//===- ConstraintManager.cpp - Constraints on symbolic values. ------------===//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

//  This file defined the interface to manage constraints on symbolic values.

//

//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h"

#include "clang/AST/Type.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"

#include "llvm/ADT/ScopeExit.h"

using namespace clang;

using namespace ento;

ConstraintManager::~ConstraintManager() = default;

static DefinedSVal getLocFromSymbol(const ProgramStateRef &State,

                                    SymbolRef Sym) {

  const MemRegion *R =

      State->getStateManager().getRegionManager().getSymbolicRegion(Sym);

  return loc::MemRegionVal(R);

}

ConditionTruthVal ConstraintManager::checkNull(ProgramStateRef State,

                                               SymbolRef Sym) {

  QualType Ty = Sym->getType();

  DefinedSVal V = Loc::isLocType(Ty) ? getLocFromSymbol(State, Sym)

                                     : nonloc::SymbolVal(Sym);

  const ProgramStatePair &P = assumeDual(State, V);

  if (P.first && !P.second)

    return ConditionTruthVal(false);

  if (!P.first && P.second)

    return ConditionTruthVal(true);

  return {};

}

template <typename AssumeFunction>

ConstraintManager::ProgramStatePair

ConstraintManager::assumeDualImpl(ProgramStateRef &State,

                                  AssumeFunction &Assume) {

  if (LLVM_UNLIKELY(State->isPosteriorlyOverconstrained()))

    return {State, State};

  // Assume functions might recurse (see `reAssume` or `tryRearrange`). During

  // the recursion the State might not change anymore, that means we reached a

  // fixpoint.

  // We avoid infinite recursion of assume calls by checking already visited

  // States on the stack of assume function calls.

  const ProgramState *RawSt = State.get();

  if (LLVM_UNLIKELY(AssumeStack.contains(RawSt)))

    return {State, State};

  AssumeStack.push(RawSt);

  auto AssumeStackBuilder =

      llvm::make_scope_exit([this]() { AssumeStack.pop(); });

ConstraintManager.cpp:std::__1::pair<llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const> > clang::ento::ConstraintManager::assumeDualImpl<clang::ento::ConstraintManager::assumeDual(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::DefinedSVal)::$_0>(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>&, clang::ento::ConstraintManager::assumeDual(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::DefinedSVal)::$_0&)::'lambda'()::operator()() const

Line

Count

Source

63

661k

      llvm::make_scope_exit([this]() { AssumeStack.pop(); });

ConstraintManager.cpp:std::__1::pair<llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const> > clang::ento::ConstraintManager::assumeDualImpl<clang::ento::ConstraintManager::assumeInclusiveRangeDual(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::NonLoc, llvm::APSInt const&, llvm::APSInt const&)::$_0>(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>&, clang::ento::ConstraintManager::assumeInclusiveRangeDual(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::NonLoc, llvm::APSInt const&, llvm::APSInt const&)::$_0&)::'lambda'()::operator()() const

Line

Count

Source

63

8.97k

      llvm::make_scope_exit([this]() { AssumeStack.pop(); });

  ProgramStateRef StTrue = Assume(true);

  if (!StTrue) {

    ProgramStateRef StFalse = Assume(false);

    if (LLVM_UNLIKELY(!StFalse)) { // both infeasible

      ProgramStateRef StInfeasible = State->cloneAsPosteriorlyOverconstrained();

      assert(StInfeasible->isPosteriorlyOverconstrained());

      // Checkers might rely on the API contract that both returned states

      // cannot be null. Thus, we return StInfeasible for both branches because

      // it might happen that a Checker uncoditionally uses one of them if the

      // other is a nullptr. This may also happen with the non-dual and

      // adjacent `assume(true)` and `assume(false)` calls. By implementing

      // assume in therms of assumeDual, we can keep our API contract there as

      // well.

      return ProgramStatePair(StInfeasible, StInfeasible);

    }

    return ProgramStatePair(nullptr, StFalse);

  }

  ProgramStateRef StFalse = Assume(false);

  if (!StFalse) {

    return ProgramStatePair(StTrue, nullptr);

  }

  return ProgramStatePair(StTrue, StFalse);

}

ConstraintManager.cpp:std::__1::pair<llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const> > clang::ento::ConstraintManager::assumeDualImpl<clang::ento::ConstraintManager::assumeDual(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::DefinedSVal)::$_0>(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>&, clang::ento::ConstraintManager::assumeDual(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::DefinedSVal)::$_0&)

Line

Count

Source

49

661k

                                  AssumeFunction &Assume) {

50

661k

  if (LLVM_UNLIKELY(State->isPosteriorlyOverconstrained()))

51

130

    return {State, State};

52

53

  // Assume functions might recurse (see `reAssume` or `tryRearrange`). During

54

  // the recursion the State might not change anymore, that means we reached a

55

  // fixpoint.

56

  // We avoid infinite recursion of assume calls by checking already visited

57

  // States on the stack of assume function calls.

