1 //===- SValBuilder.cpp - Basic class for all SValBuilder implementations --===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file defines SValBuilder, the base class for all (complete) SValBuilder 10 // implementations. 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" 15 #include "clang/AST/ASTContext.h" 16 #include "clang/AST/Decl.h" 17 #include "clang/AST/DeclCXX.h" 18 #include "clang/AST/ExprCXX.h" 19 #include "clang/AST/ExprObjC.h" 20 #include "clang/AST/Stmt.h" 21 #include "clang/AST/Type.h" 22 #include "clang/Basic/LLVM.h" 23 #include "clang/Analysis/AnalysisDeclContext.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/BasicValueFactory.h" 27 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 28 #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" 29 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 30 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" 31 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 32 #include "clang/StaticAnalyzer/Core/PathSensitive/Store.h" 33 #include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h" 34 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 35 #include "llvm/ADT/APSInt.h" 36 #include "llvm/ADT/None.h" 37 #include "llvm/ADT/Optional.h" 38 #include "llvm/Support/Casting.h" 39 #include "llvm/Support/Compiler.h" 40 #include <cassert> 41 #include <tuple> 42 43 using namespace clang; 44 using namespace ento; 45 46 //===----------------------------------------------------------------------===// 47 // Basic SVal creation. 48 //===----------------------------------------------------------------------===// 49 50 void SValBuilder::anchor() {} 51 52 SValBuilder::SValBuilder(llvm::BumpPtrAllocator &alloc, ASTContext &context, 53 ProgramStateManager &stateMgr) 54 : Context(context), BasicVals(context, alloc), 55 SymMgr(context, BasicVals, alloc), MemMgr(context, alloc), 56 StateMgr(stateMgr), 57 AnOpts( 58 stateMgr.getOwningEngine().getAnalysisManager().getAnalyzerOptions()), 59 ArrayIndexTy(context.LongLongTy), 60 ArrayIndexWidth(context.getTypeSize(ArrayIndexTy)) {} 61 62 DefinedOrUnknownSVal SValBuilder::makeZeroVal(QualType type) { 63 if (Loc::isLocType(type)) 64 return makeNullWithType(type); 65 66 if (type->isIntegralOrEnumerationType()) 67 return makeIntVal(0, type); 68 69 if (type->isArrayType() || type->isRecordType() || type->isVectorType() || 70 type->isAnyComplexType()) 71 return makeCompoundVal(type, BasicVals.getEmptySValList()); 72 73 // FIXME: Handle floats. 74 return UnknownVal(); 75 } 76 77 nonloc::SymbolVal SValBuilder::makeNonLoc(const SymExpr *lhs, 78 BinaryOperator::Opcode op, 79 const llvm::APSInt &rhs, 80 QualType type) { 81 // The Environment ensures we always get a persistent APSInt in 82 // BasicValueFactory, so we don't need to get the APSInt from 83 // BasicValueFactory again. 84 assert(lhs); 85 assert(!Loc::isLocType(type)); 86 return nonloc::SymbolVal(SymMgr.getSymIntExpr(lhs, op, rhs, type)); 87 } 88 89 nonloc::SymbolVal SValBuilder::makeNonLoc(const llvm::APSInt &lhs, 90 BinaryOperator::Opcode op, 91 const SymExpr *rhs, QualType type) { 92 assert(rhs); 93 assert(!Loc::isLocType(type)); 94 return nonloc::SymbolVal(SymMgr.getIntSymExpr(lhs, op, rhs, type)); 95 } 96 97 nonloc::SymbolVal SValBuilder::makeNonLoc(const SymExpr *lhs, 98 BinaryOperator::Opcode op, 99 const SymExpr *rhs, QualType type) { 100 assert(lhs && rhs); 101 assert(!Loc::isLocType(type)); 102 return nonloc::SymbolVal(SymMgr.getSymSymExpr(lhs, op, rhs, type)); 103 } 104 105 NonLoc SValBuilder::makeNonLoc(const SymExpr *operand, UnaryOperator::Opcode op, 106 QualType type) { 107 assert(operand); 108 assert(!Loc::isLocType(type)); 109 return nonloc::SymbolVal(SymMgr.getUnarySymExpr(operand, op, type)); 110 } 111 112 nonloc::SymbolVal SValBuilder::makeNonLoc(const SymExpr *operand, 113 QualType fromTy, QualType toTy) { 114 assert(operand); 115 assert(!Loc::isLocType(toTy)); 116 if (fromTy == toTy) 117 return operand; 118 return nonloc::SymbolVal(SymMgr.getCastSymbol(operand, fromTy, toTy)); 119 } 120 121 SVal SValBuilder::convertToArrayIndex(SVal val) { 122 if (val.isUnknownOrUndef()) 123 return val; 124 125 // Common case: we have an appropriately sized integer. 126 if (Optional<nonloc::ConcreteInt> CI = val.getAs<nonloc::ConcreteInt>()) { 127 const llvm::APSInt& I = CI->getValue(); 128 if (I.getBitWidth() == ArrayIndexWidth && I.isSigned()) 129 return val; 130 } 131 132 return evalCast(val, ArrayIndexTy, QualType{}); 133 } 134 135 nonloc::ConcreteInt SValBuilder::makeBoolVal(const CXXBoolLiteralExpr *boolean){ 136 return makeTruthVal(boolean->getValue()); 137 } 138 139 DefinedOrUnknownSVal 140 SValBuilder::getRegionValueSymbolVal(const TypedValueRegion *region) { 141 QualType T = region->getValueType(); 142 143 if (T->isNullPtrType()) 144 return makeZeroVal(T); 145 146 if (!SymbolManager::canSymbolicate(T)) 147 return UnknownVal(); 148 149 SymbolRef sym = SymMgr.getRegionValueSymbol(region); 150 151 if (Loc::isLocType(T)) 152 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym)); 153 154 return nonloc::SymbolVal(sym); 155 } 156 157 DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const void *SymbolTag, 158 const Expr *Ex, 159 const LocationContext *LCtx, 160 unsigned Count) { 161 QualType T = Ex->getType(); 162 163 if (T->isNullPtrType()) 164 return makeZeroVal(T); 165 166 // Compute the type of the result. If the expression is not an R-value, the 167 // result should be a location. 