1 //== SymbolManager.h - Management of Symbolic Values ------------*- C++ -*--==//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 //  This file defines SymbolManager, a class that manages symbolic values
11 //  created for use by ExprEngine and related classes.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
16 #include "clang/Analysis/Analyses/LiveVariables.h"
17 #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
18 #include "clang/StaticAnalyzer/Core/PathSensitive/Store.h"
19 #include "llvm/Support/raw_ostream.h"
20 
21 using namespace clang;
22 using namespace ento;
23 
/// Out-of-line definition with an intentionally empty body.
/// NOTE(review): presumably the LLVM "anchor" idiom that pins SymExpr's
/// vtable to this translation unit; confirm against the class declaration.
void SymExpr::anchor() {
}
25 
/// Debugging aid: write this expression's textual form to llvm::errs().
void SymExpr::dump() const {
  raw_ostream &Err = llvm::errs();
  dumpToStream(Err);
}
29 
/// Write the source-level spelling of the binary operator \p Op to \p os.
///
/// Only the arithmetic, shift, relational, equality and bitwise opcodes
/// listed below are supported; any other opcode reaches llvm_unreachable.
static void print(raw_ostream &os, BinaryOperator::Opcode Op) {
  switch (Op) {
    // Multiplicative and additive operators.
    case BO_Mul:
      os << '*';
      break;
    case BO_Div:
      os << '/';
      break;
    case BO_Rem:
      os << '%';
      break;
    case BO_Add:
      os << '+';
      break;
    case BO_Sub:
      os << '-';
      break;

    // Shifts.
    case BO_Shl:
      os << "<<";
      break;
    case BO_Shr:
      os << ">>";
      break;

    // Relational and equality operators.
    case BO_LT:
      os << "<";
      break;
    case BO_GT:
      os << '>';
      break;
    case BO_LE:
      os << "<=";
      break;
    case BO_GE:
      os << ">=";
      break;
    case BO_EQ:
      os << "==";
      break;
    case BO_NE:
      os << "!=";
      break;

    // Bitwise operators.
    case BO_And:
      os << '&';
      break;
    case BO_Xor:
      os << '^';
      break;
    case BO_Or:
      os << '|';
      break;

    // Everything else (assignments, logical operators, ...) has no printer.
    default:
      llvm_unreachable("operator printing not implemented");
  }
}
52 
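/// Print this expression as "(<lhs>) <op> <constant>".
///
/// An unsigned constant is printed zero-extended with a 'U' suffix. A signed
/// constant is printed sign-extended, so that e.g. -1 shows up as "-1" rather
/// than as the large unsigned value of its bit pattern.
void SymIntExpr::dumpToStream(raw_ostream &os) const {
  os << '(';
  getLHS()->dumpToStream(os);
  os << ") ";
  print(os, getOpcode());
  os << ' ';

  const llvm::APSInt &Constant = getRHS();
  if (Constant.isUnsigned())
    os << Constant.getZExtValue() << 'U';
  else
    os << Constant.getSExtValue();
}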
61 
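/// Print this expression as "<constant> <op> (<rhs>)".
///
/// The layout mirrors SymIntExpr::dumpToStream: operator surrounded by single
/// spaces, no stray leading or trailing blank. An unsigned constant is printed
/// zero-extended with a 'U' suffix; a signed constant is printed sign-extended
/// so negative values are not shown as their unsigned bit pattern.
void IntSymExpr::dumpToStream(raw_ostream &os) const {
  const llvm::APSInt &Constant = getLHS();
  if (Constant.isUnsigned())
    os << Constant.getZExtValue() << 'U';
  else
    os << Constant.getSExtValue();

  os << ' ';
  print(os, getOpcode());
  os << " (";
  getRHS()->dumpToStream(os);
  os << ')';
}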
70 
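/// Print this expression as "(<lhs>) <op> (<rhs>)".
///
/// The operator is printed between the operands; without it the dump of
/// e.g. a sum and a difference of the same two symbols would be identical.
void SymSymExpr::dumpToStream(raw_ostream &os) const {
  os << '(';
  getLHS()->dumpToStream(os);
  os << ") ";
  print(os, getOpcode());
  os << " (";
  getRHS()->dumpToStream(os);
  os << ')';
}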
79 
/// Print this cast as "(<target type>) (<operand>)".
void SymbolCast::dumpToStream(raw_ostream &os) const {
  // Destination type first, in C cast notation.
  os << '(';
  os << ToTy.getAsString();
  os << ") (";

  // Then the symbolic expression being cast.
  Operand->dumpToStream(os);
  os << ')';
}
85 
/// Print this symbol as "conj_$<id>{<type>}".
void SymbolConjured::dumpToStream(raw_ostream &os) const {
  os << "conj_$" << getSymbolID();
  os << '{' << T.getAsString() << '}';
}
89 
/// Print this symbol as "derived_$<id>{<parent symbol>,<region>}".
void SymbolDerived::dumpToStream(raw_ostream &os) const {
  os << "derived_$" << getSymbolID();
  os << '{' << getParentSymbol();
  os << ',' << getRegion() << '}';
}
94 
/// Print this symbol as "extent_$<id>{<region>}".
void SymbolExtent::dumpToStream(raw_ostream &os) const {
  os << "extent_$" << getSymbolID();
  os << '{' << getRegion() << '}';
}
98 
/// Print this symbol as "meta_$<id>{<region>,<type>}".
void SymbolMetadata::dumpToStream(raw_ostream &os) const {
  os << "meta_$" << getSymbolID();
  os << '{' << getRegion();
  os << ',' << T.getAsString() << '}';
}
103 
/// Out-of-line definition with an intentionally empty body.
/// NOTE(review): presumably the LLVM "anchor" idiom that pins SymbolData's
/// vtable to this translation unit; confirm against the class declaration.
void SymbolData::anchor() {
}
105 
/// Print this symbol as "reg_$<id><<region>>".
void SymbolRegionValue::dumpToStream(raw_ostream &os) const {
  os << "reg_$" << getSymbolID();
  os << "<" << R << ">";
}
109 
/// Two iterators are equal when their pending-expression stacks compare equal.
bool SymExpr::symbol_iterator::operator==(const symbol_iterator &X) const {
  const bool SameStack = (itr == X.itr);
  return SameStack;
}
113 
/// Two iterators differ when their pending-expression stacks compare unequal.
bool SymExpr::symbol_iterator::operator!=(const symbol_iterator &X) const {
  const bool DifferentStack = (itr != X.itr);
  return DifferentStack;
}
117 
/// Start an iteration over the SymbolData leaves reachable from \p SE.
///
/// \p SE is pushed on the stack and the top entry is expanded until it is a
/// SymbolData, so the iterator is immediately dereferenceable.
/// NOTE(review): \p SE is passed to isa<> unchecked, so it is expected to be
/// non-null; confirm against the callers.
SymExpr::symbol_iterator::symbol_iterator(const SymExpr *SE) {
  itr.push_back(SE);
  for (; !isa<SymbolData>(itr.back()); )
    expand();
}
122 
/// Advance to the next SymbolData leaf.
///
/// Drops the current leaf from the stack; if anything is left, expands the
/// new top entry until it is a SymbolData. An empty stack is the 'end' state.
SymExpr::symbol_iterator &SymExpr::symbol_iterator::operator++() {
  assert(!itr.empty() && "attempting to iterate on an 'end' iterator");
  assert(isa<SymbolData>(itr.back()));

  itr.pop_back();
  if (itr.empty())
    return *this;

  for (; !isa<SymbolData>(itr.back()); )
    expand();
  return *this;
}
131 
/// Return the SymbolData currently on top of the stack.
///
/// The emptiness check is an assert only, so dereferencing an 'end' iterator
/// is not caught in builds where asserts are compiled out.
SymbolRef SymExpr::symbol_iterator::operator*() {
  assert(!itr.empty() && "attempting to dereference an 'end' iterator");
  const SymExpr *Top = itr.back();
  return cast<SymbolData>(Top);
}
136 
/// Replace the top stack entry by its symbolic sub-expressions.
///
/// The top entry is popped unconditionally. Leaf kinds push nothing; a cast
/// pushes its operand; a symbol/integer expression pushes its symbolic side;
/// a symbol/symbol expression pushes the left side and then the right side,
/// so the right side ends up on top and is visited first.
void SymExpr::symbol_iterator::expand() {
  const SymExpr *Top = itr.back();
  itr.pop_back();

  switch (Top->getKind()) {
    // Leaves: nothing to push.
    case SymExpr::RegionValueKind:
    case SymExpr::ConjuredKind:
    case SymExpr::DerivedKind:
    case SymExpr::ExtentKind:
    case SymExpr::MetadataKind:
      return;

    case SymExpr::CastSymbolKind: {
      const SymbolCast *Cast = cast<SymbolCast>(Top);
      itr.push_back(Cast->getOperand());
      return;
    }

    case SymExpr::SymIntKind: {
      const SymIntExpr *WithIntRHS = cast<SymIntExpr>(Top);
      itr.push_back(WithIntRHS->getLHS());
      return;
    }

    case SymExpr::IntSymKind: {
      const IntSymExpr *WithIntLHS = cast<IntSymExpr>(Top);
      itr.push_back(WithIntLHS->getRHS());
      return;
    }

    case SymExpr::SymSymKind: {
      const SymSymExpr *Binary = cast<SymSymExpr>(Top);
      itr.push_back(Binary->getLHS());
      itr.push_back(Binary->getRHS());
      return;
    }
  }
  llvm_unreachable("unhandled expansion case");
}
166 
/// Return the SymbolRegionValue for region \p R, creating it on first use.
///
/// The symbol is looked up in DataSet by its FoldingSetNodeID profile. On a
/// miss a new node is allocated from BPAlloc, constructed in place with the
/// current SymbolCounter as its id, inserted at the position the lookup
/// reported, and the counter is advanced.
const SymbolRegionValue*
SymbolManager::getRegionValueSymbol(const TypedValueRegion* R) {
  llvm::FoldingSetNodeID ID;
  SymbolRegionValue::Profile(ID, R);

  void *Where;
  if (SymExpr *Existing = DataSet.FindNodeOrInsertPos(ID, Where))
    return cast<SymbolRegionValue>(Existing);

  SymExpr *Fresh = static_cast<SymExpr*>(BPAlloc.Allocate<SymbolRegionValue>());
  new (Fresh) SymbolRegionValue(SymbolCounter, R);
  DataSet.InsertNode(Fresh, Where);
  ++SymbolCounter;
  return cast<SymbolRegionValue>(Fresh);
}
182 
/// Return the SymbolConjured identified by (\p E, \p T, \p Count,
/// \p SymbolTag), creating it on first use.
///
/// All four values take part in the FoldingSet profile, so two requests
/// yield the same symbol only when all four match. A new symbol receives the
/// current SymbolCounter as its id and the counter is then advanced.
const SymbolConjured*
SymbolManager::getConjuredSymbol(const Stmt *E, QualType T, unsigned Count,
                                 const void *SymbolTag) {
  llvm::FoldingSetNodeID ID;
  SymbolConjured::Profile(ID, E, T, Count, SymbolTag);

  void *Where;
  if (SymExpr *Existing = DataSet.FindNodeOrInsertPos(ID, Where))
    return cast<SymbolConjured>(Existing);

  SymExpr *Fresh = static_cast<SymExpr*>(BPAlloc.Allocate<SymbolConjured>());
  new (Fresh) SymbolConjured(SymbolCounter, E, T, Count, SymbolTag);
  DataSet.InsertNode(Fresh, Where);
  ++SymbolCounter;
  return cast<SymbolConjured>(Fresh);
}
200 
/// Return the SymbolDerived for (\p parentSymbol, \p R), creating it on
/// first use.
///
/// Lookup is by FoldingSet profile in DataSet. A new symbol receives the
/// current SymbolCounter as its id and the counter is then advanced.
const SymbolDerived*
SymbolManager::getDerivedSymbol(SymbolRef parentSymbol,
                                const TypedValueRegion *R) {
  llvm::FoldingSetNodeID ID;
  SymbolDerived::Profile(ID, parentSymbol, R);

  void *Where;
  if (SymExpr *Existing = DataSet.FindNodeOrInsertPos(ID, Where))
    return cast<SymbolDerived>(Existing);

  SymExpr *Fresh = static_cast<SymExpr*>(BPAlloc.Allocate<SymbolDerived>());
  new (Fresh) SymbolDerived(SymbolCounter, parentSymbol, R);
  DataSet.InsertNode(Fresh, Where);
  ++SymbolCounter;
  return cast<SymbolDerived>(Fresh);
}
218 
/// Return the SymbolExtent for region \p R, creating it on first use.
///
/// Lookup is by FoldingSet profile in DataSet. A new symbol receives the
/// current SymbolCounter as its id and the counter is then advanced.
const SymbolExtent*
SymbolManager::getExtentSymbol(const SubRegion *R) {
  llvm::FoldingSetNodeID ID;
  SymbolExtent::Profile(ID, R);

  void *Where;
  if (SymExpr *Existing = DataSet.FindNodeOrInsertPos(ID, Where))
    return cast<SymbolExtent>(Existing);

  SymExpr *Fresh = static_cast<SymExpr*>(BPAlloc.Allocate<SymbolExtent>());
  new (Fresh) SymbolExtent(SymbolCounter, R);
  DataSet.InsertNode(Fresh, Where);
  ++SymbolCounter;
  return cast<SymbolExtent>(Fresh);
}
234 
/// Return the SymbolMetadata identified by (\p R, \p S, \p T, \p Count,
/// \p SymbolTag), creating it on first use.
///
/// All five values take part in the FoldingSet profile. A new symbol
/// receives the current SymbolCounter as its id and the counter is then
/// advanced.
const SymbolMetadata*
SymbolManager::getMetadataSymbol(const MemRegion* R, const Stmt *S, QualType T,
                                 unsigned Count, const void *SymbolTag) {
  llvm::FoldingSetNodeID ID;
  SymbolMetadata::Profile(ID, R, S, T, Count, SymbolTag);

  void *Where;
  if (SymExpr *Existing = DataSet.FindNodeOrInsertPos(ID, Where))
    return cast<SymbolMetadata>(Existing);

  SymExpr *Fresh = static_cast<SymExpr*>(BPAlloc.Allocate<SymbolMetadata>());
  new (Fresh) SymbolMetadata(SymbolCounter, R, S, T, Count, SymbolTag);
  DataSet.InsertNode(Fresh, Where);
  ++SymbolCounter;
  return cast<SymbolMetadata>(Fresh);
}
252 
/// Return the SymbolCast of \p Op from type \p From to type \p To, creating
/// it on first use.
///
/// Unlike the SymbolData getters, no symbol id is assigned here and
/// SymbolCounter is left untouched.
const SymbolCast*
SymbolManager::getCastSymbol(const SymExpr *Op,
                             QualType From, QualType To) {
  llvm::FoldingSetNodeID Key;
  SymbolCast::Profile(Key, Op, From, To);

  void *Where;
  if (SymExpr *Existing = DataSet.FindNodeOrInsertPos(Key, Where))
    return cast<SymbolCast>(Existing);

  SymExpr *Fresh = static_cast<SymExpr*>(BPAlloc.Allocate<SymbolCast>());
  new (Fresh) SymbolCast(Op, From, To);
  DataSet.InsertNode(Fresh, Where);
  return cast<SymbolCast>(Fresh);
}
268 
/// Return the expression "\p lhs \p op \p v" of type \p t, creating it on
/// first use.
///
/// Lookup is by FoldingSet profile in DataSet; no symbol id is assigned.
const SymIntExpr *SymbolManager::getSymIntExpr(const SymExpr *lhs,
                                               BinaryOperator::Opcode op,
                                               const llvm::APSInt& v,
                                               QualType t) {
  llvm::FoldingSetNodeID Key;
  SymIntExpr::Profile(Key, lhs, op, v, t);

  void *Where;
  if (SymExpr *Existing = DataSet.FindNodeOrInsertPos(Key, Where))
    return cast<SymIntExpr>(Existing);

  SymExpr *Fresh = static_cast<SymExpr*>(BPAlloc.Allocate<SymIntExpr>());
  new (Fresh) SymIntExpr(lhs, op, v, t);
  DataSet.InsertNode(Fresh, Where);
  return cast<SymIntExpr>(Fresh);
}
286 
/// Return the expression "\p lhs \p op \p rhs" of type \p t, where the left
/// operand is the integer constant, creating it on first use.
///
/// Lookup is by FoldingSet profile in DataSet; no symbol id is assigned.
const IntSymExpr *SymbolManager::getIntSymExpr(const llvm::APSInt& lhs,
                                               BinaryOperator::Opcode op,
                                               const SymExpr *rhs,
                                               QualType t) {
  llvm::FoldingSetNodeID Key;
  IntSymExpr::Profile(Key, lhs, op, rhs, t);

  void *Where;
  if (SymExpr *Existing = DataSet.FindNodeOrInsertPos(Key, Where))
    return cast<IntSymExpr>(Existing);

  SymExpr *Fresh = static_cast<SymExpr*>(BPAlloc.Allocate<IntSymExpr>());
  new (Fresh) IntSymExpr(lhs, op, rhs, t);
  DataSet.InsertNode(Fresh, Where);
  return cast<IntSymExpr>(Fresh);
}
304 
/// Return the expression "\p lhs \p op \p rhs" of type \p t over two symbolic
/// operands, creating it on first use.
///
/// Lookup is by FoldingSet profile in DataSet; no symbol id is assigned.
const SymSymExpr *SymbolManager::getSymSymExpr(const SymExpr *lhs,
                                               BinaryOperator::Opcode op,
                                               const SymExpr *rhs,
                                               QualType t) {
  llvm::FoldingSetNodeID Key;
  SymSymExpr::Profile(Key, lhs, op, rhs, t);

  void *Where;
  if (SymExpr *Existing = DataSet.FindNodeOrInsertPos(Key, Where))
    return cast<SymSymExpr>(Existing);

  SymExpr *Fresh = static_cast<SymExpr*>(BPAlloc.Allocate<SymSymExpr>());
  new (Fresh) SymSymExpr(lhs, op, rhs, t);
  DataSet.InsertNode(Fresh, Where);
  return cast<SymSymExpr>(Fresh);
}
322 
/// Return the type stored in this symbol; the ASTContext is not consulted.
QualType SymbolConjured::getType(ASTContext&) const {
  const QualType Stored = T;
  return Stored;
}
326 
/// Return the value type of the region this symbol was derived for;
/// \p Ctx is not consulted.
QualType SymbolDerived::getType(ASTContext &Ctx) const {
  const QualType RegionValueTy = R->getValueType();
  return RegionValueTy;
}
330 
/// An extent is always typed as the size type reported by \p Ctx.
QualType SymbolExtent::getType(ASTContext &Ctx) const {
  const QualType SizeTy = Ctx.getSizeType();
  return SizeTy;
}
334 
/// Return the type stored in this symbol; the ASTContext is not consulted.
QualType SymbolMetadata::getType(ASTContext&) const {
  const QualType Stored = T;
  return Stored;
}
338 
/// Return the value type of the underlying region; \p C is not consulted.
QualType SymbolRegionValue::getType(ASTContext &C) const {
  const QualType RegionValueTy = R->getValueType();
  return RegionValueTy;
}
342 
/// Free the dependency vectors owned by SymbolDependencies.
///
/// Those vectors are created with plain new in addSymbolDependency, so they
/// are released here one by one. Nothing else is released by this destructor.
SymbolManager::~SymbolManager() {
  SymbolDependTy::const_iterator Cur = SymbolDependencies.begin();
  const SymbolDependTy::const_iterator End = SymbolDependencies.end();
  while (Cur != End) {
    delete Cur->second;
    ++Cur;
  }
}
350 
/// Decide whether a value of type \p T can be represented by a symbol.
///
/// Works on the canonical type. Location types qualify; integer types
/// qualify when they are also scalar; record types qualify unless they are
/// unions. Every other type is rejected.
bool SymbolManager::canSymbolicate(QualType T) {
  const QualType Canon = T.getCanonicalType();

  if (Loc::isLocType(Canon))
    return true;

  if (Canon->isIntegerType())
    return Canon->isScalarType();

  return Canon->isRecordType() && !Canon->isUnionType();
}
365 
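/// Record that \p Dependent must be kept alive whenever \p Primary is alive.
///
/// The per-primary vector is created lazily and is owned by this manager
/// (it is deleted in ~SymbolManager). The same dependent may be appended more
/// than once; no de-duplication is done.
void SymbolManager::addSymbolDependency(const SymbolRef Primary,
                                        const SymbolRef Dependent) {
  // One lookup: operator[] value-initializes a missing slot to a null
  // pointer, which doubles as the "no vector yet" marker.
  SymbolRefSmallVectorTy *&Slot = SymbolDependencies[Primary];
  if (!Slot)
    Slot = new SymbolRefSmallVectorTy();
  Slot->push_back(Dependent);
}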
378 
/// Return the dependents recorded for \p Primary, or null when none were
/// ever added. The returned vector stays owned by this manager.
const SymbolRefSmallVectorTy *SymbolManager::getDependentSymbols(
                                                     const SymbolRef Primary) {
  SymbolDependTy::const_iterator Found = SymbolDependencies.find(Primary);
  const bool Missing = (Found == SymbolDependencies.end());
  return Missing ? 0 : Found->second;
}
386 
/// Mark every symbol that depends on the live symbol \p sym as live too.
///
/// \p sym must already be in TheLiving; that is checked by an assert only, so
/// builds without asserts dereference the end iterator if the precondition is
/// violated. The entry's state is switched to HaveMarkedDependents before the
/// dependents are visited, so each primary symbol is processed at most once.
void SymbolReaper::markDependentsLive(SymbolRef sym) {
  SymbolMapTy::iterator Entry = TheLiving.find(sym);
  assert(Entry != TheLiving.end() && "The primary symbol is not live.");

  // Do not mark dependents more than once.
  if (Entry->second == HaveMarkedDependents)
    return;
  Entry->second = HaveMarkedDependents;
  // Entry is not used past this point: markLive below inserts into TheLiving.

  const SymbolRefSmallVectorTy *Deps = SymMgr.getDependentSymbols(sym);
  if (!Deps)
    return;

  for (SymbolRefSmallVectorTy::const_iterator I = Deps->begin(),
                                              E = Deps->end(); I != E; ++I) {
    // Dependents that are already live need no further work.
    if (TheLiving.find(*I) == TheLiving.end())
      markLive(*I);
  }
}
404 
/// Mark \p sym as live, withdraw it from the dead set, and propagate
/// liveness to its dependents.
///
/// The entry in TheLiving is reset to NotProcessed even if the symbol was
/// already present, so its dependents are walked again by the call below.
void SymbolReaper::markLive(SymbolRef sym) {
  TheDead.erase(sym);
  TheLiving[sym] = NotProcessed;
  // Requires the TheLiving entry written just above.
  markDependentsLive(sym);
}
410 
/// Record \p region as a liveness root; isLiveRegion reports such regions
/// as live without further checks.
void SymbolReaper::markLive(const MemRegion *region) {
  const MemRegion *Root = region;
  RegionRoots.insert(Root);
}
414 
/// Note that the metadata symbol \p sym is still referenced.
///
/// Only SymbolMetadata is tracked; any other kind of symbol is ignored.
/// isLive(SymbolRef) considers a metadata symbol only if it was noted here.
void SymbolReaper::markInUse(SymbolRef sym) {
  if (!isa<SymbolMetadata>(sym))
    return;
  MetadataInUse.insert(sym);
}
419 
/// Add \p sym to the dead set unless it is live.
///
/// \returns true when the symbol was put in TheDead, false when isLive
/// reported it as live. Note that isLive may itself update the live set.
bool SymbolReaper::maybeDead(SymbolRef sym) {
  const bool Alive = isLive(sym);
  if (!Alive)
    TheDead.insert(sym);
  return !Alive;
}
427 
/// Decide whether memory region \p MR is live.
///
/// A region registered as a root is live. Otherwise the decision is made on
/// the base region: a symbolic region is as live as its symbol, a variable
/// region is checked with store bindings included, and alloca, 'this' and
/// memory-space regions are always reported live. Anything else is dead.
bool SymbolReaper::isLiveRegion(const MemRegion *MR) {
  if (RegionRoots.count(MR))
    return true;

  const MemRegion *Base = MR->getBaseRegion();

  if (const SymbolicRegion *Symbolic = dyn_cast<SymbolicRegion>(Base))
    return isLive(Symbolic->getSymbol());

  if (const VarRegion *Var = dyn_cast<VarRegion>(Base))
    return isLive(Var, true);

  // FIXME: This is a gross over-approximation. What we really need is a way to
  // tell if anything still refers to this region. Unlike SymbolicRegions,
  // AllocaRegions don't have associated symbols, though, so we don't actually
  // have a way to track their liveness.
  const bool AlwaysLive = isa<AllocaRegion>(Base) ||
                          isa<CXXThisRegion>(Base) ||
                          isa<MemSpaceRegion>(Base);
  return AlwaysLive;
}
455 
/// Decide whether \p sym is live, updating the live set as a side effect.
///
/// - A symbol already in TheLiving is live; its dependents are marked.
/// - A derived symbol is live iff its parent symbol is live.
/// - An extent symbol is live iff its region is live.
/// - A metadata symbol is live iff it was noted by markInUse and its region
///   is live; once marked live it is removed from MetadataInUse.
/// - Any other symbol is live only if it is a SymbolRegionValue.
/// In the three middle cases a positive answer also calls markLive(sym).
bool SymbolReaper::isLive(SymbolRef sym) {
  if (TheLiving.count(sym)) {
    markDependentsLive(sym);
    return true;
  }

  if (const SymbolDerived *Derived = dyn_cast<SymbolDerived>(sym)) {
    if (!isLive(Derived->getParentSymbol()))
      return false;
    markLive(sym);
    return true;
  }

  if (const SymbolExtent *Extent = dyn_cast<SymbolExtent>(sym)) {
    if (!isLiveRegion(Extent->getRegion()))
      return false;
    markLive(sym);
    return true;
  }

  if (const SymbolMetadata *Meta = dyn_cast<SymbolMetadata>(sym)) {
    // The region is only queried for metadata that is known to be in use.
    if (!MetadataInUse.count(sym) || !isLiveRegion(Meta->getRegion()))
      return false;
    markLive(sym);
    MetadataInUse.erase(sym);
    return true;
  }

  // Interrogate the symbol.  It may derive from an input value to
  // the analyzed function/method.
  return isa<SymbolRegionValue>(sym);
}
493 
/// Ask the RelaxedLiveVariables analysis of the current location context
/// whether expression \p ExprVal is live at Loc.
bool SymbolReaper::isLive(const Stmt *ExprVal) const {
  const bool Live =
    LCtx->getAnalysis<RelaxedLiveVariables>()->isLive(Loc, ExprVal);
  return Live;
}
497 
/// Decide whether variable region \p VR is live.
///
/// A variable of another stack frame is live iff its frame is a parent of the
/// current one. A variable of the current frame is live if the
/// RelaxedLiveVariables analysis says so at Loc; failing that, and only when
/// \p includeStoreBindings is set, the store is asked whether the region
/// occurs in any binding.
///
/// The store answer is memoized in includedRegionCache: 0 means not asked
/// yet, 1 means included, 2 means not included. The cache is written through
/// a const_cast because this method is const. When there is no store, the
/// result is false and nothing is cached.
bool SymbolReaper::isLive(const VarRegion *VR, bool includeStoreBindings) const{
  const StackFrameContext *VarFrame = VR->getStackFrame();
  const StackFrameContext *CurFrame = LCtx->getCurrentStackFrame();

  if (VarFrame != CurFrame)
    return VarFrame->isParentOf(CurFrame);

  if (LCtx->getAnalysis<RelaxedLiveVariables>()->isLive(Loc, VR->getDecl()))
    return true;

  if (!includeStoreBindings)
    return false;

  // operator[] creates a zero ("not asked yet") slot on first access.
  unsigned &Cached =
    const_cast<SymbolReaper*>(this)->includedRegionCache[VR];
  if (Cached)
    return Cached == 1;

  // Query the store to see if the region occurs in any live bindings.
  Store Bindings = reapedStore.getStore();
  if (!Bindings)
    return false;

  const bool Included =
    reapedStore.getStoreManager().includedInBindings(Bindings, VR);
  Cached = Included ? 1 : 2;
  return Included;
}
529 
/// Out-of-line destructor with an empty body.
SymbolVisitor::~SymbolVisitor() {
}
531