[cfe-commits] r122543 [2/2] - in /cfe/trunk: include/clang/StaticAnalyzer/EntoSA/ include/clang/StaticAnalyzer/EntoSA/BugReporter/ include/clang/StaticAnalyzer/EntoSA/Checkers/ include/clang/StaticAnalyzer/EntoSA/PathSensitive/ lib/StaticAnalyzer/EntoSA/ lib/StaticAnalyzer/EntoSA/Checkers/
Argyrios Kyrtzidis
akyrtzi at gmail.com
Thu Dec 23 22:19:59 PST 2010
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/ReturnPointerRangeChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/ReturnPointerRangeChecker.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/ReturnPointerRangeChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/ReturnPointerRangeChecker.cpp (removed)
@@ -1,95 +0,0 @@
-//== ReturnPointerRangeChecker.cpp ------------------------------*- C++ -*--==//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines ReturnPointerRangeChecker, which is a path-sensitive check
-// which looks for an out-of-bound pointer being returned to callers.
-//
-//===----------------------------------------------------------------------===//
-
-#include "ExprEngineInternalChecks.h"
-#include "clang/StaticAnalyzer/BugReporter/BugType.h"
-#include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
-#include "clang/StaticAnalyzer/PathSensitive/ExprEngine.h"
-
-using namespace clang;
-using namespace ento;
-
-namespace {
-class ReturnPointerRangeChecker :
- public CheckerVisitor<ReturnPointerRangeChecker> {
- BuiltinBug *BT;
-public:
- ReturnPointerRangeChecker() : BT(0) {}
- static void *getTag();
- void PreVisitReturnStmt(CheckerContext &C, const ReturnStmt *RS);
-};
-}
-
-void ento::RegisterReturnPointerRangeChecker(ExprEngine &Eng) {
- Eng.registerCheck(new ReturnPointerRangeChecker());
-}
-
-void *ReturnPointerRangeChecker::getTag() {
- static int x = 0; return &x;
-}
-
-void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C,
- const ReturnStmt *RS) {
- const GRState *state = C.getState();
-
- const Expr *RetE = RS->getRetValue();
- if (!RetE)
- return;
-
- SVal V = state->getSVal(RetE);
- const MemRegion *R = V.getAsRegion();
-
- const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(R);
- if (!ER)
- return;
-
- DefinedOrUnknownSVal Idx = cast<DefinedOrUnknownSVal>(ER->getIndex());
- // Zero index is always in bound, this also passes ElementRegions created for
- // pointer casts.
- if (Idx.isZeroConstant())
- return;
- // FIXME: All of this out-of-bounds checking should eventually be refactored
- // into a common place.
-
- DefinedOrUnknownSVal NumElements
- = C.getStoreManager().getSizeInElements(state, ER->getSuperRegion(),
- ER->getValueType());
-
- const GRState *StInBound = state->assumeInBound(Idx, NumElements, true);
- const GRState *StOutBound = state->assumeInBound(Idx, NumElements, false);
- if (StOutBound && !StInBound) {
- ExplodedNode *N = C.generateSink(StOutBound);
-
- if (!N)
- return;
-
- // FIXME: This bug correspond to CWE-466. Eventually we should have bug
- // types explicitly reference such exploit categories (when applicable).
- if (!BT)
- BT = new BuiltinBug("Return of pointer value outside of expected range",
- "Returned pointer value points outside the original object "
- "(potential buffer overflow)");
-
- // FIXME: It would be nice to eventually make this diagnostic more clear,
- // e.g., by referencing the original declaration or by saying *why* this
- // reference is outside the range.
-
- // Generate a report for this bug.
- RangedBugReport *report =
- new RangedBugReport(*BT, BT->getDescription(), N);
-
- report->addRange(RetE->getSourceRange());
- C.EmitReport(report);
- }
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/ReturnUndefChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/ReturnUndefChecker.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/ReturnUndefChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/ReturnUndefChecker.cpp (removed)
@@ -1,69 +0,0 @@
-//== ReturnUndefChecker.cpp -------------------------------------*- C++ -*--==//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines ReturnUndefChecker, which is a path-sensitive
-// check which looks for undefined or garbage values being returned to the
-// caller.
-//
-//===----------------------------------------------------------------------===//
-
-#include "ExprEngineInternalChecks.h"
-#include "clang/StaticAnalyzer/BugReporter/BugType.h"
-#include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
-#include "clang/StaticAnalyzer/PathSensitive/ExprEngine.h"
-
-using namespace clang;
-using namespace ento;
-
-namespace {
-class ReturnUndefChecker :
- public CheckerVisitor<ReturnUndefChecker> {
- BuiltinBug *BT;
-public:
- ReturnUndefChecker() : BT(0) {}
- static void *getTag();
- void PreVisitReturnStmt(CheckerContext &C, const ReturnStmt *RS);
-};
-}
-
-void ento::RegisterReturnUndefChecker(ExprEngine &Eng) {
- Eng.registerCheck(new ReturnUndefChecker());
-}
-
-void *ReturnUndefChecker::getTag() {
- static int x = 0; return &x;
-}
-
-void ReturnUndefChecker::PreVisitReturnStmt(CheckerContext &C,
- const ReturnStmt *RS) {
-
- const Expr *RetE = RS->getRetValue();
- if (!RetE)
- return;
-
- if (!C.getState()->getSVal(RetE).isUndef())
- return;
-
- ExplodedNode *N = C.generateSink();
-
- if (!N)
- return;
-
- if (!BT)
- BT = new BuiltinBug("Garbage return value",
- "Undefined or garbage value returned to caller");
-
- EnhancedBugReport *report =
- new EnhancedBugReport(*BT, BT->getDescription(), N);
-
- report->addRange(RetE->getSourceRange());
- report->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, RetE);
-
- C.EmitReport(report);
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/StackAddrLeakChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/StackAddrLeakChecker.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/StackAddrLeakChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/StackAddrLeakChecker.cpp (removed)
@@ -1,205 +0,0 @@
-//=== StackAddrLeakChecker.cpp ------------------------------------*- C++ -*--//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines stack address leak checker, which checks if an invalid
-// stack address is stored into a global or heap location. See CERT DCL30-C.
-//
-//===----------------------------------------------------------------------===//
-
-#include "ExprEngineInternalChecks.h"
-#include "clang/StaticAnalyzer/BugReporter/BugType.h"
-#include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
-#include "clang/Basic/SourceManager.h"
-#include "llvm/ADT/SmallString.h"
-using namespace clang;
-using namespace ento;
-
-namespace {
-class StackAddrLeakChecker : public CheckerVisitor<StackAddrLeakChecker> {
- BuiltinBug *BT_stackleak;
- BuiltinBug *BT_returnstack;
-
-public:
- StackAddrLeakChecker() : BT_stackleak(0), BT_returnstack(0) {}
- static void *getTag() {
- static int x;
- return &x;
- }
- void PreVisitReturnStmt(CheckerContext &C, const ReturnStmt *RS);
- void evalEndPath(EndPathNodeBuilder &B, void *tag, ExprEngine &Eng);
-private:
- void EmitStackError(CheckerContext &C, const MemRegion *R, const Expr *RetE);
- SourceRange GenName(llvm::raw_ostream &os, const MemRegion *R,
- SourceManager &SM);
-};
-}
-
-void ento::RegisterStackAddrLeakChecker(ExprEngine &Eng) {
- Eng.registerCheck(new StackAddrLeakChecker());
-}
-
-SourceRange StackAddrLeakChecker::GenName(llvm::raw_ostream &os,
- const MemRegion *R,
- SourceManager &SM) {
- // Get the base region, stripping away fields and elements.
- R = R->getBaseRegion();
- SourceRange range;
- os << "Address of ";
-
- // Check if the region is a compound literal.
- if (const CompoundLiteralRegion* CR = dyn_cast<CompoundLiteralRegion>(R)) {
- const CompoundLiteralExpr* CL = CR->getLiteralExpr();
- os << "stack memory associated with a compound literal "
- "declared on line "
- << SM.getInstantiationLineNumber(CL->getLocStart())
- << " returned to caller";
- range = CL->getSourceRange();
- }
- else if (const AllocaRegion* AR = dyn_cast<AllocaRegion>(R)) {
- const Expr* ARE = AR->getExpr();
- SourceLocation L = ARE->getLocStart();
- range = ARE->getSourceRange();
- os << "stack memory allocated by call to alloca() on line "
- << SM.getInstantiationLineNumber(L);
- }
- else if (const BlockDataRegion *BR = dyn_cast<BlockDataRegion>(R)) {
- const BlockDecl *BD = BR->getCodeRegion()->getDecl();
- SourceLocation L = BD->getLocStart();
- range = BD->getSourceRange();
- os << "stack-allocated block declared on line "
- << SM.getInstantiationLineNumber(L);
- }
- else if (const VarRegion *VR = dyn_cast<VarRegion>(R)) {
- os << "stack memory associated with local variable '"
- << VR->getString() << '\'';
- range = VR->getDecl()->getSourceRange();
- }
- else {
- assert(false && "Invalid region in ReturnStackAddressChecker.");
- }
-
- return range;
-}
-
-void StackAddrLeakChecker::EmitStackError(CheckerContext &C, const MemRegion *R,
- const Expr *RetE) {
- ExplodedNode *N = C.generateSink();
-
- if (!N)
- return;
-
- if (!BT_returnstack)
- BT_returnstack=new BuiltinBug("Return of address to stack-allocated memory");
-
- // Generate a report for this bug.
- llvm::SmallString<512> buf;
- llvm::raw_svector_ostream os(buf);
- SourceRange range = GenName(os, R, C.getSourceManager());
- os << " returned to caller";
- RangedBugReport *report = new RangedBugReport(*BT_returnstack, os.str(), N);
- report->addRange(RetE->getSourceRange());
- if (range.isValid())
- report->addRange(range);
-
- C.EmitReport(report);
-}
-
-void StackAddrLeakChecker::PreVisitReturnStmt(CheckerContext &C,
- const ReturnStmt *RS) {
-
- const Expr *RetE = RS->getRetValue();
- if (!RetE)
- return;
-
- SVal V = C.getState()->getSVal(RetE);
- const MemRegion *R = V.getAsRegion();
-
- if (!R || !R->hasStackStorage())
- return;
-
- if (R->hasStackStorage()) {
- EmitStackError(C, R, RetE);
- return;
- }
-}
-
-void StackAddrLeakChecker::evalEndPath(EndPathNodeBuilder &B, void *tag,
- ExprEngine &Eng) {
- SaveAndRestore<bool> OldHasGen(B.HasGeneratedNode);
- const GRState *state = B.getState();
-
- // Iterate over all bindings to global variables and see if it contains
- // a memory region in the stack space.
- class CallBack : public StoreManager::BindingsHandler {
- private:
- const StackFrameContext *CurSFC;
- public:
- llvm::SmallVector<std::pair<const MemRegion*, const MemRegion*>, 10> V;
-
- CallBack(const LocationContext *LCtx)
- : CurSFC(LCtx->getCurrentStackFrame()) {}
-
- bool HandleBinding(StoreManager &SMgr, Store store,
- const MemRegion *region, SVal val) {
-
- if (!isa<GlobalsSpaceRegion>(region->getMemorySpace()))
- return true;
-
- const MemRegion *vR = val.getAsRegion();
- if (!vR)
- return true;
-
- if (const StackSpaceRegion *SSR =
- dyn_cast<StackSpaceRegion>(vR->getMemorySpace())) {
- // If the global variable holds a location in the current stack frame,
- // record the binding to emit a warning.
- if (SSR->getStackFrame() == CurSFC)
- V.push_back(std::make_pair(region, vR));
- }
-
- return true;
- }
- };
-
- CallBack cb(B.getPredecessor()->getLocationContext());
- state->getStateManager().getStoreManager().iterBindings(state->getStore(),cb);
-
- if (cb.V.empty())
- return;
-
- // Generate an error node.
- ExplodedNode *N = B.generateNode(state, tag, B.getPredecessor());
- if (!N)
- return;
-
- if (!BT_stackleak)
- BT_stackleak =
- new BuiltinBug("Stack address stored into global variable",
- "Stack address was saved into a global variable. "
- "This is dangerous because the address will become "
- "invalid after returning from the function");
-
- for (unsigned i = 0, e = cb.V.size(); i != e; ++i) {
- // Generate a report for this bug.
- llvm::SmallString<512> buf;
- llvm::raw_svector_ostream os(buf);
- SourceRange range = GenName(os, cb.V[i].second,
- Eng.getContext().getSourceManager());
- os << " is still referred to by the global variable '";
- const VarRegion *VR = cast<VarRegion>(cb.V[i].first->getBaseRegion());
- os << VR->getDecl()->getNameAsString()
- << "' upon returning to the caller. This will be a dangling reference";
- RangedBugReport *report = new RangedBugReport(*BT_stackleak, os.str(), N);
- if (range.isValid())
- report->addRange(range);
-
- Eng.getBugReporter().EmitReport(report);
- }
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/StreamChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/StreamChecker.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/StreamChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/StreamChecker.cpp (removed)
@@ -1,466 +0,0 @@
-//===-- StreamChecker.cpp -----------------------------------------*- C++ -*--//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines checkers that model and check stream handling functions.
-//
-//===----------------------------------------------------------------------===//
-
-#include "ExprEngineExperimentalChecks.h"
-#include "clang/StaticAnalyzer/BugReporter/BugType.h"
-#include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRStateTrait.h"
-#include "clang/StaticAnalyzer/PathSensitive/SymbolManager.h"
-#include "llvm/ADT/ImmutableMap.h"
-
-using namespace clang;
-using namespace ento;
-
-namespace {
-
-struct StreamState {
- enum Kind { Opened, Closed, OpenFailed, Escaped } K;
- const Stmt *S;
-
- StreamState(Kind k, const Stmt *s) : K(k), S(s) {}
-
- bool isOpened() const { return K == Opened; }
- bool isClosed() const { return K == Closed; }
- //bool isOpenFailed() const { return K == OpenFailed; }
- //bool isEscaped() const { return K == Escaped; }
-
- bool operator==(const StreamState &X) const {
- return K == X.K && S == X.S;
- }
-
- static StreamState getOpened(const Stmt *s) { return StreamState(Opened, s); }
- static StreamState getClosed(const Stmt *s) { return StreamState(Closed, s); }
- static StreamState getOpenFailed(const Stmt *s) {
- return StreamState(OpenFailed, s);
- }
- static StreamState getEscaped(const Stmt *s) {
- return StreamState(Escaped, s);
- }
-
- void Profile(llvm::FoldingSetNodeID &ID) const {
- ID.AddInteger(K);
- ID.AddPointer(S);
- }
-};
-
-class StreamChecker : public CheckerVisitor<StreamChecker> {
- IdentifierInfo *II_fopen, *II_tmpfile, *II_fclose, *II_fread, *II_fwrite,
- *II_fseek, *II_ftell, *II_rewind, *II_fgetpos, *II_fsetpos,
- *II_clearerr, *II_feof, *II_ferror, *II_fileno;
- BuiltinBug *BT_nullfp, *BT_illegalwhence, *BT_doubleclose, *BT_ResourceLeak;
-
-public:
- StreamChecker()
- : II_fopen(0), II_tmpfile(0) ,II_fclose(0), II_fread(0), II_fwrite(0),
- II_fseek(0), II_ftell(0), II_rewind(0), II_fgetpos(0), II_fsetpos(0),
- II_clearerr(0), II_feof(0), II_ferror(0), II_fileno(0),
- BT_nullfp(0), BT_illegalwhence(0), BT_doubleclose(0),
- BT_ResourceLeak(0) {}
-
- static void *getTag() {
- static int x;
- return &x;
- }
-
- virtual bool evalCallExpr(CheckerContext &C, const CallExpr *CE);
- void evalDeadSymbols(CheckerContext &C, SymbolReaper &SymReaper);
- void evalEndPath(EndPathNodeBuilder &B, void *tag, ExprEngine &Eng);
- void PreVisitReturnStmt(CheckerContext &C, const ReturnStmt *S);
-
-private:
- void Fopen(CheckerContext &C, const CallExpr *CE);
- void Tmpfile(CheckerContext &C, const CallExpr *CE);
- void Fclose(CheckerContext &C, const CallExpr *CE);
- void Fread(CheckerContext &C, const CallExpr *CE);
- void Fwrite(CheckerContext &C, const CallExpr *CE);
- void Fseek(CheckerContext &C, const CallExpr *CE);
- void Ftell(CheckerContext &C, const CallExpr *CE);
- void Rewind(CheckerContext &C, const CallExpr *CE);
- void Fgetpos(CheckerContext &C, const CallExpr *CE);
- void Fsetpos(CheckerContext &C, const CallExpr *CE);
- void Clearerr(CheckerContext &C, const CallExpr *CE);
- void Feof(CheckerContext &C, const CallExpr *CE);
- void Ferror(CheckerContext &C, const CallExpr *CE);
- void Fileno(CheckerContext &C, const CallExpr *CE);
-
- void OpenFileAux(CheckerContext &C, const CallExpr *CE);
-
- const GRState *CheckNullStream(SVal SV, const GRState *state,
- CheckerContext &C);
- const GRState *CheckDoubleClose(const CallExpr *CE, const GRState *state,
- CheckerContext &C);
-};
-
-} // end anonymous namespace
-
-namespace clang {
-namespace ento {
- template <>
- struct GRStateTrait<StreamState>
- : public GRStatePartialTrait<llvm::ImmutableMap<SymbolRef, StreamState> > {
- static void *GDMIndex() { return StreamChecker::getTag(); }
- };
-}
-}
-
-void ento::RegisterStreamChecker(ExprEngine &Eng) {
- Eng.registerCheck(new StreamChecker());
-}
-
-bool StreamChecker::evalCallExpr(CheckerContext &C, const CallExpr *CE) {
- const GRState *state = C.getState();
- const Expr *Callee = CE->getCallee();
- SVal L = state->getSVal(Callee);
- const FunctionDecl *FD = L.getAsFunctionDecl();
- if (!FD)
- return false;
-
- ASTContext &Ctx = C.getASTContext();
- if (!II_fopen)
- II_fopen = &Ctx.Idents.get("fopen");
- if (!II_tmpfile)
- II_tmpfile = &Ctx.Idents.get("tmpfile");
- if (!II_fclose)
- II_fclose = &Ctx.Idents.get("fclose");
- if (!II_fread)
- II_fread = &Ctx.Idents.get("fread");
- if (!II_fwrite)
- II_fwrite = &Ctx.Idents.get("fwrite");
- if (!II_fseek)
- II_fseek = &Ctx.Idents.get("fseek");
- if (!II_ftell)
- II_ftell = &Ctx.Idents.get("ftell");
- if (!II_rewind)
- II_rewind = &Ctx.Idents.get("rewind");
- if (!II_fgetpos)
- II_fgetpos = &Ctx.Idents.get("fgetpos");
- if (!II_fsetpos)
- II_fsetpos = &Ctx.Idents.get("fsetpos");
- if (!II_clearerr)
- II_clearerr = &Ctx.Idents.get("clearerr");
- if (!II_feof)
- II_feof = &Ctx.Idents.get("feof");
- if (!II_ferror)
- II_ferror = &Ctx.Idents.get("ferror");
- if (!II_fileno)
- II_fileno = &Ctx.Idents.get("fileno");
-
- if (FD->getIdentifier() == II_fopen) {
- Fopen(C, CE);
- return true;
- }
- if (FD->getIdentifier() == II_tmpfile) {
- Tmpfile(C, CE);
- return true;
- }
- if (FD->getIdentifier() == II_fclose) {
- Fclose(C, CE);
- return true;
- }
- if (FD->getIdentifier() == II_fread) {
- Fread(C, CE);
- return true;
- }
- if (FD->getIdentifier() == II_fwrite) {
- Fwrite(C, CE);
- return true;
- }
- if (FD->getIdentifier() == II_fseek) {
- Fseek(C, CE);
- return true;
- }
- if (FD->getIdentifier() == II_ftell) {
- Ftell(C, CE);
- return true;
- }
- if (FD->getIdentifier() == II_rewind) {
- Rewind(C, CE);
- return true;
- }
- if (FD->getIdentifier() == II_fgetpos) {
- Fgetpos(C, CE);
- return true;
- }
- if (FD->getIdentifier() == II_fsetpos) {
- Fsetpos(C, CE);
- return true;
- }
- if (FD->getIdentifier() == II_clearerr) {
- Clearerr(C, CE);
- return true;
- }
- if (FD->getIdentifier() == II_feof) {
- Feof(C, CE);
- return true;
- }
- if (FD->getIdentifier() == II_ferror) {
- Ferror(C, CE);
- return true;
- }
- if (FD->getIdentifier() == II_fileno) {
- Fileno(C, CE);
- return true;
- }
-
- return false;
-}
-
-void StreamChecker::Fopen(CheckerContext &C, const CallExpr *CE) {
- OpenFileAux(C, CE);
-}
-
-void StreamChecker::Tmpfile(CheckerContext &C, const CallExpr *CE) {
- OpenFileAux(C, CE);
-}
-
-void StreamChecker::OpenFileAux(CheckerContext &C, const CallExpr *CE) {
- const GRState *state = C.getState();
- unsigned Count = C.getNodeBuilder().getCurrentBlockCount();
- SValBuilder &svalBuilder = C.getSValBuilder();
- DefinedSVal RetVal =
- cast<DefinedSVal>(svalBuilder.getConjuredSymbolVal(0, CE, Count));
- state = state->BindExpr(CE, RetVal);
-
- ConstraintManager &CM = C.getConstraintManager();
- // Bifurcate the state into two: one with a valid FILE* pointer, the other
- // with a NULL.
- const GRState *stateNotNull, *stateNull;
- llvm::tie(stateNotNull, stateNull) = CM.assumeDual(state, RetVal);
-
- if (SymbolRef Sym = RetVal.getAsSymbol()) {
- // if RetVal is not NULL, set the symbol's state to Opened.
- stateNotNull =
- stateNotNull->set<StreamState>(Sym,StreamState::getOpened(CE));
- stateNull =
- stateNull->set<StreamState>(Sym, StreamState::getOpenFailed(CE));
-
- C.addTransition(stateNotNull);
- C.addTransition(stateNull);
- }
-}
-
-void StreamChecker::Fclose(CheckerContext &C, const CallExpr *CE) {
- const GRState *state = CheckDoubleClose(CE, C.getState(), C);
- if (state)
- C.addTransition(state);
-}
-
-void StreamChecker::Fread(CheckerContext &C, const CallExpr *CE) {
- const GRState *state = C.getState();
- if (!CheckNullStream(state->getSVal(CE->getArg(3)), state, C))
- return;
-}
-
-void StreamChecker::Fwrite(CheckerContext &C, const CallExpr *CE) {
- const GRState *state = C.getState();
- if (!CheckNullStream(state->getSVal(CE->getArg(3)), state, C))
- return;
-}
-
-void StreamChecker::Fseek(CheckerContext &C, const CallExpr *CE) {
- const GRState *state = C.getState();
- if (!(state = CheckNullStream(state->getSVal(CE->getArg(0)), state, C)))
- return;
- // Check the legality of the 'whence' argument of 'fseek'.
- SVal Whence = state->getSVal(CE->getArg(2));
- const nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(&Whence);
-
- if (!CI)
- return;
-
- int64_t x = CI->getValue().getSExtValue();
- if (x >= 0 && x <= 2)
- return;
-
- if (ExplodedNode *N = C.generateNode(state)) {
- if (!BT_illegalwhence)
- BT_illegalwhence = new BuiltinBug("Illegal whence argument",
- "The whence argument to fseek() should be "
- "SEEK_SET, SEEK_END, or SEEK_CUR.");
- BugReport *R = new BugReport(*BT_illegalwhence,
- BT_illegalwhence->getDescription(), N);
- C.EmitReport(R);
- }
-}
-
-void StreamChecker::Ftell(CheckerContext &C, const CallExpr *CE) {
- const GRState *state = C.getState();
- if (!CheckNullStream(state->getSVal(CE->getArg(0)), state, C))
- return;
-}
-
-void StreamChecker::Rewind(CheckerContext &C, const CallExpr *CE) {
- const GRState *state = C.getState();
- if (!CheckNullStream(state->getSVal(CE->getArg(0)), state, C))
- return;
-}
-
-void StreamChecker::Fgetpos(CheckerContext &C, const CallExpr *CE) {
- const GRState *state = C.getState();
- if (!CheckNullStream(state->getSVal(CE->getArg(0)), state, C))
- return;
-}
-
-void StreamChecker::Fsetpos(CheckerContext &C, const CallExpr *CE) {
- const GRState *state = C.getState();
- if (!CheckNullStream(state->getSVal(CE->getArg(0)), state, C))
- return;
-}
-
-void StreamChecker::Clearerr(CheckerContext &C, const CallExpr *CE) {
- const GRState *state = C.getState();
- if (!CheckNullStream(state->getSVal(CE->getArg(0)), state, C))
- return;
-}
-
-void StreamChecker::Feof(CheckerContext &C, const CallExpr *CE) {
- const GRState *state = C.getState();
- if (!CheckNullStream(state->getSVal(CE->getArg(0)), state, C))
- return;
-}
-
-void StreamChecker::Ferror(CheckerContext &C, const CallExpr *CE) {
- const GRState *state = C.getState();
- if (!CheckNullStream(state->getSVal(CE->getArg(0)), state, C))
- return;
-}
-
-void StreamChecker::Fileno(CheckerContext &C, const CallExpr *CE) {
- const GRState *state = C.getState();
- if (!CheckNullStream(state->getSVal(CE->getArg(0)), state, C))
- return;
-}
-
-const GRState *StreamChecker::CheckNullStream(SVal SV, const GRState *state,
- CheckerContext &C) {
- const DefinedSVal *DV = dyn_cast<DefinedSVal>(&SV);
- if (!DV)
- return 0;
-
- ConstraintManager &CM = C.getConstraintManager();
- const GRState *stateNotNull, *stateNull;
- llvm::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV);
-
- if (!stateNotNull && stateNull) {
- if (ExplodedNode *N = C.generateSink(stateNull)) {
- if (!BT_nullfp)
- BT_nullfp = new BuiltinBug("NULL stream pointer",
- "Stream pointer might be NULL.");
- BugReport *R =new BugReport(*BT_nullfp, BT_nullfp->getDescription(), N);
- C.EmitReport(R);
- }
- return 0;
- }
- return stateNotNull;
-}
-
-const GRState *StreamChecker::CheckDoubleClose(const CallExpr *CE,
- const GRState *state,
- CheckerContext &C) {
- SymbolRef Sym = state->getSVal(CE->getArg(0)).getAsSymbol();
- if (!Sym)
- return state;
-
- const StreamState *SS = state->get<StreamState>(Sym);
-
- // If the file stream is not tracked, return.
- if (!SS)
- return state;
-
- // Check: Double close a File Descriptor could cause undefined behaviour.
- // Conforming to man-pages
- if (SS->isClosed()) {
- ExplodedNode *N = C.generateSink();
- if (N) {
- if (!BT_doubleclose)
- BT_doubleclose = new BuiltinBug("Double fclose",
- "Try to close a file Descriptor already"
- " closed. Cause undefined behaviour.");
- BugReport *R = new BugReport(*BT_doubleclose,
- BT_doubleclose->getDescription(), N);
- C.EmitReport(R);
- }
- return NULL;
- }
-
- // Close the File Descriptor.
- return state->set<StreamState>(Sym, StreamState::getClosed(CE));
-}
-
-void StreamChecker::evalDeadSymbols(CheckerContext &C,SymbolReaper &SymReaper) {
- for (SymbolReaper::dead_iterator I = SymReaper.dead_begin(),
- E = SymReaper.dead_end(); I != E; ++I) {
- SymbolRef Sym = *I;
- const GRState *state = C.getState();
- const StreamState *SS = state->get<StreamState>(Sym);
- if (!SS)
- return;
-
- if (SS->isOpened()) {
- ExplodedNode *N = C.generateSink();
- if (N) {
- if (!BT_ResourceLeak)
- BT_ResourceLeak = new BuiltinBug("Resource Leak",
- "Opened File never closed. Potential Resource leak.");
- BugReport *R = new BugReport(*BT_ResourceLeak,
- BT_ResourceLeak->getDescription(), N);
- C.EmitReport(R);
- }
- }
- }
-}
-
-void StreamChecker::evalEndPath(EndPathNodeBuilder &B, void *tag,
- ExprEngine &Eng) {
- SaveAndRestore<bool> OldHasGen(B.HasGeneratedNode);
- const GRState *state = B.getState();
- typedef llvm::ImmutableMap<SymbolRef, StreamState> SymMap;
- SymMap M = state->get<StreamState>();
-
- for (SymMap::iterator I = M.begin(), E = M.end(); I != E; ++I) {
- StreamState SS = I->second;
- if (SS.isOpened()) {
- ExplodedNode *N = B.generateNode(state, tag, B.getPredecessor());
- if (N) {
- if (!BT_ResourceLeak)
- BT_ResourceLeak = new BuiltinBug("Resource Leak",
- "Opened File never closed. Potential Resource leak.");
- BugReport *R = new BugReport(*BT_ResourceLeak,
- BT_ResourceLeak->getDescription(), N);
- Eng.getBugReporter().EmitReport(R);
- }
- }
- }
-}
-
-void StreamChecker::PreVisitReturnStmt(CheckerContext &C, const ReturnStmt *S) {
- const Expr *RetE = S->getRetValue();
- if (!RetE)
- return;
-
- const GRState *state = C.getState();
- SymbolRef Sym = state->getSVal(RetE).getAsSymbol();
-
- if (!Sym)
- return;
-
- const StreamState *SS = state->get<StreamState>(Sym);
- if(!SS)
- return;
-
- if (SS->isOpened())
- state = state->set<StreamState>(Sym, StreamState::getEscaped(S));
-
- C.addTransition(state);
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefBranchChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefBranchChecker.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefBranchChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefBranchChecker.cpp (removed)
@@ -1,120 +0,0 @@
-//=== UndefBranchChecker.cpp -----------------------------------*- C++ -*--===//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines UndefBranchChecker, which checks for undefined branch
-// condition.
-//
-//===----------------------------------------------------------------------===//
-
-#include "ExprEngineInternalChecks.h"
-#include "clang/StaticAnalyzer/BugReporter/BugType.h"
-#include "clang/StaticAnalyzer/PathSensitive/Checker.h"
-
-using namespace clang;
-using namespace ento;
-
-namespace {
-
-class UndefBranchChecker : public Checker {
- BuiltinBug *BT;
-
- struct FindUndefExpr {
- GRStateManager& VM;
- const GRState* St;
-
- FindUndefExpr(GRStateManager& V, const GRState* S) : VM(V), St(S) {}
-
- const Expr* FindExpr(const Expr* Ex) {
- if (!MatchesCriteria(Ex))
- return 0;
-
- for (Stmt::const_child_iterator I = Ex->child_begin(),
- E = Ex->child_end();I!=E;++I)
- if (const Expr* ExI = dyn_cast_or_null<Expr>(*I)) {
- const Expr* E2 = FindExpr(ExI);
- if (E2) return E2;
- }
-
- return Ex;
- }
-
- bool MatchesCriteria(const Expr* Ex) { return St->getSVal(Ex).isUndef(); }
- };
-
-public:
- UndefBranchChecker() : BT(0) {}
- static void *getTag();
- void VisitBranchCondition(BranchNodeBuilder &Builder, ExprEngine &Eng,
- const Stmt *Condition, void *tag);
-};
-
-}
-
-void ento::RegisterUndefBranchChecker(ExprEngine &Eng) {
- Eng.registerCheck(new UndefBranchChecker());
-}
-
-void *UndefBranchChecker::getTag() {
- static int x;
- return &x;
-}
-
-void UndefBranchChecker::VisitBranchCondition(BranchNodeBuilder &Builder,
- ExprEngine &Eng,
- const Stmt *Condition, void *tag){
- const GRState *state = Builder.getState();
- SVal X = state->getSVal(Condition);
- if (X.isUndef()) {
- ExplodedNode *N = Builder.generateNode(state, true);
- if (N) {
- N->markAsSink();
- if (!BT)
- BT = new BuiltinBug("Branch condition evaluates to a garbage value");
-
- // What's going on here: we want to highlight the subexpression of the
- // condition that is the most likely source of the "uninitialized
- // branch condition." We do a recursive walk of the condition's
- // subexpressions and roughly look for the most nested subexpression
- // that binds to Undefined. We then highlight that expression's range.
- BlockEdge B = cast<BlockEdge>(N->getLocation());
- const Expr* Ex = cast<Expr>(B.getSrc()->getTerminatorCondition());
- assert (Ex && "Block must have a terminator.");
-
- // Get the predecessor node and check if is a PostStmt with the Stmt
- // being the terminator condition. We want to inspect the state
- // of that node instead because it will contain main information about
- // the subexpressions.
- assert (!N->pred_empty());
-
- // Note: any predecessor will do. They should have identical state,
- // since all the BlockEdge did was act as an error sink since the value
- // had to already be undefined.
- ExplodedNode *PrevN = *N->pred_begin();
- ProgramPoint P = PrevN->getLocation();
- const GRState* St = N->getState();
-
- if (PostStmt* PS = dyn_cast<PostStmt>(&P))
- if (PS->getStmt() == Ex)
- St = PrevN->getState();
-
- FindUndefExpr FindIt(Eng.getStateManager(), St);
- Ex = FindIt.FindExpr(Ex);
-
- // Emit the bug report.
- EnhancedBugReport *R = new EnhancedBugReport(*BT, BT->getDescription(),N);
- R->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, Ex);
- R->addRange(Ex->getSourceRange());
-
- Eng.getBugReporter().EmitReport(R);
- }
-
- Builder.markInfeasible(true);
- Builder.markInfeasible(false);
- }
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefCapturedBlockVarChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefCapturedBlockVarChecker.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefCapturedBlockVarChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefCapturedBlockVarChecker.cpp (removed)
@@ -1,102 +0,0 @@
-// UndefCapturedBlockVarChecker.cpp - Uninitialized captured vars -*- C++ -*-=//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This checker detects blocks that capture uninitialized values.
-//
-//===----------------------------------------------------------------------===//
-
-#include "ExprEngineInternalChecks.h"
-#include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
-#include "clang/StaticAnalyzer/PathSensitive/ExprEngine.h"
-#include "clang/StaticAnalyzer/BugReporter/BugType.h"
-#include "llvm/Support/raw_ostream.h"
-
-using namespace clang;
-using namespace ento;
-
-namespace {
-class UndefCapturedBlockVarChecker
- : public CheckerVisitor<UndefCapturedBlockVarChecker> {
- BugType *BT;
-
-public:
- UndefCapturedBlockVarChecker() : BT(0) {}
- static void *getTag() { static int tag = 0; return &tag; }
- void PostVisitBlockExpr(CheckerContext &C, const BlockExpr *BE);
-};
-} // end anonymous namespace
-
-void ento::RegisterUndefCapturedBlockVarChecker(ExprEngine &Eng) {
- Eng.registerCheck(new UndefCapturedBlockVarChecker());
-}
-
-static const BlockDeclRefExpr *FindBlockDeclRefExpr(const Stmt *S,
- const VarDecl *VD){
- if (const BlockDeclRefExpr *BR = dyn_cast<BlockDeclRefExpr>(S))
- if (BR->getDecl() == VD)
- return BR;
-
- for (Stmt::const_child_iterator I = S->child_begin(), E = S->child_end();
- I!=E; ++I)
- if (const Stmt *child = *I) {
- const BlockDeclRefExpr *BR = FindBlockDeclRefExpr(child, VD);
- if (BR)
- return BR;
- }
-
- return NULL;
-}
-
-void
-UndefCapturedBlockVarChecker::PostVisitBlockExpr(CheckerContext &C,
- const BlockExpr *BE) {
- if (!BE->hasBlockDeclRefExprs())
- return;
-
- const GRState *state = C.getState();
- const BlockDataRegion *R =
- cast<BlockDataRegion>(state->getSVal(BE).getAsRegion());
-
- BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(),
- E = R->referenced_vars_end();
-
- for (; I != E; ++I) {
- // This VarRegion is the region associated with the block; we need
- // the one associated with the encompassing context.
- const VarRegion *VR = *I;
- const VarDecl *VD = VR->getDecl();
-
- if (VD->getAttr<BlocksAttr>() || !VD->hasLocalStorage())
- continue;
-
- // Get the VarRegion associated with VD in the local stack frame.
- const LocationContext *LC = C.getPredecessor()->getLocationContext();
- VR = C.getSValBuilder().getRegionManager().getVarRegion(VD, LC);
-
- if (state->getSVal(VR).isUndef())
- if (ExplodedNode *N = C.generateSink()) {
- if (!BT)
- BT = new BuiltinBug("Captured block variable is uninitialized");
-
- // Generate a bug report.
- llvm::SmallString<128> buf;
- llvm::raw_svector_ostream os(buf);
-
- os << "Variable '" << VD->getName() << "' is captured by block with "
- "a garbage value";
-
- EnhancedBugReport *R = new EnhancedBugReport(*BT, os.str(), N);
- if (const Expr *Ex = FindBlockDeclRefExpr(BE->getBody(), VD))
- R->addRange(Ex->getSourceRange());
- R->addVisitorCreator(bugreporter::registerFindLastStore, VR);
- // need location of block
- C.EmitReport(R);
- }
- }
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefResultChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefResultChecker.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefResultChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefResultChecker.cpp (removed)
@@ -1,87 +0,0 @@
-//=== UndefResultChecker.cpp ------------------------------------*- C++ -*-===//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This defines UndefResultChecker, a builtin check in ExprEngine that
-// performs checks for undefined results of non-assignment binary operators.
-//
-//===----------------------------------------------------------------------===//
-
-#include "ExprEngineInternalChecks.h"
-#include "clang/StaticAnalyzer/BugReporter/BugType.h"
-#include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
-#include "clang/StaticAnalyzer/PathSensitive/ExprEngine.h"
-
-using namespace clang;
-using namespace ento;
-
-namespace {
-class UndefResultChecker
- : public CheckerVisitor<UndefResultChecker> {
-
- BugType *BT;
-
-public:
- UndefResultChecker() : BT(0) {}
- static void *getTag() { static int tag = 0; return &tag; }
- void PostVisitBinaryOperator(CheckerContext &C, const BinaryOperator *B);
-};
-} // end anonymous namespace
-
-void ento::RegisterUndefResultChecker(ExprEngine &Eng) {
- Eng.registerCheck(new UndefResultChecker());
-}
-
-void UndefResultChecker::PostVisitBinaryOperator(CheckerContext &C,
- const BinaryOperator *B) {
- const GRState *state = C.getState();
- if (state->getSVal(B).isUndef()) {
- // Generate an error node.
- ExplodedNode *N = C.generateSink();
- if (!N)
- return;
-
- if (!BT)
- BT = new BuiltinBug("Result of operation is garbage or undefined");
-
- llvm::SmallString<256> sbuf;
- llvm::raw_svector_ostream OS(sbuf);
- const Expr *Ex = NULL;
- bool isLeft = true;
-
- if (state->getSVal(B->getLHS()).isUndef()) {
- Ex = B->getLHS()->IgnoreParenCasts();
- isLeft = true;
- }
- else if (state->getSVal(B->getRHS()).isUndef()) {
- Ex = B->getRHS()->IgnoreParenCasts();
- isLeft = false;
- }
-
- if (Ex) {
- OS << "The " << (isLeft ? "left" : "right")
- << " operand of '"
- << BinaryOperator::getOpcodeStr(B->getOpcode())
- << "' is a garbage value";
- }
- else {
- // Neither operand was undefined, but the result is undefined.
- OS << "The result of the '"
- << BinaryOperator::getOpcodeStr(B->getOpcode())
- << "' expression is undefined";
- }
- EnhancedBugReport *report = new EnhancedBugReport(*BT, OS.str(), N);
- if (Ex) {
- report->addRange(Ex->getSourceRange());
- report->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, Ex);
- }
- else
- report->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, B);
- C.EmitReport(report);
- }
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefinedArraySubscriptChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefinedArraySubscriptChecker.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefinedArraySubscriptChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefinedArraySubscriptChecker.cpp (removed)
@@ -1,57 +0,0 @@
-//===--- UndefinedArraySubscriptChecker.h ----------------------*- C++ -*--===//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This defines UndefinedArraySubscriptChecker, a builtin check in ExprEngine
-// that performs checks for undefined array subscripts.
-//
-//===----------------------------------------------------------------------===//
-
-#include "ExprEngineInternalChecks.h"
-#include "clang/StaticAnalyzer/BugReporter/BugType.h"
-#include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
-
-using namespace clang;
-using namespace ento;
-
-namespace {
-class UndefinedArraySubscriptChecker
- : public CheckerVisitor<UndefinedArraySubscriptChecker> {
- BugType *BT;
-public:
- UndefinedArraySubscriptChecker() : BT(0) {}
- static void *getTag() {
- static int x = 0;
- return &x;
- }
- void PreVisitArraySubscriptExpr(CheckerContext &C,
- const ArraySubscriptExpr *A);
-};
-} // end anonymous namespace
-
-void ento::RegisterUndefinedArraySubscriptChecker(ExprEngine &Eng) {
- Eng.registerCheck(new UndefinedArraySubscriptChecker());
-}
-
-void
-UndefinedArraySubscriptChecker::PreVisitArraySubscriptExpr(CheckerContext &C,
- const ArraySubscriptExpr *A) {
- if (C.getState()->getSVal(A->getIdx()).isUndef()) {
- if (ExplodedNode *N = C.generateSink()) {
- if (!BT)
- BT = new BuiltinBug("Array subscript is undefined");
-
- // Generate a report for this bug.
- EnhancedBugReport *R = new EnhancedBugReport(*BT, BT->getName(), N);
- R->addRange(A->getIdx()->getSourceRange());
- R->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue,
- A->getIdx());
- C.EmitReport(R);
- }
- }
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefinedAssignmentChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefinedAssignmentChecker.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefinedAssignmentChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UndefinedAssignmentChecker.cpp (removed)
@@ -1,94 +0,0 @@
-//===--- UndefinedAssignmentChecker.h ---------------------------*- C++ -*--==//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This defines UndefinedAssginmentChecker, a builtin check in ExprEngine that
-// checks for assigning undefined values.
-//
-//===----------------------------------------------------------------------===//
-
-#include "ExprEngineInternalChecks.h"
-#include "clang/StaticAnalyzer/BugReporter/BugType.h"
-#include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
-
-using namespace clang;
-using namespace ento;
-
-namespace {
-class UndefinedAssignmentChecker
- : public CheckerVisitor<UndefinedAssignmentChecker> {
- BugType *BT;
-public:
- UndefinedAssignmentChecker() : BT(0) {}
- static void *getTag();
- virtual void PreVisitBind(CheckerContext &C, const Stmt *StoreE,
- SVal location, SVal val);
-};
-}
-
-void ento::RegisterUndefinedAssignmentChecker(ExprEngine &Eng){
- Eng.registerCheck(new UndefinedAssignmentChecker());
-}
-
-void *UndefinedAssignmentChecker::getTag() {
- static int x = 0;
- return &x;
-}
-
-void UndefinedAssignmentChecker::PreVisitBind(CheckerContext &C,
- const Stmt *StoreE,
- SVal location,
- SVal val) {
- if (!val.isUndef())
- return;
-
- ExplodedNode *N = C.generateSink();
-
- if (!N)
- return;
-
- const char *str = "Assigned value is garbage or undefined";
-
- if (!BT)
- BT = new BuiltinBug(str);
-
- // Generate a report for this bug.
- const Expr *ex = 0;
-
- while (StoreE) {
- if (const BinaryOperator *B = dyn_cast<BinaryOperator>(StoreE)) {
- if (B->isCompoundAssignmentOp()) {
- const GRState *state = C.getState();
- if (state->getSVal(B->getLHS()).isUndef()) {
- str = "The left expression of the compound assignment is an "
- "uninitialized value. The computed value will also be garbage";
- ex = B->getLHS();
- break;
- }
- }
-
- ex = B->getRHS();
- break;
- }
-
- if (const DeclStmt *DS = dyn_cast<DeclStmt>(StoreE)) {
- const VarDecl* VD = dyn_cast<VarDecl>(DS->getSingleDecl());
- ex = VD->getInit();
- }
-
- break;
- }
-
- EnhancedBugReport *R = new EnhancedBugReport(*BT, str, N);
- if (ex) {
- R->addRange(ex->getSourceRange());
- R->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, ex);
- }
- C.EmitReport(R);
-}
-
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UnixAPIChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UnixAPIChecker.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UnixAPIChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UnixAPIChecker.cpp (removed)
@@ -1,277 +0,0 @@
-//= UnixAPIChecker.h - Checks preconditions for various Unix APIs --*- C++ -*-//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This defines UnixAPIChecker, which is an assortment of checks on calls
-// to various, widely used UNIX/Posix functions.
-//
-//===----------------------------------------------------------------------===//
-
-#include "ExprEngineInternalChecks.h"
-#include "clang/Basic/TargetInfo.h"
-#include "clang/StaticAnalyzer/BugReporter/BugType.h"
-#include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
-#include "llvm/ADT/Optional.h"
-#include "llvm/ADT/StringSwitch.h"
-#include <fcntl.h>
-
-using namespace clang;
-using namespace ento;
-using llvm::Optional;
-
-namespace {
-class UnixAPIChecker : public CheckerVisitor<UnixAPIChecker> {
- enum SubChecks {
- OpenFn = 0,
- PthreadOnceFn = 1,
- MallocZero = 2,
- NumChecks
- };
-
- BugType *BTypes[NumChecks];
-
-public:
- Optional<uint64_t> Val_O_CREAT;
-
-public:
- UnixAPIChecker() { memset(BTypes, 0, sizeof(*BTypes) * NumChecks); }
- static void *getTag() { static unsigned tag = 0; return &tag; }
-
- void PreVisitCallExpr(CheckerContext &C, const CallExpr *CE);
-};
-} //end anonymous namespace
-
-void ento::RegisterUnixAPIChecker(ExprEngine &Eng) {
- Eng.registerCheck(new UnixAPIChecker());
-}
-
-//===----------------------------------------------------------------------===//
-// Utility functions.
-//===----------------------------------------------------------------------===//
-
-static inline void LazyInitialize(BugType *&BT, const char *name) {
- if (BT)
- return;
- BT = new BugType(name, "Unix API");
-}
-
-//===----------------------------------------------------------------------===//
-// "open" (man 2 open)
-//===----------------------------------------------------------------------===//
-
-static void CheckOpen(CheckerContext &C, UnixAPIChecker &UC,
- const CallExpr *CE, BugType *&BT) {
- // The definition of O_CREAT is platform specific. We need a better way
- // of querying this information from the checking environment.
- if (!UC.Val_O_CREAT.hasValue()) {
- if (C.getASTContext().Target.getTriple().getVendor() == llvm::Triple::Apple)
- UC.Val_O_CREAT = 0x0200;
- else {
- // FIXME: We need a more general way of getting the O_CREAT value.
- // We could possibly grovel through the preprocessor state, but
- // that would require passing the Preprocessor object to the ExprEngine.
- return;
- }
- }
-
- LazyInitialize(BT, "Improper use of 'open'");
-
- // Look at the 'oflags' argument for the O_CREAT flag.
- const GRState *state = C.getState();
-
- if (CE->getNumArgs() < 2) {
- // The frontend should issue a warning for this case, so this is a sanity
- // check.
- return;
- }
-
- // Now check if oflags has O_CREAT set.
- const Expr *oflagsEx = CE->getArg(1);
- const SVal V = state->getSVal(oflagsEx);
- if (!isa<NonLoc>(V)) {
- // The case where 'V' can be a location can only be due to a bad header,
- // so in this case bail out.
- return;
- }
- NonLoc oflags = cast<NonLoc>(V);
- NonLoc ocreateFlag =
- cast<NonLoc>(C.getSValBuilder().makeIntVal(UC.Val_O_CREAT.getValue(),
- oflagsEx->getType()));
- SVal maskedFlagsUC = C.getSValBuilder().evalBinOpNN(state, BO_And,
- oflags, ocreateFlag,
- oflagsEx->getType());
- if (maskedFlagsUC.isUnknownOrUndef())
- return;
- DefinedSVal maskedFlags = cast<DefinedSVal>(maskedFlagsUC);
-
- // Check if maskedFlags is non-zero.
- const GRState *trueState, *falseState;
- llvm::tie(trueState, falseState) = state->assume(maskedFlags);
-
- // Only emit an error if the value of 'maskedFlags' is properly
- // constrained;
- if (!(trueState && !falseState))
- return;
-
- if (CE->getNumArgs() < 3) {
- ExplodedNode *N = C.generateSink(trueState);
- if (!N)
- return;
-
- EnhancedBugReport *report =
- new EnhancedBugReport(*BT,
- "Call to 'open' requires a third argument when "
- "the 'O_CREAT' flag is set", N);
- report->addRange(oflagsEx->getSourceRange());
- C.EmitReport(report);
- }
-}
-
-//===----------------------------------------------------------------------===//
-// pthread_once
-//===----------------------------------------------------------------------===//
-
-static void CheckPthreadOnce(CheckerContext &C, UnixAPIChecker &,
- const CallExpr *CE, BugType *&BT) {
-
- // This is similar to 'CheckDispatchOnce' in the MacOSXAPIChecker.
- // They can possibly be refactored.
-
- LazyInitialize(BT, "Improper use of 'pthread_once'");
-
- if (CE->getNumArgs() < 1)
- return;
-
- // Check if the first argument is stack allocated. If so, issue a warning
- // because that's likely to be bad news.
- const GRState *state = C.getState();
- const MemRegion *R = state->getSVal(CE->getArg(0)).getAsRegion();
- if (!R || !isa<StackSpaceRegion>(R->getMemorySpace()))
- return;
-
- ExplodedNode *N = C.generateSink(state);
- if (!N)
- return;
-
- llvm::SmallString<256> S;
- llvm::raw_svector_ostream os(S);
- os << "Call to 'pthread_once' uses";
- if (const VarRegion *VR = dyn_cast<VarRegion>(R))
- os << " the local variable '" << VR->getDecl()->getName() << '\'';
- else
- os << " stack allocated memory";
- os << " for the \"control\" value. Using such transient memory for "
- "the control value is potentially dangerous.";
- if (isa<VarRegion>(R) && isa<StackLocalsSpaceRegion>(R->getMemorySpace()))
- os << " Perhaps you intended to declare the variable as 'static'?";
-
- EnhancedBugReport *report = new EnhancedBugReport(*BT, os.str(), N);
- report->addRange(CE->getArg(0)->getSourceRange());
- C.EmitReport(report);
-}
-
-//===----------------------------------------------------------------------===//
-// "malloc" with allocation size 0
-//===----------------------------------------------------------------------===//
-
-// FIXME: Eventually this should be rolled into the MallocChecker, but this
-// check is more basic and is valuable for widespread use.
-static void CheckMallocZero(CheckerContext &C, UnixAPIChecker &UC,
- const CallExpr *CE, BugType *&BT) {
-
- // Sanity check that malloc takes one argument.
- if (CE->getNumArgs() != 1)
- return;
-
- // Check if the allocation size is 0.
- const GRState *state = C.getState();
- SVal argVal = state->getSVal(CE->getArg(0));
-
- if (argVal.isUnknownOrUndef())
- return;
-
- const GRState *trueState, *falseState;
- llvm::tie(trueState, falseState) = state->assume(cast<DefinedSVal>(argVal));
-
- // Is the value perfectly constrained to zero?
- if (falseState && !trueState) {
- ExplodedNode *N = C.generateSink(falseState);
- if (!N)
- return;
-
- // FIXME: Add reference to CERT advisory, and/or C99 standard in bug
- // output.
-
- LazyInitialize(BT, "Undefined allocation of 0 bytes");
-
- EnhancedBugReport *report =
- new EnhancedBugReport(*BT, "Call to 'malloc' has an allocation size"
- " of 0 bytes", N);
- report->addRange(CE->getArg(0)->getSourceRange());
- report->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue,
- CE->getArg(0));
- C.EmitReport(report);
- return;
- }
- // Assume the the value is non-zero going forward.
- assert(trueState);
- if (trueState != state) {
- C.addTransition(trueState);
- }
-}
-
-//===----------------------------------------------------------------------===//
-// Central dispatch function.
-//===----------------------------------------------------------------------===//
-
-typedef void (*SubChecker)(CheckerContext &C, UnixAPIChecker &UC,
- const CallExpr *CE, BugType *&BT);
-namespace {
- class SubCheck {
- SubChecker SC;
- UnixAPIChecker *UC;
- BugType **BT;
- public:
- SubCheck(SubChecker sc, UnixAPIChecker *uc, BugType *& bt) : SC(sc), UC(uc),
- BT(&bt) {}
- SubCheck() : SC(NULL), UC(NULL), BT(NULL) {}
-
- void run(CheckerContext &C, const CallExpr *CE) const {
- if (SC)
- SC(C, *UC, CE, *BT);
- }
- };
-} // end anonymous namespace
-
-void UnixAPIChecker::PreVisitCallExpr(CheckerContext &C, const CallExpr *CE) {
- // Get the callee. All the functions we care about are C functions
- // with simple identifiers.
- const GRState *state = C.getState();
- const Expr *Callee = CE->getCallee();
- const FunctionTextRegion *Fn =
- dyn_cast_or_null<FunctionTextRegion>(state->getSVal(Callee).getAsRegion());
-
- if (!Fn)
- return;
-
- const IdentifierInfo *FI = Fn->getDecl()->getIdentifier();
- if (!FI)
- return;
-
- const SubCheck &SC =
- llvm::StringSwitch<SubCheck>(FI->getName())
- .Case("open",
- SubCheck(CheckOpen, this, BTypes[OpenFn]))
- .Case("pthread_once",
- SubCheck(CheckPthreadOnce, this, BTypes[PthreadOnceFn]))
- .Case("malloc",
- SubCheck(CheckMallocZero, this, BTypes[MallocZero]))
- .Default(SubCheck());
-
- SC.run(C, CE);
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UnreachableCodeChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UnreachableCodeChecker.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UnreachableCodeChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/UnreachableCodeChecker.cpp (removed)
@@ -1,223 +0,0 @@
-//==- UnreachableCodeChecker.cpp - Generalized dead code checker -*- C++ -*-==//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-// This file implements a generalized unreachable code checker using a
-// path-sensitive analysis. We mark any path visited, and then walk the CFG as a
-// post-analysis to determine what was never visited.
-//
-// A similar flow-sensitive only check exists in Analysis/ReachableCode.cpp
-//===----------------------------------------------------------------------===//
-
-#include "clang/AST/ParentMap.h"
-#include "clang/Basic/Builtins.h"
-#include "clang/Basic/SourceManager.h"
-#include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
-#include "clang/StaticAnalyzer/PathSensitive/ExplodedGraph.h"
-#include "clang/StaticAnalyzer/PathSensitive/SVals.h"
-#include "clang/StaticAnalyzer/PathSensitive/CheckerHelpers.h"
-#include "clang/StaticAnalyzer/BugReporter/BugReporter.h"
-#include "ExprEngineExperimentalChecks.h"
-#include "llvm/ADT/SmallPtrSet.h"
-
-// The number of CFGBlock pointers we want to reserve memory for. This is used
-// once for each function we analyze.
-#define DEFAULT_CFGBLOCKS 256
-
-using namespace clang;
-using namespace ento;
-
-namespace {
-class UnreachableCodeChecker : public Checker {
-public:
- static void *getTag();
- void VisitEndAnalysis(ExplodedGraph &G,
- BugReporter &B,
- ExprEngine &Eng);
-private:
- static inline const Stmt *getUnreachableStmt(const CFGBlock *CB);
- void FindUnreachableEntryPoints(const CFGBlock *CB);
- static bool isInvalidPath(const CFGBlock *CB, const ParentMap &PM);
- static inline bool isEmptyCFGBlock(const CFGBlock *CB);
-
- llvm::SmallSet<unsigned, DEFAULT_CFGBLOCKS> reachable;
- llvm::SmallSet<unsigned, DEFAULT_CFGBLOCKS> visited;
-};
-}
-
-void *UnreachableCodeChecker::getTag() {
- static int x = 0;
- return &x;
-}
-
-void ento::RegisterUnreachableCodeChecker(ExprEngine &Eng) {
- Eng.registerCheck(new UnreachableCodeChecker());
-}
-
-void UnreachableCodeChecker::VisitEndAnalysis(ExplodedGraph &G,
- BugReporter &B,
- ExprEngine &Eng) {
- // Bail out if we didn't cover all paths
- if (Eng.hasWorkRemaining())
- return;
-
- CFG *C = 0;
- ParentMap *PM = 0;
- // Iterate over ExplodedGraph
- for (ExplodedGraph::node_iterator I = G.nodes_begin(), E = G.nodes_end();
- I != E; ++I) {
- const ProgramPoint &P = I->getLocation();
- const LocationContext *LC = P.getLocationContext();
-
- // Save the CFG if we don't have it already
- if (!C)
- C = LC->getAnalysisContext()->getUnoptimizedCFG();
- if (!PM)
- PM = &LC->getParentMap();
-
- if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) {
- const CFGBlock *CB = BE->getBlock();
- reachable.insert(CB->getBlockID());
- }
- }
-
- // Bail out if we didn't get the CFG or the ParentMap.
- if (!C || !PM)
- return;
-
- ASTContext &Ctx = B.getContext();
-
- // Find CFGBlocks that were not covered by any node
- for (CFG::const_iterator I = C->begin(), E = C->end(); I != E; ++I) {
- const CFGBlock *CB = *I;
- // Check if the block is unreachable
- if (reachable.count(CB->getBlockID()))
- continue;
-
- // Check if the block is empty (an artificial block)
- if (isEmptyCFGBlock(CB))
- continue;
-
- // Find the entry points for this block
- if (!visited.count(CB->getBlockID()))
- FindUnreachableEntryPoints(CB);
-
- // This block may have been pruned; check if we still want to report it
- if (reachable.count(CB->getBlockID()))
- continue;
-
- // Check for false positives
- if (CB->size() > 0 && isInvalidPath(CB, *PM))
- continue;
-
- // Special case for __builtin_unreachable.
- // FIXME: This should be extended to include other unreachable markers,
- // such as llvm_unreachable.
- if (!CB->empty()) {
- CFGElement First = CB->front();
- if (CFGStmt S = First.getAs<CFGStmt>()) {
- if (const CallExpr *CE = dyn_cast<CallExpr>(S.getStmt())) {
- if (CE->isBuiltinCall(Ctx) == Builtin::BI__builtin_unreachable)
- continue;
- }
- }
- }
-
- // We found a block that wasn't covered - find the statement to report
- SourceRange SR;
- SourceLocation SL;
- if (const Stmt *S = getUnreachableStmt(CB)) {
- SR = S->getSourceRange();
- SL = S->getLocStart();
- if (SR.isInvalid() || SL.isInvalid())
- continue;
- }
- else
- continue;
-
- // Check if the SourceLocation is in a system header
- const SourceManager &SM = B.getSourceManager();
- if (SM.isInSystemHeader(SL) || SM.isInExternCSystemHeader(SL))
- continue;
-
- B.EmitBasicReport("Unreachable code", "Dead code", "This statement is never"
- " executed", SL, SR);
- }
-}
-
-// Recursively finds the entry point(s) for this dead CFGBlock.
-void UnreachableCodeChecker::FindUnreachableEntryPoints(const CFGBlock *CB) {
- visited.insert(CB->getBlockID());
-
- for (CFGBlock::const_pred_iterator I = CB->pred_begin(), E = CB->pred_end();
- I != E; ++I) {
- if (!reachable.count((*I)->getBlockID())) {
- // If we find an unreachable predecessor, mark this block as reachable so
- // we don't report this block
- reachable.insert(CB->getBlockID());
- if (!visited.count((*I)->getBlockID()))
- // If we haven't previously visited the unreachable predecessor, recurse
- FindUnreachableEntryPoints(*I);
- }
- }
-}
-
-// Find the Stmt* in a CFGBlock for reporting a warning
-const Stmt *UnreachableCodeChecker::getUnreachableStmt(const CFGBlock *CB) {
- for (CFGBlock::const_iterator I = CB->begin(), E = CB->end(); I != E; ++I) {
- if (CFGStmt S = I->getAs<CFGStmt>())
- return S;
- }
- if (const Stmt *S = CB->getTerminator())
- return S;
- else
- return 0;
-}
-
-// Determines if the path to this CFGBlock contained an element that infers this
-// block is a false positive. We assume that FindUnreachableEntryPoints has
-// already marked only the entry points to any dead code, so we need only to
-// find the condition that led to this block (the predecessor of this block.)
-// There will never be more than one predecessor.
-bool UnreachableCodeChecker::isInvalidPath(const CFGBlock *CB,
- const ParentMap &PM) {
- // We only expect a predecessor size of 0 or 1. If it is >1, then an external
- // condition has broken our assumption (for example, a sink being placed by
- // another check). In these cases, we choose not to report.
- if (CB->pred_size() > 1)
- return true;
-
- // If there are no predecessors, then this block is trivially unreachable
- if (CB->pred_size() == 0)
- return false;
-
- const CFGBlock *pred = *CB->pred_begin();
-
- // Get the predecessor block's terminator conditon
- const Stmt *cond = pred->getTerminatorCondition();
-
- //assert(cond && "CFGBlock's predecessor has a terminator condition");
- // The previous assertion is invalid in some cases (eg do/while). Leaving
- // reporting of these situations on at the moment to help triage these cases.
- if (!cond)
- return false;
-
- // Run each of the checks on the conditions
- if (containsMacro(cond) || containsEnum(cond)
- || containsStaticLocal(cond) || containsBuiltinOffsetOf(cond)
- || containsStmt<SizeOfAlignOfExpr>(cond))
- return true;
-
- return false;
-}
-
-// Returns true if the given CFGBlock is empty
-bool UnreachableCodeChecker::isEmptyCFGBlock(const CFGBlock *CB) {
- return CB->getLabel() == 0 // No labels
- && CB->size() == 0 // No statements
- && CB->getTerminator() == 0; // No terminator
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/VLASizeChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/VLASizeChecker.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/VLASizeChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/Checkers/VLASizeChecker.cpp (removed)
@@ -1,138 +0,0 @@
-//=== VLASizeChecker.cpp - Undefined dereference checker --------*- C++ -*-===//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This defines VLASizeChecker, a builtin check in ExprEngine that
-// performs checks for declaration of VLA of undefined or zero size.
-// In addition, VLASizeChecker is responsible for defining the extent
-// of the MemRegion that represents a VLA.
-//
-//===----------------------------------------------------------------------===//
-
-#include "ExprEngineInternalChecks.h"
-#include "clang/AST/CharUnits.h"
-#include "clang/StaticAnalyzer/BugReporter/BugType.h"
-#include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
-#include "clang/StaticAnalyzer/PathSensitive/ExprEngine.h"
-
-using namespace clang;
-using namespace ento;
-
-namespace {
-class VLASizeChecker : public CheckerVisitor<VLASizeChecker> {
- BugType *BT_zero;
- BugType *BT_undef;
-
-public:
- VLASizeChecker() : BT_zero(0), BT_undef(0) {}
- static void *getTag() { static int tag = 0; return &tag; }
- void PreVisitDeclStmt(CheckerContext &C, const DeclStmt *DS);
-};
-} // end anonymous namespace
-
-void ento::RegisterVLASizeChecker(ExprEngine &Eng) {
- Eng.registerCheck(new VLASizeChecker());
-}
-
-void VLASizeChecker::PreVisitDeclStmt(CheckerContext &C, const DeclStmt *DS) {
- if (!DS->isSingleDecl())
- return;
-
- const VarDecl *VD = dyn_cast<VarDecl>(DS->getSingleDecl());
- if (!VD)
- return;
-
- ASTContext &Ctx = C.getASTContext();
- const VariableArrayType *VLA = Ctx.getAsVariableArrayType(VD->getType());
- if (!VLA)
- return;
-
- // FIXME: Handle multi-dimensional VLAs.
- const Expr* SE = VLA->getSizeExpr();
- const GRState *state = C.getState();
- SVal sizeV = state->getSVal(SE);
-
- if (sizeV.isUndef()) {
- // Generate an error node.
- ExplodedNode *N = C.generateSink();
- if (!N)
- return;
-
- if (!BT_undef)
- BT_undef = new BuiltinBug("Declared variable-length array (VLA) uses a "
- "garbage value as its size");
-
- EnhancedBugReport *report =
- new EnhancedBugReport(*BT_undef, BT_undef->getName(), N);
- report->addRange(SE->getSourceRange());
- report->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, SE);
- C.EmitReport(report);
- return;
- }
-
- // See if the size value is known. It can't be undefined because we would have
- // warned about that already.
- if (sizeV.isUnknown())
- return;
-
- // Check if the size is zero.
- DefinedSVal sizeD = cast<DefinedSVal>(sizeV);
-
- const GRState *stateNotZero, *stateZero;
- llvm::tie(stateNotZero, stateZero) = state->assume(sizeD);
-
- if (stateZero && !stateNotZero) {
- ExplodedNode* N = C.generateSink(stateZero);
- if (!BT_zero)
- BT_zero = new BuiltinBug("Declared variable-length array (VLA) has zero "
- "size");
-
- EnhancedBugReport *report =
- new EnhancedBugReport(*BT_zero, BT_zero->getName(), N);
- report->addRange(SE->getSourceRange());
- report->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, SE);
- C.EmitReport(report);
- return;
- }
-
- // From this point on, assume that the size is not zero.
- state = stateNotZero;
-
- // VLASizeChecker is responsible for defining the extent of the array being
- // declared. We do this by multiplying the array length by the element size,
- // then matching that with the array region's extent symbol.
-
- // Convert the array length to size_t.
- SValBuilder &svalBuilder = C.getSValBuilder();
- QualType SizeTy = Ctx.getSizeType();
- NonLoc ArrayLength = cast<NonLoc>(svalBuilder.evalCast(sizeD, SizeTy,
- SE->getType()));
-
- // Get the element size.
- CharUnits EleSize = Ctx.getTypeSizeInChars(VLA->getElementType());
- SVal EleSizeVal = svalBuilder.makeIntVal(EleSize.getQuantity(), SizeTy);
-
- // Multiply the array length by the element size.
- SVal ArraySizeVal = svalBuilder.evalBinOpNN(state, BO_Mul, ArrayLength,
- cast<NonLoc>(EleSizeVal), SizeTy);
-
- // Finally, assume that the array's extent matches the given size.
- const LocationContext *LC = C.getPredecessor()->getLocationContext();
- DefinedOrUnknownSVal Extent =
- state->getRegion(VD, LC)->getExtent(svalBuilder);
- DefinedOrUnknownSVal ArraySize = cast<DefinedOrUnknownSVal>(ArraySizeVal);
- DefinedOrUnknownSVal sizeIsKnown =
- svalBuilder.evalEQ(state, Extent, ArraySize);
- state = state->assume(sizeIsKnown, true);
-
- // Assume should not fail at this point.
- assert(state);
-
- // Remember our assumptions!
- C.addTransition(state);
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/CoreEngine.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/CoreEngine.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/CoreEngine.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/CoreEngine.cpp (removed)
@@ -1,809 +0,0 @@
-//==- CoreEngine.cpp - Path-Sensitive Dataflow Engine ------------*- C++ -*-//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines a generic engine for intraprocedural, path-sensitive,
-// dataflow analysis via graph reachability engine.
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/StaticAnalyzer/PathSensitive/AnalysisManager.h"
-#include "clang/StaticAnalyzer/PathSensitive/CoreEngine.h"
-#include "clang/StaticAnalyzer/PathSensitive/ExprEngine.h"
-#include "clang/Index/TranslationUnit.h"
-#include "clang/AST/Expr.h"
-#include "llvm/Support/Casting.h"
-#include "llvm/ADT/DenseMap.h"
-#include <vector>
-#include <queue>
-
-using llvm::cast;
-using llvm::isa;
-using namespace clang;
-using namespace ento;
-
-// This should be removed in the future.
-namespace clang {
-namespace ento {
-TransferFuncs* MakeCFRefCountTF(ASTContext& Ctx, bool GCEnabled,
- const LangOptions& lopts);
-}
-}
-
-//===----------------------------------------------------------------------===//
-// Worklist classes for exploration of reachable states.
-//===----------------------------------------------------------------------===//
-
-WorkList::Visitor::~Visitor() {}
-
-namespace {
-class DFS : public WorkList {
- llvm::SmallVector<WorkListUnit,20> Stack;
-public:
- virtual bool hasWork() const {
- return !Stack.empty();
- }
-
- virtual void Enqueue(const WorkListUnit& U) {
- Stack.push_back(U);
- }
-
- virtual WorkListUnit Dequeue() {
- assert (!Stack.empty());
- const WorkListUnit& U = Stack.back();
- Stack.pop_back(); // This technically "invalidates" U, but we are fine.
- return U;
- }
-
- virtual bool VisitItemsInWorkList(Visitor &V) {
- for (llvm::SmallVectorImpl<WorkListUnit>::iterator
- I = Stack.begin(), E = Stack.end(); I != E; ++I) {
- if (V.Visit(*I))
- return true;
- }
- return false;
- }
-};
-
-class BFS : public WorkList {
- std::deque<WorkListUnit> Queue;
-public:
- virtual bool hasWork() const {
- return !Queue.empty();
- }
-
- virtual void Enqueue(const WorkListUnit& U) {
- Queue.push_front(U);
- }
-
- virtual WorkListUnit Dequeue() {
- WorkListUnit U = Queue.front();
- Queue.pop_front();
- return U;
- }
-
- virtual bool VisitItemsInWorkList(Visitor &V) {
- for (std::deque<WorkListUnit>::iterator
- I = Queue.begin(), E = Queue.end(); I != E; ++I) {
- if (V.Visit(*I))
- return true;
- }
- return false;
- }
-};
-
-} // end anonymous namespace
-
-// Place the dstor for WorkList here because it contains virtual member
-// functions, and we the code for the dstor generated in one compilation unit.
-WorkList::~WorkList() {}
-
-WorkList *WorkList::MakeDFS() { return new DFS(); }
-WorkList *WorkList::MakeBFS() { return new BFS(); }
-
-namespace {
- class BFSBlockDFSContents : public WorkList {
- std::deque<WorkListUnit> Queue;
- llvm::SmallVector<WorkListUnit,20> Stack;
- public:
- virtual bool hasWork() const {
- return !Queue.empty() || !Stack.empty();
- }
-
- virtual void Enqueue(const WorkListUnit& U) {
- if (isa<BlockEntrance>(U.getNode()->getLocation()))
- Queue.push_front(U);
- else
- Stack.push_back(U);
- }
-
- virtual WorkListUnit Dequeue() {
- // Process all basic blocks to completion.
- if (!Stack.empty()) {
- const WorkListUnit& U = Stack.back();
- Stack.pop_back(); // This technically "invalidates" U, but we are fine.
- return U;
- }
-
- assert(!Queue.empty());
- // Don't use const reference. The subsequent pop_back() might make it
- // unsafe.
- WorkListUnit U = Queue.front();
- Queue.pop_front();
- return U;
- }
- virtual bool VisitItemsInWorkList(Visitor &V) {
- for (llvm::SmallVectorImpl<WorkListUnit>::iterator
- I = Stack.begin(), E = Stack.end(); I != E; ++I) {
- if (V.Visit(*I))
- return true;
- }
- for (std::deque<WorkListUnit>::iterator
- I = Queue.begin(), E = Queue.end(); I != E; ++I) {
- if (V.Visit(*I))
- return true;
- }
- return false;
- }
-
- };
-} // end anonymous namespace
-
-WorkList* WorkList::MakeBFSBlockDFSContents() {
- return new BFSBlockDFSContents();
-}
-
-//===----------------------------------------------------------------------===//
-// Core analysis engine.
-//===----------------------------------------------------------------------===//
-
-/// ExecuteWorkList - Run the worklist algorithm for a maximum number of steps.
-bool CoreEngine::ExecuteWorkList(const LocationContext *L, unsigned Steps,
- const GRState *InitState) {
-
- if (G->num_roots() == 0) { // Initialize the analysis by constructing
- // the root if none exists.
-
- const CFGBlock* Entry = &(L->getCFG()->getEntry());
-
- assert (Entry->empty() &&
- "Entry block must be empty.");
-
- assert (Entry->succ_size() == 1 &&
- "Entry block must have 1 successor.");
-
- // Get the solitary successor.
- const CFGBlock* Succ = *(Entry->succ_begin());
-
- // Construct an edge representing the
- // starting location in the function.
- BlockEdge StartLoc(Entry, Succ, L);
-
- // Set the current block counter to being empty.
- WList->setBlockCounter(BCounterFactory.GetEmptyCounter());
-
- if (!InitState)
- // Generate the root.
- generateNode(StartLoc, getInitialState(L), 0);
- else
- generateNode(StartLoc, InitState, 0);
- }
-
- // Check if we have a steps limit
- bool UnlimitedSteps = Steps == 0;
-
- while (WList->hasWork()) {
- if (!UnlimitedSteps) {
- if (Steps == 0)
- break;
- --Steps;
- }
-
- const WorkListUnit& WU = WList->Dequeue();
-
- // Set the current block counter.
- WList->setBlockCounter(WU.getBlockCounter());
-
- // Retrieve the node.
- ExplodedNode* Node = WU.getNode();
-
- // Dispatch on the location type.
- switch (Node->getLocation().getKind()) {
- case ProgramPoint::BlockEdgeKind:
- HandleBlockEdge(cast<BlockEdge>(Node->getLocation()), Node);
- break;
-
- case ProgramPoint::BlockEntranceKind:
- HandleBlockEntrance(cast<BlockEntrance>(Node->getLocation()), Node);
- break;
-
- case ProgramPoint::BlockExitKind:
- assert (false && "BlockExit location never occur in forward analysis.");
- break;
-
- case ProgramPoint::CallEnterKind:
- HandleCallEnter(cast<CallEnter>(Node->getLocation()), WU.getBlock(),
- WU.getIndex(), Node);
- break;
-
- case ProgramPoint::CallExitKind:
- HandleCallExit(cast<CallExit>(Node->getLocation()), Node);
- break;
-
- default:
- assert(isa<PostStmt>(Node->getLocation()) ||
- isa<PostInitializer>(Node->getLocation()));
- HandlePostStmt(WU.getBlock(), WU.getIndex(), Node);
- break;
- }
- }
-
- SubEng.ProcessEndWorklist(hasWorkRemaining());
- return WList->hasWork();
-}
-
-void CoreEngine::ExecuteWorkListWithInitialState(const LocationContext *L,
- unsigned Steps,
- const GRState *InitState,
- ExplodedNodeSet &Dst) {
- ExecuteWorkList(L, Steps, InitState);
- for (llvm::SmallVectorImpl<ExplodedNode*>::iterator I = G->EndNodes.begin(),
- E = G->EndNodes.end(); I != E; ++I) {
- Dst.Add(*I);
- }
-}
-
-void CoreEngine::HandleCallEnter(const CallEnter &L, const CFGBlock *Block,
- unsigned Index, ExplodedNode *Pred) {
- CallEnterNodeBuilder Builder(*this, Pred, L.getCallExpr(),
- L.getCalleeContext(), Block, Index);
- ProcessCallEnter(Builder);
-}
-
-void CoreEngine::HandleCallExit(const CallExit &L, ExplodedNode *Pred) {
- CallExitNodeBuilder Builder(*this, Pred);
- ProcessCallExit(Builder);
-}
-
-void CoreEngine::HandleBlockEdge(const BlockEdge& L, ExplodedNode* Pred) {
-
- const CFGBlock* Blk = L.getDst();
-
- // Check if we are entering the EXIT block.
- if (Blk == &(L.getLocationContext()->getCFG()->getExit())) {
-
- assert (L.getLocationContext()->getCFG()->getExit().size() == 0
- && "EXIT block cannot contain Stmts.");
-
- // Process the final state transition.
- EndPathNodeBuilder Builder(Blk, Pred, this);
- ProcessEndPath(Builder);
-
- // This path is done. Don't enqueue any more nodes.
- return;
- }
-
- // FIXME: Should we allow ProcessBlockEntrance to also manipulate state?
-
- if (ProcessBlockEntrance(Blk, Pred, WList->getBlockCounter()))
- generateNode(BlockEntrance(Blk, Pred->getLocationContext()),
- Pred->State, Pred);
- else {
- blocksAborted.push_back(std::make_pair(L, Pred));
- }
-}
-
-void CoreEngine::HandleBlockEntrance(const BlockEntrance& L,
- ExplodedNode* Pred) {
-
- // Increment the block counter.
- BlockCounter Counter = WList->getBlockCounter();
- Counter = BCounterFactory.IncrementCount(Counter,
- Pred->getLocationContext()->getCurrentStackFrame(),
- L.getBlock()->getBlockID());
- WList->setBlockCounter(Counter);
-
- // Process the entrance of the block.
- if (CFGElement E = L.getFirstElement()) {
- StmtNodeBuilder Builder(L.getBlock(), 0, Pred, this,
- SubEng.getStateManager());
- ProcessElement(E, Builder);
- }
- else
- HandleBlockExit(L.getBlock(), Pred);
-}
-
-void CoreEngine::HandleBlockExit(const CFGBlock * B, ExplodedNode* Pred) {
-
- if (const Stmt* Term = B->getTerminator()) {
- switch (Term->getStmtClass()) {
- default:
- assert(false && "Analysis for this terminator not implemented.");
- break;
-
- case Stmt::BinaryOperatorClass: // '&&' and '||'
- HandleBranch(cast<BinaryOperator>(Term)->getLHS(), Term, B, Pred);
- return;
-
- case Stmt::ConditionalOperatorClass:
- HandleBranch(cast<ConditionalOperator>(Term)->getCond(), Term, B, Pred);
- return;
-
- // FIXME: Use constant-folding in CFG construction to simplify this
- // case.
-
- case Stmt::ChooseExprClass:
- HandleBranch(cast<ChooseExpr>(Term)->getCond(), Term, B, Pred);
- return;
-
- case Stmt::DoStmtClass:
- HandleBranch(cast<DoStmt>(Term)->getCond(), Term, B, Pred);
- return;
-
- case Stmt::ForStmtClass:
- HandleBranch(cast<ForStmt>(Term)->getCond(), Term, B, Pred);
- return;
-
- case Stmt::ContinueStmtClass:
- case Stmt::BreakStmtClass:
- case Stmt::GotoStmtClass:
- break;
-
- case Stmt::IfStmtClass:
- HandleBranch(cast<IfStmt>(Term)->getCond(), Term, B, Pred);
- return;
-
- case Stmt::IndirectGotoStmtClass: {
- // Only 1 successor: the indirect goto dispatch block.
- assert (B->succ_size() == 1);
-
- IndirectGotoNodeBuilder
- builder(Pred, B, cast<IndirectGotoStmt>(Term)->getTarget(),
- *(B->succ_begin()), this);
-
- ProcessIndirectGoto(builder);
- return;
- }
-
- case Stmt::ObjCForCollectionStmtClass: {
- // In the case of ObjCForCollectionStmt, it appears twice in a CFG:
- //
- // (1) inside a basic block, which represents the binding of the
- // 'element' variable to a value.
- // (2) in a terminator, which represents the branch.
- //
- // For (1), subengines will bind a value (i.e., 0 or 1) indicating
- // whether or not collection contains any more elements. We cannot
- // just test to see if the element is nil because a container can
- // contain nil elements.
- HandleBranch(Term, Term, B, Pred);
- return;
- }
-
- case Stmt::SwitchStmtClass: {
- SwitchNodeBuilder builder(Pred, B, cast<SwitchStmt>(Term)->getCond(),
- this);
-
- ProcessSwitch(builder);
- return;
- }
-
- case Stmt::WhileStmtClass:
- HandleBranch(cast<WhileStmt>(Term)->getCond(), Term, B, Pred);
- return;
- }
- }
-
- assert (B->succ_size() == 1 &&
- "Blocks with no terminator should have at most 1 successor.");
-
- generateNode(BlockEdge(B, *(B->succ_begin()), Pred->getLocationContext()),
- Pred->State, Pred);
-}
-
-void CoreEngine::HandleBranch(const Stmt* Cond, const Stmt* Term,
- const CFGBlock * B, ExplodedNode* Pred) {
- assert (B->succ_size() == 2);
-
- BranchNodeBuilder Builder(B, *(B->succ_begin()), *(B->succ_begin()+1),
- Pred, this);
-
- ProcessBranch(Cond, Term, Builder);
-}
-
-void CoreEngine::HandlePostStmt(const CFGBlock* B, unsigned StmtIdx,
- ExplodedNode* Pred) {
- assert (!B->empty());
-
- if (StmtIdx == B->size())
- HandleBlockExit(B, Pred);
- else {
- StmtNodeBuilder Builder(B, StmtIdx, Pred, this,
- SubEng.getStateManager());
- ProcessElement((*B)[StmtIdx], Builder);
- }
-}
-
-/// generateNode - Utility method to generate nodes, hook up successors,
-/// and add nodes to the worklist.
-void CoreEngine::generateNode(const ProgramPoint& Loc,
- const GRState* State, ExplodedNode* Pred) {
-
- bool IsNew;
- ExplodedNode* Node = G->getNode(Loc, State, &IsNew);
-
- if (Pred)
- Node->addPredecessor(Pred, *G); // Link 'Node' with its predecessor.
- else {
- assert (IsNew);
- G->addRoot(Node); // 'Node' has no predecessor. Make it a root.
- }
-
- // Only add 'Node' to the worklist if it was freshly generated.
- if (IsNew) WList->Enqueue(Node);
-}
-
-StmtNodeBuilder::StmtNodeBuilder(const CFGBlock* b, unsigned idx,
- ExplodedNode* N, CoreEngine* e,
- GRStateManager &mgr)
- : Eng(*e), B(*b), Idx(idx), Pred(N), Mgr(mgr),
- PurgingDeadSymbols(false), BuildSinks(false), HasGeneratedNode(false),
- PointKind(ProgramPoint::PostStmtKind), Tag(0) {
- Deferred.insert(N);
- CleanedState = Pred->getState();
-}
-
-StmtNodeBuilder::~StmtNodeBuilder() {
- for (DeferredTy::iterator I=Deferred.begin(), E=Deferred.end(); I!=E; ++I)
- if (!(*I)->isSink())
- GenerateAutoTransition(*I);
-}
-
-void StmtNodeBuilder::GenerateAutoTransition(ExplodedNode* N) {
- assert (!N->isSink());
-
- // Check if this node entered a callee.
- if (isa<CallEnter>(N->getLocation())) {
- // Still use the index of the CallExpr. It's needed to create the callee
- // StackFrameContext.
- Eng.WList->Enqueue(N, &B, Idx);
- return;
- }
-
- // Do not create extra nodes. Move to the next CFG element.
- if (isa<PostInitializer>(N->getLocation())) {
- Eng.WList->Enqueue(N, &B, Idx+1);
- return;
- }
-
- PostStmt Loc(getStmt(), N->getLocationContext());
-
- if (Loc == N->getLocation()) {
- // Note: 'N' should be a fresh node because otherwise it shouldn't be
- // a member of Deferred.
- Eng.WList->Enqueue(N, &B, Idx+1);
- return;
- }
-
- bool IsNew;
- ExplodedNode* Succ = Eng.G->getNode(Loc, N->State, &IsNew);
- Succ->addPredecessor(N, *Eng.G);
-
- if (IsNew)
- Eng.WList->Enqueue(Succ, &B, Idx+1);
-}
-
-ExplodedNode* StmtNodeBuilder::MakeNode(ExplodedNodeSet& Dst, const Stmt* S,
- ExplodedNode* Pred, const GRState* St,
- ProgramPoint::Kind K) {
-
- ExplodedNode* N = generateNode(S, St, Pred, K);
-
- if (N) {
- if (BuildSinks)
- N->markAsSink();
- else
- Dst.Add(N);
- }
-
- return N;
-}
-
-static ProgramPoint GetProgramPoint(const Stmt *S, ProgramPoint::Kind K,
- const LocationContext *LC, const void *tag){
- switch (K) {
- default:
- assert(false && "Unhandled ProgramPoint kind");
- case ProgramPoint::PreStmtKind:
- return PreStmt(S, LC, tag);
- case ProgramPoint::PostStmtKind:
- return PostStmt(S, LC, tag);
- case ProgramPoint::PreLoadKind:
- return PreLoad(S, LC, tag);
- case ProgramPoint::PostLoadKind:
- return PostLoad(S, LC, tag);
- case ProgramPoint::PreStoreKind:
- return PreStore(S, LC, tag);
- case ProgramPoint::PostStoreKind:
- return PostStore(S, LC, tag);
- case ProgramPoint::PostLValueKind:
- return PostLValue(S, LC, tag);
- case ProgramPoint::PostPurgeDeadSymbolsKind:
- return PostPurgeDeadSymbols(S, LC, tag);
- }
-}
-
-ExplodedNode*
-StmtNodeBuilder::generateNodeInternal(const Stmt* S, const GRState* state,
- ExplodedNode* Pred,
- ProgramPoint::Kind K,
- const void *tag) {
-
- const ProgramPoint &L = GetProgramPoint(S, K, Pred->getLocationContext(),tag);
- return generateNodeInternal(L, state, Pred);
-}
-
-ExplodedNode*
-StmtNodeBuilder::generateNodeInternal(const ProgramPoint &Loc,
- const GRState* State,
- ExplodedNode* Pred) {
- bool IsNew;
- ExplodedNode* N = Eng.G->getNode(Loc, State, &IsNew);
- N->addPredecessor(Pred, *Eng.G);
- Deferred.erase(Pred);
-
- if (IsNew) {
- Deferred.insert(N);
- return N;
- }
-
- return NULL;
-}
-
-ExplodedNode* BranchNodeBuilder::generateNode(const GRState* State,
- bool branch) {
-
- // If the branch has been marked infeasible we should not generate a node.
- if (!isFeasible(branch))
- return NULL;
-
- bool IsNew;
-
- ExplodedNode* Succ =
- Eng.G->getNode(BlockEdge(Src,branch ? DstT:DstF,Pred->getLocationContext()),
- State, &IsNew);
-
- Succ->addPredecessor(Pred, *Eng.G);
-
- if (branch)
- GeneratedTrue = true;
- else
- GeneratedFalse = true;
-
- if (IsNew) {
- Deferred.push_back(Succ);
- return Succ;
- }
-
- return NULL;
-}
-
-BranchNodeBuilder::~BranchNodeBuilder() {
- if (!GeneratedTrue) generateNode(Pred->State, true);
- if (!GeneratedFalse) generateNode(Pred->State, false);
-
- for (DeferredTy::iterator I=Deferred.begin(), E=Deferred.end(); I!=E; ++I)
- if (!(*I)->isSink()) Eng.WList->Enqueue(*I);
-}
-
-
-ExplodedNode*
-IndirectGotoNodeBuilder::generateNode(const iterator& I, const GRState* St,
- bool isSink) {
- bool IsNew;
-
- ExplodedNode* Succ = Eng.G->getNode(BlockEdge(Src, I.getBlock(),
- Pred->getLocationContext()), St, &IsNew);
-
- Succ->addPredecessor(Pred, *Eng.G);
-
- if (IsNew) {
-
- if (isSink)
- Succ->markAsSink();
- else
- Eng.WList->Enqueue(Succ);
-
- return Succ;
- }
-
- return NULL;
-}
-
-
-ExplodedNode*
-SwitchNodeBuilder::generateCaseStmtNode(const iterator& I, const GRState* St){
-
- bool IsNew;
-
- ExplodedNode* Succ = Eng.G->getNode(BlockEdge(Src, I.getBlock(),
- Pred->getLocationContext()), St, &IsNew);
- Succ->addPredecessor(Pred, *Eng.G);
-
- if (IsNew) {
- Eng.WList->Enqueue(Succ);
- return Succ;
- }
-
- return NULL;
-}
-
-
-ExplodedNode*
-SwitchNodeBuilder::generateDefaultCaseNode(const GRState* St, bool isSink) {
-
- // Get the block for the default case.
- assert (Src->succ_rbegin() != Src->succ_rend());
- CFGBlock* DefaultBlock = *Src->succ_rbegin();
-
- bool IsNew;
-
- ExplodedNode* Succ = Eng.G->getNode(BlockEdge(Src, DefaultBlock,
- Pred->getLocationContext()), St, &IsNew);
- Succ->addPredecessor(Pred, *Eng.G);
-
- if (IsNew) {
- if (isSink)
- Succ->markAsSink();
- else
- Eng.WList->Enqueue(Succ);
-
- return Succ;
- }
-
- return NULL;
-}
-
-EndPathNodeBuilder::~EndPathNodeBuilder() {
- // Auto-generate an EOP node if one has not been generated.
- if (!HasGeneratedNode) {
- // If we are in an inlined call, generate CallExit node.
- if (Pred->getLocationContext()->getParent())
- GenerateCallExitNode(Pred->State);
- else
- generateNode(Pred->State);
- }
-}
-
-ExplodedNode*
-EndPathNodeBuilder::generateNode(const GRState* State, const void *tag,
- ExplodedNode* P) {
- HasGeneratedNode = true;
- bool IsNew;
-
- ExplodedNode* Node = Eng.G->getNode(BlockEntrance(&B,
- Pred->getLocationContext(), tag), State, &IsNew);
-
- Node->addPredecessor(P ? P : Pred, *Eng.G);
-
- if (IsNew) {
- Eng.G->addEndOfPath(Node);
- return Node;
- }
-
- return NULL;
-}
-
-void EndPathNodeBuilder::GenerateCallExitNode(const GRState *state) {
- HasGeneratedNode = true;
- // Create a CallExit node and enqueue it.
- const StackFrameContext *LocCtx
- = cast<StackFrameContext>(Pred->getLocationContext());
- const Stmt *CE = LocCtx->getCallSite();
-
- // Use the the callee location context.
- CallExit Loc(CE, LocCtx);
-
- bool isNew;
- ExplodedNode *Node = Eng.G->getNode(Loc, state, &isNew);
- Node->addPredecessor(Pred, *Eng.G);
-
- if (isNew)
- Eng.WList->Enqueue(Node);
-}
-
-
-void CallEnterNodeBuilder::generateNode(const GRState *state) {
- // Check if the callee is in the same translation unit.
- if (CalleeCtx->getTranslationUnit() !=
- Pred->getLocationContext()->getTranslationUnit()) {
- // Create a new engine. We must be careful that the new engine should not
- // reference data structures owned by the old engine.
-
- AnalysisManager &OldMgr = Eng.SubEng.getAnalysisManager();
-
- // Get the callee's translation unit.
- idx::TranslationUnit *TU = CalleeCtx->getTranslationUnit();
-
- // Create a new AnalysisManager with components of the callee's
- // TranslationUnit.
- // The Diagnostic is actually shared when we create ASTUnits from AST files.
- AnalysisManager AMgr(TU->getASTContext(), TU->getDiagnostic(),
- OldMgr.getLangOptions(),
- OldMgr.getPathDiagnosticClient(),
- OldMgr.getStoreManagerCreator(),
- OldMgr.getConstraintManagerCreator(),
- OldMgr.getIndexer(),
- OldMgr.getMaxNodes(), OldMgr.getMaxVisit(),
- OldMgr.shouldVisualizeGraphviz(),
- OldMgr.shouldVisualizeUbigraph(),
- OldMgr.shouldPurgeDead(),
- OldMgr.shouldEagerlyAssume(),
- OldMgr.shouldTrimGraph(),
- OldMgr.shouldInlineCall(),
- OldMgr.getAnalysisContextManager().getUseUnoptimizedCFG(),
- OldMgr.getAnalysisContextManager().getAddImplicitDtors(),
- OldMgr.getAnalysisContextManager().getAddInitializers());
- llvm::OwningPtr<TransferFuncs> TF(MakeCFRefCountTF(AMgr.getASTContext(),
- /* GCEnabled */ false,
- AMgr.getLangOptions()));
- // Create the new engine.
- ExprEngine NewEng(AMgr, TF.take());
-
- // Create the new LocationContext.
- AnalysisContext *NewAnaCtx = AMgr.getAnalysisContext(CalleeCtx->getDecl(),
- CalleeCtx->getTranslationUnit());
- const StackFrameContext *OldLocCtx = CalleeCtx;
- const StackFrameContext *NewLocCtx = AMgr.getStackFrame(NewAnaCtx,
- OldLocCtx->getParent(),
- OldLocCtx->getCallSite(),
- OldLocCtx->getCallSiteBlock(),
- OldLocCtx->getIndex());
-
- // Now create an initial state for the new engine.
- const GRState *NewState = NewEng.getStateManager().MarshalState(state,
- NewLocCtx);
- ExplodedNodeSet ReturnNodes;
- NewEng.ExecuteWorkListWithInitialState(NewLocCtx, AMgr.getMaxNodes(),
- NewState, ReturnNodes);
- return;
- }
-
- // Get the callee entry block.
- const CFGBlock *Entry = &(CalleeCtx->getCFG()->getEntry());
- assert(Entry->empty());
- assert(Entry->succ_size() == 1);
-
- // Get the solitary successor.
- const CFGBlock *SuccB = *(Entry->succ_begin());
-
- // Construct an edge representing the starting location in the callee.
- BlockEdge Loc(Entry, SuccB, CalleeCtx);
-
- bool isNew;
- ExplodedNode *Node = Eng.G->getNode(Loc, state, &isNew);
- Node->addPredecessor(const_cast<ExplodedNode*>(Pred), *Eng.G);
-
- if (isNew)
- Eng.WList->Enqueue(Node);
-}
-
-void CallExitNodeBuilder::generateNode(const GRState *state) {
- // Get the callee's location context.
- const StackFrameContext *LocCtx
- = cast<StackFrameContext>(Pred->getLocationContext());
- // When exiting an implicit automatic obj dtor call, the callsite is the Stmt
- // that triggers the dtor.
- PostStmt Loc(LocCtx->getCallSite(), LocCtx->getParent());
- bool isNew;
- ExplodedNode *Node = Eng.G->getNode(Loc, state, &isNew);
- Node->addPredecessor(const_cast<ExplodedNode*>(Pred), *Eng.G);
- if (isNew)
- Eng.WList->Enqueue(Node, LocCtx->getCallSiteBlock(),
- LocCtx->getIndex() + 1);
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/Environment.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/Environment.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/Environment.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/Environment.cpp (removed)
@@ -1,236 +0,0 @@
-//== Environment.cpp - Map from Stmt* to Locations/Values -------*- C++ -*--==//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defined the Environment and EnvironmentManager classes.
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/Analysis/AnalysisContext.h"
-#include "clang/Analysis/CFG.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
-
-using namespace clang;
-using namespace ento;
-
-SVal Environment::lookupExpr(const Stmt* E) const {
- const SVal* X = ExprBindings.lookup(E);
- if (X) {
- SVal V = *X;
- return V;
- }
- return UnknownVal();
-}
-
-SVal Environment::getSVal(const Stmt *E, SValBuilder& svalBuilder) const {
- for (;;) {
- switch (E->getStmtClass()) {
- case Stmt::AddrLabelExprClass:
- return svalBuilder.makeLoc(cast<AddrLabelExpr>(E));
- case Stmt::ParenExprClass:
- // ParenExprs are no-ops.
- E = cast<ParenExpr>(E)->getSubExpr();
- continue;
- case Stmt::CharacterLiteralClass: {
- const CharacterLiteral* C = cast<CharacterLiteral>(E);
- return svalBuilder.makeIntVal(C->getValue(), C->getType());
- }
- case Stmt::CXXBoolLiteralExprClass: {
- const SVal *X = ExprBindings.lookup(E);
- if (X)
- return *X;
- else
- return svalBuilder.makeIntVal(cast<CXXBoolLiteralExpr>(E));
- }
- case Stmt::IntegerLiteralClass: {
- // In C++, this expression may have been bound to a temporary object.
- SVal const *X = ExprBindings.lookup(E);
- if (X)
- return *X;
- else
- return svalBuilder.makeIntVal(cast<IntegerLiteral>(E));
- }
- case Stmt::ImplicitCastExprClass:
- case Stmt::CStyleCastExprClass: {
- // We blast through no-op casts to get the descendant
- // subexpression that has a value.
- const CastExpr* C = cast<CastExpr>(E);
- QualType CT = C->getType();
- if (CT->isVoidType())
- return UnknownVal();
- if (C->getCastKind() == CK_NoOp) {
- E = C->getSubExpr();
- continue;
- }
- break;
- }
- case Stmt::ExprWithCleanupsClass:
- E = cast<ExprWithCleanups>(E)->getSubExpr();
- continue;
- case Stmt::CXXBindTemporaryExprClass:
- E = cast<CXXBindTemporaryExpr>(E)->getSubExpr();
- continue;
- case Stmt::CXXFunctionalCastExprClass:
- E = cast<CXXFunctionalCastExpr>(E)->getSubExpr();
- continue;
- // Handle all other Stmt* using a lookup.
- default:
- break;
- };
- break;
- }
- return lookupExpr(E);
-}
-
-Environment EnvironmentManager::bindExpr(Environment Env, const Stmt *S,
- SVal V, bool Invalidate) {
- assert(S);
-
- if (V.isUnknown()) {
- if (Invalidate)
- return Environment(F.remove(Env.ExprBindings, S));
- else
- return Env;
- }
-
- return Environment(F.add(Env.ExprBindings, S, V));
-}
-
-static inline const Stmt *MakeLocation(const Stmt *S) {
- return (const Stmt*) (((uintptr_t) S) | 0x1);
-}
-
-Environment EnvironmentManager::bindExprAndLocation(Environment Env,
- const Stmt *S,
- SVal location, SVal V) {
- return Environment(F.add(F.add(Env.ExprBindings, MakeLocation(S), location),
- S, V));
-}
-
-namespace {
-class MarkLiveCallback : public SymbolVisitor {
- SymbolReaper &SymReaper;
-public:
- MarkLiveCallback(SymbolReaper &symreaper) : SymReaper(symreaper) {}
- bool VisitSymbol(SymbolRef sym) { SymReaper.markLive(sym); return true; }
-};
-} // end anonymous namespace
-
-static bool isBlockExprInCallers(const Stmt *E, const LocationContext *LC) {
- const LocationContext *ParentLC = LC->getParent();
- while (ParentLC) {
- CFG &C = *ParentLC->getCFG();
- if (C.isBlkExpr(E))
- return true;
- ParentLC = ParentLC->getParent();
- }
-
- return false;
-}
-
-// In addition to mapping from Stmt * - > SVals in the Environment, we also
-// maintain a mapping from Stmt * -> SVals (locations) that were used during
-// a load and store.
-static inline bool IsLocation(const Stmt *S) {
- return (bool) (((uintptr_t) S) & 0x1);
-}
-
-// RemoveDeadBindings:
-// - Remove subexpression bindings.
-// - Remove dead block expression bindings.
-// - Keep live block expression bindings:
-// - Mark their reachable symbols live in SymbolReaper,
-// see ScanReachableSymbols.
-// - Mark the region in DRoots if the binding is a loc::MemRegionVal.
-Environment
-EnvironmentManager::RemoveDeadBindings(Environment Env,
- SymbolReaper &SymReaper,
- const GRState *ST,
- llvm::SmallVectorImpl<const MemRegion*> &DRoots) {
-
- CFG &C = *SymReaper.getLocationContext()->getCFG();
-
- // We construct a new Environment object entirely, as this is cheaper than
- // individually removing all the subexpression bindings (which will greatly
- // outnumber block-level expression bindings).
- Environment NewEnv = getInitialEnvironment();
-
- llvm::SmallVector<std::pair<const Stmt*, SVal>, 10> deferredLocations;
-
- // Iterate over the block-expr bindings.
- for (Environment::iterator I = Env.begin(), E = Env.end();
- I != E; ++I) {
-
- const Stmt *BlkExpr = I.getKey();
-
- // For recorded locations (used when evaluating loads and stores), we
- // consider them live only when their associated normal expression is
- // also live.
- // NOTE: This assumes that loads/stores that evaluated to UnknownVal
- // still have an entry in the map.
- if (IsLocation(BlkExpr)) {
- deferredLocations.push_back(std::make_pair(BlkExpr, I.getData()));
- continue;
- }
-
- const SVal &X = I.getData();
-
- // Block-level expressions in callers are assumed always live.
- if (isBlockExprInCallers(BlkExpr, SymReaper.getLocationContext())) {
- NewEnv.ExprBindings = F.add(NewEnv.ExprBindings, BlkExpr, X);
-
- if (isa<loc::MemRegionVal>(X)) {
- const MemRegion* R = cast<loc::MemRegionVal>(X).getRegion();
- DRoots.push_back(R);
- }
-
- // Mark all symbols in the block expr's value live.
- MarkLiveCallback cb(SymReaper);
- ST->scanReachableSymbols(X, cb);
- continue;
- }
-
- // Not a block-level expression?
- if (!C.isBlkExpr(BlkExpr))
- continue;
-
- if (SymReaper.isLive(BlkExpr)) {
- // Copy the binding to the new map.
