1 // SimpleSValBuilder.cpp - A basic SValBuilder -----------------------*- C++ -*- 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines SimpleSValBuilder, a basic implementation of SValBuilder. 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" 15 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 16 17 using namespace clang; 18 using namespace ento; 19 20 namespace { 21 class SimpleSValBuilder : public SValBuilder { 22 protected: 23 virtual SVal dispatchCast(SVal val, QualType castTy); 24 virtual SVal evalCastFromNonLoc(NonLoc val, QualType castTy); 25 virtual SVal evalCastFromLoc(Loc val, QualType castTy); 26 27 public: 28 SimpleSValBuilder(llvm::BumpPtrAllocator &alloc, ASTContext &context, 29 ProgramStateManager &stateMgr) 30 : SValBuilder(alloc, context, stateMgr) {} 31 virtual ~SimpleSValBuilder() {} 32 33 virtual SVal evalMinus(NonLoc val); 34 virtual SVal evalComplement(NonLoc val); 35 virtual SVal evalBinOpNN(const ProgramState *state, BinaryOperator::Opcode op, 36 NonLoc lhs, NonLoc rhs, QualType resultTy); 37 virtual SVal evalBinOpLL(const ProgramState *state, BinaryOperator::Opcode op, 38 Loc lhs, Loc rhs, QualType resultTy); 39 virtual SVal evalBinOpLN(const ProgramState *state, BinaryOperator::Opcode op, 40 Loc lhs, NonLoc rhs, QualType resultTy); 41 42 /// getKnownValue - evaluates a given SVal. If the SVal has only one possible 43 /// (integer) value, that value is returned. Otherwise, returns NULL. 44 virtual const llvm::APSInt *getKnownValue(const ProgramState *state, SVal V); 45 46 SVal MakeSymIntVal(const SymExpr *LHS, BinaryOperator::Opcode op, 47 const llvm::APSInt &RHS, QualType resultTy); 48 }; 49 } // end anonymous namespace 50 51 SValBuilder *ento::createSimpleSValBuilder(llvm::BumpPtrAllocator &alloc, 52 ASTContext &context, 53 ProgramStateManager &stateMgr) { 54 return new SimpleSValBuilder(alloc, context, stateMgr); 55 } 56 57 //===----------------------------------------------------------------------===// 58 // Transfer function for Casts. 59 //===----------------------------------------------------------------------===// 60 61 SVal SimpleSValBuilder::dispatchCast(SVal val, QualType castTy) { 62 return isa<Loc>(val) ? evalCastFromLoc(cast<Loc>(val), castTy) 63 : evalCastFromNonLoc(cast<NonLoc>(val), castTy); 64 } 65 66 SVal SimpleSValBuilder::evalCastFromNonLoc(NonLoc val, QualType castTy) { 67 68 bool isLocType = Loc::isLocType(castTy); 69 70 if (nonloc::LocAsInteger *LI = dyn_cast<nonloc::LocAsInteger>(&val)) { 71 if (isLocType) 72 return LI->getLoc(); 73 74 // FIXME: Correctly support promotions/truncations. 75 unsigned castSize = Context.getTypeSize(castTy); 76 if (castSize == LI->getNumBits()) 77 return val; 78 return makeLocAsInteger(LI->getLoc(), castSize); 79 } 80 81 if (const SymExpr *se = val.getAsSymbolicExpression()) { 82 QualType T = Context.getCanonicalType(se->getType(Context)); 83 if (T == Context.getCanonicalType(castTy)) 84 return val; 85 86 // FIXME: Remove this hack when we support symbolic truncation/extension. 87 // HACK: If both castTy and T are integers, ignore the cast. This is 88 // not a permanent solution. Eventually we want to precisely handle 89 // extension/truncation of symbolic integers. This prevents us from losing 90 // precision when we assign 'x = y' and 'y' is symbolic and x and y are 91 // different integer types. 92 if (T->isIntegerType() && castTy->isIntegerType()) 93 return val; 94 95 if (!isLocType) 96 return makeNonLoc(se, T, castTy); 97 return UnknownVal(); 98 } 99 100 if (!isa<nonloc::ConcreteInt>(val)) 101 return UnknownVal(); 102 103 // Only handle casts from integers to integers. 