58

661k

  const ProgramState *RawSt = State.get();

59

661k

  if (LLVM_UNLIKELY(AssumeStack.contains(RawSt)))

60

0

    return {State, State};

61

661k

  AssumeStack.push(RawSt);

62

661k

  auto AssumeStackBuilder =

63

661k

      llvm::make_scope_exit([this]() { AssumeStack.pop(); });

64

65

661k

  ProgramStateRef StTrue = Assume(true);

66

67

661k

  if (!StTrue) {

68

92.7k

    ProgramStateRef StFalse = Assume(false);

69

92.7k

    if (LLVM_UNLIKELY(!StFalse)) { // both infeasible

70

74

      ProgramStateRef StInfeasible = State->cloneAsPosteriorlyOverconstrained();

71

74

      assert(StInfeasible->isPosteriorlyOverconstrained());

72

      // Checkers might rely on the API contract that both returned states

73

      // cannot be null. Thus, we return StInfeasible for both branches because

74

      // it might happen that a Checker uncoditionally uses one of them if the

75

      // other is a nullptr. This may also happen with the non-dual and

76

      // adjacent `assume(true)` and `assume(false)` calls. By implementing

77

      // assume in therms of assumeDual, we can keep our API contract there as

78

      // well.

79

74

      return ProgramStatePair(StInfeasible, StInfeasible);

80

74

    }

81

92.6k

    return ProgramStatePair(nullptr, StFalse);

82

92.7k

  }

83

84

568k

  ProgramStateRef StFalse = Assume(false);

85

568k

  if (!StFalse) {

86

502k

    return ProgramStatePair(StTrue, nullptr);

87

502k

  }

88

89

66.5k

  return ProgramStatePair(StTrue, StFalse);

90

568k

}

ConstraintManager.cpp:std::__1::pair<llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const> > clang::ento::ConstraintManager::assumeDualImpl<clang::ento::ConstraintManager::assumeInclusiveRangeDual(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::NonLoc, llvm::APSInt const&, llvm::APSInt const&)::$_0>(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>&, clang::ento::ConstraintManager::assumeInclusiveRangeDual(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, clang::ento::NonLoc, llvm::APSInt const&, llvm::APSInt const&)::$_0&)

Line

Count

Source

49

9.10k

                                  AssumeFunction &Assume) {

50

9.10k

  if (LLVM_UNLIKELY(State->isPosteriorlyOverconstrained()))

51

128

    return {State, State};

52

53

  // Assume functions might recurse (see `reAssume` or `tryRearrange`). During

54

  // the recursion the State might not change anymore, that means we reached a

55

  // fixpoint.

56

  // We avoid infinite recursion of assume calls by checking already visited

57

  // States on the stack of assume function calls.

58

8.97k

  const ProgramState *RawSt = State.get();

59

8.97k

  if (LLVM_UNLIKELY(AssumeStack.contains(RawSt)))

60

0

    return {State, State};

61

8.97k

  AssumeStack.push(RawSt);

62

8.97k

  auto AssumeStackBuilder =

63

8.97k

      llvm::make_scope_exit([this]() { AssumeStack.pop(); });

64

65

8.97k

  ProgramStateRef StTrue = Assume(true);

66

67

8.97k

  if (!StTrue) {

68

1.46k

    ProgramStateRef StFalse = Assume(false);

69

1.46k

    if (LLVM_UNLIKELY(!StFalse)) { // both infeasible

70

2

      ProgramStateRef StInfeasible = State->cloneAsPosteriorlyOverconstrained();

71

2

      assert(StInfeasible->isPosteriorlyOverconstrained());

72

      // Checkers might rely on the API contract that both returned states

73

      // cannot be null. Thus, we return StInfeasible for both branches because

74

      // it might happen that a Checker uncoditionally uses one of them if the

75

      // other is a nullptr. This may also happen with the non-dual and

76

      // adjacent `assume(true)` and `assume(false)` calls. By implementing

77

      // assume in therms of assumeDual, we can keep our API contract there as

78

      // well.

79

2

      return ProgramStatePair(StInfeasible, StInfeasible);

80

2

    }

81

1.46k

    return ProgramStatePair(nullptr, StFalse);

82

1.46k

  }

83

84

7.50k

  ProgramStateRef StFalse = Assume(false);

85

7.50k

  if (!StFalse) {

86

5.04k

    return ProgramStatePair(StTrue, nullptr);

87

5.04k

  }

88

89

2.46k

  return ProgramStatePair(StTrue, StFalse);

90

7.50k

}

ConstraintManager::ProgramStatePair

ConstraintManager::assumeDual(ProgramStateRef State, DefinedSVal Cond) {

  auto AssumeFun = [&, Cond](bool Assumption) {

    return assumeInternal(State, Cond, Assumption);

  };

  return assumeDualImpl(State, AssumeFun);

}

ConstraintManager::ProgramStatePair

ConstraintManager::assumeInclusiveRangeDual(ProgramStateRef State, NonLoc Value,

                                            const llvm::APSInt &From,

                                            const llvm::APSInt &To) {

  auto AssumeFun = [&](bool Assumption) {

    return assumeInclusiveRangeInternal(State, Value, From, To, Assumption);

  };

  return assumeDualImpl(State, AssumeFun);

}

ProgramStateRef ConstraintManager::assume(ProgramStateRef State,

                                          DefinedSVal Cond, bool Assumption) {

  ConstraintManager::ProgramStatePair R = assumeDual(State, Cond);

  return Assumption ? 
R.first18.0k
 : 
R.second13.9k
;

}

ProgramStateRef

ConstraintManager::assumeInclusiveRange(ProgramStateRef State, NonLoc Value,

                                        const llvm::APSInt &From,

                                        const llvm::APSInt &To, bool InBound) {

  ConstraintManager::ProgramStatePair R =

      assumeInclusiveRangeDual(State, Value, From, To);

  return InBound ? 
R.first4.77k
 : 
R.second3.29k
;

}