/Users/buildslave/jenkins/workspace/coverage/llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | //=-- ExprEngineC.cpp - ExprEngine support for C expressions ----*- C++ -*-===// |
2 | | // |
3 | | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
4 | | // See https://llvm.org/LICENSE.txt for license information. |
5 | | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
6 | | // |
7 | | //===----------------------------------------------------------------------===// |
8 | | // |
9 | | // This file defines ExprEngine's support for C expressions. |
10 | | // |
11 | | //===----------------------------------------------------------------------===// |
12 | | |
13 | | #include "clang/AST/ExprCXX.h" |
14 | | #include "clang/AST/DeclCXX.h" |
15 | | #include "clang/StaticAnalyzer/Core/CheckerManager.h" |
16 | | #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" |
17 | | |
18 | | using namespace clang; |
19 | | using namespace ento; |
20 | | using llvm::APSInt; |
21 | | |
22 | | /// Optionally conjure and return a symbol for offset when processing |
23 | | /// an expression \p Expression. |
24 | | /// If \p Other is a location, conjure a symbol for \p Symbol |
25 | | /// (offset) if it is unknown so that memory arithmetic always |
26 | | /// results in an ElementRegion. |
27 | | /// \p Count The number of times the current basic block was visited. |
28 | | static SVal conjureOffsetSymbolOnLocation( |
29 | | SVal Symbol, SVal Other, Expr* Expression, SValBuilder &svalBuilder, |
30 | 26.5k | unsigned Count, const LocationContext *LCtx) { |
31 | 26.5k | QualType Ty = Expression->getType(); |
32 | 26.5k | if (Other.getAs<Loc>() && |
33 | 26.5k | Ty->isIntegralOrEnumerationType()10.0k && |
34 | 26.5k | Symbol.isUnknown()9.94k ) { |
35 | 0 | return svalBuilder.conjureSymbolVal(Expression, LCtx, Ty, Count); |
36 | 0 | } |
37 | 26.5k | return Symbol; |
38 | 26.5k | } |
39 | | |
40 | | void ExprEngine::VisitBinaryOperator(const BinaryOperator* B, |
41 | | ExplodedNode *Pred, |
42 | 72.9k | ExplodedNodeSet &Dst) { |
43 | 72.9k | |
44 | 72.9k | Expr *LHS = B->getLHS()->IgnoreParens(); |
45 | 72.9k | Expr *RHS = B->getRHS()->IgnoreParens(); |
46 | 72.9k | |
47 | 72.9k | // FIXME: Prechecks eventually go in ::Visit(). |
48 | 72.9k | ExplodedNodeSet CheckedSet; |
49 | 72.9k | ExplodedNodeSet Tmp2; |
50 | 72.9k | getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, B, *this); |
51 | 72.9k | |
52 | 72.9k | // With both the LHS and RHS evaluated, process the operation itself. |
53 | 72.9k | for (ExplodedNodeSet::iterator it=CheckedSet.begin(), ei=CheckedSet.end(); |
54 | 145k | it != ei; ++it72.8k ) { |
55 | 72.8k | |
56 | 72.8k | ProgramStateRef state = (*it)->getState(); |
57 | 72.8k | const LocationContext *LCtx = (*it)->getLocationContext(); |
58 | 72.8k | SVal LeftV = state->getSVal(LHS, LCtx); |
59 | 72.8k | SVal RightV = state->getSVal(RHS, LCtx); |
60 | 72.8k | |
61 | 72.8k | BinaryOperator::Opcode Op = B->getOpcode(); |
62 | 72.8k | |
63 | 72.8k | if (Op == BO_Assign) { |
64 | 21.8k | // EXPERIMENTAL: "Conjured" symbols. |
65 | 21.8k | // FIXME: Handle structs. |
66 | 21.8k | if (RightV.isUnknown()) { |
67 | 4.12k | unsigned Count = currBldrCtx->blockCount(); |
68 | 4.12k | RightV = svalBuilder.conjureSymbolVal(nullptr, B->getRHS(), LCtx, |
69 | 4.12k | Count); |
70 | 4.12k | } |
71 | 21.8k | // Simulate the effects of a "store": bind the value of the RHS |
72 | 21.8k | // to the L-Value represented by the LHS. |
73 | 21.8k | SVal ExprVal = B->isGLValue() ? LeftV14.7k : RightV7.11k ; |
74 | 21.8k | evalStore(Tmp2, B, LHS, *it, state->BindExpr(B, LCtx, ExprVal), |
75 | 21.8k | LeftV, RightV); |
76 | 21.8k | continue; |
77 | 21.8k | } |
78 | 50.9k | |
79 | 50.9k | if (!B->isAssignmentOp()) { |
80 | 50.1k | StmtNodeBuilder Bldr(*it, Tmp2, *currBldrCtx); |
81 | 50.1k | |
82 | 50.1k | if (B->isAdditiveOp()) { |
83 | 13.2k | // TODO: This can be removed after we enable history tracking with |
84 | 13.2k | // SymSymExpr. |
85 | 13.2k | unsigned Count = currBldrCtx->blockCount(); |
86 | 13.2k | RightV = conjureOffsetSymbolOnLocation( |
87 | 13.2k | RightV, LeftV, RHS, svalBuilder, Count, LCtx); |
88 | 13.2k | LeftV = conjureOffsetSymbolOnLocation( |
89 | 13.2k | LeftV, RightV, LHS, svalBuilder, Count, LCtx); |
90 | 13.2k | } |
91 | 50.1k | |
92 | 50.1k | // Although we don't yet model pointers-to-members, we do need to make |
93 | 50.1k | // sure that the members of temporaries have a valid 'this' pointer for |
94 | 50.1k | // other checks. |
95 | 50.1k | if (B->getOpcode() == BO_PtrMemD) |
96 | 18 | state = createTemporaryRegionIfNeeded(state, LCtx, LHS); |
97 | 50.1k | |
98 | 50.1k | // Process non-assignments except commas or short-circuited |
99 | 50.1k | // logical expressions (LAnd and LOr). |
100 | 50.1k | SVal Result = evalBinOp(state, Op, LeftV, RightV, B->getType()); |
101 | 50.1k | if (!Result.isUnknown()) { |
102 | 49.3k | state = state->BindExpr(B, LCtx, Result); |
103 | 49.3k | } else { |
104 | 804 | // If we cannot evaluate the operation escape the operands. |
105 | 804 | state = escapeValues(state, LeftV, PSK_EscapeOther); |
106 | 804 | state = escapeValues(state, RightV, PSK_EscapeOther); |
107 | 804 | } |
108 | 50.1k | |
109 | 50.1k | Bldr.generateNode(B, *it, state); |
110 | 50.1k | continue; |
111 | 50.1k | } |
112 | 737 | |
113 | 737 | assert (B->isCompoundAssignmentOp()); |
114 | 737 | |
115 | 737 | switch (Op) { |
116 | 0 | default: |
117 | 0 | llvm_unreachable("Invalid opcode for compound assignment."); |
118 | 32 | case BO_MulAssign: Op = BO_Mul; break; |
119 | 29 | case BO_DivAssign: Op = BO_Div; break; |
120 | 12 | case BO_RemAssign: Op = BO_Rem; break; |
121 | 363 | case BO_AddAssign: Op = BO_Add; break; |
122 | 170 | case BO_SubAssign: Op = BO_Sub; break; |
123 | 20 | case BO_ShlAssign: Op = BO_Shl; break; |
124 | 8 | case BO_ShrAssign: Op = BO_Shr; break; |
125 | 17 | case BO_AndAssign: Op = BO_And; break; |
126 | 66 | case BO_XorAssign: Op = BO_Xor; break; |
127 | 20 | case BO_OrAssign: Op = BO_Or; break; |
128 | 737 | } |
129 | 737 | |
130 | 737 | // Perform a load (the LHS). This performs the checks for |
131 | 737 | // null dereferences, and so on. |
132 | 737 | ExplodedNodeSet Tmp; |
133 | 737 | SVal location = LeftV; |
134 | 737 | evalLoad(Tmp, B, LHS, *it, state, location); |
135 | 737 | |
136 | 1.47k | for (ExplodedNodeSet::iterator I = Tmp.begin(), E = Tmp.end(); I != E; |
137 | 737 | ++I735 ) { |
138 | 735 | |
139 | 735 | state = (*I)->getState(); |
140 | 735 | const LocationContext *LCtx = (*I)->getLocationContext(); |
141 | 735 | SVal V = state->getSVal(LHS, LCtx); |
142 | 735 | |
143 | 735 | // Get the computation type. |
