[cfe-commits] r122546 - in /cfe/trunk: include/clang/StaticAnalyzer/PathSensitive/MemRegion.h include/clang/StaticAnalyzer/PathSensitive/Store.h lib/StaticAnalyzer/Checkers/ExprEngine.cpp lib/StaticAnalyzer/SimpleSValBuilder.cpp test/Analysis/out-of-bounds.c
Ted Kremenek
kremenek at apple.com
Fri Dec 24 00:39:34 PST 2010
Author: kremenek
Date: Fri Dec 24 02:39:33 2010
New Revision: 122546
URL: http://llvm.org/viewvc/llvm-project?rev=122546&view=rev
Log:
Add basic support for pointer arithmetic in
SimpleSValBuilder. This clears up some
false positives emitted by ArrayBoundCheckerV2
due to the lack of support for pointer arithmetic.
Modified:
cfe/trunk/include/clang/StaticAnalyzer/PathSensitive/MemRegion.h
cfe/trunk/include/clang/StaticAnalyzer/PathSensitive/Store.h
cfe/trunk/lib/StaticAnalyzer/Checkers/ExprEngine.cpp
cfe/trunk/lib/StaticAnalyzer/SimpleSValBuilder.cpp
cfe/trunk/test/Analysis/out-of-bounds.c
Modified: cfe/trunk/include/clang/StaticAnalyzer/PathSensitive/MemRegion.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/PathSensitive/MemRegion.h?rev=122546&r1=122545&r2=122546&view=diff
==============================================================================
--- cfe/trunk/include/clang/StaticAnalyzer/PathSensitive/MemRegion.h (original)
+++ cfe/trunk/include/clang/StaticAnalyzer/PathSensitive/MemRegion.h Fri Dec 24 02:39:33 2010
@@ -357,7 +357,11 @@
virtual QualType getLocationType() const {
// FIXME: We can possibly optimize this later to cache this value.
- return getContext().getPointerType(getValueType());
+ QualType T = getValueType();
+ ASTContext &ctx = getContext();
+ if (T->getAs<ObjCObjectType>())
+ return ctx.getObjCObjectPointerType(T);
+ return ctx.getPointerType(getValueType());
}
QualType getDesugaredValueType(ASTContext &Context) const {
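Review bot: The last added line of getLocationType calls `getValueType()` a second time although its result was already stored in `T` on the first added line; `return ctx.getPointerType(T);` keeps the two return paths symmetric and avoids recomputing the value type. The class enclosing getLocationType starts and ends outside the hunk.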
Modified: cfe/trunk/include/clang/StaticAnalyzer/PathSensitive/Store.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/PathSensitive/Store.h?rev=122546&r1=122545&r2=122546&view=diff
==============================================================================
--- cfe/trunk/include/clang/StaticAnalyzer/PathSensitive/Store.h (original)
+++ cfe/trunk/include/clang/StaticAnalyzer/PathSensitive/Store.h Fri Dec 24 02:39:33 2010
@@ -153,13 +153,6 @@
/// casted and 'CastToTy' the result type of the cast.
const MemRegion *CastRegion(const MemRegion *region, QualType CastToTy);
-
- /// evalBinOp - Perform pointer arithmetic.
- virtual SVal evalBinOp(BinaryOperator::Opcode Op,
- Loc lhs, NonLoc rhs, QualType resultTy) {
- return UnknownVal();
- }
-
virtual Store RemoveDeadBindings(Store store, const StackFrameContext *LCtx,
SymbolReaper& SymReaper,
llvm::SmallVectorImpl<const MemRegion*>& RegionRoots) = 0;
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/ExprEngine.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/ExprEngine.cpp?rev=122546&r1=122545&r2=122546&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/ExprEngine.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/ExprEngine.cpp Fri Dec 24 02:39:33 2010
@@ -2950,7 +2950,7 @@
SVal RHS;
if (U->getType()->isAnyPointerType())
- RHS = svalBuilder.makeIntValWithPtrWidth(1, false);
+ RHS = svalBuilder.makeArrayIndex(1);
else
RHS = svalBuilder.makeIntVal(1, U->getType());
Modified: cfe/trunk/lib/StaticAnalyzer/SimpleSValBuilder.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/SimpleSValBuilder.cpp?rev=122546&r1=122545&r2=122546&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/SimpleSValBuilder.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/SimpleSValBuilder.cpp Fri Dec 24 02:39:33 2010
@@ -808,6 +808,11 @@
SVal SimpleSValBuilder::evalBinOpLN(const GRState *state,
BinaryOperator::Opcode op,
Loc lhs, NonLoc rhs, QualType resultTy) {
+
+ // Special case: rhs is a zero constant.
+ if (rhs.isZeroConstant())
+ return lhs;
+
// Special case: 'rhs' is an integer that has the same width as a pointer and
// we are using the integer location in a comparison. Normally this cannot be
// triggered, but transfer functions like those for OSCommpareAndSwapBarrier32
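Review bot: The new zero-constant shortcut at the top of evalBinOpLN sits ahead of the comparison special case that the comment right below it describes, so if this function is reached with a comparison opcode and a zero `rhs` the result would be the pointer itself rather than a truth value. Limiting the shortcut to the arithmetic case, `if (rhs.isZeroConstant() && BinaryOperator::isAdditiveOp(op)) return lhs;`, keeps the comparison path untouched; whether such a call actually occurs cannot be seen from this hunk. The rest of evalBinOpLN continues outside the hunk.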
@@ -858,11 +863,39 @@
return loc::ConcreteInt(getBasicValueFactory().getValue(rightI));
}
}
-
- // Delegate remaining pointer arithmetic to the StoreManager.
- return state->getStateManager().getStoreManager().evalBinOp(op, lhs,
- rhs, resultTy);
+ // Handle cases where 'lhs' is a region.
+ if (const MemRegion *region = lhs.getAsRegion()) {
+ rhs = cast<NonLoc>(convertToArrayIndex(rhs));
+ SVal index = UnknownVal();
+ const MemRegion *superR = 0;
+ QualType elementType;
+
+ if (const ElementRegion *elemReg = dyn_cast<ElementRegion>(region)) {
+ index = evalBinOpNN(state, BO_Add, elemReg->getIndex(), rhs,
+ getArrayIndexType());
+ superR = elemReg->getSuperRegion();
+ elementType = elemReg->getElementType();
+ }
+ else if (isa<SubRegion>(region)) {
+ superR = region;
+ index = rhs;
+ if (const PointerType *PT = resultTy->getAs<PointerType>()) {
+ elementType = PT->getPointeeType();
+ }
+ else {
+ const ObjCObjectPointerType *OT =
+ resultTy->getAs<ObjCObjectPointerType>();
+ elementType = OT->getPointeeType();
+ }
+ }
+
+ if (NonLoc *indexV = dyn_cast<NonLoc>(&index)) {
+ return loc::MemRegionVal(MemMgr.getElementRegion(elementType, *indexV,
+ superR, getContext()));
+ }
+ }
+ return UnknownVal();
}
const llvm::APSInt *SimpleSValBuilder::getKnownValue(const GRState *state,
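Review bot: In the `else` branch of the `isa<SubRegion>` case, the result of `resultTy->getAs<ObjCObjectPointerType>()` is dereferenced without a null check, so a result type that is neither a PointerType nor an ObjC object pointer (a block pointer, for instance) would crash the analyzer at `OT->getPointeeType()`. Turning it into a guarded branch — `else if (const ObjCObjectPointerType *OT = resultTy->getAs<ObjCObjectPointerType>()) elementType = OT->getPointeeType(); else return UnknownVal();` — keeps the existing fall-through to `UnknownVal()` for unsupported types. An assert documenting the expected result types would also do if the callers guarantee them, but that guarantee is not visible here. evalBinOpLN starts outside this hunk.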
Modified: cfe/trunk/test/Analysis/out-of-bounds.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/out-of-bounds.c?rev=122546&r1=122545&r2=122546&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/out-of-bounds.c (original)
+++ cfe/trunk/test/Analysis/out-of-bounds.c Fri Dec 24 02:39:33 2010
@@ -44,7 +44,6 @@
p[99] = 1; // no-warning
}
-// ** FIXME ** Doesn't work yet because we don't support pointer arithmetic.
// Tests doing an out-of-bounds access before the start of an array using:
// - indirect pointer to buffer, manipulated using simple pointer arithmetic
// - constant integer index
@@ -53,7 +52,7 @@
int buf[100];
int *p = buf;
p = p + 100;
- p[0] = 1; // no-warning
+ p[0] = 1; // expected-warning{{Out of bound memory access}}
}
void test1_ptr_arith_ok(int x) {
@@ -63,21 +62,18 @@
p[0] = 1; // no-warning
}
-// ** FIXME ** Doesn't work yet because we don't support pointer arithmetic.
void test1_ptr_arith_bad(int x) {
int buf[100];
int *p = buf;
p = p + 99;
- p[1] = 1; // no-warning
+ p[1] = 1; // expected-warning{{Out of bound memory access}}
}
-// ** FIXME ** we falsely emit a warning here because of our lack of
-// handling of pointer arithmetic.
void test1_ptr_arith_ok2(int x) {
int buf[100];
int *p = buf;
p = p + 99;
- p[-1] = 1; // expected-warning{{Out of bound}}
+ p[-1] = 1; // no-warning
}
// Tests doing an out-of-bounds access before the start of an array using: