1 // SimpleSValBuilder.cpp - A basic SValBuilder -----------------------*- C++ -*- 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file defines SimpleSValBuilder, a basic implementation of SValBuilder. 10 // 11 //===----------------------------------------------------------------------===// 12 13 #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" 14 #include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" 15 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 16 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 17 #include "clang/StaticAnalyzer/Core/PathSensitive/SValVisitor.h" 18 19 using namespace clang; 20 using namespace ento; 21 22 namespace { 23 class SimpleSValBuilder : public SValBuilder { 24 public: 25 SimpleSValBuilder(llvm::BumpPtrAllocator &alloc, ASTContext &context, 26 ProgramStateManager &stateMgr) 27 : SValBuilder(alloc, context, stateMgr) {} 28 ~SimpleSValBuilder() override {} 29 30 SVal evalMinus(NonLoc val) override; 31 SVal evalComplement(NonLoc val) override; 32 SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, 33 NonLoc lhs, NonLoc rhs, QualType resultTy) override; 34 SVal evalBinOpLL(ProgramStateRef state, BinaryOperator::Opcode op, 35 Loc lhs, Loc rhs, QualType resultTy) override; 36 SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op, 37 Loc lhs, NonLoc rhs, QualType resultTy) override; 38 39 /// getKnownValue - evaluates a given SVal. If the SVal has only one possible 40 /// (integer) value, that value is returned. Otherwise, returns NULL. 41 const llvm::APSInt *getKnownValue(ProgramStateRef state, SVal V) override; 42 43 /// Recursively descends into symbolic expressions and replaces symbols 44 /// with their known values (in the sense of the getKnownValue() method). 45 SVal simplifySVal(ProgramStateRef State, SVal V) override; 46 47 SVal MakeSymIntVal(const SymExpr *LHS, BinaryOperator::Opcode op, 48 const llvm::APSInt &RHS, QualType resultTy); 49 }; 50 } // end anonymous namespace 51 52 SValBuilder *ento::createSimpleSValBuilder(llvm::BumpPtrAllocator &alloc, 53 ASTContext &context, 54 ProgramStateManager &stateMgr) { 55 return new SimpleSValBuilder(alloc, context, stateMgr); 56 } 57 58 //===----------------------------------------------------------------------===// 59 // Transfer function for unary operators. 60 //===----------------------------------------------------------------------===// 61 62 SVal SimpleSValBuilder::evalMinus(NonLoc val) { 63 switch (val.getSubKind()) { 64 case nonloc::ConcreteIntKind: 65 return val.castAs<nonloc::ConcreteInt>().evalMinus(*this); 66 default: 67 return UnknownVal(); 68 } 69 } 70 71 SVal SimpleSValBuilder::evalComplement(NonLoc X) { 72 switch (X.getSubKind()) { 73 case nonloc::ConcreteIntKind: 74 return X.castAs<nonloc::ConcreteInt>().evalComplement(*this); 75 default: 76 return UnknownVal(); 77 } 78 } 79 80 //===----------------------------------------------------------------------===// 81 // Transfer function for binary operators. 82 //===----------------------------------------------------------------------===// 83 84 SVal SimpleSValBuilder::MakeSymIntVal(const SymExpr *LHS, 85 BinaryOperator::Opcode op, 86 const llvm::APSInt &RHS, 87 QualType resultTy) { 88 bool isIdempotent = false; 89 90 // Check for a few special cases with known reductions first. 91 switch (op) { 92 default: 93 // We can't reduce this case; just treat it normally. 94 break; 95 case BO_Mul: 96 // a*0 and a*1 97 if (RHS == 0) 98 return makeIntVal(0, resultTy); 99 else if (RHS == 1) 100 isIdempotent = true; 101 break; 102 case BO_Div: 103 // a/0 and a/1 104 if (RHS == 0) 105 // This is also handled elsewhere. 106 return UndefinedVal(); 107 else if (RHS == 1) 108 isIdempotent = true; 109 break; 110 case BO_Rem: 111 // a%0 and a%1 112 if (RHS == 0) 113 // This is also handled elsewhere. 114 return UndefinedVal(); 115 else if (RHS == 1) 116 return makeIntVal(0, resultTy); 117 break; 118 case BO_Add: 119 case BO_Sub: 120 case BO_Shl: 121 case BO_Shr: 122 case BO_Xor: 123 // a+0, a-0, a<<0, a>>0, a^0 124 if (RHS == 0) 125 isIdempotent = true; 126 break; 127 case BO_And: 128 // a&0 and a&(~0) 129 if (RHS == 0) 130 return makeIntVal(0, resultTy); 131 else if (RHS.isAllOnes()) 132 isIdempotent = true; 133 break; 134 case BO_Or: 135 // a|0 and a|(~0) 136 if (RHS == 0) 137 isIdempotent = true; 138 else if (RHS.isAllOnes()) { 139 const llvm::APSInt &Result = BasicVals.Convert(resultTy, RHS); 140 return nonloc::ConcreteInt(Result); 141 } 142 break; 143 } 144 145 // Idempotent ops (like a*1) can still change the type of an expression. 146 // Wrap the LHS up in a NonLoc again and let evalCast do the 147 // dirty work. 148 if (isIdempotent) 149 return evalCast(nonloc::SymbolVal(LHS), resultTy, QualType{}); 150 151 // If we reach this point, the expression cannot be simplified. 152 // Make a SymbolVal for the entire expression, after converting the RHS. 153 const llvm::APSInt *ConvertedRHS = &RHS; 154 if (BinaryOperator::isComparisonOp(op)) { 155 // We're looking for a type big enough to compare the symbolic value 156 // with the given constant. 157 // FIXME: This is an approximation of Sema::UsualArithmeticConversions. 158 ASTContext &Ctx = getContext(); 159 QualType SymbolType = LHS->getType(); 160 uint64_t ValWidth = RHS.getBitWidth(); 161 uint64_t TypeWidth = Ctx.getTypeSize(SymbolType); 162 163 if (ValWidth < TypeWidth) { 164 // If the value is too small, extend it. 165 ConvertedRHS = &BasicVals.Convert(SymbolType, RHS); 166 } else if (ValWidth == TypeWidth) { 167 // If the value is signed but the symbol is unsigned, do the comparison 168 // in unsigned space. [C99 6.3.1.8] 169 // (For the opposite case, the value is already unsigned.) 