// 290 291 namespace { 292 struct minimal_features_tag {}; 293 struct maximal_features_tag {}; 294 295 class RegionStoreFeatures { 296 bool SupportsFields; 297 public: 298 RegionStoreFeatures(minimal_features_tag) : 299 SupportsFields(false) {} 300 301 RegionStoreFeatures(maximal_features_tag) : 302 SupportsFields(true) {} 303 304 void enableFields(bool t) { SupportsFields = t; } 305 306 bool supportsFields() const { return SupportsFields; } 307 }; 308 } 309 310 //===----------------------------------------------------------------------===// 311 // Main RegionStore logic. 312 //===----------------------------------------------------------------------===// 313 314 namespace { 315 316 class RegionStoreManager : public StoreManager { 317 public: 318 const RegionStoreFeatures Features; 319 RegionBindings::Factory RBFactory; 320 mutable ClusterBindings::Factory CBFactory; 321 322 RegionStoreManager(ProgramStateManager& mgr, const RegionStoreFeatures &f) 323 : StoreManager(mgr), Features(f), 324 RBFactory(mgr.getAllocator()), CBFactory(mgr.getAllocator()) {} 325 326 327 /// setImplicitDefaultValue - Set the default binding for the provided 328 /// MemRegion to the value implicitly defined for compound literals when 329 /// the value is not specified. 330 RegionBindingsRef setImplicitDefaultValue(RegionBindingsConstRef B, 331 const MemRegion *R, QualType T); 332 333 /// ArrayToPointer - Emulates the "decay" of an array to a pointer 334 /// type. 'Array' represents the lvalue of the array being decayed 335 /// to a pointer, and the returned SVal represents the decayed 336 /// version of that lvalue (i.e., a pointer to the first element of 337 /// the array). This is called by ExprEngine when evaluating 338 /// casts from arrays to pointers. 339 SVal ArrayToPointer(Loc Array); 340 341 StoreRef getInitialStore(const LocationContext *InitLoc) { 342 return StoreRef(RBFactory.getEmptyMap().getRootWithoutRetain(), *this); 343 } 344 345 //===-------------------------------------------------------------------===// 346 // Binding values to regions. 347 //===-------------------------------------------------------------------===// 348 RegionBindingsRef invalidateGlobalRegion(MemRegion::Kind K, 349 const Expr *Ex, 350 unsigned Count, 351 const LocationContext *LCtx, 352 RegionBindingsRef B, 353 InvalidatedRegions *Invalidated); 354 355 StoreRef invalidateRegions(Store store, ArrayRef<const MemRegion *> Regions, 356 const Expr *E, unsigned Count, 357 const LocationContext *LCtx, 358 InvalidatedSymbols &IS, 359 const CallEvent *Call, 360 InvalidatedRegions *Invalidated); 361 362 bool scanReachableSymbols(Store S, const MemRegion *R, 363 ScanReachableSymbols &Callbacks); 364 365 RegionBindingsRef removeSubRegionBindings(RegionBindingsConstRef B, 366 const SubRegion *R); 367 368 public: // Part of public interface to class. 369 370 virtual StoreRef Bind(Store store, Loc LV, SVal V) { 371 return StoreRef(bind(getRegionBindings(store), LV, V).asStore(), *this); 372 } 373 374 RegionBindingsRef bind(RegionBindingsConstRef B, Loc LV, SVal V); 375 376 // BindDefault is only used to initialize a region with a default value. 377 StoreRef BindDefault(Store store, const MemRegion *R, SVal V) { 378 RegionBindingsRef B = getRegionBindings(store); 379 assert(!B.lookup(R, BindingKey::Default)); 380 assert(!B.lookup(R, BindingKey::Direct)); 381 return StoreRef(B.addBinding(R, BindingKey::Default, V) 382 .asImmutableMap() 383 .getRootWithoutRetain(), *this); 384 } 385 386 /// \brief Create a new store that binds a value to a compound literal. 387 /// 388 /// \param ST The original store whose bindings are the basis for the new 389 /// store. 390 /// 391 /// \param CL The compound literal to bind (the binding key). 392 /// 393 /// \param LC The LocationContext for the binding. 394 /// 395 /// \param V The value to bind to the compound literal. 396 StoreRef bindCompoundLiteral(Store ST, 397 const CompoundLiteralExpr *CL, 398 const LocationContext *LC, SVal V); 399 400 /// BindStruct - Bind a compound value to a structure. 401 RegionBindingsRef bindStruct(RegionBindingsConstRef B, 402 const TypedValueRegion* R, SVal V); 403 404 /// BindVector - Bind a compound value to a vector. 405 RegionBindingsRef bindVector(RegionBindingsConstRef B, 406 const TypedValueRegion* R, SVal V); 407 408 RegionBindingsRef bindArray(RegionBindingsConstRef B, 409 const TypedValueRegion* R, 410 SVal V); 411 412 /// Clears out all bindings in the given region and assigns a new value 413 /// as a Default binding. 414 RegionBindingsRef bindAggregate(RegionBindingsConstRef B, 415 const TypedRegion *R, 416 SVal DefaultVal); 417 418 /// \brief Create a new store with the specified binding removed. 419 /// \param ST the original store, that is the basis for the new store. 420 /// \param L the location whose binding should be removed. 421 virtual StoreRef killBinding(Store ST, Loc L); 422 423 void incrementReferenceCount(Store store) { 424 getRegionBindings(store).manualRetain(); 425 } 426 427 /// If the StoreManager supports it, decrement the reference count of 428 /// the specified Store object. If the reference count hits 0, the memory 429 /// associated with the object is recycled. 430 void decrementReferenceCount(Store store) { 431 getRegionBindings(store).manualRelease(); 432 } 433 434 bool includedInBindings(Store store, const MemRegion *region) const; 435 436 /// \brief Return the value bound to specified location in a given state. 437 /// 438 /// The high level logic for this method is this: 439 /// getBinding (L) 440 /// if L has binding 441 /// return L's binding 442 /// else if L is in killset 443 /// return unknown 444 /// else 445 /// if L is on stack or heap 446 /// return undefined 447 /// else 448 /// return symbolic 449 virtual SVal getBinding(Store S, Loc L, QualType T) { 450 return getBinding(getRegionBindings(S), L, T); 451 } 452 453 SVal getBinding(RegionBindingsConstRef B, Loc L, QualType T = QualType()); 454 455 SVal getBindingForElement(RegionBindingsConstRef B, const ElementRegion *R); 456 457 SVal getBindingForField(RegionBindingsConstRef B, const FieldRegion *R); 458 459 SVal getBindingForObjCIvar(RegionBindingsConstRef B, const ObjCIvarRegion *R); 460 461 SVal getBindingForVar(RegionBindingsConstRef B, const VarRegion *R); 462 463 SVal getBindingForLazySymbol(const TypedValueRegion *R); 464 465 SVal getBindingForFieldOrElementCommon(RegionBindingsConstRef B, 466 const TypedValueRegion *R, 467 QualType Ty, 468 const MemRegion *superR); 469 470 SVal getLazyBinding(const MemRegion *LazyBindingRegion, 471 RegionBindingsRef LazyBinding); 472 473 /// Get bindings for the values in a struct and return a CompoundVal, used 474 /// when doing struct copy: 475 /// struct s x, y; 476 /// x = y; 477 /// y's value is retrieved by this method. 478 SVal getBindingForStruct(RegionBindingsConstRef B, const TypedValueRegion* R); 479 480 SVal getBindingForArray(RegionBindingsConstRef B, const TypedValueRegion* R); 481 482 /// Used to lazily generate derived symbols for bindings that are defined 483 /// implicitly by default bindings in a super region. 484 Optional<SVal> getBindingForDerivedDefaultValue(RegionBindingsConstRef B, 485 const MemRegion *superR, 486 const TypedValueRegion *R, 487 QualType Ty); 488 489 /// Get the state and region whose binding this region R corresponds to. 490 std::pair<Store, const MemRegion*> 491 getLazyBinding(RegionBindingsConstRef B, const MemRegion *R, 492 const MemRegion *originalRegion, 493 bool includeSuffix = false); 494 495 //===------------------------------------------------------------------===// 496 // State pruning. 497 //===------------------------------------------------------------------===// 498 499 /// removeDeadBindings - Scans the RegionStore of 'state' for dead values. 500 /// It returns a new Store with these values removed. 501 StoreRef removeDeadBindings(Store store, const StackFrameContext *LCtx, 502 SymbolReaper& SymReaper); 503 504 //===------------------------------------------------------------------===// 505 // Region "extents". 