104 if (!isLocType && !castTy->isIntegerType()) 105 return UnknownVal(); 106 107 llvm::APSInt i = cast<nonloc::ConcreteInt>(val).getValue(); 108 i.setIsUnsigned(castTy->isUnsignedIntegerOrEnumerationType() || 109 Loc::isLocType(castTy)); 110 i = i.extOrTrunc(Context.getTypeSize(castTy)); 111 112 if (isLocType) 113 return makeIntLocVal(i); 114 else 115 return makeIntVal(i); 116 } 117 118 SVal SimpleSValBuilder::evalCastFromLoc(Loc val, QualType castTy) { 119 120 // Casts from pointers -> pointers, just return the lval. 121 // 122 // Casts from pointers -> references, just return the lval. These 123 // can be introduced by the frontend for corner cases, e.g 124 // casting from va_list* to __builtin_va_list&. 125 // 126 if (Loc::isLocType(castTy) || castTy->isReferenceType()) 127 return val; 128 129 // FIXME: Handle transparent unions where a value can be "transparently" 130 // lifted into a union type. 131 if (castTy->isUnionType()) 132 return UnknownVal(); 133 134 if (castTy->isIntegerType()) { 135 unsigned BitWidth = Context.getTypeSize(castTy); 136 137 if (!isa<loc::ConcreteInt>(val)) 138 return makeLocAsInteger(val, BitWidth); 139 140 llvm::APSInt i = cast<loc::ConcreteInt>(val).getValue(); 141 i.setIsUnsigned(castTy->isUnsignedIntegerOrEnumerationType() || 142 Loc::isLocType(castTy)); 143 i = i.extOrTrunc(BitWidth); 144 return makeIntVal(i); 145 } 146 147 // All other cases: return 'UnknownVal'. This includes casting pointers 148 // to floats, which is probably badness it itself, but this is a good 149 // intermediate solution until we do something better. 150 return UnknownVal(); 151 } 152 153 //===----------------------------------------------------------------------===// 154 // Transfer function for unary operators. 155 //===----------------------------------------------------------------------===// 156 157 SVal SimpleSValBuilder::evalMinus(NonLoc val) { 158 switch (val.getSubKind()) { 159 case nonloc::ConcreteIntKind: 160 return cast<nonloc::ConcreteInt>(val).evalMinus(*this); 161 default: 162 return UnknownVal(); 163 } 164 } 165 166 SVal SimpleSValBuilder::evalComplement(NonLoc X) { 167 switch (X.getSubKind()) { 168 case nonloc::ConcreteIntKind: 169 return cast<nonloc::ConcreteInt>(X).evalComplement(*this); 170 default: 171 return UnknownVal(); 172 } 173 } 174 175 //===----------------------------------------------------------------------===// 176 // Transfer function for binary operators. 177 //===----------------------------------------------------------------------===// 178 179 static BinaryOperator::Opcode NegateComparison(BinaryOperator::Opcode op) { 180 switch (op) { 181 default: 182 llvm_unreachable("Invalid opcode."); 183 case BO_LT: return BO_GE; 184 case BO_GT: return BO_LE; 185 case BO_LE: return BO_GT; 186 case BO_GE: return BO_LT; 187 case BO_EQ: return BO_NE; 188 case BO_NE: return BO_EQ; 189 } 190 } 191 192 static BinaryOperator::Opcode ReverseComparison(BinaryOperator::Opcode op) { 193 switch (op) { 194 default: 195 llvm_unreachable("Invalid opcode."); 196 case BO_LT: return BO_GT; 197 case BO_GT: return BO_LT; 198 case BO_LE: return BO_GE; 199 case BO_GE: return BO_LE; 200 case BO_EQ: 201 case BO_NE: 202 return op; 203 } 204 } 205 206 SVal SimpleSValBuilder::MakeSymIntVal(const SymExpr *LHS, 207 BinaryOperator::Opcode op, 208 const llvm::APSInt &RHS, 209 QualType resultTy) { 210 bool isIdempotent = false; 211 212 // Check for a few special cases with known reductions first. 213 switch (op) { 214 default: 215 // We can't reduce this case; just treat it normally. 216 break; 217 case BO_Mul: 218 // a*0 and a*1 219 if (RHS == 0) 220 return makeIntVal(0, resultTy); 221 else if (RHS == 1) 222 isIdempotent = true; 223 break; 224 case BO_Div: 225 // a/0 and a/1 226 if (RHS == 0) 227 // This is also handled elsewhere. 228 return UndefinedVal(); 229 else if (RHS == 1) 230 isIdempotent = true; 231 break; 232 case BO_Rem: 233 // a%0 and a%1 234 if (RHS == 0) 235 // This is also handled elsewhere. 