170 if (RHS.isSigned() && !SymbolType->isSignedIntegerOrEnumerationType()) 171 ConvertedRHS = &BasicVals.Convert(SymbolType, RHS); 172 } 173 } else 174 ConvertedRHS = &BasicVals.Convert(resultTy, RHS); 175 176 return makeNonLoc(LHS, op, *ConvertedRHS, resultTy); 177 } 178 179 // See if Sym is known to be a relation Rel with Bound. 180 static bool isInRelation(BinaryOperator::Opcode Rel, SymbolRef Sym, 181 llvm::APSInt Bound, ProgramStateRef State) { 182 SValBuilder &SVB = State->getStateManager().getSValBuilder(); 183 SVal Result = 184 SVB.evalBinOpNN(State, Rel, nonloc::SymbolVal(Sym), 185 nonloc::ConcreteInt(Bound), SVB.getConditionType()); 186 if (auto DV = Result.getAs<DefinedSVal>()) { 187 return !State->assume(*DV, false); 188 } 189 return false; 190 } 191 192 // See if Sym is known to be within [min/4, max/4], where min and max 193 // are the bounds of the symbol's integral type. With such symbols, 194 // some manipulations can be performed without the risk of overflow. 195 // assume() doesn't cause infinite recursion because we should be dealing 196 // with simpler symbols on every recursive call. 197 static bool isWithinConstantOverflowBounds(SymbolRef Sym, 198 ProgramStateRef State) { 199 SValBuilder &SVB = State->getStateManager().getSValBuilder(); 200 BasicValueFactory &BV = SVB.getBasicValueFactory(); 201 202 QualType T = Sym->getType(); 203 assert(T->isSignedIntegerOrEnumerationType() && 204 "This only works with signed integers!"); 205 APSIntType AT = BV.getAPSIntType(T); 206 207 llvm::APSInt Max = AT.getMaxValue() / AT.getValue(4), Min = -Max; 208 return isInRelation(BO_LE, Sym, Max, State) && 209 isInRelation(BO_GE, Sym, Min, State); 210 } 211 212 // Same for the concrete integers: see if I is within [min/4, max/4]. 213 static bool isWithinConstantOverflowBounds(llvm::APSInt I) { 214 APSIntType AT(I); 215 assert(!AT.isUnsigned() && 216 "This only works with signed integers!"); 217 218 llvm::APSInt Max = AT.getMaxValue() / AT.getValue(4), Min = -Max; 219 return (I <= Max) && (I >= -Max); 220 } 221 222 static std::pair<SymbolRef, llvm::APSInt> 223 decomposeSymbol(SymbolRef Sym, BasicValueFactory &BV) { 224 if (const auto *SymInt = dyn_cast<SymIntExpr>(Sym)) 225 if (BinaryOperator::isAdditiveOp(SymInt->getOpcode())) 226 return std::make_pair(SymInt->getLHS(), 227 (SymInt->getOpcode() == BO_Add) ? 228 (SymInt->getRHS()) : 229 (-SymInt->getRHS())); 230 231 // Fail to decompose: "reduce" the problem to the "$x + 0" case. 232 return std::make_pair(Sym, BV.getValue(0, Sym->getType())); 233 } 234 235 // Simplify "(LSym + LInt) Op (RSym + RInt)" assuming all values are of the 236 // same signed integral type and no overflows occur (which should be checked 237 // by the caller). 238 static NonLoc doRearrangeUnchecked(ProgramStateRef State, 239 BinaryOperator::Opcode Op, 240 SymbolRef LSym, llvm::APSInt LInt, 241 SymbolRef RSym, llvm::APSInt RInt) { 242 SValBuilder &SVB = State->getStateManager().getSValBuilder(); 243 BasicValueFactory &BV = SVB.getBasicValueFactory(); 244 SymbolManager &SymMgr = SVB.getSymbolManager(); 245 246 QualType SymTy = LSym->getType(); 247 assert(SymTy == RSym->getType() && 248 "Symbols are not of the same type!"); 249 assert(APSIntType(LInt) == BV.getAPSIntType(SymTy) && 250 "Integers are not of the same type as symbols!"); 251 assert(APSIntType(RInt) == BV.getAPSIntType(SymTy) && 252 "Integers are not of the same type as symbols!"); 253 254 QualType ResultTy; 255 if (BinaryOperator::isComparisonOp(Op)) 256 ResultTy = SVB.getConditionType(); 257 else if (BinaryOperator::isAdditiveOp(Op)) 258 ResultTy = SymTy; 259 else 260 llvm_unreachable("Operation not suitable for unchecked rearrangement!"); 261 262 // FIXME: Can we use assume() without getting into an infinite recursion? 263 if (LSym == RSym) 264 return SVB.evalBinOpNN(State, Op, nonloc::ConcreteInt(LInt), 265 nonloc::ConcreteInt(RInt), ResultTy) 266 .castAs<NonLoc>(); 267 268 SymbolRef ResultSym = nullptr; 269 BinaryOperator::Opcode ResultOp; 270 llvm::APSInt ResultInt; 271 if (BinaryOperator::isComparisonOp(Op)) { 272 // Prefer comparing to a non-negative number. 273 // FIXME: Maybe it'd be better to have consistency in 274 // "$x - $y" vs. "$y - $x" because those are solver's keys. 275 if (LInt > RInt) { 276 ResultSym = SymMgr.getSymSymExpr(RSym, BO_Sub, LSym, SymTy); 277 ResultOp = BinaryOperator::reverseComparisonOp(Op); 278 ResultInt = LInt - RInt; // Opposite order! 279 } else { 280 ResultSym = SymMgr.getSymSymExpr(LSym, BO_Sub, RSym, SymTy); 281 ResultOp = Op; 282 ResultInt = RInt - LInt; // Opposite order! 283 } 284 } else { 285 ResultSym = SymMgr.getSymSymExpr(LSym, Op, RSym, SymTy); 286 ResultInt = (Op == BO_Add) ? (LInt + RInt) : (LInt - RInt); 287 ResultOp = BO_Add; 288 // Bring back the cosmetic difference. 289 if (ResultInt < 0) { 290 ResultInt = -ResultInt; 291 ResultOp = BO_Sub; 292 } else if (ResultInt == 0) { 293 // Shortcut: Simplify "$x + 0" to "$x". 294 return nonloc::SymbolVal(ResultSym); 295 } 296 } 297 const llvm::APSInt &PersistentResultInt = BV.getValue(ResultInt); 298 return nonloc::SymbolVal( 299 SymMgr.getSymIntExpr(ResultSym, ResultOp, PersistentResultInt, ResultTy)); 300 } 301 302 // Rearrange if symbol type matches the result type and if the operator is a 303 // comparison operator, both symbol and constant must be within constant 304 // overflow bounds. 