- NewEnv.ExprBindings = F.add(NewEnv.ExprBindings, BlkExpr, X);
-
- // If the block expr's value is a memory region, then mark that region.
- if (isa<loc::MemRegionVal>(X)) {
- const MemRegion* R = cast<loc::MemRegionVal>(X).getRegion();
- DRoots.push_back(R);
- }
-
- // Mark all symbols in the block expr's value live.
- MarkLiveCallback cb(SymReaper);
- ST->scanReachableSymbols(X, cb);
- continue;
- }
-
- // Otherwise the expression is dead with a couple exceptions.
- // Do not misclean LogicalExpr or ConditionalOperator. It is dead at the
- // beginning of itself, but we need its UndefinedVal to determine its
- // SVal.
- if (X.isUndef() && cast<UndefinedVal>(X).getData())
- NewEnv.ExprBindings = F.add(NewEnv.ExprBindings, BlkExpr, X);
- }
-
- // Go through he deferred locations and add them to the new environment if
- // the correspond Stmt* is in the map as well.
- for (llvm::SmallVectorImpl<std::pair<const Stmt*, SVal> >::iterator
- I = deferredLocations.begin(), E = deferredLocations.end(); I != E; ++I) {
- const Stmt *S = (Stmt*) (((uintptr_t) I->first) & (uintptr_t) ~0x1);
- if (NewEnv.ExprBindings.lookup(S))
- NewEnv.ExprBindings = F.add(NewEnv.ExprBindings, I->first, I->second);
- }
-
- return NewEnv;
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/ExplodedGraph.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/ExplodedGraph.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/ExplodedGraph.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/ExplodedGraph.cpp (removed)
@@ -1,282 +0,0 @@
-//=-- ExplodedGraph.cpp - Local, Path-Sens. "Exploded Graph" -*- C++ -*------=//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines the template classes ExplodedNode and ExplodedGraph,
-// which represent a path-sensitive, intra-procedural "exploded graph."
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/StaticAnalyzer/PathSensitive/ExplodedGraph.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
-#include "clang/AST/Stmt.h"
-#include "llvm/ADT/DenseSet.h"
-#include "llvm/ADT/DenseMap.h"
-#include "llvm/ADT/SmallVector.h"
-#include <vector>
-
-using namespace clang;
-using namespace ento;
-
-//===----------------------------------------------------------------------===//
-// Node auditing.
-//===----------------------------------------------------------------------===//
-
-// An out of line virtual method to provide a home for the class vtable.
-ExplodedNode::Auditor::~Auditor() {}
-
-#ifndef NDEBUG
-static ExplodedNode::Auditor* NodeAuditor = 0;
-#endif
-
-void ExplodedNode::SetAuditor(ExplodedNode::Auditor* A) {
-#ifndef NDEBUG
- NodeAuditor = A;
-#endif
-}
-
-//===----------------------------------------------------------------------===//
-// ExplodedNode.
-//===----------------------------------------------------------------------===//
-
-static inline BumpVector<ExplodedNode*>& getVector(void* P) {
- return *reinterpret_cast<BumpVector<ExplodedNode*>*>(P);
-}
-
-void ExplodedNode::addPredecessor(ExplodedNode* V, ExplodedGraph &G) {
- assert (!V->isSink());
- Preds.addNode(V, G);
- V->Succs.addNode(this, G);
-#ifndef NDEBUG
- if (NodeAuditor) NodeAuditor->AddEdge(V, this);
-#endif
-}
-
-void ExplodedNode::NodeGroup::addNode(ExplodedNode* N, ExplodedGraph &G) {
- assert((reinterpret_cast<uintptr_t>(N) & Mask) == 0x0);
- assert(!getFlag());
-
- if (getKind() == Size1) {
- if (ExplodedNode* NOld = getNode()) {
- BumpVectorContext &Ctx = G.getNodeAllocator();
- BumpVector<ExplodedNode*> *V =
- G.getAllocator().Allocate<BumpVector<ExplodedNode*> >();
- new (V) BumpVector<ExplodedNode*>(Ctx, 4);
-
- assert((reinterpret_cast<uintptr_t>(V) & Mask) == 0x0);
- V->push_back(NOld, Ctx);
- V->push_back(N, Ctx);
- P = reinterpret_cast<uintptr_t>(V) | SizeOther;
- assert(getPtr() == (void*) V);
- assert(getKind() == SizeOther);
- }
- else {
- P = reinterpret_cast<uintptr_t>(N);
- assert(getKind() == Size1);
- }
- }
- else {
- assert(getKind() == SizeOther);
- getVector(getPtr()).push_back(N, G.getNodeAllocator());
- }
-}
-
-unsigned ExplodedNode::NodeGroup::size() const {
- if (getFlag())
- return 0;
-
- if (getKind() == Size1)
- return getNode() ? 1 : 0;
- else
- return getVector(getPtr()).size();
-}
-
-ExplodedNode **ExplodedNode::NodeGroup::begin() const {
- if (getFlag())
- return NULL;
-
- if (getKind() == Size1)
- return (ExplodedNode**) (getPtr() ? &P : NULL);
- else
- return const_cast<ExplodedNode**>(&*(getVector(getPtr()).begin()));
-}
-
-ExplodedNode** ExplodedNode::NodeGroup::end() const {
- if (getFlag())
- return NULL;
-
- if (getKind() == Size1)
- return (ExplodedNode**) (getPtr() ? &P+1 : NULL);
- else {
- // Dereferencing end() is undefined behaviour. The vector is not empty, so
- // we can dereference the last elem and then add 1 to the result.
- return const_cast<ExplodedNode**>(getVector(getPtr()).end());
- }
-}
-
-ExplodedNode *ExplodedGraph::getNode(const ProgramPoint& L,
- const GRState* State, bool* IsNew) {
- // Profile 'State' to determine if we already have an existing node.
- llvm::FoldingSetNodeID profile;
- void* InsertPos = 0;
-
- NodeTy::Profile(profile, L, State);
- NodeTy* V = Nodes.FindNodeOrInsertPos(profile, InsertPos);
-
- if (!V) {
- // Allocate a new node.
- V = (NodeTy*) getAllocator().Allocate<NodeTy>();
- new (V) NodeTy(L, State);
-
- // Insert the node into the node set and return it.
- Nodes.InsertNode(V, InsertPos);
-
- ++NumNodes;
-
- if (IsNew) *IsNew = true;
- }
- else
- if (IsNew) *IsNew = false;
-
- return V;
-}
-
-std::pair<ExplodedGraph*, InterExplodedGraphMap*>
-ExplodedGraph::Trim(const NodeTy* const* NBeg, const NodeTy* const* NEnd,
- llvm::DenseMap<const void*, const void*> *InverseMap) const {
-
- if (NBeg == NEnd)
- return std::make_pair((ExplodedGraph*) 0,
- (InterExplodedGraphMap*) 0);
-
- assert (NBeg < NEnd);
-
- llvm::OwningPtr<InterExplodedGraphMap> M(new InterExplodedGraphMap());
-
- ExplodedGraph* G = TrimInternal(NBeg, NEnd, M.get(), InverseMap);
-
- return std::make_pair(static_cast<ExplodedGraph*>(G), M.take());
-}
-
-ExplodedGraph*
-ExplodedGraph::TrimInternal(const ExplodedNode* const* BeginSources,
- const ExplodedNode* const* EndSources,
- InterExplodedGraphMap* M,
- llvm::DenseMap<const void*, const void*> *InverseMap) const {
-
- typedef llvm::DenseSet<const ExplodedNode*> Pass1Ty;
- Pass1Ty Pass1;
-
- typedef llvm::DenseMap<const ExplodedNode*, ExplodedNode*> Pass2Ty;
- Pass2Ty& Pass2 = M->M;
-
- llvm::SmallVector<const ExplodedNode*, 10> WL1, WL2;
-
- // ===- Pass 1 (reverse DFS) -===
- for (const ExplodedNode* const* I = BeginSources; I != EndSources; ++I) {
- assert(*I);
- WL1.push_back(*I);
- }
-
- // Process the first worklist until it is empty. Because it is a std::list
- // it acts like a FIFO queue.
- while (!WL1.empty()) {
- const ExplodedNode *N = WL1.back();
- WL1.pop_back();
-
- // Have we already visited this node? If so, continue to the next one.
- if (Pass1.count(N))
- continue;
-
- // Otherwise, mark this node as visited.
- Pass1.insert(N);
-
- // If this is a root enqueue it to the second worklist.
- if (N->Preds.empty()) {
- WL2.push_back(N);
- continue;
- }
-
- // Visit our predecessors and enqueue them.
- for (ExplodedNode** I=N->Preds.begin(), **E=N->Preds.end(); I!=E; ++I)
- WL1.push_back(*I);
- }
-
- // We didn't hit a root? Return with a null pointer for the new graph.
- if (WL2.empty())
- return 0;
-
- // Create an empty graph.
- ExplodedGraph* G = MakeEmptyGraph();
-
- // ===- Pass 2 (forward DFS to construct the new graph) -===
- while (!WL2.empty()) {
- const ExplodedNode* N = WL2.back();
- WL2.pop_back();
-
- // Skip this node if we have already processed it.
- if (Pass2.find(N) != Pass2.end())
- continue;
-
- // Create the corresponding node in the new graph and record the mapping
- // from the old node to the new node.
- ExplodedNode* NewN = G->getNode(N->getLocation(), N->State, NULL);
- Pass2[N] = NewN;
-
- // Also record the reverse mapping from the new node to the old node.
- if (InverseMap) (*InverseMap)[NewN] = N;
-
- // If this node is a root, designate it as such in the graph.
- if (N->Preds.empty())
- G->addRoot(NewN);
-
- // In the case that some of the intended predecessors of NewN have already
- // been created, we should hook them up as predecessors.
-
- // Walk through the predecessors of 'N' and hook up their corresponding
- // nodes in the new graph (if any) to the freshly created node.
- for (ExplodedNode **I=N->Preds.begin(), **E=N->Preds.end(); I!=E; ++I) {
- Pass2Ty::iterator PI = Pass2.find(*I);
- if (PI == Pass2.end())
- continue;
-
- NewN->addPredecessor(PI->second, *G);
- }
-
- // In the case that some of the intended successors of NewN have already
- // been created, we should hook them up as successors. Otherwise, enqueue
- // the new nodes from the original graph that should have nodes created
- // in the new graph.
- for (ExplodedNode **I=N->Succs.begin(), **E=N->Succs.end(); I!=E; ++I) {
- Pass2Ty::iterator PI = Pass2.find(*I);
- if (PI != Pass2.end()) {
- PI->second->addPredecessor(NewN, *G);
- continue;
- }
-
- // Enqueue nodes to the worklist that were marked during pass 1.
- if (Pass1.count(*I))
- WL2.push_back(*I);
- }
-
- // Finally, explictly mark all nodes without any successors as sinks.
- if (N->isSink())
- NewN->markAsSink();
- }
-
- return G;
-}
-
-ExplodedNode*
-InterExplodedGraphMap::getMappedNode(const ExplodedNode* N) const {
- llvm::DenseMap<const ExplodedNode*, ExplodedNode*>::const_iterator I =
- M.find(N);
-
- return I == M.end() ? 0 : I->second;
-}
-
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/FlatStore.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/FlatStore.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/FlatStore.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/FlatStore.cpp (removed)
@@ -1,203 +0,0 @@
-//=== FlatStore.cpp - Flat region-based store model -------------*- C++ -*-===//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
-#include "llvm/ADT/ImmutableIntervalMap.h"
-#include "llvm/Support/ErrorHandling.h"
-
-using namespace clang;
-using namespace ento;
-using llvm::Interval;
-
-// The actual store type.
-typedef llvm::ImmutableIntervalMap<SVal> BindingVal;
-typedef llvm::ImmutableMap<const MemRegion *, BindingVal> RegionBindings;
-
-namespace {
-class FlatStoreManager : public StoreManager {
- RegionBindings::Factory RBFactory;
- BindingVal::Factory BVFactory;
-
-public:
- FlatStoreManager(GRStateManager &mgr)
- : StoreManager(mgr),
- RBFactory(mgr.getAllocator()),
- BVFactory(mgr.getAllocator()) {}
-
- SVal Retrieve(Store store, Loc L, QualType T);
- Store Bind(Store store, Loc L, SVal val);
- Store Remove(Store St, Loc L);
- Store BindCompoundLiteral(Store store, const CompoundLiteralExpr* cl,
- const LocationContext *LC, SVal v);
-
- Store getInitialStore(const LocationContext *InitLoc) {
- return RBFactory.getEmptyMap().getRoot();
- }
-
- SubRegionMap *getSubRegionMap(Store store) {
- return 0;
- }
-
- SVal ArrayToPointer(Loc Array);
- Store RemoveDeadBindings(Store store, const StackFrameContext *LCtx,
- SymbolReaper& SymReaper,
- llvm::SmallVectorImpl<const MemRegion*>& RegionRoots){
- return store;
- }
-
- Store BindDecl(Store store, const VarRegion *VR, SVal initVal);
-
- Store BindDeclWithNoInit(Store store, const VarRegion *VR);
-
- typedef llvm::DenseSet<SymbolRef> InvalidatedSymbols;
-
- Store InvalidateRegions(Store store, const MemRegion * const *I,
- const MemRegion * const *E, const Expr *Ex,
- unsigned Count, InvalidatedSymbols *IS,
- bool invalidateGlobals, InvalidatedRegions *Regions);
-
- void print(Store store, llvm::raw_ostream& Out, const char* nl,
- const char *sep);
- void iterBindings(Store store, BindingsHandler& f);
-
-private:
- static RegionBindings getRegionBindings(Store store) {
- return RegionBindings(static_cast<const RegionBindings::TreeTy*>(store));
- }
-
- class RegionInterval {
- public:
- const MemRegion *R;
- Interval I;
- RegionInterval(const MemRegion *r, int64_t s, int64_t e) : R(r), I(s, e){}
- };
-
- RegionInterval RegionToInterval(const MemRegion *R);
-
- SVal RetrieveRegionWithNoBinding(const MemRegion *R, QualType T);
-};
-} // end anonymous namespace
-
-StoreManager *ento::CreateFlatStoreManager(GRStateManager &StMgr) {
- return new FlatStoreManager(StMgr);
-}
-
-SVal FlatStoreManager::Retrieve(Store store, Loc L, QualType T) {
- const MemRegion *R = cast<loc::MemRegionVal>(L).getRegion();
- RegionInterval RI = RegionToInterval(R);
- // FIXME: FlatStore should handle regions with unknown intervals.
- if (!RI.R)
- return UnknownVal();
-
- RegionBindings B = getRegionBindings(store);
- const BindingVal *BV = B.lookup(RI.R);
- if (BV) {
- const SVal *V = BVFactory.lookup(*BV, RI.I);
- if (V)
- return *V;
- else
- return RetrieveRegionWithNoBinding(R, T);
- }
- return RetrieveRegionWithNoBinding(R, T);
-}
-
-SVal FlatStoreManager::RetrieveRegionWithNoBinding(const MemRegion *R,
- QualType T) {
- if (R->hasStackNonParametersStorage())
- return UndefinedVal();
- else
- return svalBuilder.getRegionValueSymbolVal(cast<TypedRegion>(R));
-}
-
-Store FlatStoreManager::Bind(Store store, Loc L, SVal val) {
- const MemRegion *R = cast<loc::MemRegionVal>(L).getRegion();
- RegionBindings B = getRegionBindings(store);
- const BindingVal *V = B.lookup(R);
-
- BindingVal BV = BVFactory.getEmptyMap();
- if (V)
- BV = *V;
-
- RegionInterval RI = RegionToInterval(R);
- // FIXME: FlatStore should handle regions with unknown intervals.
- if (!RI.R)
- return B.getRoot();
- BV = BVFactory.add(BV, RI.I, val);
- B = RBFactory.add(B, RI.R, BV);
- return B.getRoot();
-}
-
-Store FlatStoreManager::Remove(Store store, Loc L) {
- return store;
-}
-
-Store FlatStoreManager::BindCompoundLiteral(Store store,
- const CompoundLiteralExpr* cl,
- const LocationContext *LC,
- SVal v) {
- return store;
-}
-
-SVal FlatStoreManager::ArrayToPointer(Loc Array) {
- return Array;
-}
-
-Store FlatStoreManager::BindDecl(Store store, const VarRegion *VR,
- SVal initVal) {
- return Bind(store, svalBuilder.makeLoc(VR), initVal);
-}
-
-Store FlatStoreManager::BindDeclWithNoInit(Store store, const VarRegion *VR) {
- return store;
-}
-
-Store FlatStoreManager::InvalidateRegions(Store store,
- const MemRegion * const *I,
- const MemRegion * const *E,
- const Expr *Ex, unsigned Count,
- InvalidatedSymbols *IS,
- bool invalidateGlobals,
- InvalidatedRegions *Regions) {
- assert(false && "Not implemented");
- return store;
-}
-
-void FlatStoreManager::print(Store store, llvm::raw_ostream& Out,
- const char* nl, const char *sep) {
-}
-
-void FlatStoreManager::iterBindings(Store store, BindingsHandler& f) {
-}
-
-FlatStoreManager::RegionInterval
-FlatStoreManager::RegionToInterval(const MemRegion *R) {
- switch (R->getKind()) {
- case MemRegion::VarRegionKind: {
- QualType T = cast<VarRegion>(R)->getValueType();
- int64_t Size = Ctx.getTypeSize(T);
- return RegionInterval(R, 0, Size-1);
- }
-
- case MemRegion::ElementRegionKind:
- case MemRegion::FieldRegionKind: {
- RegionOffset Offset = R->getAsOffset();
- // We cannot compute offset for all regions, for example, elements
- // with symbolic offsets.
- if (!Offset.getRegion())
- return RegionInterval(0, 0, 0);
- int64_t Start = Offset.getOffset();
- int64_t Size = Ctx.getTypeSize(cast<TypedRegion>(R)->getValueType());
- return RegionInterval(Offset.getRegion(), Start, Start+Size);
- }
-
- default:
- llvm_unreachable("Region kind unhandled.");
- return RegionInterval(0, 0, 0);
- }
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/GRState.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/GRState.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/GRState.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/GRState.cpp (removed)
@@ -1,551 +0,0 @@
-//= GRState.cpp - Path-Sensitive "State" for tracking values -----*- C++ -*--=//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file implements GRState and GRStateManager.
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/Analysis/CFG.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRStateTrait.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
-#include "clang/StaticAnalyzer/PathSensitive/SubEngine.h"
-#include "clang/StaticAnalyzer/PathSensitive/TransferFuncs.h"
-#include "llvm/Support/raw_ostream.h"
-
-using namespace clang;
-using namespace ento;
-
-// Give the vtable for ConstraintManager somewhere to live.
-// FIXME: Move this elsewhere.
-ConstraintManager::~ConstraintManager() {}
-
-GRStateManager::~GRStateManager() {
- for (std::vector<GRState::Printer*>::iterator I=Printers.begin(),
- E=Printers.end(); I!=E; ++I)
- delete *I;
-
- for (GDMContextsTy::iterator I=GDMContexts.begin(), E=GDMContexts.end();
- I!=E; ++I)
- I->second.second(I->second.first);
-}
-
-const GRState*
-GRStateManager::RemoveDeadBindings(const GRState* state,
- const StackFrameContext *LCtx,
- SymbolReaper& SymReaper) {
-
- // This code essentially performs a "mark-and-sweep" of the VariableBindings.
- // The roots are any Block-level exprs and Decls that our liveness algorithm
- // tells us are live. We then see what Decls they may reference, and keep
- // those around. This code more than likely can be made faster, and the
- // frequency of which this method is called should be experimented with
- // for optimum performance.
- llvm::SmallVector<const MemRegion*, 10> RegionRoots;
- GRState NewState = *state;
-
- NewState.Env = EnvMgr.RemoveDeadBindings(NewState.Env, SymReaper,
- state, RegionRoots);
-
- // Clean up the store.
- NewState.St = StoreMgr->RemoveDeadBindings(NewState.St, LCtx,
- SymReaper, RegionRoots);
- state = getPersistentState(NewState);
- return ConstraintMgr->RemoveDeadBindings(state, SymReaper);
-}
-
-const GRState *GRStateManager::MarshalState(const GRState *state,
- const StackFrameContext *InitLoc) {
- // make up an empty state for now.
- GRState State(this,
- EnvMgr.getInitialEnvironment(),
- StoreMgr->getInitialStore(InitLoc),
- GDMFactory.getEmptyMap());
-
- return getPersistentState(State);
-}
-
-const GRState *GRState::bindCompoundLiteral(const CompoundLiteralExpr* CL,
- const LocationContext *LC,
- SVal V) const {
- Store new_store =
- getStateManager().StoreMgr->BindCompoundLiteral(St, CL, LC, V);
- return makeWithStore(new_store);
-}
-
-const GRState *GRState::bindDecl(const VarRegion* VR, SVal IVal) const {
- Store new_store = getStateManager().StoreMgr->BindDecl(St, VR, IVal);
- return makeWithStore(new_store);
-}
-
-const GRState *GRState::bindDeclWithNoInit(const VarRegion* VR) const {
- Store new_store = getStateManager().StoreMgr->BindDeclWithNoInit(St, VR);
- return makeWithStore(new_store);
-}
-
-const GRState *GRState::bindLoc(Loc LV, SVal V) const {
- GRStateManager &Mgr = getStateManager();
- Store new_store = Mgr.StoreMgr->Bind(St, LV, V);
- const GRState *new_state = makeWithStore(new_store);
-
- const MemRegion *MR = LV.getAsRegion();
- if (MR)
- return Mgr.getOwningEngine().ProcessRegionChange(new_state, MR);
-
- return new_state;
-}
-
-const GRState *GRState::bindDefault(SVal loc, SVal V) const {
- GRStateManager &Mgr = getStateManager();
- const MemRegion *R = cast<loc::MemRegionVal>(loc).getRegion();
- Store new_store = Mgr.StoreMgr->BindDefault(St, R, V);
- const GRState *new_state = makeWithStore(new_store);
- return Mgr.getOwningEngine().ProcessRegionChange(new_state, R);
-}
-
-const GRState *GRState::InvalidateRegions(const MemRegion * const *Begin,
- const MemRegion * const *End,
- const Expr *E, unsigned Count,
- StoreManager::InvalidatedSymbols *IS,
- bool invalidateGlobals) const {
- GRStateManager &Mgr = getStateManager();
- SubEngine &Eng = Mgr.getOwningEngine();
-
- if (Eng.WantsRegionChangeUpdate(this)) {
- StoreManager::InvalidatedRegions Regions;
-
- Store new_store = Mgr.StoreMgr->InvalidateRegions(St, Begin, End,
- E, Count, IS,
- invalidateGlobals,
- &Regions);
- const GRState *new_state = makeWithStore(new_store);
-
- return Eng.ProcessRegionChanges(new_state,
- &Regions.front(),
- &Regions.back()+1);
- }
-
- Store new_store = Mgr.StoreMgr->InvalidateRegions(St, Begin, End,
- E, Count, IS,
- invalidateGlobals,
- NULL);
- return makeWithStore(new_store);
-}
-
-const GRState *GRState::unbindLoc(Loc LV) const {
- assert(!isa<loc::MemRegionVal>(LV) && "Use InvalidateRegion instead.");
-
- Store OldStore = getStore();
- Store NewStore = getStateManager().StoreMgr->Remove(OldStore, LV);
-
- if (NewStore == OldStore)
- return this;
-
- return makeWithStore(NewStore);
-}
-
-const GRState *GRState::EnterStackFrame(const StackFrameContext *frame) const {
- Store new_store = getStateManager().StoreMgr->EnterStackFrame(this, frame);
- return makeWithStore(new_store);
-}
-
-SVal GRState::getSValAsScalarOrLoc(const MemRegion *R) const {
- // We only want to do fetches from regions that we can actually bind
- // values. For example, SymbolicRegions of type 'id<...>' cannot
- // have direct bindings (but their can be bindings on their subregions).
- if (!R->isBoundable())
- return UnknownVal();
-
- if (const TypedRegion *TR = dyn_cast<TypedRegion>(R)) {
- QualType T = TR->getValueType();
- if (Loc::IsLocType(T) || T->isIntegerType())
- return getSVal(R);
- }
-
- return UnknownVal();
-}
-
-SVal GRState::getSVal(Loc location, QualType T) const {
- SVal V = getRawSVal(cast<Loc>(location), T);
-
- // If 'V' is a symbolic value that is *perfectly* constrained to
- // be a constant value, use that value instead to lessen the burden
- // on later analysis stages (so we have less symbolic values to reason
- // about).
- if (!T.isNull()) {
- if (SymbolRef sym = V.getAsSymbol()) {
- if (const llvm::APSInt *Int = getSymVal(sym)) {
- // FIXME: Because we don't correctly model (yet) sign-extension
- // and truncation of symbolic values, we need to convert
- // the integer value to the correct signedness and bitwidth.
- //
- // This shows up in the following:
- //
- // char foo();
- // unsigned x = foo();
- // if (x == 54)
- // ...
- //
- // The symbolic value stored to 'x' is actually the conjured
- // symbol for the call to foo(); the type of that symbol is 'char',
- // not unsigned.
- const llvm::APSInt &NewV = getBasicVals().Convert(T, *Int);
-
- if (isa<Loc>(V))
- return loc::ConcreteInt(NewV);
- else
- return nonloc::ConcreteInt(NewV);
- }
- }
- }
-
- return V;
-}
-
-const GRState *GRState::BindExpr(const Stmt* S, SVal V, bool Invalidate) const{
- Environment NewEnv = getStateManager().EnvMgr.bindExpr(Env, S, V,
- Invalidate);
- if (NewEnv == Env)
- return this;
-
- GRState NewSt = *this;
- NewSt.Env = NewEnv;
- return getStateManager().getPersistentState(NewSt);
-}
-
-const GRState *GRState::bindExprAndLocation(const Stmt *S, SVal location,
- SVal V) const {
- Environment NewEnv =
- getStateManager().EnvMgr.bindExprAndLocation(Env, S, location, V);
-
- if (NewEnv == Env)
- return this;
-
- GRState NewSt = *this;
- NewSt.Env = NewEnv;
- return getStateManager().getPersistentState(NewSt);
-}
-
-const GRState *GRState::assumeInBound(DefinedOrUnknownSVal Idx,
- DefinedOrUnknownSVal UpperBound,
- bool Assumption) const {
- if (Idx.isUnknown() || UpperBound.isUnknown())
- return this;
-
- // Build an expression for 0 <= Idx < UpperBound.
- // This is the same as Idx + MIN < UpperBound + MIN, if overflow is allowed.
- // FIXME: This should probably be part of SValBuilder.
- GRStateManager &SM = getStateManager();
- SValBuilder &svalBuilder = SM.getSValBuilder();
- ASTContext &Ctx = svalBuilder.getContext();
-
- // Get the offset: the minimum value of the array index type.
- BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
- // FIXME: This should be using ValueManager::ArrayindexTy...somehow.
- QualType indexTy = Ctx.IntTy;
- nonloc::ConcreteInt Min(BVF.getMinValue(indexTy));
-
- // Adjust the index.
- SVal newIdx = svalBuilder.evalBinOpNN(this, BO_Add,
- cast<NonLoc>(Idx), Min, indexTy);
- if (newIdx.isUnknownOrUndef())
- return this;
-
- // Adjust the upper bound.
- SVal newBound =
- svalBuilder.evalBinOpNN(this, BO_Add, cast<NonLoc>(UpperBound),
- Min, indexTy);
-
- if (newBound.isUnknownOrUndef())
- return this;
-
- // Build the actual comparison.
- SVal inBound = svalBuilder.evalBinOpNN(this, BO_LT,
- cast<NonLoc>(newIdx), cast<NonLoc>(newBound),
- Ctx.IntTy);
- if (inBound.isUnknownOrUndef())
- return this;
-
- // Finally, let the constraint manager take care of it.
- ConstraintManager &CM = SM.getConstraintManager();
- return CM.assume(this, cast<DefinedSVal>(inBound), Assumption);
-}
-
-const GRState* GRStateManager::getInitialState(const LocationContext *InitLoc) {
- GRState State(this,
- EnvMgr.getInitialEnvironment(),
- StoreMgr->getInitialStore(InitLoc),
- GDMFactory.getEmptyMap());
-
- return getPersistentState(State);
-}
-
-const GRState* GRStateManager::getPersistentState(GRState& State) {
-
- llvm::FoldingSetNodeID ID;
- State.Profile(ID);
- void* InsertPos;
-
- if (GRState* I = StateSet.FindNodeOrInsertPos(ID, InsertPos))
- return I;
-
- GRState* I = (GRState*) Alloc.Allocate<GRState>();
- new (I) GRState(State);
- StateSet.InsertNode(I, InsertPos);
- return I;
-}
-
-const GRState* GRState::makeWithStore(Store store) const {
- GRState NewSt = *this;
- NewSt.St = store;
- return getStateManager().getPersistentState(NewSt);
-}
-
-//===----------------------------------------------------------------------===//
-// State pretty-printing.
-//===----------------------------------------------------------------------===//
-
-static bool IsEnvLoc(const Stmt *S) {
- // FIXME: This is a layering violation. Should be in environment.
- return (bool) (((uintptr_t) S) & 0x1);
-}
-
-void GRState::print(llvm::raw_ostream& Out, CFG &C, const char* nl,
- const char* sep) const {
- // Print the store.
- GRStateManager &Mgr = getStateManager();
- Mgr.getStoreManager().print(getStore(), Out, nl, sep);
-
- // Print Subexpression bindings.
- bool isFirst = true;
-
- // FIXME: All environment printing should be moved inside Environment.
- for (Environment::iterator I = Env.begin(), E = Env.end(); I != E; ++I) {
- if (C.isBlkExpr(I.getKey()) || IsEnvLoc(I.getKey()))
- continue;
-
- if (isFirst) {
- Out << nl << nl << "Sub-Expressions:" << nl;
- isFirst = false;
- }
- else { Out << nl; }
-
- Out << " (" << (void*) I.getKey() << ") ";
- LangOptions LO; // FIXME.
- I.getKey()->printPretty(Out, 0, PrintingPolicy(LO));
- Out << " : " << I.getData();
- }
-
- // Print block-expression bindings.
- isFirst = true;
-
- for (Environment::iterator I = Env.begin(), E = Env.end(); I != E; ++I) {
- if (!C.isBlkExpr(I.getKey()))
- continue;
-
- if (isFirst) {
- Out << nl << nl << "Block-level Expressions:" << nl;
- isFirst = false;
- }
- else { Out << nl; }
-
- Out << " (" << (void*) I.getKey() << ") ";
- LangOptions LO; // FIXME.
- I.getKey()->printPretty(Out, 0, PrintingPolicy(LO));
- Out << " : " << I.getData();
- }
-
- // Print locations.
- isFirst = true;
-
- for (Environment::iterator I = Env.begin(), E = Env.end(); I != E; ++I) {
- if (!IsEnvLoc(I.getKey()))
- continue;
-
- if (isFirst) {
- Out << nl << nl << "Load/store locations:" << nl;
- isFirst = false;
- }
- else { Out << nl; }
-
- const Stmt *S = (Stmt*) (((uintptr_t) I.getKey()) & ((uintptr_t) ~0x1));
-
- Out << " (" << (void*) S << ") ";
- LangOptions LO; // FIXME.
- S->printPretty(Out, 0, PrintingPolicy(LO));
- Out << " : " << I.getData();
- }
-
- Mgr.getConstraintManager().print(this, Out, nl, sep);
-
- // Print checker-specific data.
- for (std::vector<Printer*>::iterator I = Mgr.Printers.begin(),
- E = Mgr.Printers.end(); I != E; ++I) {
- (*I)->Print(Out, this, nl, sep);
- }
-}
-
-void GRState::printDOT(llvm::raw_ostream& Out, CFG &C) const {
- print(Out, C, "\\l", "\\|");
-}
-
-void GRState::printStdErr(CFG &C) const {
- print(llvm::errs(), C);
-}
-
-//===----------------------------------------------------------------------===//
-// Generic Data Map.
-//===----------------------------------------------------------------------===//
-
-void* const* GRState::FindGDM(void* K) const {
- return GDM.lookup(K);
-}
-
-void*
-GRStateManager::FindGDMContext(void* K,
- void* (*CreateContext)(llvm::BumpPtrAllocator&),
- void (*DeleteContext)(void*)) {
-
- std::pair<void*, void (*)(void*)>& p = GDMContexts[K];
- if (!p.first) {
- p.first = CreateContext(Alloc);
- p.second = DeleteContext;
- }
-
- return p.first;
-}
-
-const GRState* GRStateManager::addGDM(const GRState* St, void* Key, void* Data){
- GRState::GenericDataMap M1 = St->getGDM();
- GRState::GenericDataMap M2 = GDMFactory.add(M1, Key, Data);
-
- if (M1 == M2)
- return St;
-
- GRState NewSt = *St;
- NewSt.GDM = M2;
- return getPersistentState(NewSt);
-}
-
-const GRState *GRStateManager::removeGDM(const GRState *state, void *Key) {
- GRState::GenericDataMap OldM = state->getGDM();
- GRState::GenericDataMap NewM = GDMFactory.remove(OldM, Key);
-
- if (NewM == OldM)
- return state;
-
- GRState NewState = *state;
- NewState.GDM = NewM;
- return getPersistentState(NewState);
-}
-
-//===----------------------------------------------------------------------===//
-// Utility.
-//===----------------------------------------------------------------------===//
-
-namespace {
-class ScanReachableSymbols : public SubRegionMap::Visitor {
- typedef llvm::DenseSet<const MemRegion*> VisitedRegionsTy;
-
- VisitedRegionsTy visited;
- const GRState *state;
- SymbolVisitor &visitor;
- llvm::OwningPtr<SubRegionMap> SRM;
-public:
-
- ScanReachableSymbols(const GRState *st, SymbolVisitor& v)
- : state(st), visitor(v) {}
-
- bool scan(nonloc::CompoundVal val);
- bool scan(SVal val);
- bool scan(const MemRegion *R);
-
- // From SubRegionMap::Visitor.
- bool Visit(const MemRegion* Parent, const MemRegion* SubRegion) {
- return scan(SubRegion);
- }
-};
-}
-
-bool ScanReachableSymbols::scan(nonloc::CompoundVal val) {
- for (nonloc::CompoundVal::iterator I=val.begin(), E=val.end(); I!=E; ++I)
- if (!scan(*I))
- return false;
-
- return true;
-}
-
-bool ScanReachableSymbols::scan(SVal val) {
- if (loc::MemRegionVal *X = dyn_cast<loc::MemRegionVal>(&val))
- return scan(X->getRegion());
-
- if (nonloc::LocAsInteger *X = dyn_cast<nonloc::LocAsInteger>(&val))
- return scan(X->getLoc());
-
- if (SymbolRef Sym = val.getAsSymbol())
- return visitor.VisitSymbol(Sym);
-
- if (nonloc::CompoundVal *X = dyn_cast<nonloc::CompoundVal>(&val))
- return scan(*X);
-
- return true;
-}
-
-bool ScanReachableSymbols::scan(const MemRegion *R) {
- if (isa<MemSpaceRegion>(R) || visited.count(R))
- return true;
-
- visited.insert(R);
-
- // If this is a symbolic region, visit the symbol for the region.
- if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R))
- if (!visitor.VisitSymbol(SR->getSymbol()))
- return false;
-
- // If this is a subregion, also visit the parent regions.
- if (const SubRegion *SR = dyn_cast<SubRegion>(R))
- if (!scan(SR->getSuperRegion()))
- return false;
-
- // Now look at the binding to this region (if any).
- if (!scan(state->getSValAsScalarOrLoc(R)))
- return false;
-
- // Now look at the subregions.
- if (!SRM.get())
- SRM.reset(state->getStateManager().getStoreManager().
- getSubRegionMap(state->getStore()));
-
- return SRM->iterSubRegions(R, *this);
-}
-
-bool GRState::scanReachableSymbols(SVal val, SymbolVisitor& visitor) const {
- ScanReachableSymbols S(this, visitor);
- return S.scan(val);
-}
-
-bool GRState::scanReachableSymbols(const SVal *I, const SVal *E,
- SymbolVisitor &visitor) const {
- ScanReachableSymbols S(this, visitor);
- for ( ; I != E; ++I) {
- if (!S.scan(*I))
- return false;
- }
- return true;
-}
-
-bool GRState::scanReachableSymbols(const MemRegion * const *I,
- const MemRegion * const *E,
- SymbolVisitor &visitor) const {
- ScanReachableSymbols S(this, visitor);
- for ( ; I != E; ++I) {
- if (!S.scan(*I))
- return false;
- }
- return true;
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/HTMLDiagnostics.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/HTMLDiagnostics.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/HTMLDiagnostics.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/HTMLDiagnostics.cpp (removed)
@@ -1,578 +0,0 @@
-//===--- HTMLDiagnostics.cpp - HTML Diagnostics for Paths ----*- C++ -*-===//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines the HTMLDiagnostics object.
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/StaticAnalyzer/PathDiagnosticClients.h"
-#include "clang/StaticAnalyzer/BugReporter/PathDiagnostic.h"
-#include "clang/AST/ASTContext.h"
-#include "clang/AST/Decl.h"
-#include "clang/Basic/SourceManager.h"
-#include "clang/Basic/FileManager.h"
-#include "clang/Rewrite/Rewriter.h"
-#include "clang/Rewrite/HTMLRewrite.h"
-#include "clang/Lex/Lexer.h"
-#include "clang/Lex/Preprocessor.h"
-#include "llvm/Support/MemoryBuffer.h"
-#include "llvm/Support/raw_ostream.h"
-#include "llvm/Support/Path.h"
-
-using namespace clang;
-using namespace ento;
-
-//===----------------------------------------------------------------------===//
-// Boilerplate.
-//===----------------------------------------------------------------------===//
-
-namespace {
-
-class HTMLDiagnostics : public PathDiagnosticClient {
- llvm::sys::Path Directory, FilePrefix;
- bool createdDir, noDir;
- const Preprocessor &PP;
- std::vector<const PathDiagnostic*> BatchedDiags;
-public:
- HTMLDiagnostics(const std::string& prefix, const Preprocessor &pp);
-
- virtual ~HTMLDiagnostics() { FlushDiagnostics(NULL); }
-
- virtual void FlushDiagnostics(llvm::SmallVectorImpl<std::string> *FilesMade);
-
- virtual void HandlePathDiagnostic(const PathDiagnostic* D);
-
- virtual llvm::StringRef getName() const {
- return "HTMLDiagnostics";
- }
-
- unsigned ProcessMacroPiece(llvm::raw_ostream& os,
- const PathDiagnosticMacroPiece& P,
- unsigned num);
-
- void HandlePiece(Rewriter& R, FileID BugFileID,
- const PathDiagnosticPiece& P, unsigned num, unsigned max);
-
- void HighlightRange(Rewriter& R, FileID BugFileID, SourceRange Range,
- const char *HighlightStart = "<span class=\"mrange\">",
- const char *HighlightEnd = "</span>");
-
- void ReportDiag(const PathDiagnostic& D,
- llvm::SmallVectorImpl<std::string> *FilesMade);
-};
-
-} // end anonymous namespace
-
-HTMLDiagnostics::HTMLDiagnostics(const std::string& prefix,
- const Preprocessor &pp)
- : Directory(prefix), FilePrefix(prefix), createdDir(false), noDir(false),
- PP(pp) {
- // All html files begin with "report"
- FilePrefix.appendComponent("report");
-}
-
-PathDiagnosticClient*
-ento::createHTMLDiagnosticClient(const std::string& prefix,
- const Preprocessor &PP) {
- return new HTMLDiagnostics(prefix, PP);
-}
-
-//===----------------------------------------------------------------------===//
-// Report processing.
-//===----------------------------------------------------------------------===//
-
-void HTMLDiagnostics::HandlePathDiagnostic(const PathDiagnostic* D) {
- if (!D)
- return;
-
- if (D->empty()) {
- delete D;
- return;
- }
-
- const_cast<PathDiagnostic*>(D)->flattenLocations();
- BatchedDiags.push_back(D);
-}
-
-void
-HTMLDiagnostics::FlushDiagnostics(llvm::SmallVectorImpl<std::string> *FilesMade)
-{
- while (!BatchedDiags.empty()) {
- const PathDiagnostic* D = BatchedDiags.back();
- BatchedDiags.pop_back();
- ReportDiag(*D, FilesMade);
- delete D;
- }
-
- BatchedDiags.clear();
-}
-
-void HTMLDiagnostics::ReportDiag(const PathDiagnostic& D,
- llvm::SmallVectorImpl<std::string> *FilesMade){
- // Create the HTML directory if it is missing.
- if (!createdDir) {
- createdDir = true;
- std::string ErrorMsg;
- Directory.createDirectoryOnDisk(true, &ErrorMsg);
-
- if (!Directory.isDirectory()) {
- llvm::errs() << "warning: could not create directory '"
- << Directory.str() << "'\n"
- << "reason: " << ErrorMsg << '\n';
-
- noDir = true;
-
- return;
- }
- }
-
- if (noDir)
- return;
-
- const SourceManager &SMgr = D.begin()->getLocation().getManager();
- FileID FID;
-
- // Verify that the entire path is from the same FileID.
- for (PathDiagnostic::const_iterator I = D.begin(), E = D.end(); I != E; ++I) {
- FullSourceLoc L = I->getLocation().asLocation().getInstantiationLoc();
-
- if (FID.isInvalid()) {
- FID = SMgr.getFileID(L);
- } else if (SMgr.getFileID(L) != FID)
- return; // FIXME: Emit a warning?
-
- // Check the source ranges.
- for (PathDiagnosticPiece::range_iterator RI=I->ranges_begin(),
- RE=I->ranges_end(); RI!=RE; ++RI) {
-
- SourceLocation L = SMgr.getInstantiationLoc(RI->getBegin());
-
- if (!L.isFileID() || SMgr.getFileID(L) != FID)
- return; // FIXME: Emit a warning?
-
- L = SMgr.getInstantiationLoc(RI->getEnd());
-
- if (!L.isFileID() || SMgr.getFileID(L) != FID)
- return; // FIXME: Emit a warning?
- }
- }
-
- if (FID.isInvalid())
- return; // FIXME: Emit a warning?
-
- // Create a new rewriter to generate HTML.
- Rewriter R(const_cast<SourceManager&>(SMgr), PP.getLangOptions());
-
- // Process the path.
- unsigned n = D.size();
- unsigned max = n;
-
- for (PathDiagnostic::const_reverse_iterator I=D.rbegin(), E=D.rend();
- I!=E; ++I, --n)
- HandlePiece(R, FID, *I, n, max);
-
- // Add line numbers, header, footer, etc.
-
- // unsigned FID = R.getSourceMgr().getMainFileID();
- html::EscapeText(R, FID);
- html::AddLineNumbers(R, FID);
-
- // If we have a preprocessor, relex the file and syntax highlight.
- // We might not have a preprocessor if we come from a deserialized AST file,
- // for example.
-
- html::SyntaxHighlight(R, FID, PP);
- html::HighlightMacros(R, FID, PP);
-
- // Get the full directory name of the analyzed file.
-
- const FileEntry* Entry = SMgr.getFileEntryForID(FID);
-
- // This is a cludge; basically we want to append either the full
- // working directory if we have no directory information. This is
- // a work in progress.
-
- std::string DirName = "";
-
- if (llvm::sys::path::is_relative(Entry->getName())) {
- llvm::sys::Path P = llvm::sys::Path::GetCurrentDirectory();
- DirName = P.str() + "/";
- }
-
- // Add the name of the file as an <h1> tag.
-
- {
- std::string s;
- llvm::raw_string_ostream os(s);
-
- os << "<!-- REPORTHEADER -->\n"
- << "<h3>Bug Summary</h3>\n<table class=\"simpletable\">\n"
- "<tr><td class=\"rowname\">File:</td><td>"
- << html::EscapeText(DirName)
- << html::EscapeText(Entry->getName())
- << "</td></tr>\n<tr><td class=\"rowname\">Location:</td><td>"
- "<a href=\"#EndPath\">line "
- << (*D.rbegin()).getLocation().asLocation().getInstantiationLineNumber()
- << ", column "
- << (*D.rbegin()).getLocation().asLocation().getInstantiationColumnNumber()
- << "</a></td></tr>\n"
- "<tr><td class=\"rowname\">Description:</td><td>"
- << D.getDescription() << "</td></tr>\n";
-
- // Output any other meta data.
-
- for (PathDiagnostic::meta_iterator I=D.meta_begin(), E=D.meta_end();
- I!=E; ++I) {
- os << "<tr><td></td><td>" << html::EscapeText(*I) << "</td></tr>\n";
- }
-
- os << "</table>\n<!-- REPORTSUMMARYEXTRA -->\n"
- "<h3>Annotated Source Code</h3>\n";
-
- R.InsertTextBefore(SMgr.getLocForStartOfFile(FID), os.str());
- }
-
- // Embed meta-data tags.
- {
- std::string s;
- llvm::raw_string_ostream os(s);
-
- const std::string& BugDesc = D.getDescription();
- if (!BugDesc.empty())
- os << "\n<!-- BUGDESC " << BugDesc << " -->\n";
-
- const std::string& BugType = D.getBugType();
- if (!BugType.empty())
- os << "\n<!-- BUGTYPE " << BugType << " -->\n";
-
- const std::string& BugCategory = D.getCategory();
- if (!BugCategory.empty())
- os << "\n<!-- BUGCATEGORY " << BugCategory << " -->\n";
-
- os << "\n<!-- BUGFILE " << DirName << Entry->getName() << " -->\n";
-
- os << "\n<!-- BUGLINE "
- << D.back()->getLocation().asLocation().getInstantiationLineNumber()
- << " -->\n";
-
- os << "\n<!-- BUGPATHLENGTH " << D.size() << " -->\n";
-
- // Mark the end of the tags.
- os << "\n<!-- BUGMETAEND -->\n";
-
- // Insert the text.
- R.InsertTextBefore(SMgr.getLocForStartOfFile(FID), os.str());
- }
-
- // Add CSS, header, and footer.
-
- html::AddHeaderFooterInternalBuiltinCSS(R, FID, Entry->getName());
-
- // Get the rewrite buffer.
- const RewriteBuffer *Buf = R.getRewriteBufferFor(FID);
-
- if (!Buf) {
- llvm::errs() << "warning: no diagnostics generated for main file.\n";
- return;
- }
-
- // Create a path for the target HTML file.
- llvm::sys::Path F(FilePrefix);
- F.makeUnique(false, NULL);
-
- // Rename the file with an HTML extension.
- llvm::sys::Path H(F);
- H.appendSuffix("html");
- F.renamePathOnDisk(H, NULL);
-
- std::string ErrorMsg;
- llvm::raw_fd_ostream os(H.c_str(), ErrorMsg);
-
- if (!ErrorMsg.empty()) {
- llvm::errs() << "warning: could not create file '" << F.str()
- << "'\n";
- return;
- }
-
- if (FilesMade)
- FilesMade->push_back(llvm::sys::path::filename(H.str()));
-
- // Emit the HTML to disk.
- for (RewriteBuffer::iterator I = Buf->begin(), E = Buf->end(); I!=E; ++I)
- os << *I;
-}
-
-void HTMLDiagnostics::HandlePiece(Rewriter& R, FileID BugFileID,
- const PathDiagnosticPiece& P,
- unsigned num, unsigned max) {
-
- // For now, just draw a box above the line in question, and emit the
- // warning.
- FullSourceLoc Pos = P.getLocation().asLocation();
-
- if (!Pos.isValid())
- return;
-
- SourceManager &SM = R.getSourceMgr();
- assert(&Pos.getManager() == &SM && "SourceManagers are different!");
- std::pair<FileID, unsigned> LPosInfo = SM.getDecomposedInstantiationLoc(Pos);
-
- if (LPosInfo.first != BugFileID)
- return;
-
- const llvm::MemoryBuffer *Buf = SM.getBuffer(LPosInfo.first);
- const char* FileStart = Buf->getBufferStart();
-
- // Compute the column number. Rewind from the current position to the start
- // of the line.
- unsigned ColNo = SM.getColumnNumber(LPosInfo.first, LPosInfo.second);
- const char *TokInstantiationPtr =Pos.getInstantiationLoc().getCharacterData();
- const char *LineStart = TokInstantiationPtr-ColNo;
-
- // Compute LineEnd.
- const char *LineEnd = TokInstantiationPtr;
- const char* FileEnd = Buf->getBufferEnd();
- while (*LineEnd != '\n' && LineEnd != FileEnd)
- ++LineEnd;
-
- // Compute the margin offset by counting tabs and non-tabs.
- unsigned PosNo = 0;
- for (const char* c = LineStart; c != TokInstantiationPtr; ++c)
- PosNo += *c == '\t' ? 8 : 1;
-
- // Create the html for the message.
-
- const char *Kind = 0;
- switch (P.getKind()) {
- case PathDiagnosticPiece::Event: Kind = "Event"; break;
- case PathDiagnosticPiece::ControlFlow: Kind = "Control"; break;
- // Setting Kind to "Control" is intentional.
- case PathDiagnosticPiece::Macro: Kind = "Control"; break;
- }
-
- std::string sbuf;
- llvm::raw_string_ostream os(sbuf);
-
- os << "\n<tr><td class=\"num\"></td><td class=\"line\"><div id=\"";
-
- if (num == max)
- os << "EndPath";
- else
- os << "Path" << num;
-
- os << "\" class=\"msg";
- if (Kind)
- os << " msg" << Kind;
- os << "\" style=\"margin-left:" << PosNo << "ex";
-
- // Output a maximum size.
- if (!isa<PathDiagnosticMacroPiece>(P)) {
- // Get the string and determining its maximum substring.
- const std::string& Msg = P.getString();
- unsigned max_token = 0;
- unsigned cnt = 0;
- unsigned len = Msg.size();
-
- for (std::string::const_iterator I=Msg.begin(), E=Msg.end(); I!=E; ++I)
- switch (*I) {
- default:
- ++cnt;
- continue;
- case ' ':
- case '\t':
- case '\n':
- if (cnt > max_token) max_token = cnt;
- cnt = 0;
- }
-
- if (cnt > max_token)
- max_token = cnt;
-
- // Determine the approximate size of the message bubble in em.
