/Users/buildslave/jenkins/workspace/coverage/llvm-project/clang/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | //== RangedConstraintManager.cpp --------------------------------*- C++ -*--==// |
2 | | // |
3 | | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
4 | | // See https://llvm.org/LICENSE.txt for license information. |
5 | | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
6 | | // |
7 | | //===----------------------------------------------------------------------===// |
8 | | // |
9 | | // This file defines RangedConstraintManager, a class that provides a |
10 | | // range-based constraint manager interface. |
11 | | // |
12 | | //===----------------------------------------------------------------------===// |
13 | | |
14 | | #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" |
15 | | #include "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h" |
16 | | |
17 | | namespace clang { |
18 | | |
19 | | namespace ento { |
20 | | |
21 | 16.2k | RangedConstraintManager::~RangedConstraintManager() {} |
22 | | |
23 | | ProgramStateRef RangedConstraintManager::assumeSym(ProgramStateRef State, |
24 | | SymbolRef Sym, |
25 | 243k | bool Assumption) { |
26 | 243k | Sym = simplify(State, Sym); |
27 | | |
28 | | // Handle SymbolData. |
29 | 243k | if (isa<SymbolData>(Sym)) |
30 | 5.85k | return assumeSymUnsupported(State, Sym, Assumption); |
31 | | |
32 | | // Handle symbolic expression. |
33 | 237k | if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(Sym)) { |
34 | | // We can only simplify expressions whose RHS is an integer. |
35 | | |
36 | 236k | BinaryOperator::Opcode op = SIE->getOpcode(); |
37 | 236k | if (BinaryOperator::isComparisonOp(op) && op != BO_Cmp236k ) { |
38 | 236k | if (!Assumption) |
39 | 118k | op = BinaryOperator::negateComparisonOp(op); |
40 | | |
41 | 236k | return assumeSymRel(State, SIE->getLHS(), op, SIE->getRHS()); |
42 | 236k | } |
43 | | |
44 | | // Handle adjustment with non-comparison ops. |
45 | 340 | const llvm::APSInt &Zero = getBasicVals().getValue(0, SIE->getType()); |
46 | 340 | return assumeSymRel(State, SIE, (Assumption ? BO_NE170 : BO_EQ170 ), Zero); |
47 | 236k | } |
48 | | |
49 | 996 | if (const auto *SSE = dyn_cast<SymSymExpr>(Sym)) { |
50 | 996 | BinaryOperator::Opcode Op = SSE->getOpcode(); |
51 | 996 | if (BinaryOperator::isComparisonOp(Op)) { |
52 | | |
53 | | // We convert equality operations for pointers only. |
54 | 994 | if (Loc::isLocType(SSE->getLHS()->getType()) && |
55 | 994 | Loc::isLocType(SSE->getRHS()->getType())982 ) { |
56 | | // Translate "a != b" to "(b - a) != 0". |
57 | | // We invert the order of the operands as a heuristic for how loop |
58 | | // conditions are usually written ("begin != end") as compared to length |
59 | | // calculations ("end - begin"). The more correct thing to do would be |
60 | | // to canonicalize "a - b" and "b - a", which would allow us to treat |
61 | | // "a != b" and "b != a" the same. |
62 | | |
63 | 982 | SymbolManager &SymMgr = getSymbolManager(); |
64 | 982 | QualType DiffTy = SymMgr.getContext().getPointerDiffType(); |
65 | 982 | SymbolRef Subtraction = |
66 | 982 | SymMgr.getSymSymExpr(SSE->getRHS(), BO_Sub, SSE->getLHS(), DiffTy); |
67 | | |
68 | 982 | const llvm::APSInt &Zero = getBasicVals().getValue(0, DiffTy); |
69 | 982 | Op = BinaryOperator::reverseComparisonOp(Op); |
70 | 982 | if (!Assumption) |
71 | 491 | Op = BinaryOperator::negateComparisonOp(Op); |
72 | 982 | return assumeSymRel(State, Subtraction, Op, Zero); |
73 | 982 | } |
74 | | |
75 | 12 | if (BinaryOperator::isEqualityOp(Op)) { |
76 | 12 | SymbolManager &SymMgr = getSymbolManager(); |
77 | | |
78 | 12 | QualType ExprType = SSE->getType(); |
79 | 12 | SymbolRef CanonicalEquality = |
80 | 12 | SymMgr.getSymSymExpr(SSE->getLHS(), BO_EQ, SSE->getRHS(), ExprType); |
81 | | |