236 return UndefinedVal(); 237 else if (RHS == 1) 238 return makeIntVal(0, resultTy); 239 break; 240 case BO_Add: 241 case BO_Sub: 242 case BO_Shl: 243 case BO_Shr: 244 case BO_Xor: 245 // a+0, a-0, a<<0, a>>0, a^0 246 if (RHS == 0) 247 isIdempotent = true; 248 break; 249 case BO_And: 250 // a&0 and a&(~0) 251 if (RHS == 0) 252 return makeIntVal(0, resultTy); 253 else if (RHS.isAllOnesValue()) 254 isIdempotent = true; 255 break; 256 case BO_Or: 257 // a|0 and a|(~0) 258 if (RHS == 0) 259 isIdempotent = true; 260 else if (RHS.isAllOnesValue()) { 261 const llvm::APSInt &Result = BasicVals.Convert(resultTy, RHS); 262 return nonloc::ConcreteInt(Result); 263 } 264 break; 265 } 266 267 // Idempotent ops (like a*1) can still change the type of an expression. 268 // Wrap the LHS up in a NonLoc again and let evalCastFromNonLoc do the 269 // dirty work. 270 if (isIdempotent) 271 return evalCastFromNonLoc(nonloc::SymbolVal(LHS), resultTy); 272 273 // If we reach this point, the expression cannot be simplified. 274 // Make a SymbolVal for the entire expression. 275 return makeNonLoc(LHS, op, RHS, resultTy); 276 } 277 278 SVal SimpleSValBuilder::evalBinOpNN(const ProgramState *state, 279 BinaryOperator::Opcode op, 280 NonLoc lhs, NonLoc rhs, 281 QualType resultTy) { 282 // Handle trivial case where left-side and right-side are the same. 283 if (lhs == rhs) 284 switch (op) { 285 default: 286 break; 287 case BO_EQ: 288 case BO_LE: 289 case BO_GE: 290 return makeTruthVal(true, resultTy); 291 case BO_LT: 292 case BO_GT: 293 case BO_NE: 294 return makeTruthVal(false, resultTy); 295 case BO_Xor: 296 case BO_Sub: 297 return makeIntVal(0, resultTy); 298 case BO_Or: 299 case BO_And: 300 return evalCastFromNonLoc(lhs, resultTy); 301 } 302 303 while (1) { 304 switch (lhs.getSubKind()) { 305 default: 306 return generateUnknownVal(state, op, lhs, rhs, resultTy); 307 case nonloc::LocAsIntegerKind: { 308 Loc lhsL = cast<nonloc::LocAsInteger>(lhs).getLoc(); 309 switch (rhs.getSubKind()) { 310 case nonloc::LocAsIntegerKind: 311 return evalBinOpLL(state, op, lhsL, 312 cast<nonloc::LocAsInteger>(rhs).getLoc(), 313 resultTy); 314 case nonloc::ConcreteIntKind: { 315 // Transform the integer into a location and compare. 316 llvm::APSInt i = cast<nonloc::ConcreteInt>(rhs).getValue(); 317 i.setIsUnsigned(true); 318 i = i.extOrTrunc(Context.getTypeSize(Context.VoidPtrTy)); 319 return evalBinOpLL(state, op, lhsL, makeLoc(i), resultTy); 320 } 321 default: 322 switch (op) { 323 case BO_EQ: 324 return makeTruthVal(false, resultTy); 325 case BO_NE: 326 return makeTruthVal(true, resultTy); 327 default: 328 // This case also handles pointer arithmetic. 329 return generateUnknownVal(state, op, lhs, rhs, resultTy); 330 } 331 } 332 } 333 case nonloc::ConcreteIntKind: { 334 const nonloc::ConcreteInt& lhsInt = cast<nonloc::ConcreteInt>(lhs); 335 336 // Is the RHS a symbol we can simplify? 337 // FIXME: This was mostly copy/pasted from the LHS-is-a-symbol case. 338 if (const nonloc::SymbolVal *srhs = dyn_cast<nonloc::SymbolVal>(&rhs)) { 339 SymbolRef RSym = srhs->getSymbol(); 340 if (RSym->getType(Context)->isIntegerType()) { 341 if (const llvm::APSInt *Constant = state->getSymVal(RSym)) { 342 // The symbol evaluates to a constant. 343 const llvm::APSInt *rhs_I; 344 if (BinaryOperator::isRelationalOp(op)) 345 rhs_I = &BasicVals.Convert(lhsInt.getValue(), *Constant); 346 else 347 rhs_I = &BasicVals.Convert(resultTy, *Constant); 348 349 rhs = nonloc::ConcreteInt(*rhs_I); 350 } 351 } 352 } 353 354 if (isa<nonloc::ConcreteInt>(rhs)) { 355 return lhsInt.evalBinOp(*this, op, cast<nonloc::ConcreteInt>(rhs)); 356 } else { 357 const llvm::APSInt& lhsValue = lhsInt.getValue(); 358 359 // Swap the left and right sides and flip the operator if doing so 360 // allows us to better reason about the expression (this is a form 361 // of expression canonicalization). 362 // While we're at it, catch some special cases for non-commutative ops. 363 NonLoc tmp = rhs; 364 rhs = lhs; 365 lhs = tmp; 366 367 switch (op) { 368 case BO_LT: 369 case BO_GT: 370 case BO_LE: 371 case BO_GE: 372 op = ReverseComparison(op); 373 continue; 374 case BO_EQ: 375 case BO_NE: 376 case BO_Add: 377 case BO_Mul: 378 case BO_And: 379 case BO_Xor: 380 case BO_Or: 381 continue; 382 case BO_Shr: 383 if (lhsValue.isAllOnesValue() && lhsValue.isSigned()) 384 // At this point lhs and rhs have been swapped. 