168 QualType ExType = Ex->getType(); 169 if (Ex->isGLValue()) 170 T = LCtx->getAnalysisDeclContext()->getASTContext().getPointerType(ExType); 171 172 return conjureSymbolVal(SymbolTag, Ex, LCtx, T, Count); 173 } 174 175 DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const void *symbolTag, 176 const Expr *expr, 177 const LocationContext *LCtx, 178 QualType type, 179 unsigned count) { 180 if (type->isNullPtrType()) 181 return makeZeroVal(type); 182 183 if (!SymbolManager::canSymbolicate(type)) 184 return UnknownVal(); 185 186 SymbolRef sym = SymMgr.conjureSymbol(expr, LCtx, type, count, symbolTag); 187 188 if (Loc::isLocType(type)) 189 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym)); 190 191 return nonloc::SymbolVal(sym); 192 } 193 194 DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const Stmt *stmt, 195 const LocationContext *LCtx, 196 QualType type, 197 unsigned visitCount) { 198 if (type->isNullPtrType()) 199 return makeZeroVal(type); 200 201 if (!SymbolManager::canSymbolicate(type)) 202 return UnknownVal(); 203 204 SymbolRef sym = SymMgr.conjureSymbol(stmt, LCtx, type, visitCount); 205 206 if (Loc::isLocType(type)) 207 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym)); 208 209 return nonloc::SymbolVal(sym); 210 } 211 212 DefinedOrUnknownSVal 213 SValBuilder::getConjuredHeapSymbolVal(const Expr *E, 214 const LocationContext *LCtx, 215 unsigned VisitCount) { 216 QualType T = E->getType(); 217 return getConjuredHeapSymbolVal(E, LCtx, T, VisitCount); 218 } 219 220 DefinedOrUnknownSVal 221 SValBuilder::getConjuredHeapSymbolVal(const Expr *E, 222 const LocationContext *LCtx, 223 QualType type, unsigned VisitCount) { 224 assert(Loc::isLocType(type)); 225 assert(SymbolManager::canSymbolicate(type)); 226 if (type->isNullPtrType()) 227 return makeZeroVal(type); 228 229 SymbolRef sym = SymMgr.conjureSymbol(E, LCtx, type, VisitCount); 230 return loc::MemRegionVal(MemMgr.getSymbolicHeapRegion(sym)); 231 } 232 233 DefinedSVal SValBuilder::getMetadataSymbolVal(const void *symbolTag, 234 const MemRegion *region, 235 const Expr *expr, QualType type, 236 const LocationContext *LCtx, 237 unsigned count) { 238 assert(SymbolManager::canSymbolicate(type) && "Invalid metadata symbol type"); 239 240 SymbolRef sym = 241 SymMgr.getMetadataSymbol(region, expr, type, LCtx, count, symbolTag); 242 243 if (Loc::isLocType(type)) 244 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym)); 245 246 return nonloc::SymbolVal(sym); 247 } 248 249 DefinedOrUnknownSVal 250 SValBuilder::getDerivedRegionValueSymbolVal(SymbolRef parentSymbol, 251 const TypedValueRegion *region) { 252 QualType T = region->getValueType(); 253 254 if (T->isNullPtrType()) 255 return makeZeroVal(T); 256 257 if (!SymbolManager::canSymbolicate(T)) 258 return UnknownVal(); 259 260 SymbolRef sym = SymMgr.getDerivedSymbol(parentSymbol, region); 261 262 if (Loc::isLocType(T)) 263 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym)); 264 265 return nonloc::SymbolVal(sym); 266 } 267 268 DefinedSVal SValBuilder::getMemberPointer(const NamedDecl *ND) { 269 assert(!ND || (isa<CXXMethodDecl, FieldDecl, IndirectFieldDecl>(ND))); 270 271 if (const auto *MD = dyn_cast_or_null<CXXMethodDecl>(ND)) { 272 // Sema treats pointers to static member functions as have function pointer 273 // type, so return a function pointer for the method. 274 // We don't need to play a similar trick for static member fields 275 // because these are represented as plain VarDecls and not FieldDecls 276 // in the AST. 277 if (MD->isStatic()) 278 return getFunctionPointer(MD); 279 } 280 281 return nonloc::PointerToMember(ND); 282 } 283 284 DefinedSVal SValBuilder::getFunctionPointer(const FunctionDecl *func) { 285 return loc::MemRegionVal(MemMgr.getFunctionCodeRegion(func)); 286 } 287 288 DefinedSVal SValBuilder::getBlockPointer(const BlockDecl *block, 289 CanQualType locTy, 290 const LocationContext *locContext, 291 unsigned blockCount) { 292 const BlockCodeRegion *BC = 293 MemMgr.getBlockCodeRegion(block, locTy, locContext->getAnalysisDeclContext()); 294 const BlockDataRegion *BD = MemMgr.getBlockDataRegion(BC, locContext, 295 blockCount); 296 return loc::MemRegionVal(BD); 297 } 298 299 Optional<loc::MemRegionVal> 300 SValBuilder::getCastedMemRegionVal(const MemRegion *R, QualType Ty) { 301 if (auto OptR = StateMgr.getStoreManager().castRegion(R, Ty)) 302 return loc::MemRegionVal(*OptR); 303 return None; 304 } 305 306 /// Return a memory region for the 'this' object reference. 