144 | 735 | QualType CTy = |
145 | 735 | cast<CompoundAssignOperator>(B)->getComputationResultType(); |
146 | 735 | CTy = getContext().getCanonicalType(CTy); |
147 | 735 | |
148 | 735 | QualType CLHSTy = |
149 | 735 | cast<CompoundAssignOperator>(B)->getComputationLHSType(); |
150 | 735 | CLHSTy = getContext().getCanonicalType(CLHSTy); |
151 | 735 | |
152 | 735 | QualType LTy = getContext().getCanonicalType(LHS->getType()); |
153 | 735 | |
154 | 735 | // Promote LHS. |
155 | 735 | V = svalBuilder.evalCast(V, CLHSTy, LTy); |
156 | 735 | |
157 | 735 | // Compute the result of the operation. |
158 | 735 | SVal Result = svalBuilder.evalCast(evalBinOp(state, Op, V, RightV, CTy), |
159 | 735 | B->getType(), CTy); |
160 | 735 | |
161 | 735 | // EXPERIMENTAL: "Conjured" symbols. |
162 | 735 | // FIXME: Handle structs. |
163 | 735 | |
164 | 735 | SVal LHSVal; |
165 | 735 | |
166 | 735 | if (Result.isUnknown()) { |
167 | 113 | // The symbolic value is actually for the type of the left-hand side |
168 | 113 | // expression, not the computation type, as this is the value the |
169 | 113 | // LValue on the LHS will bind to. |
170 | 113 | LHSVal = svalBuilder.conjureSymbolVal(nullptr, B->getRHS(), LCtx, LTy, |
171 | 113 | currBldrCtx->blockCount()); |
172 | 113 | // However, we need to convert the symbol to the computation type. |
173 | 113 | Result = svalBuilder.evalCast(LHSVal, CTy, LTy); |
174 | 113 | } |
175 | 622 | else { |
176 | 622 | // The left-hand side may bind to a different value then the |
177 | 622 | // computation type. |
178 | 622 | LHSVal = svalBuilder.evalCast(Result, LTy, CTy); |
179 | 622 | } |
180 | 735 | |
181 | 735 | // In C++, assignment and compound assignment operators return an |
182 | 735 | // lvalue. |
183 | 735 | if (B->isGLValue()) |
184 | 164 | state = state->BindExpr(B, LCtx, location); |
185 | 571 | else |
186 | 571 | state = state->BindExpr(B, LCtx, Result); |
187 | 735 | |
188 | 735 | evalStore(Tmp2, B, LHS, *I, state, location, LHSVal); |
189 | 735 | } |
190 | 737 | } |
191 | 72.9k | |
192 | 72.9k | // FIXME: postvisits eventually go in ::Visit() |
193 | 72.9k | getCheckerManager().runCheckersForPostStmt(Dst, Tmp2, B, *this); |
194 | 72.9k | } |
195 | | |
196 | | void ExprEngine::VisitBlockExpr(const BlockExpr *BE, ExplodedNode *Pred, |
197 | 376 | ExplodedNodeSet &Dst) { |
198 | 376 | |
199 | 376 | CanQualType T = getContext().getCanonicalType(BE->getType()); |
200 | 376 | |
201 | 376 | const BlockDecl *BD = BE->getBlockDecl(); |
202 | 376 | // Get the value of the block itself. |
203 | 376 | SVal V = svalBuilder.getBlockPointer(BD, T, |
204 | 376 | Pred->getLocationContext(), |
205 | 376 | currBldrCtx->blockCount()); |
206 | 376 | |
207 | 376 | ProgramStateRef State = Pred->getState(); |
208 | 376 | |
209 | 376 | // If we created a new MemRegion for the block, we should explicitly bind |
210 | 376 | // the captured variables. |
211 | 376 | if (const BlockDataRegion *BDR = |
212 | 376 | dyn_cast_or_null<BlockDataRegion>(V.getAsRegion())) { |
213 | 376 | |
214 | 376 | BlockDataRegion::referenced_vars_iterator I = BDR->referenced_vars_begin(), |
215 | 376 | E = BDR->referenced_vars_end(); |
216 | 376 | |
217 | 376 | auto CI = BD->capture_begin(); |
218 | 376 | auto CE = BD->capture_end(); |
219 | 690 | for (; I != E; ++I314 ) { |
220 | 314 | const VarRegion *capturedR = I.getCapturedRegion(); |
221 | 314 | const VarRegion *originalR = I.getOriginalRegion(); |
222 | 314 | |
223 | 314 | // If the capture had a copy expression, use the result of evaluating |
224 | 314 | // that expression, otherwise use the original value. |
225 | 314 | // We rely on the invariant that the block declaration's capture variables |
226 | 314 | // are a prefix of the BlockDataRegion's referenced vars (which may include |
227 | 314 | // referenced globals, etc.) to enable fast lookup of the capture for a |
228 | 314 | // given referenced var. |
229 | 314 | const Expr *copyExpr = nullptr; |
230 | 314 | if (CI != CE) { |
231 | 274 | assert(CI->getVariable() == capturedR->getDecl()); |
232 | 274 | copyExpr = CI->getCopyExpr(); |
233 | 274 | CI++; |
234 | 274 | } |
235 | 314 | |
236 | 314 | if (capturedR != originalR) { |
237 | 202 | SVal originalV; |
238 | 202 | const LocationContext *LCtx = Pred->getLocationContext(); |
239 | 202 | if (copyExpr) { |
240 | 10 | originalV = State->getSVal(copyExpr, LCtx); |
241 | 192 | } else { |
242 | 192 | originalV = State->getSVal(loc::MemRegionVal(originalR)); |
243 | 192 | } |
244 | 202 | State = State->bindLoc(loc::MemRegionVal(capturedR), originalV, LCtx); |
245 | 202 | } |
246 | 314 | } |
247 | 376 | } |
248 | 376 | |
249 | 376 | ExplodedNodeSet Tmp; |
250 | 376 | StmtNodeBuilder Bldr(Pred, Tmp, *currBldrCtx); |
251 | 376 | Bldr.generateNode(BE, Pred, |
252 | 376 | State->BindExpr(BE, Pred->getLocationContext(), V), |
253 | 376 | nullptr, ProgramPoint::PostLValueKind); |
254 | 376 | |
255 | 376 | // FIXME: Move all post/pre visits to ::Visit(). |
256 | 376 | getCheckerManager().runCheckersForPostStmt(Dst, Tmp, BE, *this); |
257 | 376 | } |
258 | | |
259 | | ProgramStateRef ExprEngine::handleLValueBitCast( |
260 | | ProgramStateRef state, const Expr* Ex, const LocationContext* LCtx, |
261 | | QualType T, QualType ExTy, const CastExpr* CastE, StmtNodeBuilder& Bldr, |
262 | 66.4k | ExplodedNode* Pred) { |
263 | 66.4k | if (T->isLValueReferenceType()) { |
264 | 6 | assert(!CastE->getType()->isLValueReferenceType()); |
265 | 6 | ExTy = getContext().getLValueReferenceType(ExTy); |
266 | 66.4k | } else if (T->isRValueReferenceType()) { |
267 | 1 | assert(!CastE->getType()->isRValueReferenceType()); |
268 | 1 | ExTy = getContext().getRValueReferenceType(ExTy); |
269 | 1 | } |
270 | 66.4k | // Delegate to SValBuilder to process. |
271 | 66.4k | SVal OrigV = state->getSVal(Ex, LCtx); |
272 | 66.4k | SVal V = svalBuilder.evalCast(OrigV, T, ExTy); |
273 | 66.4k | // Negate the result if we're treating the boolean as a signed i1 |
274 | 66.4k | if (CastE->getCastKind() == CK_BooleanToSignedIntegral) |
275 | 0 | V = evalMinus(V); |
276 | 66.4k | state = state->BindExpr(CastE, LCtx, V); |
277 | 66.4k | if (V.isUnknown() && !OrigV.isUnknown()6.54k ) { |
278 | 241 | state = escapeValues(state, OrigV, PSK_EscapeOther); |
279 | 241 | } |
280 | 66.4k | Bldr.generateNode(CastE, Pred, state); |
281 | 66.4k | |
282 | 66.4k | return state; |
283 | 66.4k | } |
284 | | |
285 | | ProgramStateRef ExprEngine::handleLVectorSplat( |
286 | | ProgramStateRef state, const LocationContext* LCtx, const CastExpr* CastE, |
287 | 0 | StmtNodeBuilder &Bldr, ExplodedNode* Pred) { |
288 | 0 | // Recover some path sensitivity by conjuring a new value. |