82 | 12 | bool WasEqual = SSE->getOpcode() == BO_EQ; |
83 | 12 | bool IsExpectedEqual = WasEqual == Assumption; |
84 | | |
85 | 12 | const llvm::APSInt &Zero = getBasicVals().getValue(0, ExprType); |
86 | | |
87 | 12 | if (IsExpectedEqual) { |
88 | 6 | return assumeSymNE(State, CanonicalEquality, Zero, Zero); |
89 | 6 | } |
90 | | |
91 | 6 | return assumeSymEQ(State, CanonicalEquality, Zero, Zero); |
92 | 12 | } |
93 | 12 | } |
94 | 996 | } |
95 | | |
96 | | // If we get here, there's nothing else we can do but treat the symbol as |
97 | | // opaque. |
98 | 2 | return assumeSymUnsupported(State, Sym, Assumption); |
99 | 996 | } |
100 | | |
101 | | ProgramStateRef RangedConstraintManager::assumeSymInclusiveRange( |
102 | | ProgramStateRef State, SymbolRef Sym, const llvm::APSInt &From, |
103 | 12.6k | const llvm::APSInt &To, bool InRange) { |
104 | | |
105 | 12.6k | Sym = simplify(State, Sym); |
106 | | |
107 | | // Get the type used for calculating wraparound. |
108 | 12.6k | BasicValueFactory &BVF = getBasicVals(); |
109 | 12.6k | APSIntType WraparoundType = BVF.getAPSIntType(Sym->getType()); |
110 | | |
111 | 12.6k | llvm::APSInt Adjustment = WraparoundType.getZeroValue(); |
112 | 12.6k | SymbolRef AdjustedSym = Sym; |
113 | 12.6k | computeAdjustment(AdjustedSym, Adjustment); |
114 | | |
115 | | // Convert the right-hand side integer as necessary. |
116 | 12.6k | APSIntType ComparisonType = std::max(WraparoundType, APSIntType(From)); |
117 | 12.6k | llvm::APSInt ConvertedFrom = ComparisonType.convert(From); |
118 | 12.6k | llvm::APSInt ConvertedTo = ComparisonType.convert(To); |
119 | | |
120 | | // Prefer unsigned comparisons. |
121 | 12.6k | if (ComparisonType.getBitWidth() == WraparoundType.getBitWidth() && |
122 | 12.6k | ComparisonType.isUnsigned()12.5k && !WraparoundType.isUnsigned()350 ) |
123 | 8 | Adjustment.setIsSigned(false); |
124 | | |
125 | 12.6k | if (InRange) |
126 | 6.30k | return assumeSymWithinInclusiveRange(State, AdjustedSym, ConvertedFrom, |
127 | 6.30k | ConvertedTo, Adjustment); |
128 | 6.30k | return assumeSymOutsideInclusiveRange(State, AdjustedSym, ConvertedFrom, |
129 | 6.30k | ConvertedTo, Adjustment); |
130 | 12.6k | } |
131 | | |
132 | | ProgramStateRef |
133 | | RangedConstraintManager::assumeSymUnsupported(ProgramStateRef State, |
134 | 40.8k | SymbolRef Sym, bool Assumption) { |
135 | 40.8k | Sym = simplify(State, Sym); |
136 | | |
137 | 40.8k | BasicValueFactory &BVF = getBasicVals(); |
138 | 40.8k | QualType T = Sym->getType(); |
139 | | |
140 | | // Non-integer types are not supported. |
141 | 40.8k | if (!T->isIntegralOrEnumerationType()) |
142 | 4 | return State; |
143 | | |
144 | | // Reverse the operation and add directly to state. |
145 | 40.8k | const llvm::APSInt &Zero = BVF.getValue(0, T); |
146 | 40.8k | if (Assumption) |
147 | 20.4k | return assumeSymNE(State, Sym, Zero, Zero); |
148 | 20.4k | else |
149 | 20.4k | return assumeSymEQ(State, Sym, Zero, Zero); |
150 | 40.8k | } |
151 | | |
152 | | ProgramStateRef RangedConstraintManager::assumeSymRel(ProgramStateRef State, |
153 | | SymbolRef Sym, |
154 | | BinaryOperator::Opcode Op, |
155 | 237k | const llvm::APSInt &Int) { |
156 | 237k | assert(BinaryOperator::isComparisonOp(Op) && |
157 | 237k | "Non-comparison ops should be rewritten as comparisons to zero."); |
158 | | |
159 | | // Simplification: translate an assume of a constraint of the form |
160 | | // "(exp comparison_op expr) != 0" to true into an assume of |
161 | | // "exp comparison_op expr" to true. (And similarly, an assume of the form |
162 | | // "(exp comparison_op expr) == 0" to true into an assume of |
163 | | // "exp comparison_op expr" to false.) |
164 | 237k | if (Int == 0 && (177k Op == BO_EQ177k || Op == BO_NE92.6k )) { |
165 | 169k | if (const BinarySymExpr *SE = dyn_cast<BinarySymExpr>(Sym)) |
166 | 38.8k | if (BinaryOperator::isComparisonOp(SE->getOpcode())) |