307 loc::MemRegionVal SValBuilder::getCXXThis(const CXXMethodDecl *D, 308 const StackFrameContext *SFC) { 309 return loc::MemRegionVal( 310 getRegionManager().getCXXThisRegion(D->getThisType(), SFC)); 311 } 312 313 /// Return a memory region for the 'this' object reference. 314 loc::MemRegionVal SValBuilder::getCXXThis(const CXXRecordDecl *D, 315 const StackFrameContext *SFC) { 316 const Type *T = D->getTypeForDecl(); 317 QualType PT = getContext().getPointerType(QualType(T, 0)); 318 return loc::MemRegionVal(getRegionManager().getCXXThisRegion(PT, SFC)); 319 } 320 321 Optional<SVal> SValBuilder::getConstantVal(const Expr *E) { 322 E = E->IgnoreParens(); 323 324 switch (E->getStmtClass()) { 325 // Handle expressions that we treat differently from the AST's constant 326 // evaluator. 327 case Stmt::AddrLabelExprClass: 328 return makeLoc(cast<AddrLabelExpr>(E)); 329 330 case Stmt::CXXScalarValueInitExprClass: 331 case Stmt::ImplicitValueInitExprClass: 332 return makeZeroVal(E->getType()); 333 334 case Stmt::ObjCStringLiteralClass: { 335 const auto *SL = cast<ObjCStringLiteral>(E); 336 return makeLoc(getRegionManager().getObjCStringRegion(SL)); 337 } 338 339 case Stmt::StringLiteralClass: { 340 const auto *SL = cast<StringLiteral>(E); 341 return makeLoc(getRegionManager().getStringRegion(SL)); 342 } 343 344 case Stmt::PredefinedExprClass: { 345 const auto *PE = cast<PredefinedExpr>(E); 346 assert(PE->getFunctionName() && 347 "Since we analyze only instantiated functions, PredefinedExpr " 348 "should have a function name."); 349 return makeLoc(getRegionManager().getStringRegion(PE->getFunctionName())); 350 } 351 352 // Fast-path some expressions to avoid the overhead of going through the AST's 353 // constant evaluator 354 case Stmt::CharacterLiteralClass: { 355 const auto *C = cast<CharacterLiteral>(E); 356 return makeIntVal(C->getValue(), C->getType()); 357 } 358 359 case Stmt::CXXBoolLiteralExprClass: 360 return makeBoolVal(cast<CXXBoolLiteralExpr>(E)); 361 362 case Stmt::TypeTraitExprClass: { 363 const auto *TE = cast<TypeTraitExpr>(E); 364 return makeTruthVal(TE->getValue(), TE->getType()); 365 } 366 367 case Stmt::IntegerLiteralClass: 368 return makeIntVal(cast<IntegerLiteral>(E)); 369 370 case Stmt::ObjCBoolLiteralExprClass: 371 return makeBoolVal(cast<ObjCBoolLiteralExpr>(E)); 372 373 case Stmt::CXXNullPtrLiteralExprClass: 374 return makeNullWithType(E->getType()); 375 376 case Stmt::CStyleCastExprClass: 377 case Stmt::CXXFunctionalCastExprClass: 378 case Stmt::CXXConstCastExprClass: 379 case Stmt::CXXReinterpretCastExprClass: 380 case Stmt::CXXStaticCastExprClass: 381 case Stmt::ImplicitCastExprClass: { 382 const auto *CE = cast<CastExpr>(E); 383 switch (CE->getCastKind()) { 384 default: 385 break; 386 case CK_ArrayToPointerDecay: 387 case CK_IntegralToPointer: 388 case CK_NoOp: 389 case CK_BitCast: { 390 const Expr *SE = CE->getSubExpr(); 391 Optional<SVal> Val = getConstantVal(SE); 392 if (!Val) 393 return None; 394 return evalCast(*Val, CE->getType(), SE->getType()); 395 } 396 } 397 // FALLTHROUGH 398 LLVM_FALLTHROUGH; 399 } 400 401 // If we don't have a special case, fall back to the AST's constant evaluator. 402 default: { 403 // Don't try to come up with a value for materialized temporaries. 404 if (E->isGLValue()) 405 return None; 406 407 ASTContext &Ctx = getContext(); 408 Expr::EvalResult Result; 409 if (E->EvaluateAsInt(Result, Ctx)) 410 return makeIntVal(Result.Val.getInt()); 411 412 if (Loc::isLocType(E->getType())) 413 if (E->isNullPointerConstant(Ctx, Expr::NPC_ValueDependentIsNotNull)) 414 return makeNullWithType(E->getType()); 415 416 return None; 417 } 418 } 419 } 420 421 SVal SValBuilder::makeSymExprValNN(BinaryOperator::Opcode Op, 422 NonLoc LHS, NonLoc RHS, 423 QualType ResultTy) { 424 SymbolRef symLHS = LHS.getAsSymbol(); 425 SymbolRef symRHS = RHS.getAsSymbol(); 426 427 // TODO: When the Max Complexity is reached, we should conjure a symbol 428 // instead of generating an Unknown value and propagate the taint info to it. 429 const unsigned MaxComp = AnOpts.MaxSymbolComplexity; 430 431 if (symLHS && symRHS && 432 (symLHS->computeComplexity() + symRHS->computeComplexity()) < MaxComp) 433 return makeNonLoc(symLHS, Op, symRHS, ResultTy); 434 435 if (symLHS && symLHS->computeComplexity() < MaxComp) 436 if (Optional<nonloc::ConcreteInt> rInt = RHS.getAs<nonloc::ConcreteInt>()) 437 return makeNonLoc(symLHS, Op, rInt->getValue(), ResultTy); 438 439 if (symRHS && symRHS->computeComplexity() < MaxComp) 440 if (Optional<nonloc::ConcreteInt> lInt = LHS.getAs<nonloc::ConcreteInt>()) 441 return makeNonLoc(lInt->getValue(), Op, symRHS, ResultTy); 442 443 return UnknownVal(); 444 } 445 446 SVal SValBuilder::evalMinus(NonLoc X) { 447 switch (X.getSubKind()) { 448 case nonloc::ConcreteIntKind: 