289 | 0 | QualType resultType = CastE->getType(); |
290 | 0 | if (CastE->isGLValue()) |
291 | 0 | resultType = getContext().getPointerType(resultType); |
292 | 0 | SVal result = svalBuilder.conjureSymbolVal(nullptr, CastE, LCtx, |
293 | 0 | resultType, |
294 | 0 | currBldrCtx->blockCount()); |
295 | 0 | state = state->BindExpr(CastE, LCtx, result); |
296 | 0 | Bldr.generateNode(CastE, Pred, state); |
297 | 0 |
|
298 | 0 | return state; |
299 | 0 | } |
300 | | |
301 | | void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex, |
302 | 384k | ExplodedNode *Pred, ExplodedNodeSet &Dst) { |
303 | 384k | |
304 | 384k | ExplodedNodeSet dstPreStmt; |
305 | 384k | getCheckerManager().runCheckersForPreStmt(dstPreStmt, Pred, CastE, *this); |
306 | 384k | |
307 | 384k | if (CastE->getCastKind() == CK_LValueToRValue) { |
308 | 170k | for (ExplodedNodeSet::iterator I = dstPreStmt.begin(), E = dstPreStmt.end(); |
309 | 340k | I!=E; ++I170k ) { |
310 | 170k | ExplodedNode *subExprNode = *I; |
311 | 170k | ProgramStateRef state = subExprNode->getState(); |
312 | 170k | const LocationContext *LCtx = subExprNode->getLocationContext(); |
313 | 170k | evalLoad(Dst, CastE, CastE, subExprNode, state, state->getSVal(Ex, LCtx)); |
314 | 170k | } |
315 | 170k | return; |
316 | 170k | } |
317 | 214k | |
318 | 214k | // All other casts. |
319 | 214k | QualType T = CastE->getType(); |
320 | 214k | QualType ExTy = Ex->getType(); |
321 | 214k | |
322 | 214k | if (const ExplicitCastExpr *ExCast=dyn_cast_or_null<ExplicitCastExpr>(CastE)) |
323 | 32.6k | T = ExCast->getTypeAsWritten(); |
324 | 214k | |
325 | 214k | StmtNodeBuilder Bldr(dstPreStmt, Dst, *currBldrCtx); |
326 | 214k | for (ExplodedNodeSet::iterator I = dstPreStmt.begin(), E = dstPreStmt.end(); |
327 | 429k | I != E; ++I214k ) { |
328 | 214k | |
329 | 214k | Pred = *I; |
330 | 214k | ProgramStateRef state = Pred->getState(); |
331 | 214k | const LocationContext *LCtx = Pred->getLocationContext(); |
332 | 214k | |
333 | 214k | switch (CastE->getCastKind()) { |
334 | 0 | case CK_LValueToRValue: |
335 | 0 | llvm_unreachable("LValueToRValue casts handled earlier."); |
336 | 822 | case CK_ToVoid: |
337 | 822 | continue; |
338 | 0 | // The analyzer doesn't do anything special with these casts, |
339 | 0 | // since it understands retain/release semantics already. |
340 | 109k | case CK_ARCProduceObject: |
341 | 109k | case CK_ARCConsumeObject: |
342 | 109k | case CK_ARCReclaimReturnedObject: |
343 | 109k | case CK_ARCExtendBlockObject: // Fall-through. |
344 | 109k | case CK_CopyAndAutoreleaseBlockObject: |
345 | 109k | // The analyser can ignore atomic casts for now, although some future |
346 | 109k | // checkers may want to make certain that you're not modifying the same |
347 | 109k | // value through atomic and nonatomic pointers. |
348 | 109k | case CK_AtomicToNonAtomic: |
349 | 109k | case CK_NonAtomicToAtomic: |
350 | 109k | // True no-ops. |
351 | 109k | case CK_NoOp: |
352 | 109k | case CK_ConstructorConversion: |
353 | 109k | case CK_UserDefinedConversion: |
354 | 109k | case CK_FunctionToPointerDecay: |
355 | 109k | case CK_BuiltinFnToFnPtr: { |
356 | 109k | // Copy the SVal of Ex to CastE. |
357 | 109k | ProgramStateRef state = Pred->getState(); |
358 | 109k | const LocationContext *LCtx = Pred->getLocationContext(); |
359 | 109k | SVal V = state->getSVal(Ex, LCtx); |
360 | 109k | state = state->BindExpr(CastE, LCtx, V); |
361 | 109k | Bldr.generateNode(CastE, Pred, state); |
362 | 109k | continue; |
363 | 109k | } |
364 | 109k | case CK_MemberPointerToBoolean: |
365 | 854 | case CK_PointerToBoolean: { |
366 | 854 | SVal V = state->getSVal(Ex, LCtx); |
367 | 854 | auto PTMSV = V.getAs<nonloc::PointerToMember>(); |
368 | 854 | if (PTMSV) |
369 | 6 | V = svalBuilder.makeTruthVal(!PTMSV->isNullMemberPointer(), ExTy); |
370 | 854 | if (V.isUndef() || PTMSV) { |
371 | 6 | state = state->BindExpr(CastE, LCtx, V); |
372 | 6 | Bldr.generateNode(CastE, Pred, state); |
373 | 6 | continue; |
374 | 6 | } |
375 | 848 | // Explicitly proceed with default handler for this case cascade. |
376 | 848 | state = |
377 | 848 | handleLValueBitCast(state, Ex, LCtx, T, ExTy, CastE, Bldr, Pred); |
378 | 848 | continue; |
379 | 848 | } |
380 | 34.9k | case CK_Dependent: |
381 | 34.9k | case CK_ArrayToPointerDecay: |
382 | 34.9k | case CK_BitCast: |
383 | 34.9k | case CK_LValueToRValueBitCast: |
384 | 34.9k | case CK_AddressSpaceConversion: |
385 | 34.9k | case CK_BooleanToSignedIntegral: |
386 | 34.9k | case CK_IntegralToPointer: |
387 | 34.9k | case CK_PointerToIntegral: { |
388 | 34.9k | SVal V = state->getSVal(Ex, LCtx); |
389 | 34.9k | if (V.getAs<nonloc::PointerToMember>()) { |
390 | 0 | state = state->BindExpr(CastE, LCtx, UnknownVal()); |
391 | 0 | Bldr.generateNode(CastE, Pred, state); |
392 | 0 | continue; |
393 | 0 | } |
394 | 34.9k | // Explicitly proceed with default handler for this case cascade. |
395 | 34.9k | state = |
396 | 34.9k | handleLValueBitCast(state, Ex, LCtx, T, ExTy, CastE, Bldr, Pred); |
397 | 34.9k | continue; |
398 | 34.9k | } |
399 | 34.9k | case CK_IntegralToBoolean: |
400 | 30.6k | case CK_IntegralToFloating: |
401 | 30.6k | case CK_FloatingToIntegral: |
402 | 30.6k | case CK_FloatingToBoolean: |
403 | 30.6k | case CK_FloatingCast: |
404 | 30.6k | case CK_FloatingRealToComplex: |
405 | 30.6k | case CK_FloatingComplexToReal: |
406 | 30.6k | case CK_FloatingComplexToBoolean: |
407 | 30.6k | case CK_FloatingComplexCast: |
408 | 30.6k | case CK_FloatingComplexToIntegralComplex: |
409 | 30.6k | case CK_IntegralRealToComplex: |
410 | 30.6k | case CK_IntegralComplexToReal: |
411 | 30.6k | case CK_IntegralComplexToBoolean: |
412 | 30.6k | case CK_IntegralComplexCast: |
413 | 30.6k | case CK_IntegralComplexToFloatingComplex: |
414 | 30.6k | case CK_CPointerToObjCPointerCast: |
415 | 30.6k | case CK_BlockPointerToObjCPointerCast: |
416 | 30.6k | case CK_AnyPointerToBlockPointerCast: |
417 | 30.6k | case CK_ObjCObjectLValueCast: |
418 | 30.6k | case CK_ZeroToOCLOpaqueType: |
419 | 30.6k | case CK_IntToOCLSampler: |
420 | 30.6k | case CK_LValueBitCast: |
421 | 30.6k | case CK_FixedPointCast: |
422 | 30.6k | case CK_FixedPointToBoolean: |
423 | 30.6k | case CK_FixedPointToIntegral: |
424 | 30.6k | case CK_IntegralToFixedPoint: { |
425 | 30.6k | state = |
426 | 30.6k | handleLValueBitCast(state, Ex, LCtx, T, ExTy, CastE, Bldr, Pred); |
427 | 30.6k | continue; |
428 | 30.6k | } |
429 | 33.5k | case CK_IntegralCast: { |
430 | 33.5k | // Delegate to SValBuilder to process. |
431 | 33.5k | SVal V = state->getSVal(Ex, LCtx); |
432 | 33.5k | V = svalBuilder.evalIntegralCast(state, V, T, ExTy); |