385 return rhs; 386 // FALL-THROUGH 387 case BO_Shl: 388 if (lhsValue == 0) 389 // At this point lhs and rhs have been swapped. 390 return rhs; 391 return generateUnknownVal(state, op, lhs, rhs, resultTy); 392 default: 393 return generateUnknownVal(state, op, lhs, rhs, resultTy); 394 } 395 } 396 } 397 case nonloc::SymbolValKind: { 398 nonloc::SymbolVal *selhs = cast<nonloc::SymbolVal>(&lhs); 399 400 // LHS is a symbolic expression. 401 if (selhs->isExpression()) { 402 403 // Only handle LHS of the form "$sym op constant", at least for now. 404 const SymIntExpr *symIntExpr = 405 dyn_cast<SymIntExpr>(selhs->getSymbol()); 406 407 if (!symIntExpr) 408 return generateUnknownVal(state, op, lhs, rhs, resultTy); 409 410 // Is this a logical not? (!x is represented as x == 0.) 411 if (op == BO_EQ && rhs.isZeroConstant()) { 412 // We know how to negate certain expressions. Simplify them here. 413 414 BinaryOperator::Opcode opc = symIntExpr->getOpcode(); 415 switch (opc) { 416 default: 417 // We don't know how to negate this operation. 418 // Just handle it as if it were a normal comparison to 0. 419 break; 420 case BO_LAnd: 421 case BO_LOr: 422 llvm_unreachable("Logical operators handled by branching logic."); 423 case BO_Assign: 424 case BO_MulAssign: 425 case BO_DivAssign: 426 case BO_RemAssign: 427 case BO_AddAssign: 428 case BO_SubAssign: 429 case BO_ShlAssign: 430 case BO_ShrAssign: 431 case BO_AndAssign: 432 case BO_XorAssign: 433 case BO_OrAssign: 434 case BO_Comma: 435 llvm_unreachable("'=' and ',' operators handled by ExprEngine."); 436 case BO_PtrMemD: 437 case BO_PtrMemI: 438 llvm_unreachable("Pointer arithmetic not handled here."); 439 case BO_LT: 440 case BO_GT: 441 case BO_LE: 442 case BO_GE: 443 case BO_EQ: 444 case BO_NE: 445 // Negate the comparison and make a value. 446 opc = NegateComparison(opc); 447 assert(symIntExpr->getType(Context) == resultTy); 448 return makeNonLoc(symIntExpr->getLHS(), opc, 449 symIntExpr->getRHS(), resultTy); 450 } 451 } 452 453 // For now, only handle expressions whose RHS is a constant. 454 const nonloc::ConcreteInt *rhsInt = dyn_cast<nonloc::ConcreteInt>(&rhs); 455 if (!rhsInt) 456 return generateUnknownVal(state, op, lhs, rhs, resultTy); 457 458 // If both the LHS and the current expression are additive, 459 // fold their constants. 460 if (BinaryOperator::isAdditiveOp(op)) { 461 BinaryOperator::Opcode lop = symIntExpr->getOpcode(); 462 if (BinaryOperator::isAdditiveOp(lop)) { 463 // resultTy may not be the best type to convert to, but it's 464 // probably the best choice in expressions with mixed type 465 // (such as x+1U+2LL). The rules for implicit conversions should 466 // choose a reasonable type to preserve the expression, and will 467 // at least match how the value is going to be used. 468 const llvm::APSInt &first = 469 BasicVals.Convert(resultTy, symIntExpr->getRHS()); 470 const llvm::APSInt &second = 471 BasicVals.Convert(resultTy, rhsInt->getValue()); 472 const llvm::APSInt *newRHS; 473 if (lop == op) 474 newRHS = BasicVals.evalAPSInt(BO_Add, first, second); 475 else 476 newRHS = BasicVals.evalAPSInt(BO_Sub, first, second); 477 return MakeSymIntVal(symIntExpr->getLHS(), lop, *newRHS, resultTy); 478 } 479 } 480 481 // Otherwise, make a SymbolVal out of the expression. 482 return MakeSymIntVal(symIntExpr, op, rhsInt->getValue(), resultTy); 483 484 // LHS is a simple symbol. 485 } else { 486 nonloc::SymbolVal *slhs = cast<nonloc::SymbolVal>(&lhs); 487 SymbolRef Sym = slhs->getSymbol(); 488 QualType lhsType = Sym->getType(Context); 489 490 // The conversion type is usually the result type, but not in the case 491 // of relational expressions. 492 QualType conversionType = resultTy; 493 if (BinaryOperator::isRelationalOp(op)) 494 conversionType = lhsType; 495 496 // Does the symbol simplify to a constant? If so, "fold" the constant 497 // by setting 'lhs' to a ConcreteInt and try again. 