506 //===------------------------------------------------------------------===// 507 508 // FIXME: This method will soon be eliminated; see the note in Store.h. 509 DefinedOrUnknownSVal getSizeInElements(ProgramStateRef state, 510 const MemRegion* R, QualType EleTy); 511 512 //===------------------------------------------------------------------===// 513 // Utility methods. 514 //===------------------------------------------------------------------===// 515 516 RegionBindingsRef getRegionBindings(Store store) const { 517 return RegionBindingsRef(CBFactory, 518 static_cast<const RegionBindings::TreeTy*>(store), 519 RBFactory.getTreeFactory()); 520 } 521 522 void print(Store store, raw_ostream &Out, const char* nl, 523 const char *sep); 524 525 void iterBindings(Store store, BindingsHandler& f) { 526 RegionBindingsRef B = getRegionBindings(store); 527 for (RegionBindingsRef::iterator I = B.begin(), E = B.end(); I != E; ++I) { 528 const ClusterBindings &Cluster = I.getData(); 529 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 530 CI != CE; ++CI) { 531 const BindingKey &K = CI.getKey(); 532 if (!K.isDirect()) 533 continue; 534 if (const SubRegion *R = dyn_cast<SubRegion>(K.getRegion())) { 535 // FIXME: Possibly incorporate the offset? 536 if (!f.HandleBinding(*this, store, R, CI.getData())) 537 return; 538 } 539 } 540 } 541 } 542 }; 543 544 } // end anonymous namespace 545 546 //===----------------------------------------------------------------------===// 547 // RegionStore creation. 548 //===----------------------------------------------------------------------===// 549 550 StoreManager *ento::CreateRegionStoreManager(ProgramStateManager& StMgr) { 551 RegionStoreFeatures F = maximal_features_tag(); 552 return new RegionStoreManager(StMgr, F); 553 } 554 555 StoreManager * 556 ento::CreateFieldsOnlyRegionStoreManager(ProgramStateManager &StMgr) { 557 RegionStoreFeatures F = minimal_features_tag(); 558 F.enableFields(true); 559 return new RegionStoreManager(StMgr, F); 560 } 561 562 563 //===----------------------------------------------------------------------===// 564 // Region Cluster analysis. 565 //===----------------------------------------------------------------------===// 566 567 namespace { 568 template <typename DERIVED> 569 class ClusterAnalysis { 570 protected: 571 typedef llvm::DenseMap<const MemRegion *, const ClusterBindings *> ClusterMap; 572 typedef SmallVector<const MemRegion *, 10> WorkList; 573 574 llvm::SmallPtrSet<const ClusterBindings *, 16> Visited; 575 576 WorkList WL; 577 578 RegionStoreManager &RM; 579 ASTContext &Ctx; 580 SValBuilder &svalBuilder; 581 582 RegionBindingsRef B; 583 584 const bool includeGlobals; 585 586 const ClusterBindings *getCluster(const MemRegion *R) { 587 return B.lookup(R); 588 } 589 590 public: 591 ClusterAnalysis(RegionStoreManager &rm, ProgramStateManager &StateMgr, 592 RegionBindingsRef b, const bool includeGlobals) 593 : RM(rm), Ctx(StateMgr.getContext()), 594 svalBuilder(StateMgr.getSValBuilder()), 595 B(b), includeGlobals(includeGlobals) {} 596 597 RegionBindingsRef getRegionBindings() const { return B; } 598 599 bool isVisited(const MemRegion *R) { 600 return Visited.count(getCluster(R)); 601 } 602 603 void GenerateClusters() { 604 // Scan the entire set of bindings and record the region clusters. 605 for (RegionBindingsRef::iterator RI = B.begin(), RE = B.end(); 606 RI != RE; ++RI){ 607 const MemRegion *Base = RI.getKey(); 608 609 const ClusterBindings &Cluster = RI.getData(); 610 assert(!Cluster.isEmpty() && "Empty clusters should be removed"); 611 static_cast<DERIVED*>(this)->VisitAddedToCluster(Base, Cluster); 612 613 if (includeGlobals) 614 if (isa<NonStaticGlobalSpaceRegion>(Base->getMemorySpace())) 615 AddToWorkList(Base, &Cluster); 616 } 617 } 618 619 bool AddToWorkList(const MemRegion *R, const ClusterBindings *C) { 620 if (C && !Visited.insert(C)) 621 return false; 622 WL.push_back(R); 623 return true; 624 } 625 626 bool AddToWorkList(const MemRegion *R) { 627 const MemRegion *baseR = R->getBaseRegion(); 628 return AddToWorkList(baseR, getCluster(baseR)); 629 } 630 631 void RunWorkList() { 632 while (!WL.empty()) { 633 const MemRegion *baseR = WL.pop_back_val(); 634 635 // First visit the cluster. 636 if (const ClusterBindings *Cluster = getCluster(baseR)) 637 static_cast<DERIVED*>(this)->VisitCluster(baseR, *Cluster); 638 639 // Next, visit the base region. 640 static_cast<DERIVED*>(this)->VisitBaseRegion(baseR); 641 } 642 } 643 644 public: 645 void VisitAddedToCluster(const MemRegion *baseR, const ClusterBindings &C) {} 646 void VisitCluster(const MemRegion *baseR, const ClusterBindings &C) {} 647 void VisitBaseRegion(const MemRegion *baseR) {} 648 }; 649 } 650 651 //===----------------------------------------------------------------------===// 652 // Binding invalidation. 653 //===----------------------------------------------------------------------===// 654 655 bool RegionStoreManager::scanReachableSymbols(Store S, const MemRegion *R, 656 ScanReachableSymbols &Callbacks) { 657 assert(R == R->getBaseRegion() && "Should only be called for base regions"); 658 RegionBindingsRef B = getRegionBindings(S); 659 const ClusterBindings *Cluster = B.lookup(R); 660 661 if (!Cluster) 662 return true; 663 664 for (ClusterBindings::iterator RI = Cluster->begin(), RE = Cluster->end(); 665 RI != RE; ++RI) { 666 if (!Callbacks.scan(RI.getData())) 667 return false; 668 } 669 670 return true; 671 } 672 673 static inline bool isUnionField(const FieldRegion *FR) { 674 return FR->getDecl()->getParent()->isUnion(); 675 } 676 677 typedef SmallVector<const FieldDecl *, 8> FieldVector; 678 679 void getSymbolicOffsetFields(BindingKey K, FieldVector &Fields) { 680 assert(K.hasSymbolicOffset() && "Not implemented for concrete offset keys"); 681 682 const MemRegion *Base = K.getConcreteOffsetRegion(); 683 const MemRegion *R = K.getRegion(); 684 685 while (R != Base) { 686 if (const FieldRegion *FR = dyn_cast<FieldRegion>(R)) 687 if (!isUnionField(FR)) 688 Fields.push_back(FR->getDecl()); 689 690 R = cast<SubRegion>(R)->getSuperRegion(); 691 } 692 } 693 694 static bool isCompatibleWithFields(BindingKey K, const FieldVector &Fields) { 695 assert(K.hasSymbolicOffset() && "Not implemented for concrete offset keys"); 696 697 if (Fields.empty()) 698 return true; 699 700 FieldVector FieldsInBindingKey; 701 getSymbolicOffsetFields(K, FieldsInBindingKey); 702 703 ptrdiff_t Delta = FieldsInBindingKey.size() - Fields.size(); 704 if (Delta >= 0) 705 return std::equal(FieldsInBindingKey.begin() + Delta, 706 FieldsInBindingKey.end(), 707 Fields.begin()); 708 else 709 return std::equal(FieldsInBindingKey.begin(), FieldsInBindingKey.end(), 710 Fields.begin() - Delta); 711 } 712 713 RegionBindingsRef 714 RegionStoreManager::removeSubRegionBindings(RegionBindingsConstRef B, 715 const SubRegion *R) { 716 BindingKey SRKey = BindingKey::Make(R, BindingKey::Default); 717 const MemRegion *ClusterHead = SRKey.getBaseRegion(); 718 if (R == ClusterHead) { 719 // We can remove an entire cluster's bindings all in one go. 720 return B.remove(R); 721 } 722 723 FieldVector FieldsInSymbolicSubregions; 724 bool HasSymbolicOffset = SRKey.hasSymbolicOffset(); 725 if (HasSymbolicOffset) { 726 getSymbolicOffsetFields(SRKey, FieldsInSymbolicSubregions); 727 R = cast<SubRegion>(SRKey.getConcreteOffsetRegion()); 728 SRKey = BindingKey::Make(R, BindingKey::Default); 729 } 730 731 // This assumes the region being invalidated is char-aligned. This isn't 732 // true for bitfields, but since bitfields have no subregions they shouldn't 733 // be using this function anyway. 734 uint64_t Length = UINT64_MAX; 735 736 SVal Extent = R->getExtent(svalBuilder); 737 if (nonloc::ConcreteInt *ExtentCI = dyn_cast<nonloc::ConcreteInt>(&Extent)) { 738 const llvm::APSInt &ExtentInt = ExtentCI->getValue(); 739 assert(ExtentInt.isNonNegative() || ExtentInt.isUnsigned()); 740 // Extents are in bytes but region offsets are in bits. Be careful! 