- unsigned em;
- const unsigned max_line = 120;
-
- if (max_token >= max_line)
- em = max_token / 2;
- else {
- unsigned characters = max_line;
- unsigned lines = len / max_line;
-
- if (lines > 0) {
- for (; characters > max_token; --characters)
- if (len / characters > lines) {
- ++characters;
- break;
- }
- }
-
- em = characters / 2;
- }
-
- if (em < max_line/2)
- os << "; max-width:" << em << "em";
- }
- else
- os << "; max-width:100em";
-
- os << "\">";
-
- if (max > 1) {
- os << "<table class=\"msgT\"><tr><td valign=\"top\">";
- os << "<div class=\"PathIndex";
- if (Kind) os << " PathIndex" << Kind;
- os << "\">" << num << "</div>";
- os << "</td><td>";
- }
-
- if (const PathDiagnosticMacroPiece *MP =
- dyn_cast<PathDiagnosticMacroPiece>(&P)) {
-
- os << "Within the expansion of the macro '";
-
- // Get the name of the macro by relexing it.
- {
- FullSourceLoc L = MP->getLocation().asLocation().getInstantiationLoc();
- assert(L.isFileID());
- llvm::StringRef BufferInfo = L.getBufferData();
- const char* MacroName = L.getDecomposedLoc().second + BufferInfo.data();
- Lexer rawLexer(L, PP.getLangOptions(), BufferInfo.begin(),
- MacroName, BufferInfo.end());
-
- Token TheTok;
- rawLexer.LexFromRawLexer(TheTok);
- for (unsigned i = 0, n = TheTok.getLength(); i < n; ++i)
- os << MacroName[i];
- }
-
- os << "':\n";
-
- if (max > 1)
- os << "</td></tr></table>";
-
- // Within a macro piece. Write out each event.
- ProcessMacroPiece(os, *MP, 0);
- }
- else {
- os << html::EscapeText(P.getString());
-
- if (max > 1)
- os << "</td></tr></table>";
- }
-
- os << "</div></td></tr>";
-
- // Insert the new html.
- unsigned DisplayPos = LineEnd - FileStart;
- SourceLocation Loc =
- SM.getLocForStartOfFile(LPosInfo.first).getFileLocWithOffset(DisplayPos);
-
- R.InsertTextBefore(Loc, os.str());
-
- // Now highlight the ranges.
- for (const SourceRange *I = P.ranges_begin(), *E = P.ranges_end();
- I != E; ++I)
- HighlightRange(R, LPosInfo.first, *I);
-
-#if 0
- // If there is a code insertion hint, insert that code.
- // FIXME: This code is disabled because it seems to mangle the HTML
- // output. I'm leaving it here because it's generally the right idea,
- // but needs some help from someone more familiar with the rewriter.
- for (const FixItHint *Hint = P.fixit_begin(), *HintEnd = P.fixit_end();
- Hint != HintEnd; ++Hint) {
- if (Hint->RemoveRange.isValid()) {
- HighlightRange(R, LPosInfo.first, Hint->RemoveRange,
- "<span class=\"CodeRemovalHint\">", "</span>");
- }
- if (Hint->InsertionLoc.isValid()) {
- std::string EscapedCode = html::EscapeText(Hint->CodeToInsert, true);
- EscapedCode = "<span class=\"CodeInsertionHint\">" + EscapedCode
- + "</span>";
- R.InsertTextBefore(Hint->InsertionLoc, EscapedCode);
- }
- }
-#endif
-}
-
-static void EmitAlphaCounter(llvm::raw_ostream& os, unsigned n) {
- unsigned x = n % ('z' - 'a');
- n /= 'z' - 'a';
-
- if (n > 0)
- EmitAlphaCounter(os, n);
-
- os << char('a' + x);
-}
-
-unsigned HTMLDiagnostics::ProcessMacroPiece(llvm::raw_ostream& os,
- const PathDiagnosticMacroPiece& P,
- unsigned num) {
-
- for (PathDiagnosticMacroPiece::const_iterator I=P.begin(), E=P.end();
- I!=E; ++I) {
-
- if (const PathDiagnosticMacroPiece *MP =
- dyn_cast<PathDiagnosticMacroPiece>(*I)) {
- num = ProcessMacroPiece(os, *MP, num);
- continue;
- }
-
- if (PathDiagnosticEventPiece *EP = dyn_cast<PathDiagnosticEventPiece>(*I)) {
- os << "<div class=\"msg msgEvent\" style=\"width:94%; "
- "margin-left:5px\">"
- "<table class=\"msgT\"><tr>"
- "<td valign=\"top\"><div class=\"PathIndex PathIndexEvent\">";
- EmitAlphaCounter(os, num++);
- os << "</div></td><td valign=\"top\">"
- << html::EscapeText(EP->getString())
- << "</td></tr></table></div>\n";
- }
- }
-
- return num;
-}
-
-void HTMLDiagnostics::HighlightRange(Rewriter& R, FileID BugFileID,
- SourceRange Range,
- const char *HighlightStart,
- const char *HighlightEnd) {
- SourceManager &SM = R.getSourceMgr();
- const LangOptions &LangOpts = R.getLangOpts();
-
- SourceLocation InstantiationStart = SM.getInstantiationLoc(Range.getBegin());
- unsigned StartLineNo = SM.getInstantiationLineNumber(InstantiationStart);
-
- SourceLocation InstantiationEnd = SM.getInstantiationLoc(Range.getEnd());
- unsigned EndLineNo = SM.getInstantiationLineNumber(InstantiationEnd);
-
- if (EndLineNo < StartLineNo)
- return;
-
- if (SM.getFileID(InstantiationStart) != BugFileID ||
- SM.getFileID(InstantiationEnd) != BugFileID)
- return;
-
- // Compute the column number of the end.
- unsigned EndColNo = SM.getInstantiationColumnNumber(InstantiationEnd);
- unsigned OldEndColNo = EndColNo;
-
- if (EndColNo) {
- // Add in the length of the token, so that we cover multi-char tokens.
- EndColNo += Lexer::MeasureTokenLength(Range.getEnd(), SM, LangOpts)-1;
- }
-
- // Highlight the range. Make the span tag the outermost tag for the
- // selected range.
-
- SourceLocation E =
- InstantiationEnd.getFileLocWithOffset(EndColNo - OldEndColNo);
-
- html::HighlightRange(R, InstantiationStart, E, HighlightStart, HighlightEnd);
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/Makefile
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/Makefile?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/Makefile (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/Makefile (removed)
@@ -1,19 +0,0 @@
-##===- clang/lib/Checker/Makefile --------------------------*- Makefile -*-===##
-#
-# The LLVM Compiler Infrastructure
-#
-# This file is distributed under the University of Illinois Open Source
-# License. See LICENSE.TXT for details.
-#
-##===----------------------------------------------------------------------===##
-#
-# This implements analyses built on top of source-level CFGs.
-#
-##===----------------------------------------------------------------------===##
-
-CLANG_LEVEL := ../..
-LIBRARYNAME := clangStaticAnalyzerCore
-PARALLEL_DIRS := Checkers
-
-include $(CLANG_LEVEL)/Makefile
-
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/ManagerRegistry.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/ManagerRegistry.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/ManagerRegistry.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/ManagerRegistry.cpp (removed)
@@ -1,21 +0,0 @@
-//===- ManagerRegistry.cpp - Pluggble Analyzer module creators --*- C++ -*-===//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines the pluggable analyzer module creators.
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/StaticAnalyzer/ManagerRegistry.h"
-
-using namespace clang;
-using namespace ento;
-
-StoreManagerCreator ManagerRegistry::StoreMgrCreator = 0;
-
-ConstraintManagerCreator ManagerRegistry::ConstraintMgrCreator = 0;
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/MemRegion.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/MemRegion.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/MemRegion.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/MemRegion.cpp (removed)
@@ -1,987 +0,0 @@
-//== MemRegion.cpp - Abstract memory regions for static analysis --*- C++ -*--//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines MemRegion and its subclasses. MemRegion defines a
-// partially-typed abstraction of memory useful for path-sensitive dataflow
-// analyses.
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/StaticAnalyzer/PathSensitive/MemRegion.h"
-#include "clang/StaticAnalyzer/PathSensitive/SValBuilder.h"
-#include "clang/Analysis/AnalysisContext.h"
-#include "clang/Analysis/Support/BumpVector.h"
-#include "clang/AST/CharUnits.h"
-#include "clang/AST/RecordLayout.h"
-#include "llvm/Support/raw_ostream.h"
-
-using namespace clang;
-using namespace ento;
-
-//===----------------------------------------------------------------------===//
-// MemRegion Construction.
-//===----------------------------------------------------------------------===//
-
-template<typename RegionTy> struct MemRegionManagerTrait;
-
-template <typename RegionTy, typename A1>
-RegionTy* MemRegionManager::getRegion(const A1 a1) {
-
- const typename MemRegionManagerTrait<RegionTy>::SuperRegionTy *superRegion =
- MemRegionManagerTrait<RegionTy>::getSuperRegion(*this, a1);
-
- llvm::FoldingSetNodeID ID;
- RegionTy::ProfileRegion(ID, a1, superRegion);
- void* InsertPos;
- RegionTy* R = cast_or_null<RegionTy>(Regions.FindNodeOrInsertPos(ID,
- InsertPos));
-
- if (!R) {
- R = (RegionTy*) A.Allocate<RegionTy>();
- new (R) RegionTy(a1, superRegion);
- Regions.InsertNode(R, InsertPos);
- }
-
- return R;
-}
-
-template <typename RegionTy, typename A1>
-RegionTy* MemRegionManager::getSubRegion(const A1 a1,
- const MemRegion *superRegion) {
- llvm::FoldingSetNodeID ID;
- RegionTy::ProfileRegion(ID, a1, superRegion);
- void* InsertPos;
- RegionTy* R = cast_or_null<RegionTy>(Regions.FindNodeOrInsertPos(ID,
- InsertPos));
-
- if (!R) {
- R = (RegionTy*) A.Allocate<RegionTy>();
- new (R) RegionTy(a1, superRegion);
- Regions.InsertNode(R, InsertPos);
- }
-
- return R;
-}
-
-template <typename RegionTy, typename A1, typename A2>
-RegionTy* MemRegionManager::getRegion(const A1 a1, const A2 a2) {
-
- const typename MemRegionManagerTrait<RegionTy>::SuperRegionTy *superRegion =
- MemRegionManagerTrait<RegionTy>::getSuperRegion(*this, a1, a2);
-
- llvm::FoldingSetNodeID ID;
- RegionTy::ProfileRegion(ID, a1, a2, superRegion);
- void* InsertPos;
- RegionTy* R = cast_or_null<RegionTy>(Regions.FindNodeOrInsertPos(ID,
- InsertPos));
-
- if (!R) {
- R = (RegionTy*) A.Allocate<RegionTy>();
- new (R) RegionTy(a1, a2, superRegion);
- Regions.InsertNode(R, InsertPos);
- }
-
- return R;
-}
-
-template <typename RegionTy, typename A1, typename A2>
-RegionTy* MemRegionManager::getSubRegion(const A1 a1, const A2 a2,
- const MemRegion *superRegion) {
-
- llvm::FoldingSetNodeID ID;
- RegionTy::ProfileRegion(ID, a1, a2, superRegion);
- void* InsertPos;
- RegionTy* R = cast_or_null<RegionTy>(Regions.FindNodeOrInsertPos(ID,
- InsertPos));
-
- if (!R) {
- R = (RegionTy*) A.Allocate<RegionTy>();
- new (R) RegionTy(a1, a2, superRegion);
- Regions.InsertNode(R, InsertPos);
- }
-
- return R;
-}
-
-template <typename RegionTy, typename A1, typename A2, typename A3>
-RegionTy* MemRegionManager::getSubRegion(const A1 a1, const A2 a2, const A3 a3,
- const MemRegion *superRegion) {
-
- llvm::FoldingSetNodeID ID;
- RegionTy::ProfileRegion(ID, a1, a2, a3, superRegion);
- void* InsertPos;
- RegionTy* R = cast_or_null<RegionTy>(Regions.FindNodeOrInsertPos(ID,
- InsertPos));
-
- if (!R) {
- R = (RegionTy*) A.Allocate<RegionTy>();
- new (R) RegionTy(a1, a2, a3, superRegion);
- Regions.InsertNode(R, InsertPos);
- }
-
- return R;
-}
-
-//===----------------------------------------------------------------------===//
-// Object destruction.
-//===----------------------------------------------------------------------===//
-
-MemRegion::~MemRegion() {}
-
-MemRegionManager::~MemRegionManager() {
- // All regions and their data are BumpPtrAllocated. No need to call
- // their destructors.
-}
-
-//===----------------------------------------------------------------------===//
-// Basic methods.
-//===----------------------------------------------------------------------===//
-
-bool SubRegion::isSubRegionOf(const MemRegion* R) const {
- const MemRegion* r = getSuperRegion();
- while (r != 0) {
- if (r == R)
- return true;
- if (const SubRegion* sr = dyn_cast<SubRegion>(r))
- r = sr->getSuperRegion();
- else
- break;
- }
- return false;
-}
-
-MemRegionManager* SubRegion::getMemRegionManager() const {
- const SubRegion* r = this;
- do {
- const MemRegion *superRegion = r->getSuperRegion();
- if (const SubRegion *sr = dyn_cast<SubRegion>(superRegion)) {
- r = sr;
- continue;
- }
- return superRegion->getMemRegionManager();
- } while (1);
-}
-
-const StackFrameContext *VarRegion::getStackFrame() const {
- const StackSpaceRegion *SSR = dyn_cast<StackSpaceRegion>(getMemorySpace());
- return SSR ? SSR->getStackFrame() : NULL;
-}
-
-//===----------------------------------------------------------------------===//
-// Region extents.
-//===----------------------------------------------------------------------===//
-
-DefinedOrUnknownSVal DeclRegion::getExtent(SValBuilder &svalBuilder) const {
- ASTContext& Ctx = svalBuilder.getContext();
- QualType T = getDesugaredValueType(Ctx);
-
- if (isa<VariableArrayType>(T))
- return nonloc::SymbolVal(svalBuilder.getSymbolManager().getExtentSymbol(this));
- if (isa<IncompleteArrayType>(T))
- return UnknownVal();
-
- CharUnits size = Ctx.getTypeSizeInChars(T);
- QualType sizeTy = svalBuilder.getArrayIndexType();
- return svalBuilder.makeIntVal(size.getQuantity(), sizeTy);
-}
-
-DefinedOrUnknownSVal FieldRegion::getExtent(SValBuilder &svalBuilder) const {
- DefinedOrUnknownSVal Extent = DeclRegion::getExtent(svalBuilder);
-
- // A zero-length array at the end of a struct often stands for dynamically-
- // allocated extra memory.
- if (Extent.isZeroConstant()) {
- QualType T = getDesugaredValueType(svalBuilder.getContext());
-
- if (isa<ConstantArrayType>(T))
- return UnknownVal();
- }
-
- return Extent;
-}
-
-DefinedOrUnknownSVal AllocaRegion::getExtent(SValBuilder &svalBuilder) const {
- return nonloc::SymbolVal(svalBuilder.getSymbolManager().getExtentSymbol(this));
-}
-
-DefinedOrUnknownSVal SymbolicRegion::getExtent(SValBuilder &svalBuilder) const {
- return nonloc::SymbolVal(svalBuilder.getSymbolManager().getExtentSymbol(this));
-}
-
-DefinedOrUnknownSVal StringRegion::getExtent(SValBuilder &svalBuilder) const {
- return svalBuilder.makeIntVal(getStringLiteral()->getByteLength()+1,
- svalBuilder.getArrayIndexType());
-}
-
-QualType CXXBaseObjectRegion::getValueType() const {
- return QualType(decl->getTypeForDecl(), 0);
-}
-
-//===----------------------------------------------------------------------===//
-// FoldingSet profiling.
-//===----------------------------------------------------------------------===//
-
-void MemSpaceRegion::Profile(llvm::FoldingSetNodeID& ID) const {
- ID.AddInteger((unsigned)getKind());
-}
-
-void StackSpaceRegion::Profile(llvm::FoldingSetNodeID &ID) const {
- ID.AddInteger((unsigned)getKind());
- ID.AddPointer(getStackFrame());
-}
-
-void StaticGlobalSpaceRegion::Profile(llvm::FoldingSetNodeID &ID) const {
- ID.AddInteger((unsigned)getKind());
- ID.AddPointer(getCodeRegion());
-}
-
-void StringRegion::ProfileRegion(llvm::FoldingSetNodeID& ID,
- const StringLiteral* Str,
- const MemRegion* superRegion) {
- ID.AddInteger((unsigned) StringRegionKind);
- ID.AddPointer(Str);
- ID.AddPointer(superRegion);
-}
-
-void AllocaRegion::ProfileRegion(llvm::FoldingSetNodeID& ID,
- const Expr* Ex, unsigned cnt,
- const MemRegion *) {
- ID.AddInteger((unsigned) AllocaRegionKind);
- ID.AddPointer(Ex);
- ID.AddInteger(cnt);
-}
-
-void AllocaRegion::Profile(llvm::FoldingSetNodeID& ID) const {
- ProfileRegion(ID, Ex, Cnt, superRegion);
-}
-
-void CompoundLiteralRegion::Profile(llvm::FoldingSetNodeID& ID) const {
- CompoundLiteralRegion::ProfileRegion(ID, CL, superRegion);
-}
-
-void CompoundLiteralRegion::ProfileRegion(llvm::FoldingSetNodeID& ID,
- const CompoundLiteralExpr* CL,
- const MemRegion* superRegion) {
- ID.AddInteger((unsigned) CompoundLiteralRegionKind);
- ID.AddPointer(CL);
- ID.AddPointer(superRegion);
-}
-
-void CXXThisRegion::ProfileRegion(llvm::FoldingSetNodeID &ID,
- const PointerType *PT,
- const MemRegion *sRegion) {
- ID.AddInteger((unsigned) CXXThisRegionKind);
- ID.AddPointer(PT);
- ID.AddPointer(sRegion);
-}
-
-void CXXThisRegion::Profile(llvm::FoldingSetNodeID &ID) const {
- CXXThisRegion::ProfileRegion(ID, ThisPointerTy, superRegion);
-}
-
-void DeclRegion::ProfileRegion(llvm::FoldingSetNodeID& ID, const Decl* D,
- const MemRegion* superRegion, Kind k) {
- ID.AddInteger((unsigned) k);
- ID.AddPointer(D);
- ID.AddPointer(superRegion);
-}
-
-void DeclRegion::Profile(llvm::FoldingSetNodeID& ID) const {
- DeclRegion::ProfileRegion(ID, D, superRegion, getKind());
-}
-
-void VarRegion::Profile(llvm::FoldingSetNodeID &ID) const {
- VarRegion::ProfileRegion(ID, getDecl(), superRegion);
-}
-
-void SymbolicRegion::ProfileRegion(llvm::FoldingSetNodeID& ID, SymbolRef sym,
- const MemRegion *sreg) {
- ID.AddInteger((unsigned) MemRegion::SymbolicRegionKind);
- ID.Add(sym);
- ID.AddPointer(sreg);
-}
-
-void SymbolicRegion::Profile(llvm::FoldingSetNodeID& ID) const {
- SymbolicRegion::ProfileRegion(ID, sym, getSuperRegion());
-}
-
-void ElementRegion::ProfileRegion(llvm::FoldingSetNodeID& ID,
- QualType ElementType, SVal Idx,
- const MemRegion* superRegion) {
- ID.AddInteger(MemRegion::ElementRegionKind);
- ID.Add(ElementType);
- ID.AddPointer(superRegion);
- Idx.Profile(ID);
-}
-
-void ElementRegion::Profile(llvm::FoldingSetNodeID& ID) const {
- ElementRegion::ProfileRegion(ID, ElementType, Index, superRegion);
-}
-
-void FunctionTextRegion::ProfileRegion(llvm::FoldingSetNodeID& ID,
- const FunctionDecl *FD,
- const MemRegion*) {
- ID.AddInteger(MemRegion::FunctionTextRegionKind);
- ID.AddPointer(FD);
-}
-
-void FunctionTextRegion::Profile(llvm::FoldingSetNodeID& ID) const {
- FunctionTextRegion::ProfileRegion(ID, FD, superRegion);
-}
-
-void BlockTextRegion::ProfileRegion(llvm::FoldingSetNodeID& ID,
- const BlockDecl *BD, CanQualType,
- const AnalysisContext *AC,
- const MemRegion*) {
- ID.AddInteger(MemRegion::BlockTextRegionKind);
- ID.AddPointer(BD);
-}
-
-void BlockTextRegion::Profile(llvm::FoldingSetNodeID& ID) const {
- BlockTextRegion::ProfileRegion(ID, BD, locTy, AC, superRegion);
-}
-
-void BlockDataRegion::ProfileRegion(llvm::FoldingSetNodeID& ID,
- const BlockTextRegion *BC,
- const LocationContext *LC,
- const MemRegion *sReg) {
- ID.AddInteger(MemRegion::BlockDataRegionKind);
- ID.AddPointer(BC);
- ID.AddPointer(LC);
- ID.AddPointer(sReg);
-}
-
-void BlockDataRegion::Profile(llvm::FoldingSetNodeID& ID) const {
- BlockDataRegion::ProfileRegion(ID, BC, LC, getSuperRegion());
-}
-
-void CXXTempObjectRegion::ProfileRegion(llvm::FoldingSetNodeID &ID,
- Expr const *Ex,
- const MemRegion *sReg) {
- ID.AddPointer(Ex);
- ID.AddPointer(sReg);
-}
-
-void CXXTempObjectRegion::Profile(llvm::FoldingSetNodeID &ID) const {
- ProfileRegion(ID, Ex, getSuperRegion());
-}
-
-void CXXBaseObjectRegion::ProfileRegion(llvm::FoldingSetNodeID &ID,
- const CXXRecordDecl *decl,
- const MemRegion *sReg) {
- ID.AddPointer(decl);
- ID.AddPointer(sReg);
-}
-
-void CXXBaseObjectRegion::Profile(llvm::FoldingSetNodeID &ID) const {
- ProfileRegion(ID, decl, superRegion);
-}
-
-//===----------------------------------------------------------------------===//
-// Region pretty-printing.
-//===----------------------------------------------------------------------===//
-
-void MemRegion::dump() const {
- dumpToStream(llvm::errs());
-}
-
-std::string MemRegion::getString() const {
- std::string s;
- llvm::raw_string_ostream os(s);
- dumpToStream(os);
- return os.str();
-}
-
-void MemRegion::dumpToStream(llvm::raw_ostream& os) const {
- os << "<Unknown Region>";
-}
-
-void AllocaRegion::dumpToStream(llvm::raw_ostream& os) const {
- os << "alloca{" << (void*) Ex << ',' << Cnt << '}';
-}
-
-void FunctionTextRegion::dumpToStream(llvm::raw_ostream& os) const {
- os << "code{" << getDecl()->getDeclName().getAsString() << '}';
-}
-
-void BlockTextRegion::dumpToStream(llvm::raw_ostream& os) const {
- os << "block_code{" << (void*) this << '}';
-}
-
-void BlockDataRegion::dumpToStream(llvm::raw_ostream& os) const {
- os << "block_data{" << BC << '}';
-}
-
-void CompoundLiteralRegion::dumpToStream(llvm::raw_ostream& os) const {
- // FIXME: More elaborate pretty-printing.
- os << "{ " << (void*) CL << " }";
-}
-
-void CXXTempObjectRegion::dumpToStream(llvm::raw_ostream &os) const {
- os << "temp_object";
-}
-
-void CXXBaseObjectRegion::dumpToStream(llvm::raw_ostream &os) const {
- os << "base " << decl->getName();
-}
-
-void CXXThisRegion::dumpToStream(llvm::raw_ostream &os) const {
- os << "this";
-}
-
-void ElementRegion::dumpToStream(llvm::raw_ostream& os) const {
- os << "element{" << superRegion << ','
- << Index << ',' << getElementType().getAsString() << '}';
-}
-
-void FieldRegion::dumpToStream(llvm::raw_ostream& os) const {
- os << superRegion << "->" << getDecl();
-}
-
-void NonStaticGlobalSpaceRegion::dumpToStream(llvm::raw_ostream &os) const {
- os << "NonStaticGlobalSpaceRegion";
-}
-
-void ObjCIvarRegion::dumpToStream(llvm::raw_ostream& os) const {
- os << "ivar{" << superRegion << ',' << getDecl() << '}';
-}
-
-void StringRegion::dumpToStream(llvm::raw_ostream& os) const {
- Str->printPretty(os, 0, PrintingPolicy(getContext().getLangOptions()));
-}
-
-void SymbolicRegion::dumpToStream(llvm::raw_ostream& os) const {
- os << "SymRegion{" << sym << '}';
-}
-
-void VarRegion::dumpToStream(llvm::raw_ostream& os) const {
- os << cast<VarDecl>(D);
-}
-
-void RegionRawOffset::dump() const {
- dumpToStream(llvm::errs());
-}
-
-void RegionRawOffset::dumpToStream(llvm::raw_ostream& os) const {
- os << "raw_offset{" << getRegion() << ',' << getByteOffset() << '}';
-}
-
-void StaticGlobalSpaceRegion::dumpToStream(llvm::raw_ostream &os) const {
- os << "StaticGlobalsMemSpace{" << CR << '}';
-}
-
-//===----------------------------------------------------------------------===//
-// MemRegionManager methods.
-//===----------------------------------------------------------------------===//
-
-template <typename REG>
-const REG *MemRegionManager::LazyAllocate(REG*& region) {
- if (!region) {
- region = (REG*) A.Allocate<REG>();
- new (region) REG(this);
- }
-
- return region;
-}
-
-template <typename REG, typename ARG>
-const REG *MemRegionManager::LazyAllocate(REG*& region, ARG a) {
- if (!region) {
- region = (REG*) A.Allocate<REG>();
- new (region) REG(this, a);
- }
-
- return region;
-}
-
-const StackLocalsSpaceRegion*
-MemRegionManager::getStackLocalsRegion(const StackFrameContext *STC) {
- assert(STC);
- StackLocalsSpaceRegion *&R = StackLocalsSpaceRegions[STC];
-
- if (R)
- return R;
-
- R = A.Allocate<StackLocalsSpaceRegion>();
- new (R) StackLocalsSpaceRegion(this, STC);
- return R;
-}
-
-const StackArgumentsSpaceRegion *
-MemRegionManager::getStackArgumentsRegion(const StackFrameContext *STC) {
- assert(STC);
- StackArgumentsSpaceRegion *&R = StackArgumentsSpaceRegions[STC];
-
- if (R)
- return R;
-
- R = A.Allocate<StackArgumentsSpaceRegion>();
- new (R) StackArgumentsSpaceRegion(this, STC);
- return R;
-}
-
-const GlobalsSpaceRegion
-*MemRegionManager::getGlobalsRegion(const CodeTextRegion *CR) {
- if (!CR)
- return LazyAllocate(globals);
-
- StaticGlobalSpaceRegion *&R = StaticsGlobalSpaceRegions[CR];
- if (R)
- return R;
-
- R = A.Allocate<StaticGlobalSpaceRegion>();
- new (R) StaticGlobalSpaceRegion(this, CR);
- return R;
-}
-
-const HeapSpaceRegion *MemRegionManager::getHeapRegion() {
- return LazyAllocate(heap);
-}
-
-const MemSpaceRegion *MemRegionManager::getUnknownRegion() {
- return LazyAllocate(unknown);
-}
-
-const MemSpaceRegion *MemRegionManager::getCodeRegion() {
- return LazyAllocate(code);
-}
-
-//===----------------------------------------------------------------------===//
-// Constructing regions.
-//===----------------------------------------------------------------------===//
-
-const StringRegion* MemRegionManager::getStringRegion(const StringLiteral* Str){
- return getSubRegion<StringRegion>(Str, getGlobalsRegion());
-}
-
-const VarRegion* MemRegionManager::getVarRegion(const VarDecl *D,
- const LocationContext *LC) {
- const MemRegion *sReg = 0;
-
- if (D->hasGlobalStorage() && !D->isStaticLocal())
- sReg = getGlobalsRegion();
- else {
- // FIXME: Once we implement scope handling, we will need to properly lookup
- // 'D' to the proper LocationContext.
- const DeclContext *DC = D->getDeclContext();
- const StackFrameContext *STC = LC->getStackFrameForDeclContext(DC);
-
- if (!STC)
- sReg = getUnknownRegion();
- else {
- if (D->hasLocalStorage()) {
- sReg = isa<ParmVarDecl>(D) || isa<ImplicitParamDecl>(D)
- ? static_cast<const MemRegion*>(getStackArgumentsRegion(STC))
- : static_cast<const MemRegion*>(getStackLocalsRegion(STC));
- }
- else {
- assert(D->isStaticLocal());
- const Decl *D = STC->getDecl();
- if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D))
- sReg = getGlobalsRegion(getFunctionTextRegion(FD));
- else if (const BlockDecl *BD = dyn_cast<BlockDecl>(D)) {
- const BlockTextRegion *BTR =
- getBlockTextRegion(BD,
- C.getCanonicalType(BD->getSignatureAsWritten()->getType()),
- STC->getAnalysisContext());
- sReg = getGlobalsRegion(BTR);
- }
- else {
- // FIXME: For ObjC-methods, we need a new CodeTextRegion. For now
- // just use the main global memspace.
- sReg = getGlobalsRegion();
- }
- }
- }
- }
-
- return getSubRegion<VarRegion>(D, sReg);
-}
-
-const VarRegion *MemRegionManager::getVarRegion(const VarDecl *D,
- const MemRegion *superR) {
- return getSubRegion<VarRegion>(D, superR);
-}
-
-const BlockDataRegion *
-MemRegionManager::getBlockDataRegion(const BlockTextRegion *BC,
- const LocationContext *LC) {
- const MemRegion *sReg = 0;
-
- if (LC) {
- // FIXME: Once we implement scope handling, we want the parent region
- // to be the scope.
- const StackFrameContext *STC = LC->getCurrentStackFrame();
- assert(STC);
- sReg = getStackLocalsRegion(STC);
- }
- else {
- // We allow 'LC' to be NULL for cases where want BlockDataRegions
- // without context-sensitivity.
- sReg = getUnknownRegion();
- }
-
- return getSubRegion<BlockDataRegion>(BC, LC, sReg);
-}
-
-const CompoundLiteralRegion*
-MemRegionManager::getCompoundLiteralRegion(const CompoundLiteralExpr* CL,
- const LocationContext *LC) {
-
- const MemRegion *sReg = 0;
-
- if (CL->isFileScope())
- sReg = getGlobalsRegion();
- else {
- const StackFrameContext *STC = LC->getCurrentStackFrame();
- assert(STC);
- sReg = getStackLocalsRegion(STC);
- }
-
- return getSubRegion<CompoundLiteralRegion>(CL, sReg);
-}
-
-const ElementRegion*
-MemRegionManager::getElementRegion(QualType elementType, NonLoc Idx,
- const MemRegion* superRegion,
- ASTContext& Ctx){
-
- QualType T = Ctx.getCanonicalType(elementType).getUnqualifiedType();
-
- llvm::FoldingSetNodeID ID;
- ElementRegion::ProfileRegion(ID, T, Idx, superRegion);
-
- void* InsertPos;
- MemRegion* data = Regions.FindNodeOrInsertPos(ID, InsertPos);
- ElementRegion* R = cast_or_null<ElementRegion>(data);
-
- if (!R) {
- R = (ElementRegion*) A.Allocate<ElementRegion>();
- new (R) ElementRegion(T, Idx, superRegion);
- Regions.InsertNode(R, InsertPos);
- }
-
- return R;
-}
-
-const FunctionTextRegion *
-MemRegionManager::getFunctionTextRegion(const FunctionDecl *FD) {
- return getSubRegion<FunctionTextRegion>(FD, getCodeRegion());
-}
-
-const BlockTextRegion *
-MemRegionManager::getBlockTextRegion(const BlockDecl *BD, CanQualType locTy,
- AnalysisContext *AC) {
- return getSubRegion<BlockTextRegion>(BD, locTy, AC, getCodeRegion());
-}
-
-
-/// getSymbolicRegion - Retrieve or create a "symbolic" memory region.
-const SymbolicRegion *MemRegionManager::getSymbolicRegion(SymbolRef sym) {
- return getSubRegion<SymbolicRegion>(sym, getUnknownRegion());
-}
-
-const FieldRegion*
-MemRegionManager::getFieldRegion(const FieldDecl* d,
- const MemRegion* superRegion){
- return getSubRegion<FieldRegion>(d, superRegion);
-}
-
-const ObjCIvarRegion*
-MemRegionManager::getObjCIvarRegion(const ObjCIvarDecl* d,
- const MemRegion* superRegion) {
- return getSubRegion<ObjCIvarRegion>(d, superRegion);
-}
-
-const CXXTempObjectRegion*
-MemRegionManager::getCXXTempObjectRegion(Expr const *E,
- LocationContext const *LC) {
- const StackFrameContext *SFC = LC->getCurrentStackFrame();
- assert(SFC);
- return getSubRegion<CXXTempObjectRegion>(E, getStackLocalsRegion(SFC));
-}
-
-const CXXBaseObjectRegion *
-MemRegionManager::getCXXBaseObjectRegion(const CXXRecordDecl *decl,
- const MemRegion *superRegion) {
- return getSubRegion<CXXBaseObjectRegion>(decl, superRegion);
-}
-
-const CXXThisRegion*
-MemRegionManager::getCXXThisRegion(QualType thisPointerTy,
- const LocationContext *LC) {
- const StackFrameContext *STC = LC->getCurrentStackFrame();
- assert(STC);
- const PointerType *PT = thisPointerTy->getAs<PointerType>();
- assert(PT);
- return getSubRegion<CXXThisRegion>(PT, getStackArgumentsRegion(STC));
-}
-
-const AllocaRegion*
-MemRegionManager::getAllocaRegion(const Expr* E, unsigned cnt,
- const LocationContext *LC) {
- const StackFrameContext *STC = LC->getCurrentStackFrame();
- assert(STC);
- return getSubRegion<AllocaRegion>(E, cnt, getStackLocalsRegion(STC));
-}
-
-const MemSpaceRegion *MemRegion::getMemorySpace() const {
- const MemRegion *R = this;
- const SubRegion* SR = dyn_cast<SubRegion>(this);
-
- while (SR) {
- R = SR->getSuperRegion();
- SR = dyn_cast<SubRegion>(R);
- }
-
- return dyn_cast<MemSpaceRegion>(R);
-}
-
-bool MemRegion::hasStackStorage() const {
- return isa<StackSpaceRegion>(getMemorySpace());
-}
-
-bool MemRegion::hasStackNonParametersStorage() const {
- return isa<StackLocalsSpaceRegion>(getMemorySpace());
-}
-
-bool MemRegion::hasStackParametersStorage() const {
- return isa<StackArgumentsSpaceRegion>(getMemorySpace());
-}
-
-bool MemRegion::hasGlobalsOrParametersStorage() const {
- const MemSpaceRegion *MS = getMemorySpace();
- return isa<StackArgumentsSpaceRegion>(MS) ||
- isa<GlobalsSpaceRegion>(MS);
-}
-
-// getBaseRegion strips away all elements and fields, and get the base region
-// of them.
-const MemRegion *MemRegion::getBaseRegion() const {
- const MemRegion *R = this;
- while (true) {
- switch (R->getKind()) {
- case MemRegion::ElementRegionKind:
- case MemRegion::FieldRegionKind:
- case MemRegion::ObjCIvarRegionKind:
- R = cast<SubRegion>(R)->getSuperRegion();
- continue;
- default:
- break;
- }
- break;
- }
- return R;
-}
-
-//===----------------------------------------------------------------------===//
-// View handling.
-//===----------------------------------------------------------------------===//
-
-const MemRegion *MemRegion::StripCasts() const {
- const MemRegion *R = this;
- while (true) {
- if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
- // FIXME: generalize. Essentially we want to strip away ElementRegions
- // that were layered on a symbolic region because of casts. We only
- // want to strip away ElementRegions, however, where the index is 0.
- SVal index = ER->getIndex();
- if (nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(&index)) {
- if (CI->getValue().getSExtValue() == 0) {
- R = ER->getSuperRegion();
- continue;
- }
- }
- }
- break;
- }
- return R;
-}
-
-// FIXME: Merge with the implementation of the same method in Store.cpp
-static bool IsCompleteType(ASTContext &Ctx, QualType Ty) {
- if (const RecordType *RT = Ty->getAs<RecordType>()) {
- const RecordDecl *D = RT->getDecl();
- if (!D->getDefinition())
- return false;
- }
-
- return true;
-}
-
-RegionRawOffset ElementRegion::getAsArrayOffset() const {
- CharUnits offset = CharUnits::Zero();
- const ElementRegion *ER = this;
- const MemRegion *superR = NULL;
- ASTContext &C = getContext();
-
- // FIXME: Handle multi-dimensional arrays.
-
- while (ER) {
- superR = ER->getSuperRegion();
-
- // FIXME: generalize to symbolic offsets.
- SVal index = ER->getIndex();
- if (nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(&index)) {
- // Update the offset.
- int64_t i = CI->getValue().getSExtValue();
-
- if (i != 0) {
- QualType elemType = ER->getElementType();
-
- // If we are pointing to an incomplete type, go no further.
- if (!IsCompleteType(C, elemType)) {
- superR = ER;
- break;
- }
-
- CharUnits size = C.getTypeSizeInChars(elemType);
- offset += (i * size);
- }
-
- // Go to the next ElementRegion (if any).
- ER = dyn_cast<ElementRegion>(superR);
- continue;
- }
-
- return NULL;
- }
-
- assert(superR && "super region cannot be NULL");
- return RegionRawOffset(superR, offset.getQuantity());
-}
-
-RegionOffset MemRegion::getAsOffset() const {
- const MemRegion *R = this;
- int64_t Offset = 0;
-
- while (1) {
- switch (R->getKind()) {
- default:
- return RegionOffset(0);
- case SymbolicRegionKind:
- case AllocaRegionKind:
- case CompoundLiteralRegionKind:
- case CXXThisRegionKind:
- case StringRegionKind:
- case VarRegionKind:
- case CXXTempObjectRegionKind:
- goto Finish;
- case ElementRegionKind: {
- const ElementRegion *ER = cast<ElementRegion>(R);
- QualType EleTy = ER->getValueType();
-
- if (!IsCompleteType(getContext(), EleTy))
- return RegionOffset(0);
-
- SVal Index = ER->getIndex();
- if (const nonloc::ConcreteInt *CI=dyn_cast<nonloc::ConcreteInt>(&Index)) {
- int64_t i = CI->getValue().getSExtValue();
- CharUnits Size = getContext().getTypeSizeInChars(EleTy);
- Offset += i * Size.getQuantity() * 8;
- } else {
- // We cannot compute offset for non-concrete index.
- return RegionOffset(0);
- }
- R = ER->getSuperRegion();
- break;
- }
- case FieldRegionKind: {
- const FieldRegion *FR = cast<FieldRegion>(R);
- const RecordDecl *RD = FR->getDecl()->getParent();
- if (!RD->isDefinition())
- // We cannot compute offset for incomplete type.
- return RegionOffset(0);
- // Get the field number.
- unsigned idx = 0;
- for (RecordDecl::field_iterator FI = RD->field_begin(),
- FE = RD->field_end(); FI != FE; ++FI, ++idx)
- if (FR->getDecl() == *FI)
- break;
-
- const ASTRecordLayout &Layout = getContext().getASTRecordLayout(RD);
- // This is offset in bits.
- Offset += Layout.getFieldOffset(idx);
- R = FR->getSuperRegion();
- break;
- }
- }
- }
-
- Finish:
- return RegionOffset(R, Offset);
-}
-
-//===----------------------------------------------------------------------===//
-// BlockDataRegion
-//===----------------------------------------------------------------------===//
-
-void BlockDataRegion::LazyInitializeReferencedVars() {
- if (ReferencedVars)
- return;
-
- AnalysisContext *AC = getCodeRegion()->getAnalysisContext();
- AnalysisContext::referenced_decls_iterator I, E;
- llvm::tie(I, E) = AC->getReferencedBlockVars(BC->getDecl());
-
- if (I == E) {
- ReferencedVars = (void*) 0x1;
- return;
- }
-
- MemRegionManager &MemMgr = *getMemRegionManager();
- llvm::BumpPtrAllocator &A = MemMgr.getAllocator();
- BumpVectorContext BC(A);
-
- typedef BumpVector<const MemRegion*> VarVec;
- VarVec *BV = (VarVec*) A.Allocate<VarVec>();
- new (BV) VarVec(BC, E - I);
-
- for ( ; I != E; ++I) {
- const VarDecl *VD = *I;
- const VarRegion *VR = 0;
-
- if (!VD->getAttr<BlocksAttr>() && VD->hasLocalStorage())
- VR = MemMgr.getVarRegion(VD, this);
- else {
- if (LC)
- VR = MemMgr.getVarRegion(VD, LC);
- else {
- VR = MemMgr.getVarRegion(VD, MemMgr.getUnknownRegion());
- }
- }
-
- assert(VR);
- BV->push_back(VR, BC);
- }
-
- ReferencedVars = BV;
-}
-
-BlockDataRegion::referenced_vars_iterator
-BlockDataRegion::referenced_vars_begin() const {
- const_cast<BlockDataRegion*>(this)->LazyInitializeReferencedVars();
-
- BumpVector<const MemRegion*> *Vec =
- static_cast<BumpVector<const MemRegion*>*>(ReferencedVars);
-
- return BlockDataRegion::referenced_vars_iterator(Vec == (void*) 0x1 ?
- NULL : Vec->begin());
-}
-
-BlockDataRegion::referenced_vars_iterator
-BlockDataRegion::referenced_vars_end() const {
- const_cast<BlockDataRegion*>(this)->LazyInitializeReferencedVars();
-
- BumpVector<const MemRegion*> *Vec =
- static_cast<BumpVector<const MemRegion*>*>(ReferencedVars);
-
- return BlockDataRegion::referenced_vars_iterator(Vec == (void*) 0x1 ?
- NULL : Vec->end());
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/PathDiagnostic.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/PathDiagnostic.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/PathDiagnostic.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/PathDiagnostic.cpp (removed)
@@ -1,279 +0,0 @@
-//===--- PathDiagnostic.cpp - Path-Specific Diagnostic Handling -*- C++ -*-===//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines the PathDiagnostic-related interfaces.
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/StaticAnalyzer/BugReporter/PathDiagnostic.h"
-#include "clang/AST/Expr.h"
-#include "clang/AST/Decl.h"
-#include "clang/AST/DeclObjC.h"
-#include "clang/AST/StmtCXX.h"
-#include "llvm/ADT/SmallString.h"
-#include "llvm/Support/Casting.h"
-
-using namespace clang;
-using namespace ento;
-using llvm::dyn_cast;
-using llvm::isa;
-
-bool PathDiagnosticMacroPiece::containsEvent() const {
- for (const_iterator I = begin(), E = end(); I!=E; ++I) {
- if (isa<PathDiagnosticEventPiece>(*I))
- return true;
-
- if (PathDiagnosticMacroPiece *MP = dyn_cast<PathDiagnosticMacroPiece>(*I))
- if (MP->containsEvent())
- return true;
- }
-
- return false;
-}
-
-static llvm::StringRef StripTrailingDots(llvm::StringRef s) {
- for (llvm::StringRef::size_type i = s.size(); i != 0; --i)
- if (s[i - 1] != '.')
- return s.substr(0, i);
- return "";
-}
-
-PathDiagnosticPiece::PathDiagnosticPiece(llvm::StringRef s,
- Kind k, DisplayHint hint)
- : str(StripTrailingDots(s)), kind(k), Hint(hint) {}
-
-PathDiagnosticPiece::PathDiagnosticPiece(Kind k, DisplayHint hint)
- : kind(k), Hint(hint) {}
-
-PathDiagnosticPiece::~PathDiagnosticPiece() {}
-PathDiagnosticEventPiece::~PathDiagnosticEventPiece() {}
-PathDiagnosticControlFlowPiece::~PathDiagnosticControlFlowPiece() {}
-
-PathDiagnosticMacroPiece::~PathDiagnosticMacroPiece() {
- for (iterator I = begin(), E = end(); I != E; ++I) delete *I;
-}
-
-PathDiagnostic::PathDiagnostic() : Size(0) {}
-
-PathDiagnostic::~PathDiagnostic() {
- for (iterator I = begin(), E = end(); I != E; ++I) delete &*I;
-}
-
-void PathDiagnostic::resetPath(bool deletePieces) {
- Size = 0;
-
- if (deletePieces)
- for (iterator I=begin(), E=end(); I!=E; ++I)
- delete &*I;
-
- path.clear();
-}
-
-
-PathDiagnostic::PathDiagnostic(llvm::StringRef bugtype, llvm::StringRef desc,
- llvm::StringRef category)
- : Size(0),
- BugType(StripTrailingDots(bugtype)),
- Desc(StripTrailingDots(desc)),
- Category(StripTrailingDots(category)) {}
-
-void PathDiagnosticClient::HandleDiagnostic(Diagnostic::Level DiagLevel,
- const DiagnosticInfo &Info) {
- // Default implementation (Warnings/errors count).
- DiagnosticClient::HandleDiagnostic(DiagLevel, Info);
-
- // Create a PathDiagnostic with a single piece.
-
- PathDiagnostic* D = new PathDiagnostic();
-
- const char *LevelStr;
- switch (DiagLevel) {
- default:
- case Diagnostic::Ignored: assert(0 && "Invalid diagnostic type");
- case Diagnostic::Note: LevelStr = "note: "; break;
- case Diagnostic::Warning: LevelStr = "warning: "; break;
- case Diagnostic::Error: LevelStr = "error: "; break;
- case Diagnostic::Fatal: LevelStr = "fatal error: "; break;
- }
-
- llvm::SmallString<100> StrC;
- StrC += LevelStr;
- Info.FormatDiagnostic(StrC);
-
- PathDiagnosticPiece *P =
- new PathDiagnosticEventPiece(FullSourceLoc(Info.getLocation(),
- Info.getSourceManager()),
- StrC.str());
-
- for (unsigned i = 0, e = Info.getNumRanges(); i != e; ++i)
- P->addRange(Info.getRange(i).getAsRange());
- for (unsigned i = 0, e = Info.getNumFixItHints(); i != e; ++i)
- P->addFixItHint(Info.getFixItHint(i));
- D->push_front(P);
-
- HandlePathDiagnostic(D);
-}
-
-//===----------------------------------------------------------------------===//
-// PathDiagnosticLocation methods.
-//===----------------------------------------------------------------------===//
-
-FullSourceLoc PathDiagnosticLocation::asLocation() const {
- assert(isValid());
- // Note that we want a 'switch' here so that the compiler can warn us in
- // case we add more cases.
- switch (K) {
- case SingleLocK:
- case RangeK:
- break;
- case StmtK:
- return FullSourceLoc(S->getLocStart(), const_cast<SourceManager&>(*SM));
- case DeclK:
- return FullSourceLoc(D->getLocation(), const_cast<SourceManager&>(*SM));
- }
-
- return FullSourceLoc(R.getBegin(), const_cast<SourceManager&>(*SM));
-}
-
-PathDiagnosticRange PathDiagnosticLocation::asRange() const {
- assert(isValid());
- // Note that we want a 'switch' here so that the compiler can warn us in
- // case we add more cases.
- switch (K) {
- case SingleLocK:
- return PathDiagnosticRange(R, true);
- case RangeK:
- break;
- case StmtK: {
- const Stmt *S = asStmt();
- switch (S->getStmtClass()) {
- default:
- break;
- case Stmt::DeclStmtClass: {
- const DeclStmt *DS = cast<DeclStmt>(S);
- if (DS->isSingleDecl()) {
- // Should always be the case, but we'll be defensive.
- return SourceRange(DS->getLocStart(),
- DS->getSingleDecl()->getLocation());
- }
- break;
- }
- // FIXME: Provide better range information for different
- // terminators.
- case Stmt::IfStmtClass:
- case Stmt::WhileStmtClass:
- case Stmt::DoStmtClass:
- case Stmt::ForStmtClass:
- case Stmt::ChooseExprClass:
- case Stmt::IndirectGotoStmtClass:
- case Stmt::SwitchStmtClass:
- case Stmt::ConditionalOperatorClass:
- case Stmt::ObjCForCollectionStmtClass: {
- SourceLocation L = S->getLocStart();
- return SourceRange(L, L);
- }
- }
-
- return S->getSourceRange();
- }
- case DeclK:
- if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(D))
- return MD->getSourceRange();
- if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) {
- if (Stmt *Body = FD->getBody())
- return Body->getSourceRange();
- }
- else {
- SourceLocation L = D->getLocation();
- return PathDiagnosticRange(SourceRange(L, L), true);
- }
- }
-
- return R;
-}
-
-void PathDiagnosticLocation::flatten() {
- if (K == StmtK) {
- R = asRange();
- K = RangeK;
- S = 0;
- D = 0;
- }
- else if (K == DeclK) {
- SourceLocation L = D->getLocation();
- R = SourceRange(L, L);
- K = SingleLocK;
- S = 0;
- D = 0;
- }
-}
-
-//===----------------------------------------------------------------------===//
-// FoldingSet profiling methods.
-//===----------------------------------------------------------------------===//
-
-void PathDiagnosticLocation::Profile(llvm::FoldingSetNodeID &ID) const {
- ID.AddInteger((unsigned) K);
- switch (K) {
- case RangeK:
- ID.AddInteger(R.getBegin().getRawEncoding());
- ID.AddInteger(R.getEnd().getRawEncoding());
- break;
- case SingleLocK:
- ID.AddInteger(R.getBegin().getRawEncoding());
- break;
- case StmtK:
- ID.Add(S);
- break;
- case DeclK:
- ID.Add(D);
- break;
- }
- return;
-}
-
-void PathDiagnosticPiece::Profile(llvm::FoldingSetNodeID &ID) const {
- ID.AddInteger((unsigned) getKind());
- ID.AddString(str);
- // FIXME: Add profiling support for code hints.
- ID.AddInteger((unsigned) getDisplayHint());
- for (range_iterator I = ranges_begin(), E = ranges_end(); I != E; ++I) {
- ID.AddInteger(I->getBegin().getRawEncoding());
- ID.AddInteger(I->getEnd().getRawEncoding());
- }
-}
-
-void PathDiagnosticSpotPiece::Profile(llvm::FoldingSetNodeID &ID) const {
- PathDiagnosticPiece::Profile(ID);
- ID.Add(Pos);
-}
-
-void PathDiagnosticControlFlowPiece::Profile(llvm::FoldingSetNodeID &ID) const {
- PathDiagnosticPiece::Profile(ID);
- for (const_iterator I = begin(), E = end(); I != E; ++I)
- ID.Add(*I);
-}
-
-void PathDiagnosticMacroPiece::Profile(llvm::FoldingSetNodeID &ID) const {
- PathDiagnosticSpotPiece::Profile(ID);
- for (const_iterator I = begin(), E = end(); I != E; ++I)
- ID.Add(**I);
-}
-
-void PathDiagnostic::Profile(llvm::FoldingSetNodeID &ID) const {
- ID.AddInteger(Size);
- ID.AddString(BugType);
- ID.AddString(Desc);
- ID.AddString(Category);
- for (const_iterator I = begin(), E = end(); I != E; ++I)
- ID.Add(*I);
-
- for (meta_iterator I = meta_begin(), E = meta_end(); I != E; ++I)
- ID.AddString(*I);
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/PlistDiagnostics.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/PlistDiagnostics.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/PlistDiagnostics.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/PlistDiagnostics.cpp (removed)
@@ -1,472 +0,0 @@
-//===--- PlistDiagnostics.cpp - Plist Diagnostics for Paths -----*- C++ -*-===//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines the PlistDiagnostics object.