498 if (lhsType->isIntegerType()) 499 if (const llvm::APSInt *Constant = state->getSymVal(Sym)) { 500 // The symbol evaluates to a constant. If necessary, promote the 501 // folded constant (LHS) to the result type. 502 const llvm::APSInt &lhs_I = BasicVals.Convert(conversionType, 503 *Constant); 504 lhs = nonloc::ConcreteInt(lhs_I); 505 506 // Also promote the RHS (if necessary). 507 508 // For shifts, it is not necessary to promote the RHS. 509 if (BinaryOperator::isShiftOp(op)) 510 continue; 511 512 // Other operators: do an implicit conversion. This shouldn't be 513 // necessary once we support truncation/extension of symbolic values. 514 if (nonloc::ConcreteInt *rhs_I = dyn_cast<nonloc::ConcreteInt>(&rhs)){ 515 rhs = nonloc::ConcreteInt(BasicVals.Convert(conversionType, 516 rhs_I->getValue())); 517 } 518 519 continue; 520 } 521 522 // Is the RHS a symbol we can simplify? 523 if (const nonloc::SymbolVal *srhs = dyn_cast<nonloc::SymbolVal>(&rhs)) { 524 SymbolRef RSym = srhs->getSymbol(); 525 if (RSym->getType(Context)->isIntegerType()) { 526 if (const llvm::APSInt *Constant = state->getSymVal(RSym)) { 527 // The symbol evaluates to a constant. 528 const llvm::APSInt &rhs_I = BasicVals.Convert(conversionType, 529 *Constant); 530 rhs = nonloc::ConcreteInt(rhs_I); 531 } 532 } 533 } 534 535 if (isa<nonloc::ConcreteInt>(rhs)) { 536 return MakeSymIntVal(slhs->getSymbol(), op, 537 cast<nonloc::ConcreteInt>(rhs).getValue(), 538 resultTy); 539 } 540 541 return generateUnknownVal(state, op, lhs, rhs, resultTy); 542 } 543 } 544 } 545 } 546 } 547 548 // FIXME: all this logic will change if/when we have MemRegion::getLocation(). 549 SVal SimpleSValBuilder::evalBinOpLL(const ProgramState *state, 550 BinaryOperator::Opcode op, 551 Loc lhs, Loc rhs, 552 QualType resultTy) { 553 // Only comparisons and subtractions are valid operations on two pointers. 554 // See [C99 6.5.5 through 6.5.14] or [C++0x 5.6 through 5.15]. 555 // However, if a pointer is casted to an integer, evalBinOpNN may end up 556 // calling this function with another operation (PR7527). We don't attempt to 557 // model this for now, but it could be useful, particularly when the 558 // "location" is actually an integer value that's been passed through a void*. 559 if (!(BinaryOperator::isComparisonOp(op) || op == BO_Sub)) 560 return UnknownVal(); 561 562 // Special cases for when both sides are identical. 563 if (lhs == rhs) { 564 switch (op) { 565 default: 566 llvm_unreachable("Unimplemented operation for two identical values"); 567 case BO_Sub: 568 return makeZeroVal(resultTy); 569 case BO_EQ: 570 case BO_LE: 571 case BO_GE: 572 return makeTruthVal(true, resultTy); 573 case BO_NE: 574 case BO_LT: 575 case BO_GT: 576 return makeTruthVal(false, resultTy); 577 } 578 } 579 580 switch (lhs.getSubKind()) { 581 default: 582 llvm_unreachable("Ordering not implemented for this Loc."); 583 584 case loc::GotoLabelKind: 585 // The only thing we know about labels is that they're non-null. 586 if (rhs.isZeroConstant()) { 587 switch (op) { 588 default: 589 break; 590 case BO_Sub: 591 return evalCastFromLoc(lhs, resultTy); 592 case BO_EQ: 593 case BO_LE: 594 case BO_LT: 595 return makeTruthVal(false, resultTy); 596 case BO_NE: 597 case BO_GT: 598 case BO_GE: 599 return makeTruthVal(true, resultTy); 600 } 601 } 602 // There may be two labels for the same location, and a function region may 603 // have the same address as a label at the start of the function (depending 604 // on the ABI). 605 // FIXME: we can probably do a comparison against other MemRegions, though. 606 // FIXME: is there a way to tell if two labels refer to the same location? 607 return UnknownVal(); 608 609 case loc::ConcreteIntKind: { 610 // If one of the operands is a symbol and the other is a constant, 611 // build an expression for use by the constraint manager. 612 if (SymbolRef rSym = rhs.getAsLocSymbol()) { 613 // We can only build expressions with symbols on the left, 614 // so we need a reversible operator. 