305 static bool shouldRearrange(ProgramStateRef State, BinaryOperator::Opcode Op, 306 SymbolRef Sym, llvm::APSInt Int, QualType Ty) { 307 return Sym->getType() == Ty && 308 (!BinaryOperator::isComparisonOp(Op) || 309 (isWithinConstantOverflowBounds(Sym, State) && 310 isWithinConstantOverflowBounds(Int))); 311 } 312 313 static Optional<NonLoc> tryRearrange(ProgramStateRef State, 314 BinaryOperator::Opcode Op, NonLoc Lhs, 315 NonLoc Rhs, QualType ResultTy) { 316 ProgramStateManager &StateMgr = State->getStateManager(); 317 SValBuilder &SVB = StateMgr.getSValBuilder(); 318 319 // We expect everything to be of the same type - this type. 320 QualType SingleTy; 321 322 // FIXME: After putting complexity threshold to the symbols we can always 323 // rearrange additive operations but rearrange comparisons only if 324 // option is set. 325 if (!SVB.getAnalyzerOptions().ShouldAggressivelySimplifyBinaryOperation) 326 return None; 327 328 SymbolRef LSym = Lhs.getAsSymbol(); 329 if (!LSym) 330 return None; 331 332 if (BinaryOperator::isComparisonOp(Op)) { 333 SingleTy = LSym->getType(); 334 if (ResultTy != SVB.getConditionType()) 335 return None; 336 // Initialize SingleTy later with a symbol's type. 337 } else if (BinaryOperator::isAdditiveOp(Op)) { 338 SingleTy = ResultTy; 339 if (LSym->getType() != SingleTy) 340 return None; 341 } else { 342 // Don't rearrange other operations. 343 return None; 344 } 345 346 assert(!SingleTy.isNull() && "We should have figured out the type by now!"); 347 348 // Rearrange signed symbolic expressions only 349 if (!SingleTy->isSignedIntegerOrEnumerationType()) 350 return None; 351 352 SymbolRef RSym = Rhs.getAsSymbol(); 353 if (!RSym || RSym->getType() != SingleTy) 354 return None; 355 356 BasicValueFactory &BV = State->getBasicVals(); 357 llvm::APSInt LInt, RInt; 358 std::tie(LSym, LInt) = decomposeSymbol(LSym, BV); 359 std::tie(RSym, RInt) = decomposeSymbol(RSym, BV); 360 if (!shouldRearrange(State, Op, LSym, LInt, SingleTy) || 361 !shouldRearrange(State, Op, RSym, RInt, SingleTy)) 362 return None; 363 364 // We know that no overflows can occur anymore. 365 return doRearrangeUnchecked(State, Op, LSym, LInt, RSym, RInt); 366 } 367 368 SVal SimpleSValBuilder::evalBinOpNN(ProgramStateRef state, 369 BinaryOperator::Opcode op, 370 NonLoc lhs, NonLoc rhs, 371 QualType resultTy) { 372 NonLoc InputLHS = lhs; 373 NonLoc InputRHS = rhs; 374 375 // Constraints may have changed since the creation of a bound SVal. Check if 376 // the values can be simplified based on those new constraints. 377 SVal simplifiedLhs = simplifySVal(state, lhs); 378 SVal simplifiedRhs = simplifySVal(state, rhs); 379 if (auto simplifiedLhsAsNonLoc = simplifiedLhs.getAs<NonLoc>()) 380 lhs = *simplifiedLhsAsNonLoc; 381 if (auto simplifiedRhsAsNonLoc = simplifiedRhs.getAs<NonLoc>()) 382 rhs = *simplifiedRhsAsNonLoc; 383 384 // Handle trivial case where left-side and right-side are the same. 385 if (lhs == rhs) 386 switch (op) { 387 default: 388 break; 389 case BO_EQ: 390 case BO_LE: 391 case BO_GE: 392 return makeTruthVal(true, resultTy); 393 case BO_LT: 394 case BO_GT: 395 case BO_NE: 396 return makeTruthVal(false, resultTy); 397 case BO_Xor: 398 case BO_Sub: 399 if (resultTy->isIntegralOrEnumerationType()) 400 return makeIntVal(0, resultTy); 401 return evalCast(makeIntVal(0, /*isUnsigned=*/false), resultTy, 402 QualType{}); 403 case BO_Or: 404 case BO_And: 405 return evalCast(lhs, resultTy, QualType{}); 406 } 407 408 while (1) { 409 switch (lhs.getSubKind()) { 410 default: 411 return makeSymExprValNN(op, lhs, rhs, resultTy); 412 case nonloc::PointerToMemberKind: { 413 assert(rhs.getSubKind() == nonloc::PointerToMemberKind && 414 "Both SVals should have pointer-to-member-type"); 415 auto LPTM = lhs.castAs<nonloc::PointerToMember>(), 416 RPTM = rhs.castAs<nonloc::PointerToMember>(); 417 auto LPTMD = LPTM.getPTMData(), RPTMD = RPTM.getPTMData(); 418 switch (op) { 419 case BO_EQ: 420 return makeTruthVal(LPTMD == RPTMD, resultTy); 421 case BO_NE: 422 return makeTruthVal(LPTMD != RPTMD, resultTy); 423 default: 424 return UnknownVal(); 425 } 426 } 427 case nonloc::LocAsIntegerKind: { 428 Loc lhsL = lhs.castAs<nonloc::LocAsInteger>().getLoc(); 429 switch (rhs.getSubKind()) { 430 case nonloc::LocAsIntegerKind: 431 // FIXME: at the moment the implementation 432 // of modeling "pointers as integers" is not complete. 433 if (!BinaryOperator::isComparisonOp(op)) 434 return UnknownVal(); 435 return evalBinOpLL(state, op, lhsL, 436 rhs.castAs<nonloc::LocAsInteger>().getLoc(), 437 resultTy); 438 case nonloc::ConcreteIntKind: { 439 // FIXME: at the moment the implementation 440 // of modeling "pointers as integers" is not complete. 441 if (!BinaryOperator::isComparisonOp(op)) 442 return UnknownVal(); 443 // Transform the integer into a location and compare. 444 // FIXME: This only makes sense for comparisons. If we want to, say, 445 // add 1 to a LocAsInteger, we'd better unpack the Loc and add to it, 446 // then pack it back into a LocAsInteger. 447 llvm::APSInt i = rhs.castAs<nonloc::ConcreteInt>().getValue(); 448 // If the region has a symbolic base, pay attention to the type; it 449 // might be coming from a non-default address space. For non-symbolic 450 // regions it doesn't matter that much because such comparisons would 451 // most likely evaluate to concrete false anyway. FIXME: We might 452 // still need to handle the non-comparison case. 453 if (SymbolRef lSym = lhs.getAsLocSymbol(true)) 454 BasicVals.getAPSIntType(lSym->getType()).apply(i); 455 else 456 BasicVals.getAPSIntType(Context.VoidPtrTy).apply(i); 457 return evalBinOpLL(state, op, lhsL, makeLoc(i), resultTy); 458 } 459 default: 460 switch (op) { 461 case BO_EQ: 462 return makeTruthVal(false, resultTy); 463 case BO_NE: 464 return makeTruthVal(true, resultTy); 465 default: 466 // This case also handles pointer arithmetic. 