167 | 212 | return assumeSym(State, Sym, (Op == BO_NE ? true106 : false106 )); |
168 | 169k | } |
169 | | |
170 | | // Get the type used for calculating wraparound. |
171 | 237k | BasicValueFactory &BVF = getBasicVals(); |
172 | 237k | APSIntType WraparoundType = BVF.getAPSIntType(Sym->getType()); |
173 | | |
174 | | // We only handle simple comparisons of the form "$sym == constant" |
175 | | // or "($sym+constant1) == constant2". |
176 | | // The adjustment is "constant1" in the above expression. It's used to |
177 | | // "slide" the solution range around for modular arithmetic. For example, |
178 | | // x < 4 has the solution [0, 3]. x+2 < 4 has the solution [0-2, 3-2], which |
179 | | // in modular arithmetic is [0, 1] U [UINT_MAX-1, UINT_MAX]. It's up to |
180 | | // the subclasses of SimpleConstraintManager to handle the adjustment. |
181 | 237k | llvm::APSInt Adjustment = WraparoundType.getZeroValue(); |
182 | 237k | computeAdjustment(Sym, Adjustment); |
183 | | |
184 | | // Convert the right-hand side integer as necessary. |
185 | 237k | APSIntType ComparisonType = std::max(WraparoundType, APSIntType(Int)); |
186 | 237k | llvm::APSInt ConvertedInt = ComparisonType.convert(Int); |
187 | | |
188 | | // Prefer unsigned comparisons. |
189 | 237k | if (ComparisonType.getBitWidth() == WraparoundType.getBitWidth() && |
190 | 237k | ComparisonType.isUnsigned()234k && !WraparoundType.isUnsigned()132k ) |
191 | 534 | Adjustment.setIsSigned(false); |
192 | | |
193 | 237k | switch (Op) { |
194 | 0 | default: |
195 | 0 | llvm_unreachable("invalid operation not caught by assertion above"); |
196 | |
|
197 | 87.8k | case BO_EQ: |
198 | 87.8k | return assumeSymEQ(State, Sym, ConvertedInt, Adjustment); |
199 | | |
200 | 87.8k | case BO_NE: |
201 | 87.8k | return assumeSymNE(State, Sym, ConvertedInt, Adjustment); |
202 | | |
203 | 16.2k | case BO_GT: |
204 | 16.2k | return assumeSymGT(State, Sym, ConvertedInt, Adjustment); |
205 | | |
206 | 14.7k | case BO_GE: |
207 | 14.7k | return assumeSymGE(State, Sym, ConvertedInt, Adjustment); |
208 | | |
209 | 14.7k | case BO_LT: |
210 | 14.7k | return assumeSymLT(State, Sym, ConvertedInt, Adjustment); |
211 | | |
212 | 16.2k | case BO_LE: |
213 | 16.2k | return assumeSymLE(State, Sym, ConvertedInt, Adjustment); |
214 | 237k | } // end switch |
215 | 237k | } |
216 | | |
217 | | void RangedConstraintManager::computeAdjustment(SymbolRef &Sym, |
218 | 250k | llvm::APSInt &Adjustment) { |
219 | | // Is it a "($sym+constant1)" expression? |
220 | 250k | if (const SymIntExpr *SE = dyn_cast<SymIntExpr>(Sym)) { |
221 | 42.7k | BinaryOperator::Opcode Op = SE->getOpcode(); |
222 | 42.7k | if (Op == BO_Add || Op == BO_Sub40.1k ) { |
223 | 3.96k | Sym = SE->getLHS(); |
224 | 3.96k | Adjustment = APSIntType(Adjustment).convert(SE->getRHS()); |
225 | | |
226 | | // Don't forget to negate the adjustment if it's being subtracted. |
227 | | // This should happen /after/ promotion, in case the value being |
228 | | // subtracted is, say, CHAR_MIN, and the promoted type is 'int'. |
229 | 3.96k | if (Op == BO_Sub) |
230 | 1.40k | Adjustment = -Adjustment; |
231 | 3.96k | } |
232 | 42.7k | } |
233 | 250k | } |
234 | | |
235 | 1.24M | SVal simplifyToSVal(ProgramStateRef State, SymbolRef Sym) { |
236 | 1.24M | SValBuilder &SVB = State->getStateManager().getSValBuilder(); |
237 | 1.24M | return SVB.simplifySVal(State, SVB.makeSymbolVal(Sym)); |
238 | 1.24M | } |
239 | | |
240 | 297k | SymbolRef simplify(ProgramStateRef State, SymbolRef Sym) { |
241 | 297k | SVal SimplifiedVal = simplifyToSVal(State, Sym); |
242 | 297k | if (SymbolRef SimplifiedSym = SimplifiedVal.getAsSymbol()) |
243 | 294k | return SimplifiedSym; |
244 | 2.57k | return Sym; |
245 | 297k | } |
246 | | |
247 | | } // end of namespace ento |
248 | | } // end of namespace clang |