615 if (!BinaryOperator::isComparisonOp(op)) 616 return UnknownVal(); 617 618 const llvm::APSInt &lVal = cast<loc::ConcreteInt>(lhs).getValue(); 619 return makeNonLoc(rSym, ReverseComparison(op), lVal, resultTy); 620 } 621 622 // If both operands are constants, just perform the operation. 623 if (loc::ConcreteInt *rInt = dyn_cast<loc::ConcreteInt>(&rhs)) { 624 SVal ResultVal = cast<loc::ConcreteInt>(lhs).evalBinOp(BasicVals, op, 625 *rInt); 626 if (Loc *Result = dyn_cast<Loc>(&ResultVal)) 627 return evalCastFromLoc(*Result, resultTy); 628 else 629 return UnknownVal(); 630 } 631 632 // Special case comparisons against NULL. 633 // This must come after the test if the RHS is a symbol, which is used to 634 // build constraints. The address of any non-symbolic region is guaranteed 635 // to be non-NULL, as is any label. 636 assert(isa<loc::MemRegionVal>(rhs) || isa<loc::GotoLabel>(rhs)); 637 if (lhs.isZeroConstant()) { 638 switch (op) { 639 default: 640 break; 641 case BO_EQ: 642 case BO_GT: 643 case BO_GE: 644 return makeTruthVal(false, resultTy); 645 case BO_NE: 646 case BO_LT: 647 case BO_LE: 648 return makeTruthVal(true, resultTy); 649 } 650 } 651 652 // Comparing an arbitrary integer to a region or label address is 653 // completely unknowable. 654 return UnknownVal(); 655 } 656 case loc::MemRegionKind: { 657 if (loc::ConcreteInt *rInt = dyn_cast<loc::ConcreteInt>(&rhs)) { 658 // If one of the operands is a symbol and the other is a constant, 659 // build an expression for use by the constraint manager. 660 if (SymbolRef lSym = lhs.getAsLocSymbol()) 661 return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy); 662 663 // Special case comparisons to NULL. 664 // This must come after the test if the LHS is a symbol, which is used to 665 // build constraints. The address of any non-symbolic region is guaranteed 666 // to be non-NULL. 667 if (rInt->isZeroConstant()) { 668 switch (op) { 669 default: 670 break; 671 case BO_Sub: 672 return evalCastFromLoc(lhs, resultTy); 673 case BO_EQ: 674 case BO_LT: 675 case BO_LE: 676 return makeTruthVal(false, resultTy); 677 case BO_NE: 678 case BO_GT: 679 case BO_GE: 680 return makeTruthVal(true, resultTy); 681 } 682 } 683 684 // Comparing a region to an arbitrary integer is completely unknowable. 685 return UnknownVal(); 686 } 687 688 // Get both values as regions, if possible. 689 const MemRegion *LeftMR = lhs.getAsRegion(); 690 assert(LeftMR && "MemRegionKind SVal doesn't have a region!"); 691 692 const MemRegion *RightMR = rhs.getAsRegion(); 693 if (!RightMR) 694 // The RHS is probably a label, which in theory could address a region. 695 // FIXME: we can probably make a more useful statement about non-code 696 // regions, though. 697 return UnknownVal(); 698 699 // If both values wrap regions, see if they're from different base regions. 700 const MemRegion *LeftBase = LeftMR->getBaseRegion(); 701 const MemRegion *RightBase = RightMR->getBaseRegion(); 702 if (LeftBase != RightBase && 703 !isa<SymbolicRegion>(LeftBase) && !isa<SymbolicRegion>(RightBase)) { 704 switch (op) { 705 default: 706 return UnknownVal(); 707 case BO_EQ: 708 return makeTruthVal(false, resultTy); 709 case BO_NE: 710 return makeTruthVal(true, resultTy); 711 } 712 } 713 714 // The two regions are from the same base region. See if they're both a 715 // type of region we know how to compare. 716 717 // FIXME: If/when there is a getAsRawOffset() for FieldRegions, this 718 // ElementRegion path and the FieldRegion path below should be unified. 719 if (const ElementRegion *LeftER = dyn_cast<ElementRegion>(LeftMR)) { 720 // First see if the right region is also an ElementRegion. 721 const ElementRegion *RightER = dyn_cast<ElementRegion>(RightMR); 722 if (!RightER) 723 return UnknownVal(); 724 725 // Next, see if the two ERs have the same super-region and matching types. 726 // FIXME: This should do something useful even if the types don't match, 727 // though if both indexes are constant the RegionRawOffset path will 728 // give the correct answer. 