467 return makeSymExprValNN(op, InputLHS, InputRHS, resultTy); 468 } 469 } 470 } 471 case nonloc::ConcreteIntKind: { 472 llvm::APSInt LHSValue = lhs.castAs<nonloc::ConcreteInt>().getValue(); 473 474 // If we're dealing with two known constants, just perform the operation. 475 if (const llvm::APSInt *KnownRHSValue = getKnownValue(state, rhs)) { 476 llvm::APSInt RHSValue = *KnownRHSValue; 477 if (BinaryOperator::isComparisonOp(op)) { 478 // We're looking for a type big enough to compare the two values. 479 // FIXME: This is not correct. char + short will result in a promotion 480 // to int. Unfortunately we have lost types by this point. 481 APSIntType CompareType = std::max(APSIntType(LHSValue), 482 APSIntType(RHSValue)); 483 CompareType.apply(LHSValue); 484 CompareType.apply(RHSValue); 485 } else if (!BinaryOperator::isShiftOp(op)) { 486 APSIntType IntType = BasicVals.getAPSIntType(resultTy); 487 IntType.apply(LHSValue); 488 IntType.apply(RHSValue); 489 } 490 491 const llvm::APSInt *Result = 492 BasicVals.evalAPSInt(op, LHSValue, RHSValue); 493 if (!Result) 494 return UndefinedVal(); 495 496 return nonloc::ConcreteInt(*Result); 497 } 498 499 // Swap the left and right sides and flip the operator if doing so 500 // allows us to better reason about the expression (this is a form 501 // of expression canonicalization). 502 // While we're at it, catch some special cases for non-commutative ops. 503 switch (op) { 504 case BO_LT: 505 case BO_GT: 506 case BO_LE: 507 case BO_GE: 508 op = BinaryOperator::reverseComparisonOp(op); 509 LLVM_FALLTHROUGH; 510 case BO_EQ: 511 case BO_NE: 512 case BO_Add: 513 case BO_Mul: 514 case BO_And: 515 case BO_Xor: 516 case BO_Or: 517 std::swap(lhs, rhs); 518 continue; 519 case BO_Shr: 520 // (~0)>>a 521 if (LHSValue.isAllOnes() && LHSValue.isSigned()) 522 return evalCast(lhs, resultTy, QualType{}); 523 LLVM_FALLTHROUGH; 524 case BO_Shl: 525 // 0<<a and 0>>a 526 if (LHSValue == 0) 527 return evalCast(lhs, resultTy, QualType{}); 528 return makeSymExprValNN(op, InputLHS, InputRHS, resultTy); 529 case BO_Div: 530 // 0 / x == 0 531 case BO_Rem: 532 // 0 % x == 0 533 if (LHSValue == 0) 534 return makeZeroVal(resultTy); 535 LLVM_FALLTHROUGH; 536 default: 537 return makeSymExprValNN(op, InputLHS, InputRHS, resultTy); 538 } 539 } 540 case nonloc::SymbolValKind: { 541 // We only handle LHS as simple symbols or SymIntExprs. 542 SymbolRef Sym = lhs.castAs<nonloc::SymbolVal>().getSymbol(); 543 544 // LHS is a symbolic expression. 545 if (const SymIntExpr *symIntExpr = dyn_cast<SymIntExpr>(Sym)) { 546 547 // Is this a logical not? (!x is represented as x == 0.) 548 if (op == BO_EQ && rhs.isZeroConstant()) { 549 // We know how to negate certain expressions. Simplify them here. 550 551 BinaryOperator::Opcode opc = symIntExpr->getOpcode(); 552 switch (opc) { 553 default: 554 // We don't know how to negate this operation. 555 // Just handle it as if it were a normal comparison to 0. 556 break; 557 case BO_LAnd: 558 case BO_LOr: 559 llvm_unreachable("Logical operators handled by branching logic."); 560 case BO_Assign: 561 case BO_MulAssign: 562 case BO_DivAssign: 563 case BO_RemAssign: 564 case BO_AddAssign: 565 case BO_SubAssign: 566 case BO_ShlAssign: 567 case BO_ShrAssign: 568 case BO_AndAssign: 569 case BO_XorAssign: 570 case BO_OrAssign: 571 case BO_Comma: 572 llvm_unreachable("'=' and ',' operators handled by ExprEngine."); 573 case BO_PtrMemD: 574 case BO_PtrMemI: 575 llvm_unreachable("Pointer arithmetic not handled here."); 576 case BO_LT: 577 case BO_GT: 578 case BO_LE: 579 case BO_GE: 580 case BO_EQ: 581 case BO_NE: 582 assert(resultTy->isBooleanType() || 583 resultTy == getConditionType()); 584 assert(symIntExpr->getType()->isBooleanType() || 585 getContext().hasSameUnqualifiedType(symIntExpr->getType(), 586 getConditionType())); 587 // Negate the comparison and make a value. 588 opc = BinaryOperator::negateComparisonOp(opc); 589 return makeNonLoc(symIntExpr->getLHS(), opc, 590 symIntExpr->getRHS(), resultTy); 591 } 592 } 593 594 // For now, only handle expressions whose RHS is a constant. 595 if (const llvm::APSInt *RHSValue = getKnownValue(state, rhs)) { 596 // If both the LHS and the current expression are additive, 597 // fold their constants and try again. 598 if (BinaryOperator::isAdditiveOp(op)) { 599 BinaryOperator::Opcode lop = symIntExpr->getOpcode(); 600 if (BinaryOperator::isAdditiveOp(lop)) { 601 // Convert the two constants to a common type, then combine them. 602 603 // resultTy may not be the best type to convert to, but it's 604 // probably the best choice in expressions with mixed type 605 // (such as x+1U+2LL). The rules for implicit conversions should 606 // choose a reasonable type to preserve the expression, and will 607 // at least match how the value is going to be used. 608 APSIntType IntType = BasicVals.getAPSIntType(resultTy); 609 const llvm::APSInt &first = IntType.convert(symIntExpr->getRHS()); 610 const llvm::APSInt &second = IntType.convert(*RHSValue); 611 612 const llvm::APSInt *newRHS; 613 if (lop == op) 614 newRHS = BasicVals.evalAPSInt(BO_Add, first, second); 615 else 616 newRHS = BasicVals.evalAPSInt(BO_Sub, first, second); 617 618 assert(newRHS && "Invalid operation despite common type!"); 619 rhs = nonloc::ConcreteInt(*newRHS); 620 lhs = nonloc::SymbolVal(symIntExpr->getLHS()); 621 op = lop; 622 continue; 623 } 624 } 625 626 // Otherwise, make a SymIntExpr out of the expression. 627 return MakeSymIntVal(symIntExpr, op, *RHSValue, resultTy); 628 } 629 } 630 631 // Is the RHS a constant? 