433 | 33.5k | state = state->BindExpr(CastE, LCtx, V); |
434 | 33.5k | Bldr.generateNode(CastE, Pred, state); |
435 | 33.5k | continue; |
436 | 30.6k | } |
437 | 30.6k | case CK_DerivedToBase: |
438 | 819 | case CK_UncheckedDerivedToBase: { |
439 | 819 | // For DerivedToBase cast, delegate to the store manager. |
440 | 819 | SVal val = state->getSVal(Ex, LCtx); |
441 | 819 | val = getStoreManager().evalDerivedToBase(val, CastE); |
442 | 819 | state = state->BindExpr(CastE, LCtx, val); |
443 | 819 | Bldr.generateNode(CastE, Pred, state); |
444 | 819 | continue; |
445 | 819 | } |
446 | 819 | // Handle C++ dyn_cast. |
447 | 819 | case CK_Dynamic: { |
448 | 38 | SVal val = state->getSVal(Ex, LCtx); |
449 | 38 | |
450 | 38 | // Compute the type of the result. |
451 | 38 | QualType resultType = CastE->getType(); |
452 | 38 | if (CastE->isGLValue()) |
453 | 3 | resultType = getContext().getPointerType(resultType); |
454 | 38 | |
455 | 38 | bool Failed = false; |
456 | 38 | |
457 | 38 | // Check if the value being cast evaluates to 0. |
458 | 38 | if (val.isZeroConstant()) |
459 | 2 | Failed = true; |
460 | 36 | // Else, evaluate the cast. |
461 | 36 | else |
462 | 36 | val = getStoreManager().attemptDownCast(val, T, Failed); |
463 | 38 | |
464 | 38 | if (Failed) { |
465 | 8 | if (T->isReferenceType()) { |
466 | 1 | // A bad_cast exception is thrown if input value is a reference. |
467 | 1 | // Currently, we model this, by generating a sink. |
468 | 1 | Bldr.generateSink(CastE, Pred, state); |
469 | 1 | continue; |
470 | 7 | } else { |
471 | 7 | // If the cast fails on a pointer, bind to 0. |
472 | 7 | state = state->BindExpr(CastE, LCtx, svalBuilder.makeNull()); |
473 | 7 | } |
474 | 30 | } else { |
475 | 30 | // If we don't know if the cast succeeded, conjure a new symbol. |
476 | 30 | if (val.isUnknown()) { |
477 | 0 | DefinedOrUnknownSVal NewSym = |
478 | 0 | svalBuilder.conjureSymbolVal(nullptr, CastE, LCtx, resultType, |
479 | 0 | currBldrCtx->blockCount()); |
480 | 0 | state = state->BindExpr(CastE, LCtx, NewSym); |
481 | 0 | } else |
482 | 30 | // Else, bind to the derived region value. |
483 | 30 | state = state->BindExpr(CastE, LCtx, val); |
484 | 30 | } |
485 | 38 | Bldr.generateNode(CastE, Pred, state); |
486 | 37 | continue; |
487 | 38 | } |
488 | 83 | case CK_BaseToDerived: { |
489 | 83 | SVal val = state->getSVal(Ex, LCtx); |
490 | 83 | QualType resultType = CastE->getType(); |
491 | 83 | if (CastE->isGLValue()) |
492 | 0 | resultType = getContext().getPointerType(resultType); |
493 | 83 | |
494 | 83 | bool Failed = false; |
495 | 83 | |
496 | 83 | if (!val.isConstant()) { |
497 | 75 | val = getStoreManager().attemptDownCast(val, T, Failed); |
498 | 75 | } |
499 | 83 | |
500 | 83 | // Failed to cast or the result is unknown, fall back to conservative. |
501 | 83 | if (Failed || val.isUnknown()79 ) { |
502 | 4 | val = |
503 | 4 | svalBuilder.conjureSymbolVal(nullptr, CastE, LCtx, resultType, |
504 | 4 | currBldrCtx->blockCount()); |
505 | 4 | } |
506 | 83 | state = state->BindExpr(CastE, LCtx, val); |
507 | 83 | Bldr.generateNode(CastE, Pred, state); |
508 | 83 | continue; |
509 | 38 | } |
510 | 3.29k | case CK_NullToPointer: { |
511 | 3.29k | SVal V = svalBuilder.makeNull(); |
512 | 3.29k | state = state->BindExpr(CastE, LCtx, V); |
513 | 3.29k | Bldr.generateNode(CastE, Pred, state); |
514 | 3.29k | continue; |
515 | 38 | } |
516 | 38 | case CK_NullToMemberPointer: { |
517 | 5 | SVal V = svalBuilder.getMemberPointer(nullptr); |
518 | 5 | state = state->BindExpr(CastE, LCtx, V); |
519 | 5 | Bldr.generateNode(CastE, Pred, state); |
520 | 5 | continue; |
521 | 38 | } |
522 | 38 | case CK_DerivedToBaseMemberPointer: |
523 | 24 | case CK_BaseToDerivedMemberPointer: |
524 | 24 | case CK_ReinterpretMemberPointer: { |
525 | 24 | SVal V = state->getSVal(Ex, LCtx); |
526 | 24 | if (auto PTMSV = V.getAs<nonloc::PointerToMember>()) { |
527 | 24 | SVal CastedPTMSV = svalBuilder.makePointerToMember( |
528 | 24 | getBasicVals().accumCXXBase( |
529 | 24 | llvm::make_range<CastExpr::path_const_iterator>( |
530 | 24 | CastE->path_begin(), CastE->path_end()), *PTMSV)); |
531 | 24 | state = state->BindExpr(CastE, LCtx, CastedPTMSV); |
532 | 24 | Bldr.generateNode(CastE, Pred, state); |
533 | 24 | continue; |
534 | 24 | } |
535 | 0 | // Explicitly proceed with default handler for this case cascade. |
536 | 0 | state = handleLVectorSplat(state, LCtx, CastE, Bldr, Pred); |
537 | 0 | continue; |
538 | 0 | } |
539 | 0 | // Various C++ casts that are not handled yet. |
540 | 0 | case CK_ToUnion: |
541 | 0 | case CK_VectorSplat: { |
542 | 0 | state = handleLVectorSplat(state, LCtx, CastE, Bldr, Pred); |
543 | 0 | continue; |
544 | 0 | } |
545 | 214k | } |
546 | 214k | } |
547 | 214k | } |
548 | | |
549 | | void ExprEngine::VisitCompoundLiteralExpr(const CompoundLiteralExpr *CL, |
550 | | ExplodedNode *Pred, |
551 | 62 | ExplodedNodeSet &Dst) { |
552 | 62 | StmtNodeBuilder B(Pred, Dst, *currBldrCtx); |
553 | 62 | |
554 | 62 | ProgramStateRef State = Pred->getState(); |
555 | 62 | const LocationContext *LCtx = Pred->getLocationContext(); |
556 | 62 | |
557 | 62 | const Expr *Init = CL->getInitializer(); |
558 | 62 | SVal V = State->getSVal(CL->getInitializer(), LCtx); |
559 | 62 | |
560 | 62 | if (isa<CXXConstructExpr>(Init) || isa<CXXStdInitializerListExpr>(Init)56 ) { |
561 | 10 | // No work needed. Just pass the value up to this expression. |
562 | 52 | } else { |
563 | 52 | assert(isa<InitListExpr>(Init)); |
564 | 52 | Loc CLLoc = State->getLValue(CL, LCtx); |
565 | 52 | State = State->bindLoc(CLLoc, V, LCtx); |
566 | 52 | |
567 | 52 | if (CL->isGLValue()) |
568 | 33 | V = CLLoc; |
569 | 52 | } |
570 | 62 | |
571 | 62 | B.generateNode(CL, Pred, State->BindExpr(CL, LCtx, V)); |
572 | 62 | } |
573 | | |
574 | | void ExprEngine::VisitDeclStmt(const DeclStmt *DS, ExplodedNode *Pred, |
575 | 42.3k | ExplodedNodeSet &Dst) { |
576 | 42.3k | // Assumption: The CFG has one DeclStmt per Decl. |
577 | 42.3k | const VarDecl *VD = dyn_cast_or_null<VarDecl>(*DS->decl_begin()); |
578 | 42.3k | |
579 | 42.3k | if (!VD) { |
580 | 0 | //TODO:AZ: remove explicit insertion after refactoring is done. |
581 | 0 | Dst.insert(Pred); |
582 | 0 | return; |
583 | 0 | } |
584 | 42.3k | |
585 | 42.3k | // FIXME: all pre/post visits should eventually be handled by ::Visit(). |
586 | 42.3k | ExplodedNodeSet dstPreVisit; |
587 | 42.3k | getCheckerManager().runCheckersForPreStmt(dstPreVisit, Pred, DS, *this); |
588 | 42.3k | |
589 | 42.3k | ExplodedNodeSet dstEvaluated; |
590 | 42.3k | StmtNodeBuilder B(dstPreVisit, dstEvaluated, *currBldrCtx); |
