1// SimpleSValBuilder.cpp - A basic SValBuilder -----------------------*- C++ -*- 2// 3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4// See https://llvm.org/LICENSE.txt for license information. 5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6// 7//===----------------------------------------------------------------------===// 8// 9// This file defines SimpleSValBuilder, a basic implementation of SValBuilder. 10// 11//===----------------------------------------------------------------------===// 12 13#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" 14#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" 15#include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" 16#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 17#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 18#include "clang/StaticAnalyzer/Core/PathSensitive/SValVisitor.h" 19 20using namespace clang; 21using namespace ento; 22 23namespace { 24class SimpleSValBuilder : public SValBuilder { 25public: 26 SimpleSValBuilder(llvm::BumpPtrAllocator &alloc, ASTContext &context, 27 ProgramStateManager &stateMgr) 28 : SValBuilder(alloc, context, stateMgr) {} 29 ~SimpleSValBuilder() override {} 30 31 SVal evalMinus(NonLoc val) override; 32 SVal evalComplement(NonLoc val) override; 33 SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, 34 NonLoc lhs, NonLoc rhs, QualType resultTy) override; 35 SVal evalBinOpLL(ProgramStateRef state, BinaryOperator::Opcode op, 36 Loc lhs, Loc rhs, QualType resultTy) override; 37 SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op, 38 Loc lhs, NonLoc rhs, QualType resultTy) override; 39 40 /// getKnownValue - evaluates a given SVal. If the SVal has only one possible 41 /// (integer) value, that value is returned. Otherwise, returns NULL. 42 const llvm::APSInt *getKnownValue(ProgramStateRef state, SVal V) override; 43 44 /// Recursively descends into symbolic expressions and replaces symbols 45 /// with their known values (in the sense of the getKnownValue() method). 46 SVal simplifySVal(ProgramStateRef State, SVal V) override; 47 48 SVal MakeSymIntVal(const SymExpr *LHS, BinaryOperator::Opcode op, 49 const llvm::APSInt &RHS, QualType resultTy); 50}; 51} // end anonymous namespace 52 53SValBuilder *ento::createSimpleSValBuilder(llvm::BumpPtrAllocator &alloc, 54 ASTContext &context, 55 ProgramStateManager &stateMgr) { 56 return new SimpleSValBuilder(alloc, context, stateMgr); 57} 58 59//===----------------------------------------------------------------------===// 60// Transfer function for unary operators. 61//===----------------------------------------------------------------------===// 62 63SVal SimpleSValBuilder::evalMinus(NonLoc val) { 64 switch (val.getSubKind()) { 65 case nonloc::ConcreteIntKind: 66 return val.castAs<nonloc::ConcreteInt>().evalMinus(*this); 67 default: 68 return UnknownVal(); 69 } 70} 71 72SVal SimpleSValBuilder::evalComplement(NonLoc X) { 73 switch (X.getSubKind()) { 74 case nonloc::ConcreteIntKind: 75 return X.castAs<nonloc::ConcreteInt>().evalComplement(*this); 76 default: 77 return UnknownVal(); 78 } 79} 80 81//===----------------------------------------------------------------------===// 82// Transfer function for binary operators. 83//===----------------------------------------------------------------------===// 84 85SVal SimpleSValBuilder::MakeSymIntVal(const SymExpr *LHS, 86 BinaryOperator::Opcode op, 87 const llvm::APSInt &RHS, 88 QualType resultTy) { 89 bool isIdempotent = false; 90 91 // Check for a few special cases with known reductions first. 92 switch (op) { 93 default: 94 // We can't reduce this case; just treat it normally. 95 break; 96 case BO_Mul: 97 // a*0 and a*1 98 if (RHS == 0) 99 return makeIntVal(0, resultTy); 100 else if (RHS == 1) 101 isIdempotent = true; 102 break; 103 case BO_Div: 104 // a/0 and a/1 105 if (RHS == 0) 106 // This is also handled elsewhere. 107 return UndefinedVal(); 108 else if (RHS == 1) 109 isIdempotent = true; 110 break; 111 case BO_Rem: 112 // a%0 and a%1 113 if (RHS == 0) 114 // This is also handled elsewhere. 115 return UndefinedVal(); 116 else if (RHS == 1) 117 return makeIntVal(0, resultTy); 118 break; 119 case BO_Add: 120 case BO_Sub: 121 case BO_Shl: 122 case BO_Shr: 123 case BO_Xor: 124 // a+0, a-0, a<<0, a>>0, a^0 125 if (RHS == 0) 126 isIdempotent = true; 127 break; 128 case BO_And: 129 // a&0 and a&(~0) 130 if (RHS == 0) 131 return makeIntVal(0, resultTy); 132 else if (RHS.isAllOnesValue()) 133 isIdempotent = true; 134 break; 135 case BO_Or: 136 // a|0 and a|(~0) 137 if (RHS == 0) 138 isIdempotent = true; 139 else if (RHS.isAllOnesValue()) { 140 const llvm::APSInt &Result = BasicVals.Convert(resultTy, RHS); 141 return nonloc::ConcreteInt(Result); 142 } 143 break; 144 } 145 146 // Idempotent ops (like a*1) can still change the type of an expression. 147 // Wrap the LHS up in a NonLoc again and let evalCast do the 148 // dirty work. 149 if (isIdempotent) 150 return evalCast(nonloc::SymbolVal(LHS), resultTy, QualType{}); 151 152 // If we reach this point, the expression cannot be simplified. 153 // Make a SymbolVal for the entire expression, after converting the RHS. 154 const llvm::APSInt *ConvertedRHS = &RHS; 155 if (BinaryOperator::isComparisonOp(op)) { 156 // We're looking for a type big enough to compare the symbolic value 157 // with the given constant. 158 // FIXME: This is an approximation of Sema::UsualArithmeticConversions. 159 ASTContext &Ctx = getContext(); 160 QualType SymbolType = LHS->getType(); 161 uint64_t ValWidth = RHS.getBitWidth(); 162 uint64_t TypeWidth = Ctx.getTypeSize(SymbolType); 163 164 if (ValWidth < TypeWidth) { 165 // If the value is too small, extend it. 166 ConvertedRHS = &BasicVals.Convert(SymbolType, RHS); 167 } else if (ValWidth == TypeWidth) { 168 // If the value is signed but the symbol is unsigned, do the comparison 169 // in unsigned space. [C99 6.3.1.8] 170 // (For the opposite case, the value is already unsigned.) 171 if (RHS.isSigned() && !SymbolType->isSignedIntegerOrEnumerationType()) 172 ConvertedRHS = &BasicVals.Convert(SymbolType, RHS); 173 } 174 } else 175 ConvertedRHS = &BasicVals.Convert(resultTy, RHS); 176 177 return makeNonLoc(LHS, op, *ConvertedRHS, resultTy); 178} 179 180// See if Sym is known to be a relation Rel with Bound. 181static bool isInRelation(BinaryOperator::Opcode Rel, SymbolRef Sym, 182 llvm::APSInt Bound, ProgramStateRef State) { 183 SValBuilder &SVB = State->getStateManager().getSValBuilder(); 184 SVal Result = 185 SVB.evalBinOpNN(State, Rel, nonloc::SymbolVal(Sym), 186 nonloc::ConcreteInt(Bound), SVB.getConditionType()); 187 if (auto DV = Result.getAs<DefinedSVal>()) { 188 return !State->assume(*DV, false); 189 } 190 return false; 191} 192 193// See if Sym is known to be within [min/4, max/4], where min and max 194// are the bounds of the symbol's integral type. With such symbols, 195// some manipulations can be performed without the risk of overflow. 196// assume() doesn't cause infinite recursion because we should be dealing 197// with simpler symbols on every recursive call. 198static bool isWithinConstantOverflowBounds(SymbolRef Sym, 199 ProgramStateRef State) { 200 SValBuilder &SVB = State->getStateManager().getSValBuilder(); 201 BasicValueFactory &BV = SVB.getBasicValueFactory(); 202 203 QualType T = Sym->getType(); 204 assert(T->isSignedIntegerOrEnumerationType() && 205 "This only works with signed integers!"); 206 APSIntType AT = BV.getAPSIntType(T); 207 208 llvm::APSInt Max = AT.getMaxValue() / AT.getValue(4), Min = -Max; 209 return isInRelation(BO_LE, Sym, Max, State) && 210 isInRelation(BO_GE, Sym, Min, State); 211} 212 213// Same for the concrete integers: see if I is within [min/4, max/4]. 214static bool isWithinConstantOverflowBounds(llvm::APSInt I) { 215 APSIntType AT(I); 216 assert(!AT.isUnsigned() && 217 "This only works with signed integers!"); 218 219 llvm::APSInt Max = AT.getMaxValue() / AT.getValue(4), Min = -Max; 220 return (I <= Max) && (I >= -Max); 221} 222 223static std::pair<SymbolRef, llvm::APSInt> 224decomposeSymbol(SymbolRef Sym, BasicValueFactory &BV) { 225 if (const auto *SymInt = dyn_cast<SymIntExpr>(Sym)) 226 if (BinaryOperator::isAdditiveOp(SymInt->getOpcode())) 227 return std::make_pair(SymInt->getLHS(), 228 (SymInt->getOpcode() == BO_Add) ? 229 (SymInt->getRHS()) : 230 (-SymInt->getRHS())); 231 232 // Fail to decompose: "reduce" the problem to the "$x + 0" case. 233 return std::make_pair(Sym, BV.getValue(0, Sym->getType())); 234} 235 236// Simplify "(LSym + LInt) Op (RSym + RInt)" assuming all values are of the 237// same signed integral type and no overflows occur (which should be checked 238// by the caller). 239static NonLoc doRearrangeUnchecked(ProgramStateRef State, 240 BinaryOperator::Opcode Op, 241 SymbolRef LSym, llvm::APSInt LInt, 242 SymbolRef RSym, llvm::APSInt RInt) { 243 SValBuilder &SVB = State->getStateManager().getSValBuilder(); 244 BasicValueFactory &BV = SVB.getBasicValueFactory(); 245 SymbolManager &SymMgr = SVB.getSymbolManager(); 246 247 QualType SymTy = LSym->getType(); 248 assert(SymTy == RSym->getType() && 249 "Symbols are not of the same type!"); 250 assert(APSIntType(LInt) == BV.getAPSIntType(SymTy) && 251 "Integers are not of the same type as symbols!"); 252 assert(APSIntType(RInt) == BV.getAPSIntType(SymTy) && 253 "Integers are not of the same type as symbols!"); 254 255 QualType ResultTy; 256 if (BinaryOperator::isComparisonOp(Op)) 257 ResultTy = SVB.getConditionType(); 258 else if (BinaryOperator::isAdditiveOp(Op)) 259 ResultTy = SymTy; 260 else 261 llvm_unreachable("Operation not suitable for unchecked rearrangement!"); 262 263 // FIXME: Can we use assume() without getting into an infinite recursion? 264 if (LSym == RSym) 265 return SVB.evalBinOpNN(State, Op, nonloc::ConcreteInt(LInt), 266 nonloc::ConcreteInt(RInt), ResultTy) 267 .castAs<NonLoc>(); 268 269 SymbolRef ResultSym = nullptr; 270 BinaryOperator::Opcode ResultOp; 271 llvm::APSInt ResultInt; 272 if (BinaryOperator::isComparisonOp(Op)) { 273 // Prefer comparing to a non-negative number. 274 // FIXME: Maybe it'd be better to have consistency in 275 // "$x - $y" vs. "$y - $x" because those are solver's keys. 276 if (LInt > RInt) { 277 ResultSym = SymMgr.getSymSymExpr(RSym, BO_Sub, LSym, SymTy); 278 ResultOp = BinaryOperator::reverseComparisonOp(Op); 279 ResultInt = LInt - RInt; // Opposite order! 280 } else { 281 ResultSym = SymMgr.getSymSymExpr(LSym, BO_Sub, RSym, SymTy); 282 ResultOp = Op; 283 ResultInt = RInt - LInt; // Opposite order! 284 } 285 } else { 286 ResultSym = SymMgr.getSymSymExpr(LSym, Op, RSym, SymTy); 287 ResultInt = (Op == BO_Add) ? (LInt + RInt) : (LInt - RInt); 288 ResultOp = BO_Add; 289 // Bring back the cosmetic difference. 290 if (ResultInt < 0) { 291 ResultInt = -ResultInt; 292 ResultOp = BO_Sub; 293 } else if (ResultInt == 0) { 294 // Shortcut: Simplify "$x + 0" to "$x". 295 return nonloc::SymbolVal(ResultSym); 296 } 297 } 298 const llvm::APSInt &PersistentResultInt = BV.getValue(ResultInt); 299 return nonloc::SymbolVal( 300 SymMgr.getSymIntExpr(ResultSym, ResultOp, PersistentResultInt, ResultTy)); 301} 302 303// Rearrange if symbol type matches the result type and if the operator is a 304// comparison operator, both symbol and constant must be within constant 305// overflow bounds. 