632 if (const llvm::APSInt *RHSValue = getKnownValue(state, rhs)) 633 return MakeSymIntVal(Sym, op, *RHSValue, resultTy); 634 635 if (Optional<NonLoc> V = tryRearrange(state, op, lhs, rhs, resultTy)) 636 return *V; 637 638 // Give up -- this is not a symbolic expression we can handle. 639 return makeSymExprValNN(op, InputLHS, InputRHS, resultTy); 640 } 641 } 642 } 643 } 644 645 static SVal evalBinOpFieldRegionFieldRegion(const FieldRegion *LeftFR, 646 const FieldRegion *RightFR, 647 BinaryOperator::Opcode op, 648 QualType resultTy, 649 SimpleSValBuilder &SVB) { 650 // Only comparisons are meaningful here! 651 if (!BinaryOperator::isComparisonOp(op)) 652 return UnknownVal(); 653 654 // Next, see if the two FRs have the same super-region. 655 // FIXME: This doesn't handle casts yet, and simply stripping the casts 656 // doesn't help. 657 if (LeftFR->getSuperRegion() != RightFR->getSuperRegion()) 658 return UnknownVal(); 659 660 const FieldDecl *LeftFD = LeftFR->getDecl(); 661 const FieldDecl *RightFD = RightFR->getDecl(); 662 const RecordDecl *RD = LeftFD->getParent(); 663 664 // Make sure the two FRs are from the same kind of record. Just in case! 665 // FIXME: This is probably where inheritance would be a problem. 666 if (RD != RightFD->getParent()) 667 return UnknownVal(); 668 669 // We know for sure that the two fields are not the same, since that 670 // would have given us the same SVal. 671 if (op == BO_EQ) 672 return SVB.makeTruthVal(false, resultTy); 673 if (op == BO_NE) 674 return SVB.makeTruthVal(true, resultTy); 675 676 // Iterate through the fields and see which one comes first. 677 // [C99 6.7.2.1.13] "Within a structure object, the non-bit-field 678 // members and the units in which bit-fields reside have addresses that 679 // increase in the order in which they are declared." 680 bool leftFirst = (op == BO_LT || op == BO_LE); 681 for (const auto *I : RD->fields()) { 682 if (I == LeftFD) 683 return SVB.makeTruthVal(leftFirst, resultTy); 684 if (I == RightFD) 685 return SVB.makeTruthVal(!leftFirst, resultTy); 686 } 687 688 llvm_unreachable("Fields not found in parent record's definition"); 689 } 690 691 // FIXME: all this logic will change if/when we have MemRegion::getLocation(). 692 SVal SimpleSValBuilder::evalBinOpLL(ProgramStateRef state, 693 BinaryOperator::Opcode op, 694 Loc lhs, Loc rhs, 695 QualType resultTy) { 696 // Only comparisons and subtractions are valid operations on two pointers. 697 // See [C99 6.5.5 through 6.5.14] or [C++0x 5.6 through 5.15]. 698 // However, if a pointer is casted to an integer, evalBinOpNN may end up 699 // calling this function with another operation (PR7527). We don't attempt to 700 // model this for now, but it could be useful, particularly when the 701 // "location" is actually an integer value that's been passed through a void*. 702 if (!(BinaryOperator::isComparisonOp(op) || op == BO_Sub)) 703 return UnknownVal(); 704 705 // Special cases for when both sides are identical. 706 if (lhs == rhs) { 707 switch (op) { 708 default: 709 llvm_unreachable("Unimplemented operation for two identical values"); 710 case BO_Sub: 711 return makeZeroVal(resultTy); 712 case BO_EQ: 713 case BO_LE: 714 case BO_GE: 715 return makeTruthVal(true, resultTy); 716 case BO_NE: 717 case BO_LT: 718 case BO_GT: 719 return makeTruthVal(false, resultTy); 720 } 721 } 722 723 switch (lhs.getSubKind()) { 724 default: 725 llvm_unreachable("Ordering not implemented for this Loc."); 726 727 case loc::GotoLabelKind: 728 // The only thing we know about labels is that they're non-null. 729 if (rhs.isZeroConstant()) { 730 switch (op) { 731 default: 732 break; 733 case BO_Sub: 734 return evalCast(lhs, resultTy, QualType{}); 735 case BO_EQ: 736 case BO_LE: 737 case BO_LT: 738 return makeTruthVal(false, resultTy); 739 case BO_NE: 740 case BO_GT: 741 case BO_GE: 742 return makeTruthVal(true, resultTy); 743 } 744 } 745 // There may be two labels for the same location, and a function region may 746 // have the same address as a label at the start of the function (depending 747 // on the ABI). 748 // FIXME: we can probably do a comparison against other MemRegions, though. 749 // FIXME: is there a way to tell if two labels refer to the same location? 750 return UnknownVal(); 751 752 case loc::ConcreteIntKind: { 753 // If one of the operands is a symbol and the other is a constant, 754 // build an expression for use by the constraint manager. 755 if (SymbolRef rSym = rhs.getAsLocSymbol()) { 756 // We can only build expressions with symbols on the left, 757 // so we need a reversible operator. 758 if (!BinaryOperator::isComparisonOp(op) || op == BO_Cmp) 759 return UnknownVal(); 760 761 const llvm::APSInt &lVal = lhs.castAs<loc::ConcreteInt>().getValue(); 762 op = BinaryOperator::reverseComparisonOp(op); 763 return makeNonLoc(rSym, op, lVal, resultTy); 764 } 765 766 // If both operands are constants, just perform the operation. 767 if (Optional<loc::ConcreteInt> rInt = rhs.getAs<loc::ConcreteInt>()) { 768 SVal ResultVal = 769 lhs.castAs<loc::ConcreteInt>().evalBinOp(BasicVals, op, *rInt); 770 if (Optional<NonLoc> Result = ResultVal.getAs<NonLoc>()) 771 return evalCast(*Result, resultTy, QualType{}); 772 773 assert(!ResultVal.getAs<Loc>() && "Loc-Loc ops should not produce Locs"); 774 return UnknownVal(); 775 } 776 777 // Special case comparisons against NULL. 778 // This must come after the test if the RHS is a symbol, which is used to 779 // build constraints. The address of any non-symbolic region is guaranteed 780 // to be non-NULL, as is any label. 781 assert(rhs.getAs<loc::MemRegionVal>() || rhs.getAs<loc::GotoLabel>()); 782 if (lhs.isZeroConstant()) { 783 switch (op) { 784 default: 785 break; 786 case BO_EQ: 787 case BO_GT: 788 case BO_GE: 789 return makeTruthVal(false, resultTy); 790 case BO_NE: 791 case BO_LT: 792 case BO_LE: 793 return makeTruthVal(true, resultTy); 794 } 795 } 796 797 // Comparing an arbitrary integer to a region or label address is 798 // completely unknowable. 