741 Length = ExtentInt.getLimitedValue() * Ctx.getCharWidth(); 742 } 743 744 const ClusterBindings *Cluster = B.lookup(ClusterHead); 745 if (!Cluster) 746 return B; 747 748 ClusterBindingsRef Result(*Cluster, CBFactory); 749 750 // It is safe to iterate over the bindings as they are being changed 751 // because they are in an ImmutableMap. 752 for (ClusterBindings::iterator I = Cluster->begin(), E = Cluster->end(); 753 I != E; ++I) { 754 BindingKey NextKey = I.getKey(); 755 if (NextKey.getRegion() == SRKey.getRegion()) { 756 // FIXME: This doesn't catch the case where we're really invalidating a 757 // region with a symbolic offset. Example: 758 // R: points[i].y 759 // Next: points[0].x 760 761 if (NextKey.getOffset() > SRKey.getOffset() && 762 NextKey.getOffset() - SRKey.getOffset() < Length) { 763 // Case 1: The next binding is inside the region we're invalidating. 764 // Remove it. 765 Result = Result.remove(NextKey); 766 767 } else if (NextKey.getOffset() == SRKey.getOffset()) { 768 // Case 2: The next binding is at the same offset as the region we're 769 // invalidating. In this case, we need to leave default bindings alone, 770 // since they may be providing a default value for a regions beyond what 771 // we're invalidating. 772 // FIXME: This is probably incorrect; consider invalidating an outer 773 // struct whose first field is bound to a LazyCompoundVal. 774 if (NextKey.isDirect()) 775 Result = Result.remove(NextKey); 776 } 777 778 } else if (NextKey.hasSymbolicOffset()) { 779 const MemRegion *Base = NextKey.getConcreteOffsetRegion(); 780 if (R->isSubRegionOf(Base)) { 781 // Case 3: The next key is symbolic and we just changed something within 782 // its concrete region. We don't know if the binding is still valid, so 783 // we'll be conservative and remove it. 784 if (NextKey.isDirect()) 785 if (isCompatibleWithFields(NextKey, FieldsInSymbolicSubregions)) 786 Result = Result.remove(NextKey); 787 } else if (const SubRegion *BaseSR = dyn_cast<SubRegion>(Base)) { 788 // Case 4: The next key is symbolic, but we changed a known 789 // super-region. In this case the binding is certainly no longer valid. 790 if (R == Base || BaseSR->isSubRegionOf(R)) 791 if (isCompatibleWithFields(NextKey, FieldsInSymbolicSubregions)) 792 Result = Result.remove(NextKey); 793 } 794 } 795 } 796 797 // If we're invalidating a region with a symbolic offset, we need to make sure 798 // we don't treat the base region as uninitialized anymore. 799 // FIXME: This isn't very precise; see the example in the loop. 800 if (HasSymbolicOffset) 801 Result = Result.add(SRKey, UnknownVal()); 802 803 if (Result.isEmpty()) 804 return B.remove(ClusterHead); 805 return B.add(ClusterHead, Result.asImmutableMap()); 806 } 807 808 namespace { 809 class invalidateRegionsWorker : public ClusterAnalysis<invalidateRegionsWorker> 810 { 811 const Expr *Ex; 812 unsigned Count; 813 const LocationContext *LCtx; 814 InvalidatedSymbols &IS; 815 StoreManager::InvalidatedRegions *Regions; 816 public: 817 invalidateRegionsWorker(RegionStoreManager &rm, 818 ProgramStateManager &stateMgr, 819 RegionBindingsRef b, 820 const Expr *ex, unsigned count, 821 const LocationContext *lctx, 822 InvalidatedSymbols &is, 823 StoreManager::InvalidatedRegions *r, 824 bool includeGlobals) 825 : ClusterAnalysis<invalidateRegionsWorker>(rm, stateMgr, b, includeGlobals), 826 Ex(ex), Count(count), LCtx(lctx), IS(is), Regions(r) {} 827 828 void VisitCluster(const MemRegion *baseR, const ClusterBindings &C); 829 void VisitBaseRegion(const MemRegion *baseR); 830 831 private: 832 void VisitBinding(SVal V); 833 }; 834 } 835 836 void invalidateRegionsWorker::VisitBinding(SVal V) { 837 // A symbol? Mark it touched by the invalidation. 838 if (SymbolRef Sym = V.getAsSymbol()) 839 IS.insert(Sym); 840 841 if (const MemRegion *R = V.getAsRegion()) { 842 AddToWorkList(R); 843 return; 844 } 845 846 // Is it a LazyCompoundVal? All references get invalidated as well. 847 if (const nonloc::LazyCompoundVal *LCS = 848 dyn_cast<nonloc::LazyCompoundVal>(&V)) { 849 850 const MemRegion *LazyR = LCS->getRegion(); 851 RegionBindingsRef B = RM.getRegionBindings(LCS->getStore()); 852 853 // FIXME: This should not have to walk all bindings in the old store. 854 for (RegionBindingsRef::iterator RI = B.begin(), RE = B.end(); RI != RE; ++RI){ 855 const ClusterBindings &Cluster = RI.getData(); 856 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 857 CI != CE; ++CI) { 858 BindingKey K = CI.getKey(); 859 if (const SubRegion *BaseR = dyn_cast<SubRegion>(K.getRegion())) { 860 if (BaseR == LazyR) 861 VisitBinding(CI.getData()); 862 else if (K.hasSymbolicOffset() && BaseR->isSubRegionOf(LazyR)) 863 VisitBinding(CI.getData()); 864 } 865 } 866 } 867 868 return; 869 } 870 } 871 872 void invalidateRegionsWorker::VisitCluster(const MemRegion *BaseR, 873 const ClusterBindings &C) { 874 for (ClusterBindings::iterator I = C.begin(), E = C.end(); I != E; ++I) 875 VisitBinding(I.getData()); 876 877 B = B.remove(BaseR); 878 } 879 880 void invalidateRegionsWorker::VisitBaseRegion(const MemRegion *baseR) { 881 // Symbolic region? Mark that symbol touched by the invalidation. 882 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(baseR)) 883 IS.insert(SR->getSymbol()); 884 885 // BlockDataRegion? If so, invalidate captured variables that are passed 886 // by reference. 887 if (const BlockDataRegion *BR = dyn_cast<BlockDataRegion>(baseR)) { 888 for (BlockDataRegion::referenced_vars_iterator 889 BI = BR->referenced_vars_begin(), BE = BR->referenced_vars_end() ; 890 BI != BE; ++BI) { 891 const VarRegion *VR = BI.getCapturedRegion(); 892 const VarDecl *VD = VR->getDecl(); 893 if (VD->getAttr<BlocksAttr>() || !VD->hasLocalStorage()) { 894 AddToWorkList(VR); 895 } 896 else if (Loc::isLocType(VR->getValueType())) { 897 // Map the current bindings to a Store to retrieve the value 898 // of the binding. If that binding itself is a region, we should 899 // invalidate that region. This is because a block may capture 900 // a pointer value, but the thing pointed by that pointer may 901 // get invalidated. 902 SVal V = RM.getBinding(B, loc::MemRegionVal(VR)); 903 if (const Loc *L = dyn_cast<Loc>(&V)) { 904 if (const MemRegion *LR = L->getAsRegion()) 905 AddToWorkList(LR); 906 } 907 } 908 } 909 return; 910 } 911 912 // Otherwise, we have a normal data region. Record that we touched the region. 913 if (Regions) 914 Regions->push_back(baseR); 915 916 if (isa<AllocaRegion>(baseR) || isa<SymbolicRegion>(baseR)) { 917 // Invalidate the region by setting its default value to 918 // conjured symbol. The type of the symbol is irrelavant. 919 DefinedOrUnknownSVal V = 920 svalBuilder.conjureSymbolVal(baseR, Ex, LCtx, Ctx.IntTy, Count); 921 B = B.addBinding(baseR, BindingKey::Default, V); 922 return; 923 } 924 925 if (!baseR->isBoundable()) 926 return; 927 928 const TypedValueRegion *TR = cast<TypedValueRegion>(baseR); 929 QualType T = TR->getValueType(); 930 931 // Invalidate the binding. 932 if (T->isStructureOrClassType()) { 933 // Invalidate the region by setting its default value to 934 // conjured symbol. The type of the symbol is irrelavant. 935 DefinedOrUnknownSVal V = svalBuilder.conjureSymbolVal(baseR, Ex, LCtx, 936 Ctx.IntTy, Count); 937 B = B.addBinding(baseR, BindingKey::Default, V); 938 return; 939 } 940 941 if (const ArrayType *AT = Ctx.getAsArrayType(T)) { 942 // Set the default value of the array to conjured symbol. 943 DefinedOrUnknownSVal V = 944 svalBuilder.conjureSymbolVal(baseR, Ex, LCtx, 945 AT->getElementType(), Count); 946 B = B.addBinding(baseR, BindingKey::Default, V); 947 return; 948 } 949 950 if (includeGlobals && 951 isa<NonStaticGlobalSpaceRegion>(baseR->getMemorySpace())) { 952 // If the region is a global and we are invalidating all globals, 953 // just erase the entry. This causes all globals to be lazily 954 // symbolicated from the same base symbol. 