306static bool shouldRearrange(ProgramStateRef State, BinaryOperator::Opcode Op, 307 SymbolRef Sym, llvm::APSInt Int, QualType Ty) { 308 return Sym->getType() == Ty && 309 (!BinaryOperator::isComparisonOp(Op) || 310 (isWithinConstantOverflowBounds(Sym, State) && 311 isWithinConstantOverflowBounds(Int))); 312} 313 314static Optional<NonLoc> tryRearrange(ProgramStateRef State, 315 BinaryOperator::Opcode Op, NonLoc Lhs, 316 NonLoc Rhs, QualType ResultTy) { 317 ProgramStateManager &StateMgr = State->getStateManager(); 318 SValBuilder &SVB = StateMgr.getSValBuilder(); 319 320 // We expect everything to be of the same type - this type. 321 QualType SingleTy; 322 323 auto &Opts = 324 StateMgr.getOwningEngine().getAnalysisManager().getAnalyzerOptions(); 325 326 // FIXME: After putting complexity threshold to the symbols we can always 327 // rearrange additive operations but rearrange comparisons only if 328 // option is set. 329 if(!Opts.ShouldAggressivelySimplifyBinaryOperation) 330 return None; 331 332 SymbolRef LSym = Lhs.getAsSymbol(); 333 if (!LSym) 334 return None; 335 336 if (BinaryOperator::isComparisonOp(Op)) { 337 SingleTy = LSym->getType(); 338 if (ResultTy != SVB.getConditionType()) 339 return None; 340 // Initialize SingleTy later with a symbol's type. 341 } else if (BinaryOperator::isAdditiveOp(Op)) { 342 SingleTy = ResultTy; 343 if (LSym->getType() != SingleTy) 344 return None; 345 } else { 346 // Don't rearrange other operations. 347 return None; 348 } 349 350 assert(!SingleTy.isNull() && "We should have figured out the type by now!"); 351 352 // Rearrange signed symbolic expressions only 353 if (!SingleTy->isSignedIntegerOrEnumerationType()) 354 return None; 355 356 SymbolRef RSym = Rhs.getAsSymbol(); 357 if (!RSym || RSym->getType() != SingleTy) 358 return None; 359 360 BasicValueFactory &BV = State->getBasicVals(); 361 llvm::APSInt LInt, RInt; 362 std::tie(LSym, LInt) = decomposeSymbol(LSym, BV); 363 std::tie(RSym, RInt) = decomposeSymbol(RSym, BV); 364 if (!shouldRearrange(State, Op, LSym, LInt, SingleTy) || 365 !shouldRearrange(State, Op, RSym, RInt, SingleTy)) 366 return None; 367 368 // We know that no overflows can occur anymore. 369 return doRearrangeUnchecked(State, Op, LSym, LInt, RSym, RInt); 370} 371 372SVal SimpleSValBuilder::evalBinOpNN(ProgramStateRef state, 373 BinaryOperator::Opcode op, 374 NonLoc lhs, NonLoc rhs, 375 QualType resultTy) { 376 NonLoc InputLHS = lhs; 377 NonLoc InputRHS = rhs; 378 379 // Handle trivial case where left-side and right-side are the same. 380 if (lhs == rhs) 381 switch (op) { 382 default: 383 break; 384 case BO_EQ: 385 case BO_LE: 386 case BO_GE: 387 return makeTruthVal(true, resultTy); 388 case BO_LT: 389 case BO_GT: 390 case BO_NE: 391 return makeTruthVal(false, resultTy); 392 case BO_Xor: 393 case BO_Sub: 394 if (resultTy->isIntegralOrEnumerationType()) 395 return makeIntVal(0, resultTy); 396 return evalCast(makeIntVal(0, /*isUnsigned=*/false), resultTy, 397 QualType{}); 398 case BO_Or: 399 case BO_And: 400 return evalCast(lhs, resultTy, QualType{}); 401 } 402 403 while (1) { 404 switch (lhs.getSubKind()) { 405 default: 406 return makeSymExprValNN(op, lhs, rhs, resultTy); 407 case nonloc::PointerToMemberKind: { 408 assert(rhs.getSubKind() == nonloc::PointerToMemberKind && 409 "Both SVals should have pointer-to-member-type"); 410 auto LPTM = lhs.castAs<nonloc::PointerToMember>(), 411 RPTM = rhs.castAs<nonloc::PointerToMember>(); 412 auto LPTMD = LPTM.getPTMData(), RPTMD = RPTM.getPTMData(); 413 switch (op) { 414 case BO_EQ: 415 return makeTruthVal(LPTMD == RPTMD, resultTy); 416 case BO_NE: 417 return makeTruthVal(LPTMD != RPTMD, resultTy); 418 default: 419 return UnknownVal(); 420 } 421 } 422 case nonloc::LocAsIntegerKind: { 423 Loc lhsL = lhs.castAs<nonloc::LocAsInteger>().getLoc(); 424 switch (rhs.getSubKind()) { 425 case nonloc::LocAsIntegerKind: 426 // FIXME: at the moment the implementation 427 // of modeling "pointers as integers" is not complete. 428 if (!BinaryOperator::isComparisonOp(op)) 429 return UnknownVal(); 430 return evalBinOpLL(state, op, lhsL, 431 rhs.castAs<nonloc::LocAsInteger>().getLoc(), 432 resultTy); 433 case nonloc::ConcreteIntKind: { 434 // FIXME: at the moment the implementation 435 // of modeling "pointers as integers" is not complete. 436 if (!BinaryOperator::isComparisonOp(op)) 437 return UnknownVal(); 438 // Transform the integer into a location and compare. 439 // FIXME: This only makes sense for comparisons. If we want to, say, 440 // add 1 to a LocAsInteger, we'd better unpack the Loc and add to it, 441 // then pack it back into a LocAsInteger. 442 llvm::APSInt i = rhs.castAs<nonloc::ConcreteInt>().getValue(); 443 // If the region has a symbolic base, pay attention to the type; it 444 // might be coming from a non-default address space. For non-symbolic 445 // regions it doesn't matter that much because such comparisons would 446 // most likely evaluate to concrete false anyway. FIXME: We might 447 // still need to handle the non-comparison case. 448 if (SymbolRef lSym = lhs.getAsLocSymbol(true)) 449 BasicVals.getAPSIntType(lSym->getType()).apply(i); 450 else 451 BasicVals.getAPSIntType(Context.VoidPtrTy).apply(i); 452 return evalBinOpLL(state, op, lhsL, makeLoc(i), resultTy); 453 } 454 default: 455 switch (op) { 456 case BO_EQ: 457 return makeTruthVal(false, resultTy); 458 case BO_NE: 459 return makeTruthVal(true, resultTy); 460 default: 461 // This case also handles pointer arithmetic. 