591 | 42.3k | for (ExplodedNodeSet::iterator I = dstPreVisit.begin(), E = dstPreVisit.end(); |
592 | 84.6k | I!=E; ++I42.3k ) { |
593 | 42.3k | ExplodedNode *N = *I; |
594 | 42.3k | ProgramStateRef state = N->getState(); |
595 | 42.3k | const LocationContext *LC = N->getLocationContext(); |
596 | 42.3k | |
597 | 42.3k | // Decls without InitExpr are not initialized explicitly. |
598 | 42.3k | if (const Expr *InitEx = VD->getInit()) { |
599 | 39.5k | |
600 | 39.5k | // Note in the state that the initialization has occurred. |
601 | 39.5k | ExplodedNode *UpdatedN = N; |
602 | 39.5k | SVal InitVal = state->getSVal(InitEx, LC); |
603 | 39.5k | |
604 | 39.5k | assert(DS->isSingleDecl()); |
605 | 39.5k | if (getObjectUnderConstruction(state, DS, LC)) { |
606 | 14.2k | state = finishObjectConstruction(state, DS, LC); |
607 | 14.2k | // We constructed the object directly in the variable. |
608 | 14.2k | // No need to bind anything. |
609 | 14.2k | B.generateNode(DS, UpdatedN, state); |
610 | 25.2k | } else { |
611 | 25.2k | // Recover some path-sensitivity if a scalar value evaluated to |
612 | 25.2k | // UnknownVal. |
613 | 25.2k | if (InitVal.isUnknown()) { |
614 | 5.18k | QualType Ty = InitEx->getType(); |
615 | 5.18k | if (InitEx->isGLValue()) { |
616 | 0 | Ty = getContext().getPointerType(Ty); |
617 | 0 | } |
618 | 5.18k | |
619 | 5.18k | InitVal = svalBuilder.conjureSymbolVal(nullptr, InitEx, LC, Ty, |
620 | 5.18k | currBldrCtx->blockCount()); |
621 | 5.18k | } |
622 | 25.2k | |
623 | 25.2k | |
624 | 25.2k | B.takeNodes(UpdatedN); |
625 | 25.2k | ExplodedNodeSet Dst2; |
626 | 25.2k | evalBind(Dst2, DS, UpdatedN, state->getLValue(VD, LC), InitVal, true); |
627 | 25.2k | B.addNodes(Dst2); |
628 | 25.2k | } |
629 | 39.5k | } |
630 | 2.81k | else { |
631 | 2.81k | B.generateNode(DS, N, state); |
632 | 2.81k | } |
633 | 42.3k | } |
634 | 42.3k | |
635 | 42.3k | getCheckerManager().runCheckersForPostStmt(Dst, B.getResults(), DS, *this); |
636 | 42.3k | } |
637 | | |
638 | | void ExprEngine::VisitLogicalExpr(const BinaryOperator* B, ExplodedNode *Pred, |
639 | 1.15k | ExplodedNodeSet &Dst) { |
640 | 1.15k | // This method acts upon CFG elements for logical operators && and || |
641 | 1.15k | // and attaches the value (true or false) to them as expressions. |
642 | 1.15k | // It doesn't produce any state splits. |
643 | 1.15k | // If we made it that far, we're past the point when we modeled the short |
644 | 1.15k | // circuit. It means that we should have precise knowledge about whether |
645 | 1.15k | // we've short-circuited. If we did, we already know the value we need to |
646 | 1.15k | // bind. If we didn't, the value of the RHS (casted to the boolean type) |
647 | 1.15k | // is the answer. |
648 | 1.15k | // Currently this method tries to figure out whether we've short-circuited |
649 | 1.15k | // by looking at the ExplodedGraph. This method is imperfect because there |
650 | 1.15k | // could inevitably have been merges that would have resulted in multiple |
651 | 1.15k | // potential path traversal histories. We bail out when we fail. |
652 | 1.15k | // Due to this ambiguity, a more reliable solution would have been to |
653 | 1.15k | // track the short circuit operation history path-sensitively until |
654 | 1.15k | // we evaluate the respective logical operator. |
655 | 1.15k | assert(B->getOpcode() == BO_LAnd || |
656 | 1.15k | B->getOpcode() == BO_LOr); |
657 | 1.15k | |
658 | 1.15k | StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); |
659 | 1.15k | ProgramStateRef state = Pred->getState(); |
660 | 1.15k | |
661 | 1.15k | if (B->getType()->isVectorType()) { |
662 | 2 | // FIXME: We do not model vector arithmetic yet. When adding support for |
663 | 2 | // that, note that the CFG-based reasoning below does not apply, because |
664 | 2 | // logical operators on vectors are not short-circuit. Currently they are |
665 | 2 | // modeled as short-circuit in Clang CFG but this is incorrect. |
666 | 2 | // Do not set the value for the expression. It'd be UnknownVal by default. |
667 | 2 | Bldr.generateNode(B, Pred, state); |
668 | 2 | return; |
669 | 2 | } |
670 | 1.15k | |
671 | 1.15k | ExplodedNode *N = Pred; |
672 | 2.33k | while (!N->getLocation().getAs<BlockEntrance>()) { |
673 | 1.17k | ProgramPoint P = N->getLocation(); |
674 | 1.17k | assert(P.getAs<PreStmt>()|| P.getAs<PreStmtPurgeDeadSymbols>()); |
675 | 1.17k | (void) P; |
676 | 1.17k | if (N->pred_size() != 1) { |
677 | 0 | // We failed to track back where we came from. |
678 | 0 | Bldr.generateNode(B, Pred, state); |
679 | 0 | return; |
680 | 0 | } |
681 | 1.17k | N = *N->pred_begin(); |
682 | 1.17k | } |
683 | 1.15k | |
684 | 1.15k | if (N->pred_size() != 1) { |
685 | 7 | // We failed to track back where we came from. |
686 | 7 | Bldr.generateNode(B, Pred, state); |
687 | 7 | return; |
688 | 7 | } |
689 | 1.14k | |
690 | 1.14k | N = *N->pred_begin(); |
691 | 1.14k | BlockEdge BE = N->getLocation().castAs<BlockEdge>(); |
692 | 1.14k | SVal X; |
693 | 1.14k | |
694 | 1.14k | // Determine the value of the expression by introspecting how we |
695 | 1.14k | // got this location in the CFG. This requires looking at the previous |
696 | 1.14k | // block we were in and what kind of control-flow transfer was involved. |
697 | 1.14k | const CFGBlock *SrcBlock = BE.getSrc(); |
698 | 1.14k | // The only terminator (if there is one) that makes sense is a logical op. |
699 | 1.14k | CFGTerminator T = SrcBlock->getTerminator(); |
700 | 1.14k | if (const BinaryOperator *Term = cast_or_null<BinaryOperator>(T.getStmt())) { |
701 | 493 | (void) Term; |
702 | 493 | assert(Term->isLogicalOp()); |
703 | 493 | assert(SrcBlock->succ_size() == 2); |
704 | 493 | // Did we take the true or false branch? |
705 | 493 | unsigned constant = (*SrcBlock->succ_begin() == BE.getDst()) ? 191 : 0402 ; |
706 | 493 | X = svalBuilder.makeIntVal(constant, B->getType()); |
707 | 493 | } |
708 | 654 | else { |
709 | 654 | // If there is no terminator, by construction the last statement |
710 | 654 | // in SrcBlock is the value of the enclosing expression. |
711 | 654 | // However, we still need to constrain that value to be 0 or 1. |
712 | 654 | assert(!SrcBlock->empty()); |
713 | 654 | CFGStmt Elem = SrcBlock->rbegin()->castAs<CFGStmt>(); |
714 | 654 | const Expr *RHS = cast<Expr>(Elem.getStmt()); |
715 | 654 | SVal RHSVal = N->getState()->getSVal(RHS, Pred->getLocationContext()); |
716 | 654 | |
717 | 654 | if (RHSVal.isUndef()) { |
718 | 1 | X = RHSVal; |
719 | 653 | } else { |
720 | 653 | // We evaluate "RHSVal != 0" expression which result in 0 if the value is |
721 | 653 | // known to be false, 1 if the value is known to be true and a new symbol |