955 B = B.removeBinding(baseR); 956 return; 957 } 958 959 960 DefinedOrUnknownSVal V = svalBuilder.conjureSymbolVal(baseR, Ex, LCtx, 961 T,Count); 962 assert(SymbolManager::canSymbolicate(T) || V.isUnknown()); 963 B = B.addBinding(baseR, BindingKey::Direct, V); 964 } 965 966 RegionBindingsRef 967 RegionStoreManager::invalidateGlobalRegion(MemRegion::Kind K, 968 const Expr *Ex, 969 unsigned Count, 970 const LocationContext *LCtx, 971 RegionBindingsRef B, 972 InvalidatedRegions *Invalidated) { 973 // Bind the globals memory space to a new symbol that we will use to derive 974 // the bindings for all globals. 975 const GlobalsSpaceRegion *GS = MRMgr.getGlobalsRegion(K); 976 SVal V = svalBuilder.conjureSymbolVal(/* SymbolTag = */ (const void*) GS, Ex, LCtx, 977 /* type does not matter */ Ctx.IntTy, 978 Count); 979 980 B = B.removeBinding(GS) 981 .addBinding(BindingKey::Make(GS, BindingKey::Default), V); 982 983 // Even if there are no bindings in the global scope, we still need to 984 // record that we touched it. 985 if (Invalidated) 986 Invalidated->push_back(GS); 987 988 return B; 989 } 990 991 StoreRef 992 RegionStoreManager::invalidateRegions(Store store, 993 ArrayRef<const MemRegion *> Regions, 994 const Expr *Ex, unsigned Count, 995 const LocationContext *LCtx, 996 InvalidatedSymbols &IS, 997 const CallEvent *Call, 998 InvalidatedRegions *Invalidated) { 999 invalidateRegionsWorker W(*this, StateMgr, 1000 RegionStoreManager::getRegionBindings(store), 1001 Ex, Count, LCtx, IS, Invalidated, false); 1002 1003 // Scan the bindings and generate the clusters. 1004 W.GenerateClusters(); 1005 1006 // Add the regions to the worklist. 1007 for (ArrayRef<const MemRegion *>::iterator 1008 I = Regions.begin(), E = Regions.end(); I != E; ++I) 1009 W.AddToWorkList(*I); 1010 1011 W.RunWorkList(); 1012 1013 // Return the new bindings. 1014 RegionBindingsRef B = W.getRegionBindings(); 1015 1016 // For all globals which are not static nor immutable: determine which global 1017 // regions should be invalidated and invalidate them. 1018 // TODO: This could possibly be more precise with modules. 1019 // 1020 // System calls invalidate only system globals. 1021 if (Call && Call->isInSystemHeader()) { 1022 B = invalidateGlobalRegion(MemRegion::GlobalSystemSpaceRegionKind, 1023 Ex, Count, LCtx, B, Invalidated); 1024 // Internal calls might invalidate both system and internal globals. 1025 } else { 1026 B = invalidateGlobalRegion(MemRegion::GlobalSystemSpaceRegionKind, 1027 Ex, Count, LCtx, B, Invalidated); 1028 B = invalidateGlobalRegion(MemRegion::GlobalInternalSpaceRegionKind, 1029 Ex, Count, LCtx, B, Invalidated); 1030 } 1031 1032 return StoreRef(B.asStore(), *this); 1033 } 1034 1035 //===----------------------------------------------------------------------===// 1036 // Extents for regions. 1037 //===----------------------------------------------------------------------===// 1038 1039 DefinedOrUnknownSVal 1040 RegionStoreManager::getSizeInElements(ProgramStateRef state, 1041 const MemRegion *R, 1042 QualType EleTy) { 1043 SVal Size = cast<SubRegion>(R)->getExtent(svalBuilder); 1044 const llvm::APSInt *SizeInt = svalBuilder.getKnownValue(state, Size); 1045 if (!SizeInt) 1046 return UnknownVal(); 1047 1048 CharUnits RegionSize = CharUnits::fromQuantity(SizeInt->getSExtValue()); 1049 1050 if (Ctx.getAsVariableArrayType(EleTy)) { 1051 // FIXME: We need to track extra state to properly record the size 1052 // of VLAs. Returning UnknownVal here, however, is a stop-gap so that 1053 // we don't have a divide-by-zero below. 1054 return UnknownVal(); 1055 } 1056 1057 CharUnits EleSize = Ctx.getTypeSizeInChars(EleTy); 1058 1059 // If a variable is reinterpreted as a type that doesn't fit into a larger 1060 // type evenly, round it down. 1061 // This is a signed value, since it's used in arithmetic with signed indices. 1062 return svalBuilder.makeIntVal(RegionSize / EleSize, false); 1063 } 1064 1065 //===----------------------------------------------------------------------===// 1066 // Location and region casting. 1067 //===----------------------------------------------------------------------===// 1068 1069 /// ArrayToPointer - Emulates the "decay" of an array to a pointer 1070 /// type. 'Array' represents the lvalue of the array being decayed 1071 /// to a pointer, and the returned SVal represents the decayed 1072 /// version of that lvalue (i.e., a pointer to the first element of 1073 /// the array). This is called by ExprEngine when evaluating casts 1074 /// from arrays to pointers. 1075 SVal RegionStoreManager::ArrayToPointer(Loc Array) { 1076 if (!isa<loc::MemRegionVal>(Array)) 1077 return UnknownVal(); 1078 1079 const MemRegion* R = cast<loc::MemRegionVal>(&Array)->getRegion(); 1080 const TypedValueRegion* ArrayR = dyn_cast<TypedValueRegion>(R); 1081 1082 if (!ArrayR) 1083 return UnknownVal(); 1084 1085 // Strip off typedefs from the ArrayRegion's ValueType. 1086 QualType T = ArrayR->getValueType().getDesugaredType(Ctx); 1087 const ArrayType *AT = cast<ArrayType>(T); 1088 T = AT->getElementType(); 1089 1090 NonLoc ZeroIdx = svalBuilder.makeZeroArrayIndex(); 1091 return loc::MemRegionVal(MRMgr.getElementRegion(T, ZeroIdx, ArrayR, Ctx)); 1092 } 1093 1094 //===----------------------------------------------------------------------===// 1095 // Loading values from regions. 1096 //===----------------------------------------------------------------------===// 1097 1098 SVal RegionStoreManager::getBinding(RegionBindingsConstRef B, Loc L, QualType T) { 1099 assert(!isa<UnknownVal>(L) && "location unknown"); 1100 assert(!isa<UndefinedVal>(L) && "location undefined"); 1101 1102 // For access to concrete addresses, return UnknownVal. Checks 1103 // for null dereferences (and similar errors) are done by checkers, not 1104 // the Store. 1105 // FIXME: We can consider lazily symbolicating such memory, but we really 1106 // should defer this when we can reason easily about symbolicating arrays 1107 // of bytes. 1108 if (isa<loc::ConcreteInt>(L)) { 1109 return UnknownVal(); 1110 } 1111 if (!isa<loc::MemRegionVal>(L)) { 1112 return UnknownVal(); 1113 } 1114 1115 const MemRegion *MR = cast<loc::MemRegionVal>(L).getRegion(); 1116 1117 if (isa<AllocaRegion>(MR) || 1118 isa<SymbolicRegion>(MR) || 1119 isa<CodeTextRegion>(MR)) { 1120 if (T.isNull()) { 1121 if (const TypedRegion *TR = dyn_cast<TypedRegion>(MR)) 1122 T = TR->getLocationType(); 1123 else { 1124 const SymbolicRegion *SR = cast<SymbolicRegion>(MR); 1125 T = SR->getSymbol()->getType(); 1126 } 1127 } 1128 MR = GetElementZeroRegion(MR, T); 1129 } 1130 1131 // FIXME: Perhaps this method should just take a 'const MemRegion*' argument 1132 // instead of 'Loc', and have the other Loc cases handled at a higher level. 1133 const TypedValueRegion *R = cast<TypedValueRegion>(MR); 1134 QualType RTy = R->getValueType(); 1135 1136 // FIXME: we do not yet model the parts of a complex type, so treat the 1137 // whole thing as "unknown". 1138 if (RTy->isAnyComplexType()) 1139 return UnknownVal(); 1140 1141 // FIXME: We should eventually handle funny addressing. e.g.: 1142 // 1143 // int x = ...; 1144 // int *p = &x; 1145 // char *q = (char*) p; 1146 // char c = *q; // returns the first byte of 'x'. 1147 // 1148 // Such funny addressing will occur due to layering of regions. 1149 if (RTy->isStructureOrClassType()) 1150 return getBindingForStruct(B, R); 1151 1152 // FIXME: Handle unions. 1153 if (RTy->isUnionType()) 1154 return UnknownVal(); 1155 1156 if (RTy->isArrayType()) { 1157 if (RTy->isConstantArrayType()) 1158 return getBindingForArray(B, R); 1159 else 1160 return UnknownVal(); 1161 } 1162 1163 // FIXME: handle Vector types. 1164 if (RTy->isVectorType()) 1165 return UnknownVal(); 1166 1167 if (const FieldRegion* FR = dyn_cast<FieldRegion>(R)) 1168 return CastRetrievedVal(getBindingForField(B, FR), FR, T, false); 1169 1170 if (const ElementRegion* ER = dyn_cast<ElementRegion>(R)) { 1171 // FIXME: Here we actually perform an implicit conversion from the loaded 1172 // value to the element type. Eventually we want to compose these values 1173 // more intelligently. For example, an 'element' can encompass multiple 1174 // bound regions (e.g., several bound bytes), or could be a subset of 1175 // a larger value. 