449 return makeIntVal(-X.castAs<nonloc::ConcreteInt>().getValue()); 450 case nonloc::SymbolValKind: 451 return makeNonLoc(X.castAs<nonloc::SymbolVal>().getSymbol(), UO_Minus, 452 X.getType(Context)); 453 default: 454 return UnknownVal(); 455 } 456 } 457 458 SVal SValBuilder::evalComplement(NonLoc X) { 459 switch (X.getSubKind()) { 460 case nonloc::ConcreteIntKind: 461 return makeIntVal(~X.castAs<nonloc::ConcreteInt>().getValue()); 462 case nonloc::SymbolValKind: 463 return makeNonLoc(X.castAs<nonloc::SymbolVal>().getSymbol(), UO_Not, 464 X.getType(Context)); 465 default: 466 return UnknownVal(); 467 } 468 } 469 470 SVal SValBuilder::evalUnaryOp(ProgramStateRef state, UnaryOperator::Opcode opc, 471 SVal operand, QualType type) { 472 auto OpN = operand.getAs<NonLoc>(); 473 if (!OpN) 474 return UnknownVal(); 475 476 if (opc == UO_Minus) 477 return evalMinus(*OpN); 478 if (opc == UO_Not) 479 return evalComplement(*OpN); 480 llvm_unreachable("Unexpected unary operator"); 481 } 482 483 SVal SValBuilder::evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op, 484 SVal lhs, SVal rhs, QualType type) { 485 if (lhs.isUndef() || rhs.isUndef()) 486 return UndefinedVal(); 487 488 if (lhs.isUnknown() || rhs.isUnknown()) 489 return UnknownVal(); 490 491 if (isa<nonloc::LazyCompoundVal>(lhs) || isa<nonloc::LazyCompoundVal>(rhs)) { 492 return UnknownVal(); 493 } 494 495 if (op == BinaryOperatorKind::BO_Cmp) { 496 // We can't reason about C++20 spaceship operator yet. 497 // 498 // FIXME: Support C++20 spaceship operator. 499 // The main problem here is that the result is not integer. 500 return UnknownVal(); 501 } 502 503 if (Optional<Loc> LV = lhs.getAs<Loc>()) { 504 if (Optional<Loc> RV = rhs.getAs<Loc>()) 505 return evalBinOpLL(state, op, *LV, *RV, type); 506 507 return evalBinOpLN(state, op, *LV, rhs.castAs<NonLoc>(), type); 508 } 509 510 if (const Optional<Loc> RV = rhs.getAs<Loc>()) { 511 const auto IsCommutative = [](BinaryOperatorKind Op) { 512 return Op == BO_Mul || Op == BO_Add || Op == BO_And || Op == BO_Xor || 513 Op == BO_Or; 514 }; 515 516 if (IsCommutative(op)) { 517 // Swap operands. 518 return evalBinOpLN(state, op, *RV, lhs.castAs<NonLoc>(), type); 519 } 520 521 // If the right operand is a concrete int location then we have nothing 522 // better but to treat it as a simple nonloc. 523 if (auto RV = rhs.getAs<loc::ConcreteInt>()) { 524 const nonloc::ConcreteInt RhsAsLoc = makeIntVal(RV->getValue()); 525 return evalBinOpNN(state, op, lhs.castAs<NonLoc>(), RhsAsLoc, type); 526 } 527 } 528 529 return evalBinOpNN(state, op, lhs.castAs<NonLoc>(), rhs.castAs<NonLoc>(), 530 type); 531 } 532 533 ConditionTruthVal SValBuilder::areEqual(ProgramStateRef state, SVal lhs, 534 SVal rhs) { 535 return state->isNonNull(evalEQ(state, lhs, rhs)); 536 } 537 538 SVal SValBuilder::evalEQ(ProgramStateRef state, SVal lhs, SVal rhs) { 539 return evalBinOp(state, BO_EQ, lhs, rhs, getConditionType()); 540 } 541 542 DefinedOrUnknownSVal SValBuilder::evalEQ(ProgramStateRef state, 543 DefinedOrUnknownSVal lhs, 544 DefinedOrUnknownSVal rhs) { 545 return evalEQ(state, static_cast<SVal>(lhs), static_cast<SVal>(rhs)) 546 .castAs<DefinedOrUnknownSVal>(); 547 } 548 549 /// Recursively check if the pointer types are equal modulo const, volatile, 550 /// and restrict qualifiers. Also, assume that all types are similar to 'void'. 551 /// Assumes the input types are canonical. 552 static bool shouldBeModeledWithNoOp(ASTContext &Context, QualType ToTy, 553 QualType FromTy) { 554 while (Context.UnwrapSimilarTypes(ToTy, FromTy)) { 555 Qualifiers Quals1, Quals2; 556 ToTy = Context.getUnqualifiedArrayType(ToTy, Quals1); 557 FromTy = Context.getUnqualifiedArrayType(FromTy, Quals2); 558 559 // Make sure that non-cvr-qualifiers the other qualifiers (e.g., address 560 // spaces) are identical. 561 Quals1.removeCVRQualifiers(); 562 Quals2.removeCVRQualifiers(); 563 if (Quals1 != Quals2) 564 return false; 565 } 566 567 // If we are casting to void, the 'From' value can be used to represent the 568 // 'To' value. 569 // 570 // FIXME: Doing this after unwrapping the types doesn't make any sense. A 571 // cast from 'int**' to 'void**' is not special in the way that a cast from 572 // 'int*' to 'void*' is. 573 if (ToTy->isVoidType()) 574 return true; 575 576 if (ToTy != FromTy) 577 return false; 578 579 return true; 580 } 581 582 // Handles casts of type CK_IntegralCast. 583 // At the moment, this function will redirect to evalCast, except when the range 584 // of the original value is known to be greater than the max of the target type. 585 SVal SValBuilder::evalIntegralCast(ProgramStateRef state, SVal val, 586 QualType castTy, QualType originalTy) { 587 // No truncations if target type is big enough. 588 if (getContext().getTypeSize(castTy) >= getContext().getTypeSize(originalTy)) 589 return evalCast(val, castTy, originalTy); 590 591 SymbolRef se = val.getAsSymbol(); 592 if (!se) // Let evalCast handle non symbolic expressions. 593 return evalCast(val, castTy, originalTy); 594 595 // Find the maximum value of the target type. 596 APSIntType ToType(getContext().getTypeSize(castTy), 597 castTy->isUnsignedIntegerType()); 598 llvm::APSInt ToTypeMax = ToType.getMaxValue(); 599 NonLoc ToTypeMaxVal = 600 makeIntVal(ToTypeMax.isUnsigned() ? ToTypeMax.getZExtValue() 601 : ToTypeMax.getSExtValue(), 602 castTy) 603 .castAs<NonLoc>(); 604 // Check the range of the symbol being casted against the maximum value of the 605 // target type. 606 NonLoc FromVal = val.castAs<NonLoc>(); 607 QualType CmpTy = getConditionType(); 608 NonLoc CompVal = 609 evalBinOpNN(state, BO_LE, FromVal, ToTypeMaxVal, CmpTy).castAs<NonLoc>(); 610 ProgramStateRef IsNotTruncated, IsTruncated; 611 std::tie(IsNotTruncated, IsTruncated) = state->assume(CompVal); 612 if (!IsNotTruncated && IsTruncated) { 613 // Symbol is truncated so we evaluate it as a cast. 614 return makeNonLoc(se, originalTy, castTy); 615 } 616 return evalCast(val, castTy, originalTy); 617 } 618 619 //===----------------------------------------------------------------------===// 620 // Cast methods. 621 // `evalCast` is the main method 622 // `evalCastKind` and `evalCastSubKind` are helpers 623 //===----------------------------------------------------------------------===// 624 625 /// Cast a given SVal to another SVal using given QualType's. 626 /// \param V -- SVal that should be casted. 627 /// \param CastTy -- QualType that V should be casted according to. 628 /// \param OriginalTy -- QualType which is associated to V. It provides 629 /// additional information about what type the cast performs from. 630 /// \returns the most appropriate casted SVal. 631 /// Note: Many cases don't use an exact OriginalTy. It can be extracted 632 /// from SVal or the cast can performs unconditionaly. Always pass OriginalTy! 633 /// It can be crucial in certain cases and generates different results. 634 /// FIXME: If `OriginalTy.isNull()` is true, then cast performs based on CastTy 635 /// only. This behavior is uncertain and should be improved. 636 SVal SValBuilder::evalCast(SVal V, QualType CastTy, QualType OriginalTy) { 637 if (CastTy.isNull()) 638 return V; 639 640 CastTy = Context.getCanonicalType(CastTy); 641 642 const bool IsUnknownOriginalType = OriginalTy.isNull(); 643 if (!IsUnknownOriginalType) { 644 OriginalTy = Context.getCanonicalType(OriginalTy); 645 646 if (CastTy == OriginalTy) 647 return V; 648 649 // FIXME: Move this check to the most appropriate 650 // evalCastKind/evalCastSubKind function. For const casts, casts to void, 651 // just propagate the value. 652 if (!CastTy->isVariableArrayType() && !OriginalTy->isVariableArrayType()) 653 if (shouldBeModeledWithNoOp(Context, Context.getPointerType(CastTy), 654 Context.getPointerType(OriginalTy))) 655 return V; 656 } 657 658 // Cast SVal according to kinds. 659 switch (V.getBaseKind()) { 660 case SVal::UndefinedValKind: 661 return evalCastKind(V.castAs<UndefinedVal>(), CastTy, OriginalTy); 662 case SVal::UnknownValKind: 663 return evalCastKind(V.castAs<UnknownVal>(), CastTy, OriginalTy); 664 case SVal::LocKind: 665 return evalCastKind(V.castAs<Loc>(), CastTy, OriginalTy); 666 case SVal::NonLocKind: 667 return evalCastKind(V.castAs<NonLoc>(), CastTy, OriginalTy); 668 } 669 670 llvm_unreachable("Unknown SVal kind"); 671 } 672 673 SVal SValBuilder::evalCastKind(UndefinedVal V, QualType CastTy, 674 QualType OriginalTy) { 675 return V; 676 } 677 678 SVal SValBuilder::evalCastKind(UnknownVal V, QualType CastTy, 679 QualType OriginalTy) { 680 return V; 681 } 682 683 SVal SValBuilder::evalCastKind(Loc V, QualType CastTy, QualType OriginalTy) { 684 switch (V.getSubKind()) { 685 case loc::ConcreteIntKind: 686 return evalCastSubKind(V.castAs<loc::ConcreteInt>(), CastTy, OriginalTy); 687 case loc::GotoLabelKind: 688 return evalCastSubKind(V.castAs<loc::GotoLabel>(), CastTy, OriginalTy); 689 case loc::MemRegionValKind: 690 return evalCastSubKind(V.castAs<loc::MemRegionVal>(), CastTy, OriginalTy); 691 } 692 693 llvm_unreachable("Unknown SVal kind"); 694 } 695 696 SVal SValBuilder::evalCastKind(NonLoc V, QualType CastTy, QualType OriginalTy) { 697 switch (V.getSubKind()) { 698 case nonloc::CompoundValKind: 699 return evalCastSubKind(V.castAs<nonloc::CompoundVal>(), CastTy, OriginalTy); 700 case nonloc::ConcreteIntKind: 701 return evalCastSubKind(V.castAs<nonloc::ConcreteInt>(), CastTy, OriginalTy); 702 case nonloc::LazyCompoundValKind: 703 return evalCastSubKind(V.castAs<nonloc::LazyCompoundVal>(), CastTy, 704 OriginalTy); 705 case nonloc::LocAsIntegerKind: 706 return evalCastSubKind(V.castAs<nonloc::LocAsInteger>(), CastTy, 707 OriginalTy); 708 case nonloc::SymbolValKind: 709 return evalCastSubKind(V.castAs<nonloc::SymbolVal>(), CastTy, OriginalTy); 710 case nonloc::PointerToMemberKind: 711 return evalCastSubKind(V.castAs<nonloc::PointerToMember>(), CastTy, 712 OriginalTy); 713 } 714 715 llvm_unreachable("Unknown SVal kind"); 716 } 717 718 SVal SValBuilder::evalCastSubKind(loc::ConcreteInt V, QualType CastTy, 719 QualType OriginalTy) { 720 // Pointer to bool. 721 if (CastTy->isBooleanType()) 722 return makeTruthVal(V.getValue().getBoolValue(), CastTy); 723 724 // Pointer to integer. 725 if (CastTy->isIntegralOrEnumerationType()) { 726 llvm::APSInt Value = V.getValue(); 727 BasicVals.getAPSIntType(CastTy).apply(Value); 728 return makeIntVal(Value); 729 } 730 731 // Pointer to any pointer. 732 if (Loc::isLocType(CastTy)) { 733 llvm::APSInt Value = V.getValue(); 734 BasicVals.getAPSIntType(CastTy).apply(Value); 735 return loc::ConcreteInt(BasicVals.getValue(Value)); 736 } 737 738 // Pointer to whatever else. 739 return UnknownVal(); 740 } 741 742 SVal SValBuilder::evalCastSubKind(loc::GotoLabel V, QualType CastTy, 743 QualType OriginalTy) { 744 // Pointer to bool. 745 if (CastTy->isBooleanType()) 746 // Labels are always true. 747 return makeTruthVal(true, CastTy); 748 749 // Pointer to integer. 750 if (CastTy->isIntegralOrEnumerationType()) { 751 const unsigned BitWidth = Context.getIntWidth(CastTy); 752 return makeLocAsInteger(V, BitWidth); 753 } 754 755 const bool IsUnknownOriginalType = OriginalTy.isNull(); 756 if (!IsUnknownOriginalType) { 757 // Array to pointer. 758 if (isa<ArrayType>(OriginalTy)) 759 if (CastTy->isPointerType() || CastTy->isReferenceType()) 760 return UnknownVal(); 761 } 762 763 // Pointer to any pointer. 764 if (Loc::isLocType(CastTy)) 765 return V; 766 767 // Pointer to whatever else. 768 return UnknownVal(); 769 } 770 771 static bool hasSameUnqualifiedPointeeType(QualType ty1, QualType ty2) { 772 return ty1->getPointeeType().getCanonicalType().getTypePtr() == 773 ty2->getPointeeType().getCanonicalType().getTypePtr(); 774 } 775 776 SVal SValBuilder::evalCastSubKind(loc::MemRegionVal V, QualType CastTy, 777 QualType OriginalTy) { 778 // Pointer to bool. 779 if (CastTy->isBooleanType()) { 780 const MemRegion *R = V.getRegion(); 781 if (const FunctionCodeRegion *FTR = dyn_cast<FunctionCodeRegion>(R)) 782 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FTR->getDecl())) 783 if (FD->isWeak()) 784 // FIXME: Currently we are using an extent symbol here, 785 // because there are no generic region address metadata 786 // symbols to use, only content metadata. 787 return nonloc::SymbolVal(SymMgr.getExtentSymbol(FTR)); 788 789 if (const SymbolicRegion *SymR = R->getSymbolicBase()) { 790 SymbolRef Sym = SymR->getSymbol(); 791 QualType Ty = Sym->getType(); 792 // This change is needed for architectures with varying 793 // pointer widths. See the amdgcn opencl reproducer with 794 // this change as an example: solver-sym-simplification-ptr-bool.cl 795 if (!Ty->isReferenceType()) 796 return makeNonLoc(Sym, BO_NE, BasicVals.getZeroWithTypeSize(Ty), 797 CastTy); 798 } 799 // Non-symbolic memory regions are always true. 800 return makeTruthVal(true, CastTy); 801 } 802 803 const bool IsUnknownOriginalType = OriginalTy.isNull(); 804 // Try to cast to array 805 const auto *ArrayTy = 806 IsUnknownOriginalType 807 ? nullptr 808 : dyn_cast<ArrayType>(OriginalTy.getCanonicalType()); 809 810 // Pointer to integer. 811 if (CastTy->isIntegralOrEnumerationType()) { 812 SVal Val = V; 813 // Array to integer. 814 if (ArrayTy) { 815 // We will always decay to a pointer. 816 QualType ElemTy = ArrayTy->getElementType(); 817 Val = StateMgr.ArrayToPointer(V, ElemTy); 818 // FIXME: Keep these here for now in case we decide soon that we 819 // need the original decayed type. 820 // QualType elemTy = cast<ArrayType>(originalTy)->getElementType(); 821 // QualType pointerTy = C.getPointerType(elemTy); 822 } 823 const unsigned BitWidth = Context.getIntWidth(CastTy); 824 return makeLocAsInteger(Val.castAs<Loc>(), BitWidth); 825 } 826 827 // Pointer to pointer. 828 if (Loc::isLocType(CastTy)) { 829 830 if (IsUnknownOriginalType) { 831 // When retrieving symbolic pointer and expecting a non-void pointer, 832 // wrap them into element regions of the expected type if necessary. 833 // It is necessary to make sure that the retrieved value makes sense, 834 // because there's no other cast in the AST that would tell us to cast 835 // it to the correct pointer type. We might need to do that for non-void 836 // pointers as well. 837 // FIXME: We really need a single good function to perform casts for us 838 // correctly every time we need it. 839 const MemRegion *R = V.getRegion(); 840 if (CastTy->isPointerType() && !CastTy->isVoidPointerType()) { 841 if (const auto *SR = dyn_cast<SymbolicRegion>(R)) { 842 QualType SRTy = SR->getSymbol()->getType(); 843 if (!hasSameUnqualifiedPointeeType(SRTy, CastTy)) { 844 if (auto OptMemRegV = getCastedMemRegionVal(SR, CastTy)) 845 return *OptMemRegV; 846 } 847 } 848 } 849 // Next fixes pointer dereference using type different from its initial 850 // one. See PR37503 and PR49007 for details. 851 if (const auto *ER = dyn_cast<ElementRegion>(R)) { 852 if (auto OptMemRegV = getCastedMemRegionVal(ER, CastTy)) 853 return *OptMemRegV; 854 } 855 856 return V; 857 } 858 859 if (OriginalTy->isIntegralOrEnumerationType() || 860 OriginalTy->isBlockPointerType() || OriginalTy->isFunctionPointerType()) 861 return V; 862 863 // Array to pointer. 864 if (ArrayTy) { 865 // Are we casting from an array to a pointer? If so just pass on 866 // the decayed value. 867 if (CastTy->isPointerType() || CastTy->isReferenceType()) { 868 // We will always decay to a pointer. 869 QualType ElemTy = ArrayTy->getElementType(); 870 return StateMgr.ArrayToPointer(V, ElemTy); 871 } 872 // Are we casting from an array to an integer? If so, cast the decayed 873 // pointer value to an integer. 874 assert(CastTy->isIntegralOrEnumerationType()); 875 } 876 877 // Other pointer to pointer. 878 assert(Loc::isLocType(OriginalTy) || OriginalTy->isFunctionType() || 879 CastTy->isReferenceType()); 880 881 // We get a symbolic function pointer for a dereference of a function 882 // pointer, but it is of function type. Example: 883 884 // struct FPRec { 885 // void (*my_func)(int * x); 886 // }; 887 // 888 // int bar(int x); 889 // 890 // int f1_a(struct FPRec* foo) { 891 // int x; 892 // (*foo->my_func)(&x); 893 // return bar(x)+1; // no-warning 894 // } 895 896 // Get the result of casting a region to a different type. 897 const MemRegion *R = V.getRegion(); 898 if (auto OptMemRegV = getCastedMemRegionVal(R, CastTy)) 899 return *OptMemRegV; 900 } 901 902 // Pointer to whatever else. 903 // FIXME: There can be gross cases where one casts the result of a 904 // function (that returns a pointer) to some other value that happens to 905 // fit within that pointer value. We currently have no good way to model 906 // such operations. When this happens, the underlying operation is that 907 // the caller is reasoning about bits. Conceptually we are layering a 908 // "view" of a location on top of those bits. Perhaps we need to be more 909 // lazy about mutual possible views, even on an SVal? This may be 910 // necessary for bit-level reasoning as well. 911 return UnknownVal(); 912 } 913 914 SVal SValBuilder::evalCastSubKind(nonloc::CompoundVal V, QualType CastTy, 915 QualType OriginalTy) { 916 // Compound to whatever. 917 return UnknownVal(); 918 } 919 920 SVal SValBuilder::evalCastSubKind(nonloc::ConcreteInt V, QualType CastTy, 921 QualType OriginalTy) { 922 auto CastedValue = [V, CastTy, this]() { 923 llvm::APSInt Value = V.getValue(); 924 BasicVals.getAPSIntType(CastTy).apply(Value); 925 return Value; 926 }; 927 928 // Integer to bool. 929 if (CastTy->isBooleanType()) 930 return makeTruthVal(V.getValue().getBoolValue(), CastTy); 931 932 // Integer to pointer. 933 if (CastTy->isIntegralOrEnumerationType()) 934 return makeIntVal(CastedValue()); 935 936 // Integer to pointer. 937 if (Loc::isLocType(CastTy)) 938 return makeIntLocVal(CastedValue()); 939 940 // Pointer to whatever else. 941 return UnknownVal(); 942 } 943 944 SVal SValBuilder::evalCastSubKind(nonloc::LazyCompoundVal V, QualType CastTy, 945 QualType OriginalTy) { 946 // Compound to whatever. 947 return UnknownVal(); 948 } 949 950 SVal SValBuilder::evalCastSubKind(nonloc::LocAsInteger V, QualType CastTy, 951 QualType OriginalTy) { 952 Loc L = V.getLoc(); 953 954 // Pointer as integer to bool. 955 if (CastTy->isBooleanType()) 956 // Pass to Loc function. 957 return evalCastKind(L, CastTy, OriginalTy); 958 959 const bool IsUnknownOriginalType = OriginalTy.isNull(); 960 // Pointer as integer to pointer. 961 if (!IsUnknownOriginalType && Loc::isLocType(CastTy) && 962 OriginalTy->isIntegralOrEnumerationType()) { 963 if (const MemRegion *R = L.getAsRegion()) 964 if (auto OptMemRegV = getCastedMemRegionVal(R, CastTy)) 965 return *OptMemRegV; 966 return L; 967 } 968 969 // Pointer as integer with region to integer/pointer. 970 const MemRegion *R = L.getAsRegion(); 971 if (!IsUnknownOriginalType && R) { 972 if (CastTy->isIntegralOrEnumerationType()) 973 return evalCastSubKind(loc::MemRegionVal(R), CastTy, OriginalTy); 974 975 if (Loc::isLocType(CastTy)) { 976 assert(Loc::isLocType(OriginalTy) || OriginalTy->isFunctionType() || 977 CastTy->isReferenceType()); 978 // Delegate to store manager to get the result of casting a region to a 979 // different type. If the MemRegion* returned is NULL, this expression 980 // Evaluates to UnknownVal. 981 if (auto OptMemRegV = getCastedMemRegionVal(R, CastTy)) 982 return *OptMemRegV; 983 } 984 } else { 985 if (Loc::isLocType(CastTy)) { 986 if (IsUnknownOriginalType) 987 return evalCastSubKind(loc::MemRegionVal(R), CastTy, OriginalTy); 988 return L; 989 } 990 991 SymbolRef SE = nullptr; 992 if (R) { 993 if (const SymbolicRegion *SR = 994 dyn_cast<SymbolicRegion>(R->StripCasts())) { 995 SE = SR->getSymbol(); 996 } 997 } 998 999 if (!CastTy->isFloatingType() || !SE || SE->getType()->isFloatingType()) { 1000 // FIXME: Correctly support promotions/truncations. 