722 | 653 | // when the assumption is unknown. |
723 | 653 | nonloc::ConcreteInt Zero(getBasicVals().getValue(0, B->getType())); |
724 | 653 | X = evalBinOp(N->getState(), BO_NE, |
725 | 653 | svalBuilder.evalCast(RHSVal, B->getType(), RHS->getType()), |
726 | 653 | Zero, B->getType()); |
727 | 653 | } |
728 | 654 | } |
729 | 1.14k | Bldr.generateNode(B, Pred, state->BindExpr(B, Pred->getLocationContext(), X)); |
730 | 1.14k | } |
731 | | |
732 | | void ExprEngine::VisitInitListExpr(const InitListExpr *IE, |
733 | | ExplodedNode *Pred, |
734 | 1.18k | ExplodedNodeSet &Dst) { |
735 | 1.18k | StmtNodeBuilder B(Pred, Dst, *currBldrCtx); |
736 | 1.18k | |
737 | 1.18k | ProgramStateRef state = Pred->getState(); |
738 | 1.18k | const LocationContext *LCtx = Pred->getLocationContext(); |
739 | 1.18k | QualType T = getContext().getCanonicalType(IE->getType()); |
740 | 1.18k | unsigned NumInitElements = IE->getNumInits(); |
741 | 1.18k | |
742 | 1.18k | if (!IE->isGLValue() && !IE->isTransparent()1.17k && |
743 | 1.18k | (1.15k T->isArrayType()1.15k || T->isRecordType()630 || T->isVectorType()68 || |
744 | 1.15k | T->isAnyComplexType()62 )) { |
745 | 1.09k | llvm::ImmutableList<SVal> vals = getBasicVals().getEmptySValList(); |
746 | 1.09k | |
747 | 1.09k | // Handle base case where the initializer has no elements. |
748 | 1.09k | // e.g: static int* myArray[] = {}; |
749 | 1.09k | if (NumInitElements == 0) { |
750 | 168 | SVal V = svalBuilder.makeCompoundVal(T, vals); |
751 | 168 | B.generateNode(IE, Pred, state->BindExpr(IE, LCtx, V)); |
752 | 168 | return; |
753 | 168 | } |
754 | 929 | |
755 | 929 | for (InitListExpr::const_reverse_iterator it = IE->rbegin(), |
756 | 3.04k | ei = IE->rend(); it != ei; ++it2.11k ) { |
757 | 2.11k | SVal V = state->getSVal(cast<Expr>(*it), LCtx); |
758 | 2.11k | vals = getBasicVals().prependSVal(V, vals); |
759 | 2.11k | } |
760 | 929 | |
761 | 929 | B.generateNode(IE, Pred, |
762 | 929 | state->BindExpr(IE, LCtx, |
763 | 929 | svalBuilder.makeCompoundVal(T, vals))); |
764 | 929 | return; |
765 | 929 | } |
766 | 86 | |
767 | 86 | // Handle scalars: int{5} and int{} and GLvalues. |
768 | 86 | // Note, if the InitListExpr is a GLvalue, it means that there is an address |
769 | 86 | // representing it, so it must have a single init element. |
770 | 86 | assert(NumInitElements <= 1); |
771 | 86 | |
772 | 86 | SVal V; |
773 | 86 | if (NumInitElements == 0) |
774 | 57 | V = getSValBuilder().makeZeroVal(T); |
775 | 29 | else |
776 | 29 | V = state->getSVal(IE->getInit(0), LCtx); |
777 | 86 | |
778 | 86 | B.generateNode(IE, Pred, state->BindExpr(IE, LCtx, V)); |
779 | 86 | } |
780 | | |
781 | | void ExprEngine::VisitGuardedExpr(const Expr *Ex, |
782 | | const Expr *L, |
783 | | const Expr *R, |
784 | | ExplodedNode *Pred, |
785 | 904 | ExplodedNodeSet &Dst) { |
786 | 904 | assert(L && R); |
787 | 904 | |
788 | 904 | StmtNodeBuilder B(Pred, Dst, *currBldrCtx); |
789 | 904 | ProgramStateRef state = Pred->getState(); |
790 | 904 | const LocationContext *LCtx = Pred->getLocationContext(); |
791 | 904 | const CFGBlock *SrcBlock = nullptr; |
792 | 904 | |
793 | 904 | // Find the predecessor block. |
794 | 904 | ProgramStateRef SrcState = state; |
795 | 2.71k | for (const ExplodedNode *N = Pred ; N ; N = *N->pred_begin()1.81k ) { |
796 | 2.71k | ProgramPoint PP = N->getLocation(); |
797 | 2.71k | if (PP.getAs<PreStmtPurgeDeadSymbols>() || PP.getAs<BlockEntrance>()1.80k ) { |
798 | 1.81k | // If the state N has multiple predecessors P, it means that successors |
799 | 1.81k | // of P are all equivalent. |
800 | 1.81k | // In turn, that means that all nodes at P are equivalent in terms |
801 | 1.81k | // of observable behavior at N, and we can follow any of them. |
802 | 1.81k | // FIXME: a more robust solution which does not walk up the tree. |
803 | 1.81k | continue; |
804 | 1.81k | } |
805 | 904 | SrcBlock = PP.castAs<BlockEdge>().getSrc(); |
806 | 904 | SrcState = N->getState(); |
807 | 904 | break; |
808 | 904 | } |
809 | 904 | |
810 | 904 | assert(SrcBlock && "missing function entry"); |
811 | 904 | |
812 | 904 | // Find the last expression in the predecessor block. That is the |
813 | 904 | // expression that is used for the value of the ternary expression. |
814 | 904 | bool hasValue = false; |
815 | 904 | SVal V; |
816 | 904 | |
817 | 904 | for (CFGElement CE : llvm::reverse(*SrcBlock)) { |
818 | 904 | if (Optional<CFGStmt> CS = CE.getAs<CFGStmt>()) { |
819 | 904 | const Expr *ValEx = cast<Expr>(CS->getStmt()); |
820 | 904 | ValEx = ValEx->IgnoreParens(); |
821 | 904 | |
822 | 904 | // For GNU extension '?:' operator, the left hand side will be an |
823 | 904 | // OpaqueValueExpr, so get the underlying expression. |
824 | 904 | if (const OpaqueValueExpr *OpaqueEx = dyn_cast<OpaqueValueExpr>(L)) |
825 | 21 | L = OpaqueEx->getSourceExpr(); |
826 | 904 | |
827 | 904 | // If the last expression in the predecessor block matches true or false |
828 | 904 | // subexpression, get its the value. |
829 | 904 | if (ValEx == L->IgnoreParens() || ValEx == R->IgnoreParens()273 ) { |
830 | 902 | hasValue = true; |
831 | 902 | V = SrcState->getSVal(ValEx, LCtx); |
832 | 902 | } |
833 | 904 | break; |
834 | 904 | } |
835 | 904 | } |
836 | 904 | |
837 | 904 | if (!hasValue) |
838 | 2 | V = svalBuilder.conjureSymbolVal(nullptr, Ex, LCtx, |
839 | 2 | currBldrCtx->blockCount()); |
840 | 904 | |
841 | 904 | // Generate a new node with the binding from the appropriate path. |
842 | 904 | B.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V, true)); |
843 | 904 | } |
844 | | |
845 | | void ExprEngine:: |
846 | | VisitOffsetOfExpr(const OffsetOfExpr *OOE, |
847 | 21 | ExplodedNode *Pred, ExplodedNodeSet &Dst) { |
848 | 21 | StmtNodeBuilder B(Pred, Dst, *currBldrCtx); |
849 | 21 | Expr::EvalResult Result; |
850 | 21 | if (OOE->EvaluateAsInt(Result, getContext())) { |
851 | 21 | APSInt IV = Result.Val.getInt(); |
852 | 21 | assert(IV.getBitWidth() == getContext().getTypeSize(OOE->getType())); |
853 | 21 | assert(OOE->getType()->castAs<BuiltinType>()->isInteger()); |
854 | 21 | assert(IV.isSigned() == OOE->getType()->isSignedIntegerType()); |
855 | 21 | SVal X = svalBuilder.makeIntVal(IV); |
856 | 21 | B.generateNode(OOE, Pred, |
857 | 21 | Pred->getState()->BindExpr(OOE, Pred->getLocationContext(), |
858 | 21 | X)); |
859 | 21 | } |
860 | 21 | // FIXME: Handle the case where __builtin_offsetof is not a constant. |
861 | 21 | } |
862 | | |
863 | | |
864 | | void ExprEngine:: |
865 | | VisitUnaryExprOrTypeTraitExpr(const UnaryExprOrTypeTraitExpr *Ex, |
866 | | ExplodedNode *Pred, |
867 | 938 | ExplodedNodeSet &Dst) { |
868 | 938 | // FIXME: Prechecks eventually go in ::Visit(). |