1176 return CastRetrievedVal(getBindingForElement(B, ER), ER, T, false); 1177 } 1178 1179 if (const ObjCIvarRegion *IVR = dyn_cast<ObjCIvarRegion>(R)) { 1180 // FIXME: Here we actually perform an implicit conversion from the loaded 1181 // value to the ivar type. What we should model is stores to ivars 1182 // that blow past the extent of the ivar. If the address of the ivar is 1183 // reinterpretted, it is possible we stored a different value that could 1184 // fit within the ivar. Either we need to cast these when storing them 1185 // or reinterpret them lazily (as we do here). 1186 return CastRetrievedVal(getBindingForObjCIvar(B, IVR), IVR, T, false); 1187 } 1188 1189 if (const VarRegion *VR = dyn_cast<VarRegion>(R)) { 1190 // FIXME: Here we actually perform an implicit conversion from the loaded 1191 // value to the variable type. What we should model is stores to variables 1192 // that blow past the extent of the variable. If the address of the 1193 // variable is reinterpretted, it is possible we stored a different value 1194 // that could fit within the variable. Either we need to cast these when 1195 // storing them or reinterpret them lazily (as we do here). 1196 return CastRetrievedVal(getBindingForVar(B, VR), VR, T, false); 1197 } 1198 1199 const SVal *V = B.lookup(R, BindingKey::Direct); 1200 1201 // Check if the region has a binding. 1202 if (V) 1203 return *V; 1204 1205 // The location does not have a bound value. This means that it has 1206 // the value it had upon its creation and/or entry to the analyzed 1207 // function/method. These are either symbolic values or 'undefined'. 1208 if (R->hasStackNonParametersStorage()) { 1209 // All stack variables are considered to have undefined values 1210 // upon creation. All heap allocated blocks are considered to 1211 // have undefined values as well unless they are explicitly bound 1212 // to specific values. 1213 return UndefinedVal(); 1214 } 1215 1216 // All other values are symbolic. 1217 return svalBuilder.getRegionValueSymbolVal(R); 1218 } 1219 1220 std::pair<Store, const MemRegion *> 1221 RegionStoreManager::getLazyBinding(RegionBindingsConstRef B, 1222 const MemRegion *R, 1223 const MemRegion *originalRegion, 1224 bool includeSuffix) { 1225 1226 if (originalRegion != R) { 1227 if (Optional<SVal> OV = B.getDefaultBinding(R)) { 1228 if (const nonloc::LazyCompoundVal *V = 1229 dyn_cast<nonloc::LazyCompoundVal>(OV.getPointer())) 1230 return std::make_pair(V->getStore(), V->getRegion()); 1231 } 1232 } 1233 1234 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) { 1235 const std::pair<Store, const MemRegion *> &X = 1236 getLazyBinding(B, ER->getSuperRegion(), originalRegion); 1237 1238 if (X.second) 1239 return std::make_pair(X.first, 1240 MRMgr.getElementRegionWithSuper(ER, X.second)); 1241 } 1242 else if (const FieldRegion *FR = dyn_cast<FieldRegion>(R)) { 1243 const std::pair<Store, const MemRegion *> &X = 1244 getLazyBinding(B, FR->getSuperRegion(), originalRegion); 1245 1246 if (X.second) { 1247 if (includeSuffix) 1248 return std::make_pair(X.first, 1249 MRMgr.getFieldRegionWithSuper(FR, X.second)); 1250 return X; 1251 } 1252 1253 } 1254 // C++ base object region is another kind of region that we should blast 1255 // through to look for lazy compound value. It is like a field region. 1256 else if (const CXXBaseObjectRegion *baseReg = 1257 dyn_cast<CXXBaseObjectRegion>(R)) { 1258 const std::pair<Store, const MemRegion *> &X = 1259 getLazyBinding(B, baseReg->getSuperRegion(), originalRegion); 1260 1261 if (X.second) { 1262 if (includeSuffix) 1263 return std::make_pair(X.first, 1264 MRMgr.getCXXBaseObjectRegionWithSuper(baseReg, 1265 X.second)); 1266 return X; 1267 } 1268 } 1269 1270 // The NULL MemRegion indicates an non-existent lazy binding. A NULL Store is 1271 // possible for a valid lazy binding. 1272 return std::make_pair((Store) 0, (const MemRegion *) 0); 1273 } 1274 1275 SVal RegionStoreManager::getBindingForElement(RegionBindingsConstRef B, 1276 const ElementRegion* R) { 1277 // We do not currently model bindings of the CompoundLiteralregion. 1278 if (isa<CompoundLiteralRegion>(R->getBaseRegion())) 1279 return UnknownVal(); 1280 1281 // Check if the region has a binding. 1282 if (const Optional<SVal> &V = B.getDirectBinding(R)) 1283 return *V; 1284 1285 const MemRegion* superR = R->getSuperRegion(); 1286 1287 // Check if the region is an element region of a string literal. 1288 if (const StringRegion *StrR=dyn_cast<StringRegion>(superR)) { 1289 // FIXME: Handle loads from strings where the literal is treated as 1290 // an integer, e.g., *((unsigned int*)"hello") 1291 QualType T = Ctx.getAsArrayType(StrR->getValueType())->getElementType(); 1292 if (T != Ctx.getCanonicalType(R->getElementType())) 1293 return UnknownVal(); 1294 1295 const StringLiteral *Str = StrR->getStringLiteral(); 1296 SVal Idx = R->getIndex(); 1297 if (nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(&Idx)) { 1298 int64_t i = CI->getValue().getSExtValue(); 1299 // Abort on string underrun. This can be possible by arbitrary 1300 // clients of getBindingForElement(). 1301 if (i < 0) 1302 return UndefinedVal(); 1303 int64_t length = Str->getLength(); 1304 // Technically, only i == length is guaranteed to be null. 1305 // However, such overflows should be caught before reaching this point; 1306 // the only time such an access would be made is if a string literal was 1307 // used to initialize a larger array. 1308 char c = (i >= length) ? '\0' : Str->getCodeUnit(i); 1309 return svalBuilder.makeIntVal(c, T); 1310 } 1311 } 1312 1313 // Check for loads from a code text region. For such loads, just give up. 1314 if (isa<CodeTextRegion>(superR)) 1315 return UnknownVal(); 1316 1317 // Handle the case where we are indexing into a larger scalar object. 1318 // For example, this handles: 1319 // int x = ... 1320 // char *y = &x; 1321 // return *y; 1322 // FIXME: This is a hack, and doesn't do anything really intelligent yet. 1323 const RegionRawOffset &O = R->getAsArrayOffset(); 1324 1325 // If we cannot reason about the offset, return an unknown value. 1326 if (!O.getRegion()) 1327 return UnknownVal(); 1328 1329 if (const TypedValueRegion *baseR = 1330 dyn_cast_or_null<TypedValueRegion>(O.getRegion())) { 1331 QualType baseT = baseR->getValueType(); 1332 if (baseT->isScalarType()) { 1333 QualType elemT = R->getElementType(); 1334 if (elemT->isScalarType()) { 1335 if (Ctx.getTypeSizeInChars(baseT) >= Ctx.getTypeSizeInChars(elemT)) { 1336 if (const Optional<SVal> &V = B.getDirectBinding(superR)) { 1337 if (SymbolRef parentSym = V->getAsSymbol()) 1338 return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R); 1339 1340 if (V->isUnknownOrUndef()) 1341 return *V; 1342 // Other cases: give up. We are indexing into a larger object 1343 // that has some value, but we don't know how to handle that yet. 1344 return UnknownVal(); 1345 } 1346 } 1347 } 1348 } 1349 } 1350 return getBindingForFieldOrElementCommon(B, R, R->getElementType(), 1351 superR); 1352 } 1353 1354 SVal RegionStoreManager::getBindingForField(RegionBindingsConstRef B, 1355 const FieldRegion* R) { 1356 1357 // Check if the region has a binding. 1358 if (const Optional<SVal> &V = B.getDirectBinding(R)) 1359 return *V; 1360 1361 QualType Ty = R->getValueType(); 1362 return getBindingForFieldOrElementCommon(B, R, Ty, R->getSuperRegion()); 1363 } 1364 1365 Optional<SVal> 1366 RegionStoreManager::getBindingForDerivedDefaultValue(RegionBindingsConstRef B, 1367 const MemRegion *superR, 1368 const TypedValueRegion *R, 1369 QualType Ty) { 1370 1371 if (const Optional<SVal> &D = B.getDefaultBinding(superR)) { 1372 const SVal &val = D.getValue(); 1373 if (SymbolRef parentSym = val.getAsSymbol()) 1374 return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R); 1375 1376 if (val.isZeroConstant()) 1377 return svalBuilder.makeZeroVal(Ty); 1378 1379 if (val.isUnknownOrUndef()) 1380 return val; 1381 1382 // Lazy bindings are handled later. 1383 if (isa<nonloc::LazyCompoundVal>(val)) 1384 return Optional<SVal>(); 1385 1386 llvm_unreachable("Unknown default value"); 1387 } 1388 1389 return Optional<SVal>(); 1390 } 1391 1392 SVal RegionStoreManager::getLazyBinding(const MemRegion *LazyBindingRegion, 1393 RegionBindingsRef LazyBinding) { 1394 if (const ElementRegion *ER = dyn_cast<ElementRegion>(LazyBindingRegion)) 1395 return getBindingForElement(LazyBinding, ER); 1396 return getBindingForField(LazyBinding, cast<FieldRegion>(LazyBindingRegion)); 1397 } 1398 1399 SVal 1400 RegionStoreManager::getBindingForFieldOrElementCommon(RegionBindingsConstRef B, 1401 const TypedValueRegion *R, 1402 QualType Ty, 1403 const MemRegion *superR) { 1404 1405 // At this point we have already checked in either getBindingForElement or 1406 // getBindingForField if 'R' has a direct binding. 1407 1408 // Lazy binding? 1409 Store lazyBindingStore = NULL; 1410 const MemRegion *lazyBindingRegion = NULL; 1411 llvm::tie(lazyBindingStore, lazyBindingRegion) = getLazyBinding(B, R, R, 1412 true); 1413 if (lazyBindingRegion) 1414 return getLazyBinding(lazyBindingRegion, 1415 getRegionBindings(lazyBindingStore)); 1416 1417 // Record whether or not we see a symbolic index. That can completely 1418 // be out of scope of our lookup. 1419 bool hasSymbolicIndex = false; 1420 1421 while (superR) { 1422 if (const Optional<SVal> &D = 1423 getBindingForDerivedDefaultValue(B, superR, R, Ty)) 1424 return *D; 1425 1426 if (const ElementRegion *ER = dyn_cast<ElementRegion>(superR)) { 1427 NonLoc index = ER->getIndex(); 1428 if (!index.isConstant()) 1429 hasSymbolicIndex = true; 1430 } 1431 1432 // If our super region is a field or element itself, walk up the region 1433 // hierarchy to see if there is a default value installed in an ancestor. 1434 if (const SubRegion *SR = dyn_cast<SubRegion>(superR)) { 1435 superR = SR->getSuperRegion(); 1436 continue; 1437 } 1438 break; 1439 } 1440 1441 if (R->hasStackNonParametersStorage()) { 1442 if (isa<ElementRegion>(R)) { 1443 // Currently we don't reason specially about Clang-style vectors. Check 1444 // if superR is a vector and if so return Unknown. 1445 if (const TypedValueRegion *typedSuperR = 1446 dyn_cast<TypedValueRegion>(superR)) { 1447 if (typedSuperR->getValueType()->isVectorType()) 1448 return UnknownVal(); 1449 } 1450 } 1451 1452 // FIXME: We also need to take ElementRegions with symbolic indexes into 1453 // account. This case handles both directly accessing an ElementRegion 1454 // with a symbolic offset, but also fields within an element with 1455 // a symbolic offset. 1456 if (hasSymbolicIndex) 1457 return UnknownVal(); 1458 1459 return UndefinedVal(); 1460 } 1461 1462 // All other values are symbolic. 1463 return svalBuilder.getRegionValueSymbolVal(R); 1464 } 1465 1466 SVal RegionStoreManager::getBindingForObjCIvar(RegionBindingsConstRef B, 1467 const ObjCIvarRegion* R) { 1468 // Check if the region has a binding. 1469 if (const Optional<SVal> &V = B.getDirectBinding(R)) 1470 return *V; 1471 1472 const MemRegion *superR = R->getSuperRegion(); 1473 1474 // Check if the super region has a default binding. 1475 if (const Optional<SVal> &V = B.getDefaultBinding(superR)) { 1476 if (SymbolRef parentSym = V->getAsSymbol()) 1477 return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R); 1478 1479 // Other cases: give up. 1480 return UnknownVal(); 1481 } 1482 1483 return getBindingForLazySymbol(R); 1484 } 1485 1486 SVal RegionStoreManager::getBindingForVar(RegionBindingsConstRef B, 1487 const VarRegion *R) { 1488 1489 // Check if the region has a binding. 1490 if (const Optional<SVal> &V = B.getDirectBinding(R)) 1491 return *V; 1492 1493 // Lazily derive a value for the VarRegion. 1494 const VarDecl *VD = R->getDecl(); 1495 QualType T = VD->getType(); 1496 const MemSpaceRegion *MS = R->getMemorySpace(); 1497 1498 if (isa<UnknownSpaceRegion>(MS) || 1499 isa<StackArgumentsSpaceRegion>(MS)) 1500 return svalBuilder.getRegionValueSymbolVal(R); 1501 1502 if (isa<GlobalsSpaceRegion>(MS)) { 1503 if (isa<NonStaticGlobalSpaceRegion>(MS)) { 1504 // Is 'VD' declared constant? If so, retrieve the constant value. 1505 QualType CT = Ctx.getCanonicalType(T); 1506 if (CT.isConstQualified()) { 1507 const Expr *Init = VD->getInit(); 1508 // Do the null check first, as we want to call 'IgnoreParenCasts'. 1509 if (Init) 1510 if (const IntegerLiteral *IL = 1511 dyn_cast<IntegerLiteral>(Init->IgnoreParenCasts())) { 1512 const nonloc::ConcreteInt &V = svalBuilder.makeIntVal(IL); 1513 return svalBuilder.evalCast(V, Init->getType(), IL->getType()); 1514 } 1515 } 1516 1517 if (const Optional<SVal> &V 1518 = getBindingForDerivedDefaultValue(B, MS, R, CT)) 1519 return V.getValue(); 1520 1521 return svalBuilder.getRegionValueSymbolVal(R); 1522 } 1523 1524 if (T->isIntegerType()) 1525 return svalBuilder.makeIntVal(0, T); 1526 if (T->isPointerType()) 1527 return svalBuilder.makeNull(); 1528 1529 return UnknownVal(); 1530 } 1531 1532 return UndefinedVal(); 1533 } 1534 1535 SVal RegionStoreManager::getBindingForLazySymbol(const TypedValueRegion *R) { 1536 // All other values are symbolic. 1537 return svalBuilder.getRegionValueSymbolVal(R); 1538 } 1539 1540 static bool mayHaveLazyBinding(QualType Ty) { 1541 return Ty->isArrayType() || Ty->isStructureOrClassType(); 1542 } 1543 1544 SVal RegionStoreManager::getBindingForStruct(RegionBindingsConstRef B, 1545 const TypedValueRegion* R) { 1546 const RecordDecl *RD = R->getValueType()->castAs<RecordType>()->getDecl(); 1547 if (RD->field_empty()) 1548 return UnknownVal(); 1549 1550 // If we already have a lazy binding, don't create a new one, 1551 // unless the first field might have a lazy binding of its own. 1552 // (Right now we can't tell the difference.) 1553 QualType FirstFieldType = RD->field_begin()->getType(); 1554 if (!mayHaveLazyBinding(FirstFieldType)) { 1555 BindingKey K = BindingKey::Make(R, BindingKey::Default); 1556 if (const nonloc::LazyCompoundVal *V = 1557 dyn_cast_or_null<nonloc::LazyCompoundVal>(B.lookup(K))) { 1558 return *V; 1559 } 1560 } 1561 1562 return svalBuilder.makeLazyCompoundVal(StoreRef(B.asStore(), *this), R); 1563 } 1564 1565 SVal RegionStoreManager::getBindingForArray(RegionBindingsConstRef B, 1566 const TypedValueRegion * R) { 1567 const ConstantArrayType *Ty = Ctx.getAsConstantArrayType(R->getValueType()); 1568 assert(Ty && "Only constant array types can have compound bindings."); 1569 1570 // If we already have a lazy binding, don't create a new one, 1571 // unless the first element might have a lazy binding of its own. 1572 // (Right now we can't tell the difference.) 1573 if (!mayHaveLazyBinding(Ty->getElementType())) { 1574 BindingKey K = BindingKey::Make(R, BindingKey::Default); 1575 if (const nonloc::LazyCompoundVal *V = 1576 dyn_cast_or_null<nonloc::LazyCompoundVal>(B.lookup(K))) { 1577 return *V; 1578 } 1579 } 1580 1581 return svalBuilder.makeLazyCompoundVal(StoreRef(B.asStore(), *this), R); 1582 } 1583 1584 bool RegionStoreManager::includedInBindings(Store store, 1585 const MemRegion *region) const { 1586 RegionBindingsRef B = getRegionBindings(store); 1587 region = region->getBaseRegion(); 1588 1589 // Quick path: if the base is the head of a cluster, the region is live. 1590 if (B.lookup(region)) 1591 return true; 1592 1593 // Slow path: if the region is the VALUE of any binding, it is live. 1594 for (RegionBindingsRef::iterator RI = B.begin(), RE = B.end(); RI != RE; ++RI) { 1595 const ClusterBindings &Cluster = RI.getData(); 1596 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 1597 CI != CE; ++CI) { 1598 const SVal &D = CI.getData(); 1599 if (const MemRegion *R = D.getAsRegion()) 1600 if (R->getBaseRegion() == region) 1601 return true; 1602 } 1603 } 1604 1605 return false; 1606 } 1607 1608 //===----------------------------------------------------------------------===// 1609 // Binding values to regions. 1610 //===----------------------------------------------------------------------===// 1611 1612 StoreRef RegionStoreManager::killBinding(Store ST, Loc L) { 1613 if (isa<loc::MemRegionVal>(L)) 1614 if (const MemRegion* R = cast<loc::MemRegionVal>(L).getRegion()) 1615 return StoreRef(getRegionBindings(ST).removeBinding(R) 1616 .asImmutableMap() 1617 .getRootWithoutRetain(), 1618 *this); 1619 1620 return StoreRef(ST, *this); 1621 } 1622 1623 RegionBindingsRef 1624 RegionStoreManager::bind(RegionBindingsConstRef B, Loc L, SVal V) { 1625 if (isa<loc::ConcreteInt>(L)) 1626 return B; 1627 1628 // If we get here, the location should be a region. 1629 const MemRegion *R = cast<loc::MemRegionVal>(L).getRegion(); 1630 1631 // Check if the region is a struct region. 1632 if (const TypedValueRegion* TR = dyn_cast<TypedValueRegion>(R)) { 1633 QualType Ty = TR->getValueType(); 1634 if (Ty->isArrayType()) 1635 return bindArray(B, TR, V); 1636 if (Ty->isStructureOrClassType()) 1637 return bindStruct(B, TR, V); 1638 if (Ty->isVectorType()) 1639 return bindVector(B, TR, V); 1640 } 1641 1642 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) { 1643 // Binding directly to a symbolic region should be treated as binding 1644 // to element 0. 1645 QualType T = SR->getSymbol()->getType(); 1646 if (T->isAnyPointerType() || T->isReferenceType()) 1647 T = T->getPointeeType(); 1648 1649 R = GetElementZeroRegion(SR, T); 1650 } 1651 1652 // Clear out bindings that may overlap with this binding. 1653 RegionBindingsRef NewB = removeSubRegionBindings(B, cast<SubRegion>(R)); 1654 return NewB.addBinding(BindingKey::Make(R, BindingKey::Direct), V); 1655 } 1656 1657 // FIXME: this method should be merged into Bind(). 1658 StoreRef RegionStoreManager::bindCompoundLiteral(Store ST, 1659 const CompoundLiteralExpr *CL, 1660 const LocationContext *LC, 1661 SVal V) { 1662 return Bind(ST, loc::MemRegionVal(MRMgr.getCompoundLiteralRegion(CL, LC)), V); 1663 } 1664 1665 RegionBindingsRef 1666 RegionStoreManager::setImplicitDefaultValue(RegionBindingsConstRef B, 1667 const MemRegion *R, 1668 QualType T) { 1669 SVal V; 1670 1671 if (Loc::isLocType(T)) 1672 V = svalBuilder.makeNull(); 1673 else if (T->isIntegerType()) 1674 V = svalBuilder.makeZeroVal(T); 1675 else if (T->isStructureOrClassType() || T->isArrayType()) { 1676 // Set the default value to a zero constant when it is a structure 1677 // or array. The type doesn't really matter. 1678 V = svalBuilder.makeZeroVal(Ctx.IntTy); 1679 } 1680 else { 1681 // We can't represent values of this type, but we still need to set a value 1682 // to record that the region has been initialized. 1683 // If this assertion ever fires, a new case should be added above -- we 1684 // should know how to default-initialize any value we can symbolicate. 1685 assert(!SymbolManager::canSymbolicate(T) && "This type is representable"); 1686 V = UnknownVal(); 1687 } 1688 1689 return B.addBinding(R, BindingKey::Default, V); 1690 } 1691 1692 RegionBindingsRef 1693 RegionStoreManager::bindArray(RegionBindingsConstRef B, 1694 const TypedValueRegion* R, 1695 SVal Init) { 1696 1697 const ArrayType *AT =cast<ArrayType>(Ctx.getCanonicalType(R->getValueType())); 1698 QualType ElementTy = AT->getElementType(); 1699 Optional<uint64_t> Size; 1700 1701 if (const ConstantArrayType* CAT = dyn_cast<ConstantArrayType>(AT)) 1702 Size = CAT->getSize().getZExtValue(); 1703 1704 // Check if the init expr is a string literal. 1705 if (loc::MemRegionVal *MRV = dyn_cast<loc::MemRegionVal>(&Init)) { 1706 const StringRegion *S = cast<StringRegion>(MRV->getRegion()); 1707 1708 // Treat the string as a lazy compound value. 1709 StoreRef store(B.asStore(), *this); 1710 nonloc::LazyCompoundVal LCV = 1711 cast<nonloc::LazyCompoundVal>(svalBuilder.makeLazyCompoundVal(store, S)); 1712 return bindAggregate(B, R, LCV); 1713 } 1714 1715 // Handle lazy compound values. 1716 if (isa<nonloc::LazyCompoundVal>(Init)) 1717 return bindAggregate(B, R, Init); 1718 1719 // Remaining case: explicit compound values. 1720 1721 if (Init.isUnknown()) 1722 return setImplicitDefaultValue(B, R, ElementTy); 1723 1724 nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(Init); 1725 nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end(); 1726 uint64_t i = 0; 1727 1728 RegionBindingsRef NewB(B); 1729 1730 for (; Size.hasValue() ? i < Size.getValue() : true ; ++i, ++VI) { 1731 // The init list might be shorter than the array length. 1732 if (VI == VE) 1733 break; 1734 1735 const NonLoc &Idx = svalBuilder.makeArrayIndex(i); 1736 const ElementRegion *ER = MRMgr.getElementRegion(ElementTy, Idx, R, Ctx); 1737 1738 if (ElementTy->isStructureOrClassType()) 1739 NewB = bindStruct(NewB, ER, *VI); 1740 else if (ElementTy->isArrayType()) 1741 NewB = bindArray(NewB, ER, *VI); 1742 else 1743 NewB = bind(NewB, svalBuilder.makeLoc(ER), *VI); 1744 } 1745 1746 // If the init list is shorter than the array length, set the 1747 // array default value. 1748 if (Size.hasValue() && i < Size.getValue()) 1749 NewB = setImplicitDefaultValue(NewB, R, ElementTy); 1750 1751 return NewB; 1752 } 1753 1754 RegionBindingsRef RegionStoreManager::bindVector(RegionBindingsConstRef B, 1755 const TypedValueRegion* R, 1756 SVal V) { 1757 QualType T = R->getValueType(); 1758 assert(T->isVectorType()); 1759 const VectorType *VT = T->getAs<VectorType>(); // Use getAs for typedefs. 1760 1761 // Handle lazy compound values and symbolic values. 1762 if (isa<nonloc::LazyCompoundVal>(V) || isa<nonloc::SymbolVal>(V)) 1763 return bindAggregate(B, R, V); 1764 1765 // We may get non-CompoundVal accidentally due to imprecise cast logic or 1766 // that we are binding symbolic struct value. Kill the field values, and if 1767 // the value is symbolic go and bind it as a "default" binding. 1768 if (!isa<nonloc::CompoundVal>(V)) { 1769 return bindAggregate(B, R, UnknownVal()); 1770 } 1771 1772 QualType ElemType = VT->getElementType(); 1773 nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(V); 1774 nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end(); 1775 unsigned index = 0, numElements = VT->getNumElements(); 1776 RegionBindingsRef NewB(B); 1777 1778 for ( ; index != numElements ; ++index) { 1779 if (VI == VE) 1780 break; 1781 1782 NonLoc Idx = svalBuilder.makeArrayIndex(index); 1783 const ElementRegion *ER = MRMgr.getElementRegion(ElemType, Idx, R, Ctx); 1784 1785 if (ElemType->isArrayType()) 1786 NewB = bindArray(NewB, ER, *VI); 1787 else if (ElemType->isStructureOrClassType()) 1788 NewB = bindStruct(NewB, ER, *VI); 1789 else 1790 NewB = bind(NewB, svalBuilder.makeLoc(ER), *VI); 1791 } 1792 return NewB; 1793 } 1794 1795 RegionBindingsRef RegionStoreManager::bindStruct(RegionBindingsConstRef B, 1796 const TypedValueRegion* R, 1797 SVal V) { 1798 if (!Features.supportsFields()) 1799 return B; 1800 1801 QualType T = R->getValueType(); 1802 assert(T->isStructureOrClassType()); 1803 1804 const RecordType* RT = T->getAs<RecordType>(); 1805 RecordDecl *RD = RT->getDecl(); 1806 1807 if (!RD->isCompleteDefinition()) 1808 return B; 1809 1810 // Handle lazy compound values and symbolic values. 1811 if (isa<nonloc::LazyCompoundVal>(V) || isa<nonloc::SymbolVal>(V)) 1812 return bindAggregate(B, R, V); 1813 1814 // We may get non-CompoundVal accidentally due to imprecise cast logic or 1815 // that we are binding symbolic struct value. Kill the field values, and if 1816 // the value is symbolic go and bind it as a "default" binding. 1817 if (V.isUnknown() || !isa<nonloc::CompoundVal>(V)) 1818 return bindAggregate(B, R, UnknownVal()); 1819 1820 nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(V); 1821 nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end(); 1822 1823 RecordDecl::field_iterator FI, FE; 1824 RegionBindingsRef NewB(B); 1825 1826 for (FI = RD->field_begin(), FE = RD->field_end(); FI != FE; ++FI) { 1827 1828 if (VI == VE) 1829 break; 1830 1831 // Skip any unnamed bitfields to stay in sync with the initializers. 1832 if (FI->isUnnamedBitfield()) 1833 continue; 1834 1835 QualType FTy = FI->getType(); 1836 const FieldRegion* FR = MRMgr.getFieldRegion(*FI, R); 1837 1838 if (FTy->isArrayType()) 1839 NewB = bindArray(NewB, FR, *VI); 1840 else if (FTy->isStructureOrClassType()) 1841 NewB = bindStruct(NewB, FR, *VI); 1842 else 1843 NewB = bind(NewB, svalBuilder.makeLoc(FR), *VI); 1844 ++VI; 1845 } 1846 1847 // There may be fewer values in the initialize list than the fields of struct. 1848 if (FI != FE) { 1849 NewB = NewB.addBinding(R, BindingKey::Default, 1850 svalBuilder.makeIntVal(0, false)); 1851 } 1852 1853 return NewB; 1854 } 1855 1856 RegionBindingsRef 1857 RegionStoreManager::bindAggregate(RegionBindingsConstRef B, 1858 const TypedRegion *R, 1859 SVal Val) { 1860 // Remove the old bindings, using 'R' as the root of all regions 1861 // we will invalidate. Then add the new binding. 1862 return removeSubRegionBindings(B, R).addBinding(R, BindingKey::Default, Val); 1863 } 1864 1865 //===----------------------------------------------------------------------===// 1866 // State pruning. 1867 //===----------------------------------------------------------------------===// 1868 1869 namespace { 1870 class removeDeadBindingsWorker : 1871 public ClusterAnalysis<removeDeadBindingsWorker> { 1872 SmallVector<const SymbolicRegion*, 12> Postponed; 1873 SymbolReaper &SymReaper; 1874 const StackFrameContext *CurrentLCtx; 1875 1876 public: 1877 removeDeadBindingsWorker(RegionStoreManager &rm, 1878 ProgramStateManager &stateMgr, 1879 RegionBindingsRef b, SymbolReaper &symReaper, 1880 const StackFrameContext *LCtx) 1881 : ClusterAnalysis<removeDeadBindingsWorker>(rm, stateMgr, b, 1882 /* includeGlobals = */ false), 1883 SymReaper(symReaper), CurrentLCtx(LCtx) {} 1884 1885 // Called by ClusterAnalysis. 1886 void VisitAddedToCluster(const MemRegion *baseR, const ClusterBindings &C); 1887 void VisitCluster(const MemRegion *baseR, const ClusterBindings &C); 1888 1889 bool UpdatePostponed(); 1890 void VisitBinding(SVal V); 1891 }; 1892 } 1893 1894 void removeDeadBindingsWorker::VisitAddedToCluster(const MemRegion *baseR, 1895 const ClusterBindings &C) { 1896 1897 if (const VarRegion *VR = dyn_cast<VarRegion>(baseR)) { 1898 if (SymReaper.isLive(VR)) 1899 AddToWorkList(baseR, &C); 1900 1901 return; 1902 } 1903 1904 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(baseR)) { 1905 if (SymReaper.isLive(SR->getSymbol())) 1906 AddToWorkList(SR, &C); 1907 else 1908 Postponed.push_back(SR); 1909 1910 return; 1911 } 1912 1913 if (isa<NonStaticGlobalSpaceRegion>(baseR)) { 1914 AddToWorkList(baseR, &C); 1915 return; 1916 } 1917 1918 // CXXThisRegion in the current or parent location context is live. 1919 if (const CXXThisRegion *TR = dyn_cast<CXXThisRegion>(baseR)) { 1920 const StackArgumentsSpaceRegion *StackReg = 1921 cast<StackArgumentsSpaceRegion>(TR->getSuperRegion()); 1922 const StackFrameContext *RegCtx = StackReg->getStackFrame(); 1923 if (CurrentLCtx && 1924 (RegCtx == CurrentLCtx || RegCtx->isParentOf(CurrentLCtx))) 1925 AddToWorkList(TR, &C); 1926 } 1927 } 1928 1929 void removeDeadBindingsWorker::VisitCluster(const MemRegion *baseR, 1930 const ClusterBindings &C) { 1931 // Mark the symbol for any SymbolicRegion with live bindings as live itself. 1932 // This means we should continue to track that symbol. 1933 if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(baseR)) 1934 SymReaper.markLive(SymR->getSymbol()); 1935 1936 for (ClusterBindings::iterator I = C.begin(), E = C.end(); I != E; ++I) 1937 VisitBinding(I.getData()); 1938 } 1939 1940 void removeDeadBindingsWorker::VisitBinding(SVal V) { 1941 // Is it a LazyCompoundVal? All referenced regions are live as well. 1942 if (const nonloc::LazyCompoundVal *LCS = 1943 dyn_cast<nonloc::LazyCompoundVal>(&V)) { 1944 1945 const MemRegion *LazyR = LCS->getRegion(); 1946 RegionBindingsRef B = RM.getRegionBindings(LCS->getStore()); 1947 1948 // FIXME: This should not have to walk all bindings in the old store. 1949 for (RegionBindingsRef::iterator RI = B.begin(), RE = B.end(); 1950 RI != RE; ++RI){ 1951 const ClusterBindings &Cluster = RI.getData(); 1952 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 1953 CI != CE; ++CI) { 1954 BindingKey K = CI.getKey(); 1955 if (const SubRegion *BaseR = dyn_cast<SubRegion>(K.getRegion())) { 1956 if (BaseR == LazyR) 1957 VisitBinding(CI.getData()); 1958 else if (K.hasSymbolicOffset() && BaseR->isSubRegionOf(LazyR)) 1959 VisitBinding(CI.getData()); 1960 } 1961 } 1962 } 1963 1964 return; 1965 } 1966 1967 // If V is a region, then add it to the worklist. 1968 if (const MemRegion *R = V.getAsRegion()) { 1969 AddToWorkList(R); 1970 1971 // All regions captured by a block are also live. 1972 if (const BlockDataRegion *BR = dyn_cast<BlockDataRegion>(R)) { 1973 BlockDataRegion::referenced_vars_iterator I = BR->referenced_vars_begin(), 1974 E = BR->referenced_vars_end(); 1975 for ( ; I != E; ++I) 1976 AddToWorkList(I.getCapturedRegion()); 1977 } 1978 } 1979 1980 1981 // Update the set of live symbols. 1982 for (SymExpr::symbol_iterator SI = V.symbol_begin(), SE = V.symbol_end(); 1983 SI!=SE; ++SI) 1984 SymReaper.markLive(*SI); 1985 } 1986 1987 bool removeDeadBindingsWorker::UpdatePostponed() { 1988 // See if any postponed SymbolicRegions are actually live now, after 1989 // having done a scan. 1990 bool changed = false; 1991 1992 for (SmallVectorImpl<const SymbolicRegion*>::iterator 1993 I = Postponed.begin(), E = Postponed.end() ; I != E ; ++I) { 1994 if (const SymbolicRegion *SR = *I) { 1995 if (SymReaper.isLive(SR->getSymbol())) { 1996 changed |= AddToWorkList(SR); 1997 *I = NULL; 1998 } 1999 } 2000 } 2001 2002 return changed; 2003 } 2004 2005 StoreRef RegionStoreManager::removeDeadBindings(Store store, 2006 const StackFrameContext *LCtx, 2007 SymbolReaper& SymReaper) { 2008 RegionBindingsRef B = getRegionBindings(store); 2009 removeDeadBindingsWorker W(*this, StateMgr, B, SymReaper, LCtx); 2010 W.GenerateClusters(); 2011 2012 // Enqueue the region roots onto the worklist. 2013 for (SymbolReaper::region_iterator I = SymReaper.region_begin(), 2014 E = SymReaper.region_end(); I != E; ++I) { 2015 W.AddToWorkList(*I); 2016 } 2017 2018 do W.RunWorkList(); while (W.UpdatePostponed()); 2019 2020 // We have now scanned the store, marking reachable regions and symbols 2021 // as live. We now remove all the regions that are dead from the store 2022 // as well as update DSymbols with the set symbols that are now dead. 2023 for (RegionBindingsRef::iterator I = B.begin(), E = B.end(); I != E; ++I) { 2024 const MemRegion *Base = I.getKey(); 2025 2026 // If the cluster has been visited, we know the region has been marked. 2027 if (W.isVisited(Base)) 2028 continue; 2029 2030 // Remove the dead entry. 2031 B = B.remove(Base); 2032 2033 if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(Base)) 2034 SymReaper.maybeDead(SymR->getSymbol()); 2035 2036 // Mark all non-live symbols that this binding references as dead. 2037 const ClusterBindings &Cluster = I.getData(); 2038 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end(); 2039 CI != CE; ++CI) { 2040 SVal X = CI.getData(); 2041 SymExpr::symbol_iterator SI = X.symbol_begin(), SE = X.symbol_end(); 2042 for (; SI != SE; ++SI) 2043 SymReaper.maybeDead(*SI); 2044 } 2045 } 2046 2047 return StoreRef(B.asStore(), *this); 2048 } 2049 2050 //===----------------------------------------------------------------------===// 2051 // Utility methods. 2052 //===----------------------------------------------------------------------===// 2053 2054 void RegionStoreManager::print(Store store, raw_ostream &OS, 2055 const char* nl, const char *sep) { 2056 RegionBindingsRef B = getRegionBindings(store); 2057 OS << "Store (direct and default bindings), " 2058 << B.asStore() 2059 << " :" << nl; 2060 B.dump(OS, nl); 2061 } 2062