729 if (LeftER->getSuperRegion() == RightER->getSuperRegion() && 730 LeftER->getElementType() == RightER->getElementType()) { 731 // Get the left index and cast it to the correct type. 732 // If the index is unknown or undefined, bail out here. 733 SVal LeftIndexVal = LeftER->getIndex(); 734 NonLoc *LeftIndex = dyn_cast<NonLoc>(&LeftIndexVal); 735 if (!LeftIndex) 736 return UnknownVal(); 737 LeftIndexVal = evalCastFromNonLoc(*LeftIndex, resultTy); 738 LeftIndex = dyn_cast<NonLoc>(&LeftIndexVal); 739 if (!LeftIndex) 740 return UnknownVal(); 741 742 // Do the same for the right index. 743 SVal RightIndexVal = RightER->getIndex(); 744 NonLoc *RightIndex = dyn_cast<NonLoc>(&RightIndexVal); 745 if (!RightIndex) 746 return UnknownVal(); 747 RightIndexVal = evalCastFromNonLoc(*RightIndex, resultTy); 748 RightIndex = dyn_cast<NonLoc>(&RightIndexVal); 749 if (!RightIndex) 750 return UnknownVal(); 751 752 // Actually perform the operation. 753 // evalBinOpNN expects the two indexes to already be the right type. 754 return evalBinOpNN(state, op, *LeftIndex, *RightIndex, resultTy); 755 } 756 757 // If the element indexes aren't comparable, see if the raw offsets are. 758 RegionRawOffset LeftOffset = LeftER->getAsArrayOffset(); 759 RegionRawOffset RightOffset = RightER->getAsArrayOffset(); 760 761 if (LeftOffset.getRegion() != NULL && 762 LeftOffset.getRegion() == RightOffset.getRegion()) { 763 CharUnits left = LeftOffset.getOffset(); 764 CharUnits right = RightOffset.getOffset(); 765 766 switch (op) { 767 default: 768 return UnknownVal(); 769 case BO_LT: 770 return makeTruthVal(left < right, resultTy); 771 case BO_GT: 772 return makeTruthVal(left > right, resultTy); 773 case BO_LE: 774 return makeTruthVal(left <= right, resultTy); 775 case BO_GE: 776 return makeTruthVal(left >= right, resultTy); 777 case BO_EQ: 778 return makeTruthVal(left == right, resultTy); 779 case BO_NE: 780 return makeTruthVal(left != right, resultTy); 781 } 782 } 783 784 // If we get here, we have no way of comparing the ElementRegions. 785 return UnknownVal(); 786 } 787 788 // See if both regions are fields of the same structure. 789 // FIXME: This doesn't handle nesting, inheritance, or Objective-C ivars. 790 if (const FieldRegion *LeftFR = dyn_cast<FieldRegion>(LeftMR)) { 791 // Only comparisons are meaningful here! 792 if (!BinaryOperator::isComparisonOp(op)) 793 return UnknownVal(); 794 795 // First see if the right region is also a FieldRegion. 796 const FieldRegion *RightFR = dyn_cast<FieldRegion>(RightMR); 797 if (!RightFR) 798 return UnknownVal(); 799 800 // Next, see if the two FRs have the same super-region. 801 // FIXME: This doesn't handle casts yet, and simply stripping the casts 802 // doesn't help. 803 if (LeftFR->getSuperRegion() != RightFR->getSuperRegion()) 804 return UnknownVal(); 805 806 const FieldDecl *LeftFD = LeftFR->getDecl(); 807 const FieldDecl *RightFD = RightFR->getDecl(); 808 const RecordDecl *RD = LeftFD->getParent(); 809 810 // Make sure the two FRs are from the same kind of record. Just in case! 811 // FIXME: This is probably where inheritance would be a problem. 812 if (RD != RightFD->getParent()) 813 return UnknownVal(); 814 815 // We know for sure that the two fields are not the same, since that 816 // would have given us the same SVal. 817 if (op == BO_EQ) 818 return makeTruthVal(false, resultTy); 819 if (op == BO_NE) 820 return makeTruthVal(true, resultTy); 821 822 // Iterate through the fields and see which one comes first. 823 // [C99 6.7.2.1.13] "Within a structure object, the non-bit-field 824 // members and the units in which bit-fields reside have addresses that 825 // increase in the order in which they are declared." 826 bool leftFirst = (op == BO_LT || op == BO_LE); 827 for (RecordDecl::field_iterator I = RD->field_begin(), 828 E = RD->field_end(); I!