869 | 938 | ExplodedNodeSet CheckedSet; |
870 | 938 | getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, Ex, *this); |
871 | 938 | |
872 | 938 | ExplodedNodeSet EvalSet; |
873 | 938 | StmtNodeBuilder Bldr(CheckedSet, EvalSet, *currBldrCtx); |
874 | 938 | |
875 | 938 | QualType T = Ex->getTypeOfArgument(); |
876 | 938 | |
877 | 938 | for (ExplodedNodeSet::iterator I = CheckedSet.begin(), E = CheckedSet.end(); |
878 | 1.87k | I != E; ++I938 ) { |
879 | 938 | if (Ex->getKind() == UETT_SizeOf) { |
880 | 935 | if (!T->isIncompleteType() && !T->isConstantSizeType()931 ) { |
881 | 9 | assert(T->isVariableArrayType() && "Unknown non-constant-sized type."); |
882 | 9 | |
883 | 9 | // FIXME: Add support for VLA type arguments and VLA expressions. |
884 | 9 | // When that happens, we should probably refactor VLASizeChecker's code. |
885 | 9 | continue; |
886 | 926 | } else if (T->getAs<ObjCObjectType>()) { |
887 | 0 | // Some code tries to take the sizeof an ObjCObjectType, relying that |
888 | 0 | // the compiler has laid out its representation. Just report Unknown |
889 | 0 | // for these. |
890 | 0 | continue; |
891 | 0 | } |
892 | 929 | } |
893 | 929 | |
894 | 929 | APSInt Value = Ex->EvaluateKnownConstInt(getContext()); |
895 | 929 | CharUnits amt = CharUnits::fromQuantity(Value.getZExtValue()); |
896 | 929 | |
897 | 929 | ProgramStateRef state = (*I)->getState(); |
898 | 929 | state = state->BindExpr(Ex, (*I)->getLocationContext(), |
899 | 929 | svalBuilder.makeIntVal(amt.getQuantity(), |
900 | 929 | Ex->getType())); |
901 | 929 | Bldr.generateNode(Ex, *I, state); |
902 | 929 | } |
903 | 938 | |
904 | 938 | getCheckerManager().runCheckersForPostStmt(Dst, EvalSet, Ex, *this); |
905 | 938 | } |
906 | | |
907 | | void ExprEngine::handleUOExtension(ExplodedNodeSet::iterator I, |
908 | | const UnaryOperator *U, |
909 | 26.8k | StmtNodeBuilder &Bldr) { |
910 | 26.8k | // FIXME: We can probably just have some magic in Environment::getSVal() |
911 | 26.8k | // that propagates values, instead of creating a new node here. |
912 | 26.8k | // |
913 | 26.8k | // Unary "+" is a no-op, similar to a parentheses. We still have places |
914 | 26.8k | // where it may be a block-level expression, so we need to |
915 | 26.8k | // generate an extra node that just propagates the value of the |
916 | 26.8k | // subexpression. |
917 | 26.8k | const Expr *Ex = U->getSubExpr()->IgnoreParens(); |
918 | 26.8k | ProgramStateRef state = (*I)->getState(); |
919 | 26.8k | const LocationContext *LCtx = (*I)->getLocationContext(); |
920 | 26.8k | Bldr.generateNode(U, *I, state->BindExpr(U, LCtx, |
921 | 26.8k | state->getSVal(Ex, LCtx))); |
922 | 26.8k | } |
923 | | |
924 | | void ExprEngine::VisitUnaryOperator(const UnaryOperator* U, ExplodedNode *Pred, |
925 | 38.7k | ExplodedNodeSet &Dst) { |
926 | 38.7k | // FIXME: Prechecks eventually go in ::Visit(). |
927 | 38.7k | ExplodedNodeSet CheckedSet; |
928 | 38.7k | getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, U, *this); |
929 | 38.7k | |
930 | 38.7k | ExplodedNodeSet EvalSet; |
931 | 38.7k | StmtNodeBuilder Bldr(CheckedSet, EvalSet, *currBldrCtx); |
932 | 38.7k | |
933 | 38.7k | for (ExplodedNodeSet::iterator I = CheckedSet.begin(), E = CheckedSet.end(); |
934 | 77.4k | I != E; ++I38.7k ) { |
935 | 38.7k | switch (U->getOpcode()) { |
936 | 8.81k | default: { |
937 | 8.81k | Bldr.takeNodes(*I); |
938 | 8.81k | ExplodedNodeSet Tmp; |
939 | 8.81k | VisitIncrementDecrementOperator(U, *I, Tmp); |
940 | 8.81k | Bldr.addNodes(Tmp); |
941 | 8.81k | break; |
942 | 0 | } |
943 | 14 | case UO_Real: { |
944 | 14 | const Expr *Ex = U->getSubExpr()->IgnoreParens(); |
945 | 14 | |
946 | 14 | // FIXME: We don't have complex SValues yet. |
947 | 14 | if (Ex->getType()->isAnyComplexType()) { |
948 | 10 | // Just report "Unknown." |
949 | 10 | break; |
950 | 10 | } |
951 | 4 | |
952 | 4 | // For all other types, UO_Real is an identity operation. |
953 | 4 | assert (U->getType() == Ex->getType()); |
954 | 4 | ProgramStateRef state = (*I)->getState(); |
955 | 4 | const LocationContext *LCtx = (*I)->getLocationContext(); |
956 | 4 | Bldr.generateNode(U, *I, state->BindExpr(U, LCtx, |
957 | 4 | state->getSVal(Ex, LCtx))); |
958 | 4 | break; |
959 | 4 | } |
960 | 4 | |
961 | 11 | case UO_Imag: { |
962 | 11 | const Expr *Ex = U->getSubExpr()->IgnoreParens(); |
963 | 11 | // FIXME: We don't have complex SValues yet. |
964 | 11 | if (Ex->getType()->isAnyComplexType()) { |
965 | 8 | // Just report "Unknown." |
966 | 8 | break; |
967 | 8 | } |
968 | 3 | // For all other types, UO_Imag returns 0. |
969 | 3 | ProgramStateRef state = (*I)->getState(); |
970 | 3 | const LocationContext *LCtx = (*I)->getLocationContext(); |
971 | 3 | SVal X = svalBuilder.makeZeroVal(Ex->getType()); |
972 | 3 | Bldr.generateNode(U, *I, state->BindExpr(U, LCtx, X)); |
973 | 3 | break; |
974 | 3 | } |
975 | 3 | |
976 | 3.53k | case UO_AddrOf: { |
977 | 3.53k | // Process pointer-to-member address operation. |
978 | 3.53k | const Expr *Ex = U->getSubExpr()->IgnoreParens(); |
979 | 3.53k | if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(Ex)) { |
980 | 2.81k | const ValueDecl *VD = DRE->getDecl(); |
981 | 2.81k | |
982 | 2.81k | if (isa<CXXMethodDecl>(VD) || isa<FieldDecl>(VD)2.78k ) { |
983 | 44 | ProgramStateRef State = (*I)->getState(); |
984 | 44 | const LocationContext *LCtx = (*I)->getLocationContext(); |
985 | 44 | SVal SV = svalBuilder.getMemberPointer(cast<DeclaratorDecl>(VD)); |
986 | 44 | Bldr.generateNode(U, *I, State->BindExpr(U, LCtx, SV)); |
987 | 44 | break; |
988 | 44 | } |
989 | 3.49k | } |
990 | 3.49k | // Explicitly proceed with default handler for this case cascade. |
991 | 3.49k | handleUOExtension(I, U, Bldr); |
992 | 3.49k | break; |
993 | 3.49k | } |
994 | 3.49k | case UO_Plus: |
995 | 0 | assert(!U->isGLValue()); |
996 | 0 | LLVM_FALLTHROUGH; |
997 | 23.3k | case UO_Deref: |
998 | 23.3k | case UO_Extension: { |
999 | 23.3k | handleUOExtension(I, U, Bldr); |
1000 | 23.3k | break; |
1001 | 23.3k | } |
1002 | 23.3k | |
1003 | 23.3k | case UO_LNot: |
1004 | 2.96k | case UO_Minus: |
1005 | 2.96k | case UO_Not: { |
1006 | 2.96k | assert (!U->isGLValue()); |
1007 | 2.96k | const Expr *Ex = U->getSubExpr()->IgnoreParens(); |
1008 | 2.96k | ProgramStateRef state = (*I)->getState(); |
1009 | 2.96k | const LocationContext *LCtx = (*I)->getLocationContext(); |
1010 | 2.96k | |
1011 | 2.96k | // Get the value of the subexpression. |
1012 | 2.96k | SVal V = state->getSVal(Ex, LCtx); |
1013 | 2.96k | |
1014 | 2.96k | if (V.isUnknownOrUndef()) { |
1015 | 10 | Bldr.generateNode(U, *I, state->BindExpr(U, LCtx, V)); |
1016 | 10 | break; |
