//== RegionStore.cpp - Field-sensitive store model --------------*- C++ -*--==//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file defines a basic region store model. The model is field-sensitive,
// but it assumes nothing about the shape of the heap, so recursive data
// structures are largely ignored; in effect we perform a 1-limiting analysis.
// Pointer parameters are assumed not to alias. The objects that parameters
// point to are created lazily.
//
//===----------------------------------------------------------------------===//
#include "clang/Analysis/PathSensitive/MemRegion.h"
#include "clang/Analysis/PathSensitive/GRState.h"
#include "clang/Analysis/Analyses/LiveVariables.h"
#include "llvm/ADT/ImmutableMap.h"
#include "llvm/Support/Compiler.h"
using namespace clang;
// Immutable map from a memory region to the value bound to it. Elsewhere in
// this file a Store handle is cast to the root (TreeTy*) of one of these maps.
typedef llvm::ImmutableMap<const MemRegion*, SVal> RegionBindingsTy;
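namespace {

/// Store manager that represents a store as a map from MemRegion to SVal.
///
/// The comment in clang::CreateRegionStoreManager in this file states that the
/// class is still abstract, so it cannot be instantiated yet.
class VISIBILITY_HIDDEN RegionStoreManager : public StoreManager {
  // Factory that builds and edits the immutable region-binding maps.
  RegionBindingsTy::Factory RBFactory;

  // State manager this store belongs to. It must stay declared before MRMgr:
  // members are initialized in declaration order and MRMgr's initializer
  // reads StateMgr.getAllocator().
  GRStateManager& StateMgr;

  // Hands out the variable, field, element and symbolic regions used below.
  MemRegionManager MRMgr;

public:
  /// Build a manager on top of \p mgr, sharing its allocator for regions.
  /// Marked explicit so a GRStateManager never converts implicitly into a
  /// store manager.
  explicit RegionStoreManager(GRStateManager& mgr)
    : StateMgr(mgr), MRMgr(StateMgr.getAllocator()) {}

  virtual ~RegionStoreManager() {}

  /// Lvalue of the variable \p VD.
  SVal getLValueVar(const GRState* St, const VarDecl* VD);

  /// Lvalue of the Objective-C instance variable \p D reached through \p Base.
  SVal getLValueIvar(const GRState* St, const ObjCIvarDecl* D, SVal Base);

  /// Lvalue of the field \p D reached through \p Base.
  SVal getLValueField(const GRState* St, SVal Base, const FieldDecl* D);

  /// Lvalue of the element \p Offset positions past the element \p Base.
  SVal getLValueElement(const GRState* St, SVal Base, SVal Offset);

  /// Convert a 'pointer to array' value into 'pointer to its first element'.
  SVal ArrayToPointer(SVal Array);

  /// Look up the value bound to location \p L in store \p S.
  SVal Retrieve(Store S, Loc L, QualType T);

  /// Return a store equal to \p St except for the binding of \p LV.
  Store Bind(Store St, Loc LV, SVal V);

  /// Build the store used at the start of the analysis.
  Store getInitialStore();

  /// Record the declaration of \p VD, with optional initializer \p Ex.
  Store AddDecl(Store store, const VarDecl* VD, Expr* Ex, SVal InitVal,
                unsigned Count);

  /// Location of the region that backs the variable \p VD.
  Loc getVarLoc(const VarDecl* VD) {
    return loc::MemRegionVal(MRMgr.getVarRegion(VD));
  }

  /// Location of the element at index \p Idx of the array variable \p VD.
  Loc getElementLoc(const VarDecl* VD, SVal Idx);

  /// Reinterpret an opaque Store handle as a region-binding map. The cast is
  /// unchecked, so \p store has to be a root produced by RBFactory.
  static inline RegionBindingsTy GetRegionBindings(Store store) {
    return RegionBindingsTy(static_cast<const RegionBindingsTy::TreeTy*>(store));
  }
};

} // end anonymous namespace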
/// Factory entry point for the region-based store manager.
///
/// For now this is a stub that returns a null pointer, because
/// RegionStoreManager is still abstract and cannot be instantiated. A caller
/// has to check the result before dereferencing it.
StoreManager* clang::CreateRegionStoreManager(GRStateManager& StMgr) {
  // Once RegionStoreManager is no longer abstract, replace the return below
  // with:
  //   return new RegionStoreManager(StMgr);
  return 0;
}
/// Location of the element at index Idx inside the region of variable VD.
/// Idx is handed to the region manager as is; nothing here compares it with
/// the extent of the array.
Loc RegionStoreManager::getElementLoc(const VarDecl* VD, SVal Idx) {
  MemRegion* VarR = MRMgr.getVarRegion(VD);
  return loc::MemRegionVal(MRMgr.getElementRegion(Idx, VarR));
}
/// Lvalue of a variable: the location of the region that backs VD.
/// St is not consulted.
SVal RegionStoreManager::getLValueVar(const GRState* St, const VarDecl* VD) {
  const MemRegion* VarR = MRMgr.getVarRegion(VD);
  return loc::MemRegionVal(VarR);
}
/// Lvalue of an Objective-C instance variable. Ivars are not modelled here:
/// every argument is ignored and the result is always UnknownVal.
SVal RegionStoreManager::getLValueIvar(const GRState* St,
                                       const ObjCIvarDecl* D,
                                       SVal Base) {
  return UnknownVal();
}
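/// Compute the lvalue of field D accessed through Base.
///
/// An unknown or undefined base is returned unchanged. A region or symbolic
/// base yields the location of a field region built on the base region. Label
/// and function bases yield UndefinedVal. Integer and string-literal bases are
/// returned unchanged (see the FIXME below). St is not consulted.
SVal RegionStoreManager::getLValueField(const GRState* St, SVal Base,
                                        const FieldDecl* D) {
  if (Base.isUnknownOrUndef())
    return Base;

  // Base is expected to be a location from here on; cast<> asserts the kind
  // and does not check it when assertions are compiled out.
  Loc BaseL = cast<Loc>(Base);
  const MemRegion* BaseR = 0;

  switch (BaseL.getSubKind()) {
  case loc::MemRegionKind:
    BaseR = cast<loc::MemRegionVal>(BaseL).getRegion();
    break;

  case loc::SymbolValKind:
    BaseR = MRMgr.getSymbolicRegion(cast<loc::SymbolVal>(&BaseL)->getSymbol());
    break;

  case loc::GotoLabelKind:
  case loc::FuncValKind:
    // These are abnormal cases. Flag an undefined value.
    return UndefinedVal();

  case loc::ConcreteIntKind:
  case loc::StringLiteralValKind:
    // While these seem funny, this can happen through casts.
    // FIXME: What we should return is the field offset. For example,
    // add the field offset to the integer value. That way funny things
    // like this work properly: &(((struct foo *) 0xa)->f)
    return Base;

  default:
    // The original wrote assert("Unhandled Base."), which can never fire
    // because a string literal is always true. Assert on a false condition so
    // an unhandled kind is reported in builds with assertions enabled.
    assert(0 && "Unhandled Base.");
    return Base;
  }

  return loc::MemRegionVal(MRMgr.getFieldRegion(D, BaseR));
}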
/// Compute the lvalue of the element Offset positions past the element that
/// Base designates.
///
/// An unknown or undefined base is returned unchanged. When both the current
/// index and Offset are concrete integers, the result is the element region at
/// their sum inside the same super region; otherwise it is UnknownVal. St is
/// not consulted.
SVal RegionStoreManager::getLValueElement(const GRState* St,
                                          SVal Base, SVal Offset) {
  if (Base.isUnknownOrUndef())
    return Base;

  // Both casts assume the kind: Base must be a region location whose region
  // is an ElementRegion, not a bare VarRegion.
  loc::MemRegionVal& BaseLoc = cast<loc::MemRegionVal>(Base);
  const ElementRegion* ElemR = cast<ElementRegion>(BaseLoc.getRegion());

  SVal Idx = ElemR->getIndex();

  // Only concrete integer indices are handled for now. The index is tested
  // before the offset, as in a short-circuit &&.
  nonloc::ConcreteInt* CurIdx = dyn_cast<nonloc::ConcreteInt>(&Idx);
  if (!CurIdx)
    return UnknownVal();

  nonloc::ConcreteInt* Delta = dyn_cast<nonloc::ConcreteInt>(&Offset);
  if (!Delta)
    return UnknownVal();

  // NOTE(review): the summed index is not compared with the array extent in
  // this function - confirm that a bounds check happens elsewhere.
  SVal NewIdx = CurIdx->EvalBinOp(StateMgr.getBasicVals(), BinaryOperator::Add,
                                  *Delta);
  return loc::MemRegionVal(MRMgr.getElementRegion(NewIdx,
                                                  ElemR->getSuperRegion()));
}
/// Convert 'pointer to array' into 'pointer to the first element of array'.
///
/// Array must be a region location whose region is a VarRegion; both casts
/// assume this. For a variable of constant array type the result is the
/// location of element 0, using an unsigned zero as wide as the array size.
/// Any other variable type returns Array unchanged.
SVal RegionStoreManager::ArrayToPointer(SVal Array) {
  const MemRegion* ArrayR = cast<loc::MemRegionVal>(&Array)->getRegion();
  const VarDecl* D = cast<VarRegion>(ArrayR)->getDecl();

  const ConstantArrayType* CAT =
    dyn_cast<ConstantArrayType>(D->getType().getTypePtr());
  if (!CAT)
    return Array;

  BasicValueFactory& BasicVals = StateMgr.getBasicVals();
  const unsigned IdxWidth = CAT->getSize().getBitWidth();
  nonloc::ConcreteInt Idx(BasicVals.getValue(0, IdxWidth, false));

  ElementRegion* FirstElemR = MRMgr.getElementRegion(Idx, ArrayR);
  return loc::MemRegionVal(FirstElemR);
}
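/// Look up the value stored at location L in store S.
///
/// A region location returns its binding, or UnknownVal when the region has
/// none. Symbolic and string-literal locations return UnknownVal, a concrete
/// integer location returns UndefinedVal, and a function location returns L
/// itself. T is not consulted.
SVal RegionStoreManager::Retrieve(Store S, Loc L, QualType T) {
  assert(!isa<UnknownVal>(L) && "location unknown");
  assert(!isa<UndefinedVal>(L) && "location undefined");

  switch (L.getSubKind()) {
  case loc::MemRegionKind: {
    const MemRegion* R = cast<loc::MemRegionVal>(L).getRegion();
    assert(R && "bad region");

    // Use the shared helper instead of repeating the unchecked cast of the
    // Store handle to a binding-map root.
    RegionBindingsTy B = GetRegionBindings(S);
    RegionBindingsTy::data_type* V = B.lookup(R);
    return V ? *V : UnknownVal();
  }

  case loc::SymbolValKind:
    return UnknownVal();

  case loc::ConcreteIntKind:
    return UndefinedVal(); // As in BasicStoreManager.

  case loc::FuncValKind:
    return L;

  case loc::StringLiteralValKind:
    return UnknownVal();

  default:
    assert(false && "Invalid Location");
    break;
  }

  // With assertions compiled out the default case falls through to here. The
  // original then ran off the end of a value-returning function, which is
  // undefined behaviour; return the conservative UnknownVal instead.
  return UnknownVal();
}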
/// Return a store that differs from `store` only in the binding of LV.
///
/// LV must be a region location; this is asserted, not checked at run time.
/// A null region leaves the store untouched. Binding an unknown value removes
/// any existing binding for the region; any other value is added for it.
Store RegionStoreManager::Bind(Store store, Loc LV, SVal V) {
  assert(LV.getSubKind() == loc::MemRegionKind);

  const MemRegion* TargetR = cast<loc::MemRegionVal>(LV).getRegion();
  if (!TargetR)
    return store;

  RegionBindingsTy Bindings = GetRegionBindings(store);

  // Unknown values are represented by the absence of a binding.
  if (V.isUnknown())
    return RBFactory.Remove(Bindings, TargetR).getRoot();

  return RBFactory.Add(Bindings, TargetR, V).getRoot();
}
/// Build the initial store from the declarations known to the live-variables
/// analysis.
///
/// Starting from an empty map, every non-static variable of pointer or
/// integer type gets a binding: globals, parameters and implicit parameters
/// are bound to a symbolic value, all other variables to UndefinedVal.
Store RegionStoreManager::getInitialStore() {
  typedef LiveVariables::AnalysisDataTy LVDataTy;
  LVDataTy& LiveData = StateMgr.getLiveVariables().getAnalysisData();

  Store St = RBFactory.GetEmptyMap().getRoot();

  for (LVDataTy::decl_iterator I = LiveData.begin_decl(),
                               E = LiveData.end_decl(); I != E; ++I) {
    NamedDecl* ND = const_cast<NamedDecl*>(I->first);

    VarDecl* VD = dyn_cast<VarDecl>(ND);
    if (!VD)
      continue;

    // Punt on static variables for now.
    if (VD->getStorageClass() == VarDecl::Static)
      continue;

    // Only handle pointers and integers for now.
    QualType T = VD->getType();
    if (!(Loc::IsLocType(T) || T->isIntegerType()))
      continue;

    // Globals and parameters start out symbolic; locals start out undefined.
    const bool StartsSymbolic = VD->hasGlobalStorage() ||
                                isa<ParmVarDecl>(VD) ||
                                isa<ImplicitParamDecl>(VD);
    SVal X = StartsSymbolic
               ? SVal::GetSymbolValue(StateMgr.getSymbolManager(), VD)
               : UndefinedVal();

    St = Bind(St, getVarLoc(VD), X);
  }

  return St;
}
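/// Record the declaration of VD in `store` and return the updated store.
///
/// Ex is the initializer expression, or null when there is none, and InitVal
/// is the value computed for it. Count is passed to the symbol manager when a
/// conjured symbol is needed.
///
/// Static variables (function-level statics; file-level ones must not reach
/// this function) are zero-initialized when they have no initializer and are
/// of pointer or integer type, otherwise bound to InitVal. Non-static globals
/// are left alone. Locals of pointer or integer type are bound to InitVal, to
/// a conjured symbol when InitVal is unknown, or to UndefinedVal when there is
/// no initializer. Every element of a constant-size local array is bound to
/// UndefinedVal. Struct initialization is not implemented.
Store RegionStoreManager::AddDecl(Store store,
                                  const VarDecl* VD, Expr* Ex,
                                  SVal InitVal, unsigned Count) {
  BasicValueFactory& BasicVals = StateMgr.getBasicVals();
  SymbolManager& SymMgr = StateMgr.getSymbolManager();

  if (VD->hasGlobalStorage()) {
    // Static global variables should not be visited here.
    assert(!(VD->getStorageClass() == VarDecl::Static &&
             VD->isFileVarDecl()));

    // Process static variables.
    if (VD->getStorageClass() == VarDecl::Static) {
      if (!Ex) {
        // Only handle pointer and integer static variables.
        QualType T = VD->getType();

        if (Loc::IsLocType(T))
          store = Bind(store, getVarLoc(VD),
                       loc::ConcreteInt(BasicVals.getValue(0, T)));
        else if (T->isIntegerType())
          // An integer variable holds a non-location value. The original bound
          // loc::ConcreteInt here as well, which gives an integer variable a
          // value of the location kind.
          store = Bind(store, getVarLoc(VD),
                       nonloc::ConcreteInt(BasicVals.getValue(0, T)));
        // Variables of any other type are ignored. The original spelled this
        // as assert("ignore other types of variables"), which never fires
        // because a string literal is always true.
      } else {
        store = Bind(store, getVarLoc(VD), InitVal);
      }
    }
  } else {
    // Process local variables.
    QualType T = VD->getType();

    if (Loc::IsLocType(T) || T->isIntegerType()) {
      SVal V = Ex ? InitVal : UndefinedVal();

      if (Ex && InitVal.isUnknown()) {
        // "Conjured" symbols.
        SymbolID Sym = SymMgr.getConjuredSymbol(Ex, Count);
        V = Loc::IsLocType(Ex->getType())
              ? cast<SVal>(loc::SymbolVal(Sym))
              : cast<SVal>(nonloc::SymbolVal(Sym));
      }
      store = Bind(store, getVarLoc(VD), V);

    } else if (T->isArrayType()) {
      // Only handle constant size array.
      if (ConstantArrayType* CAT=dyn_cast<ConstantArrayType>(T.getTypePtr())) {
        llvm::APInt Size = CAT->getSize();

        // One binding per element, so the work grows with the declared size.
        for (llvm::APInt i = llvm::APInt::getNullValue(Size.getBitWidth());
             i != Size; ++i) {
          nonloc::ConcreteInt Idx(BasicVals.getValue(llvm::APSInt(i)));
          store = Bind(store, getElementLoc(VD, Idx), UndefinedVal());
        }
      }
    } else if (T->isStructureType()) {
      // FIXME: Implement struct initialization.
    }
  }

  return store;
}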