462 return makeSymExprValNN(op, InputLHS, InputRHS, resultTy); 463 } 464 } 465 } 466 case nonloc::ConcreteIntKind: { 467 llvm::APSInt LHSValue = lhs.castAs<nonloc::ConcreteInt>().getValue(); 468 469 // If we're dealing with two known constants, just perform the operation. 470 if (const llvm::APSInt *KnownRHSValue = getKnownValue(state, rhs)) { 471 llvm::APSInt RHSValue = *KnownRHSValue; 472 if (BinaryOperator::isComparisonOp(op)) { 473 // We're looking for a type big enough to compare the two values. 474 // FIXME: This is not correct. char + short will result in a promotion 475 // to int. Unfortunately we have lost types by this point. 476 APSIntType CompareType = std::max(APSIntType(LHSValue), 477 APSIntType(RHSValue)); 478 CompareType.apply(LHSValue); 479 CompareType.apply(RHSValue); 480 } else if (!BinaryOperator::isShiftOp(op)) { 481 APSIntType IntType = BasicVals.getAPSIntType(resultTy); 482 IntType.apply(LHSValue); 483 IntType.apply(RHSValue); 484 } 485 486 const llvm::APSInt *Result = 487 BasicVals.evalAPSInt(op, LHSValue, RHSValue); 488 if (!Result) 489 return UndefinedVal(); 490 491 return nonloc::ConcreteInt(*Result); 492 } 493 494 // Swap the left and right sides and flip the operator if doing so 495 // allows us to better reason about the expression (this is a form 496 // of expression canonicalization). 497 // While we're at it, catch some special cases for non-commutative ops. 498 switch (op) { 499 case BO_LT: 500 case BO_GT: 501 case BO_LE: 502 case BO_GE: 503 op = BinaryOperator::reverseComparisonOp(op); 504 LLVM_FALLTHROUGH; 505 case BO_EQ: 506 case BO_NE: 507 case BO_Add: 508 case BO_Mul: 509 case BO_And: 510 case BO_Xor: 511 case BO_Or: 512 std::swap(lhs, rhs); 513 continue; 514 case BO_Shr: 515 // (~0)>>a 516 if (LHSValue.isAllOnesValue() && LHSValue.isSigned()) 517 return evalCast(lhs, resultTy, QualType{}); 518 LLVM_FALLTHROUGH; 519 case BO_Shl: 520 // 0<<a and 0>>a 521 if (LHSValue == 0) 522 return evalCast(lhs, resultTy, QualType{}); 523 return makeSymExprValNN(op, InputLHS, InputRHS, resultTy); 524 case BO_Div: 525 // 0 / x == 0 526 case BO_Rem: 527 // 0 % x == 0 528 if (LHSValue == 0) 529 return makeZeroVal(resultTy); 530 LLVM_FALLTHROUGH; 531 default: 532 return makeSymExprValNN(op, InputLHS, InputRHS, resultTy); 533 } 534 } 535 case nonloc::SymbolValKind: { 536 // We only handle LHS as simple symbols or SymIntExprs. 537 SymbolRef Sym = lhs.castAs<nonloc::SymbolVal>().getSymbol(); 538 539 // LHS is a symbolic expression. 540 if (const SymIntExpr *symIntExpr = dyn_cast<SymIntExpr>(Sym)) { 541 542 // Is this a logical not? (!x is represented as x == 0.) 543 if (op == BO_EQ && rhs.isZeroConstant()) { 544 // We know how to negate certain expressions. Simplify them here. 545 546 BinaryOperator::Opcode opc = symIntExpr->getOpcode(); 547 switch (opc) { 548 default: 549 // We don't know how to negate this operation. 550 // Just handle it as if it were a normal comparison to 0. 551 break; 552 case BO_LAnd: 553 case BO_LOr: 554 llvm_unreachable("Logical operators handled by branching logic."); 555 case BO_Assign: 556 case BO_MulAssign: 557 case BO_DivAssign: 558 case BO_RemAssign: 559 case BO_AddAssign: 560 case BO_SubAssign: 561 case BO_ShlAssign: 562 case BO_ShrAssign: 563 case BO_AndAssign: 564 case BO_XorAssign: 565 case BO_OrAssign: 566 case BO_Comma: 567 llvm_unreachable("'=' and ',' operators handled by ExprEngine."); 568 case BO_PtrMemD: 569 case BO_PtrMemI: 570 llvm_unreachable("Pointer arithmetic not handled here."); 571 case BO_LT: 572 case BO_GT: 573 case BO_LE: 574 case BO_GE: 575 case BO_EQ: 576 case BO_NE: 577 assert(resultTy->isBooleanType() || 578 resultTy == getConditionType()); 579 assert(symIntExpr->getType()->isBooleanType() || 580 getContext().hasSameUnqualifiedType(symIntExpr->getType(), 581 getConditionType())); 582 // Negate the comparison and make a value. 583 opc = BinaryOperator::negateComparisonOp(opc); 584 return makeNonLoc(symIntExpr->getLHS(), opc, 585 symIntExpr->getRHS(), resultTy); 586 } 587 } 588 589 // For now, only handle expressions whose RHS is a constant. 590 if (const llvm::APSInt *RHSValue = getKnownValue(state, rhs)) { 591 // If both the LHS and the current expression are additive, 592 // fold their constants and try again. 593 if (BinaryOperator::isAdditiveOp(op)) { 594 BinaryOperator::Opcode lop = symIntExpr->getOpcode(); 595 if (BinaryOperator::isAdditiveOp(lop)) { 596 // Convert the two constants to a common type, then combine them. 597 598 // resultTy may not be the best type to convert to, but it's 599 // probably the best choice in expressions with mixed type 600 // (such as x+1U+2LL). The rules for implicit conversions should 601 // choose a reasonable type to preserve the expression, and will 602 // at least match how the value is going to be used. 603 APSIntType IntType = BasicVals.getAPSIntType(resultTy); 604 const llvm::APSInt &first = IntType.convert(symIntExpr->getRHS()); 605 const llvm::APSInt &second = IntType.convert(*RHSValue); 606 607 const llvm::APSInt *newRHS; 608 if (lop == op) 609 newRHS = BasicVals.evalAPSInt(BO_Add, first, second); 610 else 611 newRHS = BasicVals.evalAPSInt(BO_Sub, first, second); 612 613 assert(newRHS && "Invalid operation despite common type!"); 614 rhs = nonloc::ConcreteInt(*newRHS); 615 lhs = nonloc::SymbolVal(symIntExpr->getLHS()); 616 op = lop; 617 continue; 618 } 619 } 620 621 // Otherwise, make a SymIntExpr out of the expression. 622 return MakeSymIntVal(symIntExpr, op, *RHSValue, resultTy); 623 } 624 } 625 626 // Does the symbolic expression simplify to a constant? 627 // If so, "fold" the constant by setting 'lhs' to a ConcreteInt 628 // and try again. 629 SVal simplifiedLhs = simplifySVal(state, lhs); 630 if (simplifiedLhs != lhs) 631 if (auto simplifiedLhsAsNonLoc = simplifiedLhs.getAs<NonLoc>()) { 632 lhs = *simplifiedLhsAsNonLoc; 633 continue; 634 } 635 636 // Is the RHS a constant? 637 if (const llvm::APSInt *RHSValue = getKnownValue(state, rhs)) 638 return MakeSymIntVal(Sym, op, *RHSValue, resultTy); 639 640 if (Optional<NonLoc> V = tryRearrange(state, op, lhs, rhs, resultTy)) 641 return *V; 642 643 // Give up -- this is not a symbolic expression we can handle. 644 return makeSymExprValNN(op, InputLHS, InputRHS, resultTy); 645 } 646 } 647 } 648} 649 650static SVal evalBinOpFieldRegionFieldRegion(const FieldRegion *LeftFR, 651 const FieldRegion *RightFR, 652 BinaryOperator::Opcode op, 653 QualType resultTy, 654 SimpleSValBuilder &SVB) { 655 // Only comparisons are meaningful here! 656 if (!BinaryOperator::isComparisonOp(op)) 657 return UnknownVal(); 658 659 // Next, see if the two FRs have the same super-region. 660 // FIXME: This doesn't handle casts yet, and simply stripping the casts 661 // doesn't help. 662 if (LeftFR->getSuperRegion() != RightFR->getSuperRegion()) 663 return UnknownVal(); 664 665 const FieldDecl *LeftFD = LeftFR->getDecl(); 666 const FieldDecl *RightFD = RightFR->getDecl(); 667 const RecordDecl *RD = LeftFD->getParent(); 668 669 // Make sure the two FRs are from the same kind of record. Just in case! 670 // FIXME: This is probably where inheritance would be a problem. 671 if (RD != RightFD->getParent()) 672 return UnknownVal(); 673 674 // We know for sure that the two fields are not the same, since that 675 // would have given us the same SVal. 676 if (op == BO_EQ) 677 return SVB.makeTruthVal(false, resultTy); 678 if (op == BO_NE) 679 return SVB.makeTruthVal(true, resultTy); 680 681 // Iterate through the fields and see which one comes first. 682 // [C99 6.7.2.1.13] "Within a structure object, the non-bit-field 683 // members and the units in which bit-fields reside have addresses that 684 // increase in the order in which they are declared." 685 bool leftFirst = (op == BO_LT || op == BO_LE); 686 for (const auto *I : RD->fields()) { 687 if (I == LeftFD) 688 return SVB.makeTruthVal(leftFirst, resultTy); 689 if (I == RightFD) 690 return SVB.makeTruthVal(!leftFirst, resultTy); 691 } 692 693 llvm_unreachable("Fields not found in parent record's definition"); 694} 695 696// FIXME: all this logic will change if/when we have MemRegion::getLocation(). 697SVal SimpleSValBuilder::evalBinOpLL(ProgramStateRef state, 698 BinaryOperator::Opcode op, 699 Loc lhs, Loc rhs, 700 QualType resultTy) { 701 // Only comparisons and subtractions are valid operations on two pointers. 702 // See [C99 6.5.5 through 6.5.14] or [C++0x 5.6 through 5.15]. 703 // However, if a pointer is casted to an integer, evalBinOpNN may end up 704 // calling this function with another operation (PR7527). We don't attempt to 705 // model this for now, but it could be useful, particularly when the 706 // "location" is actually an integer value that's been passed through a void*. 707 if (!(BinaryOperator::isComparisonOp(op) || op == BO_Sub)) 708 return UnknownVal(); 709 710 // Special cases for when both sides are identical. 711 if (lhs == rhs) { 712 switch (op) { 713 default: 714 llvm_unreachable("Unimplemented operation for two identical values"); 715 case BO_Sub: 716 return makeZeroVal(resultTy); 717 case BO_EQ: 718 case BO_LE: 719 case BO_GE: 720 return makeTruthVal(true, resultTy); 721 case BO_NE: 722 case BO_LT: 723 case BO_GT: 724 return makeTruthVal(false, resultTy); 725 } 726 } 727 728 switch (lhs.getSubKind()) { 729 default: 730 llvm_unreachable("Ordering not implemented for this Loc."); 731 732 case loc::GotoLabelKind: 733 // The only thing we know about labels is that they're non-null. 734 if (rhs.isZeroConstant()) { 735 switch (op) { 736 default: 737 break; 738 case BO_Sub: 739 return evalCast(lhs, resultTy, QualType{}); 740 case BO_EQ: 741 case BO_LE: 742 case BO_LT: 743 return makeTruthVal(false, resultTy); 744 case BO_NE: 745 case BO_GT: 746 case BO_GE: 747 return makeTruthVal(true, resultTy); 748 } 749 } 750 // There may be two labels for the same location, and a function region may 751 // have the same address as a label at the start of the function (depending 752 // on the ABI). 753 // FIXME: we can probably do a comparison against other MemRegions, though. 754 // FIXME: is there a way to tell if two labels refer to the same location? 755 return UnknownVal(); 756 757 case loc::ConcreteIntKind: { 758 // If one of the operands is a symbol and the other is a constant, 759 // build an expression for use by the constraint manager. 760 if (SymbolRef rSym = rhs.getAsLocSymbol()) { 761 // We can only build expressions with symbols on the left, 762 // so we need a reversible operator. 763 if (!BinaryOperator::isComparisonOp(op) || op == BO_Cmp) 764 return UnknownVal(); 765 766 const llvm::APSInt &lVal = lhs.castAs<loc::ConcreteInt>().getValue(); 767 op = BinaryOperator::reverseComparisonOp(op); 768 return makeNonLoc(rSym, op, lVal, resultTy); 769 } 770 771 // If both operands are constants, just perform the operation. 772 if (Optional<loc::ConcreteInt> rInt = rhs.getAs<loc::ConcreteInt>()) { 773 SVal ResultVal = 774 lhs.castAs<loc::ConcreteInt>().evalBinOp(BasicVals, op, *rInt); 775 if (Optional<NonLoc> Result = ResultVal.getAs<NonLoc>()) 776 return evalCast(*Result, resultTy, QualType{}); 777 778 assert(!ResultVal.getAs<Loc>() && "Loc-Loc ops should not produce Locs"); 779 return UnknownVal(); 780 } 781 782 // Special case comparisons against NULL. 783 // This must come after the test if the RHS is a symbol, which is used to 784 // build constraints. The address of any non-symbolic region is guaranteed 785 // to be non-NULL, as is any label. 786 assert(rhs.getAs<loc::MemRegionVal>() || rhs.getAs<loc::GotoLabel>()); 787 if (lhs.isZeroConstant()) { 788 switch (op) { 789 default: 790 break; 791 case BO_EQ: 792 case BO_GT: 793 case BO_GE: 794 return makeTruthVal(false, resultTy); 795 case BO_NE: 796 case BO_LT: 797 case BO_LE: 798 return makeTruthVal(true, resultTy); 799 } 800 } 801 802 // Comparing an arbitrary integer to a region or label address is 803 // completely unknowable. 804 return UnknownVal(); 805 } 806 case loc::MemRegionValKind: { 807 if (Optional<loc::ConcreteInt> rInt = rhs.getAs<loc::ConcreteInt>()) { 808 // If one of the operands is a symbol and the other is a constant, 809 // build an expression for use by the constraint manager. 810 if (SymbolRef lSym = lhs.getAsLocSymbol(true)) { 811 if (BinaryOperator::isComparisonOp(op)) 812 return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy); 813 return UnknownVal(); 814 } 815 // Special case comparisons to NULL. 816 // This must come after the test if the LHS is a symbol, which is used to 817 // build constraints. The address of any non-symbolic region is guaranteed 818 // to be non-NULL. 819 if (rInt->isZeroConstant()) { 820 if (op == BO_Sub) 821 return evalCast(lhs, resultTy, QualType{}); 822 823 if (BinaryOperator::isComparisonOp(op)) { 824 QualType boolType = getContext().BoolTy; 825 NonLoc l = evalCast(lhs, boolType, QualType{}).castAs<NonLoc>(); 826 NonLoc r = makeTruthVal(false, boolType).castAs<NonLoc>(); 827 return evalBinOpNN(state, op, l, r, resultTy); 828 } 829 } 830 831 // Comparing a region to an arbitrary integer is completely unknowable. 832 return UnknownVal(); 833 } 834 835 // Get both values as regions, if possible. 836 const MemRegion *LeftMR = lhs.getAsRegion(); 837 assert(LeftMR && "MemRegionValKind SVal doesn't have a region!"); 838 839 const MemRegion *RightMR = rhs.getAsRegion(); 840 if (!RightMR) 841 // The RHS is probably a label, which in theory could address a region. 842 // FIXME: we can probably make a more useful statement about non-code 843 // regions, though. 844 return UnknownVal(); 845 846 const MemRegion *LeftBase = LeftMR->getBaseRegion(); 847 const MemRegion *RightBase = RightMR->getBaseRegion(); 848 const MemSpaceRegion *LeftMS = LeftBase->getMemorySpace(); 849 const MemSpaceRegion *RightMS = RightBase->getMemorySpace(); 850 const MemSpaceRegion *UnknownMS = MemMgr.getUnknownRegion(); 851 852 // If the two regions are from different known memory spaces they cannot be 853 // equal. Also, assume that no symbolic region (whose memory space is 854 // unknown) is on the stack. 855 if (LeftMS != RightMS && 856 ((LeftMS != UnknownMS && RightMS != UnknownMS) || 857 (isa<StackSpaceRegion>(LeftMS) || isa<StackSpaceRegion>(RightMS)))) { 858 switch (op) { 859 default: 860 return UnknownVal(); 861 case BO_EQ: 862 return makeTruthVal(false, resultTy); 863 case BO_NE: 864 return makeTruthVal(true, resultTy); 865 } 866 } 867 868 // If both values wrap regions, see if they're from different base regions. 869 // Note, heap base symbolic regions are assumed to not alias with 870 // each other; for example, we assume that malloc returns different address 871 // on each invocation. 872 // FIXME: ObjC object pointers always reside on the heap, but currently 873 // we treat their memory space as unknown, because symbolic pointers 874 // to ObjC objects may alias. There should be a way to construct 875 // possibly-aliasing heap-based regions. For instance, MacOSXApiChecker 876 // guesses memory space for ObjC object pointers manually instead of 877 // relying on us. 878 if (LeftBase != RightBase && 879 ((!isa<SymbolicRegion>(LeftBase) && !isa<SymbolicRegion>(RightBase)) || 880 (isa<HeapSpaceRegion>(LeftMS) || isa<HeapSpaceRegion>(RightMS))) ){ 881 switch (op) { 882 default: 883 return UnknownVal(); 884 case BO_EQ: 885 return makeTruthVal(false, resultTy); 886 case BO_NE: 887 return makeTruthVal(true, resultTy); 888 } 889 } 890 891 // Handle special cases for when both regions are element regions. 892 const ElementRegion *RightER = dyn_cast<ElementRegion>(RightMR); 893 const ElementRegion *LeftER = dyn_cast<ElementRegion>(LeftMR); 894 if (RightER && LeftER) { 895 // Next, see if the two ERs have the same super-region and matching types. 896 // FIXME: This should do something useful even if the types don't match, 897 // though if both indexes are constant the RegionRawOffset path will 898 // give the correct answer. 899 if (LeftER->getSuperRegion() == RightER->getSuperRegion() && 900 LeftER->getElementType() == RightER->getElementType()) { 901 // Get the left index and cast it to the correct type. 902 // If the index is unknown or undefined, bail out here. 903 SVal LeftIndexVal = LeftER->getIndex(); 904 Optional<NonLoc> LeftIndex = LeftIndexVal.getAs<NonLoc>(); 905 if (!LeftIndex) 906 return UnknownVal(); 907 LeftIndexVal = evalCast(*LeftIndex, ArrayIndexTy, QualType{}); 908 LeftIndex = LeftIndexVal.getAs<NonLoc>(); 909 if (!LeftIndex) 910 return UnknownVal(); 911 912 // Do the same for the right index. 913 SVal RightIndexVal = RightER->getIndex(); 914 Optional<NonLoc> RightIndex = RightIndexVal.getAs<NonLoc>(); 915 if (!RightIndex) 916 return UnknownVal(); 917 RightIndexVal = evalCast(*RightIndex, ArrayIndexTy, QualType{}); 918 RightIndex = RightIndexVal.getAs<NonLoc>(); 919 if (!RightIndex) 920 return UnknownVal(); 921 922 // Actually perform the operation. 923 // evalBinOpNN expects the two indexes to already be the right type. 924 return evalBinOpNN(state, op, *LeftIndex, *RightIndex, resultTy); 925 } 926 } 927 928 // Special handling of the FieldRegions, even with symbolic offsets. 929 const FieldRegion *RightFR = dyn_cast<FieldRegion>(RightMR); 930 const FieldRegion *LeftFR = dyn_cast<FieldRegion>(LeftMR); 931 if (RightFR && LeftFR) { 932 SVal R = evalBinOpFieldRegionFieldRegion(LeftFR, RightFR, op, resultTy, 933 *this); 934 if (!R.isUnknown()) 935 return R; 936 } 937 938 // Compare the regions using the raw offsets. 939 RegionOffset LeftOffset = LeftMR->getAsOffset(); 940 RegionOffset RightOffset = RightMR->getAsOffset(); 941 942 if (LeftOffset.getRegion() != nullptr && 943 LeftOffset.getRegion() == RightOffset.getRegion() && 944 !LeftOffset.hasSymbolicOffset() && !RightOffset.hasSymbolicOffset()) { 945 int64_t left = LeftOffset.getOffset(); 946 int64_t right = RightOffset.getOffset(); 947 948 switch (op) { 949 default: 950 return UnknownVal(); 951 case BO_LT: 952 return makeTruthVal(left < right, resultTy); 953 case BO_GT: 954 return makeTruthVal(left > right, resultTy); 955 case BO_LE: 956 return makeTruthVal(left <= right, resultTy); 957 case BO_GE: 958 return makeTruthVal(left >= right, resultTy); 959 case BO_EQ: 960 return makeTruthVal(left == right, resultTy); 961 case BO_NE: 962 return makeTruthVal(left != right, resultTy); 963 } 964 } 965 966 // At this point we're not going to get a good answer, but we can try 967 // conjuring an expression instead. 968 SymbolRef LHSSym = lhs.getAsLocSymbol(); 969 SymbolRef RHSSym = rhs.getAsLocSymbol(); 970 if (LHSSym && RHSSym) 971 return makeNonLoc(LHSSym, op, RHSSym, resultTy); 972 973 // If we get here, we have no way of comparing the regions. 974 return UnknownVal(); 975 } 976 } 977} 978 979SVal SimpleSValBuilder::evalBinOpLN(ProgramStateRef state, 980 BinaryOperator::Opcode op, Loc lhs, 981 NonLoc rhs, QualType resultTy) { 982 if (op >= BO_PtrMemD && op <= BO_PtrMemI) { 983 if (auto PTMSV = rhs.getAs<nonloc::PointerToMember>()) { 984 if (PTMSV->isNullMemberPointer()) 985 return UndefinedVal(); 986 987 auto getFieldLValue = [&](const auto *FD) -> SVal { 988 SVal Result = lhs; 989 990 for (const auto &I : *PTMSV) 991 Result = StateMgr.getStoreManager().evalDerivedToBase( 992 Result, I->getType(), I->isVirtual()); 993 994 return state->getLValue(FD, Result); 995 }; 996 997 if (const auto *FD = PTMSV->getDeclAs<FieldDecl>()) { 998 return getFieldLValue(FD); 999 } 1000 if (const auto *FD = PTMSV->getDeclAs<IndirectFieldDecl>()) { 1001 return getFieldLValue(FD); 1002 } 1003 } 1004 1005 return rhs; 1006 } 1007 1008 assert(!BinaryOperator::isComparisonOp(op) && 1009 "arguments to comparison ops must be of the same type"); 1010 1011 // Special case: rhs is a zero constant. 1012 if (rhs.isZeroConstant()) 1013 return lhs; 1014 1015 // Perserve the null pointer so that it can be found by the DerefChecker. 1016 if (lhs.isZeroConstant()) 1017 return lhs; 1018 1019 // We are dealing with pointer arithmetic. 1020 1021 // Handle pointer arithmetic on constant values. 1022 if (Optional<nonloc::ConcreteInt> rhsInt = rhs.getAs<nonloc::ConcreteInt>()) { 1023 if (Optional<loc::ConcreteInt> lhsInt = lhs.getAs<loc::ConcreteInt>()) { 1024 const llvm::APSInt &leftI = lhsInt->getValue(); 1025 assert(leftI.isUnsigned()); 1026 llvm::APSInt rightI(rhsInt->getValue(), /* isUnsigned */ true); 1027 1028 // Convert the bitwidth of rightI. This should deal with overflow 1029 // since we are dealing with concrete values. 1030 rightI = rightI.extOrTrunc(leftI.getBitWidth()); 1031 1032 // Offset the increment by the pointer size. 1033 llvm::APSInt Multiplicand(rightI.getBitWidth(), /* isUnsigned */ true); 1034 QualType pointeeType = resultTy->getPointeeType(); 1035 Multiplicand = getContext().getTypeSizeInChars(pointeeType).getQuantity(); 1036 rightI *= Multiplicand; 1037 1038 // Compute the adjusted pointer. 1039 switch (op) { 1040 case BO_Add: 1041 rightI = leftI + rightI; 1042 break; 1043 case BO_Sub: 1044 rightI = leftI - rightI; 1045 break; 1046 default: 1047 llvm_unreachable("Invalid pointer arithmetic operation"); 1048 } 1049 return loc::ConcreteInt(getBasicValueFactory().getValue(rightI)); 1050 } 1051 } 1052 1053 // Handle cases where 'lhs' is a region. 1054 if (const MemRegion *region = lhs.getAsRegion()) { 1055 rhs = convertToArrayIndex(rhs).castAs<NonLoc>(); 1056 SVal index = UnknownVal(); 1057 const SubRegion *superR = nullptr; 1058 // We need to know the type of the pointer in order to add an integer to it. 1059 // Depending on the type, different amount of bytes is added. 1060 QualType elementType; 1061 1062 if (const ElementRegion *elemReg = dyn_cast<ElementRegion>(region)) { 1063 assert(op == BO_Add || op == BO_Sub); 1064 index = evalBinOpNN(state, op, elemReg->getIndex(), rhs, 1065 getArrayIndexType()); 1066 superR = cast<SubRegion>(elemReg->getSuperRegion()); 1067 elementType = elemReg->getElementType(); 1068 } 1069 else if (isa<SubRegion>(region)) { 1070 assert(op == BO_Add || op == BO_Sub); 1071 index = (op == BO_Add) ? rhs : evalMinus(rhs); 1072 superR = cast<SubRegion>(region); 1073 // TODO: Is this actually reliable? Maybe improving our MemRegion 1074 // hierarchy to provide typed regions for all non-void pointers would be 1075 // better. For instance, we cannot extend this towards LocAsInteger 1076 // operations, where result type of the expression is integer. 