1017 | 10 | } |
1018 | 2.95k | |
1019 | 2.95k | switch (U->getOpcode()) { |
1020 | 0 | default: |
1021 | 0 | llvm_unreachable("Invalid Opcode."); |
1022 | 929 | case UO_Not: |
1023 | 929 | // FIXME: Do we need to handle promotions? |
1024 | 929 | state = state->BindExpr(U, LCtx, evalComplement(V.castAs<NonLoc>())); |
1025 | 929 | break; |
1026 | 1.03k | case UO_Minus: |
1027 | 1.03k | // FIXME: Do we need to handle promotions? |
1028 | 1.03k | state = state->BindExpr(U, LCtx, evalMinus(V.castAs<NonLoc>())); |
1029 | 1.03k | break; |
1030 | 991 | case UO_LNot: |
1031 | 991 | // C99 6.5.3.3: "The expression !E is equivalent to (0==E)." |
1032 | 991 | // |
1033 | 991 | // Note: technically we do "E == 0", but this is the same in the |
1034 | 991 | // transfer functions as "0 == E". |
1035 | 991 | SVal Result; |
1036 | 991 | if (Optional<Loc> LV = V.getAs<Loc>()) { |
1037 | 205 | Loc X = svalBuilder.makeNullWithType(Ex->getType()); |
1038 | 205 | Result = evalBinOp(state, BO_EQ, *LV, X, U->getType()); |
1039 | 786 | } else if (Ex->getType()->isFloatingType()) { |
1040 | 1 | // FIXME: handle floating point types. |
1041 | 1 | Result = UnknownVal(); |
1042 | 785 | } else { |
1043 | 785 | nonloc::ConcreteInt X(getBasicVals().getValue(0, Ex->getType())); |
1044 | 785 | Result = evalBinOp(state, BO_EQ, V.castAs<NonLoc>(), X, |
1045 | 785 | U->getType()); |
1046 | 785 | } |
1047 | 991 | |
1048 | 991 | state = state->BindExpr(U, LCtx, Result); |
1049 | 991 | break; |
1050 | 2.95k | } |
1051 | 2.95k | Bldr.generateNode(U, *I, state); |
1052 | 2.95k | break; |
1053 | 2.95k | } |
1054 | 38.7k | } |
1055 | 38.7k | } |
1056 | 38.7k | |
1057 | 38.7k | getCheckerManager().runCheckersForPostStmt(Dst, EvalSet, U, *this); |
1058 | 38.7k | } |
1059 | | |
1060 | | void ExprEngine::VisitIncrementDecrementOperator(const UnaryOperator* U, |
1061 | | ExplodedNode *Pred, |
1062 | 8.81k | ExplodedNodeSet &Dst) { |
1063 | 8.81k | // Handle ++ and -- (both pre- and post-increment). |
1064 | 8.81k | assert (U->isIncrementDecrementOp()); |
1065 | 8.81k | const Expr *Ex = U->getSubExpr()->IgnoreParens(); |
1066 | 8.81k | |
1067 | 8.81k | const LocationContext *LCtx = Pred->getLocationContext(); |
1068 | 8.81k | ProgramStateRef state = Pred->getState(); |
1069 | 8.81k | SVal loc = state->getSVal(Ex, LCtx); |
1070 | 8.81k | |
1071 | 8.81k | // Perform a load. |
1072 | 8.81k | ExplodedNodeSet Tmp; |
1073 | 8.81k | evalLoad(Tmp, U, Ex, Pred, state, loc); |
1074 | 8.81k | |
1075 | 8.81k | ExplodedNodeSet Dst2; |
1076 | 8.81k | StmtNodeBuilder Bldr(Tmp, Dst2, *currBldrCtx); |
1077 | 17.6k | for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end();I!=E;++I8.81k ) { |
1078 | 8.81k | |
1079 | 8.81k | state = (*I)->getState(); |
1080 | 8.81k | assert(LCtx == (*I)->getLocationContext()); |
1081 | 8.81k | SVal V2_untested = state->getSVal(Ex, LCtx); |
1082 | 8.81k | |
1083 | 8.81k | // Propagate unknown and undefined values. |
1084 | 8.81k | if (V2_untested.isUnknownOrUndef()) { |
1085 | 293 | state = state->BindExpr(U, LCtx, V2_untested); |
1086 | 293 | |
1087 | 293 | // Perform the store, so that the uninitialized value detection happens. |
1088 | 293 | Bldr.takeNodes(*I); |
1089 | 293 | ExplodedNodeSet Dst3; |
1090 | 293 | evalStore(Dst3, U, Ex, *I, state, loc, V2_untested); |
1091 | 293 | Bldr.addNodes(Dst3); |
1092 | 293 | |
1093 | 293 | continue; |
1094 | 293 | } |
1095 | 8.51k | DefinedSVal V2 = V2_untested.castAs<DefinedSVal>(); |
1096 | 8.51k | |
1097 | 8.51k | // Handle all other values. |
1098 | 8.51k | BinaryOperator::Opcode Op = U->isIncrementOp() ? BO_Add8.27k : BO_Sub242 ; |
1099 | 8.51k | |
1100 | 8.51k | // If the UnaryOperator has non-location type, use its type to create the |
1101 | 8.51k | // constant value. If the UnaryOperator has location type, create the |
1102 | 8.51k | // constant with int type and pointer width. |
1103 | 8.51k | SVal RHS; |
1104 | 8.51k | SVal Result; |
1105 | 8.51k | |
1106 | 8.51k | if (U->getType()->isAnyPointerType()) |
1107 | 656 | RHS = svalBuilder.makeArrayIndex(1); |
1108 | 7.86k | else if (U->getType()->isIntegralOrEnumerationType()) |
1109 | 7.86k | RHS = svalBuilder.makeIntVal(1, U->getType()); |
1110 | 1 | else |
1111 | 1 | RHS = UnknownVal(); |
1112 | 8.51k | |
1113 | 8.51k | // The use of an operand of type bool with the ++ operators is deprecated |
1114 | 8.51k | // but valid until C++17. And if the operand of the ++ operator is of type |
1115 | 8.51k | // bool, it is set to true until C++17. Note that for '_Bool', it is also |
1116 | 8.51k | // set to true when it encounters ++ operator. |
1117 | 8.51k | if (U->getType()->isBooleanType() && U->isIncrementOp()70 ) |
1118 | 52 | Result = svalBuilder.makeTruthVal(true, U->getType()); |
1119 | 8.46k | else |
1120 | 8.46k | Result = evalBinOp(state, Op, V2, RHS, U->getType()); |
1121 | 8.51k | |
1122 | 8.51k | // Conjure a new symbol if necessary to recover precision. |
1123 | 8.51k | if (Result.isUnknown()){ |
1124 | 3 | DefinedOrUnknownSVal SymVal = |
1125 | 3 | svalBuilder.conjureSymbolVal(nullptr, U, LCtx, |
1126 | 3 | currBldrCtx->blockCount()); |
1127 | 3 | Result = SymVal; |
1128 | 3 | |
1129 | 3 | // If the value is a location, ++/-- should always preserve |
1130 | 3 | // non-nullness. Check if the original value was non-null, and if so |
1131 | 3 | // propagate that constraint. |
1132 | 3 | if (Loc::isLocType(U->getType())) { |
1133 | 0 | DefinedOrUnknownSVal Constraint = |
1134 | 0 | svalBuilder.evalEQ(state, V2,svalBuilder.makeZeroVal(U->getType())); |
1135 | 0 |
|
1136 | 0 | if (!state->assume(Constraint, true)) { |
1137 | 0 | // It isn't feasible for the original value to be null. |
1138 | 0 | // Propagate this constraint. |
1139 | 0 | Constraint = svalBuilder.evalEQ(state, SymVal, |
1140 | 0 | svalBuilder.makeZeroVal(U->getType())); |
1141 | 0 |
|
1142 | 0 | state = state->assume(Constraint, false); |
1143 | 0 | assert(state); |
1144 | 0 | } |
1145 | 0 | } |
1146 | 3 | } |
1147 | 8.51k | |
1148 | 8.51k | // Since the lvalue-to-rvalue conversion is explicit in the AST, |
1149 | 8.51k | // we bind an l-value if the operator is prefix and an lvalue (in C++). |
1150 | 8.51k | if (U->isGLValue()) |
1151 | 1.10k | state = state->BindExpr(U, LCtx, loc); |
1152 | 7.41k | else |
1153 | 7.41k | state = state->BindExpr(U, LCtx, U->isPostfix() ? V26.88k : Result530 ); |
1154 | 8.51k | |
1155 | 8.51k | // Perform the store. |
1156 | 8.51k | Bldr.takeNodes(*I); |
1157 | 8.51k | ExplodedNodeSet Dst3; |
1158 | 8.51k | evalStore(Dst3, U, Ex, *I, state, loc, Result); |
1159 | 8.51k | Bldr.addNodes(Dst3); |
1160 | 8.51k | } |
1161 | 8.81k | Dst.insert(Dst2); |
1162 | 8.81k | } |