=E; ++I) { 829 if (*I == LeftFD) 830 return makeTruthVal(leftFirst, resultTy); 831 if (*I == RightFD) 832 return makeTruthVal(!leftFirst, resultTy); 833 } 834 835 llvm_unreachable("Fields not found in parent record's definition"); 836 } 837 838 // If we get here, we have no way of comparing the regions. 839 return UnknownVal(); 840 } 841 } 842 } 843 844 SVal SimpleSValBuilder::evalBinOpLN(const ProgramState *state, 845 BinaryOperator::Opcode op, 846 Loc lhs, NonLoc rhs, QualType resultTy) { 847 848 // Special case: rhs is a zero constant. 849 if (rhs.isZeroConstant()) 850 return lhs; 851 852 // Special case: 'rhs' is an integer that has the same width as a pointer and 853 // we are using the integer location in a comparison. Normally this cannot be 854 // triggered, but transfer functions like those for OSCommpareAndSwapBarrier32 855 // can generate comparisons that trigger this code. 856 // FIXME: Are all locations guaranteed to have pointer width? 857 if (BinaryOperator::isComparisonOp(op)) { 858 if (nonloc::ConcreteInt *rhsInt = dyn_cast<nonloc::ConcreteInt>(&rhs)) { 859 const llvm::APSInt *x = &rhsInt->getValue(); 860 ASTContext &ctx = Context; 861 if (ctx.getTypeSize(ctx.VoidPtrTy) == x->getBitWidth()) { 862 // Convert the signedness of the integer (if necessary). 863 if (x->isSigned()) 864 x = &getBasicValueFactory().getValue(*x, true); 865 866 return evalBinOpLL(state, op, lhs, loc::ConcreteInt(*x), resultTy); 867 } 868 } 869 } 870 871 // We are dealing with pointer arithmetic. 872 873 // Handle pointer arithmetic on constant values. 874 if (nonloc::ConcreteInt *rhsInt = dyn_cast<nonloc::ConcreteInt>(&rhs)) { 875 if (loc::ConcreteInt *lhsInt = dyn_cast<loc::ConcreteInt>(&lhs)) { 876 const llvm::APSInt &leftI = lhsInt->getValue(); 877 assert(leftI.isUnsigned()); 878 llvm::APSInt rightI(rhsInt->getValue(), /* isUnsigned */ true); 879 880 // Convert the bitwidth of rightI. This should deal with overflow 881 // since we are dealing with concrete values. 882 rightI = rightI.extOrTrunc(leftI.getBitWidth()); 883 884 // Offset the increment by the pointer size. 885 llvm::APSInt Multiplicand(rightI.getBitWidth(), /* isUnsigned */ true); 886 rightI *= Multiplicand; 887 888 // Compute the adjusted pointer. 889 switch (op) { 890 case BO_Add: 891 rightI = leftI + rightI; 892 break; 893 case BO_Sub: 894 rightI = leftI - rightI; 895 break; 896 default: 897 llvm_unreachable("Invalid pointer arithmetic operation"); 898 } 899 return loc::ConcreteInt(getBasicValueFactory().getValue(rightI)); 900 } 901 } 902 903 // Handle cases where 'lhs' is a region. 904 if (const MemRegion *region = lhs.getAsRegion()) { 905 rhs = cast<NonLoc>(convertToArrayIndex(rhs)); 906 SVal index = UnknownVal(); 907 const MemRegion *superR = 0; 908 QualType elementType; 909 910 if (const ElementRegion *elemReg = dyn_cast<ElementRegion>(region)) { 911 assert(op == BO_Add || op == BO_Sub); 912 index = evalBinOpNN(state, op, elemReg->getIndex(), rhs, 913 getArrayIndexType()); 914 superR = elemReg->getSuperRegion(); 915 elementType = elemReg->getElementType(); 916 } 917 else if (isa<SubRegion>(region)) { 918 superR = region; 919 index = rhs; 920 if (const PointerType *PT = resultTy->getAs<PointerType>()) { 921 elementType = PT->getPointeeType(); 922 } 923 else { 924 const ObjCObjectPointerType *OT = 925 resultTy->getAs<ObjCObjectPointerType>(); 926 elementType = OT->getPointeeType(); 927 } 928 } 929 930 if (NonLoc *indexV = dyn_cast<NonLoc>(&index)) { 931 return loc::MemRegionVal(MemMgr.getElementRegion(elementType, *indexV, 932 superR, getContext())); 933 } 934 } 935 return UnknownVal(); 936 } 937 938 const llvm::APSInt *SimpleSValBuilder::getKnownValue(const ProgramState *state, 939 SVal V) { 940 if (V.isUnknownOrUndef()) 941 return NULL; 942 943 if (loc::ConcreteInt* X = dyn_cast<loc::ConcreteInt>(&V)) 944 return &X->getValue(); 945 946 if (nonloc::ConcreteInt* X = dyn_cast<nonloc::ConcreteInt>(&V)) 947 return &X->getValue(); 948 949 if (SymbolRef Sym = V.getAsSymbol()) 950 return state->getSymVal(Sym); 951 952 // FIXME: Add support for SymExprs. 953 return NULL; 954 } 955