1077 if (resultTy->isAnyPointerType()) 1078 elementType = resultTy->getPointeeType(); 1079 } 1080 1081 // Represent arithmetic on void pointers as arithmetic on char pointers. 1082 // It is fine when a TypedValueRegion of char value type represents 1083 // a void pointer. Note that arithmetic on void pointers is a GCC extension. 1084 if (elementType->isVoidType()) 1085 elementType = getContext().CharTy; 1086 1087 if (Optional<NonLoc> indexV = index.getAs<NonLoc>()) { 1088 return loc::MemRegionVal(MemMgr.getElementRegion(elementType, *indexV, 1089 superR, getContext())); 1090 } 1091 } 1092 return UnknownVal(); 1093} 1094 1095const llvm::APSInt *SimpleSValBuilder::getKnownValue(ProgramStateRef state, 1096 SVal V) { 1097 V = simplifySVal(state, V); 1098 if (V.isUnknownOrUndef()) 1099 return nullptr; 1100 1101 if (Optional<loc::ConcreteInt> X = V.getAs<loc::ConcreteInt>()) 1102 return &X->getValue(); 1103 1104 if (Optional<nonloc::ConcreteInt> X = V.getAs<nonloc::ConcreteInt>()) 1105 return &X->getValue(); 1106 1107 if (SymbolRef Sym = V.getAsSymbol()) 1108 return state->getConstraintManager().getSymVal(state, Sym); 1109 1110 // FIXME: Add support for SymExprs. 1111 return nullptr; 1112} 1113 1114SVal SimpleSValBuilder::simplifySVal(ProgramStateRef State, SVal V) { 1115 // For now, this function tries to constant-fold symbols inside a 1116 // nonloc::SymbolVal, and does nothing else. More simplifications should 1117 // be possible, such as constant-folding an index in an ElementRegion. 1118 1119 class Simplifier : public FullSValVisitor<Simplifier, SVal> { 1120 ProgramStateRef State; 1121 SValBuilder &SVB; 1122 1123 // Cache results for the lifetime of the Simplifier. Results change every 1124 // time new constraints are added to the program state, which is the whole 1125 // point of simplifying, and for that very reason it's pointless to maintain 1126 // the same cache for the duration of the whole analysis. 1127 llvm::DenseMap<SymbolRef, SVal> Cached; 1128 1129 static bool isUnchanged(SymbolRef Sym, SVal Val) { 1130 return Sym == Val.getAsSymbol(); 1131 } 1132 1133 SVal cache(SymbolRef Sym, SVal V) { 1134 Cached[Sym] = V; 1135 return V; 1136 } 1137 1138 SVal skip(SymbolRef Sym) { 1139 return cache(Sym, SVB.makeSymbolVal(Sym)); 1140 } 1141 1142 public: 1143 Simplifier(ProgramStateRef State) 1144 : State(State), SVB(State->getStateManager().getSValBuilder()) {} 1145 1146 SVal VisitSymbolData(const SymbolData *S) { 1147 // No cache here. 1148 if (const llvm::APSInt *I = 1149 SVB.getKnownValue(State, SVB.makeSymbolVal(S))) 1150 return Loc::isLocType(S->getType()) ? (SVal)SVB.makeIntLocVal(*I) 1151 : (SVal)SVB.makeIntVal(*I); 1152 return SVB.makeSymbolVal(S); 1153 } 1154 1155 // TODO: Support SymbolCast. Support IntSymExpr when/if we actually 1156 // start producing them. 1157 1158 SVal VisitSymIntExpr(const SymIntExpr *S) { 1159 auto I = Cached.find(S); 1160 if (I != Cached.end()) 1161 return I->second; 1162 1163 SVal LHS = Visit(S->getLHS()); 1164 if (isUnchanged(S->getLHS(), LHS)) 1165 return skip(S); 1166 1167 SVal RHS; 1168 // By looking at the APSInt in the right-hand side of S, we cannot 1169 // figure out if it should be treated as a Loc or as a NonLoc. 1170 // So make our guess by recalling that we cannot multiply pointers 1171 // or compare a pointer to an integer. 1172 if (Loc::isLocType(S->getLHS()->getType()) && 1173 BinaryOperator::isComparisonOp(S->getOpcode())) { 1174 // The usual conversion of $sym to &SymRegion{$sym}, as they have 1175 // the same meaning for Loc-type symbols, but the latter form 1176 // is preferred in SVal computations for being Loc itself. 1177 if (SymbolRef Sym = LHS.getAsSymbol()) { 1178 assert(Loc::isLocType(Sym->getType())); 1179 LHS = SVB.makeLoc(Sym); 1180 } 1181 RHS = SVB.makeIntLocVal(S->getRHS()); 1182 } else { 1183 RHS = SVB.makeIntVal(S->getRHS()); 1184 } 1185 1186 return cache( 1187 S, SVB.evalBinOp(State, S->getOpcode(), LHS, RHS, S->getType())); 1188 } 1189 1190 SVal VisitSymSymExpr(const SymSymExpr *S) { 1191 auto I = Cached.find(S); 1192 if (I != Cached.end()) 1193 return I->second; 1194 1195 // For now don't try to simplify mixed Loc/NonLoc expressions 1196 // because they often appear from LocAsInteger operations 1197 // and we don't know how to combine a LocAsInteger 1198 // with a concrete value. 1199 if (Loc::isLocType(S->getLHS()->getType()) != 1200 Loc::isLocType(S->getRHS()->getType())) 1201 return skip(S); 1202 1203 SVal LHS = Visit(S->getLHS()); 1204 SVal RHS = Visit(S->getRHS()); 1205 if (isUnchanged(S->getLHS(), LHS) && isUnchanged(S->getRHS(), RHS)) 1206 return skip(S); 1207 1208 return cache( 1209 S, SVB.evalBinOp(State, S->getOpcode(), LHS, RHS, S->getType())); 1210 } 1211 1212 SVal VisitSymExpr(SymbolRef S) { return nonloc::SymbolVal(S); } 1213 1214 SVal VisitMemRegion(const MemRegion *R) { return loc::MemRegionVal(R); } 1215 1216 SVal VisitNonLocSymbolVal(nonloc::SymbolVal V) { 1217 // Simplification is much more costly than computing complexity. 1218 // For high complexity, it may be not worth it. 1219 return Visit(V.getSymbol()); 1220 } 1221 1222 SVal VisitSVal(SVal V) { return V; } 1223 }; 1224 1225 // A crude way of preventing this function from calling itself from evalBinOp. 1226 static bool isReentering = false; 1227 if (isReentering) 1228 return V; 1229 1230 isReentering = true; 1231 SVal SimplifiedV = Simplifier(State).Visit(V); 1232 isReentering = false; 1233 1234 return SimplifiedV; 1235} 1236