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/StaticAnalyzer/PathDiagnosticClients.h"
-#include "clang/StaticAnalyzer/BugReporter/PathDiagnostic.h"
-#include "clang/Basic/SourceManager.h"
-#include "clang/Basic/FileManager.h"
-#include "clang/Lex/Preprocessor.h"
-#include "llvm/Support/raw_ostream.h"
-#include "llvm/Support/Casting.h"
-#include "llvm/ADT/DenseMap.h"
-#include "llvm/ADT/SmallVector.h"
-using namespace clang;
-using namespace ento;
-using llvm::cast;
-
-typedef llvm::DenseMap<FileID, unsigned> FIDMap;
-
-namespace clang {
- class Preprocessor;
-}
-
-namespace {
-struct CompareDiagnostics {
- // Compare if 'X' is "<" than 'Y'.
- bool operator()(const PathDiagnostic *X, const PathDiagnostic *Y) const {
- // First compare by location
- const FullSourceLoc &XLoc = X->getLocation().asLocation();
- const FullSourceLoc &YLoc = Y->getLocation().asLocation();
- if (XLoc < YLoc)
- return true;
- if (XLoc != YLoc)
- return false;
-
- // Next, compare by bug type.
- llvm::StringRef XBugType = X->getBugType();
- llvm::StringRef YBugType = Y->getBugType();
- if (XBugType < YBugType)
- return true;
- if (XBugType != YBugType)
- return false;
-
- // Next, compare by bug description.
- llvm::StringRef XDesc = X->getDescription();
- llvm::StringRef YDesc = Y->getDescription();
- if (XDesc < YDesc)
- return true;
- if (XDesc != YDesc)
- return false;
-
- // FIXME: Further refine by comparing PathDiagnosticPieces?
- return false;
- }
-};
-}
-
-namespace {
- class PlistDiagnostics : public PathDiagnosticClient {
- std::vector<const PathDiagnostic*> BatchedDiags;
- const std::string OutputFile;
- const LangOptions &LangOpts;
- llvm::OwningPtr<PathDiagnosticClient> SubPD;
- bool flushed;
- public:
- PlistDiagnostics(const std::string& prefix, const LangOptions &LangOpts,
- PathDiagnosticClient *subPD);
-
- ~PlistDiagnostics() { FlushDiagnostics(NULL); }
-
- void FlushDiagnostics(llvm::SmallVectorImpl<std::string> *FilesMade);
-
- void HandlePathDiagnostic(const PathDiagnostic* D);
-
- virtual llvm::StringRef getName() const {
- return "PlistDiagnostics";
- }
-
- PathGenerationScheme getGenerationScheme() const;
- bool supportsLogicalOpControlFlow() const { return true; }
- bool supportsAllBlockEdges() const { return true; }
- virtual bool useVerboseDescription() const { return false; }
- };
-} // end anonymous namespace
-
-PlistDiagnostics::PlistDiagnostics(const std::string& output,
- const LangOptions &LO,
- PathDiagnosticClient *subPD)
- : OutputFile(output), LangOpts(LO), SubPD(subPD), flushed(false) {}
-
-PathDiagnosticClient*
-ento::createPlistDiagnosticClient(const std::string& s, const Preprocessor &PP,
- PathDiagnosticClient *subPD) {
- return new PlistDiagnostics(s, PP.getLangOptions(), subPD);
-}
-
-PathDiagnosticClient::PathGenerationScheme
-PlistDiagnostics::getGenerationScheme() const {
- if (const PathDiagnosticClient *PD = SubPD.get())
- return PD->getGenerationScheme();
-
- return Extensive;
-}
-
-static void AddFID(FIDMap &FIDs, llvm::SmallVectorImpl<FileID> &V,
- const SourceManager* SM, SourceLocation L) {
-
- FileID FID = SM->getFileID(SM->getInstantiationLoc(L));
- FIDMap::iterator I = FIDs.find(FID);
- if (I != FIDs.end()) return;
- FIDs[FID] = V.size();
- V.push_back(FID);
-}
-
-static unsigned GetFID(const FIDMap& FIDs, const SourceManager &SM,
- SourceLocation L) {
- FileID FID = SM.getFileID(SM.getInstantiationLoc(L));
- FIDMap::const_iterator I = FIDs.find(FID);
- assert(I != FIDs.end());
- return I->second;
-}
-
-static llvm::raw_ostream& Indent(llvm::raw_ostream& o, const unsigned indent) {
- for (unsigned i = 0; i < indent; ++i) o << ' ';
- return o;
-}
-
-static void EmitLocation(llvm::raw_ostream& o, const SourceManager &SM,
- const LangOptions &LangOpts,
- SourceLocation L, const FIDMap &FM,
- unsigned indent, bool extend = false) {
-
- FullSourceLoc Loc(SM.getInstantiationLoc(L), const_cast<SourceManager&>(SM));
-
- // Add in the length of the token, so that we cover multi-char tokens.
- unsigned offset =
- extend ? Lexer::MeasureTokenLength(Loc, SM, LangOpts) - 1 : 0;
-
- Indent(o, indent) << "<dict>\n";
- Indent(o, indent) << " <key>line</key><integer>"
- << Loc.getInstantiationLineNumber() << "</integer>\n";
- Indent(o, indent) << " <key>col</key><integer>"
- << Loc.getInstantiationColumnNumber() + offset << "</integer>\n";
- Indent(o, indent) << " <key>file</key><integer>"
- << GetFID(FM, SM, Loc) << "</integer>\n";
- Indent(o, indent) << "</dict>\n";
-}
-
-static void EmitLocation(llvm::raw_ostream& o, const SourceManager &SM,
- const LangOptions &LangOpts,
- const PathDiagnosticLocation &L, const FIDMap& FM,
- unsigned indent, bool extend = false) {
- EmitLocation(o, SM, LangOpts, L.asLocation(), FM, indent, extend);
-}
-
-static void EmitRange(llvm::raw_ostream& o, const SourceManager &SM,
- const LangOptions &LangOpts,
- PathDiagnosticRange R, const FIDMap &FM,
- unsigned indent) {
- Indent(o, indent) << "<array>\n";
- EmitLocation(o, SM, LangOpts, R.getBegin(), FM, indent+1);
- EmitLocation(o, SM, LangOpts, R.getEnd(), FM, indent+1, !R.isPoint);
- Indent(o, indent) << "</array>\n";
-}
-
-static llvm::raw_ostream& EmitString(llvm::raw_ostream& o,
- const std::string& s) {
- o << "<string>";
- for (std::string::const_iterator I=s.begin(), E=s.end(); I!=E; ++I) {
- char c = *I;
- switch (c) {
- default: o << c; break;
- case '&': o << "&"; break;
- case '<': o << "<"; break;
- case '>': o << ">"; break;
- case '\'': o << "'"; break;
- case '\"': o << """; break;
- }
- }
- o << "</string>";
- return o;
-}
-
-static void ReportControlFlow(llvm::raw_ostream& o,
- const PathDiagnosticControlFlowPiece& P,
- const FIDMap& FM,
- const SourceManager &SM,
- const LangOptions &LangOpts,
- unsigned indent) {
-
- Indent(o, indent) << "<dict>\n";
- ++indent;
-
- Indent(o, indent) << "<key>kind</key><string>control</string>\n";
-
- // Emit edges.
- Indent(o, indent) << "<key>edges</key>\n";
- ++indent;
- Indent(o, indent) << "<array>\n";
- ++indent;
- for (PathDiagnosticControlFlowPiece::const_iterator I=P.begin(), E=P.end();
- I!=E; ++I) {
- Indent(o, indent) << "<dict>\n";
- ++indent;
- Indent(o, indent) << "<key>start</key>\n";
- EmitRange(o, SM, LangOpts, I->getStart().asRange(), FM, indent+1);
- Indent(o, indent) << "<key>end</key>\n";
- EmitRange(o, SM, LangOpts, I->getEnd().asRange(), FM, indent+1);
- --indent;
- Indent(o, indent) << "</dict>\n";
- }
- --indent;
- Indent(o, indent) << "</array>\n";
- --indent;
-
- // Output any helper text.
- const std::string& s = P.getString();
- if (!s.empty()) {
- Indent(o, indent) << "<key>alternate</key>";
- EmitString(o, s) << '\n';
- }
-
- --indent;
- Indent(o, indent) << "</dict>\n";
-}
-
-static void ReportEvent(llvm::raw_ostream& o, const PathDiagnosticPiece& P,
- const FIDMap& FM,
- const SourceManager &SM,
- const LangOptions &LangOpts,
- unsigned indent) {
-
- Indent(o, indent) << "<dict>\n";
- ++indent;
-
- Indent(o, indent) << "<key>kind</key><string>event</string>\n";
-
- // Output the location.
- FullSourceLoc L = P.getLocation().asLocation();
-
- Indent(o, indent) << "<key>location</key>\n";
- EmitLocation(o, SM, LangOpts, L, FM, indent);
-
- // Output the ranges (if any).
- PathDiagnosticPiece::range_iterator RI = P.ranges_begin(),
- RE = P.ranges_end();
-
- if (RI != RE) {
- Indent(o, indent) << "<key>ranges</key>\n";
- Indent(o, indent) << "<array>\n";
- ++indent;
- for (; RI != RE; ++RI)
- EmitRange(o, SM, LangOpts, *RI, FM, indent+1);
- --indent;
- Indent(o, indent) << "</array>\n";
- }
-
- // Output the text.
- assert(!P.getString().empty());
- Indent(o, indent) << "<key>extended_message</key>\n";
- Indent(o, indent);
- EmitString(o, P.getString()) << '\n';
-
- // Output the short text.
- // FIXME: Really use a short string.
- Indent(o, indent) << "<key>message</key>\n";
- EmitString(o, P.getString()) << '\n';
-
- // Finish up.
- --indent;
- Indent(o, indent); o << "</dict>\n";
-}
-
-static void ReportMacro(llvm::raw_ostream& o,
- const PathDiagnosticMacroPiece& P,
- const FIDMap& FM, const SourceManager &SM,
- const LangOptions &LangOpts,
- unsigned indent) {
-
- for (PathDiagnosticMacroPiece::const_iterator I=P.begin(), E=P.end();
- I!=E; ++I) {
-
- switch ((*I)->getKind()) {
- default:
- break;
- case PathDiagnosticPiece::Event:
- ReportEvent(o, cast<PathDiagnosticEventPiece>(**I), FM, SM, LangOpts,
- indent);
- break;
- case PathDiagnosticPiece::Macro:
- ReportMacro(o, cast<PathDiagnosticMacroPiece>(**I), FM, SM, LangOpts,
- indent);
- break;
- }
- }
-}
-
-static void ReportDiag(llvm::raw_ostream& o, const PathDiagnosticPiece& P,
- const FIDMap& FM, const SourceManager &SM,
- const LangOptions &LangOpts) {
-
- unsigned indent = 4;
-
- switch (P.getKind()) {
- case PathDiagnosticPiece::ControlFlow:
- ReportControlFlow(o, cast<PathDiagnosticControlFlowPiece>(P), FM, SM,
- LangOpts, indent);
- break;
- case PathDiagnosticPiece::Event:
- ReportEvent(o, cast<PathDiagnosticEventPiece>(P), FM, SM, LangOpts,
- indent);
- break;
- case PathDiagnosticPiece::Macro:
- ReportMacro(o, cast<PathDiagnosticMacroPiece>(P), FM, SM, LangOpts,
- indent);
- break;
- }
-}
-
-void PlistDiagnostics::HandlePathDiagnostic(const PathDiagnostic* D) {
- if (!D)
- return;
-
- if (D->empty()) {
- delete D;
- return;
- }
-
- // We need to flatten the locations (convert Stmt* to locations) because
- // the referenced statements may be freed by the time the diagnostics
- // are emitted.
- const_cast<PathDiagnostic*>(D)->flattenLocations();
- BatchedDiags.push_back(D);
-}
-
-void PlistDiagnostics::FlushDiagnostics(llvm::SmallVectorImpl<std::string>
- *FilesMade) {
-
- if (flushed)
- return;
-
- flushed = true;
-
- // Sort the diagnostics so that they are always emitted in a deterministic
- // order.
- if (!BatchedDiags.empty())
- std::sort(BatchedDiags.begin(), BatchedDiags.end(), CompareDiagnostics());
-
- // Build up a set of FIDs that we use by scanning the locations and
- // ranges of the diagnostics.
- FIDMap FM;
- llvm::SmallVector<FileID, 10> Fids;
- const SourceManager* SM = 0;
-
- if (!BatchedDiags.empty())
- SM = &(*BatchedDiags.begin())->begin()->getLocation().getManager();
-
- for (std::vector<const PathDiagnostic*>::iterator DI = BatchedDiags.begin(),
- DE = BatchedDiags.end(); DI != DE; ++DI) {
-
- const PathDiagnostic *D = *DI;
-
- for (PathDiagnostic::const_iterator I=D->begin(), E=D->end(); I!=E; ++I) {
- AddFID(FM, Fids, SM, I->getLocation().asLocation());
-
- for (PathDiagnosticPiece::range_iterator RI=I->ranges_begin(),
- RE=I->ranges_end(); RI!=RE; ++RI) {
- AddFID(FM, Fids, SM, RI->getBegin());
- AddFID(FM, Fids, SM, RI->getEnd());
- }
- }
- }
-
- // Open the file.
- std::string ErrMsg;
- llvm::raw_fd_ostream o(OutputFile.c_str(), ErrMsg);
- if (!ErrMsg.empty()) {
- llvm::errs() << "warning: could not creat file: " << OutputFile << '\n';
- return;
- }
-
- // Write the plist header.
- o << "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
- "<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\" "
- "\"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n"
- "<plist version=\"1.0\">\n";
-
- // Write the root object: a <dict> containing...
- // - "files", an <array> mapping from FIDs to file names
- // - "diagnostics", an <array> containing the path diagnostics
- o << "<dict>\n"
- " <key>files</key>\n"
- " <array>\n";
-
- for (llvm::SmallVectorImpl<FileID>::iterator I=Fids.begin(), E=Fids.end();
- I!=E; ++I) {
- o << " ";
- EmitString(o, SM->getFileEntryForID(*I)->getName()) << '\n';
- }
-
- o << " </array>\n"
- " <key>diagnostics</key>\n"
- " <array>\n";
-
- for (std::vector<const PathDiagnostic*>::iterator DI=BatchedDiags.begin(),
- DE = BatchedDiags.end(); DI!=DE; ++DI) {
-
- o << " <dict>\n"
- " <key>path</key>\n";
-
- const PathDiagnostic *D = *DI;
- // Create an owning smart pointer for 'D' just so that we auto-free it
- // when we exit this method.
- llvm::OwningPtr<PathDiagnostic> OwnedD(const_cast<PathDiagnostic*>(D));
-
- o << " <array>\n";
-
- for (PathDiagnostic::const_iterator I=D->begin(), E=D->end(); I != E; ++I)
- ReportDiag(o, *I, FM, *SM, LangOpts);
-
- o << " </array>\n";
-
- // Output the bug type and bug category.
- o << " <key>description</key>";
- EmitString(o, D->getDescription()) << '\n';
- o << " <key>category</key>";
- EmitString(o, D->getCategory()) << '\n';
- o << " <key>type</key>";
- EmitString(o, D->getBugType()) << '\n';
-
- // Output the location of the bug.
- o << " <key>location</key>\n";
- EmitLocation(o, *SM, LangOpts, D->getLocation(), FM, 2);
-
- // Output the diagnostic to the sub-diagnostic client, if any.
- if (SubPD) {
- SubPD->HandlePathDiagnostic(OwnedD.take());
- llvm::SmallVector<std::string, 1> SubFilesMade;
- SubPD->FlushDiagnostics(SubFilesMade);
-
- if (!SubFilesMade.empty()) {
- o << " <key>" << SubPD->getName() << "_files</key>\n";
- o << " <array>\n";
- for (size_t i = 0, n = SubFilesMade.size(); i < n ; ++i)
- o << " <string>" << SubFilesMade[i] << "</string>\n";
- o << " </array>\n";
- }
- }
-
- // Close up the entry.
- o << " </dict>\n";
- }
-
- o << " </array>\n";
-
- // Finish.
- o << "</dict>\n</plist>";
-
- if (FilesMade)
- FilesMade->push_back(OutputFile);
-
- BatchedDiags.clear();
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/README.txt
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/README.txt?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/README.txt (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/README.txt (removed)
@@ -1,117 +0,0 @@
-//===----------------------------------------------------------------------===//
-// Clang Static Analyzer
-//===----------------------------------------------------------------------===//
-
-= Library Structure =
-
-The analyzer library has two layers: a (low-level) static analysis
-engine (GRExprEngine.cpp and friends), and some static checkers
-(*Checker.cpp). The latter are built on top of the former via the
-Checker and CheckerVisitor interfaces (Checker.h and
-CheckerVisitor.h). The Checker interface is designed to be minimal
-and simple for checker writers, and attempts to isolate them from much
-of the gore of the internal analysis engine.
-
-= How It Works =
-
-The analyzer is inspired by several foundational research papers ([1],
-[2]). (FIXME: kremenek to add more links)
-
-In a nutshell, the analyzer is basically a source code simulator that
-traces out possible paths of execution. The state of the program
-(values of variables and expressions) is encapsulated by the state
-(GRState). A location in the program is called a program point
-(ProgramPoint), and the combination of state and program point is a
-node in an exploded graph (ExplodedGraph). The term "exploded" comes
-from exploding the control-flow edges in the control-flow graph (CFG).
-
-Conceptually the analyzer does a reachability analysis through the
-ExplodedGraph. We start at a root node, which has the entry program
-point and initial state, and then simulate transitions by analyzing
-individual expressions. The analysis of an expression can cause the
-state to change, resulting in a new node in the ExplodedGraph with an
-updated program point and an updated state. A bug is found by hitting
-a node that satisfies some "bug condition" (basically a violation of a
-checking invariant).
-
-The analyzer traces out multiple paths by reasoning about branches and
-then bifurcating the state: on the true branch the conditions of the
-branch are assumed to be true and on the false branch the conditions
-of the branch are assumed to be false. Such "assumptions" create
-constraints on the values of the program, and those constraints are
-recorded in the GRState object (and are manipulated by the
-ConstraintManager). If assuming the conditions of a branch would
-cause the constraints to be unsatisfiable, the branch is considered
-infeasible and that path is not taken. This is how we get
-path-sensitivity. We reduce exponential blow-up by caching nodes. If
-a new node with the same state and program point as an existing node
-would get generated, the path "caches out" and we simply reuse the
-existing node. Thus the ExplodedGraph is not a DAG; it can contain
-cycles as paths loop back onto each other and cache out.
-
-GRState and ExplodedNodes are basically immutable once created. Once
-one creates a GRState, you need to create a new one to get a new
-GRState. This immutability is key since the ExplodedGraph represents
-the behavior of the analyzed program from the entry point. To
-represent these efficiently, we use functional data structures (e.g.,
-ImmutableMaps) which share data between instances.
-
-Finally, individual Checkers work by also manipulating the analysis
-state. The analyzer engine talks to them via a visitor interface.
-For example, the PreVisitCallExpr() method is called by GRExprEngine
-to tell the Checker that we are about to analyze a CallExpr, and the
-checker is asked to check for any preconditions that might not be
-satisfied. The checker can do nothing, or it can generate a new
-GRState and ExplodedNode which contains updated checker state. If it
-finds a bug, it can tell the BugReporter object about the bug,
-providing it an ExplodedNode which is the last node in the path that
-triggered the problem.
-
-= Working on the Analyzer =
-
-If you are interested in bringing up support for C++ expressions, the
-best place to look is the visitation logic in GRExprEngine, which
-handles the simulation of individual expressions. There are plenty of
-examples there of how other expressions are handled.
-
-If you are interested in writing checkers, look at the Checker and
-CheckerVisitor interfaces (Checker.h and CheckerVisitor.h). Also look
-at the files named *Checker.cpp for examples on how you can implement
-these interfaces.
-
-= Debugging the Analyzer =
-
-There are some useful command-line options for debugging. For example:
-
-$ clang -cc1 -help | grep analyze
- -analyze-function <value>
- -analyzer-display-progress
- -analyzer-viz-egraph-graphviz
- ...
-
-The first allows you to specify only analyzing a specific function.
-The second prints to the console what function is being analyzed. The
-third generates a graphviz dot file of the ExplodedGraph. This is
-extremely useful when debugging the analyzer and viewing the
-simulation results.
-
-Of course, viewing the CFG (Control-Flow Graph) is also useful:
-
-$ clang -cc1 -help | grep cfg
- -cfg-add-implicit-dtors Add C++ implicit destructors to CFGs for all analyses
- -cfg-add-initializers Add C++ initializers to CFGs for all analyses
- -cfg-dump Display Control-Flow Graphs
- -cfg-view View Control-Flow Graphs using GraphViz
- -unoptimized-cfg Generate unoptimized CFGs for all analyses
-
--cfg-dump dumps a textual representation of the CFG to the console,
-and -cfg-view creates a GraphViz representation.
-
-= References =
-
-[1] Precise interprocedural dataflow analysis via graph reachability,
- T Reps, S Horwitz, and M Sagiv, POPL '95,
- http://portal.acm.org/citation.cfm?id=199462
-
-[2] A memory model for static analysis of C programs, Z Xu, T
- Kremenek, and J Zhang, http://lcs.ios.ac.cn/~xzx/memmodel.pdf
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/RangeConstraintManager.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/RangeConstraintManager.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/RangeConstraintManager.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/RangeConstraintManager.cpp (removed)
@@ -1,442 +0,0 @@
-//== RangeConstraintManager.cpp - Manage range constraints.------*- C++ -*--==//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines RangeConstraintManager, a class that tracks simple
-// equality and inequality constraints on symbolic values of GRState.
-//
-//===----------------------------------------------------------------------===//
-
-#include "SimpleConstraintManager.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRStateTrait.h"
-#include "clang/StaticAnalyzer/PathSensitive/TransferFuncs.h"
-#include "clang/StaticAnalyzer/ManagerRegistry.h"
-#include "llvm/Support/Debug.h"
-#include "llvm/ADT/FoldingSet.h"
-#include "llvm/ADT/ImmutableSet.h"
-#include "llvm/Support/raw_ostream.h"
-
-using namespace clang;
-using namespace ento;
-
-namespace { class ConstraintRange {}; }
-static int ConstraintRangeIndex = 0;
-
-/// A Range represents the closed range [from, to]. The caller must
-/// guarantee that from <= to. Note that Range is immutable, so as not
-/// to subvert RangeSet's immutability.
-namespace {
-class Range : public std::pair<const llvm::APSInt*,
- const llvm::APSInt*> {
-public:
- Range(const llvm::APSInt &from, const llvm::APSInt &to)
- : std::pair<const llvm::APSInt*, const llvm::APSInt*>(&from, &to) {
- assert(from <= to);
- }
- bool Includes(const llvm::APSInt &v) const {
- return *first <= v && v <= *second;
- }
- const llvm::APSInt &From() const {
- return *first;
- }
- const llvm::APSInt &To() const {
- return *second;
- }
- const llvm::APSInt *getConcreteValue() const {
- return &From() == &To() ? &From() : NULL;
- }
-
- void Profile(llvm::FoldingSetNodeID &ID) const {
- ID.AddPointer(&From());
- ID.AddPointer(&To());
- }
-};
-
-
-class RangeTrait : public llvm::ImutContainerInfo<Range> {
-public:
- // When comparing if one Range is less than another, we should compare
- // the actual APSInt values instead of their pointers. This keeps the order
- // consistent (instead of comparing by pointer values) and can potentially
- // be used to speed up some of the operations in RangeSet.
- static inline bool isLess(key_type_ref lhs, key_type_ref rhs) {
- return *lhs.first < *rhs.first || (!(*rhs.first < *lhs.first) &&
- *lhs.second < *rhs.second);
- }
-};
-
-/// RangeSet contains a set of ranges. If the set is empty, then
-/// there the value of a symbol is overly constrained and there are no
-/// possible values for that symbol.
-class RangeSet {
- typedef llvm::ImmutableSet<Range, RangeTrait> PrimRangeSet;
- PrimRangeSet ranges; // no need to make const, since it is an
- // ImmutableSet - this allows default operator=
- // to work.
-public:
- typedef PrimRangeSet::Factory Factory;
- typedef PrimRangeSet::iterator iterator;
-
- RangeSet(PrimRangeSet RS) : ranges(RS) {}
-
- iterator begin() const { return ranges.begin(); }
- iterator end() const { return ranges.end(); }
-
- bool isEmpty() const { return ranges.isEmpty(); }
-
- /// Construct a new RangeSet representing '{ [from, to] }'.
- RangeSet(Factory &F, const llvm::APSInt &from, const llvm::APSInt &to)
- : ranges(F.add(F.getEmptySet(), Range(from, to))) {}
-
- /// Profile - Generates a hash profile of this RangeSet for use
- /// by FoldingSet.
- void Profile(llvm::FoldingSetNodeID &ID) const { ranges.Profile(ID); }
-
- /// getConcreteValue - If a symbol is contrained to equal a specific integer
- /// constant then this method returns that value. Otherwise, it returns
- /// NULL.
- const llvm::APSInt* getConcreteValue() const {
- return ranges.isSingleton() ? ranges.begin()->getConcreteValue() : 0;
- }
-
-private:
- void IntersectInRange(BasicValueFactory &BV, Factory &F,
- const llvm::APSInt &Lower,
- const llvm::APSInt &Upper,
- PrimRangeSet &newRanges,
- PrimRangeSet::iterator &i,
- PrimRangeSet::iterator &e) const {
- // There are six cases for each range R in the set:
- // 1. R is entirely before the intersection range.
- // 2. R is entirely after the intersection range.
- // 3. R contains the entire intersection range.
- // 4. R starts before the intersection range and ends in the middle.
- // 5. R starts in the middle of the intersection range and ends after it.
- // 6. R is entirely contained in the intersection range.
- // These correspond to each of the conditions below.
- for (/* i = begin(), e = end() */; i != e; ++i) {
- if (i->To() < Lower) {
- continue;
- }
- if (i->From() > Upper) {
- break;
- }
-
- if (i->Includes(Lower)) {
- if (i->Includes(Upper)) {
- newRanges = F.add(newRanges, Range(BV.getValue(Lower),
- BV.getValue(Upper)));
- break;
- } else
- newRanges = F.add(newRanges, Range(BV.getValue(Lower), i->To()));
- } else {
- if (i->Includes(Upper)) {
- newRanges = F.add(newRanges, Range(i->From(), BV.getValue(Upper)));
- break;
- } else
- newRanges = F.add(newRanges, *i);
- }
- }
- }
-
-public:
- // Returns a set containing the values in the receiving set, intersected with
- // the closed range [Lower, Upper]. Unlike the Range type, this range uses
- // modular arithmetic, corresponding to the common treatment of C integer
- // overflow. Thus, if the Lower bound is greater than the Upper bound, the
- // range is taken to wrap around. This is equivalent to taking the
- // intersection with the two ranges [Min, Upper] and [Lower, Max],
- // or, alternatively, /removing/ all integers between Upper and Lower.
- RangeSet Intersect(BasicValueFactory &BV, Factory &F,
- const llvm::APSInt &Lower,
- const llvm::APSInt &Upper) const {
- PrimRangeSet newRanges = F.getEmptySet();
-
- PrimRangeSet::iterator i = begin(), e = end();
- if (Lower <= Upper)
- IntersectInRange(BV, F, Lower, Upper, newRanges, i, e);
- else {
- // The order of the next two statements is important!
- // IntersectInRange() does not reset the iteration state for i and e.
- // Therefore, the lower range most be handled first.
- IntersectInRange(BV, F, BV.getMinValue(Upper), Upper, newRanges, i, e);
- IntersectInRange(BV, F, Lower, BV.getMaxValue(Lower), newRanges, i, e);
- }
- return newRanges;
- }
-
- void print(llvm::raw_ostream &os) const {
- bool isFirst = true;
- os << "{ ";
- for (iterator i = begin(), e = end(); i != e; ++i) {
- if (isFirst)
- isFirst = false;
- else
- os << ", ";
-
- os << '[' << i->From().toString(10) << ", " << i->To().toString(10)
- << ']';
- }
- os << " }";
- }
-
- bool operator==(const RangeSet &other) const {
- return ranges == other.ranges;
- }
-};
-} // end anonymous namespace
-
-typedef llvm::ImmutableMap<SymbolRef,RangeSet> ConstraintRangeTy;
-
-namespace clang {
-namespace ento {
-template<>
-struct GRStateTrait<ConstraintRange>
- : public GRStatePartialTrait<ConstraintRangeTy> {
- static inline void* GDMIndex() { return &ConstraintRangeIndex; }
-};
-}
-}
-
-namespace {
-class RangeConstraintManager : public SimpleConstraintManager{
- RangeSet GetRange(const GRState *state, SymbolRef sym);
-public:
- RangeConstraintManager(SubEngine &subengine)
- : SimpleConstraintManager(subengine) {}
-
- const GRState *assumeSymNE(const GRState* state, SymbolRef sym,
- const llvm::APSInt& Int,
- const llvm::APSInt& Adjustment);
-
- const GRState *assumeSymEQ(const GRState* state, SymbolRef sym,
- const llvm::APSInt& Int,
- const llvm::APSInt& Adjustment);
-
- const GRState *assumeSymLT(const GRState* state, SymbolRef sym,
- const llvm::APSInt& Int,
- const llvm::APSInt& Adjustment);
-
- const GRState *assumeSymGT(const GRState* state, SymbolRef sym,
- const llvm::APSInt& Int,
- const llvm::APSInt& Adjustment);
-
- const GRState *assumeSymGE(const GRState* state, SymbolRef sym,
- const llvm::APSInt& Int,
- const llvm::APSInt& Adjustment);
-
- const GRState *assumeSymLE(const GRState* state, SymbolRef sym,
- const llvm::APSInt& Int,
- const llvm::APSInt& Adjustment);
-
- const llvm::APSInt* getSymVal(const GRState* St, SymbolRef sym) const;
-
- // FIXME: Refactor into SimpleConstraintManager?
- bool isEqual(const GRState* St, SymbolRef sym, const llvm::APSInt& V) const {
- const llvm::APSInt *i = getSymVal(St, sym);
- return i ? *i == V : false;
- }
-
- const GRState* RemoveDeadBindings(const GRState* St, SymbolReaper& SymReaper);
-
- void print(const GRState* St, llvm::raw_ostream& Out,
- const char* nl, const char *sep);
-
-private:
- RangeSet::Factory F;
-};
-
-} // end anonymous namespace
-
-ConstraintManager* ento::CreateRangeConstraintManager(GRStateManager&,
- SubEngine &subeng) {
- return new RangeConstraintManager(subeng);
-}
-
-const llvm::APSInt* RangeConstraintManager::getSymVal(const GRState* St,
- SymbolRef sym) const {
- const ConstraintRangeTy::data_type *T = St->get<ConstraintRange>(sym);
- return T ? T->getConcreteValue() : NULL;
-}
-
-/// Scan all symbols referenced by the constraints. If the symbol is not alive
-/// as marked in LSymbols, mark it as dead in DSymbols.
-const GRState*
-RangeConstraintManager::RemoveDeadBindings(const GRState* state,
- SymbolReaper& SymReaper) {
-
- ConstraintRangeTy CR = state->get<ConstraintRange>();
- ConstraintRangeTy::Factory& CRFactory = state->get_context<ConstraintRange>();
-
- for (ConstraintRangeTy::iterator I = CR.begin(), E = CR.end(); I != E; ++I) {
- SymbolRef sym = I.getKey();
- if (SymReaper.maybeDead(sym))
- CR = CRFactory.remove(CR, sym);
- }
-
- return state->set<ConstraintRange>(CR);
-}
-
-RangeSet
-RangeConstraintManager::GetRange(const GRState *state, SymbolRef sym) {
- if (ConstraintRangeTy::data_type* V = state->get<ConstraintRange>(sym))
- return *V;
-
- // Lazily generate a new RangeSet representing all possible values for the
- // given symbol type.
- QualType T = state->getSymbolManager().getType(sym);
- BasicValueFactory& BV = state->getBasicVals();
- return RangeSet(F, BV.getMinValue(T), BV.getMaxValue(T));
-}
-
-//===------------------------------------------------------------------------===
-// assumeSymX methods: public interface for RangeConstraintManager.
-//===------------------------------------------------------------------------===/
-
-// The syntax for ranges below is mathematical, using [x, y] for closed ranges
-// and (x, y) for open ranges. These ranges are modular, corresponding with
-// a common treatment of C integer overflow. This means that these methods
-// do not have to worry about overflow; RangeSet::Intersect can handle such a
-// "wraparound" range.
-// As an example, the range [UINT_MAX-1, 3) contains five values: UINT_MAX-1,
-// UINT_MAX, 0, 1, and 2.
-
-const GRState*
-RangeConstraintManager::assumeSymNE(const GRState* state, SymbolRef sym,
- const llvm::APSInt& Int,
- const llvm::APSInt& Adjustment) {
- BasicValueFactory &BV = state->getBasicVals();
-
- llvm::APSInt Lower = Int-Adjustment;
- llvm::APSInt Upper = Lower;
- --Lower;
- ++Upper;
-
- // [Int-Adjustment+1, Int-Adjustment-1]
- // Notice that the lower bound is greater than the upper bound.
- RangeSet New = GetRange(state, sym).Intersect(BV, F, Upper, Lower);
- return New.isEmpty() ? NULL : state->set<ConstraintRange>(sym, New);
-}
-
-const GRState*
-RangeConstraintManager::assumeSymEQ(const GRState* state, SymbolRef sym,
- const llvm::APSInt& Int,
- const llvm::APSInt& Adjustment) {
- // [Int-Adjustment, Int-Adjustment]
- BasicValueFactory &BV = state->getBasicVals();
- llvm::APSInt AdjInt = Int-Adjustment;
- RangeSet New = GetRange(state, sym).Intersect(BV, F, AdjInt, AdjInt);
- return New.isEmpty() ? NULL : state->set<ConstraintRange>(sym, New);
-}
-
-const GRState*
-RangeConstraintManager::assumeSymLT(const GRState* state, SymbolRef sym,
- const llvm::APSInt& Int,
- const llvm::APSInt& Adjustment) {
- BasicValueFactory &BV = state->getBasicVals();
-
- QualType T = state->getSymbolManager().getType(sym);
- const llvm::APSInt &Min = BV.getMinValue(T);
-
- // Special case for Int == Min. This is always false.
- if (Int == Min)
- return NULL;
-
- llvm::APSInt Lower = Min-Adjustment;
- llvm::APSInt Upper = Int-Adjustment;
- --Upper;
-
- RangeSet New = GetRange(state, sym).Intersect(BV, F, Lower, Upper);
- return New.isEmpty() ? NULL : state->set<ConstraintRange>(sym, New);
-}
-
-const GRState*
-RangeConstraintManager::assumeSymGT(const GRState* state, SymbolRef sym,
- const llvm::APSInt& Int,
- const llvm::APSInt& Adjustment) {
- BasicValueFactory &BV = state->getBasicVals();
-
- QualType T = state->getSymbolManager().getType(sym);
- const llvm::APSInt &Max = BV.getMaxValue(T);
-
- // Special case for Int == Max. This is always false.
- if (Int == Max)
- return NULL;
-
- llvm::APSInt Lower = Int-Adjustment;
- llvm::APSInt Upper = Max-Adjustment;
- ++Lower;
-
- RangeSet New = GetRange(state, sym).Intersect(BV, F, Lower, Upper);
- return New.isEmpty() ? NULL : state->set<ConstraintRange>(sym, New);
-}
-
-const GRState*
-RangeConstraintManager::assumeSymGE(const GRState* state, SymbolRef sym,
- const llvm::APSInt& Int,
- const llvm::APSInt& Adjustment) {
- BasicValueFactory &BV = state->getBasicVals();
-
- QualType T = state->getSymbolManager().getType(sym);
- const llvm::APSInt &Min = BV.getMinValue(T);
-
- // Special case for Int == Min. This is always feasible.
- if (Int == Min)
- return state;
-
- const llvm::APSInt &Max = BV.getMaxValue(T);
-
- llvm::APSInt Lower = Int-Adjustment;
- llvm::APSInt Upper = Max-Adjustment;
-
- RangeSet New = GetRange(state, sym).Intersect(BV, F, Lower, Upper);
- return New.isEmpty() ? NULL : state->set<ConstraintRange>(sym, New);
-}
-
-const GRState*
-RangeConstraintManager::assumeSymLE(const GRState* state, SymbolRef sym,
- const llvm::APSInt& Int,
- const llvm::APSInt& Adjustment) {
- BasicValueFactory &BV = state->getBasicVals();
-
- QualType T = state->getSymbolManager().getType(sym);
- const llvm::APSInt &Max = BV.getMaxValue(T);
-
- // Special case for Int == Max. This is always feasible.
- if (Int == Max)
- return state;
-
- const llvm::APSInt &Min = BV.getMinValue(T);
-
- llvm::APSInt Lower = Min-Adjustment;
- llvm::APSInt Upper = Int-Adjustment;
-
- RangeSet New = GetRange(state, sym).Intersect(BV, F, Lower, Upper);
- return New.isEmpty() ? NULL : state->set<ConstraintRange>(sym, New);
-}
-
-//===------------------------------------------------------------------------===
-// Pretty-printing.
-//===------------------------------------------------------------------------===/
-
-void RangeConstraintManager::print(const GRState* St, llvm::raw_ostream& Out,
- const char* nl, const char *sep) {
-
- ConstraintRangeTy Ranges = St->get<ConstraintRange>();
-
- if (Ranges.isEmpty())
- return;
-
- Out << nl << sep << "ranges of symbol values:";
-
- for (ConstraintRangeTy::iterator I=Ranges.begin(), E=Ranges.end(); I!=E; ++I){
- Out << nl << ' ' << I.getKey() << " : ";
- I.getData().print(Out);
- }
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/RegionStore.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/RegionStore.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/RegionStore.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/RegionStore.cpp (removed)
@@ -1,1875 +0,0 @@
-//== RegionStore.cpp - Field-sensitive store model --------------*- C++ -*--==//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines a basic region store model. In this model, we do have field
-// sensitivity. But we assume nothing about the heap shape. So recursive data
-// structures are largely ignored. Basically we do 1-limiting analysis.
-// Parameter pointers are assumed with no aliasing. Pointee objects of
-// parameters are created lazily.
-//
-//===----------------------------------------------------------------------===//
-#include "clang/AST/CharUnits.h"
-#include "clang/AST/DeclCXX.h"
-#include "clang/AST/ExprCXX.h"
-#include "clang/Analysis/Analyses/LiveVariables.h"
-#include "clang/Analysis/AnalysisContext.h"
-#include "clang/Basic/TargetInfo.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRStateTrait.h"
-#include "clang/StaticAnalyzer/PathSensitive/MemRegion.h"
-#include "llvm/ADT/ImmutableList.h"
-#include "llvm/ADT/ImmutableMap.h"
-#include "llvm/ADT/Optional.h"
-#include "llvm/Support/raw_ostream.h"
-
-using namespace clang;
-using namespace ento;
-using llvm::Optional;
-
-//===----------------------------------------------------------------------===//
-// Representation of binding keys.
-//===----------------------------------------------------------------------===//
-
-namespace {
-class BindingKey {
-public:
- enum Kind { Direct = 0x0, Default = 0x1 };
-private:
- llvm ::PointerIntPair<const MemRegion*, 1> P;
- uint64_t Offset;
-
- explicit BindingKey(const MemRegion *r, uint64_t offset, Kind k)
- : P(r, (unsigned) k), Offset(offset) {}
-public:
-
- bool isDirect() const { return P.getInt() == Direct; }
-
- const MemRegion *getRegion() const { return P.getPointer(); }
- uint64_t getOffset() const { return Offset; }
-
- void Profile(llvm::FoldingSetNodeID& ID) const {
- ID.AddPointer(P.getOpaqueValue());
- ID.AddInteger(Offset);
- }
-
- static BindingKey Make(const MemRegion *R, Kind k);
-
- bool operator<(const BindingKey &X) const {
- if (P.getOpaqueValue() < X.P.getOpaqueValue())
- return true;
- if (P.getOpaqueValue() > X.P.getOpaqueValue())
- return false;
- return Offset < X.Offset;
- }
-
- bool operator==(const BindingKey &X) const {
- return P.getOpaqueValue() == X.P.getOpaqueValue() &&
- Offset == X.Offset;
- }
-
- bool isValid() const {
- return getRegion() != NULL;
- }
-};
-} // end anonymous namespace
-
-BindingKey BindingKey::Make(const MemRegion *R, Kind k) {
- if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
- const RegionRawOffset &O = ER->getAsArrayOffset();
-
- // FIXME: There are some ElementRegions for which we cannot compute
- // raw offsets yet, including regions with symbolic offsets. These will be
- // ignored by the store.
- return BindingKey(O.getRegion(), O.getByteOffset(), k);
- }
-
- return BindingKey(R, 0, k);
-}
-
-namespace llvm {
- static inline
- llvm::raw_ostream& operator<<(llvm::raw_ostream& os, BindingKey K) {
- os << '(' << K.getRegion() << ',' << K.getOffset()
- << ',' << (K.isDirect() ? "direct" : "default")
- << ')';
- return os;
- }
-} // end llvm namespace
-
-//===----------------------------------------------------------------------===//
-// Actual Store type.
-//===----------------------------------------------------------------------===//
-
-typedef llvm::ImmutableMap<BindingKey, SVal> RegionBindings;
-
-//===----------------------------------------------------------------------===//
-// Fine-grained control of RegionStoreManager.
-//===----------------------------------------------------------------------===//
-
-namespace {
-struct minimal_features_tag {};
-struct maximal_features_tag {};
-
-class RegionStoreFeatures {
- bool SupportsFields;
-public:
- RegionStoreFeatures(minimal_features_tag) :
- SupportsFields(false) {}
-
- RegionStoreFeatures(maximal_features_tag) :
- SupportsFields(true) {}
-
- void enableFields(bool t) { SupportsFields = t; }
-
- bool supportsFields() const { return SupportsFields; }
-};
-}
-
-//===----------------------------------------------------------------------===//
-// Main RegionStore logic.
-//===----------------------------------------------------------------------===//
-
-namespace {
-
-class RegionStoreSubRegionMap : public SubRegionMap {
-public:
- typedef llvm::ImmutableSet<const MemRegion*> Set;
- typedef llvm::DenseMap<const MemRegion*, Set> Map;
-private:
- Set::Factory F;
- Map M;
-public:
- bool add(const MemRegion* Parent, const MemRegion* SubRegion) {
- Map::iterator I = M.find(Parent);
-
- if (I == M.end()) {
- M.insert(std::make_pair(Parent, F.add(F.getEmptySet(), SubRegion)));
- return true;
- }
-
- I->second = F.add(I->second, SubRegion);
- return false;
- }
-
- void process(llvm::SmallVectorImpl<const SubRegion*> &WL, const SubRegion *R);
-
- ~RegionStoreSubRegionMap() {}
-
- const Set *getSubRegions(const MemRegion *Parent) const {
- Map::const_iterator I = M.find(Parent);
- return I == M.end() ? NULL : &I->second;
- }
-
- bool iterSubRegions(const MemRegion* Parent, Visitor& V) const {
- Map::const_iterator I = M.find(Parent);
-
- if (I == M.end())
- return true;
-
- Set S = I->second;
- for (Set::iterator SI=S.begin(),SE=S.end(); SI != SE; ++SI) {
- if (!V.Visit(Parent, *SI))
- return false;
- }
-
- return true;
- }
-};
-
-void
-RegionStoreSubRegionMap::process(llvm::SmallVectorImpl<const SubRegion*> &WL,
- const SubRegion *R) {
- const MemRegion *superR = R->getSuperRegion();
- if (add(superR, R))
- if (const SubRegion *sr = dyn_cast<SubRegion>(superR))
- WL.push_back(sr);
-}
-
-class RegionStoreManager : public StoreManager {
- const RegionStoreFeatures Features;
- RegionBindings::Factory RBFactory;
-
-public:
- RegionStoreManager(GRStateManager& mgr, const RegionStoreFeatures &f)
- : StoreManager(mgr),
- Features(f),
- RBFactory(mgr.getAllocator()) {}
-
- SubRegionMap *getSubRegionMap(Store store) {
- return getRegionStoreSubRegionMap(store);
- }
-
- RegionStoreSubRegionMap *getRegionStoreSubRegionMap(Store store);
-
- Optional<SVal> getDirectBinding(RegionBindings B, const MemRegion *R);
- /// getDefaultBinding - Returns an SVal* representing an optional default
- /// binding associated with a region and its subregions.
- Optional<SVal> getDefaultBinding(RegionBindings B, const MemRegion *R);
-
- /// setImplicitDefaultValue - Set the default binding for the provided
- /// MemRegion to the value implicitly defined for compound literals when
- /// the value is not specified.
- Store setImplicitDefaultValue(Store store, const MemRegion *R, QualType T);
-
- /// ArrayToPointer - Emulates the "decay" of an array to a pointer
- /// type. 'Array' represents the lvalue of the array being decayed
- /// to a pointer, and the returned SVal represents the decayed
- /// version of that lvalue (i.e., a pointer to the first element of
- /// the array). This is called by ExprEngine when evaluating
- /// casts from arrays to pointers.
- SVal ArrayToPointer(Loc Array);
-
- /// For DerivedToBase casts, create a CXXBaseObjectRegion and return it.
- virtual SVal evalDerivedToBase(SVal derived, QualType basePtrType);
-
- SVal evalBinOp(BinaryOperator::Opcode Op,Loc L, NonLoc R, QualType resultTy);
-
- Store getInitialStore(const LocationContext *InitLoc) {
- return RBFactory.getEmptyMap().getRoot();
- }
-
- //===-------------------------------------------------------------------===//
- // Binding values to regions.
- //===-------------------------------------------------------------------===//
-
- Store InvalidateRegions(Store store,
- const MemRegion * const *Begin,
- const MemRegion * const *End,
- const Expr *E, unsigned Count,
- InvalidatedSymbols *IS,
- bool invalidateGlobals,
- InvalidatedRegions *Regions);
-
-public: // Made public for helper classes.
-
- void RemoveSubRegionBindings(RegionBindings &B, const MemRegion *R,
- RegionStoreSubRegionMap &M);
-
- RegionBindings addBinding(RegionBindings B, BindingKey K, SVal V);
-
- RegionBindings addBinding(RegionBindings B, const MemRegion *R,
- BindingKey::Kind k, SVal V);
-
- const SVal *lookup(RegionBindings B, BindingKey K);
- const SVal *lookup(RegionBindings B, const MemRegion *R, BindingKey::Kind k);
-
- RegionBindings removeBinding(RegionBindings B, BindingKey K);
- RegionBindings removeBinding(RegionBindings B, const MemRegion *R,
- BindingKey::Kind k);
-
- RegionBindings removeBinding(RegionBindings B, const MemRegion *R) {
- return removeBinding(removeBinding(B, R, BindingKey::Direct), R,
- BindingKey::Default);
- }
-
-public: // Part of public interface to class.
-
- Store Bind(Store store, Loc LV, SVal V);
-
- // BindDefault is only used to initialize a region with a default value.
- Store BindDefault(Store store, const MemRegion *R, SVal V) {
- RegionBindings B = GetRegionBindings(store);
- assert(!lookup(B, R, BindingKey::Default));
- assert(!lookup(B, R, BindingKey::Direct));
- return addBinding(B, R, BindingKey::Default, V).getRoot();
- }
-
- Store BindCompoundLiteral(Store store, const CompoundLiteralExpr* CL,
- const LocationContext *LC, SVal V);
-
- Store BindDecl(Store store, const VarRegion *VR, SVal InitVal);
-
- Store BindDeclWithNoInit(Store store, const VarRegion *) {
- return store;
- }
-
- /// BindStruct - Bind a compound value to a structure.
- Store BindStruct(Store store, const TypedRegion* R, SVal V);
-
- Store BindArray(Store store, const TypedRegion* R, SVal V);
-
- /// KillStruct - Set the entire struct to unknown.
- Store KillStruct(Store store, const TypedRegion* R, SVal DefaultVal);
-
- Store Remove(Store store, Loc LV);
-
-
- //===------------------------------------------------------------------===//
- // Loading values from regions.
- //===------------------------------------------------------------------===//
-
- /// The high level logic for this method is this:
- /// Retrieve (L)
- /// if L has binding
- /// return L's binding
- /// else if L is in killset
- /// return unknown
- /// else
- /// if L is on stack or heap
- /// return undefined
- /// else
- /// return symbolic
- SVal Retrieve(Store store, Loc L, QualType T = QualType());
-
- SVal RetrieveElement(Store store, const ElementRegion *R);
-
- SVal RetrieveField(Store store, const FieldRegion *R);
-
- SVal RetrieveObjCIvar(Store store, const ObjCIvarRegion *R);
-
- SVal RetrieveVar(Store store, const VarRegion *R);
-
- SVal RetrieveLazySymbol(const TypedRegion *R);
-
- SVal RetrieveFieldOrElementCommon(Store store, const TypedRegion *R,
- QualType Ty, const MemRegion *superR);
-
- /// Retrieve the values in a struct and return a CompoundVal, used when doing
- /// struct copy:
- /// struct s x, y;
- /// x = y;
- /// y's value is retrieved by this method.
- SVal RetrieveStruct(Store store, const TypedRegion* R);
-
- SVal RetrieveArray(Store store, const TypedRegion* R);
-
- /// Used to lazily generate derived symbols for bindings that are defined
- /// implicitly by default bindings in a super region.
- Optional<SVal> RetrieveDerivedDefaultValue(RegionBindings B,
- const MemRegion *superR,
- const TypedRegion *R, QualType Ty);
-
- /// Get the state and region whose binding this region R corresponds to.
- std::pair<Store, const MemRegion*>
- GetLazyBinding(RegionBindings B, const MemRegion *R);
-
- Store CopyLazyBindings(nonloc::LazyCompoundVal V, Store store,
- const TypedRegion *R);
-
- //===------------------------------------------------------------------===//
- // State pruning.
- //===------------------------------------------------------------------===//
-
- /// RemoveDeadBindings - Scans the RegionStore of 'state' for dead values.
- /// It returns a new Store with these values removed.
- Store RemoveDeadBindings(Store store, const StackFrameContext *LCtx,
- SymbolReaper& SymReaper,
- llvm::SmallVectorImpl<const MemRegion*>& RegionRoots);
-
- Store EnterStackFrame(const GRState *state, const StackFrameContext *frame);
-
- //===------------------------------------------------------------------===//
- // Region "extents".
- //===------------------------------------------------------------------===//
-
- // FIXME: This method will soon be eliminated; see the note in Store.h.
- DefinedOrUnknownSVal getSizeInElements(const GRState *state,
- const MemRegion* R, QualType EleTy);
-
- //===------------------------------------------------------------------===//
- // Utility methods.
- //===------------------------------------------------------------------===//
-
- static inline RegionBindings GetRegionBindings(Store store) {
- return RegionBindings(static_cast<const RegionBindings::TreeTy*>(store));
- }
-
- void print(Store store, llvm::raw_ostream& Out, const char* nl,
- const char *sep);
-
- void iterBindings(Store store, BindingsHandler& f) {
- RegionBindings B = GetRegionBindings(store);
- for (RegionBindings::iterator I=B.begin(), E=B.end(); I!=E; ++I) {
- const BindingKey &K = I.getKey();
- if (!K.isDirect())
- continue;
- if (const SubRegion *R = dyn_cast<SubRegion>(I.getKey().getRegion())) {
- // FIXME: Possibly incorporate the offset?
- if (!f.HandleBinding(*this, store, R, I.getData()))
- return;
- }
- }
- }
-};
-
-} // end anonymous namespace
-
-//===----------------------------------------------------------------------===//
-// RegionStore creation.
-//===----------------------------------------------------------------------===//
-
-StoreManager *ento::CreateRegionStoreManager(GRStateManager& StMgr) {
- RegionStoreFeatures F = maximal_features_tag();
- return new RegionStoreManager(StMgr, F);
-}
-
-StoreManager *ento::CreateFieldsOnlyRegionStoreManager(GRStateManager &StMgr) {
- RegionStoreFeatures F = minimal_features_tag();
- F.enableFields(true);
- return new RegionStoreManager(StMgr, F);
-}
-
-
-RegionStoreSubRegionMap*
-RegionStoreManager::getRegionStoreSubRegionMap(Store store) {
- RegionBindings B = GetRegionBindings(store);
- RegionStoreSubRegionMap *M = new RegionStoreSubRegionMap();
-
- llvm::SmallVector<const SubRegion*, 10> WL;
-
- for (RegionBindings::iterator I=B.begin(), E=B.end(); I!=E; ++I)
- if (const SubRegion *R = dyn_cast<SubRegion>(I.getKey().getRegion()))
- M->process(WL, R);
-
- // We also need to record in the subregion map "intermediate" regions that
- // don't have direct bindings but are super regions of those that do.
- while (!WL.empty()) {
- const SubRegion *R = WL.back();
- WL.pop_back();
- M->process(WL, R);
- }
-
- return M;
-}
-
-//===----------------------------------------------------------------------===//
-// Region Cluster analysis.
-//===----------------------------------------------------------------------===//
-
-namespace {
-template <typename DERIVED>
-class ClusterAnalysis {
-protected:
- typedef BumpVector<BindingKey> RegionCluster;
- typedef llvm::DenseMap<const MemRegion *, RegionCluster *> ClusterMap;
- llvm::DenseMap<const RegionCluster*, unsigned> Visited;
- typedef llvm::SmallVector<std::pair<const MemRegion *, RegionCluster*>, 10>
- WorkList;
-
- BumpVectorContext BVC;
- ClusterMap ClusterM;
- WorkList WL;
-
- RegionStoreManager &RM;
- ASTContext &Ctx;
- SValBuilder &svalBuilder;
-
- RegionBindings B;
-
- const bool includeGlobals;
-
-public:
- ClusterAnalysis(RegionStoreManager &rm, GRStateManager &StateMgr,
- RegionBindings b, const bool includeGlobals)
- : RM(rm), Ctx(StateMgr.getContext()),
- svalBuilder(StateMgr.getSValBuilder()),
- B(b), includeGlobals(includeGlobals) {}
-
- RegionBindings getRegionBindings() const { return B; }
-
- RegionCluster &AddToCluster(BindingKey K) {
- const MemRegion *R = K.getRegion();
- const MemRegion *baseR = R->getBaseRegion();
- RegionCluster &C = getCluster(baseR);
- C.push_back(K, BVC);
- static_cast<DERIVED*>(this)->VisitAddedToCluster(baseR, C);
- return C;
- }
-
- bool isVisited(const MemRegion *R) {
- return (bool) Visited[&getCluster(R->getBaseRegion())];
- }
-
- RegionCluster& getCluster(const MemRegion *R) {
- RegionCluster *&CRef = ClusterM[R];
- if (!CRef) {
- void *Mem = BVC.getAllocator().template Allocate<RegionCluster>();
- CRef = new (Mem) RegionCluster(BVC, 10);
- }
- return *CRef;
- }
-
- void GenerateClusters() {
- // Scan the entire set of bindings and make the region clusters.
- for (RegionBindings::iterator RI = B.begin(), RE = B.end(); RI != RE; ++RI){
- RegionCluster &C = AddToCluster(RI.getKey());
- if (const MemRegion *R = RI.getData().getAsRegion()) {
- // Generate a cluster, but don't add the region to the cluster
- // if there aren't any bindings.
- getCluster(R->getBaseRegion());
- }
- if (includeGlobals) {
- const MemRegion *R = RI.getKey().getRegion();
- if (isa<NonStaticGlobalSpaceRegion>(R->getMemorySpace()))
- AddToWorkList(R, C);
- }
- }
- }
-
- bool AddToWorkList(const MemRegion *R, RegionCluster &C) {
- if (unsigned &visited = Visited[&C])
- return false;
- else
- visited = 1;
-
- WL.push_back(std::make_pair(R, &C));
- return true;
- }
-
- bool AddToWorkList(BindingKey K) {
- return AddToWorkList(K.getRegion());
- }
-
- bool AddToWorkList(const MemRegion *R) {
- const MemRegion *baseR = R->getBaseRegion();
- return AddToWorkList(baseR, getCluster(baseR));
- }
-
- void RunWorkList() {
- while (!WL.empty()) {
- const MemRegion *baseR;
- RegionCluster *C;
- llvm::tie(baseR, C) = WL.back();
- WL.pop_back();
-
- // First visit the cluster.
- static_cast<DERIVED*>(this)->VisitCluster(baseR, C->begin(), C->end());
-
- // Next, visit the base region.
- static_cast<DERIVED*>(this)->VisitBaseRegion(baseR);
- }
- }
-
-public:
- void VisitAddedToCluster(const MemRegion *baseR, RegionCluster &C) {}
- void VisitCluster(const MemRegion *baseR, BindingKey *I, BindingKey *E) {}
- void VisitBaseRegion(const MemRegion *baseR) {}
-};
-}
-
-//===----------------------------------------------------------------------===//
-// Binding invalidation.
-//===----------------------------------------------------------------------===//
-
-void RegionStoreManager::RemoveSubRegionBindings(RegionBindings &B,
- const MemRegion *R,
- RegionStoreSubRegionMap &M) {
-
- if (const RegionStoreSubRegionMap::Set *S = M.getSubRegions(R))
- for (RegionStoreSubRegionMap::Set::iterator I = S->begin(), E = S->end();
- I != E; ++I)
- RemoveSubRegionBindings(B, *I, M);
-
- B = removeBinding(B, R);
-}
-
-namespace {
-class InvalidateRegionsWorker : public ClusterAnalysis<InvalidateRegionsWorker>
-{
- const Expr *Ex;
- unsigned Count;
- StoreManager::InvalidatedSymbols *IS;
- StoreManager::InvalidatedRegions *Regions;
-public:
- InvalidateRegionsWorker(RegionStoreManager &rm,
- GRStateManager &stateMgr,
- RegionBindings b,
- const Expr *ex, unsigned count,
- StoreManager::InvalidatedSymbols *is,
- StoreManager::InvalidatedRegions *r,
- bool includeGlobals)
- : ClusterAnalysis<InvalidateRegionsWorker>(rm, stateMgr, b, includeGlobals),
- Ex(ex), Count(count), IS(is), Regions(r) {}
-
- void VisitCluster(const MemRegion *baseR, BindingKey *I, BindingKey *E);
- void VisitBaseRegion(const MemRegion *baseR);
-
-private:
- void VisitBinding(SVal V);
-};
-}
-
-void InvalidateRegionsWorker::VisitBinding(SVal V) {
- // A symbol? Mark it touched by the invalidation.
- if (IS)
- if (SymbolRef Sym = V.getAsSymbol())
- IS->insert(Sym);
-
- if (const MemRegion *R = V.getAsRegion()) {
- AddToWorkList(R);
- return;
- }
-
- // Is it a LazyCompoundVal? All references get invalidated as well.
- if (const nonloc::LazyCompoundVal *LCS =
- dyn_cast<nonloc::LazyCompoundVal>(&V)) {
-
- const MemRegion *LazyR = LCS->getRegion();
- RegionBindings B = RegionStoreManager::GetRegionBindings(LCS->getStore());
-
- for (RegionBindings::iterator RI = B.begin(), RE = B.end(); RI != RE; ++RI){
- const SubRegion *baseR = dyn_cast<SubRegion>(RI.getKey().getRegion());
- if (baseR && baseR->isSubRegionOf(LazyR))
- VisitBinding(RI.getData());
- }
-
- return;
- }
-}
-
-void InvalidateRegionsWorker::VisitCluster(const MemRegion *baseR,
- BindingKey *I, BindingKey *E) {
- for ( ; I != E; ++I) {
- // Get the old binding. Is it a region? If so, add it to the worklist.
- const BindingKey &K = *I;
- if (const SVal *V = RM.lookup(B, K))
- VisitBinding(*V);
-
- B = RM.removeBinding(B, K);
- }
-}
-
-void InvalidateRegionsWorker::VisitBaseRegion(const MemRegion *baseR) {
- if (IS) {
- // Symbolic region? Mark that symbol touched by the invalidation.
- if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(baseR))
- IS->insert(SR->getSymbol());
- }
-
- // BlockDataRegion? If so, invalidate captured variables that are passed
- // by reference.
- if (const BlockDataRegion *BR = dyn_cast<BlockDataRegion>(baseR)) {
- for (BlockDataRegion::referenced_vars_iterator
- BI = BR->referenced_vars_begin(), BE = BR->referenced_vars_end() ;
- BI != BE; ++BI) {
- const VarRegion *VR = *BI;
- const VarDecl *VD = VR->getDecl();
- if (VD->getAttr<BlocksAttr>() || !VD->hasLocalStorage())
- AddToWorkList(VR);
- }
- return;
- }
-
- // Otherwise, we have a normal data region. Record that we touched the region.
- if (Regions)
- Regions->push_back(baseR);
-
- if (isa<AllocaRegion>(baseR) || isa<SymbolicRegion>(baseR)) {
- // Invalidate the region by setting its default value to
- // conjured symbol. The type of the symbol is irrelavant.
- DefinedOrUnknownSVal V =
- svalBuilder.getConjuredSymbolVal(baseR, Ex, Ctx.IntTy, Count);
- B = RM.addBinding(B, baseR, BindingKey::Default, V);
- return;
- }
-
- if (!baseR->isBoundable())
- return;
-
- const TypedRegion *TR = cast<TypedRegion>(baseR);
- QualType T = TR->getValueType();
-
- // Invalidate the binding.
- if (T->isStructureType()) {
- // Invalidate the region by setting its default value to
- // conjured symbol. The type of the symbol is irrelavant.
- DefinedOrUnknownSVal V = svalBuilder.getConjuredSymbolVal(baseR, Ex, Ctx.IntTy,
- Count);
- B = RM.addBinding(B, baseR, BindingKey::Default, V);
- return;
- }
-
- if (const ArrayType *AT = Ctx.getAsArrayType(T)) {
- // Set the default value of the array to conjured symbol.
- DefinedOrUnknownSVal V =
- svalBuilder.getConjuredSymbolVal(baseR, Ex, AT->getElementType(), Count);
- B = RM.addBinding(B, baseR, BindingKey::Default, V);
- return;
- }
-
- if (includeGlobals &&
- isa<NonStaticGlobalSpaceRegion>(baseR->getMemorySpace())) {
- // If the region is a global and we are invalidating all globals,
- // just erase the entry. This causes all globals to be lazily
- // symbolicated from the same base symbol.
- B = RM.removeBinding(B, baseR);
- return;
- }
-
-
- DefinedOrUnknownSVal V = svalBuilder.getConjuredSymbolVal(baseR, Ex, T, Count);
- assert(SymbolManager::canSymbolicate(T) || V.isUnknown());
- B = RM.addBinding(B, baseR, BindingKey::Direct, V);
-}
-
-Store RegionStoreManager::InvalidateRegions(Store store,
- const MemRegion * const *I,
- const MemRegion * const *E,
- const Expr *Ex, unsigned Count,
- InvalidatedSymbols *IS,
- bool invalidateGlobals,
- InvalidatedRegions *Regions) {
- InvalidateRegionsWorker W(*this, StateMgr,
- RegionStoreManager::GetRegionBindings(store),
- Ex, Count, IS, Regions, invalidateGlobals);
-
- // Scan the bindings and generate the clusters.
- W.GenerateClusters();
-
- // Add I .. E to the worklist.
- for ( ; I != E; ++I)
- W.AddToWorkList(*I);
-
- W.RunWorkList();
-
- // Return the new bindings.
- RegionBindings B = W.getRegionBindings();
-
- if (invalidateGlobals) {
- // Bind the non-static globals memory space to a new symbol that we will
- // use to derive the bindings for all non-static globals.
- const GlobalsSpaceRegion *GS = MRMgr.getGlobalsRegion();
- SVal V =
- svalBuilder.getConjuredSymbolVal(/* SymbolTag = */ (void*) GS, Ex,
- /* symbol type, doesn't matter */ Ctx.IntTy,
- Count);
- B = addBinding(B, BindingKey::Make(GS, BindingKey::Default), V);
-
- // Even if there are no bindings in the global scope, we still need to
- // record that we touched it.
- if (Regions)
- Regions->push_back(GS);
- }
-
- return B.getRoot();
-}
-
-//===----------------------------------------------------------------------===//
-// Extents for regions.
-//===----------------------------------------------------------------------===//
-
-DefinedOrUnknownSVal RegionStoreManager::getSizeInElements(const GRState *state,
- const MemRegion *R,
- QualType EleTy) {
- SVal Size = cast<SubRegion>(R)->getExtent(svalBuilder);
- const llvm::APSInt *SizeInt = svalBuilder.getKnownValue(state, Size);
- if (!SizeInt)
- return UnknownVal();
-
- CharUnits RegionSize = CharUnits::fromQuantity(SizeInt->getSExtValue());
-
- if (Ctx.getAsVariableArrayType(EleTy)) {
- // FIXME: We need to track extra state to properly record the size
- // of VLAs. Returning UnknownVal here, however, is a stop-gap so that
- // we don't have a divide-by-zero below.
- return UnknownVal();
- }
-
- CharUnits EleSize = Ctx.getTypeSizeInChars(EleTy);
-
- // If a variable is reinterpreted as a type that doesn't fit into a larger
- // type evenly, round it down.
- // This is a signed value, since it's used in arithmetic with signed indices.
- return svalBuilder.makeIntVal(RegionSize / EleSize, false);
-}
-
-//===----------------------------------------------------------------------===//
-// Location and region casting.
-//===----------------------------------------------------------------------===//
-
-/// ArrayToPointer - Emulates the "decay" of an array to a pointer
-/// type. 'Array' represents the lvalue of the array being decayed
-/// to a pointer, and the returned SVal represents the decayed
-/// version of that lvalue (i.e., a pointer to the first element of
-/// the array). This is called by ExprEngine when evaluating casts
-/// from arrays to pointers.
-SVal RegionStoreManager::ArrayToPointer(Loc Array) {
- if (!isa<loc::MemRegionVal>(Array))
- return UnknownVal();
-
- const MemRegion* R = cast<loc::MemRegionVal>(&Array)->getRegion();
- const TypedRegion* ArrayR = dyn_cast<TypedRegion>(R);
-
- if (!ArrayR)
- return UnknownVal();
-
- // Strip off typedefs from the ArrayRegion's ValueType.
- QualType T = ArrayR->getValueType().getDesugaredType(Ctx);
- ArrayType *AT = cast<ArrayType>(T);
- T = AT->getElementType();
-
- NonLoc ZeroIdx = svalBuilder.makeZeroArrayIndex();
- return loc::MemRegionVal(MRMgr.getElementRegion(T, ZeroIdx, ArrayR, Ctx));
-}
-
-SVal RegionStoreManager::evalDerivedToBase(SVal derived, QualType baseType) {
- const CXXRecordDecl *baseDecl;
- if (baseType->isPointerType())
- baseDecl = baseType->getCXXRecordDeclForPointerType();
- else
- baseDecl = baseType->getAsCXXRecordDecl();
-
- assert(baseDecl && "not a CXXRecordDecl?");
-
- loc::MemRegionVal *derivedRegVal = dyn_cast<loc::MemRegionVal>(&derived);
- if (!derivedRegVal)
- return derived;
-
- const MemRegion *baseReg =
- MRMgr.getCXXBaseObjectRegion(baseDecl, derivedRegVal->getRegion());
- return loc::MemRegionVal(baseReg);
-}
-//===----------------------------------------------------------------------===//
-// Pointer arithmetic.
-//===----------------------------------------------------------------------===//
-
-SVal RegionStoreManager::evalBinOp(BinaryOperator::Opcode Op, Loc L, NonLoc R,
- QualType resultTy) {
- // Assume the base location is MemRegionVal.
- if (!isa<loc::MemRegionVal>(L))
- return UnknownVal();
-
- // Special case for zero RHS.
- if (R.isZeroConstant()) {
- switch (Op) {
- default:
- // Handle it normally.
- break;
- case BO_Add:
- case BO_Sub:
- // FIXME: does this need to be casted to match resultTy?
- return L;
- }
- }
-
- const MemRegion* MR = cast<loc::MemRegionVal>(L).getRegion();
- const ElementRegion *ER = 0;
-
- switch (MR->getKind()) {
- case MemRegion::SymbolicRegionKind: {
- const SymbolicRegion *SR = cast<SymbolicRegion>(MR);
- SymbolRef Sym = SR->getSymbol();
- QualType T = Sym->getType(Ctx);
- QualType EleTy;
-
- if (const PointerType *PT = T->getAs<PointerType>())
- EleTy = PT->getPointeeType();
- else
- EleTy = T->getAs<ObjCObjectPointerType>()->getPointeeType();
-
- const NonLoc &ZeroIdx = svalBuilder.makeZeroArrayIndex();
- ER = MRMgr.getElementRegion(EleTy, ZeroIdx, SR, Ctx);
- break;
- }
- case MemRegion::AllocaRegionKind: {
- const AllocaRegion *AR = cast<AllocaRegion>(MR);
- QualType EleTy = Ctx.CharTy; // Create an ElementRegion of bytes.
- NonLoc ZeroIdx = svalBuilder.makeZeroArrayIndex();
- ER = MRMgr.getElementRegion(EleTy, ZeroIdx, AR, Ctx);
- break;
- }
-
- case MemRegion::ElementRegionKind: {
- ER = cast<ElementRegion>(MR);
- break;
- }
-
- // Not yet handled.
- case MemRegion::VarRegionKind:
- case MemRegion::StringRegionKind: {
-
- }
- // Fall-through.
- case MemRegion::CompoundLiteralRegionKind:
- case MemRegion::FieldRegionKind:
- case MemRegion::ObjCIvarRegionKind:
- case MemRegion::CXXTempObjectRegionKind:
- case MemRegion::CXXBaseObjectRegionKind:
- return UnknownVal();
-
- case MemRegion::FunctionTextRegionKind:
- case MemRegion::BlockTextRegionKind:
- case MemRegion::BlockDataRegionKind:
- // Technically this can happen if people do funny things with casts.
- return UnknownVal();
-
- case MemRegion::CXXThisRegionKind:
- assert(0 &&
- "Cannot perform pointer arithmetic on implicit argument 'this'");
- case MemRegion::GenericMemSpaceRegionKind:
- case MemRegion::StackLocalsSpaceRegionKind:
- case MemRegion::StackArgumentsSpaceRegionKind:
- case MemRegion::HeapSpaceRegionKind:
- case MemRegion::NonStaticGlobalSpaceRegionKind:
- case MemRegion::StaticGlobalSpaceRegionKind:
- case MemRegion::UnknownSpaceRegionKind:
- assert(0 && "Cannot perform pointer arithmetic on a MemSpace");
- return UnknownVal();
- }
-
- SVal Idx = ER->getIndex();
- nonloc::ConcreteInt* Base = dyn_cast<nonloc::ConcreteInt>(&Idx);
-
- // For now, only support:
- // (a) concrete integer indices that can easily be resolved
- // (b) 0 + symbolic index
- if (Base) {
- if (nonloc::ConcreteInt *Offset = dyn_cast<nonloc::ConcreteInt>(&R)) {
- // FIXME: Should use SValBuilder here.
- SVal NewIdx =
- Base->evalBinOp(svalBuilder, Op,
- cast<nonloc::ConcreteInt>(svalBuilder.convertToArrayIndex(*Offset)));
-
- if (!isa<NonLoc>(NewIdx))
- return UnknownVal();
-
- const MemRegion* NewER =
- MRMgr.getElementRegion(ER->getElementType(), cast<NonLoc>(NewIdx),
- ER->getSuperRegion(), Ctx);
- return svalBuilder.makeLoc(NewER);
- }
- if (0 == Base->getValue()) {
- const MemRegion* NewER =
- MRMgr.getElementRegion(ER->getElementType(), R,
- ER->getSuperRegion(), Ctx);
- return svalBuilder.makeLoc(NewER);
- }
- }
-
- return UnknownVal();
-}
-
-//===----------------------------------------------------------------------===//
-// Loading values from regions.
-//===----------------------------------------------------------------------===//
-
-Optional<SVal> RegionStoreManager::getDirectBinding(RegionBindings B,
- const MemRegion *R) {
-
- if (const SVal *V = lookup(B, R, BindingKey::Direct))
- return *V;
-
- return Optional<SVal>();
-}
-
-Optional<SVal> RegionStoreManager::getDefaultBinding(RegionBindings B,
- const MemRegion *R) {
- if (R->isBoundable())
- if (const TypedRegion *TR = dyn_cast<TypedRegion>(R))
- if (TR->getValueType()->isUnionType())
- return UnknownVal();
-
- if (const SVal *V = lookup(B, R, BindingKey::Default))
- return *V;
-
- return Optional<SVal>();
-}
-
-SVal RegionStoreManager::Retrieve(Store store, Loc L, QualType T) {
- assert(!isa<UnknownVal>(L) && "location unknown");
- assert(!isa<UndefinedVal>(L) && "location undefined");
-
- // For access to concrete addresses, return UnknownVal. Checks
- // for null dereferences (and similar errors) are done by checkers, not
- // the Store.
- // FIXME: We can consider lazily symbolicating such memory, but we really
- // should defer this when we can reason easily about symbolicating arrays
- // of bytes.
- if (isa<loc::ConcreteInt>(L)) {
- return UnknownVal();
- }
-
- const MemRegion *MR = cast<loc::MemRegionVal>(L).getRegion();
-
- if (isa<AllocaRegion>(MR) || isa<SymbolicRegion>(MR)) {
- if (T.isNull()) {
- const SymbolicRegion *SR = cast<SymbolicRegion>(MR);
- T = SR->getSymbol()->getType(Ctx);
- }
- MR = GetElementZeroRegion(MR, T);
- }
-
- if (isa<CodeTextRegion>(MR)) {
- assert(0 && "Why load from a code text region?");
- return UnknownVal();
- }
-
- // FIXME: Perhaps this method should just take a 'const MemRegion*' argument
- // instead of 'Loc', and have the other Loc cases handled at a higher level.
- const TypedRegion *R = cast<TypedRegion>(MR);
- QualType RTy = R->getValueType();
-
- // FIXME: We should eventually handle funny addressing. e.g.:
- //
- // int x = ...;
- // int *p = &x;
- // char *q = (char*) p;
- // char c = *q; // returns the first byte of 'x'.
- //
- // Such funny addressing will occur due to layering of regions.
-
- if (RTy->isStructureOrClassType())
- return RetrieveStruct(store, R);
-
- // FIXME: Handle unions.
- if (RTy->isUnionType())
- return UnknownVal();
-
- if (RTy->isArrayType())
- return RetrieveArray(store, R);
-
- // FIXME: handle Vector types.
- if (RTy->isVectorType())
- return UnknownVal();
-
- if (const FieldRegion* FR = dyn_cast<FieldRegion>(R))
- return CastRetrievedVal(RetrieveField(store, FR), FR, T, false);
-
- if (const ElementRegion* ER = dyn_cast<ElementRegion>(R)) {
- // FIXME: Here we actually perform an implicit conversion from the loaded
- // value to the element type. Eventually we want to compose these values
- // more intelligently. For example, an 'element' can encompass multiple
- // bound regions (e.g., several bound bytes), or could be a subset of
- // a larger value.
- return CastRetrievedVal(RetrieveElement(store, ER), ER, T, false);
- }
-
- if (const ObjCIvarRegion *IVR = dyn_cast<ObjCIvarRegion>(R)) {
- // FIXME: Here we actually perform an implicit conversion from the loaded
- // value to the ivar type. What we should model is stores to ivars
- // that blow past the extent of the ivar. If the address of the ivar is
- // reinterpretted, it is possible we stored a different value that could
- // fit within the ivar. Either we need to cast these when storing them
- // or reinterpret them lazily (as we do here).
- return CastRetrievedVal(RetrieveObjCIvar(store, IVR), IVR, T, false);
- }
-
- if (const VarRegion *VR = dyn_cast<VarRegion>(R)) {
- // FIXME: Here we actually perform an implicit conversion from the loaded
- // value to the variable type. What we should model is stores to variables
- // that blow past the extent of the variable. If the address of the
- // variable is reinterpretted, it is possible we stored a different value
- // that could fit within the variable. Either we need to cast these when
- // storing them or reinterpret them lazily (as we do here).
- return CastRetrievedVal(RetrieveVar(store, VR), VR, T, false);
- }
-
- RegionBindings B = GetRegionBindings(store);
- const SVal *V = lookup(B, R, BindingKey::Direct);
-
- // Check if the region has a binding.
- if (V)
- return *V;
-
- // The location does not have a bound value. This means that it has
- // the value it had upon its creation and/or entry to the analyzed
- // function/method. These are either symbolic values or 'undefined'.
- if (R->hasStackNonParametersStorage()) {
- // All stack variables are considered to have undefined values
- // upon creation. All heap allocated blocks are considered to
- // have undefined values as well unless they are explicitly bound
- // to specific values.
- return UndefinedVal();
- }
-
- // All other values are symbolic.
- return svalBuilder.getRegionValueSymbolVal(R);
-}
-
-std::pair<Store, const MemRegion *>
-RegionStoreManager::GetLazyBinding(RegionBindings B, const MemRegion *R) {
- if (Optional<SVal> OV = getDirectBinding(B, R))
- if (const nonloc::LazyCompoundVal *V =
- dyn_cast<nonloc::LazyCompoundVal>(OV.getPointer()))
- return std::make_pair(V->getStore(), V->getRegion());
-
- if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
- const std::pair<Store, const MemRegion *> &X =
- GetLazyBinding(B, ER->getSuperRegion());
-
- if (X.second)
- return std::make_pair(X.first,
- MRMgr.getElementRegionWithSuper(ER, X.second));
- }
- else if (const FieldRegion *FR = dyn_cast<FieldRegion>(R)) {
- const std::pair<Store, const MemRegion *> &X =
- GetLazyBinding(B, FR->getSuperRegion());
-
- if (X.second)
- return std::make_pair(X.first,
- MRMgr.getFieldRegionWithSuper(FR, X.second));
- }
- // The NULL MemRegion indicates an non-existent lazy binding. A NULL Store is
- // possible for a valid lazy binding.
- return std::make_pair((Store) 0, (const MemRegion *) 0);
-}
-
-SVal RegionStoreManager::RetrieveElement(Store store,
- const ElementRegion* R) {
- // Check if the region has a binding.
- RegionBindings B = GetRegionBindings(store);
- if (const Optional<SVal> &V = getDirectBinding(B, R))
- return *V;
-
- const MemRegion* superR = R->getSuperRegion();
-
- // Check if the region is an element region of a string literal.
- if (const StringRegion *StrR=dyn_cast<StringRegion>(superR)) {
- // FIXME: Handle loads from strings where the literal is treated as
- // an integer, e.g., *((unsigned int*)"hello")
- QualType T = Ctx.getAsArrayType(StrR->getValueType())->getElementType();
- if (T != Ctx.getCanonicalType(R->getElementType()))
- return UnknownVal();
-
- const StringLiteral *Str = StrR->getStringLiteral();
- SVal Idx = R->getIndex();
- if (nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(&Idx)) {
- int64_t i = CI->getValue().getSExtValue();
- int64_t byteLength = Str->getByteLength();
- // Technically, only i == byteLength is guaranteed to be null.
- // However, such overflows should be caught before reaching this point;
- // the only time such an access would be made is if a string literal was
- // used to initialize a larger array.
- char c = (i >= byteLength) ? '\0' : Str->getString()[i];
- return svalBuilder.makeIntVal(c, T);
- }
- }
-
- // Check for loads from a code text region. For such loads, just give up.
- if (isa<CodeTextRegion>(superR))
- return UnknownVal();
-
- // Handle the case where we are indexing into a larger scalar object.
- // For example, this handles:
- // int x = ...
- // char *y = &x;
- // return *y;
- // FIXME: This is a hack, and doesn't do anything really intelligent yet.
- const RegionRawOffset &O = R->getAsArrayOffset();
- if (const TypedRegion *baseR = dyn_cast_or_null<TypedRegion>(O.getRegion())) {
- QualType baseT = baseR->getValueType();
- if (baseT->isScalarType()) {
- QualType elemT = R->getElementType();
- if (elemT->isScalarType()) {
- if (Ctx.getTypeSizeInChars(baseT) >= Ctx.getTypeSizeInChars(elemT)) {
- if (const Optional<SVal> &V = getDirectBinding(B, superR)) {
- if (SymbolRef parentSym = V->getAsSymbol())
- return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R);
-
- if (V->isUnknownOrUndef())
- return *V;
- // Other cases: give up. We are indexing into a larger object
- // that has some value, but we don't know how to handle that yet.
- return UnknownVal();
- }
- }
- }
- }
- }
- return RetrieveFieldOrElementCommon(store, R, R->getElementType(), superR);
-}
-
-SVal RegionStoreManager::RetrieveField(Store store,
- const FieldRegion* R) {
-
- // Check if the region has a binding.
- RegionBindings B = GetRegionBindings(store);
- if (const Optional<SVal> &V = getDirectBinding(B, R))
- return *V;
-
- QualType Ty = R->getValueType();
- return RetrieveFieldOrElementCommon(store, R, Ty, R->getSuperRegion());
-}
-
-Optional<SVal>
-RegionStoreManager::RetrieveDerivedDefaultValue(RegionBindings B,
- const MemRegion *superR,
- const TypedRegion *R,
- QualType Ty) {
-
- if (const Optional<SVal> &D = getDefaultBinding(B, superR)) {
- if (SymbolRef parentSym = D->getAsSymbol())
- return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R);
-
- if (D->isZeroConstant())
- return svalBuilder.makeZeroVal(Ty);
-
- if (D->isUnknownOrUndef())
- return *D;
-
- assert(0 && "Unknown default value");
- }
-
- return Optional<SVal>();
-}
-
-SVal RegionStoreManager::RetrieveFieldOrElementCommon(Store store,
- const TypedRegion *R,
- QualType Ty,
- const MemRegion *superR) {
-
- // At this point we have already checked in either RetrieveElement or
- // RetrieveField if 'R' has a direct binding.
-
- RegionBindings B = GetRegionBindings(store);
-
- while (superR) {
- if (const Optional<SVal> &D =
- RetrieveDerivedDefaultValue(B, superR, R, Ty))
- return *D;
-
- // If our super region is a field or element itself, walk up the region
- // hierarchy to see if there is a default value installed in an ancestor.
- if (const SubRegion *SR = dyn_cast<SubRegion>(superR)) {
- superR = SR->getSuperRegion();
- continue;
- }
- break;
- }
-
- // Lazy binding?
- Store lazyBindingStore = NULL;
- const MemRegion *lazyBindingRegion = NULL;
- llvm::tie(lazyBindingStore, lazyBindingRegion) = GetLazyBinding(B, R);
-
- if (lazyBindingRegion) {
- if (const ElementRegion *ER = dyn_cast<ElementRegion>(lazyBindingRegion))
- return RetrieveElement(lazyBindingStore, ER);
- return RetrieveField(lazyBindingStore,
- cast<FieldRegion>(lazyBindingRegion));
- }
-
- if (R->hasStackNonParametersStorage()) {
- if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
- // Currently we don't reason specially about Clang-style vectors. Check
- // if superR is a vector and if so return Unknown.
- if (const TypedRegion *typedSuperR = dyn_cast<TypedRegion>(superR)) {
- if (typedSuperR->getValueType()->isVectorType())
- return UnknownVal();
- }
-
- // FIXME: We also need to take ElementRegions with symbolic indexes into
- // account.
- if (!ER->getIndex().isConstant())
- return UnknownVal();
- }
-
- return UndefinedVal();
- }
-
- // All other values are symbolic.
- return svalBuilder.getRegionValueSymbolVal(R);
-}
-
-SVal RegionStoreManager::RetrieveObjCIvar(Store store, const ObjCIvarRegion* R){
-
- // Check if the region has a binding.
- RegionBindings B = GetRegionBindings(store);
-
- if (const Optional<SVal> &V = getDirectBinding(B, R))
- return *V;
-
- const MemRegion *superR = R->getSuperRegion();
-
- // Check if the super region has a default binding.
- if (const Optional<SVal> &V = getDefaultBinding(B, superR)) {
- if (SymbolRef parentSym = V->getAsSymbol())
- return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R);
-
- // Other cases: give up.
- return UnknownVal();
- }
-
- return RetrieveLazySymbol(R);
-}
-
-SVal RegionStoreManager::RetrieveVar(Store store, const VarRegion *R) {
-
- // Check if the region has a binding.
- RegionBindings B = GetRegionBindings(store);
-
- if (const Optional<SVal> &V = getDirectBinding(B, R))
- return *V;
-
- // Lazily derive a value for the VarRegion.
- const VarDecl *VD = R->getDecl();
- QualType T = VD->getType();
- const MemSpaceRegion *MS = R->getMemorySpace();
-
- if (isa<UnknownSpaceRegion>(MS) ||
- isa<StackArgumentsSpaceRegion>(MS))
- return svalBuilder.getRegionValueSymbolVal(R);
-
- if (isa<GlobalsSpaceRegion>(MS)) {
- if (isa<NonStaticGlobalSpaceRegion>(MS)) {
- // Is 'VD' declared constant? If so, retrieve the constant value.
- QualType CT = Ctx.getCanonicalType(T);
- if (CT.isConstQualified()) {
- const Expr *Init = VD->getInit();
- // Do the null check first, as we want to call 'IgnoreParenCasts'.
- if (Init)
- if (const IntegerLiteral *IL =
- dyn_cast<IntegerLiteral>(Init->IgnoreParenCasts())) {
- const nonloc::ConcreteInt &V = svalBuilder.makeIntVal(IL);
- return svalBuilder.evalCast(V, Init->getType(), IL->getType());
- }
- }
-
- if (const Optional<SVal> &V = RetrieveDerivedDefaultValue(B, MS, R, CT))
- return V.getValue();
-
- return svalBuilder.getRegionValueSymbolVal(R);
- }
-
- if (T->isIntegerType())
- return svalBuilder.makeIntVal(0, T);
- if (T->isPointerType())
- return svalBuilder.makeNull();
-
- return UnknownVal();
- }
-
- return UndefinedVal();
-}
-
-SVal RegionStoreManager::RetrieveLazySymbol(const TypedRegion *R) {
- // All other values are symbolic.
- return svalBuilder.getRegionValueSymbolVal(R);
-}
-
-SVal RegionStoreManager::RetrieveStruct(Store store, const TypedRegion* R) {
- QualType T = R->getValueType();
- assert(T->isStructureOrClassType());
- return svalBuilder.makeLazyCompoundVal(store, R);
-}
-
-SVal RegionStoreManager::RetrieveArray(Store store, const TypedRegion * R) {
- assert(Ctx.getAsConstantArrayType(R->getValueType()));
- return svalBuilder.makeLazyCompoundVal(store, R);
-}
-
-//===----------------------------------------------------------------------===//
-// Binding values to regions.
-//===----------------------------------------------------------------------===//
-
-Store RegionStoreManager::Remove(Store store, Loc L) {
- if (isa<loc::MemRegionVal>(L))
- if (const MemRegion* R = cast<loc::MemRegionVal>(L).getRegion())
- return removeBinding(GetRegionBindings(store), R).getRoot();
-
- return store;
-}
-
-Store RegionStoreManager::Bind(Store store, Loc L, SVal V) {
- if (isa<loc::ConcreteInt>(L))
- return store;
-
- // If we get here, the location should be a region.
- const MemRegion *R = cast<loc::MemRegionVal>(L).getRegion();
-
- // Check if the region is a struct region.
- if (const TypedRegion* TR = dyn_cast<TypedRegion>(R))
- if (TR->getValueType()->isStructureOrClassType())
- return BindStruct(store, TR, V);
-
- if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
- if (ER->getIndex().isZeroConstant()) {
- if (const TypedRegion *superR =
- dyn_cast<TypedRegion>(ER->getSuperRegion())) {
- QualType superTy = superR->getValueType();
- // For now, just invalidate the fields of the struct/union/class.
- // This is for test rdar_test_7185607 in misc-ps-region-store.m.
- // FIXME: Precisely handle the fields of the record.
- if (superTy->isStructureOrClassType())
- return KillStruct(store, superR, UnknownVal());
- }
- }
- }
- else if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) {
- // Binding directly to a symbolic region should be treated as binding
- // to element 0.
- QualType T = SR->getSymbol()->getType(Ctx);
-
- // FIXME: Is this the right way to handle symbols that are references?
- if (const PointerType *PT = T->getAs<PointerType>())
- T = PT->getPointeeType();
- else
- T = T->getAs<ReferenceType>()->getPointeeType();
-
- R = GetElementZeroRegion(SR, T);
- }
-
- // Perform the binding.
- RegionBindings B = GetRegionBindings(store);
- return addBinding(B, R, BindingKey::Direct, V).getRoot();
-}
-
-Store RegionStoreManager::BindDecl(Store store, const VarRegion *VR,
- SVal InitVal) {
-
- QualType T = VR->getDecl()->getType();
-
- if (T->isArrayType())
- return BindArray(store, VR, InitVal);
- if (T->isStructureOrClassType())
- return BindStruct(store, VR, InitVal);
-
- return Bind(store, svalBuilder.makeLoc(VR), InitVal);
-}
-
-// FIXME: this method should be merged into Bind().
-Store RegionStoreManager::BindCompoundLiteral(Store store,
- const CompoundLiteralExpr *CL,
- const LocationContext *LC,
- SVal V) {
- return Bind(store, loc::MemRegionVal(MRMgr.getCompoundLiteralRegion(CL, LC)),
- V);
-}
-
-
-Store RegionStoreManager::setImplicitDefaultValue(Store store,
- const MemRegion *R,
- QualType T) {
- RegionBindings B = GetRegionBindings(store);
- SVal V;
-
- if (Loc::IsLocType(T))
- V = svalBuilder.makeNull();
- else if (T->isIntegerType())
- V = svalBuilder.makeZeroVal(T);
- else if (T->isStructureOrClassType() || T->isArrayType()) {
- // Set the default value to a zero constant when it is a structure
- // or array. The type doesn't really matter.
- V = svalBuilder.makeZeroVal(Ctx.IntTy);
- }
- else {
- return store;
- }
-
- return addBinding(B, R, BindingKey::Default, V).getRoot();
-}
-
-Store RegionStoreManager::BindArray(Store store, const TypedRegion* R,
- SVal Init) {
-
- const ArrayType *AT =cast<ArrayType>(Ctx.getCanonicalType(R->getValueType()));
- QualType ElementTy = AT->getElementType();
- Optional<uint64_t> Size;
-
- if (const ConstantArrayType* CAT = dyn_cast<ConstantArrayType>(AT))
- Size = CAT->getSize().getZExtValue();
-
- // Check if the init expr is a string literal.
- if (loc::MemRegionVal *MRV = dyn_cast<loc::MemRegionVal>(&Init)) {
- const StringRegion *S = cast<StringRegion>(MRV->getRegion());
-
- // Treat the string as a lazy compound value.
- nonloc::LazyCompoundVal LCV =
- cast<nonloc::LazyCompoundVal>(svalBuilder.makeLazyCompoundVal(store, S));
- return CopyLazyBindings(LCV, store, R);
- }
-
- // Handle lazy compound values.
- if (nonloc::LazyCompoundVal *LCV = dyn_cast<nonloc::LazyCompoundVal>(&Init))
- return CopyLazyBindings(*LCV, store, R);
-
- // Remaining case: explicit compound values.
-
- if (Init.isUnknown())
- return setImplicitDefaultValue(store, R, ElementTy);
-
- nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(Init);
- nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end();
- uint64_t i = 0;
-
- for (; Size.hasValue() ? i < Size.getValue() : true ; ++i, ++VI) {
- // The init list might be shorter than the array length.
- if (VI == VE)
- break;
-
- const NonLoc &Idx = svalBuilder.makeArrayIndex(i);
- const ElementRegion *ER = MRMgr.getElementRegion(ElementTy, Idx, R, Ctx);
-
- if (ElementTy->isStructureOrClassType())
- store = BindStruct(store, ER, *VI);
- else if (ElementTy->isArrayType())
- store = BindArray(store, ER, *VI);
- else
- store = Bind(store, svalBuilder.makeLoc(ER), *VI);
- }
-
- // If the init list is shorter than the array length, set the
- // array default value.
- if (Size.hasValue() && i < Size.getValue())
- store = setImplicitDefaultValue(store, R, ElementTy);
-
- return store;
-}
-
-Store RegionStoreManager::BindStruct(Store store, const TypedRegion* R,
- SVal V) {
-
- if (!Features.supportsFields())
- return store;
-
- QualType T = R->getValueType();
- assert(T->isStructureOrClassType());
-
- const RecordType* RT = T->getAs<RecordType>();
- RecordDecl* RD = RT->getDecl();
-
- if (!RD->isDefinition())
- return store;
-
- // Handle lazy compound values.
- if (const nonloc::LazyCompoundVal *LCV=dyn_cast<nonloc::LazyCompoundVal>(&V))
- return CopyLazyBindings(*LCV, store, R);
-
- // We may get non-CompoundVal accidentally due to imprecise cast logic or
- // that we are binding symbolic struct value. Kill the field values, and if
- // the value is symbolic go and bind it as a "default" binding.
- if (V.isUnknown() || !isa<nonloc::CompoundVal>(V)) {
- SVal SV = isa<nonloc::SymbolVal>(V) ? V : UnknownVal();
- return KillStruct(store, R, SV);
- }
-
- nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(V);
- nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end();
-
- RecordDecl::field_iterator FI, FE;
-
- for (FI = RD->field_begin(), FE = RD->field_end(); FI != FE; ++FI, ++VI) {
-
- if (VI == VE)
- break;
-
- QualType FTy = (*FI)->getType();
- const FieldRegion* FR = MRMgr.getFieldRegion(*FI, R);
-
- if (FTy->isArrayType())
- store = BindArray(store, FR, *VI);
- else if (FTy->isStructureOrClassType())
- store = BindStruct(store, FR, *VI);
- else
- store = Bind(store, svalBuilder.makeLoc(FR), *VI);
- }
-
- // There may be fewer values in the initialize list than the fields of struct.
- if (FI != FE) {
- RegionBindings B = GetRegionBindings(store);
- B = addBinding(B, R, BindingKey::Default, svalBuilder.makeIntVal(0, false));
- store = B.getRoot();
- }
-
- return store;
-}
-
-Store RegionStoreManager::KillStruct(Store store, const TypedRegion* R,
- SVal DefaultVal) {
- RegionBindings B = GetRegionBindings(store);
- llvm::OwningPtr<RegionStoreSubRegionMap>
- SubRegions(getRegionStoreSubRegionMap(store));
- RemoveSubRegionBindings(B, R, *SubRegions);
-
- // Set the default value of the struct region to "unknown".
- return addBinding(B, R, BindingKey::Default, DefaultVal).getRoot();
-}
-
-Store RegionStoreManager::CopyLazyBindings(nonloc::LazyCompoundVal V,
- Store store, const TypedRegion *R) {
-
- // Nuke the old bindings stemming from R.
- RegionBindings B = GetRegionBindings(store);
-
- llvm::OwningPtr<RegionStoreSubRegionMap>
- SubRegions(getRegionStoreSubRegionMap(store));
-
- // B and DVM are updated after the call to RemoveSubRegionBindings.
- RemoveSubRegionBindings(B, R, *SubRegions.get());
-
- // Now copy the bindings. This amounts to just binding 'V' to 'R'. This
- // results in a zero-copy algorithm.
- return addBinding(B, R, BindingKey::Direct, V).getRoot();
-}
-
-//===----------------------------------------------------------------------===//
-// "Raw" retrievals and bindings.
-//===----------------------------------------------------------------------===//
-
-
-RegionBindings RegionStoreManager::addBinding(RegionBindings B, BindingKey K,
- SVal V) {
- if (!K.isValid())
- return B;
- return RBFactory.add(B, K, V);
-}
-
-RegionBindings RegionStoreManager::addBinding(RegionBindings B,
- const MemRegion *R,
- BindingKey::Kind k, SVal V) {
- return addBinding(B, BindingKey::Make(R, k), V);
-}
-
-const SVal *RegionStoreManager::lookup(RegionBindings B, BindingKey K) {
- if (!K.isValid())
- return NULL;
- return B.lookup(K);
-}
-
-const SVal *RegionStoreManager::lookup(RegionBindings B,
- const MemRegion *R,
- BindingKey::Kind k) {
- return lookup(B, BindingKey::Make(R, k));
-}
-
-RegionBindings RegionStoreManager::removeBinding(RegionBindings B,
- BindingKey K) {
- if (!K.isValid())
- return B;
- return RBFactory.remove(B, K);
-}
-
-RegionBindings RegionStoreManager::removeBinding(RegionBindings B,
- const MemRegion *R,
- BindingKey::Kind k){
- return removeBinding(B, BindingKey::Make(R, k));
-}
-
-//===----------------------------------------------------------------------===//
-// State pruning.
-//===----------------------------------------------------------------------===//
-
-namespace {
-class RemoveDeadBindingsWorker :
- public ClusterAnalysis<RemoveDeadBindingsWorker> {
- llvm::SmallVector<const SymbolicRegion*, 12> Postponed;
- SymbolReaper &SymReaper;
- const StackFrameContext *CurrentLCtx;
-
-public:
- RemoveDeadBindingsWorker(RegionStoreManager &rm, GRStateManager &stateMgr,
- RegionBindings b, SymbolReaper &symReaper,
- const StackFrameContext *LCtx)
- : ClusterAnalysis<RemoveDeadBindingsWorker>(rm, stateMgr, b,
- /* includeGlobals = */ false),
- SymReaper(symReaper), CurrentLCtx(LCtx) {}
-
- // Called by ClusterAnalysis.
- void VisitAddedToCluster(const MemRegion *baseR, RegionCluster &C);
- void VisitCluster(const MemRegion *baseR, BindingKey *I, BindingKey *E);
-
- void VisitBindingKey(BindingKey K);
- bool UpdatePostponed();
- void VisitBinding(SVal V);
-};
-}
-
-void RemoveDeadBindingsWorker::VisitAddedToCluster(const MemRegion *baseR,
- RegionCluster &C) {
-
- if (const VarRegion *VR = dyn_cast<VarRegion>(baseR)) {
- if (SymReaper.isLive(VR))
- AddToWorkList(baseR, C);
-
- return;
- }
-
- if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(baseR)) {
- if (SymReaper.isLive(SR->getSymbol()))
- AddToWorkList(SR, C);
- else
- Postponed.push_back(SR);
-
- return;
- }
-
- if (isa<NonStaticGlobalSpaceRegion>(baseR)) {
- AddToWorkList(baseR, C);
- return;
- }
-
- // CXXThisRegion in the current or parent location context is live.
- if (const CXXThisRegion *TR = dyn_cast<CXXThisRegion>(baseR)) {
- const StackArgumentsSpaceRegion *StackReg =
- cast<StackArgumentsSpaceRegion>(TR->getSuperRegion());
- const StackFrameContext *RegCtx = StackReg->getStackFrame();
- if (RegCtx == CurrentLCtx || RegCtx->isParentOf(CurrentLCtx))
- AddToWorkList(TR, C);
- }
-}
-
-void RemoveDeadBindingsWorker::VisitCluster(const MemRegion *baseR,
- BindingKey *I, BindingKey *E) {
- for ( ; I != E; ++I)
- VisitBindingKey(*I);
-}
-
-void RemoveDeadBindingsWorker::VisitBinding(SVal V) {
- // Is it a LazyCompoundVal? All referenced regions are live as well.
- if (const nonloc::LazyCompoundVal *LCS =
- dyn_cast<nonloc::LazyCompoundVal>(&V)) {
-
- const MemRegion *LazyR = LCS->getRegion();
- RegionBindings B = RegionStoreManager::GetRegionBindings(LCS->getStore());
- for (RegionBindings::iterator RI = B.begin(), RE = B.end(); RI != RE; ++RI){
- const SubRegion *baseR = dyn_cast<SubRegion>(RI.getKey().getRegion());
- if (baseR && baseR->isSubRegionOf(LazyR))
- VisitBinding(RI.getData());
- }
- return;
- }
-
- // If V is a region, then add it to the worklist.
- if (const MemRegion *R = V.getAsRegion())
- AddToWorkList(R);
-
- // Update the set of live symbols.
- for (SVal::symbol_iterator SI=V.symbol_begin(), SE=V.symbol_end();
- SI!=SE;++SI)
- SymReaper.markLive(*SI);
-}
-
-void RemoveDeadBindingsWorker::VisitBindingKey(BindingKey K) {
- const MemRegion *R = K.getRegion();
-
- // Mark this region "live" by adding it to the worklist. This will cause
- // use to visit all regions in the cluster (if we haven't visited them
- // already).
- if (AddToWorkList(R)) {
- // Mark the symbol for any live SymbolicRegion as "live". This means we
- // should continue to track that symbol.
- if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(R))
- SymReaper.markLive(SymR->getSymbol());
-
- // For BlockDataRegions, enqueue the VarRegions for variables marked
- // with __block (passed-by-reference).
- // via BlockDeclRefExprs.
- if (const BlockDataRegion *BD = dyn_cast<BlockDataRegion>(R)) {
- for (BlockDataRegion::referenced_vars_iterator
- RI = BD->referenced_vars_begin(), RE = BD->referenced_vars_end();
- RI != RE; ++RI) {
- if ((*RI)->getDecl()->getAttr<BlocksAttr>())
- AddToWorkList(*RI);
- }
-
- // No possible data bindings on a BlockDataRegion.
- return;
- }
- }
-
- // Visit the data binding for K.
- if (const SVal *V = RM.lookup(B, K))
- VisitBinding(*V);
-}
-
-bool RemoveDeadBindingsWorker::UpdatePostponed() {
- // See if any postponed SymbolicRegions are actually live now, after
- // having done a scan.
- bool changed = false;
-
- for (llvm::SmallVectorImpl<const SymbolicRegion*>::iterator
- I = Postponed.begin(), E = Postponed.end() ; I != E ; ++I) {
- if (const SymbolicRegion *SR = cast_or_null<SymbolicRegion>(*I)) {
- if (SymReaper.isLive(SR->getSymbol())) {
- changed |= AddToWorkList(SR);
- *I = NULL;
- }
- }
- }
-
- return changed;
-}
-
-Store RegionStoreManager::RemoveDeadBindings(Store store,
- const StackFrameContext *LCtx,
- SymbolReaper& SymReaper,
- llvm::SmallVectorImpl<const MemRegion*>& RegionRoots)
-{
- RegionBindings B = GetRegionBindings(store);
- RemoveDeadBindingsWorker W(*this, StateMgr, B, SymReaper, LCtx);
- W.GenerateClusters();
-
- // Enqueue the region roots onto the worklist.
- for (llvm::SmallVectorImpl<const MemRegion*>::iterator I=RegionRoots.begin(),
- E=RegionRoots.end(); I!=E; ++I)
- W.AddToWorkList(*I);
-
- do W.RunWorkList(); while (W.UpdatePostponed());
-
- // We have now scanned the store, marking reachable regions and symbols
- // as live. We now remove all the regions that are dead from the store
- // as well as update DSymbols with the set symbols that are now dead.
- for (RegionBindings::iterator I = B.begin(), E = B.end(); I != E; ++I) {
- const BindingKey &K = I.getKey();
-
- // If the cluster has been visited, we know the region has been marked.
- if (W.isVisited(K.getRegion()))
- continue;
-
- // Remove the dead entry.
- B = removeBinding(B, K);
-
- // Mark all non-live symbols that this binding references as dead.
- if (const SymbolicRegion* SymR = dyn_cast<SymbolicRegion>(K.getRegion()))
- SymReaper.maybeDead(SymR->getSymbol());
-
- SVal X = I.getData();
- SVal::symbol_iterator SI = X.symbol_begin(), SE = X.symbol_end();
- for (; SI != SE; ++SI)
- SymReaper.maybeDead(*SI);
- }
-
- return B.getRoot();
-}
-
-
-Store RegionStoreManager::EnterStackFrame(const GRState *state,
- const StackFrameContext *frame) {
- FunctionDecl const *FD = cast<FunctionDecl>(frame->getDecl());
- FunctionDecl::param_const_iterator PI = FD->param_begin();
- Store store = state->getStore();
-
- if (CallExpr const *CE = dyn_cast<CallExpr>(frame->getCallSite())) {
- CallExpr::const_arg_iterator AI = CE->arg_begin(), AE = CE->arg_end();
-
- // Copy the arg expression value to the arg variables.
- for (; AI != AE; ++AI, ++PI) {
- SVal ArgVal = state->getSVal(*AI);
- store = Bind(store,
- svalBuilder.makeLoc(MRMgr.getVarRegion(*PI,frame)), ArgVal);
- }
- } else if (const CXXConstructExpr *CE =
- dyn_cast<CXXConstructExpr>(frame->getCallSite())) {
- CXXConstructExpr::const_arg_iterator AI = CE->arg_begin(),
- AE = CE->arg_end();
-
- // Copy the arg expression value to the arg variables.
- for (; AI != AE; ++AI, ++PI) {
- SVal ArgVal = state->getSVal(*AI);
- store = Bind(store,
- svalBuilder.makeLoc(MRMgr.getVarRegion(*PI,frame)), ArgVal);
- }
- } else
- assert(isa<CXXDestructorDecl>(frame->getDecl()));
-
- return store;
-}
-
-//===----------------------------------------------------------------------===//
-// Utility methods.
-//===----------------------------------------------------------------------===//
-
-void RegionStoreManager::print(Store store, llvm::raw_ostream& OS,
- const char* nl, const char *sep) {
- RegionBindings B = GetRegionBindings(store);
- OS << "Store (direct and default bindings):" << nl;
-
- for (RegionBindings::iterator I = B.begin(), E = B.end(); I != E; ++I)
- OS << ' ' << I.getKey() << " : " << I.getData() << nl;
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/SValBuilder.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/SValBuilder.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/SValBuilder.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/SValBuilder.cpp (removed)
@@ -1,310 +0,0 @@
-// SValBuilder.cpp - Basic class for all SValBuilder implementations -*- C++ -*-
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines SValBuilder, the base class for all (complete) SValBuilder
-// implementations.
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/StaticAnalyzer/PathSensitive/MemRegion.h"
-#include "clang/StaticAnalyzer/PathSensitive/SVals.h"
-#include "clang/StaticAnalyzer/PathSensitive/SValBuilder.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
-#include "clang/StaticAnalyzer/PathSensitive/BasicValueFactory.h"
-
-using namespace clang;
-using namespace ento;
-
-//===----------------------------------------------------------------------===//
-// Basic SVal creation.
-//===----------------------------------------------------------------------===//
-
-DefinedOrUnknownSVal SValBuilder::makeZeroVal(QualType T) {
- if (Loc::IsLocType(T))
- return makeNull();
-
- if (T->isIntegerType())
- return makeIntVal(0, T);
-
- // FIXME: Handle floats.
- // FIXME: Handle structs.
- return UnknownVal();
-}
-
-
-NonLoc SValBuilder::makeNonLoc(const SymExpr *lhs, BinaryOperator::Opcode op,
- const llvm::APSInt& v, QualType T) {
- // The Environment ensures we always get a persistent APSInt in
- // BasicValueFactory, so we don't need to get the APSInt from
- // BasicValueFactory again.
- assert(!Loc::IsLocType(T));
- return nonloc::SymExprVal(SymMgr.getSymIntExpr(lhs, op, v, T));
-}
-
-NonLoc SValBuilder::makeNonLoc(const SymExpr *lhs, BinaryOperator::Opcode op,
- const SymExpr *rhs, QualType T) {
- assert(SymMgr.getType(lhs) == SymMgr.getType(rhs));
- assert(!Loc::IsLocType(T));
- return nonloc::SymExprVal(SymMgr.getSymSymExpr(lhs, op, rhs, T));
-}
-
-
-SVal SValBuilder::convertToArrayIndex(SVal V) {
- if (V.isUnknownOrUndef())
- return V;
-
- // Common case: we have an appropriately sized integer.
- if (nonloc::ConcreteInt* CI = dyn_cast<nonloc::ConcreteInt>(&V)) {
- const llvm::APSInt& I = CI->getValue();
- if (I.getBitWidth() == ArrayIndexWidth && I.isSigned())
- return V;
- }
-
- return evalCastNL(cast<NonLoc>(V), ArrayIndexTy);
-}
-
-DefinedOrUnknownSVal
-SValBuilder::getRegionValueSymbolVal(const TypedRegion* R) {
- QualType T = R->getValueType();
-
- if (!SymbolManager::canSymbolicate(T))
- return UnknownVal();
-
- SymbolRef sym = SymMgr.getRegionValueSymbol(R);
-
- if (Loc::IsLocType(T))
- return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
-
- return nonloc::SymbolVal(sym);
-}
-
-DefinedOrUnknownSVal SValBuilder::getConjuredSymbolVal(const void *SymbolTag,
- const Expr *E,
- unsigned Count) {
- QualType T = E->getType();
-
- if (!SymbolManager::canSymbolicate(T))
- return UnknownVal();
-
- SymbolRef sym = SymMgr.getConjuredSymbol(E, Count, SymbolTag);
-
- if (Loc::IsLocType(T))
- return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
-
- return nonloc::SymbolVal(sym);
-}
-
-DefinedOrUnknownSVal SValBuilder::getConjuredSymbolVal(const void *SymbolTag,
- const Expr *E,
- QualType T,
- unsigned Count) {
-
- if (!SymbolManager::canSymbolicate(T))
- return UnknownVal();
-
- SymbolRef sym = SymMgr.getConjuredSymbol(E, T, Count, SymbolTag);
-
- if (Loc::IsLocType(T))
- return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
-
- return nonloc::SymbolVal(sym);
-}
-
-DefinedSVal SValBuilder::getMetadataSymbolVal(const void *SymbolTag,
- const MemRegion *MR,
- const Expr *E, QualType T,
- unsigned Count) {
- assert(SymbolManager::canSymbolicate(T) && "Invalid metadata symbol type");
-
- SymbolRef sym = SymMgr.getMetadataSymbol(MR, E, T, Count, SymbolTag);
-
- if (Loc::IsLocType(T))
- return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
-
- return nonloc::SymbolVal(sym);
-}
-
-DefinedOrUnknownSVal
-SValBuilder::getDerivedRegionValueSymbolVal(SymbolRef parentSymbol,
- const TypedRegion *R) {
- QualType T = R->getValueType();
-
- if (!SymbolManager::canSymbolicate(T))
- return UnknownVal();
-
- SymbolRef sym = SymMgr.getDerivedSymbol(parentSymbol, R);
-
- if (Loc::IsLocType(T))
- return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
-
- return nonloc::SymbolVal(sym);
-}
-
-DefinedSVal SValBuilder::getFunctionPointer(const FunctionDecl* FD) {
- return loc::MemRegionVal(MemMgr.getFunctionTextRegion(FD));
-}
-
-DefinedSVal SValBuilder::getBlockPointer(const BlockDecl *D,
- CanQualType locTy,
- const LocationContext *LC) {
- const BlockTextRegion *BC =
- MemMgr.getBlockTextRegion(D, locTy, LC->getAnalysisContext());
- const BlockDataRegion *BD = MemMgr.getBlockDataRegion(BC, LC);
- return loc::MemRegionVal(BD);
-}
-
-//===----------------------------------------------------------------------===//
-
-SVal SValBuilder::evalBinOp(const GRState *ST, BinaryOperator::Opcode Op,
- SVal L, SVal R, QualType T) {
-
- if (L.isUndef() || R.isUndef())
- return UndefinedVal();
-
- if (L.isUnknown() || R.isUnknown())
- return UnknownVal();
-
- if (isa<Loc>(L)) {
- if (isa<Loc>(R))
- return evalBinOpLL(ST, Op, cast<Loc>(L), cast<Loc>(R), T);
-
- return evalBinOpLN(ST, Op, cast<Loc>(L), cast<NonLoc>(R), T);
- }
-
- if (isa<Loc>(R)) {
- // Support pointer arithmetic where the addend is on the left
- // and the pointer on the right.
- assert(Op == BO_Add);
-
- // Commute the operands.
- return evalBinOpLN(ST, Op, cast<Loc>(R), cast<NonLoc>(L), T);
- }
-
- return evalBinOpNN(ST, Op, cast<NonLoc>(L), cast<NonLoc>(R), T);
-}
-
-DefinedOrUnknownSVal SValBuilder::evalEQ(const GRState *ST,
- DefinedOrUnknownSVal L,
- DefinedOrUnknownSVal R) {
- return cast<DefinedOrUnknownSVal>(evalBinOp(ST, BO_EQ, L, R,
- Context.IntTy));
-}
-
-// FIXME: should rewrite according to the cast kind.
-SVal SValBuilder::evalCast(SVal val, QualType castTy, QualType originalTy) {
- if (val.isUnknownOrUndef() || castTy == originalTy)
- return val;
-
- // For const casts, just propagate the value.
- if (!castTy->isVariableArrayType() && !originalTy->isVariableArrayType())
- if (Context.hasSameUnqualifiedType(castTy, originalTy))
- return val;
-
- // Check for casts to real or complex numbers. We don't handle these at all
- // right now.
- if (castTy->isFloatingType() || castTy->isAnyComplexType())
- return UnknownVal();
-
- // Check for casts from integers to integers.
- if (castTy->isIntegerType() && originalTy->isIntegerType())
- return evalCastNL(cast<NonLoc>(val), castTy);
-
- // Check for casts from pointers to integers.
- if (castTy->isIntegerType() && Loc::IsLocType(originalTy))
- return evalCastL(cast<Loc>(val), castTy);
-
- // Check for casts from integers to pointers.
- if (Loc::IsLocType(castTy) && originalTy->isIntegerType()) {
- if (nonloc::LocAsInteger *LV = dyn_cast<nonloc::LocAsInteger>(&val)) {
- if (const MemRegion *R = LV->getLoc().getAsRegion()) {
- StoreManager &storeMgr = StateMgr.getStoreManager();
- R = storeMgr.CastRegion(R, castTy);
- return R ? SVal(loc::MemRegionVal(R)) : UnknownVal();
- }
- return LV->getLoc();
- }
- goto DispatchCast;
- }
-
- // Just pass through function and block pointers.
- if (originalTy->isBlockPointerType() || originalTy->isFunctionPointerType()) {
- assert(Loc::IsLocType(castTy));
- return val;
- }
-
- // Check for casts from array type to another type.
- if (originalTy->isArrayType()) {
- // We will always decay to a pointer.
- val = StateMgr.ArrayToPointer(cast<Loc>(val));
-
- // Are we casting from an array to a pointer? If so just pass on
- // the decayed value.
- if (castTy->isPointerType())
- return val;
-
- // Are we casting from an array to an integer? If so, cast the decayed
- // pointer value to an integer.
- assert(castTy->isIntegerType());
-
- // FIXME: Keep these here for now in case we decide soon that we
- // need the original decayed type.
- // QualType elemTy = cast<ArrayType>(originalTy)->getElementType();
- // QualType pointerTy = C.getPointerType(elemTy);
- return evalCastL(cast<Loc>(val), castTy);
- }
-
- // Check for casts from a region to a specific type.
- if (const MemRegion *R = val.getAsRegion()) {
- // FIXME: We should handle the case where we strip off view layers to get
- // to a desugared type.
-
- if (!Loc::IsLocType(castTy)) {
- // FIXME: There can be gross cases where one casts the result of a function
- // (that returns a pointer) to some other value that happens to fit
- // within that pointer value. We currently have no good way to
- // model such operations. When this happens, the underlying operation
- // is that the caller is reasoning about bits. Conceptually we are
- // layering a "view" of a location on top of those bits. Perhaps
- // we need to be more lazy about mutual possible views, even on an
- // SVal? This may be necessary for bit-level reasoning as well.
- return UnknownVal();
- }
-
- // We get a symbolic function pointer for a dereference of a function
- // pointer, but it is of function type. Example:
-
- // struct FPRec {
- // void (*my_func)(int * x);
- // };
- //
- // int bar(int x);
- //
- // int f1_a(struct FPRec* foo) {
- // int x;
- // (*foo->my_func)(&x);
- // return bar(x)+1; // no-warning
- // }
-
- assert(Loc::IsLocType(originalTy) || originalTy->isFunctionType() ||
- originalTy->isBlockPointerType());
-
- StoreManager &storeMgr = StateMgr.getStoreManager();
-
- // Delegate to store manager to get the result of casting a region to a
- // different type. If the MemRegion* returned is NULL, this expression
- // Evaluates to UnknownVal.
- R = storeMgr.CastRegion(R, castTy);
- return R ? SVal(loc::MemRegionVal(R)) : UnknownVal();
- }
-
-DispatchCast:
- // All other cases.
- return isa<Loc>(val) ? evalCastL(cast<Loc>(val), castTy)
- : evalCastNL(cast<NonLoc>(val), castTy);
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/SVals.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/SVals.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/SVals.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/SVals.cpp (removed)
@@ -1,361 +0,0 @@
-//= RValues.cpp - Abstract RValues for Path-Sens. Value Tracking -*- C++ -*-==//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines SVal, Loc, and NonLoc, classes that represent
-// abstract r-values for use with path-sensitive value tracking.
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
-#include "clang/Basic/IdentifierTable.h"
-
-using namespace clang;
-using namespace ento;
-using llvm::dyn_cast;
-using llvm::cast;
-using llvm::APSInt;
-
-//===----------------------------------------------------------------------===//
-// Symbol iteration within an SVal.
-//===----------------------------------------------------------------------===//
-
-
-//===----------------------------------------------------------------------===//
-// Utility methods.
-//===----------------------------------------------------------------------===//
-
-bool SVal::hasConjuredSymbol() const {
- if (const nonloc::SymbolVal* SV = dyn_cast<nonloc::SymbolVal>(this)) {
- SymbolRef sym = SV->getSymbol();
- if (isa<SymbolConjured>(sym))
- return true;
- }
-
- if (const loc::MemRegionVal *RV = dyn_cast<loc::MemRegionVal>(this)) {
- const MemRegion *R = RV->getRegion();
- if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) {
- SymbolRef sym = SR->getSymbol();
- if (isa<SymbolConjured>(sym))
- return true;
- }
- }
-
- return false;
-}
-
-const FunctionDecl *SVal::getAsFunctionDecl() const {
- if (const loc::MemRegionVal* X = dyn_cast<loc::MemRegionVal>(this)) {
- const MemRegion* R = X->getRegion();
- if (const FunctionTextRegion *CTR = R->getAs<FunctionTextRegion>())
- return CTR->getDecl();
- }
-
- return NULL;
-}
-
-/// getAsLocSymbol - If this SVal is a location (subclasses Loc) and
-/// wraps a symbol, return that SymbolRef. Otherwise return 0.
-// FIXME: should we consider SymbolRef wrapped in CodeTextRegion?
-SymbolRef SVal::getAsLocSymbol() const {
- if (const nonloc::LocAsInteger *X = dyn_cast<nonloc::LocAsInteger>(this))
- return X->getLoc().getAsLocSymbol();
-
- if (const loc::MemRegionVal *X = dyn_cast<loc::MemRegionVal>(this)) {
- const MemRegion *R = X->StripCasts();
- if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(R))
- return SymR->getSymbol();
- }
- return NULL;
-}
-
-/// Get the symbol in the SVal or its base region.
-SymbolRef SVal::getLocSymbolInBase() const {
- const loc::MemRegionVal *X = dyn_cast<loc::MemRegionVal>(this);
-
- if (!X)
- return 0;
-
- const MemRegion *R = X->getRegion();
-
- while (const SubRegion *SR = dyn_cast<SubRegion>(R)) {
- if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(SR))
- return SymR->getSymbol();
- else
- R = SR->getSuperRegion();
- }
-
- return 0;
-}
-
-/// getAsSymbol - If this Sval wraps a symbol return that SymbolRef.
-/// Otherwise return 0.
-// FIXME: should we consider SymbolRef wrapped in CodeTextRegion?
-SymbolRef SVal::getAsSymbol() const {
- if (const nonloc::SymbolVal *X = dyn_cast<nonloc::SymbolVal>(this))
- return X->getSymbol();
-
- if (const nonloc::SymExprVal *X = dyn_cast<nonloc::SymExprVal>(this))
- if (SymbolRef Y = dyn_cast<SymbolData>(X->getSymbolicExpression()))
- return Y;
-
- return getAsLocSymbol();
-}
-
-/// getAsSymbolicExpression - If this Sval wraps a symbolic expression then
-/// return that expression. Otherwise return NULL.
-const SymExpr *SVal::getAsSymbolicExpression() const {
- if (const nonloc::SymExprVal *X = dyn_cast<nonloc::SymExprVal>(this))
- return X->getSymbolicExpression();
-
- return getAsSymbol();
-}
-
-const MemRegion *SVal::getAsRegion() const {
- if (const loc::MemRegionVal *X = dyn_cast<loc::MemRegionVal>(this))
- return X->getRegion();
-
- if (const nonloc::LocAsInteger *X = dyn_cast<nonloc::LocAsInteger>(this)) {
- return X->getLoc().getAsRegion();
- }
-
- return 0;
-}
-
-const MemRegion *loc::MemRegionVal::StripCasts() const {
- const MemRegion *R = getRegion();
- return R ? R->StripCasts() : NULL;
-}
-
-bool SVal::symbol_iterator::operator==(const symbol_iterator &X) const {
- return itr == X.itr;
-}
-
-bool SVal::symbol_iterator::operator!=(const symbol_iterator &X) const {
- return itr != X.itr;
-}
-
-SVal::symbol_iterator::symbol_iterator(const SymExpr *SE) {
- itr.push_back(SE);
- while (!isa<SymbolData>(itr.back())) expand();
-}
-
-SVal::symbol_iterator& SVal::symbol_iterator::operator++() {
- assert(!itr.empty() && "attempting to iterate on an 'end' iterator");
- assert(isa<SymbolData>(itr.back()));
- itr.pop_back();
- if (!itr.empty())
- while (!isa<SymbolData>(itr.back())) expand();
- return *this;
-}
-
-SymbolRef SVal::symbol_iterator::operator*() {
- assert(!itr.empty() && "attempting to dereference an 'end' iterator");
- return cast<SymbolData>(itr.back());
-}
-
-void SVal::symbol_iterator::expand() {
- const SymExpr *SE = itr.back();
- itr.pop_back();
-
- if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(SE)) {
- itr.push_back(SIE->getLHS());
- return;
- }
- else if (const SymSymExpr *SSE = dyn_cast<SymSymExpr>(SE)) {
- itr.push_back(SSE->getLHS());
- itr.push_back(SSE->getRHS());
- return;
- }
-
- assert(false && "unhandled expansion case");
-}
-
-const void *nonloc::LazyCompoundVal::getStore() const {
- return static_cast<const LazyCompoundValData*>(Data)->getStore();
-}
-
-const TypedRegion *nonloc::LazyCompoundVal::getRegion() const {
- return static_cast<const LazyCompoundValData*>(Data)->getRegion();
-}
-
-//===----------------------------------------------------------------------===//
-// Other Iterators.
-//===----------------------------------------------------------------------===//
-
-nonloc::CompoundVal::iterator nonloc::CompoundVal::begin() const {
- return getValue()->begin();
-}
-
-nonloc::CompoundVal::iterator nonloc::CompoundVal::end() const {
- return getValue()->end();
-}
-
-//===----------------------------------------------------------------------===//
-// Useful predicates.
-//===----------------------------------------------------------------------===//
-
-bool SVal::isConstant() const {
- return isa<nonloc::ConcreteInt>(this) || isa<loc::ConcreteInt>(this);
-}
-
-bool SVal::isConstant(int I) const {
- if (isa<loc::ConcreteInt>(*this))
- return cast<loc::ConcreteInt>(*this).getValue() == I;
- else if (isa<nonloc::ConcreteInt>(*this))
- return cast<nonloc::ConcreteInt>(*this).getValue() == I;
- else
- return false;
-}
-
-bool SVal::isZeroConstant() const {
- return isConstant(0);
-}
-
-
-//===----------------------------------------------------------------------===//
-// Transfer function dispatch for Non-Locs.
-//===----------------------------------------------------------------------===//
-
-SVal nonloc::ConcreteInt::evalBinOp(SValBuilder &svalBuilder,
- BinaryOperator::Opcode Op,
- const nonloc::ConcreteInt& R) const {
- const llvm::APSInt* X =
- svalBuilder.getBasicValueFactory().evalAPSInt(Op, getValue(), R.getValue());
-
- if (X)
- return nonloc::ConcreteInt(*X);
- else
- return UndefinedVal();
-}
-
-nonloc::ConcreteInt
-nonloc::ConcreteInt::evalComplement(SValBuilder &svalBuilder) const {
- return svalBuilder.makeIntVal(~getValue());
-}
-
-nonloc::ConcreteInt
-nonloc::ConcreteInt::evalMinus(SValBuilder &svalBuilder) const {
- return svalBuilder.makeIntVal(-getValue());
-}
-
-//===----------------------------------------------------------------------===//
-// Transfer function dispatch for Locs.
-//===----------------------------------------------------------------------===//
-
-SVal loc::ConcreteInt::evalBinOp(BasicValueFactory& BasicVals,
- BinaryOperator::Opcode Op,
- const loc::ConcreteInt& R) const {
-
- assert (Op == BO_Add || Op == BO_Sub ||
- (Op >= BO_LT && Op <= BO_NE));
-
- const llvm::APSInt* X = BasicVals.evalAPSInt(Op, getValue(), R.getValue());
-
- if (X)
- return loc::ConcreteInt(*X);
- else
- return UndefinedVal();
-}
-
-//===----------------------------------------------------------------------===//
-// Pretty-Printing.
-//===----------------------------------------------------------------------===//
-
-void SVal::dump() const { dumpToStream(llvm::errs()); }
-
-void SVal::dumpToStream(llvm::raw_ostream& os) const {
- switch (getBaseKind()) {
- case UnknownKind:
- os << "Unknown";
- break;
- case NonLocKind:
- cast<NonLoc>(this)->dumpToStream(os);
- break;
- case LocKind:
- cast<Loc>(this)->dumpToStream(os);
- break;
- case UndefinedKind:
- os << "Undefined";
- break;
- default:
- assert (false && "Invalid SVal.");
- }
-}
-
-void NonLoc::dumpToStream(llvm::raw_ostream& os) const {
- switch (getSubKind()) {
- case nonloc::ConcreteIntKind: {
- const nonloc::ConcreteInt& C = *cast<nonloc::ConcreteInt>(this);
- if (C.getValue().isUnsigned())
- os << C.getValue().getZExtValue();
- else
- os << C.getValue().getSExtValue();
- os << ' ' << (C.getValue().isUnsigned() ? 'U' : 'S')
- << C.getValue().getBitWidth() << 'b';
- break;
- }
- case nonloc::SymbolValKind:
- os << '$' << cast<nonloc::SymbolVal>(this)->getSymbol();
- break;
- case nonloc::SymExprValKind: {
- const nonloc::SymExprVal& C = *cast<nonloc::SymExprVal>(this);
- const SymExpr *SE = C.getSymbolicExpression();
- os << SE;
- break;
- }
- case nonloc::LocAsIntegerKind: {
- const nonloc::LocAsInteger& C = *cast<nonloc::LocAsInteger>(this);
- os << C.getLoc() << " [as " << C.getNumBits() << " bit integer]";
- break;
- }
- case nonloc::CompoundValKind: {
- const nonloc::CompoundVal& C = *cast<nonloc::CompoundVal>(this);
- os << "compoundVal{";
- bool first = true;
- for (nonloc::CompoundVal::iterator I=C.begin(), E=C.end(); I!=E; ++I) {
- if (first) {
- os << ' '; first = false;
- }
- else
- os << ", ";
-
- (*I).dumpToStream(os);
- }
- os << "}";
- break;
- }
- case nonloc::LazyCompoundValKind: {
- const nonloc::LazyCompoundVal &C = *cast<nonloc::LazyCompoundVal>(this);
- os << "lazyCompoundVal{" << const_cast<void *>(C.getStore())
- << ',' << C.getRegion()
- << '}';
- break;
- }
- default:
- assert (false && "Pretty-printed not implemented for this NonLoc.");
- break;
- }
-}
-
-void Loc::dumpToStream(llvm::raw_ostream& os) const {
- switch (getSubKind()) {
- case loc::ConcreteIntKind:
- os << cast<loc::ConcreteInt>(this)->getValue().getZExtValue() << " (Loc)";
- break;
- case loc::GotoLabelKind:
- os << "&&" << cast<loc::GotoLabel>(this)->getLabel()->getID()->getName();
- break;
- case loc::MemRegionKind:
- os << '&' << cast<loc::MemRegionVal>(this)->getRegion()->getString();
- break;
- default:
- assert(false && "Pretty-printing not implemented for this Loc.");
- break;
- }
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/SimpleConstraintManager.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/SimpleConstraintManager.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/SimpleConstraintManager.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/SimpleConstraintManager.cpp (removed)
@@ -1,303 +0,0 @@
-//== SimpleConstraintManager.cpp --------------------------------*- C++ -*--==//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines SimpleConstraintManager, a class that holds code shared
-// between BasicConstraintManager and RangeConstraintManager.
-//
-//===----------------------------------------------------------------------===//
-
-#include "SimpleConstraintManager.h"
-#include "clang/StaticAnalyzer/PathSensitive/ExprEngine.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
-#include "clang/StaticAnalyzer/PathSensitive/Checker.h"
-
-namespace clang {
-
-namespace ento {
-
-SimpleConstraintManager::~SimpleConstraintManager() {}
-
-bool SimpleConstraintManager::canReasonAbout(SVal X) const {
- if (nonloc::SymExprVal *SymVal = dyn_cast<nonloc::SymExprVal>(&X)) {
- const SymExpr *SE = SymVal->getSymbolicExpression();
-
- if (isa<SymbolData>(SE))
- return true;
-
- if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(SE)) {
- switch (SIE->getOpcode()) {
- // We don't reason yet about bitwise-constraints on symbolic values.
- case BO_And:
- case BO_Or:
- case BO_Xor:
- return false;
- // We don't reason yet about these arithmetic constraints on
- // symbolic values.
- case BO_Mul:
- case BO_Div:
- case BO_Rem:
- case BO_Shl:
- case BO_Shr:
- return false;
- // All other cases.
- default:
- return true;
- }
- }
-
- return false;
- }
-
- return true;
-}
-
-const GRState *SimpleConstraintManager::assume(const GRState *state,
- DefinedSVal Cond,
- bool Assumption) {
- if (isa<NonLoc>(Cond))
- return assume(state, cast<NonLoc>(Cond), Assumption);
- else
- return assume(state, cast<Loc>(Cond), Assumption);
-}
-
-const GRState *SimpleConstraintManager::assume(const GRState *state, Loc cond,
- bool assumption) {
- state = assumeAux(state, cond, assumption);
- return SU.ProcessAssume(state, cond, assumption);
-}
-
-const GRState *SimpleConstraintManager::assumeAux(const GRState *state,
- Loc Cond, bool Assumption) {
-
- BasicValueFactory &BasicVals = state->getBasicVals();
-
- switch (Cond.getSubKind()) {
- default:
- assert (false && "'Assume' not implemented for this Loc.");
- return state;
-
- case loc::MemRegionKind: {
- // FIXME: Should this go into the storemanager?
-
- const MemRegion *R = cast<loc::MemRegionVal>(Cond).getRegion();
- const SubRegion *SubR = dyn_cast<SubRegion>(R);
-
- while (SubR) {
- // FIXME: now we only find the first symbolic region.
- if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(SubR)) {
- const llvm::APSInt &zero = BasicVals.getZeroWithPtrWidth();
- if (Assumption)
- return assumeSymNE(state, SymR->getSymbol(), zero, zero);
- else
- return assumeSymEQ(state, SymR->getSymbol(), zero, zero);
- }
- SubR = dyn_cast<SubRegion>(SubR->getSuperRegion());
- }
-
- // FALL-THROUGH.
- }
-
- case loc::GotoLabelKind:
- return Assumption ? state : NULL;
-
- case loc::ConcreteIntKind: {
- bool b = cast<loc::ConcreteInt>(Cond).getValue() != 0;
- bool isFeasible = b ? Assumption : !Assumption;
- return isFeasible ? state : NULL;
- }
- } // end switch
-}
-
-const GRState *SimpleConstraintManager::assume(const GRState *state,
- NonLoc cond,
- bool assumption) {
- state = assumeAux(state, cond, assumption);
- return SU.ProcessAssume(state, cond, assumption);
-}
-
-static BinaryOperator::Opcode NegateComparison(BinaryOperator::Opcode op) {
- // FIXME: This should probably be part of BinaryOperator, since this isn't
- // the only place it's used. (This code was copied from SimpleSValBuilder.cpp.)
- switch (op) {
- default:
- assert(false && "Invalid opcode.");
- case BO_LT: return BO_GE;
- case BO_GT: return BO_LE;
- case BO_LE: return BO_GT;
- case BO_GE: return BO_LT;
- case BO_EQ: return BO_NE;
- case BO_NE: return BO_EQ;
- }
-}
-
-const GRState *SimpleConstraintManager::assumeAux(const GRState *state,
- NonLoc Cond,
- bool Assumption) {
-
- // We cannot reason about SymSymExprs,
- // and can only reason about some SymIntExprs.
- if (!canReasonAbout(Cond)) {
- // Just return the current state indicating that the path is feasible.
- // This may be an over-approximation of what is possible.
- return state;
- }
-
- BasicValueFactory &BasicVals = state->getBasicVals();
- SymbolManager &SymMgr = state->getSymbolManager();
-
- switch (Cond.getSubKind()) {
- default:
- assert(false && "'Assume' not implemented for this NonLoc");
-
- case nonloc::SymbolValKind: {
- nonloc::SymbolVal& SV = cast<nonloc::SymbolVal>(Cond);
- SymbolRef sym = SV.getSymbol();
- QualType T = SymMgr.getType(sym);
- const llvm::APSInt &zero = BasicVals.getValue(0, T);
- if (Assumption)
- return assumeSymNE(state, sym, zero, zero);
- else
- return assumeSymEQ(state, sym, zero, zero);
- }
-
- case nonloc::SymExprValKind: {
- nonloc::SymExprVal V = cast<nonloc::SymExprVal>(Cond);
-
- // For now, we only handle expressions whose RHS is an integer.
- // All other expressions are assumed to be feasible.
- const SymIntExpr *SE = dyn_cast<SymIntExpr>(V.getSymbolicExpression());
- if (!SE)
- return state;
-
- BinaryOperator::Opcode op = SE->getOpcode();
- // Implicitly compare non-comparison expressions to 0.
- if (!BinaryOperator::isComparisonOp(op)) {
- QualType T = SymMgr.getType(SE);
- const llvm::APSInt &zero = BasicVals.getValue(0, T);
- op = (Assumption ? BO_NE : BO_EQ);
- return assumeSymRel(state, SE, op, zero);
- }
-
- // From here on out, op is the real comparison we'll be testing.
- if (!Assumption)
- op = NegateComparison(op);
-
- return assumeSymRel(state, SE->getLHS(), op, SE->getRHS());
- }
-
- case nonloc::ConcreteIntKind: {
- bool b = cast<nonloc::ConcreteInt>(Cond).getValue() != 0;
- bool isFeasible = b ? Assumption : !Assumption;
- return isFeasible ? state : NULL;
- }
-
- case nonloc::LocAsIntegerKind:
- return assumeAux(state, cast<nonloc::LocAsInteger>(Cond).getLoc(),
- Assumption);
- } // end switch
-}
-
-const GRState *SimpleConstraintManager::assumeSymRel(const GRState *state,
- const SymExpr *LHS,
- BinaryOperator::Opcode op,
- const llvm::APSInt& Int) {
- assert(BinaryOperator::isComparisonOp(op) &&
- "Non-comparison ops should be rewritten as comparisons to zero.");
-
- // We only handle simple comparisons of the form "$sym == constant"
- // or "($sym+constant1) == constant2".
- // The adjustment is "constant1" in the above expression. It's used to
- // "slide" the solution range around for modular arithmetic. For example,
- // x < 4 has the solution [0, 3]. x+2 < 4 has the solution [0-2, 3-2], which
- // in modular arithmetic is [0, 1] U [UINT_MAX-1, UINT_MAX]. It's up to
- // the subclasses of SimpleConstraintManager to handle the adjustment.
- llvm::APSInt Adjustment;
-
- // First check if the LHS is a simple symbol reference.
- SymbolRef Sym = dyn_cast<SymbolData>(LHS);
- if (Sym) {
- Adjustment = 0;
- } else {
- // Next, see if it's a "($sym+constant1)" expression.
- const SymIntExpr *SE = dyn_cast<SymIntExpr>(LHS);
-
- // We don't handle "($sym1+$sym2)".
- // Give up and assume the constraint is feasible.
- if (!SE)
- return state;
-
- // We don't handle "(<expr>+constant1)".
- // Give up and assume the constraint is feasible.
- Sym = dyn_cast<SymbolData>(SE->getLHS());
- if (!Sym)
- return state;
-
- // Get the constant out of the expression "($sym+constant1)".
- switch (SE->getOpcode()) {
- case BO_Add:
- Adjustment = SE->getRHS();
- break;
- case BO_Sub:
- Adjustment = -SE->getRHS();
- break;
- default:
- // We don't handle non-additive operators.
- // Give up and assume the constraint is feasible.
- return state;
- }
- }
-
- // FIXME: This next section is a hack. It silently converts the integers to
- // be of the same type as the symbol, which is not always correct. Really the
- // comparisons should be performed using the Int's type, then mapped back to
- // the symbol's range of values.
- GRStateManager &StateMgr = state->getStateManager();
- ASTContext &Ctx = StateMgr.getContext();
-
- QualType T = Sym->getType(Ctx);
- assert(T->isIntegerType() || Loc::IsLocType(T));
- unsigned bitwidth = Ctx.getTypeSize(T);
- bool isSymUnsigned = T->isUnsignedIntegerType() || Loc::IsLocType(T);
-
- // Convert the adjustment.
- Adjustment.setIsUnsigned(isSymUnsigned);
- Adjustment = Adjustment.extOrTrunc(bitwidth);
-
- // Convert the right-hand side integer.
- llvm::APSInt ConvertedInt(Int, isSymUnsigned);
- ConvertedInt = ConvertedInt.extOrTrunc(bitwidth);
-
- switch (op) {
- default:
- // No logic yet for other operators. assume the constraint is feasible.
- return state;
-
- case BO_EQ:
- return assumeSymEQ(state, Sym, ConvertedInt, Adjustment);
-
- case BO_NE:
- return assumeSymNE(state, Sym, ConvertedInt, Adjustment);
-
- case BO_GT:
- return assumeSymGT(state, Sym, ConvertedInt, Adjustment);
-
- case BO_GE:
- return assumeSymGE(state, Sym, ConvertedInt, Adjustment);
-
- case BO_LT:
- return assumeSymLT(state, Sym, ConvertedInt, Adjustment);
-
- case BO_LE:
- return assumeSymLE(state, Sym, ConvertedInt, Adjustment);
- } // end switch
-}
-
-} // end of namespace ento
-
-} // end of namespace clang
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/SimpleConstraintManager.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/SimpleConstraintManager.h?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/SimpleConstraintManager.h (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/SimpleConstraintManager.h (removed)
@@ -1,93 +0,0 @@
-//== SimpleConstraintManager.h ----------------------------------*- C++ -*--==//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// Code shared between BasicConstraintManager and RangeConstraintManager.
-//
-//===----------------------------------------------------------------------===//
-
-#ifndef LLVM_CLANG_GR_SIMPLE_CONSTRAINT_MANAGER_H
-#define LLVM_CLANG_GR_SIMPLE_CONSTRAINT_MANAGER_H
-
-#include "clang/StaticAnalyzer/PathSensitive/ConstraintManager.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
-
-namespace clang {
-
-namespace ento {
-
-class SimpleConstraintManager : public ConstraintManager {
- SubEngine &SU;
-public:
- SimpleConstraintManager(SubEngine &subengine) : SU(subengine) {}
- virtual ~SimpleConstraintManager();
-
- //===------------------------------------------------------------------===//
- // Common implementation for the interface provided by ConstraintManager.
- //===------------------------------------------------------------------===//
-
- bool canReasonAbout(SVal X) const;
-
- const GRState *assume(const GRState *state, DefinedSVal Cond,
- bool Assumption);
-
- const GRState *assume(const GRState *state, Loc Cond, bool Assumption);
-
- const GRState *assume(const GRState *state, NonLoc Cond, bool Assumption);
-
- const GRState *assumeSymRel(const GRState *state,
- const SymExpr *LHS,
- BinaryOperator::Opcode op,
- const llvm::APSInt& Int);
-
-protected:
-
- //===------------------------------------------------------------------===//
- // Interface that subclasses must implement.
- //===------------------------------------------------------------------===//
-
- // Each of these is of the form "$sym+Adj <> V", where "<>" is the comparison
- // operation for the method being invoked.
- virtual const GRState *assumeSymNE(const GRState *state, SymbolRef sym,
- const llvm::APSInt& V,
- const llvm::APSInt& Adjustment) = 0;
-
- virtual const GRState *assumeSymEQ(const GRState *state, SymbolRef sym,
- const llvm::APSInt& V,
- const llvm::APSInt& Adjustment) = 0;
-
- virtual const GRState *assumeSymLT(const GRState *state, SymbolRef sym,
- const llvm::APSInt& V,
- const llvm::APSInt& Adjustment) = 0;
-
- virtual const GRState *assumeSymGT(const GRState *state, SymbolRef sym,
- const llvm::APSInt& V,
- const llvm::APSInt& Adjustment) = 0;
-
- virtual const GRState *assumeSymLE(const GRState *state, SymbolRef sym,
- const llvm::APSInt& V,
- const llvm::APSInt& Adjustment) = 0;
-
- virtual const GRState *assumeSymGE(const GRState *state, SymbolRef sym,
- const llvm::APSInt& V,
- const llvm::APSInt& Adjustment) = 0;
-
- //===------------------------------------------------------------------===//
- // Internal implementation.
- //===------------------------------------------------------------------===//
-
- const GRState *assumeAux(const GRState *state, Loc Cond,bool Assumption);
-
- const GRState *assumeAux(const GRState *state, NonLoc Cond, bool Assumption);
-};
-
-} // end GR namespace
-
-} // end clang namespace
-
-#endif
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/SimpleSValBuilder.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/SimpleSValBuilder.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/SimpleSValBuilder.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/SimpleSValBuilder.cpp (removed)
@@ -1,884 +0,0 @@
-// SimpleSValBuilder.cpp - A basic SValBuilder -----------------------*- C++ -*-
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines SimpleSValBuilder, a basic implementation of SValBuilder.
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/StaticAnalyzer/PathSensitive/SValBuilder.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
-
-using namespace clang;
-using namespace ento;
-
-namespace {
-class SimpleSValBuilder : public SValBuilder {
-protected:
- virtual SVal evalCastNL(NonLoc val, QualType castTy);
- virtual SVal evalCastL(Loc val, QualType castTy);
-
-public:
- SimpleSValBuilder(llvm::BumpPtrAllocator &alloc, ASTContext &context,
- GRStateManager &stateMgr)
- : SValBuilder(alloc, context, stateMgr) {}
- virtual ~SimpleSValBuilder() {}
-
- virtual SVal evalMinus(NonLoc val);
- virtual SVal evalComplement(NonLoc val);
- virtual SVal evalBinOpNN(const GRState *state, BinaryOperator::Opcode op,
- NonLoc lhs, NonLoc rhs, QualType resultTy);
- virtual SVal evalBinOpLL(const GRState *state, BinaryOperator::Opcode op,
- Loc lhs, Loc rhs, QualType resultTy);
- virtual SVal evalBinOpLN(const GRState *state, BinaryOperator::Opcode op,
- Loc lhs, NonLoc rhs, QualType resultTy);
-
- /// getKnownValue - evaluates a given SVal. If the SVal has only one possible
- /// (integer) value, that value is returned. Otherwise, returns NULL.
- virtual const llvm::APSInt *getKnownValue(const GRState *state, SVal V);
-
- SVal MakeSymIntVal(const SymExpr *LHS, BinaryOperator::Opcode op,
- const llvm::APSInt &RHS, QualType resultTy);
-};
-} // end anonymous namespace
-
-SValBuilder *ento::createSimpleSValBuilder(llvm::BumpPtrAllocator &alloc,
- ASTContext &context,
- GRStateManager &stateMgr) {
- return new SimpleSValBuilder(alloc, context, stateMgr);
-}
-
-//===----------------------------------------------------------------------===//
-// Transfer function for Casts.
-//===----------------------------------------------------------------------===//
-
-SVal SimpleSValBuilder::evalCastNL(NonLoc val, QualType castTy) {
-
- bool isLocType = Loc::IsLocType(castTy);
-
- if (nonloc::LocAsInteger *LI = dyn_cast<nonloc::LocAsInteger>(&val)) {
- if (isLocType)
- return LI->getLoc();
-
- // FIXME: Correctly support promotions/truncations.
- unsigned castSize = Context.getTypeSize(castTy);
- if (castSize == LI->getNumBits())
- return val;
- return makeLocAsInteger(LI->getLoc(), castSize);
- }
-
- if (const SymExpr *se = val.getAsSymbolicExpression()) {
- QualType T = Context.getCanonicalType(se->getType(Context));
- if (T == Context.getCanonicalType(castTy))
- return val;
-
- // FIXME: Remove this hack when we support symbolic truncation/extension.
- // HACK: If both castTy and T are integers, ignore the cast. This is
- // not a permanent solution. Eventually we want to precisely handle
- // extension/truncation of symbolic integers. This prevents us from losing
- // precision when we assign 'x = y' and 'y' is symbolic and x and y are
- // different integer types.
- if (T->isIntegerType() && castTy->isIntegerType())
- return val;
-
- return UnknownVal();
- }
-
- if (!isa<nonloc::ConcreteInt>(val))
- return UnknownVal();
-
- // Only handle casts from integers to integers.
- if (!isLocType && !castTy->isIntegerType())
- return UnknownVal();
-
- llvm::APSInt i = cast<nonloc::ConcreteInt>(val).getValue();
- i.setIsUnsigned(castTy->isUnsignedIntegerType() || Loc::IsLocType(castTy));
- i = i.extOrTrunc(Context.getTypeSize(castTy));
-
- if (isLocType)
- return makeIntLocVal(i);
- else
- return makeIntVal(i);
-}
-
-SVal SimpleSValBuilder::evalCastL(Loc val, QualType castTy) {
-
- // Casts from pointers -> pointers, just return the lval.
- //
- // Casts from pointers -> references, just return the lval. These
- // can be introduced by the frontend for corner cases, e.g
- // casting from va_list* to __builtin_va_list&.
- //
- if (Loc::IsLocType(castTy) || castTy->isReferenceType())
- return val;
-
- // FIXME: Handle transparent unions where a value can be "transparently"
- // lifted into a union type.
- if (castTy->isUnionType())
- return UnknownVal();
-
- if (castTy->isIntegerType()) {
- unsigned BitWidth = Context.getTypeSize(castTy);
-
- if (!isa<loc::ConcreteInt>(val))
- return makeLocAsInteger(val, BitWidth);
-
- llvm::APSInt i = cast<loc::ConcreteInt>(val).getValue();
- i.setIsUnsigned(castTy->isUnsignedIntegerType() || Loc::IsLocType(castTy));
- i = i.extOrTrunc(BitWidth);
- return makeIntVal(i);
- }
-
- // All other cases: return 'UnknownVal'. This includes casting pointers
- // to floats, which is probably badness it itself, but this is a good
- // intermediate solution until we do something better.
- return UnknownVal();
-}
-
-//===----------------------------------------------------------------------===//
-// Transfer function for unary operators.
-//===----------------------------------------------------------------------===//
-
-SVal SimpleSValBuilder::evalMinus(NonLoc val) {
- switch (val.getSubKind()) {
- case nonloc::ConcreteIntKind:
- return cast<nonloc::ConcreteInt>(val).evalMinus(*this);
- default:
- return UnknownVal();
- }
-}
-
-SVal SimpleSValBuilder::evalComplement(NonLoc X) {
- switch (X.getSubKind()) {
- case nonloc::ConcreteIntKind:
- return cast<nonloc::ConcreteInt>(X).evalComplement(*this);
- default:
- return UnknownVal();
- }
-}
-
-//===----------------------------------------------------------------------===//
-// Transfer function for binary operators.
-//===----------------------------------------------------------------------===//
-
-static BinaryOperator::Opcode NegateComparison(BinaryOperator::Opcode op) {
- switch (op) {
- default:
- assert(false && "Invalid opcode.");
- case BO_LT: return BO_GE;
- case BO_GT: return BO_LE;
- case BO_LE: return BO_GT;
- case BO_GE: return BO_LT;
- case BO_EQ: return BO_NE;
- case BO_NE: return BO_EQ;
- }
-}
-
-static BinaryOperator::Opcode ReverseComparison(BinaryOperator::Opcode op) {
- switch (op) {
- default:
- assert(false && "Invalid opcode.");
- case BO_LT: return BO_GT;
- case BO_GT: return BO_LT;
- case BO_LE: return BO_GE;
- case BO_GE: return BO_LE;
- case BO_EQ:
- case BO_NE:
- return op;
- }
-}
-
-SVal SimpleSValBuilder::MakeSymIntVal(const SymExpr *LHS,
- BinaryOperator::Opcode op,
- const llvm::APSInt &RHS,
- QualType resultTy) {
- bool isIdempotent = false;
-
- // Check for a few special cases with known reductions first.
- switch (op) {
- default:
- // We can't reduce this case; just treat it normally.
- break;
- case BO_Mul:
- // a*0 and a*1
- if (RHS == 0)
- return makeIntVal(0, resultTy);
- else if (RHS == 1)
- isIdempotent = true;
- break;
- case BO_Div:
- // a/0 and a/1
- if (RHS == 0)
- // This is also handled elsewhere.
- return UndefinedVal();
- else if (RHS == 1)
- isIdempotent = true;
- break;
- case BO_Rem:
- // a%0 and a%1
- if (RHS == 0)
- // This is also handled elsewhere.
- return UndefinedVal();
- else if (RHS == 1)
- return makeIntVal(0, resultTy);
- break;
- case BO_Add:
- case BO_Sub:
- case BO_Shl:
- case BO_Shr:
- case BO_Xor:
- // a+0, a-0, a<<0, a>>0, a^0
- if (RHS == 0)
- isIdempotent = true;
- break;
- case BO_And:
- // a&0 and a&(~0)
- if (RHS == 0)
- return makeIntVal(0, resultTy);
- else if (RHS.isAllOnesValue())
- isIdempotent = true;
- break;
- case BO_Or:
- // a|0 and a|(~0)
- if (RHS == 0)
- isIdempotent = true;
- else if (RHS.isAllOnesValue()) {
- const llvm::APSInt &Result = BasicVals.Convert(resultTy, RHS);
- return nonloc::ConcreteInt(Result);
- }
- break;
- }
-
- // Idempotent ops (like a*1) can still change the type of an expression.
- // Wrap the LHS up in a NonLoc again and let evalCastNL do the dirty work.
- if (isIdempotent) {
- if (SymbolRef LHSSym = dyn_cast<SymbolData>(LHS))
- return evalCastNL(nonloc::SymbolVal(LHSSym), resultTy);
- return evalCastNL(nonloc::SymExprVal(LHS), resultTy);
- }
-
- // If we reach this point, the expression cannot be simplified.
- // Make a SymExprVal for the entire thing.
- return makeNonLoc(LHS, op, RHS, resultTy);
-}
-
-SVal SimpleSValBuilder::evalBinOpNN(const GRState *state,
- BinaryOperator::Opcode op,
- NonLoc lhs, NonLoc rhs,
- QualType resultTy) {
- // Handle trivial case where left-side and right-side are the same.
- if (lhs == rhs)
- switch (op) {
- default:
- break;
- case BO_EQ:
- case BO_LE:
- case BO_GE:
- return makeTruthVal(true, resultTy);
- case BO_LT:
- case BO_GT:
- case BO_NE:
- return makeTruthVal(false, resultTy);
- case BO_Xor:
- case BO_Sub:
- return makeIntVal(0, resultTy);
- case BO_Or:
- case BO_And:
- return evalCastNL(lhs, resultTy);
- }
-
- while (1) {
- switch (lhs.getSubKind()) {
- default:
- return UnknownVal();
- case nonloc::LocAsIntegerKind: {
- Loc lhsL = cast<nonloc::LocAsInteger>(lhs).getLoc();
- switch (rhs.getSubKind()) {
- case nonloc::LocAsIntegerKind:
- return evalBinOpLL(state, op, lhsL,
- cast<nonloc::LocAsInteger>(rhs).getLoc(),
- resultTy);
- case nonloc::ConcreteIntKind: {
- // Transform the integer into a location and compare.
- llvm::APSInt i = cast<nonloc::ConcreteInt>(rhs).getValue();
- i.setIsUnsigned(true);
- i = i.extOrTrunc(Context.getTypeSize(Context.VoidPtrTy));
- return evalBinOpLL(state, op, lhsL, makeLoc(i), resultTy);
- }
- default:
- switch (op) {
- case BO_EQ:
- return makeTruthVal(false, resultTy);
- case BO_NE:
- return makeTruthVal(true, resultTy);
- default:
- // This case also handles pointer arithmetic.
- return UnknownVal();
- }
- }
- }
- case nonloc::SymExprValKind: {
- nonloc::SymExprVal *selhs = cast<nonloc::SymExprVal>(&lhs);
-
- // Only handle LHS of the form "$sym op constant", at least for now.
- const SymIntExpr *symIntExpr =
- dyn_cast<SymIntExpr>(selhs->getSymbolicExpression());
-
- if (!symIntExpr)
- return UnknownVal();
-
- // Is this a logical not? (!x is represented as x == 0.)
- if (op == BO_EQ && rhs.isZeroConstant()) {
- // We know how to negate certain expressions. Simplify them here.
-
- BinaryOperator::Opcode opc = symIntExpr->getOpcode();
- switch (opc) {
- default:
- // We don't know how to negate this operation.
- // Just handle it as if it were a normal comparison to 0.
- break;
- case BO_LAnd:
- case BO_LOr:
- assert(false && "Logical operators handled by branching logic.");
- return UnknownVal();
- case BO_Assign:
- case BO_MulAssign:
- case BO_DivAssign:
- case BO_RemAssign:
- case BO_AddAssign:
- case BO_SubAssign:
- case BO_ShlAssign:
- case BO_ShrAssign:
- case BO_AndAssign:
- case BO_XorAssign:
- case BO_OrAssign:
- case BO_Comma:
- assert(false && "'=' and ',' operators handled by ExprEngine.");
- return UnknownVal();
- case BO_PtrMemD:
- case BO_PtrMemI:
- assert(false && "Pointer arithmetic not handled here.");
- return UnknownVal();
- case BO_LT:
- case BO_GT:
- case BO_LE:
- case BO_GE:
- case BO_EQ:
- case BO_NE:
- // Negate the comparison and make a value.
- opc = NegateComparison(opc);
- assert(symIntExpr->getType(Context) == resultTy);
- return makeNonLoc(symIntExpr->getLHS(), opc,
- symIntExpr->getRHS(), resultTy);
- }
- }
-
- // For now, only handle expressions whose RHS is a constant.
- const nonloc::ConcreteInt *rhsInt = dyn_cast<nonloc::ConcreteInt>(&rhs);
- if (!rhsInt)
- return UnknownVal();
-
- // If both the LHS and the current expression are additive,
- // fold their constants.
- if (BinaryOperator::isAdditiveOp(op)) {
- BinaryOperator::Opcode lop = symIntExpr->getOpcode();
- if (BinaryOperator::isAdditiveOp(lop)) {
- // resultTy may not be the best type to convert to, but it's
- // probably the best choice in expressions with mixed type
- // (such as x+1U+2LL). The rules for implicit conversions should
- // choose a reasonable type to preserve the expression, and will
- // at least match how the value is going to be used.
- const llvm::APSInt &first =
- BasicVals.Convert(resultTy, symIntExpr->getRHS());
- const llvm::APSInt &second =
- BasicVals.Convert(resultTy, rhsInt->getValue());
- const llvm::APSInt *newRHS;
- if (lop == op)
- newRHS = BasicVals.evalAPSInt(BO_Add, first, second);
- else
- newRHS = BasicVals.evalAPSInt(BO_Sub, first, second);
- return MakeSymIntVal(symIntExpr->getLHS(), lop, *newRHS, resultTy);
- }
- }
-
- // Otherwise, make a SymExprVal out of the expression.
- return MakeSymIntVal(symIntExpr, op, rhsInt->getValue(), resultTy);
- }
- case nonloc::ConcreteIntKind: {
- const nonloc::ConcreteInt& lhsInt = cast<nonloc::ConcreteInt>(lhs);
-
- if (isa<nonloc::ConcreteInt>(rhs)) {
- return lhsInt.evalBinOp(*this, op, cast<nonloc::ConcreteInt>(rhs));
- } else {
- const llvm::APSInt& lhsValue = lhsInt.getValue();
-
- // Swap the left and right sides and flip the operator if doing so
- // allows us to better reason about the expression (this is a form
- // of expression canonicalization).
- // While we're at it, catch some special cases for non-commutative ops.
- NonLoc tmp = rhs;
- rhs = lhs;
- lhs = tmp;
-
- switch (op) {
- case BO_LT:
- case BO_GT:
- case BO_LE:
- case BO_GE:
- op = ReverseComparison(op);
- continue;
- case BO_EQ:
- case BO_NE:
- case BO_Add:
- case BO_Mul:
- case BO_And:
- case BO_Xor:
- case BO_Or:
- continue;
- case BO_Shr:
- if (lhsValue.isAllOnesValue() && lhsValue.isSigned())
- // At this point lhs and rhs have been swapped.
- return rhs;
- // FALL-THROUGH
- case BO_Shl:
- if (lhsValue == 0)
- // At this point lhs and rhs have been swapped.
- return rhs;
- return UnknownVal();
- default:
- return UnknownVal();
- }
- }
- }
- case nonloc::SymbolValKind: {
- nonloc::SymbolVal *slhs = cast<nonloc::SymbolVal>(&lhs);
- SymbolRef Sym = slhs->getSymbol();
- // Does the symbol simplify to a constant? If so, "fold" the constant
- // by setting 'lhs' to a ConcreteInt and try again.
- if (Sym->getType(Context)->isIntegerType())
- if (const llvm::APSInt *Constant = state->getSymVal(Sym)) {
- // The symbol evaluates to a constant. If necessary, promote the
- // folded constant (LHS) to the result type.
- const llvm::APSInt &lhs_I = BasicVals.Convert(resultTy, *Constant);
- lhs = nonloc::ConcreteInt(lhs_I);
-
- // Also promote the RHS (if necessary).
-
- // For shifts, it is not necessary to promote the RHS.
- if (BinaryOperator::isShiftOp(op))
- continue;
-
- // Other operators: do an implicit conversion. This shouldn't be
- // necessary once we support truncation/extension of symbolic values.
- if (nonloc::ConcreteInt *rhs_I = dyn_cast<nonloc::ConcreteInt>(&rhs)){
- rhs = nonloc::ConcreteInt(BasicVals.Convert(resultTy,
- rhs_I->getValue()));
- }
-
- continue;
- }
-
- // Is the RHS a symbol we can simplify?
- if (const nonloc::SymbolVal *srhs = dyn_cast<nonloc::SymbolVal>(&rhs)) {
- SymbolRef RSym = srhs->getSymbol();
- if (RSym->getType(Context)->isIntegerType()) {
- if (const llvm::APSInt *Constant = state->getSymVal(RSym)) {
- // The symbol evaluates to a constant.
- const llvm::APSInt &rhs_I = BasicVals.Convert(resultTy, *Constant);
- rhs = nonloc::ConcreteInt(rhs_I);
- }
- }
- }
-
- if (isa<nonloc::ConcreteInt>(rhs)) {
- return MakeSymIntVal(slhs->getSymbol(), op,
- cast<nonloc::ConcreteInt>(rhs).getValue(),
- resultTy);
- }
-
- return UnknownVal();
- }
- }
- }
-}
-
-// FIXME: all this logic will change if/when we have MemRegion::getLocation().
-SVal SimpleSValBuilder::evalBinOpLL(const GRState *state,
- BinaryOperator::Opcode op,
- Loc lhs, Loc rhs,
- QualType resultTy) {
- // Only comparisons and subtractions are valid operations on two pointers.
- // See [C99 6.5.5 through 6.5.14] or [C++0x 5.6 through 5.15].
- // However, if a pointer is casted to an integer, evalBinOpNN may end up
- // calling this function with another operation (PR7527). We don't attempt to
- // model this for now, but it could be useful, particularly when the
- // "location" is actually an integer value that's been passed through a void*.
- if (!(BinaryOperator::isComparisonOp(op) || op == BO_Sub))
- return UnknownVal();
-
- // Special cases for when both sides are identical.
- if (lhs == rhs) {
- switch (op) {
- default:
- assert(false && "Unimplemented operation for two identical values");
- return UnknownVal();
- case BO_Sub:
- return makeZeroVal(resultTy);
- case BO_EQ:
- case BO_LE:
- case BO_GE:
- return makeTruthVal(true, resultTy);
- case BO_NE:
- case BO_LT:
- case BO_GT:
- return makeTruthVal(false, resultTy);
- }
- }
-
- switch (lhs.getSubKind()) {
- default:
- assert(false && "Ordering not implemented for this Loc.");
- return UnknownVal();
-
- case loc::GotoLabelKind:
- // The only thing we know about labels is that they're non-null.
- if (rhs.isZeroConstant()) {
- switch (op) {
- default:
- break;
- case BO_Sub:
- return evalCastL(lhs, resultTy);
- case BO_EQ:
- case BO_LE:
- case BO_LT:
- return makeTruthVal(false, resultTy);
- case BO_NE:
- case BO_GT:
- case BO_GE:
- return makeTruthVal(true, resultTy);
- }
- }
- // There may be two labels for the same location, and a function region may
- // have the same address as a label at the start of the function (depending
- // on the ABI).
- // FIXME: we can probably do a comparison against other MemRegions, though.
- // FIXME: is there a way to tell if two labels refer to the same location?
- return UnknownVal();
-
- case loc::ConcreteIntKind: {
- // If one of the operands is a symbol and the other is a constant,
- // build an expression for use by the constraint manager.
- if (SymbolRef rSym = rhs.getAsLocSymbol()) {
- // We can only build expressions with symbols on the left,
- // so we need a reversible operator.
- if (!BinaryOperator::isComparisonOp(op))
- return UnknownVal();
-
- const llvm::APSInt &lVal = cast<loc::ConcreteInt>(lhs).getValue();
- return makeNonLoc(rSym, ReverseComparison(op), lVal, resultTy);
- }
-
- // If both operands are constants, just perform the operation.
- if (loc::ConcreteInt *rInt = dyn_cast<loc::ConcreteInt>(&rhs)) {
- SVal ResultVal = cast<loc::ConcreteInt>(lhs).evalBinOp(BasicVals, op,
- *rInt);
- if (Loc *Result = dyn_cast<Loc>(&ResultVal))
- return evalCastL(*Result, resultTy);
- else
- return UnknownVal();
- }
-
- // Special case comparisons against NULL.
- // This must come after the test if the RHS is a symbol, which is used to
- // build constraints. The address of any non-symbolic region is guaranteed
- // to be non-NULL, as is any label.
- assert(isa<loc::MemRegionVal>(rhs) || isa<loc::GotoLabel>(rhs));
- if (lhs.isZeroConstant()) {
- switch (op) {
- default:
- break;
- case BO_EQ:
- case BO_GT:
- case BO_GE:
- return makeTruthVal(false, resultTy);
- case BO_NE:
- case BO_LT:
- case BO_LE:
- return makeTruthVal(true, resultTy);
- }
- }
-
- // Comparing an arbitrary integer to a region or label address is
- // completely unknowable.
- return UnknownVal();
- }
- case loc::MemRegionKind: {
- if (loc::ConcreteInt *rInt = dyn_cast<loc::ConcreteInt>(&rhs)) {
- // If one of the operands is a symbol and the other is a constant,
- // build an expression for use by the constraint manager.
- if (SymbolRef lSym = lhs.getAsLocSymbol())
- return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy);
-
- // Special case comparisons to NULL.
- // This must come after the test if the LHS is a symbol, which is used to
- // build constraints. The address of any non-symbolic region is guaranteed
- // to be non-NULL.
- if (rInt->isZeroConstant()) {
- switch (op) {
- default:
- break;
- case BO_Sub:
- return evalCastL(lhs, resultTy);
- case BO_EQ:
- case BO_LT:
- case BO_LE:
- return makeTruthVal(false, resultTy);
- case BO_NE:
- case BO_GT:
- case BO_GE:
- return makeTruthVal(true, resultTy);
- }
- }
-
- // Comparing a region to an arbitrary integer is completely unknowable.
- return UnknownVal();
- }
-
- // Get both values as regions, if possible.
- const MemRegion *LeftMR = lhs.getAsRegion();
- assert(LeftMR && "MemRegionKind SVal doesn't have a region!");
-
- const MemRegion *RightMR = rhs.getAsRegion();
- if (!RightMR)
- // The RHS is probably a label, which in theory could address a region.
- // FIXME: we can probably make a more useful statement about non-code
- // regions, though.
- return UnknownVal();
-
- // If both values wrap regions, see if they're from different base regions.
- const MemRegion *LeftBase = LeftMR->getBaseRegion();
- const MemRegion *RightBase = RightMR->getBaseRegion();
- if (LeftBase != RightBase &&
- !isa<SymbolicRegion>(LeftBase) && !isa<SymbolicRegion>(RightBase)) {
- switch (op) {
- default:
- return UnknownVal();
- case BO_EQ:
- return makeTruthVal(false, resultTy);
- case BO_NE:
- return makeTruthVal(true, resultTy);
- }
- }
-
- // The two regions are from the same base region. See if they're both a
- // type of region we know how to compare.
-
- // FIXME: If/when there is a getAsRawOffset() for FieldRegions, this
- // ElementRegion path and the FieldRegion path below should be unified.
- if (const ElementRegion *LeftER = dyn_cast<ElementRegion>(LeftMR)) {
- // First see if the right region is also an ElementRegion.
- const ElementRegion *RightER = dyn_cast<ElementRegion>(RightMR);
- if (!RightER)
- return UnknownVal();
-
- // Next, see if the two ERs have the same super-region and matching types.
- // FIXME: This should do something useful even if the types don't match,
- // though if both indexes are constant the RegionRawOffset path will
- // give the correct answer.
- if (LeftER->getSuperRegion() == RightER->getSuperRegion() &&
- LeftER->getElementType() == RightER->getElementType()) {
- // Get the left index and cast it to the correct type.
- // If the index is unknown or undefined, bail out here.
- SVal LeftIndexVal = LeftER->getIndex();
- NonLoc *LeftIndex = dyn_cast<NonLoc>(&LeftIndexVal);
- if (!LeftIndex)
- return UnknownVal();
- LeftIndexVal = evalCastNL(*LeftIndex, resultTy);
- LeftIndex = dyn_cast<NonLoc>(&LeftIndexVal);
- if (!LeftIndex)
- return UnknownVal();
-
- // Do the same for the right index.
- SVal RightIndexVal = RightER->getIndex();
- NonLoc *RightIndex = dyn_cast<NonLoc>(&RightIndexVal);
- if (!RightIndex)
- return UnknownVal();
- RightIndexVal = evalCastNL(*RightIndex, resultTy);
- RightIndex = dyn_cast<NonLoc>(&RightIndexVal);
- if (!RightIndex)
- return UnknownVal();
-
- // Actually perform the operation.
- // evalBinOpNN expects the two indexes to already be the right type.
- return evalBinOpNN(state, op, *LeftIndex, *RightIndex, resultTy);
- }
-
- // If the element indexes aren't comparable, see if the raw offsets are.
- RegionRawOffset LeftOffset = LeftER->getAsArrayOffset();
- RegionRawOffset RightOffset = RightER->getAsArrayOffset();
-
- if (LeftOffset.getRegion() != NULL &&
- LeftOffset.getRegion() == RightOffset.getRegion()) {
- int64_t left = LeftOffset.getByteOffset();
- int64_t right = RightOffset.getByteOffset();
-
- switch (op) {
- default:
- return UnknownVal();
- case BO_LT:
- return makeTruthVal(left < right, resultTy);
- case BO_GT:
- return makeTruthVal(left > right, resultTy);
- case BO_LE:
- return makeTruthVal(left <= right, resultTy);
- case BO_GE:
- return makeTruthVal(left >= right, resultTy);
- case BO_EQ:
- return makeTruthVal(left == right, resultTy);
- case BO_NE:
- return makeTruthVal(left != right, resultTy);
- }
- }
-
- // If we get here, we have no way of comparing the ElementRegions.
- return UnknownVal();
- }
-
- // See if both regions are fields of the same structure.
- // FIXME: This doesn't handle nesting, inheritance, or Objective-C ivars.
- if (const FieldRegion *LeftFR = dyn_cast<FieldRegion>(LeftMR)) {
- // Only comparisons are meaningful here!
- if (!BinaryOperator::isComparisonOp(op))
- return UnknownVal();
-
- // First see if the right region is also a FieldRegion.
- const FieldRegion *RightFR = dyn_cast<FieldRegion>(RightMR);
- if (!RightFR)
- return UnknownVal();
-
- // Next, see if the two FRs have the same super-region.
- // FIXME: This doesn't handle casts yet, and simply stripping the casts
- // doesn't help.
- if (LeftFR->getSuperRegion() != RightFR->getSuperRegion())
- return UnknownVal();
-
- const FieldDecl *LeftFD = LeftFR->getDecl();
- const FieldDecl *RightFD = RightFR->getDecl();
- const RecordDecl *RD = LeftFD->getParent();
-
- // Make sure the two FRs are from the same kind of record. Just in case!
- // FIXME: This is probably where inheritance would be a problem.
- if (RD != RightFD->getParent())
- return UnknownVal();
-
- // We know for sure that the two fields are not the same, since that
- // would have given us the same SVal.
- if (op == BO_EQ)
- return makeTruthVal(false, resultTy);
- if (op == BO_NE)
- return makeTruthVal(true, resultTy);
-
- // Iterate through the fields and see which one comes first.
- // [C99 6.7.2.1.13] "Within a structure object, the non-bit-field
- // members and the units in which bit-fields reside have addresses that
- // increase in the order in which they are declared."
- bool leftFirst = (op == BO_LT || op == BO_LE);
- for (RecordDecl::field_iterator I = RD->field_begin(),
- E = RD->field_end(); I!=E; ++I) {
- if (*I == LeftFD)
- return makeTruthVal(leftFirst, resultTy);
- if (*I == RightFD)
- return makeTruthVal(!leftFirst, resultTy);
- }
-
- assert(false && "Fields not found in parent record's definition");
- }
-
- // If we get here, we have no way of comparing the regions.
- return UnknownVal();
- }
- }
-}
-
-SVal SimpleSValBuilder::evalBinOpLN(const GRState *state,
- BinaryOperator::Opcode op,
- Loc lhs, NonLoc rhs, QualType resultTy) {
- // Special case: 'rhs' is an integer that has the same width as a pointer and
- // we are using the integer location in a comparison. Normally this cannot be
- // triggered, but transfer functions like those for OSCommpareAndSwapBarrier32
- // can generate comparisons that trigger this code.
- // FIXME: Are all locations guaranteed to have pointer width?
- if (BinaryOperator::isComparisonOp(op)) {
- if (nonloc::ConcreteInt *rhsInt = dyn_cast<nonloc::ConcreteInt>(&rhs)) {
- const llvm::APSInt *x = &rhsInt->getValue();
- ASTContext &ctx = Context;
- if (ctx.getTypeSize(ctx.VoidPtrTy) == x->getBitWidth()) {
- // Convert the signedness of the integer (if necessary).
- if (x->isSigned())
- x = &getBasicValueFactory().getValue(*x, true);
-
- return evalBinOpLL(state, op, lhs, loc::ConcreteInt(*x), resultTy);
- }
- }
- }
-
- // We are dealing with pointer arithmetic.
-
- // Handle pointer arithmetic on constant values.
- if (nonloc::ConcreteInt *rhsInt = dyn_cast<nonloc::ConcreteInt>(&rhs)) {
- if (loc::ConcreteInt *lhsInt = dyn_cast<loc::ConcreteInt>(&lhs)) {
- const llvm::APSInt &leftI = lhsInt->getValue();
- assert(leftI.isUnsigned());
- llvm::APSInt rightI(rhsInt->getValue(), /* isUnsigned */ true);
-
- // Convert the bitwidth of rightI. This should deal with overflow
- // since we are dealing with concrete values.
- rightI = rightI.extOrTrunc(leftI.getBitWidth());
-
- // Offset the increment by the pointer size.
- llvm::APSInt Multiplicand(rightI.getBitWidth(), /* isUnsigned */ true);
- rightI *= Multiplicand;
-
- // Compute the adjusted pointer.
- switch (op) {
- case BO_Add:
- rightI = leftI + rightI;
- break;
- case BO_Sub:
- rightI = leftI - rightI;
- break;
- default:
- llvm_unreachable("Invalid pointer arithmetic operation");
- }
- return loc::ConcreteInt(getBasicValueFactory().getValue(rightI));
- }
- }
-
-
- // Delegate remaining pointer arithmetic to the StoreManager.
- return state->getStateManager().getStoreManager().evalBinOp(op, lhs,
- rhs, resultTy);
-}
-
-const llvm::APSInt *SimpleSValBuilder::getKnownValue(const GRState *state,
- SVal V) {
- if (V.isUnknownOrUndef())
- return NULL;
-
- if (loc::ConcreteInt* X = dyn_cast<loc::ConcreteInt>(&V))
- return &X->getValue();
-
- if (nonloc::ConcreteInt* X = dyn_cast<nonloc::ConcreteInt>(&V))
- return &X->getValue();
-
- if (SymbolRef Sym = V.getAsSymbol())
- return state->getSymVal(Sym);
-
- // FIXME: Add support for SymExprs.
- return NULL;
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/Store.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/Store.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/Store.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/Store.cpp (removed)
@@ -1,334 +0,0 @@
-//== Store.cpp - Interface for maps from Locations to Values ----*- C++ -*--==//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defined the types Store and StoreManager.
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/StaticAnalyzer/PathSensitive/Store.h"
-#include "clang/StaticAnalyzer/PathSensitive/GRState.h"
-#include "clang/AST/CharUnits.h"
-
-using namespace clang;
-using namespace ento;
-
-StoreManager::StoreManager(GRStateManager &stateMgr)
- : svalBuilder(stateMgr.getSValBuilder()), StateMgr(stateMgr),
- MRMgr(svalBuilder.getRegionManager()), Ctx(stateMgr.getContext()) {}
-
-Store StoreManager::EnterStackFrame(const GRState *state,
- const StackFrameContext *frame) {
- return state->getStore();
-}
-
-const MemRegion *StoreManager::MakeElementRegion(const MemRegion *Base,
- QualType EleTy, uint64_t index) {
- NonLoc idx = svalBuilder.makeArrayIndex(index);
- return MRMgr.getElementRegion(EleTy, idx, Base, svalBuilder.getContext());
-}
-
-// FIXME: Merge with the implementation of the same method in MemRegion.cpp
-static bool IsCompleteType(ASTContext &Ctx, QualType Ty) {
- if (const RecordType *RT = Ty->getAs<RecordType>()) {
- const RecordDecl *D = RT->getDecl();
- if (!D->getDefinition())
- return false;
- }
-
- return true;
-}
-
-const ElementRegion *StoreManager::GetElementZeroRegion(const MemRegion *R,
- QualType T) {
- NonLoc idx = svalBuilder.makeZeroArrayIndex();
- assert(!T.isNull());
- return MRMgr.getElementRegion(T, idx, R, Ctx);
-}
-
-const MemRegion *StoreManager::CastRegion(const MemRegion *R, QualType CastToTy) {
-
- ASTContext& Ctx = StateMgr.getContext();
-
- // Handle casts to Objective-C objects.
- if (CastToTy->isObjCObjectPointerType())
- return R->StripCasts();
-
- if (CastToTy->isBlockPointerType()) {
- // FIXME: We may need different solutions, depending on the symbol
- // involved. Blocks can be casted to/from 'id', as they can be treated
- // as Objective-C objects. This could possibly be handled by enhancing
- // our reasoning of downcasts of symbolic objects.
- if (isa<CodeTextRegion>(R) || isa<SymbolicRegion>(R))
- return R;
-
- // We don't know what to make of it. Return a NULL region, which
- // will be interpretted as UnknownVal.
- return NULL;
- }
-
- // Now assume we are casting from pointer to pointer. Other cases should
- // already be handled.
- QualType PointeeTy = CastToTy->getAs<PointerType>()->getPointeeType();
- QualType CanonPointeeTy = Ctx.getCanonicalType(PointeeTy);
-
- // Handle casts to void*. We just pass the region through.
- if (CanonPointeeTy.getLocalUnqualifiedType() == Ctx.VoidTy)
- return R;
-
- // Handle casts from compatible types.
- if (R->isBoundable())
- if (const TypedRegion *TR = dyn_cast<TypedRegion>(R)) {
- QualType ObjTy = Ctx.getCanonicalType(TR->getValueType());
- if (CanonPointeeTy == ObjTy)
- return R;
- }
-
- // Process region cast according to the kind of the region being cast.
- switch (R->getKind()) {
- case MemRegion::CXXThisRegionKind:
- case MemRegion::GenericMemSpaceRegionKind:
- case MemRegion::StackLocalsSpaceRegionKind:
- case MemRegion::StackArgumentsSpaceRegionKind:
- case MemRegion::HeapSpaceRegionKind:
- case MemRegion::UnknownSpaceRegionKind:
- case MemRegion::NonStaticGlobalSpaceRegionKind:
- case MemRegion::StaticGlobalSpaceRegionKind: {
- assert(0 && "Invalid region cast");
- break;
- }
-
- case MemRegion::FunctionTextRegionKind:
- case MemRegion::BlockTextRegionKind:
- case MemRegion::BlockDataRegionKind:
- case MemRegion::StringRegionKind:
- // FIXME: Need to handle arbitrary downcasts.
- case MemRegion::SymbolicRegionKind:
- case MemRegion::AllocaRegionKind:
- case MemRegion::CompoundLiteralRegionKind:
- case MemRegion::FieldRegionKind:
- case MemRegion::ObjCIvarRegionKind:
- case MemRegion::VarRegionKind:
- case MemRegion::CXXTempObjectRegionKind:
- case MemRegion::CXXBaseObjectRegionKind:
- return MakeElementRegion(R, PointeeTy);
-
- case MemRegion::ElementRegionKind: {
- // If we are casting from an ElementRegion to another type, the
- // algorithm is as follows:
- //
- // (1) Compute the "raw offset" of the ElementRegion from the
- // base region. This is done by calling 'getAsRawOffset()'.
- //
- // (2a) If we get a 'RegionRawOffset' after calling
- // 'getAsRawOffset()', determine if the absolute offset
- // can be exactly divided into chunks of the size of the
- // casted-pointee type. If so, create a new ElementRegion with
- // the pointee-cast type as the new ElementType and the index
- // being the offset divded by the chunk size. If not, create
- // a new ElementRegion at offset 0 off the raw offset region.
- //
- // (2b) If we don't a get a 'RegionRawOffset' after calling
- // 'getAsRawOffset()', it means that we are at offset 0.
- //
- // FIXME: Handle symbolic raw offsets.
-
- const ElementRegion *elementR = cast<ElementRegion>(R);
- const RegionRawOffset &rawOff = elementR->getAsArrayOffset();
- const MemRegion *baseR = rawOff.getRegion();
-
- // If we cannot compute a raw offset, throw up our hands and return
- // a NULL MemRegion*.
- if (!baseR)
- return NULL;
-
- CharUnits off = CharUnits::fromQuantity(rawOff.getByteOffset());
-
- if (off.isZero()) {
- // Edge case: we are at 0 bytes off the beginning of baseR. We
- // check to see if type we are casting to is the same as the base
- // region. If so, just return the base region.
- if (const TypedRegion *TR = dyn_cast<TypedRegion>(baseR)) {
- QualType ObjTy = Ctx.getCanonicalType(TR->getValueType());
- QualType CanonPointeeTy = Ctx.getCanonicalType(PointeeTy);
- if (CanonPointeeTy == ObjTy)
- return baseR;
- }
-
- // Otherwise, create a new ElementRegion at offset 0.
- return MakeElementRegion(baseR, PointeeTy);
- }
-
- // We have a non-zero offset from the base region. We want to determine
- // if the offset can be evenly divided by sizeof(PointeeTy). If so,
- // we create an ElementRegion whose index is that value. Otherwise, we
- // create two ElementRegions, one that reflects a raw offset and the other
- // that reflects the cast.
-
- // Compute the index for the new ElementRegion.
- int64_t newIndex = 0;
- const MemRegion *newSuperR = 0;
-
- // We can only compute sizeof(PointeeTy) if it is a complete type.
- if (IsCompleteType(Ctx, PointeeTy)) {
- // Compute the size in **bytes**.
- CharUnits pointeeTySize = Ctx.getTypeSizeInChars(PointeeTy);
- if (!pointeeTySize.isZero()) {
- // Is the offset a multiple of the size? If so, we can layer the
- // ElementRegion (with elementType == PointeeTy) directly on top of
- // the base region.
- if (off % pointeeTySize == 0) {
- newIndex = off / pointeeTySize;
- newSuperR = baseR;
- }
- }
- }
-
- if (!newSuperR) {
- // Create an intermediate ElementRegion to represent the raw byte.
- // This will be the super region of the final ElementRegion.
- newSuperR = MakeElementRegion(baseR, Ctx.CharTy, off.getQuantity());
- }
-
- return MakeElementRegion(newSuperR, PointeeTy, newIndex);
- }
- }
-
- assert(0 && "unreachable");
- return 0;
-}
-
-
-/// CastRetrievedVal - Used by subclasses of StoreManager to implement
-/// implicit casts that arise from loads from regions that are reinterpreted
-/// as another region.
-SVal StoreManager::CastRetrievedVal(SVal V, const TypedRegion *R,
- QualType castTy, bool performTestOnly) {
-
- if (castTy.isNull())
- return V;
-
- ASTContext &Ctx = svalBuilder.getContext();
-
- if (performTestOnly) {
- // Automatically translate references to pointers.
- QualType T = R->getValueType();
- if (const ReferenceType *RT = T->getAs<ReferenceType>())
- T = Ctx.getPointerType(RT->getPointeeType());
-
- assert(svalBuilder.getContext().hasSameUnqualifiedType(castTy, T));
- return V;
- }
-
- if (const Loc *L = dyn_cast<Loc>(&V))
- return svalBuilder.evalCastL(*L, castTy);
- else if (const NonLoc *NL = dyn_cast<NonLoc>(&V))
- return svalBuilder.evalCastNL(*NL, castTy);
-
- return V;
-}
-
-SVal StoreManager::getLValueFieldOrIvar(const Decl* D, SVal Base) {
- if (Base.isUnknownOrUndef())
- return Base;
-
- Loc BaseL = cast<Loc>(Base);
- const MemRegion* BaseR = 0;
-
- switch (BaseL.getSubKind()) {
- case loc::MemRegionKind:
- BaseR = cast<loc::MemRegionVal>(BaseL).getRegion();
- break;
-
- case loc::GotoLabelKind:
- // These are anormal cases. Flag an undefined value.
- return UndefinedVal();
-
- case loc::ConcreteIntKind:
- // While these seem funny, this can happen through casts.
- // FIXME: What we should return is the field offset. For example,
- // add the field offset to the integer value. That way funny things
- // like this work properly: &(((struct foo *) 0xa)->f)
- return Base;
-
- default:
- assert(0 && "Unhandled Base.");
- return Base;
- }
-
- // NOTE: We must have this check first because ObjCIvarDecl is a subclass
- // of FieldDecl.
- if (const ObjCIvarDecl *ID = dyn_cast<ObjCIvarDecl>(D))
- return loc::MemRegionVal(MRMgr.getObjCIvarRegion(ID, BaseR));
-
- return loc::MemRegionVal(MRMgr.getFieldRegion(cast<FieldDecl>(D), BaseR));
-}
-
-SVal StoreManager::getLValueElement(QualType elementType, NonLoc Offset,
- SVal Base) {
-
- // If the base is an unknown or undefined value, just return it back.
- // FIXME: For absolute pointer addresses, we just return that value back as
- // well, although in reality we should return the offset added to that
- // value.
- if (Base.isUnknownOrUndef() || isa<loc::ConcreteInt>(Base))
- return Base;
-
- const MemRegion* BaseRegion = cast<loc::MemRegionVal>(Base).getRegion();
-
- // Pointer of any type can be cast and used as array base.
- const ElementRegion *ElemR = dyn_cast<ElementRegion>(BaseRegion);
-
- // Convert the offset to the appropriate size and signedness.
- Offset = cast<NonLoc>(svalBuilder.convertToArrayIndex(Offset));
-
- if (!ElemR) {
- //
- // If the base region is not an ElementRegion, create one.
- // This can happen in the following example:
- //
- // char *p = __builtin_alloc(10);
- // p[1] = 8;
- //
- // Observe that 'p' binds to an AllocaRegion.
- //
- return loc::MemRegionVal(MRMgr.getElementRegion(elementType, Offset,
- BaseRegion, Ctx));
- }
-
- SVal BaseIdx = ElemR->getIndex();
-
- if (!isa<nonloc::ConcreteInt>(BaseIdx))
- return UnknownVal();
-
- const llvm::APSInt& BaseIdxI = cast<nonloc::ConcreteInt>(BaseIdx).getValue();
-
- // Only allow non-integer offsets if the base region has no offset itself.
- // FIXME: This is a somewhat arbitrary restriction. We should be using
- // SValBuilder here to add the two offsets without checking their types.
- if (!isa<nonloc::ConcreteInt>(Offset)) {
- if (isa<ElementRegion>(BaseRegion->StripCasts()))
- return UnknownVal();
-
- return loc::MemRegionVal(MRMgr.getElementRegion(elementType, Offset,
- ElemR->getSuperRegion(),
- Ctx));
- }
-
- const llvm::APSInt& OffI = cast<nonloc::ConcreteInt>(Offset).getValue();
- assert(BaseIdxI.isSigned());
-
- // Compute the new index.
- nonloc::ConcreteInt NewIdx(svalBuilder.getBasicValueFactory().getValue(BaseIdxI +
- OffI));
-
- // Construct the new ElementRegion.
- const MemRegion *ArrayR = ElemR->getSuperRegion();
- return loc::MemRegionVal(MRMgr.getElementRegion(elementType, NewIdx, ArrayR,
- Ctx));
-}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/SymbolManager.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/SymbolManager.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/SymbolManager.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/SymbolManager.cpp (removed)
@@ -1,343 +0,0 @@
-//== SymbolManager.h - Management of Symbolic Values ------------*- C++ -*--==//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines SymbolManager, a class that manages symbolic values
-// created for use by ExprEngine and related classes.
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/StaticAnalyzer/PathSensitive/SymbolManager.h"
-#include "clang/Analysis/Analyses/LiveVariables.h"
-#include "clang/StaticAnalyzer/PathSensitive/MemRegion.h"
-#include "llvm/Support/raw_ostream.h"
-
-using namespace clang;
-using namespace ento;
-
-void SymExpr::dump() const {
- dumpToStream(llvm::errs());
-}
-
-static void print(llvm::raw_ostream& os, BinaryOperator::Opcode Op) {
- switch (Op) {
- default:
- assert(false && "operator printing not implemented");
- break;
- case BO_Mul: os << '*' ; break;
- case BO_Div: os << '/' ; break;
- case BO_Rem: os << '%' ; break;
- case BO_Add: os << '+' ; break;
- case BO_Sub: os << '-' ; break;
- case BO_Shl: os << "<<" ; break;
- case BO_Shr: os << ">>" ; break;
- case BO_LT: os << "<" ; break;
- case BO_GT: os << '>' ; break;
- case BO_LE: os << "<=" ; break;
- case BO_GE: os << ">=" ; break;
- case BO_EQ: os << "==" ; break;
- case BO_NE: os << "!=" ; break;
- case BO_And: os << '&' ; break;
- case BO_Xor: os << '^' ; break;
- case BO_Or: os << '|' ; break;
- }
-}
-
-void SymIntExpr::dumpToStream(llvm::raw_ostream& os) const {
- os << '(';
- getLHS()->dumpToStream(os);
- os << ") ";
- print(os, getOpcode());
- os << ' ' << getRHS().getZExtValue();
- if (getRHS().isUnsigned()) os << 'U';
-}
-
-void SymSymExpr::dumpToStream(llvm::raw_ostream& os) const {
- os << '(';
- getLHS()->dumpToStream(os);
- os << ") ";
- os << '(';
- getRHS()->dumpToStream(os);
- os << ')';
-}
-
-void SymbolConjured::dumpToStream(llvm::raw_ostream& os) const {
- os << "conj_$" << getSymbolID() << '{' << T.getAsString() << '}';
-}
-
-void SymbolDerived::dumpToStream(llvm::raw_ostream& os) const {
- os << "derived_$" << getSymbolID() << '{'
- << getParentSymbol() << ',' << getRegion() << '}';
-}
-
-void SymbolExtent::dumpToStream(llvm::raw_ostream& os) const {
- os << "extent_$" << getSymbolID() << '{' << getRegion() << '}';
-}
-
-void SymbolMetadata::dumpToStream(llvm::raw_ostream& os) const {
- os << "meta_$" << getSymbolID() << '{'
- << getRegion() << ',' << T.getAsString() << '}';
-}
-
-void SymbolRegionValue::dumpToStream(llvm::raw_ostream& os) const {
- os << "reg_$" << getSymbolID() << "<" << R << ">";
-}
-
-const SymbolRegionValue*
-SymbolManager::getRegionValueSymbol(const TypedRegion* R) {
- llvm::FoldingSetNodeID profile;
- SymbolRegionValue::Profile(profile, R);
- void* InsertPos;
- SymExpr *SD = DataSet.FindNodeOrInsertPos(profile, InsertPos);
- if (!SD) {
- SD = (SymExpr*) BPAlloc.Allocate<SymbolRegionValue>();
- new (SD) SymbolRegionValue(SymbolCounter, R);
- DataSet.InsertNode(SD, InsertPos);
- ++SymbolCounter;
- }
-
- return cast<SymbolRegionValue>(SD);
-}
-
-const SymbolConjured*
-SymbolManager::getConjuredSymbol(const Stmt* E, QualType T, unsigned Count,
- const void* SymbolTag) {
-
- llvm::FoldingSetNodeID profile;
- SymbolConjured::Profile(profile, E, T, Count, SymbolTag);
- void* InsertPos;
- SymExpr *SD = DataSet.FindNodeOrInsertPos(profile, InsertPos);
- if (!SD) {
- SD = (SymExpr*) BPAlloc.Allocate<SymbolConjured>();
- new (SD) SymbolConjured(SymbolCounter, E, T, Count, SymbolTag);
- DataSet.InsertNode(SD, InsertPos);
- ++SymbolCounter;
- }
-
- return cast<SymbolConjured>(SD);
-}
-
-const SymbolDerived*
-SymbolManager::getDerivedSymbol(SymbolRef parentSymbol,
- const TypedRegion *R) {
-
- llvm::FoldingSetNodeID profile;
- SymbolDerived::Profile(profile, parentSymbol, R);
- void* InsertPos;
- SymExpr *SD = DataSet.FindNodeOrInsertPos(profile, InsertPos);
- if (!SD) {
- SD = (SymExpr*) BPAlloc.Allocate<SymbolDerived>();
- new (SD) SymbolDerived(SymbolCounter, parentSymbol, R);
- DataSet.InsertNode(SD, InsertPos);
- ++SymbolCounter;
- }
-
- return cast<SymbolDerived>(SD);
-}
-
-const SymbolExtent*
-SymbolManager::getExtentSymbol(const SubRegion *R) {
- llvm::FoldingSetNodeID profile;
- SymbolExtent::Profile(profile, R);
- void* InsertPos;
- SymExpr *SD = DataSet.FindNodeOrInsertPos(profile, InsertPos);
- if (!SD) {
- SD = (SymExpr*) BPAlloc.Allocate<SymbolExtent>();
- new (SD) SymbolExtent(SymbolCounter, R);
- DataSet.InsertNode(SD, InsertPos);
- ++SymbolCounter;
- }
-
- return cast<SymbolExtent>(SD);
-}
-
-const SymbolMetadata*
-SymbolManager::getMetadataSymbol(const MemRegion* R, const Stmt* S, QualType T,
- unsigned Count, const void* SymbolTag) {
-
- llvm::FoldingSetNodeID profile;
- SymbolMetadata::Profile(profile, R, S, T, Count, SymbolTag);
- void* InsertPos;
- SymExpr *SD = DataSet.FindNodeOrInsertPos(profile, InsertPos);
- if (!SD) {
- SD = (SymExpr*) BPAlloc.Allocate<SymbolMetadata>();
- new (SD) SymbolMetadata(SymbolCounter, R, S, T, Count, SymbolTag);
- DataSet.InsertNode(SD, InsertPos);
- ++SymbolCounter;
- }
-
- return cast<SymbolMetadata>(SD);
-}
-
-const SymIntExpr *SymbolManager::getSymIntExpr(const SymExpr *lhs,
- BinaryOperator::Opcode op,
- const llvm::APSInt& v,
- QualType t) {
- llvm::FoldingSetNodeID ID;
- SymIntExpr::Profile(ID, lhs, op, v, t);
- void *InsertPos;
- SymExpr *data = DataSet.FindNodeOrInsertPos(ID, InsertPos);
-
- if (!data) {
- data = (SymIntExpr*) BPAlloc.Allocate<SymIntExpr>();
- new (data) SymIntExpr(lhs, op, v, t);
- DataSet.InsertNode(data, InsertPos);
- }
-
- return cast<SymIntExpr>(data);
-}
-
-const SymSymExpr *SymbolManager::getSymSymExpr(const SymExpr *lhs,
- BinaryOperator::Opcode op,
- const SymExpr *rhs,
- QualType t) {
- llvm::FoldingSetNodeID ID;
- SymSymExpr::Profile(ID, lhs, op, rhs, t);
- void *InsertPos;
- SymExpr *data = DataSet.FindNodeOrInsertPos(ID, InsertPos);
-
- if (!data) {
- data = (SymSymExpr*) BPAlloc.Allocate<SymSymExpr>();
- new (data) SymSymExpr(lhs, op, rhs, t);
- DataSet.InsertNode(data, InsertPos);
- }
-
- return cast<SymSymExpr>(data);
-}
-
-QualType SymbolConjured::getType(ASTContext&) const {
- return T;
-}
-
-QualType SymbolDerived::getType(ASTContext& Ctx) const {
- return R->getValueType();
-}
-
-QualType SymbolExtent::getType(ASTContext& Ctx) const {
- return Ctx.getSizeType();
-}
-
-QualType SymbolMetadata::getType(ASTContext&) const {
- return T;
-}
-
-QualType SymbolRegionValue::getType(ASTContext& C) const {
- return R->getValueType();
-}
-
-SymbolManager::~SymbolManager() {}
-
-bool SymbolManager::canSymbolicate(QualType T) {
- if (Loc::IsLocType(T))
- return true;
-
- if (T->isIntegerType())
- return T->isScalarType();
-
- if (T->isRecordType())
- return true;
-
- return false;
-}
-
-void SymbolReaper::markLive(SymbolRef sym) {
- TheLiving.insert(sym);
- TheDead.erase(sym);
-}
-
-void SymbolReaper::markInUse(SymbolRef sym) {
- if (isa<SymbolMetadata>(sym))
- MetadataInUse.insert(sym);
-}
-
-bool SymbolReaper::maybeDead(SymbolRef sym) {
- if (isLive(sym))
- return false;
-
- TheDead.insert(sym);
- return true;
-}
-
-static bool IsLiveRegion(SymbolReaper &Reaper, const MemRegion *MR) {
- MR = MR->getBaseRegion();
-
- if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(MR))
- return Reaper.isLive(SR->getSymbol());
-
- if (const VarRegion *VR = dyn_cast<VarRegion>(MR))
- return Reaper.isLive(VR);
-
- // FIXME: This is a gross over-approximation. What we really need is a way to
- // tell if anything still refers to this region. Unlike SymbolicRegions,
- // AllocaRegions don't have associated symbols, though, so we don't actually
- // have a way to track their liveness.
- if (isa<AllocaRegion>(MR))
- return true;
-
- if (isa<CXXThisRegion>(MR))
- return true;
-
- if (isa<MemSpaceRegion>(MR))
- return true;
-
- return false;
-}
-
-bool SymbolReaper::isLive(SymbolRef sym) {
- if (TheLiving.count(sym))
- return true;
-
- if (const SymbolDerived *derived = dyn_cast<SymbolDerived>(sym)) {
- if (isLive(derived->getParentSymbol())) {
- markLive(sym);
- return true;
- }
- return false;
- }
-
- if (const SymbolExtent *extent = dyn_cast<SymbolExtent>(sym)) {
- if (IsLiveRegion(*this, extent->getRegion())) {
- markLive(sym);
- return true;
- }
- return false;
- }
-
- if (const SymbolMetadata *metadata = dyn_cast<SymbolMetadata>(sym)) {
- if (MetadataInUse.count(sym)) {
- if (IsLiveRegion(*this, metadata->getRegion())) {
- markLive(sym);
- MetadataInUse.erase(sym);
- return true;
- }
- }
- return false;
- }
-
- // Interogate the symbol. It may derive from an input value to
- // the analyzed function/method.
- return isa<SymbolRegionValue>(sym);
-}
-
-bool SymbolReaper::isLive(const Stmt* ExprVal) const {
- return LCtx->getAnalysisContext()->getRelaxedLiveVariables()->
- isLive(Loc, ExprVal);
-}
-
-bool SymbolReaper::isLive(const VarRegion *VR) const {
- const StackFrameContext *VarContext = VR->getStackFrame();
- const StackFrameContext *CurrentContext = LCtx->getCurrentStackFrame();
-
- if (VarContext == CurrentContext)
- return LCtx->getAnalysisContext()->getRelaxedLiveVariables()->
- isLive(Loc, VR->getDecl());
-
- return VarContext->isParentOf(CurrentContext);
-}
-
-SymbolVisitor::~SymbolVisitor() {}
Removed: cfe/trunk/lib/StaticAnalyzer/EntoSA/TextPathDiagnostics.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/EntoSA/TextPathDiagnostics.cpp?rev=122542&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/EntoSA/TextPathDiagnostics.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/EntoSA/TextPathDiagnostics.cpp (removed)
@@ -1,70 +0,0 @@
-//===--- TextPathDiagnostics.cpp - Text Diagnostics for Paths ---*- C++ -*-===//
-//
-// The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This file defines the TextPathDiagnostics object.
-//
-//===----------------------------------------------------------------------===//
-
-#include "clang/StaticAnalyzer/PathDiagnosticClients.h"
-#include "clang/StaticAnalyzer/BugReporter/PathDiagnostic.h"
-#include "clang/Lex/Preprocessor.h"
-#include "llvm/Support/raw_ostream.h"
-using namespace clang;
-using namespace ento;
-using namespace llvm;
-
-namespace {
-
-/// \brief Simple path diagnostic client used for outputting as diagnostic notes
-/// the sequence of events.
-class TextPathDiagnostics : public PathDiagnosticClient {
- const std::string OutputFile;
- Diagnostic &Diag;
-
-public:
- TextPathDiagnostics(const std::string& output, Diagnostic &diag)
- : OutputFile(output), Diag(diag) {}
-
- void HandlePathDiagnostic(const PathDiagnostic* D);
-
- void FlushDiagnostics(llvm::SmallVectorImpl<std::string> *FilesMade) { }
-
- virtual llvm::StringRef getName() const {
- return "TextPathDiagnostics";
- }
-
- PathGenerationScheme getGenerationScheme() const { return Minimal; }
- bool supportsLogicalOpControlFlow() const { return true; }
- bool supportsAllBlockEdges() const { return true; }
- virtual bool useVerboseDescription() const { return true; }
-};
-
-} // end anonymous namespace
-
-PathDiagnosticClient*
-ento::createTextPathDiagnosticClient(const std::string& out,
- const Preprocessor &PP) {
- return new TextPathDiagnostics(out, PP.getDiagnostics());
-}
-
-void TextPathDiagnostics::HandlePathDiagnostic(const PathDiagnostic* D) {
- if (!D)
- return;
-
- if (D->empty()) {
- delete D;
- return;
- }
-
- for (PathDiagnostic::const_iterator I=D->begin(), E=D->end(); I != E; ++I) {
- unsigned diagID = Diag.getDiagnosticIDs()->getCustomDiagID(
- DiagnosticIDs::Note, I->getString());
- Diag.Report(I->getLocation().asLocation(), diagID);
- }
-}
More information about the cfe-commits
mailing list