799 return UnknownVal(); 800 } 801 case loc::MemRegionValKind: { 802 if (Optional<loc::ConcreteInt> rInt = rhs.getAs<loc::ConcreteInt>()) { 803 // If one of the operands is a symbol and the other is a constant, 804 // build an expression for use by the constraint manager. 805 if (SymbolRef lSym = lhs.getAsLocSymbol(true)) { 806 if (BinaryOperator::isComparisonOp(op)) 807 return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy); 808 return UnknownVal(); 809 } 810 // Special case comparisons to NULL. 811 // This must come after the test if the LHS is a symbol, which is used to 812 // build constraints. The address of any non-symbolic region is guaranteed 813 // to be non-NULL. 814 if (rInt->isZeroConstant()) { 815 if (op == BO_Sub) 816 return evalCast(lhs, resultTy, QualType{}); 817 818 if (BinaryOperator::isComparisonOp(op)) { 819 QualType boolType = getContext().BoolTy; 820 NonLoc l = evalCast(lhs, boolType, QualType{}).castAs<NonLoc>(); 821 NonLoc r = makeTruthVal(false, boolType).castAs<NonLoc>(); 822 return evalBinOpNN(state, op, l, r, resultTy); 823 } 824 } 825 826 // Comparing a region to an arbitrary integer is completely unknowable. 827 return UnknownVal(); 828 } 829 830 // Get both values as regions, if possible. 831 const MemRegion *LeftMR = lhs.getAsRegion(); 832 assert(LeftMR && "MemRegionValKind SVal doesn't have a region!"); 833 834 const MemRegion *RightMR = rhs.getAsRegion(); 835 if (!RightMR) 836 // The RHS is probably a label, which in theory could address a region. 837 // FIXME: we can probably make a more useful statement about non-code 838 // regions, though. 839 return UnknownVal(); 840 841 const MemRegion *LeftBase = LeftMR->getBaseRegion(); 842 const MemRegion *RightBase = RightMR->getBaseRegion(); 843 const MemSpaceRegion *LeftMS = LeftBase->getMemorySpace(); 844 const MemSpaceRegion *RightMS = RightBase->getMemorySpace(); 845 const MemSpaceRegion *UnknownMS = MemMgr.getUnknownRegion(); 846 847 // If the two regions are from different known memory spaces they cannot be 848 // equal. Also, assume that no symbolic region (whose memory space is 849 // unknown) is on the stack. 850 if (LeftMS != RightMS && 851 ((LeftMS != UnknownMS && RightMS != UnknownMS) || 852 (isa<StackSpaceRegion>(LeftMS) || isa<StackSpaceRegion>(RightMS)))) { 853 switch (op) { 854 default: 855 return UnknownVal(); 856 case BO_EQ: 857 return makeTruthVal(false, resultTy); 858 case BO_NE: 859 return makeTruthVal(true, resultTy); 860 } 861 } 862 863 // If both values wrap regions, see if they're from different base regions. 864 // Note, heap base symbolic regions are assumed to not alias with 865 // each other; for example, we assume that malloc returns different address 866 // on each invocation. 867 // FIXME: ObjC object pointers always reside on the heap, but currently 868 // we treat their memory space as unknown, because symbolic pointers 869 // to ObjC objects may alias. There should be a way to construct 870 // possibly-aliasing heap-based regions. For instance, MacOSXApiChecker 871 // guesses memory space for ObjC object pointers manually instead of 872 // relying on us. 873 if (LeftBase != RightBase && 874 ((!isa<SymbolicRegion>(LeftBase) && !isa<SymbolicRegion>(RightBase)) || 875 (isa<HeapSpaceRegion>(LeftMS) || isa<HeapSpaceRegion>(RightMS))) ){ 876 switch (op) { 877 default: 878 return UnknownVal(); 879 case BO_EQ: 880 return makeTruthVal(false, resultTy); 881 case BO_NE: 882 return makeTruthVal(true, resultTy); 883 } 884 } 885 886 // Handle special cases for when both regions are element regions. 887 const ElementRegion *RightER = dyn_cast<ElementRegion>(RightMR); 888 const ElementRegion *LeftER = dyn_cast<ElementRegion>(LeftMR); 889 if (RightER && LeftER) { 890 // Next, see if the two ERs have the same super-region and matching types. 891 // FIXME: This should do something useful even if the types don't match, 892 // though if both indexes are constant the RegionRawOffset path will 893 // give the correct answer. 894 if (LeftER->getSuperRegion() == RightER->getSuperRegion() && 895 LeftER->getElementType() == RightER->getElementType()) { 896 // Get the left index and cast it to the correct type. 897 // If the index is unknown or undefined, bail out here. 898 SVal LeftIndexVal = LeftER->getIndex(); 899 Optional<NonLoc> LeftIndex = LeftIndexVal.getAs<NonLoc>(); 900 if (!LeftIndex) 901 return UnknownVal(); 902 LeftIndexVal = evalCast(*LeftIndex, ArrayIndexTy, QualType{}); 903 LeftIndex = LeftIndexVal.getAs<NonLoc>(); 904 if (!LeftIndex) 905 return UnknownVal(); 906 907 // Do the same for the right index. 908 SVal RightIndexVal = RightER->getIndex(); 909 Optional<NonLoc> RightIndex = RightIndexVal.getAs<NonLoc>(); 910 if (!RightIndex) 911 return UnknownVal(); 912 RightIndexVal = evalCast(*RightIndex, ArrayIndexTy, QualType{}); 913 RightIndex = RightIndexVal.getAs<NonLoc>(); 914 if (!RightIndex) 915 return UnknownVal(); 916 917 // Actually perform the operation. 918 // evalBinOpNN expects the two indexes to already be the right type. 919 return evalBinOpNN(state, op, *LeftIndex, *RightIndex, resultTy); 920 } 921 } 922 923 // Special handling of the FieldRegions, even with symbolic offsets. 924 const FieldRegion *RightFR = dyn_cast<FieldRegion>(RightMR); 925 const FieldRegion *LeftFR = dyn_cast<FieldRegion>(LeftMR); 926 if (RightFR && LeftFR) { 927 SVal R = evalBinOpFieldRegionFieldRegion(LeftFR, RightFR, op, resultTy, 928 *this); 929 if (!R.isUnknown()) 930 return R; 931 } 932 933 // Compare the regions using the raw offsets. 