1001 const unsigned CastSize = Context.getIntWidth(CastTy); 1002 if (CastSize == V.getNumBits()) 1003 return V; 1004 1005 return makeLocAsInteger(L, CastSize); 1006 } 1007 } 1008 1009 // Pointer as integer to whatever else. 1010 return UnknownVal(); 1011 } 1012 1013 SVal SValBuilder::evalCastSubKind(nonloc::SymbolVal V, QualType CastTy, 1014 QualType OriginalTy) { 1015 SymbolRef SE = V.getSymbol(); 1016 1017 const bool IsUnknownOriginalType = OriginalTy.isNull(); 1018 // Symbol to bool. 1019 if (!IsUnknownOriginalType && CastTy->isBooleanType()) { 1020 // Non-float to bool. 1021 if (Loc::isLocType(OriginalTy) || 1022 OriginalTy->isIntegralOrEnumerationType() || 1023 OriginalTy->isMemberPointerType()) { 1024 BasicValueFactory &BVF = getBasicValueFactory(); 1025 return makeNonLoc(SE, BO_NE, BVF.getValue(0, SE->getType()), CastTy); 1026 } 1027 } else { 1028 // Symbol to integer, float. 1029 QualType T = Context.getCanonicalType(SE->getType()); 1030 1031 // Produce SymbolCast if CastTy and T are different integers. 1032 // NOTE: In the end the type of SymbolCast shall be equal to CastTy. 1033 if (T->isIntegralOrUnscopedEnumerationType() && 1034 CastTy->isIntegralOrUnscopedEnumerationType()) { 1035 AnalyzerOptions &Opts = 1036 StateMgr.getOwningEngine().getAnalysisManager().getAnalyzerOptions(); 1037 // If appropriate option is disabled, ignore the cast. 1038 // NOTE: ShouldSupportSymbolicIntegerCasts is `false` by default. 1039 if (!Opts.ShouldSupportSymbolicIntegerCasts) 1040 return V; 1041 return simplifySymbolCast(V, CastTy); 1042 } 1043 if (!Loc::isLocType(CastTy)) 1044 if (!IsUnknownOriginalType || !CastTy->isFloatingType() || 1045 T->isFloatingType()) 1046 return makeNonLoc(SE, T, CastTy); 1047 } 1048 1049 // Symbol to pointer and whatever else. 1050 return UnknownVal(); 1051 } 1052 1053 SVal SValBuilder::evalCastSubKind(nonloc::PointerToMember V, QualType CastTy, 1054 QualType OriginalTy) { 1055 // Member pointer to whatever. 1056 return V; 1057 } 1058 1059 nonloc::SymbolVal SValBuilder::simplifySymbolCast(nonloc::SymbolVal V, 1060 QualType CastTy) { 1061 // We use seven conditions to recognize a simplification case. 1062 // For the clarity let `CastTy` be `C`, SE->getType() - `T`, root type - `R`, 1063 // prefix `u` for unsigned, `s` for signed, no prefix - any sign: 1064 // E.g. (char)(short)(uint x) 1065 // ( sC )( sT )( uR x) 1066 // 1067 // C === R (the same type) 1068 // (char)(char x) -> (char x) 1069 // (long)(long x) -> (long x) 1070 // Note: Comparisons operators below are for bit width. 1071 // C == T 1072 // (short)(short)(int x) -> (short)(int x) 1073 // (int)(long)(char x) -> (int)(char x) (sizeof(long) == sizeof(int)) 1074 // (long)(ullong)(char x) -> (long)(char x) (sizeof(long) == sizeof(ullong)) 1075 // C < T 1076 // (short)(int)(char x) -> (short)(char x) 1077 // (char)(int)(short x) -> (char)(short x) 1078 // (short)(int)(short x) -> (short x) 1079 // C > T > uR 1080 // (int)(short)(uchar x) -> (int)(uchar x) 1081 // (uint)(short)(uchar x) -> (uint)(uchar x) 1082 // (int)(ushort)(uchar x) -> (int)(uchar x) 1083 // C > sT > sR 1084 // (int)(short)(char x) -> (int)(char x) 1085 // (uint)(short)(char x) -> (uint)(char x) 1086 // C > sT == sR 1087 // (int)(char)(char x) -> (int)(char x) 1088 // (uint)(short)(short x) -> (uint)(short x) 1089 // C > uT == uR 1090 // (int)(uchar)(uchar x) -> (int)(uchar x) 1091 // (uint)(ushort)(ushort x) -> (uint)(ushort x) 1092 // (llong)(ulong)(uint x) -> (llong)(uint x) (sizeof(ulong) == sizeof(uint)) 1093 1094 SymbolRef SE = V.getSymbol(); 1095 QualType T = Context.getCanonicalType(SE->getType()); 1096 1097 if (T == CastTy) 1098 return V; 1099 1100 if (!isa<SymbolCast>(SE)) 1101 return makeNonLoc(SE, T, CastTy); 1102 1103 SymbolRef RootSym = cast<SymbolCast>(SE)->getOperand(); 1104 QualType RT = RootSym->getType().getCanonicalType(); 1105 1106 // FIXME support simplification from non-integers. 1107 if (!RT->isIntegralOrEnumerationType()) 1108 return makeNonLoc(SE, T, CastTy); 1109 1110 BasicValueFactory &BVF = getBasicValueFactory(); 1111 APSIntType CTy = BVF.getAPSIntType(CastTy); 1112 APSIntType TTy = BVF.getAPSIntType(T); 1113 1114 const auto WC = CTy.getBitWidth(); 1115 const auto WT = TTy.getBitWidth(); 1116 1117 if (WC <= WT) { 1118 const bool isSameType = (RT == CastTy); 1119 if (isSameType) 1120 return nonloc::SymbolVal(RootSym); 1121 return makeNonLoc(RootSym, RT, CastTy); 1122 } 1123 1124 APSIntType RTy = BVF.getAPSIntType(RT); 1125 const auto WR = RTy.getBitWidth(); 1126 const bool UT = TTy.isUnsigned(); 1127 const bool UR = RTy.isUnsigned(); 1128 1129 if (((WT > WR) && (UR || !UT)) || ((WT == WR) && (UT == UR))) 1130 return makeNonLoc(RootSym, RT, CastTy); 1131 1132 return makeNonLoc(SE, T, CastTy); 1133 } 1134