934 RegionOffset LeftOffset = LeftMR->getAsOffset(); 935 RegionOffset RightOffset = RightMR->getAsOffset(); 936 937 if (LeftOffset.getRegion() != nullptr && 938 LeftOffset.getRegion() == RightOffset.getRegion() && 939 !LeftOffset.hasSymbolicOffset() && !RightOffset.hasSymbolicOffset()) { 940 int64_t left = LeftOffset.getOffset(); 941 int64_t right = RightOffset.getOffset(); 942 943 switch (op) { 944 default: 945 return UnknownVal(); 946 case BO_LT: 947 return makeTruthVal(left < right, resultTy); 948 case BO_GT: 949 return makeTruthVal(left > right, resultTy); 950 case BO_LE: 951 return makeTruthVal(left <= right, resultTy); 952 case BO_GE: 953 return makeTruthVal(left >= right, resultTy); 954 case BO_EQ: 955 return makeTruthVal(left == right, resultTy); 956 case BO_NE: 957 return makeTruthVal(left != right, resultTy); 958 } 959 } 960 961 // At this point we're not going to get a good answer, but we can try 962 // conjuring an expression instead. 963 SymbolRef LHSSym = lhs.getAsLocSymbol(); 964 SymbolRef RHSSym = rhs.getAsLocSymbol(); 965 if (LHSSym && RHSSym) 966 return makeNonLoc(LHSSym, op, RHSSym, resultTy); 967 968 // If we get here, we have no way of comparing the regions. 969 return UnknownVal(); 970 } 971 } 972 } 973 974 SVal SimpleSValBuilder::evalBinOpLN(ProgramStateRef state, 975 BinaryOperator::Opcode op, Loc lhs, 976 NonLoc rhs, QualType resultTy) { 977 if (op >= BO_PtrMemD && op <= BO_PtrMemI) { 978 if (auto PTMSV = rhs.getAs<nonloc::PointerToMember>()) { 979 if (PTMSV->isNullMemberPointer()) 980 return UndefinedVal(); 981 982 auto getFieldLValue = [&](const auto *FD) -> SVal { 983 SVal Result = lhs; 984 985 for (const auto &I : *PTMSV) 986 Result = StateMgr.getStoreManager().evalDerivedToBase( 987 Result, I->getType(), I->isVirtual()); 988 989 return state->getLValue(FD, Result); 990 }; 991 992 if (const auto *FD = PTMSV->getDeclAs<FieldDecl>()) { 993 return getFieldLValue(FD); 994 } 995 if (const auto *FD = PTMSV->getDeclAs<IndirectFieldDecl>()) { 996 return getFieldLValue(FD); 997 } 998 } 999 1000 return rhs; 1001 } 1002 1003 assert(!BinaryOperator::isComparisonOp(op) && 1004 "arguments to comparison ops must be of the same type"); 1005 1006 // Special case: rhs is a zero constant. 1007 if (rhs.isZeroConstant()) 1008 return lhs; 1009 1010 // Perserve the null pointer so that it can be found by the DerefChecker. 1011 if (lhs.isZeroConstant()) 1012 return lhs; 1013 1014 // We are dealing with pointer arithmetic. 1015 1016 // Handle pointer arithmetic on constant values. 1017 if (Optional<nonloc::ConcreteInt> rhsInt = rhs.getAs<nonloc::ConcreteInt>()) { 1018 if (Optional<loc::ConcreteInt> lhsInt = lhs.getAs<loc::ConcreteInt>()) { 1019 const llvm::APSInt &leftI = lhsInt->getValue(); 1020 assert(leftI.isUnsigned()); 1021 llvm::APSInt rightI(rhsInt->getValue(), /* isUnsigned */ true); 1022 1023 // Convert the bitwidth of rightI. This should deal with overflow 1024 // since we are dealing with concrete values. 1025 rightI = rightI.extOrTrunc(leftI.getBitWidth()); 1026 1027 // Offset the increment by the pointer size. 1028 llvm::APSInt Multiplicand(rightI.getBitWidth(), /* isUnsigned */ true); 1029 QualType pointeeType = resultTy->getPointeeType(); 1030 Multiplicand = getContext().getTypeSizeInChars(pointeeType).getQuantity(); 1031 rightI *= Multiplicand; 1032 1033 // Compute the adjusted pointer. 1034 switch (op) { 1035 case BO_Add: 1036 rightI = leftI + rightI; 1037 break; 1038 case BO_Sub: 1039 rightI = leftI - rightI; 1040 break; 1041 default: 1042 llvm_unreachable("Invalid pointer arithmetic operation"); 1043 } 1044 return loc::ConcreteInt(getBasicValueFactory().getValue(rightI)); 1045 } 1046 } 1047 1048 // Handle cases where 'lhs' is a region. 1049 if (const MemRegion *region = lhs.getAsRegion()) { 1050 rhs = convertToArrayIndex(rhs).castAs<NonLoc>(); 1051 SVal index = UnknownVal(); 1052 const SubRegion *superR = nullptr; 1053 // We need to know the type of the pointer in order to add an integer to it. 1054 // Depending on the type, different amount of bytes is added. 1055 QualType elementType; 1056 1057 if (const ElementRegion *elemReg = dyn_cast<ElementRegion>(region)) { 1058 assert(op == BO_Add || op == BO_Sub); 1059 index = evalBinOpNN(state, op, elemReg->getIndex(), rhs, 1060 getArrayIndexType()); 1061 superR = cast<SubRegion>(elemReg->getSuperRegion()); 1062 elementType = elemReg->getElementType(); 1063 } 1064 else if (isa<SubRegion>(region)) { 1065 assert(op == BO_Add || op == BO_Sub); 1066 index = (op == BO_Add) ? rhs : evalMinus(rhs); 1067 superR = cast<SubRegion>(region); 1068 // TODO: Is this actually reliable? Maybe improving our MemRegion 1069 // hierarchy to provide typed regions for all non-void pointers would be 1070 // better. For instance, we cannot extend this towards LocAsInteger 1071 // operations, where result type of the expression is integer. 1072 if (resultTy->isAnyPointerType()) 1073 elementType = resultTy->getPointeeType(); 1074 } 1075 1076 // Represent arithmetic on void pointers as arithmetic on char pointers. 1077 // It is fine when a TypedValueRegion of char value type represents 1078 // a void pointer. Note that arithmetic on void pointers is a GCC extension. 1079 if (elementType->isVoidType()) 1080 elementType = getContext().CharTy; 1081 1082 if (Optional<NonLoc> indexV = index.getAs<NonLoc>()) { 1083 return loc::MemRegionVal(MemMgr.getElementRegion(elementType, *indexV, 1084 superR, getContext())); 1085 } 1086 } 1087 return UnknownVal(); 1088 } 1089 1090 const llvm::APSInt *SimpleSValBuilder::getKnownValue(ProgramStateRef state, 1091 SVal V) { 1092 V = simplifySVal(state, V); 1093 if (V.isUnknownOrUndef()) 1094 return nullptr; 1095 1096 if (Optional<loc::ConcreteInt> X = V.getAs<loc::ConcreteInt>()) 1097 return &X->getValue(); 1098 1099 if (Optional<nonloc::ConcreteInt> X = V.getAs<nonloc::ConcreteInt>()) 1100 return &X->getValue(); 1101 1102 if (SymbolRef Sym = V.getAsSymbol()) 1103 return state->getConstraintManager().getSymVal(state, Sym); 1104 1105 return nullptr; 1106 } 1107 1108 SVal SimpleSValBuilder::simplifySVal(ProgramStateRef State, SVal V) { 1109 // For now, this function tries to constant-fold symbols inside a 1110 // nonloc::SymbolVal, and does nothing else. More simplifications should 1111 // be possible, such as constant-folding an index in an ElementRegion. 1112 1113 class Simplifier : public FullSValVisitor<Simplifier, SVal> { 1114 ProgramStateRef State; 1115 SValBuilder &SVB; 1116 1117 // Cache results for the lifetime of the Simplifier. Results change every 1118 // time new constraints are added to the program state, which is the whole 1119 // point of simplifying, and for that very reason it's pointless to maintain 1120 // the same cache for the duration of the whole analysis. 1121 llvm::DenseMap<SymbolRef, SVal> Cached; 1122 1123 static bool isUnchanged(SymbolRef Sym, SVal Val) { 1124 return Sym == Val.getAsSymbol(); 1125 } 1126 1127 SVal cache(SymbolRef Sym, SVal V) { 1128 Cached[Sym] = V; 1129 return V; 1130 } 1131 1132 SVal skip(SymbolRef Sym) { 1133 return cache(Sym, SVB.makeSymbolVal(Sym)); 1134 } 1135 1136 // Return the known const value for the Sym if available, or return Undef 1137 // otherwise. 1138 SVal getConst(SymbolRef Sym) { 1139 const llvm::APSInt *Const = 1140 State->getConstraintManager().getSymVal(State, Sym); 1141 if (Const) 1142 return Loc::isLocType(Sym->getType()) ? (SVal)SVB.makeIntLocVal(*Const) 1143 : (SVal)SVB.makeIntVal(*Const); 1144 return UndefinedVal(); 1145 } 1146 1147 SVal getConstOrVisit(SymbolRef Sym) { 1148 const SVal Ret = getConst(Sym); 1149 if (Ret.isUndef()) 1150 return Visit(Sym); 1151 return Ret; 1152 } 1153 1154 public: 1155 Simplifier(ProgramStateRef State) 1156 : State(State), SVB(State->getStateManager().getSValBuilder()) {} 1157 1158 SVal VisitSymbolData(const SymbolData *S) { 1159 // No cache here. 1160 if (const llvm::APSInt *I = 1161 SVB.getKnownValue(State, SVB.makeSymbolVal(S))) 1162 return Loc::isLocType(S->getType()) ? (SVal)SVB.makeIntLocVal(*I) 1163 : (SVal)SVB.makeIntVal(*I); 1164 return SVB.makeSymbolVal(S); 1165 } 1166 1167 // TODO: Support SymbolCast. 1168 1169 SVal VisitSymIntExpr(const SymIntExpr *S) { 1170 auto I = Cached.find(S); 1171 if (I != Cached.end()) 1172 return I->second; 1173 1174 SVal LHS = getConstOrVisit(S->getLHS()); 1175 if (isUnchanged(S->getLHS(), LHS)) 1176 return skip(S); 1177 1178 SVal RHS; 1179 // By looking at the APSInt in the right-hand side of S, we cannot 1180 // figure out if it should be treated as a Loc or as a NonLoc. 1181 // So make our guess by recalling that we cannot multiply pointers 1182 // or compare a pointer to an integer. 1183 if (Loc::isLocType(S->getLHS()->getType()) && 1184 BinaryOperator::isComparisonOp(S->getOpcode())) { 1185 // The usual conversion of $sym to &SymRegion{$sym}, as they have 1186 // the same meaning for Loc-type symbols, but the latter form 1187 // is preferred in SVal computations for being Loc itself. 1188 if (SymbolRef Sym = LHS.getAsSymbol()) { 1189 assert(Loc::isLocType(Sym->getType())); 1190 LHS = SVB.makeLoc(Sym); 1191 } 1192 RHS = SVB.makeIntLocVal(S->getRHS()); 1193 } else { 1194 RHS = SVB.makeIntVal(S->getRHS()); 1195 } 1196 1197 return cache( 1198 S, SVB.evalBinOp(State, S->getOpcode(), LHS, RHS, S->getType())); 1199 } 1200 1201 SVal VisitIntSymExpr(const IntSymExpr *S) { 1202 auto I = Cached.find(S); 1203 if (I != Cached.end()) 1204 return I->second; 1205 1206 SVal RHS = getConstOrVisit(S->getRHS()); 1207 if (isUnchanged(S->getRHS(), RHS)) 1208 return skip(S); 1209 1210 SVal LHS = SVB.makeIntVal(S->getLHS()); 1211 return cache( 1212 S, SVB.evalBinOp(State, S->getOpcode(), LHS, RHS, S->getType())); 1213 } 1214 1215 SVal VisitSymSymExpr(const SymSymExpr *S) { 1216 auto I = Cached.find(S); 1217 if (I != Cached.end()) 1218 return I->second; 1219 1220 // For now don't try to simplify mixed Loc/NonLoc expressions 1221 // because they often appear from LocAsInteger operations 1222 // and we don't know how to combine a LocAsInteger 1223 // with a concrete value. 1224 if (Loc::isLocType(S->getLHS()->getType()) != 1225 Loc::isLocType(S->getRHS()->getType())) 1226 return skip(S); 1227 1228 SVal LHS = getConstOrVisit(S->getLHS()); 1229 SVal RHS = getConstOrVisit(S->getRHS()); 1230 1231 if (isUnchanged(S->getLHS(), LHS) && isUnchanged(S->getRHS(), RHS)) 1232 return skip(S); 1233 1234 return cache( 1235 S, SVB.evalBinOp(State, S->getOpcode(), LHS, RHS, S->getType())); 1236 } 1237 1238 SVal VisitSymExpr(SymbolRef S) { return nonloc::SymbolVal(S); } 1239 1240 SVal VisitMemRegion(const MemRegion *R) { return loc::MemRegionVal(R); } 1241 1242 SVal VisitNonLocSymbolVal(nonloc::SymbolVal V) { 1243 // Simplification is much more costly than computing complexity. 1244 // For high complexity, it may be not worth it. 1245 return Visit(V.getSymbol()); 1246 } 1247 1248 SVal VisitSVal(SVal V) { return V; } 1249 }; 1250 1251 // A crude way of preventing this function from calling itself from evalBinOp. 1252 static bool isReentering = false; 1253 if (isReentering) 1254 return V; 1255 1256 isReentering = true; 1257 SVal SimplifiedV = Simplifier(State).Visit(V); 1258 isReentering = false; 1259 1260 return SimplifiedV; 1261 } 1262